The U.S. ACH network, moving $40 trillion a year through 22 billion transactions for 13,000 financial institutions, is now heading towards the biggest transition in its payment history.
NACHA is pushing the boundaries of its payment infrastructure to be on par with the rest of the payment industry worldwide. While Same-Day ACH inherently creates its own challenges for the banks and credit unions that might be directly or indirectly involved, originating depository financial institutions (ODFIs) and receiving depository financial institutions (RDFIs) also need to prepare for the impending fraud risks that will accompany this change.
Change drives increased risk
If Same-Day ACH has the adoption rate that NACHA desires, there will be increased use of the service for same-day payroll, P2P, bill pay, and other payment offerings. More ACH files needing to be posted and cleared in a time frame that is being reduced from two days to two hours will place tremendous pressure on operational processes and staffing.
Also, the funds will be harder to retrieve if a transaction turns out to be fraudulent. Just as wire transfers have been popular with fraudsters because of the speed with which they can access the funds and move them out of reach, Same-Day ACH will now provide criminals with this same benefit.
And with any new service comes increased opportunity for the fraudsters, who have repeatedly demonstrated their ability to take advantage of change in unexpected ways.
Anticipating criminals’ new attacks
Any disruption to established processes provides opportunity for criminals to slip fraudulent payments through unnoticed.
Here are some of the fraud schemes that financial institutions need to be thinking about as they update processes and consider new technologies. Fraudsters could:
• Submit a large volume of payments just before the cut-off time, forcing financial institutions to rush through the review process. This could result in some payments getting through undetected.
• Submit payments that are just under the institution’s review threshold so they’re less likely to get noticed, especially in light of higher volumes and tighter timeframes.
• Target other channels or payment types, knowing that institutions will pull resources from those departments to meet ACH deadlines.
• Use social engineering techniques against account holders, resulting in payments that look legitimate because they’re coming from the actual account holder, but with less time to uncover the underlying scheme.
• Add recipients to payroll files or change account information for existing recipients within a payroll file. These are hard enough to detect today and will be even harder to detect under severe time constraints.
• Compromise third-party senders and submit fraudulent payments into which ODFIs have no visibility and that could get overlooked among the high volume of payments needing to be reviewed in the short review window.
New strategies for mitigating fraud risk
Adding more bodies to increase the size of the team responsible for reviewing ACH files is not a realistic option. The cost of hiring additional staff would be prohibitive, and pulling people from other functions even for a few hours a day would leave those other areas understaffed.
Yet institutions need to stay vigilant across all channels and payment types to guard against fraud schemes that criminals intentionally aim away from the ACH system on the theory that the institutions will be overly focused there.
Another approach that companies might consider is tightening up the security rules in their payments review tools that are designed to identify suspicious ACH payments. However, that will likely result in higher false positive rates, which on top of the higher volume will result in more alerts than available staff can investigate within the limited timeframe.
Adding technology to automate as much of the review process as possible may be the preferred option. A real-time analysis solution can triage incoming files into low-risk payments that can be released automatically, and high-risk payments that need to be reviewed manually.
Furthermore, if the new technology can provide historical context for a high-risk payment, it will be easier and faster for fraud analysts to investigate the payment and make a decision on whether to release it. Knowing the historical payment frequency patterns for the originator and recipient, typical amounts, and the way in which payments are normally submitted all could help an analyst determine if this latest payment is legitimate or not.
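The triage described above can be sketched as follows. This is an added example, not code from the article or from any vendor product; the field names, the review threshold, the 5% "just under" band and the deviation rule are all assumptions chosen for illustration, and the sample payments are constructed.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

REVIEW_THRESHOLD = 10_000.00  # assumed institution review threshold (USD)
NEAR_BAND = 0.05              # assumed: within 5% below the threshold is "just under"

@dataclass(frozen=True)
class Payment:
    originator: str
    recipient: str   # recipient identifier in the payroll file
    account: str     # receiving account number
    amount: float

def triage(batch, history):
    """Return (auto_release, manual_review) lists of (payment, reasons),
    judging each payment against previously cleared payments in `history`."""
    known = {}  # (originator, recipient) -> accounts seen and amounts paid
    for p in history:
        rec = known.setdefault((p.originator, p.recipient),
                               {"accounts": set(), "amounts": []})
        rec["accounts"].add(p.account)
        rec["amounts"].append(p.amount)
    release, review = [], []
    for p in batch:
        reasons = []
        rec = known.get((p.originator, p.recipient))
        if rec is None:
            reasons.append("new recipient for this originator")
        else:
            if p.account not in rec["accounts"]:
                reasons.append("account changed for existing recipient")
            avg, sd = mean(rec["amounts"]), pstdev(rec["amounts"])
            if abs(p.amount - avg) > max(3 * sd, 0.25 * avg):
                reasons.append(f"amount deviates from typical {avg:.2f}")
        if REVIEW_THRESHOLD * (1 - NEAR_BAND) <= p.amount < REVIEW_THRESHOLD:
            reasons.append("amount just under review threshold")
        elif p.amount >= REVIEW_THRESHOLD:
            reasons.append("amount at or above review threshold")
        (review if reasons else release).append((p, reasons))
    return release, review

# Constructed sample data: prior cleared payroll payments and one incoming batch.
HISTORY = [Payment("ACME", r, a, amt) for r, a, amt in (
    ("alice", "111", 2500.0), ("alice", "111", 2500.0), ("alice", "111", 2550.0),
    ("bob", "222", 3100.0), ("bob", "222", 3100.0))]
BATCH = [Payment("ACME", "alice", "111", 2525.0),   # matches history
         Payment("ACME", "bob", "999", 3100.0),     # same payee, new account
         Payment("ACME", "carol", "333", 9900.0)]   # new payee, just under threshold
```

The reasons attached to each held payment are the historical context an analyst would see alongside the alert.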
September 2016, the effective date for the ACH shift, lies just around the corner. Now is the time for every bank to begin addressing this challenge.
About the author
Srividya Sunderamurthy manages payment products at Guardian Analytics. For the past eight years she has been focused on building strategic risk management and payments solutions. Prior to Guardian Analytics, Sunderamurthy was a key contributor at industry-leading companies including eBay, PayPal, KPMG Consulting, and Tata Consultancy.