An ACH payment is a secure way to send money from one bank account to another. Even so, ACH fraud still costs businesses and banks millions of dollars every day.
The ACH Network itself is secure and continually monitored, but every party on it plays a role in meeting its security requirements.
If your organization participates in the ACH Network, you must maintain the level of security required by Nacha (the National Automated Clearing House Association). Beyond those requirements, stopping fraud falls to the business originating the payment and to the Originating or Receiving Depository Financial Institution (ODFI or RDFI) that handles it.
Here’s what you need to know to prevent fraud on ACH systems:
According to the Federal Reserve, ACH fraud is rare, and ACH payments have the lowest rate of fraud by value of the payment types it measures. Its 2018 payments study found that fraudulent ACH payments amounted to a tiny fraction of 1 percent of the total value of ACH payments sent, about 8 cents for every $10,000.
This low rate is most likely due to the controls on authorizing ACH payments, combined with the fact that ACH processing is almost entirely automated.
While ACH fraud rates are low, fraud still occurs. So where does it come from?
ACH fraud occurs when a transaction is initiated by a third party without the authorization, agreement, or voluntary assistance of the account holder, almost always for financial gain.
It typically exploits a weakness somewhere in the payment chain: a compromised login, a flaw in the system used to initiate payments, or a failure in the controls around the payment itself.
Because ACH transactions are usually initiated online, they are exposed to the same attacks as any other online system. ACH users face cyberattacks, email phishing, account takeovers, vendor impersonation (for example, a forged request to change a supplier's bank account details), and more.
It is up to the bank to put controls in place that protect its accounts and customers against ACH fraud: sensitive data must travel only over encrypted connections and be stored behind authentication and access controls, and every transaction must be authorized by the account owner.
In 2018 the Federal Reserve convened the Fraud Definitions Work Group, which developed the FraudClassifier model: a set of tools and materials that help financial institutions classify fraud consistently, understand its magnitude, and see how it occurs across the payments industry.
Train your staff on the FraudClassifier model so that they recognize the types of fraud they may encounter and understand their severity and prevalence. Consistent classification helps an institution spot a pattern before it does serious damage.
ACH risk is generally grouped into five categories: credit risk, debit risk, operational risk, fraud risk, and systemic risk. These categories describe how a loss arises, not a particular fraud scheme.
For example, an account holder whose account is debited without authorization has suffered a debit-risk loss. If that debit turns out to be one of many sent after a compromised login, it points to an account takeover and a broader, potentially systemic problem rather than a single bad entry.
Some ACH fraud schemes are easier to spot than others. Here are some common ones:
Other forms of exposure are meant to be managed by the ACH system itself. ACH credit risk, for example, arises when an ODFI sends a credit entry on behalf of an Originator before it has collected the funds from that Originator. Under the Nacha rules the ODFI warrants every entry it originates and is liable for settling it, so if the Originator's account does not hold enough money when the entry settles, the loss falls on the ODFI, not on the RDFI that posted the credit to the Receiver.
Return codes limit how long a mistaken or unfunded entry can linger. Under the standard return window, an RDFI that will not post an entry must return it so that the return reaches the ODFI by the opening of business on the second banking day after the settlement date. Until the entry actually settles and the Originator's account is debited, the ODFI is carrying that Originator's credit exposure.
Same Day ACH compresses this window, since entries settle on the banking day they are originated. That is why the ODFI must practice Know Your Customer (KYC) diligence on its Originators and set exposure limits that match what it has verified about them: Same Day ACH credits should be extended only to established customers, or to customers who can verify their identity and their ability to fund the entries.
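To make the credit-risk controls above concrete, here is a small Python model, added for this article and not part of Sila's or Nacha's software, of how an ODFI might gate an Originator's credit entries. It assumes illustrative per-Originator exposure limits, ignores Federal Reserve holidays and Same Day ACH cut-off times, and runs on a constructed batch of entries dated Friday 1 March 2024. It enforces three things the text describes: no entry is accepted from an Originator that has not been onboarded (no approved limit), accepted-but-unsettled credits may not exceed the Originator's exposure limit, and each accepted entry is tagged with its settlement date and the standard two-banking-day return deadline.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Per-Originator exposure limits in cents. These values are assumed for the
# example; a real ODFI sets them during onboarding/KYC and reviews them regularly.
EXPOSURE_LIMITS_CENTS: Dict[str, int] = {
    "Acme Payroll LLC": 50_000_00,  # $50,000.00, an established customer
    "NewCo Trading": 5_000_00,      # $5,000.00, a newly onboarded Originator
}


def next_banking_day(d: date) -> date:
    """Next weekday after d. Federal Reserve holidays are omitted (assumption)."""
    d += timedelta(days=1)
    while d.weekday() >= 5:  # 5 = Saturday, 6 = Sunday
        d += timedelta(days=1)
    return d


def add_banking_days(d: date, n: int) -> date:
    for _ in range(n):
        d = next_banking_day(d)
    return d


def settlement_date(origination: date, same_day: bool) -> date:
    """Same Day ACH settles on the banking day it is originated; a standard
    credit settles the next banking day (cut-off times are ignored here)."""
    if same_day and origination.weekday() < 5:
        return origination
    return next_banking_day(origination)


def return_deadline(settlement: date) -> date:
    """Standard Nacha return window: the RDFI's return must reach the ODFI by
    opening of business on the second banking day after the settlement date."""
    return add_banking_days(settlement, 2)


def return_deadline_iso(settlement_iso: str) -> str:
    """ISO-date wrapper around return_deadline(), e.g. '2024-03-04' -> '2024-03-06'."""
    return return_deadline(date.fromisoformat(settlement_iso)).isoformat()


def return_is_timely(settlement_iso: str, received_iso: str) -> bool:
    """True if a return received on received_iso is inside the standard window."""
    return date.fromisoformat(received_iso) <= return_deadline(date.fromisoformat(settlement_iso))


@dataclass
class CreditEntry:
    originator: str
    amount_cents: int
    origination_date: date
    same_day: bool = False
    settlement: Optional[date] = None  # filled in when the ODFI accepts the entry


@dataclass
class OdfiExposureLedger:
    """Tracks credits the ODFI has sent but not yet collected from the Originator."""
    limits: Dict[str, int]
    accepted: Dict[str, List[CreditEntry]] = field(default_factory=dict)

    def exposure(self, originator: str, as_of: date) -> int:
        # The ODFI is exposed until settlement, when the Originator's account is debited.
        return sum(e.amount_cents for e in self.accepted.get(originator, [])
                   if e.settlement is not None and e.settlement > as_of)

    def accept(self, entry: CreditEntry, as_of: date) -> Tuple[bool, str]:
        if entry.originator not in self.limits:
            return False, "rejected: Originator has no approved exposure limit (not onboarded/KYC)"
        limit = self.limits[entry.originator]
        projected = self.exposure(entry.originator, as_of) + entry.amount_cents
        if projected > limit:
            return False, (f"rejected: projected exposure ${projected / 100:,.2f} "
                           f"exceeds limit ${limit / 100:,.2f}")
        entry.settlement = settlement_date(entry.origination_date, entry.same_day)
        self.accepted.setdefault(entry.originator, []).append(entry)
        return True, (f"accepted: settles {entry.settlement}, "
                      f"returns must arrive by {return_deadline(entry.settlement)}")


def run_example() -> List[Tuple[bool, str]]:
    """Constructed batch: one Friday's credit entries as an ODFI would see them."""
    friday = date(2024, 3, 1)
    ledger = OdfiExposureLedger(limits=EXPOSURE_LIMITS_CENTS)
    batch = [
        CreditEntry("Acme Payroll LLC", 30_000_00, friday),                 # standard, settles Monday
        CreditEntry("Acme Payroll LLC", 25_000_00, friday, same_day=True),  # would push exposure to $55k
        CreditEntry("Acme Payroll LLC", 15_000_00, friday, same_day=True),  # fits under the limit
        CreditEntry("Unknown Vendor", 1_000_00, friday, same_day=True),     # never onboarded
    ]
    return [ledger.accept(e, as_of=friday) for e in batch]


if __name__ == "__main__":
    for ok, reason in run_example():
        print("OK " if ok else "NO ", reason)
```

Running the script shows the first Acme entry accepted with a Monday settlement and a Wednesday return deadline, the second rejected because the Friday credit has not yet settled and still counts against the limit, the third accepted as a same-day entry, and the unknown Originator refused outright. The important design point is that exposure is measured against unsettled entries, not against what has been "sent": an ODFI that only checks per-entry size will happily exceed its limit across a day's batches.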
Because targeted ACH fraud can be so damaging, financial institutions typically put protective measures in place to limit unauthorized ACH transactions and identity theft. These two are the most common safeguards for protecting an account against ACH fraud.
Here are other ways to prevent ACH fraud:
To operate as an ODFI or RDFI on the ACH Network, a bank must remain compliant with the Nacha Operating Rules. It is therefore in the institution's own interest to protect customers against every category of ACH risk.
To protect ACH systems against attackers, consider the following:
It is also important that your customers know the best practices for protecting themselves against ACH fraud. Encourage customers to:
ACH payments can be made more secure with a secure API such as the Sila ACH API. An ACH API provides secure account linking and encrypted data sharing, and can add flexibility to ACH payments through integration with a digital wallet.
If you suspect a fraudulent transaction at your financial institution, act immediately to stop or return the entry before it settles. Resolving ACH fraud can be handled in-house or through a third party to minimize losses.