ACH or Automated Clearing House payments are payments made through the electronic payments network known as the ACH Network in the United States. While there are many benefits to these largely automated ACH payments, there are still ways that ACH fraud can occur.
Ultimately, ACH fraud is relatively rare. A 2018 study that looked at the Federal Reserve Payments found that payment fraud represented only a fraction of 1% of the total value of payments; among all payments, ACH fraud is extremely low at 0.08 basis points, or 8 cents for every $10,000 in payments. However, this does not necessarily mean that it is uncommon or that it will not occur at your business.
If you provide ACH payment processing for your business or clients, it’s important to recognize that your company is liable for ACH payment fraud, so you need to be prepared to mitigate it or prevent it from happening in the first place.
In this article, we want to provide a breakdown of ACH fraud and what you need to be looking for.
ACH fraud is unauthorized ACH transactions or the fraudulent transfer of funds through the ACH Network. ACH fraud typically targets a specific bank account and takes advantage of the time delay that occurs in ACH processing.
While rare, ACH fraud is easy to execute. An account number and a bank routing number are all that is needed to initiate a payment, so anyone who obtains this information has everything required.
ACH fraud is mitigated by the ACH Network. An ACH transfer, which moves funds from one bank account to another, must go through the ACH Network. The ACH Network comprises a number of actors (automated and human) that are in place to ensure that money transfers are secured and successfully processed.
Those in the ACH Network include the Originating Depository Financial Institutions (ODFIs) and Receiving Depository Financial Institutions (RDFIs), the Clearing House, the National Automated Clearing House Association (NACHA), and the Federal Reserve. Under the NACHA Operating Rules, each ACH entity must follow a set of guidelines to check that the ACH file being processed adheres to the rules set out.
Obtaining the bank account and routing number is obviously the hardest part of the ACH fraud process, but there are ways that hackers can obtain this information and then execute ACH fraud.
Here are some common ways that hackers can obtain bank account and routing number information and proceed with ACH fraud:
There are a few main ways that criminals can gain access to sensitive banking information. Usually, it is obtained through a malicious attack either by means of an external data breach or an insider threat. And in many cases, the malicious attack will also expose other vulnerable information like a social security number and potentially lead to identity theft.
With the authorization credentials in hand, the thief can access authorized information and use it to send themselves an ACH transfer, pay a bill by means of ACH transfer, or set up recurring billing through an online banking portal.
ACH fraud is rare because of the preventative measures that are inherent in the banking and fintech industry as well as multi-factor authentication (MFA), encryption, and secure file transfers.
If your business will be facilitating the transfer of ACH funds, you must ensure that you set up all of these preventative measures.
Here are some ACH fraud prevention measures that your financial institution (such as the bank, credit union, or ACH API that you use) should adhere to:
In addition to these security best practices during the ACH transaction period, make sure that the payment data collected is stored securely using PCI-approved hardware and software and by using PCI DSS Validated Entity service providers.
Security numbers or electronic track data should not be stored locally or unencrypted, and phone recordings containing credit card accounting information need to be encrypted if stored. It is recommended that an ACH alert is set up for each customer so that the customer can monitor for and stop an unauthorized ACH debit, stopping ACH debit fraud early on.
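One way the per-customer ACH alert recommended above could be evaluated is sketched below. This is an added example, not code from the original article or from any bank's or provider's product; the rule fields, the debit entry fields, and the sample entries are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from decimal import Decimal

@dataclass
class AlertRule:
    # Hypothetical customer-maintained rule:
    # originator ID -> largest single debit that originator may pull.
    authorized: dict = field(default_factory=dict)

@dataclass
class Debit:
    trace: str            # entry trace number
    originator_id: str    # company that originated the debit
    amount: Decimal

def review(rule, debits):
    """Return (trace, reasons) for every incoming debit the customer
    should be alerted about before it is allowed to post."""
    seen, flagged = set(), []
    for d in debits:
        reasons = []
        limit = rule.authorized.get(d.originator_id)
        if limit is None:
            # Even a very small debit from an unknown originator is flagged.
            reasons.append("originator not authorized")
        elif d.amount > limit:
            reasons.append("amount exceeds authorized limit")
        if d.trace in seen:
            reasons.append("duplicate trace number")
        seen.add(d.trace)
        if reasons:
            flagged.append((d.trace, reasons))
    return flagged

# Constructed sample data (not real originators or transactions).
RULE = AlertRule(authorized={"UTILITYCO1": Decimal("150.00"),
                             "GYMCLUB002": Decimal("60.00")})
SAMPLE_DEBITS = [
    Debit("T0001", "UTILITYCO1", Decimal("84.10")),   # expected bill
    Debit("T0002", "UNKNOWN999", Decimal("25.00")),   # unknown originator
    Debit("T0003", "GYMCLUB002", Decimal("450.00")),  # far above agreed limit
    Debit("T0001", "UTILITYCO1", Decimal("84.10")),   # same entry presented twice
]

if __name__ == "__main__":
    for trace, reasons in review(RULE, SAMPLE_DEBITS):
        print(trace, "->", ", ".join(reasons))
```

Flagged entries would be held for the customer's decision; entries that raise no reason post normally.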
There are additional fraud protection measures to be taken in order to protect your business and clients against ACH payments fraud. You can consider useful technologies such as secure APIs and cryptocurrency as a form of performing ACH transfers securely.
Both of these technologies are built with security in mind, so you know that by investing in an ACH API, the payment data will be kept or transferred securely.
ACH APIs, which are Application Programming Interfaces dedicated to the sole task of transferring funds over the ACH Network, are robust yet concise code that requires API authentication in order to access any of the information provided, making the technology virtually hack-proof.
The same goes for cryptocurrency, which encrypts data through a public and private key and publishes transactions through a publicly accessible blockchain, thereby verifying that the transaction went through while simultaneously keeping the transaction details secret.
An ACH API is the best way to send money as it can be embedded into a financial service and it can use secure third-party service providers in order to ensure authentication and client authorization. An ACH API that uses cryptocurrency will also improve the security of the ACH transfer as the transfer is then confirmed on the blockchain and forever protected.
If you facilitate ACH transactions, you will have to stay on top of current fraud threats and keep up with trends and fraud regulations around providing secure ACH transactions.
Additionally, providing ACH transactions through a secure ACH API like Sila can nearly guarantee that compliance and security measures are always followed.