There will be 25 billion ACH transactions occurring annually by 2010, estimates NACHA, the electronic payments association. Many of these transactions will be check conversions at merchants, including Wal-Mart, Target and large supermarket chains.
With these numbers growing every year, ACH fraud is also growing, says Michael Thomas, Executive with the Financial Institution Group at Crowe Horwath. Criminals are finding it more enticing "to follow the money," Thomas says.
This article reviews the latest ACH fraud trends - and what institutions should be doing to protect themselves.
How ACH Fraud Happens
Before ACH did check conversion, there was very little fraud, because most transactions were driven by relationship, notes Nancy Atkinson, wholesale banking senior analyst at the Aite Group. "So when a corporation had to get an individual's permission to credit, much less debit their account, the banks knew the corporation, and they knew they could depend on the corporation to stand behind its transactions if a debit or credit came into question by a consumer."
On the business side, the companies using ACH set up accounts that would either only accept ACH credits or only issue them. As ACH has expanded beyond payroll, Social Security payments and repetitive bill-pay, moving into mainstream transactions that can be used for almost any kind of payment and for check replacement (truncation), fraud risk has grown. "This includes at point of sale or on the web or over the phone," Atkinson says. "You've lost the controls that used to exist, and those direct relationships that used to exist. Banks used to have controls on how big a transaction a business can make and how much coverage it has to have over the two-day period it takes for that transaction to settle."
One way ACH fraud can occur: a company gets hooked into a legitimate bank's ACH network and then sends out fictitious debits, for example charging checking accounts on the pretext that the holders agreed to pay a small amount to a charity. "By the time the customers get a copy of these transactions and they protest the withdrawal, by that point the bank is stuck with all the returns, because the sham operator of the fraud has withdrawn all the money and left," Thomas says.
The good news is that while this type of ACH fraud had been the most common over the years, NACHA and a number of financial institutions have been doing a much better job up front of determining whom they will let become an ACH customer. So this specific type of fraud, while still occurring, has slowed down a lot, Thomas notes.
Other fraud threats, alas, have grown.
ACH Risk #1: Payroll Fraud
The new type of ACH fraud that Thomas and other fraud experts are seeing is a combination of ACH fraud and what he calls "social engineering and computer hacking." This is the threat with which Thomas sees a lot of his customers getting hit.
Traditionally in the ACH process, a bank would set up a business to do its payroll through ACH, say, on the 13th and 28th of the month. The business would bring over the tape, and the bank would run it on its machine and check that the nature and amount of each payment were proper. The bank would call back and verify the amounts with the company before it released the payroll. Everything followed a chain of command and set procedures, and the parties knew it was going to happen on a specific date for a specific amount.
"The fraud we're seeing today is because financial institutions are doing all of this over the Internet," Thomas notes. "Typically, the bank does not have controls over these processes. It assumes that because you were able to access the account, you (the business) know your password and account information."
What he is now seeing are con men or criminals who cannot break into a bank through its firewalls, so "They're actually going to manufacturing companies, businesses, and social engineering their way to someone's laptop," Thomas says. "They're coming in through a firewall, with a stolen account and password and are pretending to be that customer."
The hacker/conman comes in through the ACH account and cleans it out. "So instead of paying out the payroll, the payroll goes to the conman."
Thomas' advice to institutions on handling payroll ACH fraud: "Go ahead, go back to the old way. Even though it is coming through the Internet, pick up the phone to verify, and this way you're covered. Or by fax, 'We see you're processing the payroll, just wanted to verify the amount,'" he says.
ACH Risk #2: Kiting
ACH kiting is similar to check kiting and is an unusual kind of fraud. "But when it happens, it can happen big," says Thomas. He lays out the scenario: A bogus charity sends out charges for $100,000. The bills are sitting in companies' inboxes, and the bogus charity now has what appears to be $100,000 worth of credit in its account at the bank. Then it takes that money and is gone. The companies who see their accounts debited for that amount come back and question it, the bank finds out the scam has happened, and it is left with lots of angry commercial account holders and $100,000 in fraud losses.
In ACH kiting, the first day the scam charity sends out $100,000, the second day it sends out $150,000, the third day it sends out $200,000 and so on, so when the first- and second-day charges begin to be returned, it appears the scam charity still has a large net credit position. The bank doesn't realize its exposure, because the credits keep coming in at a faster rate than the returns do. The scam charity keeps building up its balance until it gets really, really high. "In the first scam the fake charity may only get $100,000, in this scenario it could get millions, because it can keep running the fraud. So when it does cut and run, the institution is faced with a tremendous hit," Thomas notes.
His advice is, again, to focus on the procedures here and to monitor debit returns over a period of time.
More sophisticated institutions will set up exposure limits for new customers, first on single-day exposure and then over a period of days. "For example, the bank sets a limit of exposure for a single day at $100,000, and not more than $150,000 over a period of four days," he explains. This way it is limiting its exposure to ACH kiting, and monitoring the new customer until the institution builds up history with it.
As to the question of how long to monitor, Thomas says most people do a standard three months, some go as high as six months. "The better institutions understand that this is a credit product, and do their due diligence up front through their loan officer," he observes. The less sophisticated institutions see this as a deposit product and are more likely to get hit with fraud.
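As an added illustration of the exposure limits Thomas describes (this is example code, not from the article or any of the firms quoted), the following Python checks a new originator's daily activity against the single-day and rolling four-day limits he gives and also tracks the return rate over the same window; the 15% return-rate threshold is an assumed value, not from the article.

```python
"""Exposure-limit monitoring for a new ACH originator (added example).
Limits of $100,000 per day and $150,000 over four days are the article's."""
from collections import deque

SINGLE_DAY_LIMIT = 100_000   # dollars, from the article
WINDOW_DAYS = 4              # from the article
WINDOW_LIMIT = 150_000       # dollars, from the article
RETURN_RATE_LIMIT = 0.15     # assumed for this example, not from the article


def check_originator(daily):
    """daily: list of (day, originated, returned) in dollars, in date order.
    Exposure is measured on originated debits, since every debit credited to
    the originator can still come back; returns are tracked as a rate over the
    same window, because in a kite the returns lag behind new volume."""
    alerts = []
    window = deque()                      # trailing (originated, returned) days
    for day, originated, returned in daily:
        window.append((originated, returned))
        if len(window) > WINDOW_DAYS:
            window.popleft()
        win_orig = sum(o for o, _ in window)
        win_ret = sum(r for _, r in window)
        if originated > SINGLE_DAY_LIMIT:
            alerts.append(f"day {day}: single-day origination {originated:,} exceeds {SINGLE_DAY_LIMIT:,}")
        if win_orig > WINDOW_LIMIT:
            alerts.append(f"day {day}: {WINDOW_DAYS}-day origination {win_orig:,} exceeds {WINDOW_LIMIT:,}")
        if win_orig and win_ret / win_orig > RETURN_RATE_LIMIT:
            alerts.append(f"day {day}: return rate {win_ret / win_orig:.0%} over {WINDOW_DAYS} days")
    return alerts


# Constructed sample: the kiting pattern from the article. Debits sent on
# day 1 begin returning on day 3, but new volume outpaces the returns.
KITING_PATTERN = [
    (1, 100_000, 0),
    (2, 150_000, 0),
    (3, 200_000, 100_000),
    (4, 250_000, 150_000),
]

# Constructed contrast: a small originator that stays inside both limits.
STEADY_PATTERN = [(d, 30_000, 0) for d in range(1, 5)]

if __name__ == "__main__":
    for line in check_originator(KITING_PATTERN):
        print(line)
    print("steady originator alerts:", check_originator(STEADY_PATTERN))
```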
Who's at Risk?
Larger institutions are getting hit with ACH fraud because they have more complex internet ACH transaction mechanisms in place and have done away with the "call-backs" and manual controls. They also have much higher volumes, Thomas notes.
The ACH fraud Thomas sees is hitting regional and super-regional banks. Many of them are restoring those manual controls (call-backs). Rather than putting an automatic call-back on every ACH transaction over a certain amount, Thomas suggests that the bank look at whether the ACH transaction is scheduled. Most of them are: payroll payouts and most other outgoing debits go on schedules and are for similar amounts that won't vary widely.
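To show how a bank could act on Thomas's suggestion, here is an added Python example (not code from the article or any firm quoted) that builds an originator's schedule and typical amount from past payroll batches and queues a call-back only for a batch that is off-schedule or outside the usual amount; the 20% amount tolerance and the four-batch history minimum are assumptions for this example.

```python
"""Risk-based call-back selection for outgoing ACH batches (added example).
Batches that match the originator's observed schedule and typical amount are
released; anything else is queued for a phone or fax call-back."""
from datetime import date
from statistics import median

AMOUNT_TOLERANCE = 0.20   # assumed for this example, not from the article
MIN_HISTORY = 4           # assumed: batches needed before the schedule is trusted


def build_profile(history):
    """history: list of (date, amount) for past batches. Returns None when
    there is too little history, in which case every batch gets a call-back."""
    if len(history) < MIN_HISTORY:
        return None
    return {
        "days": {d.day for d, _ in history},          # days of month seen
        "typical": median(a for _, a in history),     # robust to one odd batch
    }


def needs_callback(profile, batch_date, amount):
    """Return (call_back_needed, reason) for a new outgoing batch."""
    if profile is None:
        return True, "no established history"
    if batch_date.day not in profile["days"]:
        return True, f"off-schedule: day {batch_date.day} not in {sorted(profile['days'])}"
    deviation = abs(amount - profile["typical"]) / profile["typical"]
    if deviation > AMOUNT_TOLERANCE:
        return True, f"amount {amount:,} deviates {deviation:.0%} from typical {profile['typical']:,.0f}"
    return False, "scheduled and within typical amount"


def review_batches(profile, batches):
    return [needs_callback(profile, d, a) for d, a in batches]


# Constructed history: semi-monthly payroll on the 13th and 28th, as in the article.
HISTORY = [
    (date(2009, 3, 13), 84_000), (date(2009, 3, 28), 85_500),
    (date(2009, 4, 13), 86_000), (date(2009, 4, 28), 84_900),
]
# Constructed new batches to review against that profile.
CANDIDATES = [
    (date(2009, 5, 13), 85_200),    # normal payroll run: release
    (date(2009, 5, 13), 240_000),   # scheduled day, but the amount spikes
    (date(2009, 5, 19), 85_000),    # usual amount on an off-schedule day
]

if __name__ == "__main__":
    for flagged, reason in review_batches(build_profile(HISTORY), CANDIDATES):
        print("CALL BACK" if flagged else "release ", "-", reason)
```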
More Security, Monitoring Needed
Aite's Atkinson sees the need for further tightening of security for online banking, including strong multi-factor authentication. "Banks need to demand that core service providers offer it as well," she says. ACH providers have built improvements into their systems, including positive payer and payee capabilities and check processing for corporations. "So that if a check gets converted to an ACH transaction, the corporation has not lost the opportunity for positive pay and payee. If something doesn't match when the bank is processing, the bank stops it and brings it back to the corporation." Atkinson notes this has been a real improvement.
The reality is, unless an institution has a minuscule volume of ACH transactions, it needs some form of automated monitoring of the transactions in order to evaluate what is originating out of the institution, says Erik Stein, Fiserv's Solutions Architecture Fraud & Compliance Solutions vice president. "Institutions need to know who is originating transactions and manage their due diligence, to know they're looking at those originators on an ongoing basis," he says.
In doing due diligence, institutions will have a set of criteria of the characteristics of who they'll do business with. "If you don't know the business model of your originator, they could be out factoring for other businesses that wouldn't have been able to sign up as an originator with your bank. They're now going through you, without your knowing about it," Stein notes.
Stein sees the ACH world continuing to become increasingly risky. "There are new SEC codes coming out on international ACH transactions, that IAT (International ACH Transactions) is coming out with," he says. This creates a whole other set of risk profiles beyond what institutions have historically seen.
Another area for financial institutions to improve their fraud detection and monitoring is the centralization of fraud prevention across all payment systems. "This will make for less fraud, no matter what the payment mechanism is," Atkinson notes.
Take someone who wants to perpetrate fraud, she explains. They may start out in checks, then, when that hole is filled, they move to ACH. If an institution has filters and ways to detect and monitor behaviors that may be suspicious, and shares that information across ACH, wire transfers, checks and credit cards, as well as ATM activity, then it is getting a much better overall fraud picture and will know which individuals to pinpoint and worry about. "Banks have said that having this type of information across all activities will greatly improve their ability to fight fraud and improve regulatory compliance," says Atkinson.