ACH Fraud: Avoid 3rd-Party Risks
NACHA Offers Tips for Screening Potential Senders One bank recently learned a tough lesson about ACH fraud.The bank, an originating depository financial institution, didn't review or check the companies a third-party sender was doing business for as a transmitter. "Turns out that [one] new business among hundreds of the originators was a scam," says Jeannette Fox, senior director of risk investigations and services for NACHA, the electronic payments association. When the new business created its first ACH file, Fox says, "Every entry in the file was for the same amount, $29.99, and every receiver in the file was the same name." The majority of the entries were returned as invalid within one week, and the bank had to freeze the settlement credit until all funds were refunded.
This case illustrates the fraud risks to financial institutions when it comes to doing business with third-party service providers (TPSP). Sometimes those risks, Fox notes, don't present themselves until after a business customer has signed up for ACH services. And the losses rack up for an institution quickly. According to the 2010 Association for Financial Professionals' Payments Fraud and Control Survey, the average fraud loss because of a third-party incident was $17,100.
There are several ways these problems can come up, whether through a third-party service provider or a third-party sender. Fox explains what the difference is between a third-party service provider (TPSP) and a third-party sender (TPS): "In the TPSP model, the originator has an agreement with the financial institution and the TPSP." While in the third-party service model, the originator has an agreement with the third-party service only. "Basically, it became increasingly common for a financial institution and originator to enter into agreements with third parties instead of direct agreements with each other," Fox says. This is what led to defining the responsibilities of Third-Party Senders within the NACHA operating rules in December 2004.
Third-party Sender Vetting Tips
What should a financial institution do before bringing on a third-party sender? Fox advises institutions to verify basic facts about the third-party sender - legal names, doing-business-as names, address, type of business, website and other general information.
Institutions also should conduct due diligence on third-party sender candidates, Fox notes, similar to such practices used for commercial loan underwriting, including:
- Review all services, products, advertising, marketing;
- Does the third-party support high-risk activity? Know the third party's customers;
- According to FFIEC guidance, high-risk includes gambling and adult entertainment companies;
- Perform a credit analysis across all payments channels and bank services that will be provided to the third party;
- Perform open source research - sometimes a Google search can yield lots of information;
- Specific to ACH, review the third party's return percentages;
- Ensure that the agreement with the third-party addresses all necessary provisions such as using proper company names, termination policies and prohibited businesses (as defined by the financial institution).
Consider Third-Party Risks
As for advice for financial institutions that have third parties or are thinking of contracting with third parties, Fox recommends:- Make sure the third party fits with the financial institution's culture;
- Remember third parties may add too much risk or require too many additional processes for some financial institutions;
- Make sure that the agreement is "iron clad" and provides the ability for the financial institution to enforce provisions in the agreement - such as settlement, returns, over limit situations, account reconcilement, security, compliance, and others.
Financial institutions should also consider the impact to all ACH participants if it becomes necessary to terminate a third-party relationship. To minimize further damage, the financial institution should define the circumstances for immediate termination such as providing false information, engaging in activity prohibited by the financial institution, or state or Federal law, as examples.
Financial institutions can appropriately mitigate risk associated with third-party relationships by carefully considering best practices and knowing their obligations and liabilities under the NACHA Operating Rules.
For more on ACH fraud and NACHA. Please see: ACH Fraud: How to Fight Back