Mike Mulholand on ACH Fraud: Strategies to Fight Back
TOM FIELD: Hi, this is Tom Field with Information Security Media Group. I am talking today with Mike Mulholand, Director of Fraud Solution Strategies with Memento, Inc. Now Mike has got years of financial services experience. He spent time at institutions and most recently with banking solutions vendor Metavante.
Mike, it is pretty safe to say you spent a lot of years around fraud. Is that fair?
MIKE MULHOLAND: At least the last 10 years around fraud, although I was probably involved more on the operational side earlier than that.
FIELD: Now I wanted to talk with you today about ACH fraud, Automated Clearing House. Give me a sense Mike, what is the key story line here for financial institutions?
MULHOLAND: I think the key story line is that the risk for ACH fraud is really defined in a basic, fundamental change in the relationship between the parties to a transaction. It is moving from a transaction that is occurring between two known and trusted parties that have an ongoing relationship, to two parties that are unknown, untrusted and have a very transient relationship.
Examples would be an employer and an employee; that is an ongoing relationship, trusted, known parties. On the other side is the one-time transaction that you have someone who is coming in and purchasing something from a merchant. That individual may be back, may not be back, and probably doesn't know them. So you get a basic difference in the fundamental relationship. That is where the risk is coming from.
FIELD: Okay. So if you could define ACH fraud and what you are seeing today, what are sort of the major manifestations of it?
MULHOLAND: What we are seeing in ACH is tied to a couple of things. One of the things that is happening is these one-time transactions, the non-recurring transactions. It essentially leaves the parties to the transaction vulnerable to fraud that doesn't need to be extended. It is fraud that occurs very quickly, and the fraudster is gone. So it is a one-time hit kind of a thing, which check fraud has always been.
The other element of fraud is really tied more toward the fact that the access to the payment system today is becoming more and more electronic and more and more tied to the internet. As a result, the weak point in many networks that banks have to deliver products to customers, the weak point is actually the customer. The fact that that customer is attached to the internet for other purposes makes that customer's PC vulnerable, and when those credentials that are used to access bank products are compromised, the fraudster has free rein and takes full advantage of it.
FIELD: That makes sense. Now how do you see institutions fighting back against ACH fraud?
MULHOLAND: There are a number of ways. There is some preventative and some detection. Essentially in the ACH world you really have to know your customer. You have to know your originator and, you know, this has been repeated oftentimes by groups and other individuals, but essentially you really need to understand who it is that is originating ACH items and do your due diligence on those individuals and ensure that you understand their business, you understand what they are going to do and you cover yourself from a credit point of view.
A lot of banks use, for ACH, due diligence very similar to the due diligence that they do for a loan customer for extending credit. The other side of the fence, after you have done all that, you can still be victimized. A good originator, for example, can be victimized by a bad player in the transactions that they are doing. So the other side of the fence is detection, and detection comes in a number of ways, but essentially you need to look both on the origination side and on the receiving side for unusual activity.
FIELD: What do you see that particularly works in some of the ways that institutions are fighting back and what still needs work?
MULHOLAND: What has worked fairly well, and there are a number of solutions in existence for this side, is the receiving side. Essentially what has happened on the receiving side is that the new transactions coming in and the new mechanisms for generating these ACH transactions have allowed for these one-time electronic transactions, e-checks if you will, to come in against accounts, and they may or may not be valid. So the incoming side looks at new transactions and compares them to existing behavior on that receiver's account. When that occurs, when I have a new transaction that comes in that is nothing like the behavior that I have seen in the past, that can be flagged and can be looked at and the customer can be contacted and so on.
Essentially what you have on the receiving side, for unauthorized transactions, is 60 days from the day the item settles to return that item for unauthorized. So on the receiving side it is not so much an issue of 'am I going to take a loss?' It is more of an issue of customer service. I don't want these unauthorized transactions to ever post against the customer account to begin with, so I want to monitor for that and return them on a timely basis.
On the originating side, which in the ACH is really where the financial risk lies, you need to look at transactions that are being generated and compare those transactions to the normal transactions generated by a particular originator. And what you are looking for there, again, is unusual activity.
An example there might be, back to my discussion of just a minute ago about the compromising of credentials, let's say I have an ACH originator who uses ACH for a very specific reason and therefore the activity is very predictable. I know when he originates files, I know the volume of the files, I know the dollar amounts of the files, and so on. And then, one of the PCs in his network gets compromised, a key logger gets put on it or whatever happens to compromise that individual's credentials, and now the fraudster has the credentials and can get into that company's activity. So they go in and they look and they find an ACH template so they grab that template, they modify it and instead of creating credit files for let's say payroll, they create a file that contains 10 or 15 credits, all high dollar and send that file out. Because the correct credentials were used, the bank will, generally speaking, transmit that file and process it. By the time the true originator knows what happened, the credits on the other end have already been withdrawn from the accounts and chances of recovery are very small.
So what you want to do is look at that activity. Look at the normal activity for the customer and say, 'gee, I've got this file, it's only got 10 items instead of 100 items, it is for the same overall dollar amount, but the average dollar amount of the items in this file is $15,000 dollars instead of $1,500 dollars. That is a problem.' By the way, this file was originated on Tuesday afternoon instead of Thursday morning like the normal files for this customer.
When that gets flagged, now I have the capability to go to that originator and say, 'what is going on here,' and you can stop it before the file ever gets generated, before it gets transmitted. So that is the kind of thing you have to do and that is the area where a lot of companies are struggling. That is the area where Memento can help, actually on both sides.
FIELD: You make it sound really like a war that is being fought on a lot of different planes.
MULHOLAND: It absolutely is, and it is being fought on the internet, in terms of internet security, the nexus between security and fraud is growing ever stronger. And it is also being fought in the ACH operations arena.
FIELD: So given this, Mike, what would you say are some of the encouraging signs you are seeing in this war?
MULHOLAND: Encouraging signs are that people are becoming more aware. The ABA Fraud Survey, for example, in 2003 only 31% of the responders were aware of ACH fraud within their bank. By 2007, 51% of the responders were aware. Now you can look at that statistic to a sort, it is like wow we went from 31% to 51%, but yes that means more fraud is being perpetrated, but it also means the awareness to the fraud is much stronger and as a result, people are taking actions necessary to combat the fraud.
The second thing where it is getting better is that the ACH NACHA has recognized that the risk is growing and NACHA has taken steps to begin to change rules and we can expect new rules to come up and be promulgated in the near future and there is--NACHA has beefed up the unit that deals with fraud, hired lawyers in that unit, and so there is a lot more attention being paid to ACH fraud and will continue to be.
Now the third thing that is an improvement is that companies like Memento and others are working on developing solutions for detection, monitoring and prevention of fraudulent ACH activities.
FIELD: Excellent. So, one last question for you, Mike. If you could offer one piece of advice to an institution that is just starting to tackle ACH today, what would that advice be?
MULHOLAND: Two-fold. The advice would be first, understand who your originator is and what they are originating. And the second is find yourself somebody who can help you monitor ACH activity and start to look at the fraud potential within your bank in a more enterprise way. In a way that is more customer centered than a counter-transaction centered.
FIELD: Well said. Mike, I appreciate your time and your insight today.
MULHOLAND: You are very welcome. My pleasure.
FIELD: I've been talking with Mike Mulholand, Director of Fraud Solutions Strategies with Memento, Inc. For Information Security Media Group, I'm Tom Field. Thank you very much.