The US automated clearing house (ACH) network is a system of the Federal Reserve Bank that provides electronic funds transfer (EFT) between banks. It is used for all kinds of fund transfer transactions, including direct deposit of pay cheques and monthly debits for routine payments to vendors. The ACH is individualised and distinct from the various bank card networks that process credit card transactions. ACH operations are completed in a batch and can take up to 74 hours to process before the money is actually transmitted. And typically return notification is only sent if there are insufficient funds in the account.
With EFT and executing online banking through the ACH network comes newly generated cyber-crimes. ACH fraud is characteristically similar to good old-fashioned cheque fraud. This kind of fraud that involves the ACH network is becoming a favourite with hackers since it provides a great way to siphon money out of the bank accounts of unsuspecting victims. Financial institutions use the ACH network often in handling direct deposits, cheques, bill payments and cash transfers between businesses and individuals. The direct deposit of payroll, social security benefits and tax refunds are typical examples of ACH credit transfers and critical data to safeguard. The direct debiting of mortgages and utility bills are typical examples of ACH debit transfers, which are usually consistent and monthly.
Last year there were several highly publicised cases of corporate and government bank account takeovers. The thieves used the ACH network to initiate fraudulent credit transfers and then the wire transfer system to send the money to mule accounts to the perpetrators offshore. The failure here was not a security vulnerability of the ACH network, but was the result of either bank or corporate negligence, an outcome technology providers are trying to overcome through next generation anti-fraud solutions. In many cases, banks had inadequate security controls for accessing the bank’s cash management system, allowing the customer accounts to be compromised. In other situations, business customers did not take advantage of the advanced access controls offered by their banks.
The payroll function, which makes abundant use of the ACH network for direct deposits and other transactions, is particularly vulnerable to ACH fraud. According to the FBI, this fraud is growing, with new victims and cases opened every week partly because fraudsters only need two pieces of information to pull off ACH fraud: a chequing account number and a bank routing number. They often obtain the information with a targeted phishing email that tricks the victim into running malicious software, which then allows criminals to install key logging software and steal bank account passwords.
Who Pays the Price for ACH Fraud?
The result is that criminals can make millions of dollars per day with ACH fraud. And while consumers are protected from this type of fraud, the rules for corporations and organisations are not as clearcut, so sometimes victims find themselves having to pay. Financial and commercial institutions today are in dire need of sophisticated anti-fraud solutions.
One of many areas of concern for potential fraud involves the public exposure of bank account information. Every time a consumer or business issues a cheque, bank account information is exposed. The thieves have to understand how to interpret the lines on a cheque to acquire the bank account information. Anti-fraud solutions need to deliver the ability to perform real-time blocking actions, offering issuers, acquirers and third party processors the ability to stop fraud immediately.
The account information from bank accounts is being used to fraudulently debit business and consumer accounts through the use of ACH debits and remotely created cheques. Anti-fraud experts promote the use of electronic payment (e-payment) credit transfers for consumers and businesses performing international transactions by securing the receivers’ account information.
Anti-fraud Technology Solutions
Technology is constantly changing and the market is unpredictable, yet the pressure to reduce operating costs, increase efficiency and mitigate risk continues to intensify. At the same time, financial institutions need the right tools and technologies to remain competitive and enable support of the client base.
Smart Payment Solutions endorses the use of ACH payments as more convenient for paying employees or receiving payment for a service rendered or goods received. Its payment software solutions use the ACH network to make and receive payments without the use of paper cheques. Alternatively, ACOM payment software solutions help businesses transition their corporate payments from cheques to electronic ACH payments by providing a single payment platform that can support both cheque printing, as well as electronic ACH payments. ACOM finds it easier for clients to manage and facilitate the movement of vendors to e-payments.
For the ever-expanding mobile market, EastNets’ en.MoRe mobile remittances solution is designed to enable secure cross-border, person-to-person (P2P) mobile-initiated payments. It interconnects global mobile network operators (MNOs) and banks. The security and privacy of account information is maintained by masking the information, while facilitating the receipt of e-payments. Business customers can take advantage of debit blocks and filters to prevent unauthorised debits to their accounts.
Fiserv, a provider of financial services technology solutions, claims that approximately 52% of the US’s more than 19.4 billion ACH payments are being processed using its software. There are obvious benefits to replacing slow, error-prone manual processes with automated processing and online access to real-time systems, but what is not to be missed is the inclusion of anti-fraud security measures to safeguard automated processes.
Regulations for ACH Payments
In 2001, the National Automated Clearing House Association (NACHA) set the rules and standards for ACH transactions and more recently released a set of guidelines for e-commerce merchants that accept ACH payments on their websites. Prior to NACHA, there were no rules except those set by the merchants’ banks. However, today that has changed and merchants are required to have an authentication system in place so they can identify their customers electronically. There are filtering solutions available today that can be rapidly deployed, incorporating the new International ACH Transactions (IAT) criteria to help organisations comply with the new NACHA IAT regulations.
For instance, EastNets’ en.SafeWatch scans and analyses the new IAT data ?elds on both your inbound and outbound IAT traf?c against the new Office of Foreign Assets Control (OFAC) sanctions lists. It is important to choose an anti-fraud solution that can verify routing numbers, conduct security audits and provide a 360-degree holistic approach to security. “We observed market signs pointing to the need for an extra real-time security layer for both transaction monitoring and customer profiling. We decided to add a real-time layer to enable end users to pause, release and block payments manually and gain access to an embedded IP locator, an SMS facility, and many other cutting-edge tools,” said Paul Buelens, head of compliance product management for EastNets. “These extra provisions assure that all possible measures are accurately taken when hackers try to invade a bank e-portal.”
Comprehensive Payments Solutions for Banking Security
ACH payments are processed in batches, so a transaction can take a day or two to be completed. It is critical to conduct cheques and leverage this window of time in which a consumer or business can decide to cancel the payment since ACH payments can be repudiated.
In terms of research and development (R&D) and fraud prevention, it has been identified early on that organisations that first deploy a robust anti-fraud platform, which offers several individual software modules to address all the potential areas of fraud end up with the most comprehensive and integrated solution. For instance, using an anti-fraud platform that offers a payment card fraud module can prove critical in mitigating risk and diminishing any chance for a damaged reputation. It is critical that the modules offer a real-time web-based application that integrates seamlessly with their anti-money laundering (AML) profiling component.
Anti-fraud solutions today need to be focused on arresting cyber-attacks against payment processes and issues surrounding corporate account takeover and data security in the ACH. Financial experts report that while the ACH network was originally used to process mostly recurring payments, the network is today being used extensively to process one-time debit transfers, such as converted cheque payments and payments made over the telephone and internet, increasing the risk for cyber attacks.
According to NACHA, the number of ACH network payments exceeded 20.2 billion in 2011, an increase of 4.35% compared to a year ago. Fraud in the ACH does not have to be widespread if the right safeguards are put into place. In reality, it actually can be being managed extremely well. Overall, the banking industry must continually improve the security techniques necessary to protect their customer’s accounts and funds. They can never become complacent because the thieves will make the most of any vulnerability that exists.
Many banks around the world, large and small, continue to experience major security failures. Biometric systems such as pay-by-selfie, iris scanners and vein pattern authentication can help.
The implementation date of Europe's revised Markets in Financial Instruments Directive, aka MiFID II, is fast approaching. Yet evidence suggests that awareness about the impact of Brexit on MiFID II is, at best, only patchy and there are some alarming misconceptions.
Despite all the automation and improvements that digital banking has the potential to achieve, customers and their needs still form the very core of the banking sector.
Banks might feel justified in victim blaming when fraud occurs, but it does little for customer confidence.