Stepping up the pressure on third-party processors to police their ACH users, NACHA member institutions may decide later this summer on new network rules to strengthen fines or even ban originators with excessive unauthorized items.
The new proposals would also require originators to maintain statistics on their return activity and rid themselves of problem firms (read: telemarketers) that blatantly violate NACHA rules with improper Web- or telephone-based authorizations-each helping to form the basis of a de facto originators blacklist. "Obviously, if you suspended a company from the ACH network, you would have to let all the banks in the country know about that," says Michael Herd, managing director of network rules for the ACH Network's governing body.
Two years ago, a less-stringent proposal to automate fees against returned transactions failed to garner enough support from NACHA members. But these new enforcement rules arrive in a more heavy-handed atmosphere, as risk and fraud factors have mushroomed alongside ACH's growing check conversion and electronic payments volume. An industry already bruised by card-breach horror stories was stung again with the widespread news in May of a penny-deposit scam, in which fraudsters pinged and raided active accounts through the ACH network, using algorithmic software to generate random account and routing numbers.
And in the new 2007 payments fraud survey from the Association of Financial Professionals, the percentage of companies reporting ACH fraud rose from 34 to 36 percent from 2005. Much of the crime derived from gargantuan security holes-almost half those defrauded weren't using their financial institutions' debit block or debit filter offerings. Nearly a quarter passed through fraudulent checks that had been stopped by check-based positive pay ledgers but re-presented as ACH debits. "I have heard from large banks that the manipulation of check and ACH transactions is their biggest source of concern, from a fraud point of view," says Gartner financial security analyst Avivah Litan.
The proposed network enforcement rules would add considerable bite to NACHA oversight. Fines will quadruple from $250 to $1,000 per unauthorized transaction, and lead to suspension of network use by the "worst cases" of repeat offenses. The changes are being suggested even though unauthorized transactions continue declining as a percentage of volume (.04 percent, according to Herd), but that volume is expanding rapidly. NACHA reported 14 billion transactions in 2006, and the first quarter 2007 volume of 3.42 billion transactions reported by NACHA was a 14.8 percent hike over 1Q activity a year ago.
"I do think it's important, from a network standpoint, to really look at who are the high-volume offenders," says Laura Lee Orcutt, a NACHA rules and operations committee member and a Wells Fargo svp and group product manager for e-payments and cash vault services in treasury management.
While ACH is considered a generally safer channel for fraud risk compared to checks or online, ACH still carries some exclusive hazards. Business-to-business ACH transactions don't have Regulation E safeguards in place like consumer-account EFTs.
Banks, which handle ACH in batch, also lack the means to efficiently disqualify illegitimate payees coming in through legitimate processors and means, says Litan. "There's not a lot of data on the transaction to verify at the bank level," she says. "Go look at the ACH field message format. It's just credit this account, debit this account, an amount, [and] a date."
Getting payee information further down the line is another change within the proposed enforcement rules. ACH transactions will require originator's identity that would be visible to the end-user, including a phone number, according to Herd.
Commercial customers, aware that the speed and convenience of ACH can also be its disadvantage, are increasingly seeking out debit blocks and ACH filters for their accounts. In the AFP survey, an additional 19 percent of companies last year added debit blocks to accounts and 15 percent started using filters, which permit funds transfers only to a pre-approved roster of billers.
The expanded uses of ACH in 2006, including business-check conversions, are pressuring banks to improve protections to help identify potential problem ACH debits without tripping up legitimate payments.
Deutsche Bank this fall is rolling out a positive pay service for commercial client's ACH debits, where blocked transactions are still presented to clients for approval on a manual "one-by-one basis," says Arthur Brieske, director and head of Deutsche's Global ACH and dbworldPAS payments and collection service. "We're going to automate this process," says Brieske. "What this allows our clients to do is feel comfortable in putting on that debit block, along with the filters, without having to worry about [for example], a state tax payment being rejected."
The new NACHA rules would add to the stable of industry fraud-risk tools that have cropped up in the market. Private-sector ACH operator Electronic Payments Network (EPN) operates an ACH fraud reporting service that issues alerts to excessive returns, including the administrative returns resulting from invalid account numbers. Last year, the Fed introduced its own monitoring service to help banks using the FedLine service keep better track of ACH originating companies.
