Two newer transaction formats have pushed the automated clearing house system - originally designed as a behind-the-scenes way for banks and corporations to move money - into the consumer realm, which in turn has introduced more fraud.
Various merchants, most notably Wal-Mart Stores Inc., have begun letting consumers pay by direct debit, which involves supplying a checking account number and bank routing number (by phone or on the Internet), and authorizing the initiation of an ACH debit. Some Internet-based banks also let people fund their accounts this way.
But fraudsters have figured out that there is no good way for merchants and banks to determine if consumers are supplying the particulars of their own bank account. In some of the most flagrant examples, workers have used their employers' account information (copied straight from their paychecks) to buy things for their own use.
In another type of fraud, unscrupulous companies - often telemarketing firms - initiate transactions debiting individuals' accounts without their permission or in violation of the ban on such transactions when a consumer does not have a relationship with a company.
In any event, banks initiating an ACH debit (known as the ODFI, or originating depository financial institution), are liable for the transaction, on the theory that they should make the appropriate verifications.
"This is starting to become a larger problem," said George Thomas, the president of Electronic Payments Network LLC in New York, the largest private ACH operator. "We are seeing more and more incidents of people trying to access other people's accounts."
The spike in fraud is in many ways the underside of the growth of ACH transaction volume in the past two years. More volume means more income for the banks that handle it, but consumers' increasing familiarity with the ACH system means its can be breached more easily. That means banks must become more vigilant, observers said.
In March 2000, Nacha, the electronic payments association, began letting consumers authorize ACH debits on the Web or by phone. It piloted the program, which worked well and was continued. In September 2001 Nacha formally introduced two new ACH categories, WEB and TEL, to cover the transactions.
The new type of ACH fraud "was impossible in the past, because there were no Web or telephone transactions," Mr. Thomas said. "People had no way to access the ACH."
The numbers are still small, and Nacha executives call it a limited issue. ACH transactions also leave a detailed digital trail, making improper ones fairly easy to trace.
In late 2001, for example, Nacha noticed an unusually high return rate in the TEL category. The rate climbed through mid-2002 and peaked in the third quarter at about 1.25% of such transactions. Using the network's audit trail, Nacha identified and shut down individuals and merchants with unusually high return rates, which would indicate that they were initiating unauthorized debits.
Elliott McEntee, Nacha's president and chief executive, said the effort has brought down the return rate in the TEL category dramatically, to just 0.2% in the first quarter. Over all "it's really small potatoes compared with other things, such as check fraud."
He estimated that losses from ACH fraud totaled $2 million to $5 million last year. In the TEL category alone, more than 67 million transactions were initiated last year, and less than 1% were bogus.
However, Mr. Thomas at Electronic Payments Network pointed out that these figures represent only the fraudulent transactions that are reported and that many more could go undetected.
"It's pretty easy to do this," he said. "We don't know how big the problem really is. It's big, and it's going to get bigger."
Executives cite some dramatic cases.
In one a scammer used a fake name to obtain a credit card and over 18 months took cash advances totaling more than $400,000. The person paid the card bills electronically in 24 ACH transactions that debited the account of a large brokerage firm.
This month the Federal Trade Commission filed a suit against a Texas payment processor, Electronic Financial Group Inc., which was allegedly helping shady telemarketers process ACH debits to consumers' accounts. The company has been barred from processing certain transactions in the system while the case is heard.
Even Nacha has been burned. The organization, which is based in Herndon, Va., has long printed its own bank account details on promotional materials to encourage people to pay for conferences through the ACH network. Last year it discovered that the information had been used improperly to buy several computers from a major electronics maker.
Ingersoll-Rand Co. is one company concerned about the potential for such abuses. The industrial equipment company discovered this year that someone had tried to use its bank account to pay cellular telephone bills and to make other payments. However, it had put a debit block on the account, which told the bank that no ACH transactions should be processed against it, and the payments were denied.
"It's not just us - many other companies are getting hit as well," said Michael Dunn, the manager for treasury operations at Ingersoll-Rand, which is based in Bermuda.
According to Keith Theisen, a senior vice president with the treasury management group at Wells Fargo & Co., account holders are not liable when fraudulent transactions are processed. Responsibility for the loss lies instead with the bank that originated the transaction.
Debit blocks like the one Ingersoll-Rand used are an effective tool for protecting corporate accounts, he said. Wells Fargo has created an ACH fraud filter product and claims that it is blocking unauthorized debits every month that range from $28,000 to $100,000.
Wells also recommends that companies pay more attention to monthly transaction records. Many con artists have been able to debit the same account for several months, simply because a company did not notice the discrepancy.
"We need to take fraud prevention very seriously," Mr. Theisen said. "It has the potential to be big."
