The number of paper checks being converted to ACH transactions is growing exponentially, making the channel more enticing to thieves and increasing instances of fraud. It's a problem that's starting to get the attention of the industry, says Nick Holland, a senior analyst at Aite Group. He recently surveyed 23 U.S. banks and credit unions and found that 95 percent cited ACH fraud as an important or extremely important concern.
The driving factor is that ACH is being used in ways not originally intended and that security around the channel has not kept up. "Fraud moves to the point of least resistance," Holland says, and as the access to the ACH network grows and fraudsters' sophistication advances, the ACH network may be increasingly targeted.
Originally, ACH was for direct, recurring payments between two well-known parties, such as an employer and employee. But as check digitalization has grown, transactions between less familiar parties (so-called nonrecurring transactions) are flooding the ACH network. From 2001 to 2008, nonrecurring transactions as a percentage of all ACH transactions grew from 2.3 percent to 37.9 percent, says Mike Mulholand, director of fraud solution strategies at Memento Security.
However, Jan Estep, CEO of NACHA, which oversees the ACH Network, says the percentage of fraud on the network remains very low and that heightened concern about ACH fraud is due in part to a more open dialogue in the industry about fraud in general. "The risk in the ACH network is trending down in the past few years," she says. In 2008, the percentage of unauthorized debit transactions (generally considered a good indicator of ACH fraud) was 0.040 percent of transactions, down from 0.041 percent the year before, she says.
Meanwhile, unauthorized debit returns via the Web fell to 0.04 percent from 0.05 percent, indicating that channel remains secure. However, she notes, the absolute number of unauthorized transactions is increasing as the total volume moving through the channel grows; the total number of ACH transactions was up seven percent in 2008. Volume matters, of course. A very small percentage of a very big number might still spell unacceptable losses at certain banks.
Since run-of-the-mill check fraud increasingly and easily ends up in the ACH channel, fraud schemes don't always have to be that creative or high tech. Old fashioned check kiting is a threat, as are fraudsters who pose as a legitimate businessmen and lure the bank into accepting fraudulent ACH transactions.
Tom Miltonberger, chief executive of Guardian Analytics, says bank execs should bear in mind as they craft solutions to ACH fraud that ACH is a payment mechanism, and that security resides not within the channel but at the application level.
Banks must tighten up security (such as customer due diligence) and monitoring, and make sure the fraud tools they already use for paper checks are applied to the converted checks flowing through the ACH channel. Monitoring is especially important since once a fraudulent ACH transaction occurs it's difficult to undo.