Faster ACH payments are taxing banks' ability to check for fraud, and criminals are taking notice.
As of September, credit-based ACH payments are now being settled within the same day. These are transactions where one person or entity is pushing money from their bank account to another person or organization, using the automated clearinghouse. Examples include direct deposit, payroll, person-to-person and vendor payments.
Where before banks had two to five days to analyze suspicious transactions, now in some cases they have only two hours. Banks haven't quite caught up with the shorter timeframe for checking red flags, some say, and fraudsters have jumped on this opportunity.
"Recently we've seen more evidence of incidences of ACH fraud than we have in the past," said Andrew Davies, a vice president at Fiserv who helps financial institutions worldwide spot potentially illegal transactions.
Davies has seen recent cases of malicious software tampering with ACH files to perpetrate fraud. For instance, hackers are manipulating payroll files and adding themselves as fake employees to collect money. Some of the cases have been in the U.S.
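A check of the kind that would surface an added payee in a payroll file, as an added example (not from the article or any vendor's product): it reads batch header and entry detail records using the standard 94-character NACHA layout, then flags receivers with no payment history for that originator and amounts far above a receiver's average. The sample file, history, company ID, routing number and the 3x threshold are constructed assumptions.

```python
# Added example with constructed data. Offsets follow the fixed-width,
# 94-character NACHA layout: batch header ("5") and entry detail ("6").

def batch_header(name, company_id):
    """Build a constructed credits-only PPD batch header record."""
    return (f"5220{name:<16}{'':20}{company_id:<10}PPD{'PAYROLL':<10}"
            f"{'':6}170103{'':3}1{'12345678'}{1:07d}")

def entry(rdfi, acct, cents, ident, name, trace):
    """Build a constructed entry detail record (code 22 = checking credit)."""
    return (f"622{rdfi:<9}{acct:<17}{cents:010d}{ident:<15}{name:<22}"
            f"  0{trace:<15}")

def parse_entries(text):
    """Yield (company_id, routing, account, cents, name) for each entry."""
    company = None
    for line in text.splitlines():
        if line.startswith("5"):                 # batch header: originator
            company = line[40:50].strip()
        elif line.startswith("6"):               # entry detail: one payment
            yield (company, line[3:12], line[12:29].strip(),
                   int(line[29:39]), line[54:76].strip())

def review(text, history, ratio=3.0):
    """Return (reason, name, cents) alerts; ratio is an assumed threshold.

    history maps (company_id, routing, account) -> prior amounts in cents.
    """
    alerts = []
    for company, rdfi, acct, cents, name in parse_entries(text):
        prior = history.get((company, rdfi, acct))
        if not prior:                            # never paid by this originator
            alerts.append(("new_receiver", name, cents))
        elif cents > ratio * sum(prior) / len(prior):
            alerts.append(("amount_spike", name, cents))
    return alerts

SAMPLE_FILE = "\n".join([                        # constructed payroll batch
    batch_header("EXAMPLE CO", "1234567890"),
    entry("123456780", "1000001", 250000, "E001", "ALICE EXAMPLE", "1"),
    entry("123456780", "1000002", 900000, "E002", "BOB EXAMPLE", "2"),
    entry("123456780", "9999999", 240000, "E900", "NEW PAYEE", "3"),
])
HISTORY = {                                      # constructed prior payrolls
    ("1234567890", "123456780", "1000001"): [250000, 250000, 255000],
    ("1234567890", "123456780", "1000002"): [260000, 260000],
}

if __name__ == "__main__":
    for alert in review(SAMPLE_FILE, HISTORY):
        print(alert)
```

Keying the history on originator plus receiver account, rather than on account alone, is what lets a first-time payee stand out inside an otherwise routine payroll batch.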

Some banks' systems don't sufficiently scrutinize ACH files.
"A lot of their fraud filters will not necessarily have the wherewithal to break out all the transactions, look at history of the accounts on the incoming and outgoing side, look at the batches within the file, and then look at the behavior associated with the overall file from an ACH perspective," Davies said.
Money lost this way will be difficult to recover.
"Any time you push money out, it's really hard to pull it back," said Ruston Miles, founder and chief innovation officer of Bluefin Payment Systems, a payment processor. For instance, "if it's a payroll file, the money has been pushed out, and you can't go out to the customer and pull it back."
A lot of fraud monitoring is still done manually today, Miles said.
"Most banks have electronic fraud detection systems that catch transactions that don't look right and put them in an exception bin and these banks employ floors of people who inspect the flagged transactions," Miles said. "With same day, all that time gets crunched down, so you either have to add more people or you have to open the floodgates on your fraud detection systems or you've got to get more picky about fraud detection."
Along with faster settlement, the increasing interconnectedness of international payment systems taxes fraud investigators' skills and resources. The fact that dozens of countries are increasing the speed of payment transactions brings an increased level of risk.
"If you're settling transactions between financial institutions more frequently or in shorter time frames, and you have too many false positives or you have a limited amount of resources to remediate unusual activity, the funds ... may well have moved on to South Korea in a relatively short timeframe, and you're still sitting on an alert you haven't had a chance to look at," Davies said.
"I wouldn't say banks are scrambling but there's increased focus and understanding of the elevated risks associated with those transactions," Davies said.
In a way, this problem isn't new. There have long been different speeds for ACH payments. Also, in some cases you can pay to expedite ACH or bill payments.
"Many financial institutions have found that if criminals can pay a fee for expedited processing, they don't mind paying the fee, and you see a shift in many cases to these quicker mechanisms," said David Pollino, deputy chief security officer for Bank of the West.
He points out that there's an upside: now banks have a way to risk-stack their products, knowing that the faster services are inherently more attractive to criminals.
Jane Larimer, executive vice president of ACH network administration at NACHA, said she is not aware of increased fraud over the network.
"We have not heard that at all," she said. "It's been amazingly quiet." Bank members worked to make sure they had robust risk and fraud systems during the 16-month lead-up to the faster credit payments.
"They did that work and they were ready to go on phase 1," she said.
Banks aren't required to report ACH-related fraud to NACHA. "But if there was some upswing, we do hear things," Larimer said.
Pollino is also unworried about the threat of fraudsters breaking in and changing ACH files, because doing so takes a lot of work. Phishing attacks are still the biggest fraud concern at Bank of the West.
"Why hack into a system, understand a complex financial package, figure out where that file is and then change the file if you can just email the person and ask them for the money?" he said.
Next challenge: Same-day ACH debits
Same-day ACH debit payments, which go into effect September 15, 2017, will be even trickier for fraud prevention teams.
ACH debit transactions typically take two to three days to clear and settle, noted Steve Mott, principal of BetterBuyDesign, an advisory firm in Stamford, Conn. And banks' fraud systems take full advantage of that window.
"Some would say it's a lazy way, because it takes advantage of the time to say, 'OK, I don't have to check this stuff until I come in on Monday morning,' " Mott said.
The banks' fraud systems, controls and secondary and tertiary checks all assume the bank has plenty of time to perform those checks. Those will need to be updated.
"What's happened historically is that none of the financial institutions have wanted to change much in the way they did faster and more secure stuff through the pipes until they absolutely have to," Mott said.
Power of the bank account number
In a faster-ACH-payments world, the bank account number becomes more powerful because it can be turned into cash more quickly.
To date, bank account numbers have been worth less than credit card numbers in the black market because they've been harder to use.
With same-day settlement, fraudsters will be able to use bank account numbers to make real-time purchases, such as software, movie and song downloads, and receive the items before a bank can stop them.
"If fraud starts really going there and merchants start losing, merchants will either have to add anti-fraud detection systems themselves or they may turn away from ACH payments for any real-time or near-real-time transfers, because they can't be assured of the funds," Miles said.
Americans are fairly casual about writing and sending checks, which have our full account number printed at the bottom, to anyone because of the built-in protections of time, Miles said. I recently sent a year-end tip by check to the person who delivers my newspaper. This is someone I've never met, who lives in a town I've never been to, and for all I know she could be a petty criminal. Now she has my checking account number and my bank name and routing number, as well as my address and signature.
"Now we're taking out that time buffer, making this twice a day, same day, meaning that it's more convenient and easier for fraudsters to capitalize on the account numbers."
But account numbers printed on checks are unlikely to be a large-scale problem, Miles pointed out.
"Hackers want to automate these attacks, they don't want to dig through the trash all over the country to steal a million check numbers," he said. "They want to open their laptop and see that 10,000 bank account numbers were found over the past week, through automated attack tools. So that's the big threat."
Miles suggested the banking industry needs to develop security standards like PCI. "The best way to fix the problem is to not have the fraudsters get their hands on the bank account numbers in the first place, and that comes through data security and not through authentication," Miles said. For instance, the PCI data security standard requires that payment card data be encrypted at all times; this same rule could help protect bank account data. Tokenization of account numbers could also help, he said.
Continuous improvement
As ACH payments continue to get faster, along with Fedwire, CHIPS, and other types of payments, banks are going to have to step up their fraud analytics and security efforts accordingly. Those processes will need to be continuously improved, too, Pollino said.
"As soon as you're happy with your controls, the criminals will get happy with them as well because they'll figure out a way around them," he said.
NACHA members have been upgrading their risk processes and procedures, Larimer said. "Same day is the tipping point," Larimer said. "We're the first movement in faster payments. So they're starting here and I don't think this is the end of it."
She also noted that faster payments can lower transaction risk, especially credit and operations risk.
"And the faster you can settle things on the system, that lessens the systemic risk," she said.
One thing banks need to do is understand how the criminal rings that target them work, Pollino suggested.
"Are they looking for the small, quick score or are they looking for the larger, long-term payoff?" he said. "Criminals looking for the quick, small score might be drawn toward this type of product." The bank's fraud analytics and fraud detection strategies need to be tuned to that.
Third-party data sets become increasingly useful to help vet the parties to a transaction, Pollino said. Names, phone numbers, email addresses and account numbers can all be checked against databases run by Early Warning Services, LexisNexis, Experian and others.
"It's becoming more and more important to understand where this money is going, who's at the other end of the transaction," he said. "Does your customer know who's at the other end of the transaction? What personal information is included in a transaction?"
Editor at Large Penny Crosman welcomes feedback at penny.crosman@sourcemedia.com.