Retail Payments Risk Forum
Font Size: A A A

Portals and Rails

September 22, 2014

New ACH Return Rate Threshold on the Horizon

In a December 2013 post, we asked the question, Is it the right time for lower ACH return rate thresholds? We can now say that the answer is "Yes." The voting membership of NACHA-The Electronic Payments Association recently approved a NACHA Operating Rule amendment that will reduce the unauthorized debit return rate threshold.

The process of returning payment transactions is a pain point for the receiving financial institutions that incur the costs of exception processing, which includes handling customer service inquiries and the returns. Unauthorized transactions are also a pain point for customers who have experienced such postings to their accounts. For the financial institution originating transactions on behalf of businesses and third-party customers, ongoing and proactive monitoring of return rates can help them quickly identify potential problems and determine if those problems have been addressed.

The NACHA Operating Rule amendment will reduce the threshold for returns of unauthorized debit entries from 1 percent to 0.5 percent, effective September 18, 2015. An originating depository financial institution will be subject to possible reporting and fines if they have an originator or third-party sender whose return rate for unauthorized debits exceeds the current threshold.

As NACHA states in its information on the new rule, this 0.5 percent threshold is more than 16 times higher than the average network return rate of 0.03 percent for unauthorized debit entries in 2013. This new threshold will continue to emphasize the importance of institutions focusing on high return rates and working with their customers to bring any excessive rates down. The amendment also establishes a review process for when returns for "administrative" or "overall return" reasons exceed certain levels. For administrative returns, this will be 3 percent, and for overall returns, it will be 15 percent. Administrative returns include debits returned for reasons such as closed account, invalid account number structure, or the account number not corresponding to an existing account. Overall returns for ACH debits include unauthorized and administrative reasons, as well as others such as insufficient funds and stop payments.

Unlike the unauthorized return threshold, breaching return rate levels for administrative and overall return reasons will not result in an automatic requirement to reduce the return rate or undergo a rules enforcement proceeding. Instead, exceeding these return rates will lead to a process to determine if the origination practices of a given originator or third-party sender need to be modified to achieve lower exception levels.

The timeframe for implementing this rule allows originating financial institutions to look carefully at their current return monitoring processes and determine whether customers are near these return rates and to put into place practices that would address problem areas. Will this new rule affect your due diligence processes? Does your current monitoring already show that your customers' return rates are lower than the new thresholds?

Photo of Deborah ShawBy Deborah Shaw, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

September 22, 2014 in ACH, debit cards, regulations | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c01b7c6dede57970b

Listed below are links to blogs that reference New ACH Return Rate Threshold on the Horizon:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

December 16, 2013

Is It the Right Time for Lower ACH Return Rate Thresholds?

Monitoring return rates for automated clearing house (ACH) transactions is an important element of a bank’s risk mitigation program for its business and third-party clients. Recently, NACHA issued a request for comment (RFC) that addresses proposed changes to return rate thresholds included in the NACHA Operating Rules.

The NACHA Operating Rules currently identify a return rate threshold for unauthorized debit entries of 1 percent. The threshold is intended to reduce unauthorized entries transmitted over the ACH network. The NACHA Operating Rules hold an originating depository financial institution (ODFI) that has an originator or third-party sender with an unauthorized return rate over 1 percent subject to ODFI reporting and possible fines if the rate of returns is not reduced in a timely fashion.

According to the RFC, the unauthorized debit return rate declined due to several risk management efforts—including the 1 percent threshold, established in 2008—from 0.06 percent in 2005 to 0.03 percent in 2012. These reduced numbers demonstrate that the monitoring of return rates by banks and other network participants helps to identify issues and leads to fewer problematic transactions.

This RFC proposes three changes to how the NACHA Operating Rules currently address return rate thresholds.

  • A reduction in the return rate threshold for unauthorized debit entries from 1 percent to 0.5 percent.
  • Establishment of a return rate threshold for data quality debit entries (such as invalid account number) of 3 percent.
  • Implementation of an overall debit return rate threshold of 15 percent.

NACHA had issued an RFC in spring 2011 that proposed changes similar to the first two listed items, but ACH participants did not provide sufficient support then and the changes were not implemented. It seems that the time may now be right. The RFC indicates that the environment for this proposal appears to have changed, with ACH participants expressing interest in looking at new thresholds. And the proposal for an overall debit return threshold stresses the need for banks to focus on their overall return rates in addition to specific return reasons.

Regardless of which thresholds are included in the NACHA Operating Rules, banks should monitor for any increase in returns. They should also understand the underlying cause and remedies that their business or processor customers are implementing. A bank focus on return issues is one element of a robust risk management program that helps to ensure the bank’s origination of high-quality payment transactions.

With this proposal on return rate thresholds, is your institution rethinking its internal policies for return rate monitoring?

Photo of Deborah ShawBy Deborah Shaw, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed


December 16, 2013 in ACH, banks and banking, regulations | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c019b0317a3ef970d

Listed below are links to blogs that reference Is It the Right Time for Lower ACH Return Rate Thresholds?:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

August 26, 2013

Caution, Online Payday Lender Ahead

Payday lenders offer consumers short-term unsecured loans with high fees and interest rates. Payday loans—also referred to as deposit advance loans or payday advances—are a form of credit that some consumers may find appealing for a number of reasons, including an inability to qualify for other credit sources. The borrower usually pays the loan back on the next payday—hence the term "payday loan"—which means the underwriting process typically includes a history of payroll and related employment records.

A growing number of payday lenders operate their businesses virtually. Consumers can obtain loans and authorize repayment of the loans and fees during the same online session. In a typical online payday loan scenario, a borrower obtains a loan and provides authorization for the lender to send Automated Clearing House (ACH) debits to the consumer's account at a later date for repayment. The payday lender's bank can originate the debits through the ACH network. Wire transfer and remotely created checks may be other payment options.

Both state and federal regulators are currently focusing on the payday lending industry to protect consumers from illegal payday loans. Payday lending practices are usually regulated on the state level. Some states prohibit payday lending, while others require lenders to be licensed and to comply with maximum fees, loan amounts, and interest rate caps, among other restrictions. On the federal level, the Dodd-Frank Act has given the Consumer Financial Protection Bureau the authority to address deceptive and abusive practices by payday lenders.

Payday lenders' banks should consider all the risks involved with working with online payday lenders. And they should make sure to incorporate due diligence techniques and to become familiar with the available tools.

Reputation, reputation, reputation
First, there is reputational risk. A payday lender's bank should be aware that a business relationship—including ACH origination activity—with a company making illegal payday loans can damage the bank's image. Reputation can suffer even if the bank is not complicit in the illegal activities of its payday lender customer. But once a financial institution determines that facilitating payments on behalf of online payday lenders falls within its risk management model, it should ensure compliance with applicable laws and regulations. Providing periodic reports on ACH customers to the bank's board of directors is one way to facilitate review of whether these customers' activities remain within the bank's risk management model. It is critical that the bank protect its reputation, as that affects every part of its business.

The importance of know-your-customer practices
The payday lender's bank should also develop and follow adequate due diligence procedures. ACH rules require—and regulatory guidance advises—that banks perform "know your customer" (KYC) due diligence. KYC includes a variety of activities such as assessing the nature of the online payday lender's activities, setting appropriate restrictions on the types of entries and exposure limits for the lender, and monitoring origination and return activity.

Due diligence steps can include: 1) identifying the business's principal owners, 2) reviewing ratings for the business from the Better Business Bureau, consumer complaint sites, and credit service companies, and 3) determining if there have been recent legal actions against the business. A thoughtful review of the lender's website, including the terms of the consumer's authorization agreement as well as promotional materials, is advised. These due diligence practices during onboarding and on an ongoing basis for all merchants—including online payday lenders—help the bank with setting and enforcing appropriate restrictions for the customer and therefore mitigate the risk of the bank discovering a problem when it is too late.

Mitigating problems by being proactive
Banks can develop tools that flag potential problems in-house or obtain them from vendors, ACH operators, or NACHA. In addition, incorporating a process to monitor transactions and returns to identify anomalies can be very useful. An anomaly could, for example, be a sudden uptick in returns or an unusual increase in origination volume or average dollar amount. Detecting anomalies can be a trigger to conduct further research with a customer.

Other tools can be NACHA's originator watch list and vendor-terminated originator databases, which can help banks identify customers that may warrant additional scrutiny. Periodic audits can also be a useful tool to identify rules compliance issues.

For a bank, protecting its reputation is paramount when it is considering offering payment services to high-risk originators like online payday lenders. It should exercise caution, performing risk-based due diligence on new customers and then diligently monitoring current customers so it can identify problems early and address them proactively.

Photo of Deborah ShawBy Deborah Shaw, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

August 26, 2013 in ACH, consumer protection, online banking fraud, regulations | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c01901f04d739970b

Listed below are links to blogs that reference Caution, Online Payday Lender Ahead:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

October 01, 2012

Summer Is Gone, but ACH Fraud Remains

As the official summer came to an end this past Saturday, there was a noticeable change in the Atlanta weather that this runner was thrilled to greet. The heat and humidity of the past three months was replaced by cool and much drier air. Much like weather that changes with the seasons, the payments industry is continually evolving. Looking back through payments news over the summer, the industry experienced some shifts, most notably around mobile payments and digital wallets. However, at least one constant in payments grabbed the headlines yet again—a payments scam that could eventually lead to payments fraud.

In late June and early July, news broke of a scam that claimed President Obama or the federal government would help consumers pay their bills. In exchange for providing the scammers with personal data, such as social security number and bank routing and account numbers, consumers were given routing and account numbers to use to pay their bills. Interestingly, this scam went viral not because of scammers' actions, but through social media outlets as consumers caught up in the scam spread the word about “free money.” The routing numbers used in the scam actually turned out to be legitimate routing numbers of financial institutions—but the account numbers were invalid.

Ultimately, this scam negatively affected all involved: consumers, billers, originating depository financial institutions (ODFIs), and receiving depository financial institutions (RDFIs). Consumers' bills went unpaid, and some were saddled with late fees by their billers who had not received payments on time. ODFIs and RDFIs were left with thousands of returned items. Deborah Shaw, a managing director with NACHA, recently shared with us at the forum several procedures and policies for both ODFIs and RDFIs to consider in light of this scam:

  • ODFIs should review files for unusual patterns such as a high number of repeated routing and account number combinations.
  • ODFIs need to educate their business customers on the importance of communicating to consumers that ACH debit payments can be returned.
  • RDFIs should not delay the processing of returns, especially when there is a high volume of them. For most ACH debits, NACHA has a two-day deadline for returning the item back to the ODFI if the RDFI wants to use the ACH system for the return.
  • RDFIs must implement a methodology of monitoring returns so they can detect developing patterns.
  • RDFIs should develop a contingency plan for return volumes that significantly exceed their normal return volumes.

In addition to Deborah's suggestion, we believe that RDFIs should evaluate their systems to ensure that they can handle larger-than-normal return volumes. A large number of RDFIs still rely on manually keying returns; we suggest that these institutions consider developing an automated return process in light of these emerging risks. Further, RDFIs need to ensure that they are well-capitalized or able to access funds should they face a large debit from high return volumes and are unable to quickly return the items.

The seasons will continue to change and blow in new weather, the payments industry will continue to progress, and fraud will without a doubt continue to find its way into the ACH system. And while this fraud will evolve alongside the evolving payments industry, financial institutions can take steps to mitigate the business and financial impact of fraud by proactively instituting policies and procedures to quickly identify and return fraudulent transactions.

Douglas A. KingBy Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

October 1, 2012 in ACH, consumer fraud, risk management | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c017c32410708970b

Listed below are links to blogs that reference Summer Is Gone, but ACH Fraud Remains:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

August 20, 2012

Finding a Reasonable Definition of Commercially Reasonable

Corporate account takeovers have cost businesses millions of dollars over the last several years. According to 2011 congressional testimony of Gordon Snow, assistant director of the FBI's cyber division, the FBI was at that time investigating more than 400 reported cases of corporate account takeovers. These 400 cases involved the attempted theft of over $255 million, resulting in actual losses of approximately $85 million.

Corporate accounts are not offered the same protections as consumer accounts, which are protected from financial loss from online fraud through the Electronic Funds Transfer Act and Regulation E. Article 4A of the Uniform Commercial Code (UCC) states that as long as a bank adopts commercially reasonable security measures, its business customers are accountable for fraud losses arising from funds transfers. Unfortunately, Article 4A does not provide a definition for "commercially reasonable," which leaves the term open to interpretation.

A recent ruling by a court of appeals reveals one court's opinion on what is commercially reasonable versus unreasonable. Despite the bank's compliance with Federal Financial Institutions Examination Council (FFIEC) guidance, the court found in favor of the bank's customer. In accordance with the FFIEC guidance, the bank employed multifactor authentication and had the capacity to detect and stop possible fraud. However, the court still found the bank's security measures unreasonable due to two factors.

First, the bank failed to consider the circumstances of its customer's frequency and volume of ACH transactions when implementing security measures and developing security procedures. And second, it failed to monitor and provide notice of possible fraudulent transactions to the customer. A key takeaway from this court's opinion is that financial institutions must take a holistic approach to preventing and detecting fraud. Having the proper prevention and detection tools in place is just one aspect of a fraud mitigation strategy. Financial institutions should also have policies and procedures in place to effectively use their deployed resources and technology for the unique circumstances of each of their customers. Unfortunately, a "one-size-fits-all" approach does not work in the fraud prevention arena.

Though the court did not offer an opinion on the customer's obligations in this particular case, it did recognize that commercial customers also have "obligations and responsibilities" under Article 4A of the UCC. So, at least according to this court's opinion, the holistic approach to fraud prevention does not stop with the financial institution. Corporate customers must also incorporate systems and policies to prevent unauthorized access to its financial accounts and other sensitive documents. With corporate account takeover fraud showing no signs of slowing down, it is imperative that financial institutions and their corporate customers discuss each others' roles and obligations to effectively minimize their risks.

Douglas A. KingBy Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

August 20, 2012 in account takeovers, ACH | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c0176175624e1970c

Listed below are links to blogs that reference Finding a Reasonable Definition of Commercially Reasonable:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

January 31, 2011

Payments Spotlight podcast: The evolving threat of corporate account takeovers as seen through a bank's lens

Play Play podcast (MP3 7:23) TranscriptTranscript

Last July, we spoke with Jane Larimer, executive vice president of ACH network administration and general counsel for NACHA, about fraud in the ACH network via corporate account takeovers. In the latest interview in our Payments Spotlight podcast series, we revisit the issue of corporate account takeovers—this time, from a bank's point of view. Tina Giorgio, senior vice president of operations for Sandy Spring Bank in Columbia, Md., and a member of the Atlanta Fed's Retail Payments Risk Forum's Advisory Group, offered some helpful tips for financial institutions on how to best deter corporate account takeover attacks. The podcast is one that financial institutions would benefit from hearing and one worth sharing with their corporate customers.

Addressing corporate account takeover threats
NACHA's Risk Management Advisory Group (RMAG) published a newsletter in April 2010 detailing how criminals target institutions and what institutions can do to prevent an attack. Tina told us that the RMAG has been actively engaged in addressing corporate account takeovers since they emerged in 2007.

Additionally, Tina said that NACHA's board of directors released a policy statement in October 2010 stressing the importance of implementing sound business practices to mitigate the risk of corporate account takeovers in the ACH network. The RMAG, Tina tells us, is currently working on developing resources to assist businesses and banks alike in assessing, establishing, and strengthening sound business practices.

Taking the first step in the fight against corporate account takeovers
The banking system has been combating large-scale phishing attacks for some time now. In recent years, we've seen more frequent reports of global cybercriminals' successfully stealing the credentials of bank customers through numerous low-value transactions or one-time, large-scale attacks against corporate bank accounts.

Tina said that from a bank's perspective, the first step in detecting and protecting against corporate account takeovers requires diligent risk management from the institution and its corporate customer. Educating business customers about sound and safe business practices is critical; essential educational components include the importance of daily account reconciliation and deployment of up-to-date security patches.

Using the bank's existing tool kit
Cybercriminals use sophisticated commercial online banking malware to attack computers that store sensitive banking credentials. Some of these malicious software programs are reportedly undetectable and capable of defeating multi-factor authentication systems. Tina said she believes that some of the best tools at a bank's disposal for combating these malwares include employing out-of-band authentication and alerts, as well as maintaining the payment file initiation under dual control. She also said that banks may also already have in place some low-tech tools to help prevent these takeovers—exposure limits, origination calendars, and prenotifications all provide added security layers.

Ultimately, Tina said, banks and their corporate customers must remain vigilant in protecting against corporate account takeovers. Otherwise, their risk for these takeovers increases exponentially, and it is each of their responsibilities to act safely and defend against these types of cyberattacks. Fraudsters' attacks will continue to become more sophisticated, but adopting these tips and measures can best prepare banks and its corporate consumers to defend against cyber attacks.

Photo of Ana Cavazos-WrightBy Ana Cavazos-Wright, senior payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed

January 31, 2011 in account takeovers, ACH, banks and banking, cybercrime, data security, fraud | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c0148c823e9d8970c

Listed below are links to blogs that reference Payments Spotlight podcast: The evolving threat of corporate account takeovers as seen through a bank's lens:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

January 24, 2011

The future role of financial institutions in the domestic P2P environment

Although the use of online banking and online bill payment has flourished over the past decade, banks have yet to capitalize on the opportunity of the thriving online and mobile domestic person-to-person (P2P) transaction market. Online banking use more than doubled from 20 percent of households in 2000 to 53 percent in 2009, according to a December 2009 Javelin Strategy report (Multi-Channel Account-to-Account Transfers and P2P Payments Forecast: Evaluating Trends and Assessing the Future 2006–2014). Further, online bill payment usage has grown from 5 percent of households to 36 percent during the same time period. However, the traditional bank P2P methods of check, cash, and wire transfer continue to decline while online and mobile domestic transfers are expected to grow at a 9 percent compound annual growth rate, according to the Javelin Strategy report. As banks face continued downward pressure on revenues and intense competition from both new and existing players, the online and mobile P2P market represents a threat to banks' traditional check business. However, it also represents a potential opportunity for banks to offer a distinct service to their customers.

The expanding domestic P2P market
A 2009 TowerGroup report (Noncash P2P Payments: Checks in Decline Still Rule the Roost) estimates the U.S. noncash domestic transfer market at $1.1 trillion, composed of more than three billion transactions. Checks remain the dominant P2P means of settlement. However, the availability of the Internet to households, impressive growth of smartphones, exponential increases in consumer mobile data usage, and numerous mobile applications (especially for the iPhone) are creating a healthy environment for the growing online and mobile domestic transfer market in the United States. The Javelin Strategy report suggests nearly 44 percent of the 86 million online households made at least one online P2P transfer, up from 27 percent in 2008.


US Person-to-Person (P2P) Payment Mix (2008)
Enlarge Enlarge


The online and mobile P2P market has been dominated by PayPal to date. However, payment processors, electronic card networks, and new emerging payment service providers have launched competing products over the last several years. PayPal and other service providers, such as CashEdge, Fiserv, FIS, and MasterCard, have each created products designed to integrate into banks' existing online and mobile channels. Although these products can be integrated into banking channels and the transactions are more convenient for consumers than a traditional bank wire or check transaction, the transaction is far from seamless. In order to use the online and mobile P2P products that banks currently offer, consumers must register not only with their bank but also with the bank's P2P service provider partner, which often requires them to submit their personal and banking account information. Adding further complications, completing the transaction may require the receiver of the payment, or the receiver’s bank, to have a relationship with the P2P provider that the payer uses.

Tapping the ACH network?
While it appears that the migration from paper checks to electronic forms of payment in the consumer-to-business market is crossing over to the P2P market, banks still have many hurdles to clear before they can capitalize on the P2P opportunity as online and mobile P2P payments become widespread. The P2P providers offer banks a solution that allows for quicker settlement than either checks or wire transfers, but the solution is still far from consumer-friendly. In order to provide banking consumers a friendlier P2P online and mobile service, banks could consider the development of a P2P solution that leverages the extensive ACH network in a manner similar to a person-to-business transaction. Much like mobile banking or bill payment, consumers could opt into the P2P service and transfer or receive funds between any banking institution on the ACH network without having to register with and provide confidential data to a third-party P2P service provider to access the service.

By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

January 24, 2011 in ACH, banks and banking, P2P | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c0147e1ebdaa1970b

Listed below are links to blogs that reference The future role of financial institutions in the domestic P2P environment:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

December 13, 2010

Numbers don't back up fears about WEB and TEL

Recently, I got word that many banks, particularly small banks, may be bypassing the opportunity to market certain ACH origination services to their corporate customers because they are concerned about the underlying potential for fraud. In particular, banks may be holding back on offering debit origination services to companies selling services or accepting bill payments over the web or telephone. These are recognized as WEB or TEL entries in the parlance of ACH.

Certainly, conscientious, well-controlled financial institutions should be concerned about ensuring that they are not party to fraudulent transactions through the ACH. However, there is nothing inherently risky about WEB and TEL entries compared to any other types of transactions. In fact, in recent presentations, the NACHA-The Electronic Payments Association has revealed encouraging long-term trends with regard to a key statistic in sensing fraud: the level of unauthorized ACH returns.

WEB and TEL return data are favorable
Data collected from the Federal Reserve and the Clearing House Payments Company—the two ACH operators—and aggregated by NACHA show that the overall return rate for WEB transactions stands at 0.03 percent, or three transactions in every 10,000, as of the second quarter of 2010. Interestingly, this rate is actually slightly lower than the rate for all preauthorized debits—such as insurance premiums, car payments, and health club fees—which stands at 0.04 percent over the same period.

For TEL transactions, the rate is somewhat higher at 0.11 percent, or 11 returns for every 10,000 transactions. This higher rate may stem from the fact that a good percentage of TEL transactions flow from telemarketing activities that are sometimes fraudulent or sometimes characterized by "buyer's remorse." In contrast, Federal Reserve data show that return rates for check collection—a business generally thought to be safe by most banks—average something less than 1.0 percent. The point here is that data shows that ACH WEB and TEL transactions do not appear to be risky by common transaction processing measures.

Knowing the customer is still critical
As with all account relationships held by financial institutions, a small dose of due diligence can go a long way to help ensure that an institution does not engage with a fraudulent firm. This "know your customer" process, if applied regularly, can diminish any significant chance of experiencing ACH fraud for TEL transactions. For that matter, the same due diligence is necessary for remote deposit capture, remotely created check relationships, and credit card services. In addition, both the Federal Reserve and the Clearing House offer originating depository financial institutions ACH risk management and monitoring services that allow a bank to quickly detect any dangerous trends in unauthorized return experience. In fact, the Federal Reserve service allows originating financial institutions to reduce their risk exposure by establishing debit and credit origination limits on any of their corporate originators as part of their overall risk management program.

The only thing we have to fear...
It's possible that some of the concerns that small banks have regarding these transactions stem from recent news reports. Some corporations that have fallen victim to so-called account takeovers have accused their banks of not doing enough to help them detect fraudulent activity in their ACH-originated payroll files. As most professionals know by now, Internet-based criminals use the account takeover scheme to insert malware into a company's system through e-mail, spam, or some other vehicle. Banks are still wrestling with ways to help their clients monitor such files, and ACH operators do not have any specific services in place yet to help the banks do this. However, WEB and TEL transactions involve the origination of debit transactions, not credit transactions, as is generally the case with account takeovers.

Small banks may also not be originating WEB and TEL transactions simply because many smaller companies, utilities, manufacturers, and retailers are not yet offering web-based payment services. In essence, the market for selling such services is limited, but it's clear that over time more and more small companies will be able to offer these payment services and will be asking their banks to support ACH WEB and TEL originations. And really, given the data and controls noted above, "The only thing we have to fear is fear itself," to quote a famous president.

Marie Curie said it a little differently: "Nothing in life is to be feared. It is only to be understood." It is important to be risk-conscious, but it is also important to understand the available data and controls for informing decisions about ACH services that could represent opportunities to service a customer's changing needs better.

Photo of Rich OliverBy Rich Oliver, executive vice president of the Atlanta Fed and director of the Retail Payments Risk Forum

December 13, 2010 in ACH, fraud, payments | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c0147e0a433c8970b

Listed below are links to blogs that reference Numbers don't back up fears about WEB and TEL:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

August 30, 2010

Latest Payments Spotlight podcast focuses on fraud and risk in the ACH network: They're on the rise, but under control

Play Play podcast (MP3 15:07) TranscriptTranscript

NACHA—The Electronic Payments Association (formerly the National Automated Clearinghouse Association) describes ACH fraud risk as "the risk that ACH data will be compromised through the introduction of false transactions, the alteration of valid transactions or the alteration of static data that controls the routing or settlement of valid ACH transactions." Fraud in the ACH network can occur in a number of ways, including through corporate account takeovers, direct-access relationships, and possibly person-to-person payments.

In our latest podcast interview, Jane Larimer, executive vice president of ACH network administration, general counsel for NACHA, and a member of the Atlanta Fed's Retail Payments Risk Forum's Advisory Group, explores these risks and some of the steps financial institutions can take to mitigate them.

Corporate account takeovers
The incidence of corporate account takeovers—when cybercriminals use malicious software to steal user credentials to originate wire transfers and ACH batches—has been a significant fraud issue in the past year. Criminals have stolen the banking credentials of several small businesses, municipalities, and even school districts, which they have then used to make unauthorized ACH transactions and wire transfers.

Larimer says that the best way to safeguard against this type of ACH fraud is to be aware of your surroundings and follow safe best practices like using multifactor and multichannel authentication as well as multilayer controls. Financial institutions can also employ red-flag controls and out-of-band verification for transactions. Most importantly, businesses should monitor their activities by conducting daily account reconcilements. This is important advice, she says, even if it may seem old school. Also critical is ensuring that anti-spyware, anti-malware, and security software for computer workstations and laptops used for online banking and payments are up to date. Larimer also recommends using a dedicated computer for online banking functions and not using it for other activities such as browsing at a Wi-Fi hotspot or coffee shop.

ACH risk measures show a downward trend
A common measure of risk in the ACH network is the number of unauthorized debits returned to institutions originating transactions. NACHA reported that this measure has declined for the past several years, including last year, which saw a 9.6 percent decline. The reason? Larimer attributes the success story to effective risk management, targeted rulemaking, and rule enforcement. Thanks to new network enforcement and company name rules, NACHA has seen a continued decline in return rates and unauthorized debits, especially in the first quarter of 2010, when the volume of unauthorized debits declined 16 percent over the first quarter of 2009.

Direct-access relationships
In March 2010, NACHA released an ACH Operations Bulletin that requires financial institutions to register or report their direct-access relationships with originators or third parties. Larimer explains that the new registration requirement helps NACHA track and promote due diligence in accordance with originating depository financial institutions' (ODFI) risk-management policies. An ODFI that permits its originator or third parties direct access to the ACH network potentially exposes itself to a host of risks. Larimer says that it is essential for an ODFI participating in these relationships to effectively mitigate the risks by appropriately underwriting, managing, and monitoring its customer relationships.

Partnerships in the fight against ACH network fraud and risk
ACH fraud and risk impact financial institutions and businesses, and while their goals may vary according to their unique roles, they all share a common responsibility to safeguard the network against fraud through sound controls and processes. Larimer believes that risk mitigation and prevention are the responsibility of every party in the ACH network, and that establishing partnerships between financial institutions and business is a move towards reducing fraud and risk in the ACH network.

By Ana Cavazos-Wright, senior payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed

August 30, 2010 in account takeovers, ACH, fraud | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c0134868ebe44970c

Listed below are links to blogs that reference Latest Payments Spotlight podcast focuses on fraud and risk in the ACH network: They're on the rise, but under control:

Comments

To underscore the blog post, please see the folowing post from my blog: thepaymentsblog.com

Everything You Read Is Not Always Accurate


Last week I Tweeted about an article published by Digital Transactions on August 19, 2010 whose headline "A Survey Reveals a Rising Volume of Disputed ACH Debits" could have led readers to believe that all hell was breaking loose within the ACH industry. The article cited a survey conducted by eGistics in which financial institutions and payment processors indicated a 63% rise in disputed or unauthorized ACH transactions in 2009 when compared to 2008.

Well that article troubled me because I know through firsthand experience in running ACH businesses and as a NACHA Board member, how much real progress has been made to effectively manage ACH risk, especially the risks posed by unauthorized ACH transactions. So much work has been done by NACHA, the Risk Management Group and subsequent rules changes to reduce return item risk and volumes. Therefore, I did some investigation to better understand how eGistics came up with their numbers and cross-referenced them to the return numbers tracked and published by NACHA - the organization responsible for establishing and enforcing adherence to ACH rules within the network and NACHA’s numbers depict a far different picture than eGistics.

eGistics conducted a webinar last week to discuss their survey results. In that webinar, eGistics was asked to better describe the processors and financial institutions participating in the survey. eGitics indicated that many of their respondents experienced ACH growth far beyond the industry rate of 2%. These respondents had actually seen their ACH volume grow 20% or more - which then explains how return rates for these specific FI's and processors were higher due their individual origination growth rates; not a true indication that return rates, as an industry, were once gain climbing; nor a true reflection of the experience of all ACH originators. But it did explain to me the Digital Transaction headline – that is and was not representative of all ACH participants. The simple truth is that return rates of all kinds will increase as one’s origination volumes grow. However, the experience of a few does not a trend make and returns ARE going down, not up.

So I hope this provides a more complete picture; dispels any unwarranted fear and set the record straight - return item volume has been declining ever since NACHA’s network rules and enforcement efforts became more robust.
So don’t believe everything you read (and I say that to me too) and ask questions to see what is really behind the headlines.

Posted by: Marcie J. Haitema | August 31, 2010 at 06:00 AM

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

August 02, 2010

Fight against payments fraud: The target is moving, but not everybody takes aim

Industry statistics show payments fraud continually evolves, which is a likely reason it will never disappear. Even so, industry statistics also show some institutions prefer incurring costs associated with fraud rather than paying the price for preventive measures. Nothing drives those points home like drilling into the numbers.

Regarding the evolution of payments fraud, the same technologies that enable electronic payment innovations are also the same ones that help bad actors find ways to access consumer data and account information to perpetrate identity theft and payments fraud. In fact, FinCEN's June 2010 issue of The SAR Activity Review — By the Numbers reports that the number of Suspicious Activity Report (SAR) forms filed by depository institutions on computer intrusion, while quite small relative to other forms of suspicious activities at around 1 percent of suspicious activity–type filings, increased roughly 52 percent in 2009 from 2008.


Changes in Types of Suspicious Activity, 2008-09
ENLARGE

This increase of computer intrusions confirms recent media reports about the industry's heightened concern over malware attacks and corporate account takeovers. However, despite the continued decline in check writing, the data also show that check fraud remains the most frequently reported suspicious activity, primarily in the form of counterfeit checks.


FinCEN Suspicious activity report filings by depository institutions
ENLARGE

Businesses weigh in: Check fraud remains rampant
Even with the emergence of new threats, many of the established risks continue to thrive. The Association for Financial Professionals (AFP) 2010 Payments Fraud and Control Survey reports payments risk experience from the standpoint of businesses, with similar results. The survey indicates payment fraud, particularly check fraud, "remains rampant." Ninety percent of respondents to the survey were victims of check fraud, with 64 percent suffering financial loss as a result.


Prevalence of Payments Fraud in 2009
ENLARGE

Industry fight against payments fraud
The fight against fraud remains ongoing—financial institutions and vendors offer a number of fraud control services to protect corporate bank accounts. According to the AFP, the most widely used fraud control measure to guard against check fraud is positive pay, a tool that compares an organization's check record with those presented for payment or payee names for possible alteration. With respect to ACH payments, companies can use debit blocks and filters to prevent unauthorized transactions. Other traditional internal control processes, including daily reconciliation and separation of duties, are effective measures especially in concert with similar sound practices by the organization's financial institution, such as the use of checklists (as described in an earlier post). Other mitigation practices reported in the AFP report include restricting online data communications and controlling the transmission of payment instructions from the phone or fax to more secure environments, to name just a few.

Interestingly, the report included survey responses on reasons organizations elected to forgo the use of purchased fraud control services, with most reporting that the costs outweigh the perceived benefits they might realize.


Reasons for Not Using Positive Pay, Debit Blocks or UPIC
ENLARGE

Looking forward
If we use these reputable data sources as proxies for the collective success of the efforts of all payments stakeholders in the fight against payments fraud, we appear to be doing rather well. Fraud experts know, however, that there is no time for resting on laurels, as the bad actors are always moving forward. It will be critical to engage all stakeholders in the fight against payments fraud, finding new means to control the disclosure of private information and to authenticate consumer payment credentials at every step in the payments process.

By Cindy Merritt, assistant director of the Retail Payments Risk Forum

August 2, 2010 in ACH, card networks, check fraud, consumer fraud, fraud, online banking fraud, risk | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c013485f0df70970c

Listed below are links to blogs that reference Fight against payments fraud: The target is moving, but not everybody takes aim:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in