New Fraud Challenges Introduced by Same Day ACH

We all recognize that Same Day ACH promises improved payments services for account holders. But FIs have a lot to figure out between now and when it goes live in September 2016, including how to mitigate increased fraud risk.

While we have some ideas for the types of schemes fraudsters may launch (below), perhaps the biggest risk is they have repeatedly demonstrated their creativity and innovation in how to take advantage of any disruption or change. If you want to be truly ready for Same Day ACH, it’s time to step up your fraud prevention game.

What’s Different?
If the improved service level has the effect that NACHA (and the industry) wants, there will be increased use of the ACH payments system for same day payroll, P2P, bill pay, and other payment offerings. So, more files will need to be processed in a shorter period of time.
Also, the funds will be harder to retrieve if a fraudulent transaction does slip through. Just as wire transfers have been popular with fraudsters because of the speed with which they can access the funds and move them out of reach, Same Day ACHs will now provide criminals with this same benefit.

How Will Criminals Attack?
Here are some of the fraud schemes that FIs need to consider as they update processes and consider new technologies. Fraudsters could:

  • Submit a large volume of payments just before the cut-off time, forcing FIs to rush through their review process and resulting in some payments slipping through undetected
  • Submit payments that are just under the FI’s review threshold so they’re less likely to get noticed, especially in light of higher payment volumes
  • Target other channels or payment types, on the theory that FIs are overly focused on ACH leading up to settlement times, lowering their guard elsewhere
  • Use social engineering techniques against account holders, resulting in payments that look legit because they’re coming from the actual account holder, but with less time to uncover the underlying scheme
  • Add recipients to payroll files or change account information for existing recipients within a payroll file, which are hard enough to detect today and will be even harder to detect under severe time constraints
  • Compromise third-party senders and submit fraudulent payments into which ODFIs have no visibility and that could get overlooked among the high volume of payments needing to be reviewed in the short review window

New Strategies for Mitigating Fraud Risk
Simply increasing the size of the team charged with reviewing ACH files is not an affordable, scalable, nor sustainable option. The cost of hiring additional staff would be prohibitive, especially at a time when many FIs are trying to downsize their fraud operations team, and pulling people from other functions for a few hours a day would leave those other areas understaffed and exposed.

And tightening up security rules crafted to identify suspicious ACH payments will likely just result in poor customer service and higher false positive rates. On top of the higher volume, this will produce more alerts, with less time to investigate them.

The best strategy is to add technology to automate as much of the review process as possible. A real-time behavioral analytics solution like ACH ODFI & RDFI Fraud Detection can use behavioral models to triage incoming files into low risk payments that can be released automatically (the majority of payments), and the relatively few high-risk payments that require manual review.

Furthermore, Guardian Analytics’ ACH ODFI & RDFI Fraud Detection rich activity history for will make it easier and faster for analysts to investigate high-risk payments and decide which ones to release.

Our most important recommendation is to start now, because you know the fraudsters have already started planning their new attacks. Rethink your payments offerings and policies, evaluate technology solutions for automatically reviewing payments, and budget now to be sure you’re ready to go come September 2016, which is just around the corner.
This article also appeared, with slight modifications, in Banking Exchange.