Fraud and Risk in the ACH Network

July 2010

Moderator: Welcome to the Federal Reserve Bank of Atlanta's Payments Spotlight podcast. Today we're joined by Jane Larimer, executive vice president of ACH network administration, and general counsel for NACHA, the Electronic Payments Association. Jane also serves on the advisory group for the Atlanta Fed's Retail Payments Risk Forum. She will be speaking about fraud and risk in the ACH network. Jane, thank you for joining us.

Jane Larimer: Jennifer, it's my pleasure to be here today.

Moderator: Let's start by talking about corporate account takeovers, which has been a significant fraud issue in the payments arena this past year. In fact, there have been several cases of small businesses, municipalities, and even school districts that have had their banking credentials stolen, and the perpetrators were then able to make unauthorized ACH transactions and wire transfers. What advice would you give to financial institutions and businesses on how to be proactive in guarding against this type of fraud?

Larimer: Well, Jennifer, I think the first thing is, the way we can safeguard against this kind of crime is the same way we'd safeguard against any crime. The number one thing we're told about ensuring personal safety is that you have to be aware of your surroundings. So, when I'm walking to my car late at night, the first thing I am told is that I need to be alert and look around the parking lot and be aware of any noises or anything that you hear. The same thing can be said in the instance of corporate account takeover. Nearly all of these cyberattacks can be avoided by both the financial institution and businesses implementing safe best practices. So, this is a partnership between FI's and businesses, and both financial institutions and businesses need to do their part. Financial institutions can employ best practices, like multifactor and multichannel authentication as well as multilayer controls. They can employ red-flag controls and out-of-band verification for transactions. And, in general, the number one thing, I think, businesses should be doing to monitor activity and be aware of what's going on with their accounts is to reconcile their accounts daily. And that's kind of old school, but it's the number one thing. Be aware of what's happening on your business account.

Then, ensure that all anti-spyware, anti-malware, and security software and mechanisms for all computer workstations and laptops that are used for online banking and payments are robust and up to date. One of the things that has been recommended is using one dedicated computer for online banking only. If you're using your laptop for online banking, some pretty, I think, basic safety is to not use that computer, that laptop, at, say a wi-fi hotspot, or a coffee shop, to do your online banking on that same computer.

There are some things that are very basic, practical things to do. Another one for a business, maybe, is for business-to-practice dual control, is to have one treasurer or officer or employee to write the payment or authorize the payment and for another one to authorize it or verify it before it goes out. So I think that there are some due diligence and some pretty basic things that both businesses and financial institutions can do in this area.

Moderator: Jane, as you know, a common measure of risk in the ACH network is the number of unauthorized debits returned to the institution that originated the transaction. NACHA has reported a downward trend in unauthorized returns for several years, including a 9.6 percent decline last year. Should we expect this trend to continue, or are there other factors that may impact this in the future?

Larimer: Well, you know, this is a success story, I think. As a result of effective risk management and rules enforcement and targeted rule making, including passing the network enforcement rule and the company name rule, we have seen a continued decline in return rates in unauthorized debits. And, in fact, in first quarter 2010, we saw that the absolute volume of unauthorized debits was down 16.2 percent over the first quarter of 2009. So, I think that this is a big success story, and something that we are looking at.

The unauthorized return rate even went down from .04 percent to .03 percent, so that's 3 in every 10,000 transactions are returned for unauthorized reasons. And while this is an extremely positive development, I think one of the things we need to do is to watch it, and to continue to be diligent as we look at new risk-management practices and additional monitoring.

I think another thing that we're seeing is just the overall return rates declining. So that includes closed account and valid account NSF returns. And, I think, this is also indicative of higher-quality ACH transactions that are flowing through the network. For example, the company name rule requires that companies originating transactions must be defined by a name that the consumer can recognize. This has made transactions more transparent to the consumer helping to mitigate returns; say the consumer might have been confused because they didn't know who the payee of the payment was. It's also helped prevent high-risk originators from using phone numbers or other vague names in the hope that consumers might assume the transaction was valid when it might not have been valid in the first place.

So, I think, although we've seen very positive trends since 2008, and I expect this positive trend to continue, I do think that the rate of decline may likely slow going into the future. The operators in NACHA have been diligent in our approach to risk management, and the industry has embraced these efforts and is taking unauthorized returns very seriously. I think they are monitoring them more readily; they're cracking down on occurrences. But that said, I don't think that all high risk originators, all telemarketing schemes, all of these things are gone from the industry totally. So, it doesn't mean that there's not high-risk activity out there that's always looking for a way onto a channel. Those high-risk originators may be looking for another way to get into the ACH, or they may have just moved to another channel, another payment channel.

So, for instance, these transactions are now being collected as remotely created checks; as an industry we cannot monitor them. And we're aware of organizations that are actively marketing RCCs to originators who may have had high rates of returns. So we know that all this high-risk activity hasn't gone away completely, and so as an industry, I just think, we need to all be safeguarding against payments risk in whatever channel it shows up in.

Moderator: When NACHA released a study this year that examined the potential consumer demand for electronic person-to-person, or what are often called P-to-P payments. These transactions obviously represent an opportunity for financial institutions and solution providers to leverage the ACH network. However, are there any inherent risks with person-to-person payments?

Larimer: Well, that's a great question. I mean, P-to-P payments are definitely a growing area of interest for the industry, and they're certainly high on the list of the things that NACHA's looking at. In fact, NACHA's membership just approved a rule on mobile ACH payments that expands the definition of a web payment to incorporate mobile ACH debits. This is just our first step in a mobile approach that will include the evaluation of unique attributes of specific uses of mobile payments, such as a P-to-P payment.

One of the most prevalent models that we are seeing in the market today, Jennifer, utilizes a split transaction, where the funds are debited, held to protect against the risk of NSF, and then they're credited to the payee. So, for example, this would be an instance where the P-to-P payment provider debits money from me, they hold it for two days, and then they credit it on to you, Jennifer, as the payee. So, the degree of risk that's added to a split transaction is if there is a potential unauthorized return. So, in this case, it may be that I send the money to you, Jennifer, the payment provider holds it for two or three days, they credit it to you, and then 45 days after that I return the transaction for unauthorized reasons, or I claim that the transaction, the underlying funding transaction, is unauthorized. So, there is that added risk to a split transaction, and the question will be, how the payments providers, the P-to-P payments provider, mitigates against that risk. What due diligence and risk management controls do they have in place to lessen the likelihood of that happening, or to control against that risk?

So, our position is that with proper rules and risk management procedures in place, the industry can capitalize on the safety, efficiency, and ubiquity of the network for this type of payment solution. So we're really looking forward to see how the market will evolve.

Moderator: One of NACHA's responsibilities is implementing the risk management framework for the ACH network. In 2007, NACHA increased the fines that could be levied for violations to the operating rules. Has NACHA's efforts to institute stricter fines had any effect?

Larimer: The risk management tools we've put in place have had a profound effect on the network as evidenced, as we were just talking about, by the double-digit decline in unauthorized debits. Raising fines was actually one component of a much broader rule, and it's a rule that we, that NACHA, called the network enforcement rule, so it was one component of that rule. The network enforcement rule required ODFI originator combinations—and I'm trying to simplify this—to maintain an unauthorized return rate of less than 1 percent. In addition, it provided NACHA with the ability to ask the ODFI to verify its unauthorized return rates, and if those rates were higher than 1 percent, to require the ODFI to develop a plan to quickly reduce the rate of unauthorized returns. So, it was a much broader rule than just stricter fines. In fact, it also gave the Rules Enforcement Panel the authority to direct an ODFI to suspend an originator or third-party sender from the ACH network in very bad circumstances. So it was, I think, a broad rule that really gave the network enforcement rule and NACHA more teeth to enforce the NACHA operating rules. So, I think that that has had a profound effect.

Moderator: NACHA recently started requiring financial institutions to register or report their direct access relationships with originators or third parties. Are there any emerging ACH fraud risks related to third parties that cause you concern?

Larimer: Well, that's a very big question, Jennifer. I'm going to try to take it in maybe two parts. First of all, for those who might not be as familiar with the ACH lingo, "direct access" is a circumstance in which an originator, or a third-party sender, sends ACH transactions directly to an ACH operator. Those transactions do not run through their ODFIs. And so, we passed a rule so that we'd be able to adequately measure those relationships on the ACH network, see how often they occur, and then be able to have a better idea from a risk perspective of what additional risk they might pose to the network.

So, this registration does a couple of things. It helps us do that tracking, but it also promotes due diligence in adherence to risk management policies by ODFIs. When an ODFI allows its originator or third parties direct access to the operators the ACH network participants, and including the ODFI, may be exposed to a variety of risks, including frauds that arise out of shortcomings in the originators or third parties policies and procedures. So, it's essential that ODFIs that permit direct access effectively mitigate that risk by appropriately underwriting, managing, and monitoring its relationship to the customer. So as part of this registration, one of the things that we are doing is we are ensuring that the ODFI has an understanding of the fact that they're allowing direct access, who the parties are, does the ODFI have an understanding that this could be more risky if they are not doing the appropriate due diligence and risk controls that they need to be doing? So, we're not saying that direct access is inherently riskier. It's just inherently riskier when ODFIs are not doing the things that they should be doing. So, if they abdicate all responsibility for risk management and they abdicate that due diligence responsibility, that definitely could add risk to the network.

And, I think, whether or not a third party has direct access to the operators, there's one flavor of third-party risk that has been emerging that we're looking at right now, and I think that if this third party has direct access to the operator it could really make this much worse. But this is a scenario where a third party either goes bankrupt, it has its banking relationship terminated, or it absconds with the funds in their account. What we've seen a couple of times over the past several years is a situation where a third-party sender has collected the funding debits and then there is a failure before the credits are paid on to the payee. So, in this case, the failure could be that the ODFI ceases processing; it terminates that banking relationship very suddenly. Or, it could be an instance where the third-party sender, in one instance, basically left the United States with all of the money that they had, or they could go bankrupt.

So for instance, to try to add a little color to this, it would be a scenario, or say you, Jennifer, were paying tuition for your child, and you went online to the school to pay tuition. That school had a third-party processor that was actually moving the money, so in that case the debit was made to your account, but the third-party sender goes under in some way before the funding credit is actually made to the school. So, you have a scenario where the school is saying, "I never got paid," but the consumer, the payor, says, "Yeah, my account was already debited." So in these instances it means that there is a risk situation for both the payor, who has already had their account debited, and for their financial institution who is caught in the middle of this transaction. So, NACHA's risk management and advisory group has been looking at this issue and is developing proposed solutions. Because what we really don't want is that the payor, or the RDFI (the receiving bank), we don't want them to bare the risk of a third party that cannot complete a transaction. That risk should be sitting with the third party and with their financial institution, the ODFI. So we are starting to see proposals come out of the RMAG group, and that's something that we'll be looking at rulemaking in within NACHA within the next few months.

Moderator: Well, Jane, it's been pleasure talking to you; thanks for sharing your insights with us today.

Larimer: It was my pleasure, Jennifer.

Moderator: Again, we've been speaking today with Jane Larimer, NACHA's executive vice president of ACH network administration and general council. This concludes our Payments Spotlight podcast on fraud and risk in the ACH network. You can find more information about the Retail Payments Risk Forum by visiting our Web site at Thanks for listening and please return for more podcasts. If you have comments or questions, please send us an e-mail at