By Andrew Leon
In September 2016, same-day Automated Clearing House (ACH) payment processing will become a reality. While this represents a terrific opportunity for banks to be responsive to their customers’ requirements for faster ACH payments, plus the ability to attract new customers from banks that choose not to offer the same level of responsiveness, it also increases the risk of payment fraud. Fraudsters have already locked in on Same Day ACH as an opportunity to commit fraud, particularly around payroll and account-to-account transfers, where the bank doesn’t have a real-time system in place to quickly receive, analyze and either approve or deny ACH requests, depending on their validity.
Here, in brief, is a look at what same-day ACH is, how it will dramatically increase risk, why current fraud detection systems are inadequate, and what banks need to do to protect themselves while seizing this new opportunity to be competitive.
Today, most ACH transactions are completed as soon as the next business day. Some transactions may take longer. Same-day ACH will allow transactions to be initiated and completed on the same day – a welcome option for businesses and individuals who require expedited payment alternatives.
Many banks are in favor of same-day ACH as well. Offering this value-added service will bring them a competitive advantage and the opportunity to earn higher fees for processing payment requests within the shorter timeframe. However, there is a problem: greater risk due to reduced transaction review times, increased transaction volumes, and intensified interest from fraudsters.
The Risks of Same-Day ACH
1. Decreased Settlement Times
In September, two new same-day settlement windows will be added to the ACH Network:
- A morning submission deadline at 10:30 AM ET, with settlement occurring at 1:00 PM.
- An afternoon submission deadline at 2:45 PM ET, with settlement occurring at 5:00 PM.
This will increase the movement of funds by financial institutions from once per day to three times per day. The corollary is that originating banks will have less time to review payments. Currently, investigators have several days to detect and investigate suspicious transactions. With the shortened time windows, funds can clear in as little as 2.5 hours. Banks of any size may have difficulty with such a compressed timeframe.
Once funds are moved, the originating institution would need to identify suspicious activity, investigate, and attempt a transaction reversal within five days to recover a fraudulent payment. If the account has been closed, the originating bank will have little hope of the funds being recovered.
2. Increased Transaction Volumes
Volume is a second major risk consideration. While same-day payments are nothing new to the banking industry – wire transfer systems have been in existence for decades – the volume of same-day ACH transactions has the potential to dwarf the volumes banks are accustomed to dealing with.
Initially, same-day ACH applies to credit transactions only. However, it’s important to realize that in the next few years virtually all types of ACH payments, including both credits and debits, will be eligible for same-day processing. Only international transactions (IATs) and high-value transactions above $25,000 will not be eligible. Eligible transactions account for approximately 99% of current ACH Network volume. This means that the volume of same-day ACH transactions will be rising exponentially, at the same time that the settlement window is contracting to a matter of hours.
3. Intensified Interest from Fraudsters
In the current financial IT ecosystem, it is not easy for fraudsters to exploit ACH: banks often have the time and resources to review transactions and detect anomalies. But with same-day ACH in place, fraud attacks will increase dramatically. At the 2016 NACHA conference, TD Bank polled more than 280 finance professionals and business end-users about the implications of faster payments for business processes and fraud. 89% of respondents believe payments fraud will become a bigger threat in the next 2-3 years. Fraudsters know that because of increased transaction volume and decreased settlement time, they have a golden opportunity to steal funds before originating banks can identify a problem.
The Inadequacies of Current Fraud Detection
Most banks are not equipped to deal with the new risks posed by same-day ACH. Current payment fraud detection systems come up lacking in three key areas:
- A reliance on back-office monitoring. Put simply, people cannot be expected to review the increased volume of ACH transactions in the required timeframe. Manual processing is no longer a valid approach to fraud detection. Real-time automated fraud intelligence that monitors transactions from the point of origination (the online banking application and the user behavior) is critical.
- A lack of investigative and audit tools. Banks often do not have the tools in place to investigate suspicious activity quickly enough. For example, they may not be able to prioritize alerts so that they can respond to the most important threats first. Or again, they may not be able to integrate multiple systems to achieve the needed visibility to facilitate agile fraud detection and decision-making.
- An inability to block transactions. Banks don’t want to release suspicious transactions, since reclaiming the funds is often impossible. Unfortunately, most banks don’t have an easy way to block transactions in real-time (called payment interdiction). While many banks offer automated blocks or filters to corporate customers, these services are only used by larger companies and do not provide payment interdiction capabilities to institutions.
What Banks Will Need to Mitigate Same-Day ACH Risks
To address the gaps in the current fraud detection structure, banks need technology that:
- Monitors user behavior in real-time
- Complements transaction monitoring with web security to ensure that the user is valid (e.g., taking into account geographic location and device type)
- Provides risk scoring to help prioritize the highest risk alerts
- Leverages both user profiling and rules-based detection
- Blocks suspicious transactions before they are sent to the processing system
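The list above describes a scoring-and-interdiction step that sits in front of the ACH batch. The sketch below is an added example, not code from the article or from any vendor product: it combines a per-customer profile with simple rules, holds payments at or above a risk threshold, and returns the held items ordered by risk. All field names, weights, the threshold and the sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

@dataclass
class Profile:               # baseline learned from a customer's prior payments
    amounts: list
    devices: set
    countries: set
    receivers: set

@dataclass
class Payment:
    pay_id: str
    customer: str
    amount: float
    receiver: str            # token for the receiving account
    device: str
    country: str

HOLD_THRESHOLD = 60          # assumed cut-off; tune against real alert volumes

def score(p, prof):
    """Rules evaluated against the customer's own profile; returns (score, reasons)."""
    total, reasons = 0, []
    mu, sigma = mean(prof.amounts), pstdev(prof.amounts) or 1.0
    checks = [
        (p.amount > mu + 3 * sigma,          30, "amount_outlier"),
        (p.receiver not in prof.receivers,   25, "new_receiver"),
        (p.device not in prof.devices,       25, "new_device"),
        (p.country not in prof.countries,    20, "new_geo"),
    ]
    for hit, weight, name in checks:
        if hit:
            total += weight
            reasons.append(name)
    return total, reasons

def interdict(batch, profiles):
    """Split a batch into payments to release and alerts to hold, highest risk first."""
    release, alerts = [], []
    for p in batch:
        s, why = score(p, profiles[p.customer])
        (alerts.append((s, p.pay_id, why)) if s >= HOLD_THRESHOLD
         else release.append(p.pay_id))
    alerts.sort(reverse=True)        # investigators see the riskiest item first
    return release, alerts

# Constructed sample data (not real payments).
PROFILES = {"acme": Profile([1200, 1350, 1280, 1310], {"dev-a"}, {"US"}, {"rcv-1", "rcv-2"})}
BATCH = [
    Payment("P1", "acme", 1300, "rcv-1", "dev-a", "US"),
    Payment("P2", "acme", 9800, "rcv-9", "dev-z", "US"),
    Payment("P3", "acme", 1290, "rcv-7", "dev-a", "US"),
    Payment("P4", "acme", 1400, "rcv-8", "dev-q", "RO"),
]

if __name__ == "__main__":
    print(interdict(BATCH, PROFILES))
```

Held payments never reach the file sent to the processing system; a single weak signal (P3, a new receiver only) is released, which keeps the alert queue within what investigators can clear before a settlement window.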
With the continued shift by banks and customers to faster payment initiatives such as Same Day ACH payment processing, the requisite security systems also need to be in place: layered, flexible, adaptive, and integrated, so that banks can efficiently protect themselves and their customers.
1. theclearinghouse.org annual statistics for wire transactions in 2015 (110,408,835); frbservices.org annual statistics for 2015 (142,757,101).
2. nacha.org 2015 network statistics.
Andrew Leon is a Senior Implementation Engineer with Bottomline Technologies. Mr. Leon is a Cyber Fraud and Security expert with over 15 years of experience in business development, product management, and technical application, product, R&D, and engineering. He has spent the last 10 years focusing on various aspects of Cyber Fraud and Security, with a specialization in client delivery and customer engagement over the course of the last 5 years. Mr. Leon is regularly on client-site, helping customers identify their security needs and finding innovative ways to help them meet their cyber fraud and security goals.