Is ACH Fraud Over-Hyped?

NACHA CEO Says ACH Fraud Affects Small Fraction of Transactions
2010 saw several high-profile incidents of corporate account takeover that turned the banking industry's focus to the scourge of ACH fraud.

But with some $30 trillion flowing annually across the Automated Clearing House Network, the losses financial institutions suffer from ACH fraud, relative to other types of fraud, are low, according to the head of NACHA -- The Electronic Payments Association.

"Fraud is certainly something we need to be diligent about," says Jan Estep, president and CEO of NACHA. "However, we do know that, with $30 trillion moving over the ACH Network, the number of compromises and/or the number of actual losses is a very small fraction of that."

In fact, NACHA, the rule-making body for the ACH network, has found that corporate account takeover fraud perpetrated via ACH and wire transfers accounts for a "very small fraction," Estep says, of all transactions. "We know most banks are using sound practices, such as multichannel techniques, multifactor authentication, out-of-band authentication. There is always more we can do, but we have to point out that we are doing a good job now."

The root of the problem, Estep says, is not ACH; it's the online channel. "ACH fraud occurs when an online account is breached, and once that happens, the criminals can move money out of the country via wire transfer or ACH," she says. "Keeping the computer secure is really the key."

In 2011, while fraud detection and holistic monitoring tools will have an impact, customer and employee education will play the leading role in the ongoing fight against fraud. "We need to continue focusing on education, like letting businesses know they cannot use an unsecure wireless connection to conduct banking transactions," Estep says. "It is important to continue those discussions and continue education, and then make sure the potential for downloading malware or spyware is something we are all aware of and are working to prevent."

During this interview (transcript below), Estep discusses:

  • Communication and collaboration between financial institutions and commercial customers to prevent future incidents of corporate account takeover;
  • Why customer and employee education is critical when it comes to fraud detection and prevention;
  • Why ACH is more secure than other payments methods.

Estep serves as president and chief executive officer of NACHA - The Electronic Payments Association, a not-for-profit trade association that oversees the Automated Clearing House Network, one of the largest electronic payments networks in the world. Estep oversees NACHA's daily operations and rule-making processes, and works to promote the development, promotion and use of electronic payment solutions to improve the payments system. Her responsibilities include ensuring that the ACH network remains a safe, high-quality payments system with prudent risk management practices.

Before joining NACHA, Estep served as executive vice president of U.S. Bank's Transaction Services division, and was accountable for the general management of the division, which included Elan ATM & Debit Services, ATM Banking Product and Operational Support, ATM & Kiosk Services and EFT Network support. She joined U.S. Bank in 1997 with responsibility for the Merchant Payment Services division, previously holding a variety of management positions in technology-intensive companies.

Estep also has held leadership positions with Twin Cities laboratory, Pace Analytical Services and IBM.

ACH: Secure Payments

TRACY KITTEN: What trends and investments are expected to have the greatest impact on ACH payments and online security in 2011? I'm here today with Jan Estep, president and CEO of NACHA - The Electronic Payments Association.

JAN ESTEP: I'll just give you a little introduction to NACHA for those who might be listening today. NACHA is the rule-making body that is responsible for the ACH network, managing its development, administration and governance. Our focus is creating rules for the network that will appropriately balance innovation and risk management, and we've really been doing this successfully for about 40 years, since the beginning of the network.

Let me just give you a couple of examples. The Web transaction for the Internet was introduced over 10 years ago, and it has an unauthorized debit rate of only .03 percent, which is very consistent with the rest of the network. Check conversion transactions and other transactions introduced within the last 10 years have virtually no unauthorized transactions, which is a huge improvement over paper checks.

When you ask about the security of payments, as it relates to ACH and online, certainly the Web transaction is part of that; but I think it is also important to note that securing the online computing environment is really key to securing all types of information, as well as all types of payments. Securing the online environment is key to preventing and mitigating risk associated with, for example, corporate account takeover -- where money might be moved via wire or ACH, or where fraudsters use wire transfer to move the money out of country. So, certainly there are interdependencies among your computing environment and all types of payment. With that said, though, I think the ACH network does introduce a lot of innovation -- opportunities for participants to really take advantage of the ACH network and its unique attributes, such as efficiency, ubiquity and certainly the ability to track payment card information, making it prime for really adding value to participants in the network.

KITTEN: NACHA is working with financial institutions to improve security and payments, but what is NACHA doing to help educate financial institutions about security and payments, as well as enhance innovation?

ESTEP: Well, let me start again with the rules, just as background, because the operating rules themselves for the ACH network reflect this balance of risk and innovation that I mentioned earlier. And it is through the NACHA operating rules, the private sector rule-making process and collaboration among a lot of entities that we engage financial institutions and the industry in creating a framework that defines rules and responsibilities for participants. So, one way that we engage the industry in collaboration is through a group that we call the Risk Management Advisory Group, or RMAG, and they have diligently been working to ensure that financial institutions, as well as their business clients, have an awareness of both tools and sound business practices for preventing fraudulent activity. The group is working right now to develop additional resources to help businesses and financial institutions evaluate business practices with what they are doing each day. They also have the intent to continue to update those resources with technology and techniques used by cyberthieves, for example, to continue to change. We understand it is very important to keep up with changing technology. A group such as RMAG, which is not only involved with NACHA but involved in supporting their own business and their own clients on a daily basis really, can help do that very effectively.

NACHA and Its Payment Associations

KITTEN: Now, 17 regional payments associations, such as the Payments Authority, work with NACHA on a national scale. How does NACHA work with these associations to improve communications with and innovations for financial institutions and other entities touching the payment space?

ESTEP: The Regional Payment Associations or RPAs, as we call them, are our piece to the equation in both communicating to as well as providing education for the industry. You mentioned there are 17 RPAs; they provide ACH education as well as other payment education and services to those in their specific geographic area, so that financial institutions, corporations, e-commerce companies and payment technology providers across the country can take advantage of education and services in kind of a local way. Entities do have the opportunity to become a member of a Regional Payment Association; via that process, small or large banks as well as credit unions can contribute to both the development as well as the future of the ACH Network. Being engaged on a very one-on-one basis in education will help them to successfully use the ACH Network.

ACH Innovation

KITTEN: And then talking about that utilization of the ACH network, what role, if any, Jan, do you see ACH payments playing in innovations within financial institutions in 2011?

ESTEP: I think in 2011, as we have operated in the past, the payment marketplace will continue to evolve and the ACH network will continue to be involved in various aspects of innovation, while continuing to work with the industry to strengthen payment solutions. So, let me just give you a couple of examples. In 2010, secure bulk payment was an initiative that NACHA had been involved with for many years that was moved into what we call commercialization. It is now available to anybody in the industry. It really provides an alternative payment solution that is a very cost effective option for consumers that wish to purchase online but do not wish to share financial information. And if the merchant they are buying from doesn't want to store account information, secure bulk payment is a great option. It's really a good example of innovation, of working with participants and being very creative, relative to risk mitigation, without sharing bank account details when you go through a payment. So, again, I think a very good combination of using technology, not only for innovation and cost effectiveness, but also great risk management.

To give you one other example, I mentioned earlier that the ACH Network did a great job of not only supporting payments but also the information with the payment. This will help in the future, with things like healthcare administrative and innovative solutions such as electronic billing delivery service. It's a great opportunity for businesses to pass invoice and billing information over the ACH Network and then request payment, and it really mitigates or reduces any concerns with the invoice and what you are paying for, because it's all done electronically. I think we will continue to see areas of innovation. Our rules will continue to change, I think, in small as well as large ways. We've had telephone payment over the network for many years, and a rule was passed last year that allows for recurring telephone payments. So that will be implemented in the future. Again, just another example of increased opportunity for network participants of all sizes and types.

KITTEN: Jan, I would like to go back to the discussion about corporate account takeover. Of course, this is a hot topic that we have written about quite a bit, as well as other media in the industry. I would like to know what you think institutions could do better. How could they better secure ACH transactions, and I want to be careful here. We oftentimes want to refer to it as ACH fraud, when we should be referring to it as corporate account takeover fraud, because it brings in more than just ACH. But how can financial institutions help to secure these transactions, while also reaping the benefits and innovations of ACH rails? Does it all really go back to online security?

ESTEP: Yeah, it's a really good question, Tracy, as well as a good definition. I think it goes back to the comment I made earlier. It's probably easiest for folks to think about it in an analogous way: Having an unsecure computer is the same as not locking your house. If your house is unlocked, thieves can come in and steal anything, including valuables, information, money, checks, and it all could be used for future fraudulent activities. I think the same thing can really be said of cyberfraud or those activities involved in corporate account takeover. The ACH rails themselves are secure; corporate account takeover occurs when the online computer environment is breached. It is a type of identity theft when the cyberthieves gain control of private information by stealing online banking credentials; and once that happens, they can clearly then move money out of the country by wire transfer or within the U.S. via wire or ACH to a different bank account. So, nearly all of this activity, as you mentioned above, can be avoided by financial institutions through implementing some business practices or tools that flag abnormal activity or stop the activity before it can begin. You know, locking your house, keeping the computer secure is really key, and I think it is something that is awfully important to continue to emphasize, to make sure that businesses as well as financial institutions don't see securing the computing environment as a hassle, but rather as something mandatory to keep thieves out.

I'll talk about one other thing, Tracy, that I think is important, relative to the ACH Network, specifically. You mentioned that certainly your organization has focused on corporate account takeover quite a bit, and even though it is discussed in many venues, it really is relatively rare, in percentage of transactions.

Over $30 trillion is passed through the ACH Network each year, and we know that many financial institutions and businesses are using very sound business practices or there would be frantic fraud versus the kind of one-off situations that we're seeing to date. Certainly, many have for many years deployed multifactor authentication; they are using multichannel techniques, out-of-band authentication, and are really creating strong barriers to protect access to the computing environment itself. So, there are a lot of things that have been done. There are a lot of things that can be done, and I think it is important as an industry to continue to evolve what we do and continue to educate everyone, so that they are aware and then taking steps to make sure that they are protecting their environment before something happens. There are both, I think, complex and sophisticated tools that can be used, and then there really are some things that are pretty basic -- you know, ensuring that businesses know they can't use an unsecured wireless public spot for doing financial transactions.

Again, they are using things that help, such as dual-control or out-of-band authentication; these are very basic things that we have been talking about for almost 10 years, certainly, since the first FFIEC guidance came out in 2005. So, it is important to continue those communications via education, to work in concert with each other and then really make sure that the potential for contracting a virus or downloading spyware is something that everyone knows they need to be cognizant of. And if we can do that collectively, that is key to the first step, in terms of stopping the initial spyware from being loaded on to a computer.

ACH Fraud: Not So Common

KITTEN: And you've raised a good point, Jan. Education, of course, is such an important component of any layered security approach that an institution would implement. And I wanted to go to a survey that we recently released, the Faces of Fraud survey; and in that survey, 37 percent of respondents say that they were impacted by ACH or wire fraud in 2010. That number seemed a little bit low, but based on what you've shared, perhaps it isn't. How prevalent is fraud on the ACH Network, would you say, from that perspective? Do you think that the 37 percent seems low? Do you think more financial institutions are affected and just don't know it?

ESTEP: You know, I actually think the number itself might be relatively high, because of the other facts that I've shared already, Tracy. We do know that with $30 trillion moving over the ACH Network that the number of compromises and/or the number of actual losses is a very small fraction of that. But, unfortunately, the study that you referred to does categorize both wire and ACH fraud together as corporate account takeover. So, the number you are referring to actually incorporates more than ACH activity. Corporate account activity, using money mules after a computer is infected, many times is enabled by overseas fraudsters, and we do know that wire transfer is the only mechanism that can be used to move that money quickly overseas. So, unfortunately, I think the fine-tuning relative to ACH is not possible based on that survey. But, I will reference one other survey that was completed in 2010 by AFP, the Association of Financial Professionals. They do a yearly study around risk and fraud mitigation, and they did conclude that a small fraction of fraud and fraud losses occurred on the ACH network. In fact, they did show that only 7 percent of all organizations experienced attempted or actual fraud due to ACH credit transactions. Those are the type of ACH transactions that might be involved in corporate account takeover; and among the survey's respondents, only 3 percent of them had seen an increase in ACH fraud in the last year.

So, again, I think that the education and communication are helping. It means that there might be a slight increase, and it's certainly something that we need to be diligent about. But the AFP also showed that ACH credit fraud or attempts of such fraud were much lower than fraud related to checks and payment cards. So, again, I think keeping everything in context is important, and acknowledging that this risk exposure does exist is important, too, because we need to continue to make sure that those entities that may not have been hit with an attempt or an actual fraud, are taking the proper online banking authentication and/or business action that will prevent attacks in the future.

I mentioned just a minute ago that corporate account takeover is due to and/or involves an ACH credit transaction; but I also might mention the ACH debit transactions, because, again, that is where we have seen a great decrease in what we call unauthorized debit transactions over the last few years. We've had some very significant drops over the last two years, but unauthorized debit returns are really our best indicator of fraudulent activity on the network, where someone takes an account number and then has unauthorized money taken from the account. That is, as I mentioned earlier, at .03 percent or less than three-hundredths of a percent of all network transactions. So, again, it is a known risk, but one that I think we have tools and practices in place to make sure every organization along the way continues to use.

KITTEN: And I was going to ask you about security being key and an emphasis in 2011, and I'm not going to pose that question, because it definitely is going to be. But I wanted to ask you if you expect investments in ACH fraud detection technology, specifically, to be a focus for banks as well as credit unions in the coming year; and, if so, will those investments lead to greater channel integration?

ESTEP: I think that risk mitigation will continue to be a focus area into the future, and certainly channel integration to a degree is very important. Now, I think it is a key point, again, going back to the definitions that we talked about earlier, to note that any type of identity theft, password compromise or money movement could occur if credentials are stolen. So the idea of really being able to say, "What is our environment?" "How are we performing transactions, be those payment transactions or other types of information that you want to keep secure?" I think financial institutions as well as their customers can continue to evaluate how to incorporate fraud detection as well as risk-management services within their own organizations. It might be offered by online bank service providers and ACH operators, in particular, because even when we think about this layered approach, it's important. There is transaction monitoring. There is certainly anti-malware software that can be installed. There are dual controls, exposure limits, pre-notifications, IP address authentications, behavioral analytics, payments patterning, tools to secure sessions, and the implementation of layered controls is really important for everybody. I think with all these possible tools, it is really up to each organization to implement sound business practices within their environment, and that can open the door to fraud mitigation across the industry, between financial institutions and their customers; they really are robust and can help us continue to drive those numbers down.

KITTEN: And could you tell us, Jan, what you see as being the top three to five ACH payments and security investments, banks and credit unions should make in 2011? And I'm assuming that some of these security investments that you suggest will have an impact on the types of payments or the way payments are conducted on the ACH Network.

ESTEP: Yes. I think what you implement is clearly dependent on your environment, your customers, the type of activity that you perform on a computer. So, I'll raise up some general things that I do think are important and maybe we can prioritize.

The first is really to say that financial institutions should look at what I would call appropriate multilayered security. That is a general term, but it is one that says that one answer, one tool or one business practice in and of itself is not sufficient; it's really having a critical defense for the online platform, which is customized to fit the requirements of each organization and multilayered security, extending beyond just the hardware and software to what you do on a daily basis. Then the customer and/or organizational education are really key to that.

Secondly, if you think again about high-level things, I think that financial institutions should consider deploying enterprise management, and that goes back to the multichannel integration question you asked me earlier. But looking holistically across channels, across silos is important, not only for financial institutions but for businesses themselves.

Lastly is maybe focusing on the people part of it. Again, I said it earlier and don't mean to be very redundant, but hardware and software by themselves are only a piece of the transaction. Humans have the ability to understand when things don't seem right. So, doing things as a business, for example, checking your accounts on a daily basis, is something that should be standard practice. Educating your employees, investing in your employees, telling them what to look for, what to see, looking for things that might be abnormal; it can be done through human eyes as well as through very sophisticated hardware and software. So, again, investing in employees, having them understand what is normal, what the rules are, what is expected, regardless of who you are or where you sit in terms of a computing environment or a payments transaction.

KITTEN: In closing, Jan, I was going to ask you to provide some advice that we could give to financial institutions as well as businesses that would help them protect themselves against fraudulent activity, and you've named a number. So, I'd like to ask you, instead, do you see 2011 being a year of greater and stronger collaboration between financial institutions and their commercial customers when it comes to fraud prevention?

ESTEP: I certainly hope so, Tracy. I do think that businesses and financial institutions need to keep working together in partnership to ensure that sound business practices are employed on all ends, and, as I said before, in all ends of the transaction. Really, all entities need to be vigilant in protecting against all types of identity theft and all types of payment fraud, and again, I can go back to maybe the first thing I said in this interview. The No. 1 thing that we're all told about ensuring personal safety is that you have to be aware of your surroundings. Again, an unsecure computer is really the same as not locking your house. So, it does come down to basics. If something is open and unsecure, thieves can come in and steal anything, and it takes awareness. I think it takes education, and as you called out in this last question, it does take really working together in a cooperative manner, in collaboration, to make sure that we can either stop or flag anything that looks like abnormal activity.
