Guide to ACH Risk Assessment and Management


Account takeover, business email compromise, and impersonation fraud: each of these terms names a threat to financial institutions described in a joint paper published by Nacha and the Global Resilience Federation. Financial institutions should care because Nacha, or the National Automated Clearing House Association, makes the rules that govern the legal use of the ACH payments network. According to a February 2023 press release from Nacha, the network “processed 30 billion payments valued at $76.7 trillion in 2022.”

Processing these payments involves several parties: originators, who receive permission from the recipient party to credit or debit a receiving account; the originator’s ODFI, or Originating Depository Financial Institution; the network operators; and a Receiving Depository Financial Institution, or RDFI. Information at the originating end of every transaction must be carefully tended as it is entered to ensure accuracy and a smooth process, but that’s not all. Avoiding fraud requires even greater diligence and attention. For those with an eye towards prevention, and even for those who want to understand best practices in the case of suspected fraud, ACH risk assessment and ACH risk management are a useful guide, tool, and ally.

What is ACH risk assessment?

These days, says Nacha’s Senior Vice President, ACH risk might only look like someone’s account having been debited but could also include an account that received a credit. Fraudsters trick the ODFI into sending payments to their accounts by various means. 

Instead of waiting for a costly fraud event to occur, ACH risk assessment allows organizations to look proactively at each point of contact and each method of receiving, processing, and storing information. It requires a look at technological capabilities and security, as well as regular updates to both. By no means a one-time exercise, ACH risk assessment is a dynamic process that changes as your organization does.

How ACH Risk Assessment Works

Hypothetical risks are a great place to start examining real-world vulnerabilities, but for an ACH risk assessment to work for your company, you should orient yourself to your specific risk environment. In finding the specific deficiencies you face, you can decide where to focus efforts. Cybersecurity is one important piece of mitigating risk, but every step in your process of information handling, storage, and transmission should be regularly reviewed in an evaluation of your organization’s risk profile. Once you have pinpointed the loose ends and less than water-tight processes, you can begin to manage them. 

What is ACH risk management?

In a blog on ACH risk management, Nacha’s Senior Director of ACH Network Administration lays out “A Checklist Approach to Reduce Fraud in Payroll Origination.” The ten-step process is a fantastic reminder of the detailed and important steps to ensuring payments via ACH are sent to the right person, every time. They include basic steps like making sure you authenticate a requestor’s identity when they add or update a payee. For small companies, this step might be easy to do in person. For larger organizations, different solutions are necessary. The checklist goes on to recommend verifying the change request through a channel other than the one the requestor used, relying on known contact information. These few steps describe a chain of strong links to keep your ACH processes safe from fraudsters and other risks.

How ACH Risk Management Works

ACH risk management, however, can look different depending on the organization seeking to employ best practices. The Office of the Comptroller of the Currency, for example, has historically offered tailored and discrete guidance for institutions such as national banks. Bespoke systems to manage your data, reporting, and observation of your systems are a significant and influential piece of keeping sensitive information safe and building customer trust for your organization. 

To help each organization define actionable risk management practices, Nacha publishes an ACH Risk Management Handbook as both a hard copy and an e-book. The rules in this handbook are regularly updated. The Risk Management Advisory Group works with Nacha and its Board of Directors to help come up with sound policy and guidance. Their white papers and blogs are a rich resource for payment professionals hoping to stay up to date on the latest developments in risk management.

At the same time, those seeking a solid foundation in ACH risk assessment and ACH risk management are invited to view our online, self-paced ACH Certification course. Modules on Risk Management, Reporting, and Monitoring illuminate the principles of the topic and elaborate their real-world application. The module on Fraud Trends follows, adding valuable, in-depth knowledge to any payment professional’s arsenal against attempts to deceive your organization. To dive even deeper, our eBanking Internal Audit certification includes modules on risk mitigation topics such as Effective Risk Management in ACH, modules in payments fraud, and modules in audits of eBanking such as Fundamentals of Payments Monitoring for ACH. 

Fast, cheap, reliable payments are a hallmark of the Automated Clearing House network’s work. But only if every party does their part. Nacha requires it. How will you meet those compliance standards? 
