Faster ACH payments are taxing banks' ability to check for fraud and criminals are taking notice.
As of September, credit-based ACH payments are now being settled within the same day. These are transactions where one person or entity is pushing money from their bank account to another person or organization, using the automated clearinghouse. Examples include direct deposit, payroll, person-to-person and vendor payments.
Where before banks had two to five days to analyze suspicious transactions, now in some cases they have only two hours. Banks haven't quite caught up with the shorter time frame for checking red flags, some say, and fraudsters have jumped on this opportunity.
"Recently we've seen more evidence of incidences of ACH fraud than we have in the past," said Andrew Davies, a vice president at Fiserv who helps financial institutions worldwide spot potentially illegal transactions.
Davies has seen recent cases of malicious software tampering with ACH files to perpetrate fraud. For instance, hackers are manipulating payroll files and adding themselves as fake employees to collect money. Some of the cases have been in the U.S.
Some banks' systems don't sufficiently scrutinize ACH files.
"A lot of their fraud filters will not necessarily have the wherewithal to break out all the transactions, look at history of the accounts on the incoming and outgoing side, look at the batches within the file, and then look at the behavior associated with the overall file from an ACH perspective," Davies said.
Money lost this way will be difficult to recover.
"Anytime you push money out, it's really hard to pull it back," said Ruston Miles, founder and chief innovation officer of Bluefin Payment Systems, a payment processor. For instance, "if it's a payroll file, the money has been pushed out, and you can't go out to the customer and pull it back."
A lot of fraud monitoring is still done manually, Miles said.
"Most banks have electronic fraud detection systems that catch transactions that don't look right and put them in an exception bin, and these banks employ floors of people who inspect the flagged transactions," Miles said. "With same-day, all that time gets crunched down, so you either have to add more people or you have to open the floodgates on your fraud detection systems or you've got to get more picky about fraud detection."
Along with faster settlement, the increasing interconnectedness of international payment systems taxes fraud investigators' skills and resources. The fact that dozens of countries are increasing the speed of payment transactions brings an increased level of risk.
"If you're settling transactions between financial institutions more frequently or in shorter time frames, and you have too many false positives or you have a limited amount of resources to remediate unusual activity, the funds … may well have moved on to South Korea in a relatively short time frame, and you're still sitting on an alert you haven't had a chance to look at," Davies said.
"I wouldn't say banks are scrambling but there's increased focus and understanding of the elevated risks associated with those transactions," Davies said.
In a way, this problem isn't new. There have long been different speeds for ACH payments. Also, in some cases you can pay to expedite ACH or bill payments.
"Many financial institutions have found that if criminals can pay a fee for expedited processing, they don't mind paying the fee, and you see a shift in many cases to these quicker mechanisms," said David Pollino, deputy chief security officer for Bank of the West.
He points out that there's an upside: Now banks have a way to risk-stack their products, knowing that the faster services are inherently more attractive to criminals.
Jane Larimer, executive vice president of ACH network administration at Nacha, said she is not aware of increased fraud over the network.
"We have not heard that at all," she said. "It's been amazingly quiet." Bank members worked to make sure they had robust risk and fraud systems during the 16-month lead-up to the faster credit payments.
"They did that work and they were ready to go on phase 1," Larimer said.
Banks aren't required to report ACH-related fraud to Nacha. "But if there was some upswing, we do hear things," Larimer said.
Pollino is also unworried about the threat of fraudsters breaking in and changing ACH files, because doing so takes a lot of work. Phishing attacks are still the biggest fraud concern at Bank of the West.
"Why hack into a system, understand a complex financial package, figure out where that file is and then change the file if you can just email the person and ask them for the money?" he said.
Next Challenge: Same-Day ACH Debits
Same-day ACH debit payments, which go into effect Sept. 15, 2017, will be even trickier for fraud prevention teams.
ACH debit transactions typically take two to three days to clear and settle, noted Steve Mott, principal of BetterBuyDesign, an advisory firm in Stamford, Conn. And banks' fraud systems take full advantage of that window.
"Some would say it's a lazy way, because it takes advantage of the time to say, 'OK, I don't have to check this stuff until I come in on Monday morning,' " Mott said.
The banks' fraud systems, controls and secondary and tertiary checks all assume the bank has plenty of time to perform those checks. Those will need to be updated.
"What's happened historically is that none of the financial institutions have wanted to change much in the way they did faster and more secure stuff through the pipes until they absolutely have to," Mott said.
Power of the Bank Account Number
In a faster-ACH-payments world, the bank account number becomes more powerful because it can be turned into cash more quickly.
To date, bank account numbers have been worth less than credit card numbers in the black market because they've been harder to use.
With same-day settlement, fraudsters will be able to use bank account numbers to make real-time purchases, such as software, movie and song downloads, and receive the items before a bank can stop them.
"If fraud starts really going there and merchants start losing, merchants will either have to add anti-fraud detection systems themselves or they may turn away from ACH payments for any real-time or near-real-time transfers, because they can't be assured of the funds," Miles said.
Americans are fairly casual about writing and sending checks, which have our full account number printed at the bottom, to anyone because of the built-in protections of time, Miles said. I recently sent a yearend tip by check to the person who delivers my newspaper. This is someone I've never met, who lives in a town I've never been to, and for all I know she could be a petty criminal. Now she has my checking account number and my bank name and routing number, as well as my address and signature.
"Now we're taking out that time buffer, making this twice a day, same day, meaning that it's more convenient and easier for fraudsters to capitalize on the account numbers."
But account numbers printed on checks are unlikely to be a large-scale problem, Miles pointed out.
"Hackers want to automate these attacks; they don't want to dig through the trash all over the country to steal a million check numbers," he said. "They want to open their laptop and see that 10,000 bank account numbers were found over the past week, through automated attack tools. So that's the big threat."
Miles suggested the banking industry needs to develop security standards like PCI. "The best way to fix the problem is to not have the fraudsters get their hands on the bank account numbers in the first place, and that comes through data security and not through authentication," Miles said. For instance, the PCI data security standard requires that payment card data be encrypted at all times; this same rule could help protect bank account data. Tokenization of account numbers could also help, he said.
Continual Improvement
As ACH payments continue to get faster, along with FedWire, Chips, and other types of payments, banks are going to have to step up their fraud analytics and security efforts accordingly. Those processes will need to be continually improved, too, Pollino said.
"As soon as you're happy with your controls, the criminals will get happy with them as well because they'll figure out a way around them," he said.
Nacha members have been upgrading their risk processes and procedures, Larimer said. "Same-day is the tipping point," Larimer said. "We're the first movement in faster payments. So they're starting here and I don't think this is the end of it."
She also noted that faster payments can lower transaction risk, especially credit and operations risk.
"And the faster you can settle things on the system, that lessens the systemic risk," she said.
One thing banks need to do is understand how the criminal rings that target them work, Pollino suggested.
"Are they looking for the small, quick score or are they looking for the larger, long-term payoff?" he said. "Criminals looking for the quick, small score might be drawn toward this type of product." The bank's fraud analytics and fraud detection strategies need to be tuned to that.
Third-party data sets become increasingly useful to help vet the parties to a transaction, Pollino said. Names, phone numbers, email addresses and account numbers can all be checked against databases run by Early Warning Services, LexisNexis, Experian and others.
"It's becoming more and more important to understand where this money is going, who's at the other end of the transaction," Pollino said. "Does your customer know who's at the other end of the transaction? What personal information is included in a transaction?"
Editor at Large Penny Crosman welcomes feedback at