As the nation’s automated clearing house network gears up to introduce same-day debits in September, observers are warning that faster processing is likely to open the door to more fraud unless businesses and financial institutions adopt new policies. Some caution the ACH network’s experience so far with same-day credits, which were introduced 10 months ago, is no indicator of the risk faster debits will bring.
“The rollout of same-day ACH credits last year went smoothly and by all accounts there haven’t been significant losses. Debits are riskier, however, and I believe the level of preparation to manage fraud in the compressed timeframes varies greatly from one institution to the next,” says Sarah Grotta, a senior analyst at Maynard, Mass.-based Mercator Advisory Group, in an email message.
NACHA, the Herndon, Va.-based rules-setting organization for the ACH, released data earlier indicating the network handled 13.3 million same-day transactions in the first quarter, up 13.6% over the fourth quarter of 2016. Those first-quarter transactions carried a total value of almost $18 billion.
The ACH’s history of comparatively low fraud losses overall may have lulled some players into a sense of complacency, Grotta fears. “Risk-mitigation resources are often focused on those products or payment types that experience the most amount of fraud. So [ACH fraud] may not be at the center of attention for many financial institutions.”
Unlike ACH credits, where one party is sending money electronically to another, debitsallow organizations to electronically pull money out of bank accounts held by consumers and businesses. Since same-day ACH, generally speaking, cuts a day out of the traditional clearing and settlement time for transactions, that leaves less time for banks to monitor incoming requests and validate the withdrawing parties. When cash is pulled from an account fraudulently or mistakenly, the network treats the incident as an unauthorized transaction, since such withdrawals are required by network rules to have the permission of the account holder.
As a result, same-day processing for debits “could introduce a lot more unauthorized returns,” warns David Barnhardt, executive vice president for product at Giact Systems LLC, an Allen, Texas, vendor of authentication technology. Giact on Wednesday released a white paper cautioning banks and businesses to tighten their defenses as the Sept. 15 introduction of same-day debits nears.
Some methods banks have traditionally relied on with debits will no longer be effective after same-day processing takes effect, Barnhardt warns. Customer reporting of suspicious activity on their online statements is one example. “There’s a lot of pre-emptive detection,” Barnhardt says. “That’s going to go away. [Cash] is going to be released before you can catch it.”
Another example is batch verification, which, Barnhardt says, will be too slow once faster debits appear. “Today, there’s a lot of batch analysis. That’s going out the window,” he predicts. Instead, he says, banks will have to move to real-time checking.
Experts suggest other measures may help control risk, including debit blocks on certain parties and ACH positive pay, a technique that matches transactions a company issues with the ones presented for payment.
Network rules will also help, experts point out, including one capping same-day transactions at $25,000. This ceiling was set “to limit the possible level of risk,” says Nancy Atkinson, principal at GTB Consulting, a Pittsburgh-based consultancy.
Barnhardt stresses his enthusiasm for faster ACH, including debits. “We do need to move faster,” he says. At the same time, though, time is growing short to prepare for same-day debits. “The mood of the [payments] industry [is that] they’re certainly thinking about this,” he says.