As the largest electronic-payments network in the United States, the automated clearinghouse continues to grow both in volume and the types of transactions it accommodates. The expansion has brought the network further from its traditional base of direct paycheck deposits and utility-bill payments into riskier types of activity, such as consumer payments to merchants for one-time purchases over the telephone or the Internet.
Operators and governors correspondingly are tightening the screws to minimize risk and fraud exposure. The network seldom has been victimized by inappropriate or illegal transactions, those familiar with its operations say. Yet the threat of fraud or transactions that are not backed up by sufficient funds is motivating NACHA, the Herndon, Va.-based organization that governs the ACH network and sets its rules, to bolster risk management.
"The biggest challenge to the ACH network is that there are crooks out there," says Elliott McEntee, NACHA president and CEO. "What you're on the lookout for, all the time, is what banks and what third-party processors are supporting those crooks." Sometimes banks are just lax in their vigilance, according to McEntee; but on rare occasions banks or processors "knowingly assist the crooks."
To prevent crooks from compromising the ACH system, NACHA has instituted a number of procedures and rules, including a new set of penalties implemented in November. For example, NACHA has increased fines for certain violations from $250 to $1,000 for a first-time recurrence, and from $1,500 to $5,000 for a third recurrence See chart.
NACHA has a team of investigators that peruses the ACH network for scams, according to McEntee. The investigators look for patterns of behavior that might suggest payments that are unauthorized by the alleged originator. "You're not just focused on people in the United States but also all over the world," says McEntee.
The organization and ACH operators also offer risk-management tools, such as caps on payments and SecureVault. SecureVault enables consumers to pay online by keeping personal and account information with the bank or credit union.
NACHA is being vigilant now that it supports consumer Web- and telephone-initiated purchases, activities that potentially are more open to abuse than business-to-business and business-to-bank transactions.
"As new applications come into the ACH world, we always look at how we monitor risk," reports Rossana F. Solaris of the Electronic Payments Network, one of two ACH network operators along with the Federal Reserve System.
That extra vigilance stems from the concern that the system potentially is more vulnerable to fraud because it has migrated from what initially was designed as a bank-to-bank environment to a more-open network. Consumer-initiated transactions, for example, now account for about one-third of all ACH activity, according to Ed Bachelder, director of research for Boston-based Dove Consulting, a division of Hitachi Consulting Corp.
"Obviously, NACHA does a very good job because the losses are low," Bachelder says. "But just as volume grows, it becomes harder to notice little things that might be happening. Something that used to be a nice, closed world is now opening up."
Payments On The Rise
The ACH system differs from other electronic-payment networks in that it settles transactions in batches, handling large groups of payments at one time. It processes both debit and credit payments, but it does not support online authorization of payments from the institution holding the funds.
The Fed, in its 2007 Federal Reserve Payments Study, said in 2006 some 2.6 billion consumer checks were processed as ACH payments instead of as paper payments, eight times the total just three years earlier.
Overall, ACH volume has experienced an annual growth rate of 18.6% over the past three years, according to the Fed. That exceeds the growth rate of debit (17.5% annually) and credit card (4.6%) transactions, according to the Fed.
The growth means NACHA and the two ACH-network operators have to think about risk management in a more integrated way, says Jim McKee, senior vice president and retail payments officer with the Federal Reserve Bank of Atlanta.
With an expansion in the range of payment forms and with electronic check conversion on the rise, says McKee, "you have to look a little more holistically at the risk tools traditionally applied to the ACH or the card systems or to processing a check." And as the network moves more to electronic processing, he adds, "that's a little easier to do."
McKee also believes more education and outreach is coming, not only for the financial institutions but also for regulatory agencies.
"We try to make sure we're engaging the regulatory side of banking so that information and guidance are going to be consistent," McKee explains. "Included in that information and guidance is making all the players aware of the risk potential within the network as well as the tools that are available to manage that risk." The objectives, according to McKee, are to strive for regulatory consistency and to help regulators who study risk profiles have as many tools as possible available to them.
NACHA and the two ACH operators endeavor to communicate with financial institutions so they understand the risk to the network and the transactions that go through it. It is, after all, the banks themselves and, in some cases, merchants that are responsible for the risks of the transactions they process through the ACH system, not NACHA or the operators.
Danne L. Buchanan, a NACHA board member and CEO of NetDeposit, a Salt Lake City-based check processor, says when when discussing ACH risk-management, distinctions must be drawn between the various types of transactions.
A prime driver of ACH growth is the increase in accounts receivable conversion (ARC). More recurring billers are converting paper checks mailed to them from customers into ARC transactions to process electronically on the ACH network.
"The real interest in ARC, which is low-risk, is in getting returns back faster," says Buchanan. In comparison, he says, telephone and Web transactions "become much riskier" because "it's difficult to authenticate people at the other end."
Growth in ARC transactions has been dramatic. In 2004, according to an electronic-payments study conducted for the Federal Reserve Bank of Atlanta by Dove Consulting, 160 million ARC transactions were processed through ACH, representing 2.1% of network activity. By 2006, ARC had reached 2.1 billion transactions, accounting for 17.5% of ACH activity.
Another relatively small ACH activity, but one that is growing, is the back-office conversion of paper checks to electronic ACH transactions. In these transactions, retailers convert checks to ACH transactions later on instead of immediately at the point of sale.
Different transactions also face different types of risk. When payroll is made through the ACH network, the risk is whether the originator has sufficient funds to cover the amount being paid out. When a Web transaction is processed, the risk is potential fraud.
NACHA investigators study reports on ACH transactions that are returned because of lack of sufficient funds or any other issue that might interrupt the flow of payment. If more than 1% of an originating financial institution's transactions are returned for unauthorized reasons, NACHA can take action, such as levy fines or suspend an organization that initiates an ACH transaction, if the institution does not take steps to quell the number of returns.
The new NACHA rules are designed to establish "stronger incentives for rules compliance" and to encourage the use of risk-management tools, according to the association.
One incentive is the stricter penalties NACHA adopted in November. The stricter rules and enforcement penalties are designed to dissuade financial institutions from disregarding NACHA's rules, allowing fraudulent activity to go through the system and creating a large number of inappropriate transactions.
"We've got a good game plan, and the new NACHA rules are going to be helpful," says McKee. "We're going to really focus on risk prevention, and we're off to a good start."
McEntee says it is uncommon for a company to use the ACH network to commit fraud, yet he acknowledges that "it does happen." And when fraud occurs, he says, "it's usually taken care of pretty quickly."
More common, McEntee says, are inappropriate transactions from banks with lax standards. In these cases, the banks generally respond when alerted to correct problems that result in unauthorized returns.
When NACHA or a company's bank tosses out an originator of a transaction from the ACH network because of suspected fraudulent activity, NACHA adds the company name to a list on a secure network to alert other ACH members.
Aware Of Risks
Being part of the ACH system is vital to all banks because of the ease and relative low cost of processing, so they have reason to be vigilant. They do not want NACHA to suspend them. Therefore, says Bachelder, "all of the parties are quite aware of the risks, and they are working very hard to stop them."
Financial institutions also can go online to monitor their own reported unauthorized returns. That way, they can take action before NACHA has to step in if the returns start to accumulate.
Next March, the new international ACH transaction code will launch. The new code standard would bring international payments within the ACH network in compliance with rules set by the U.S. Office of Foreign Assets and Control, according to Bart Cant, treasury and payments practice leader for the financial services strategic business unit of Paris-based Capgemini.
The office lists known and suspected terrorist organizations and is concerned with cracking international money-laundering schemes. To mitigate those risks, the new international ACH transaction code will demand more information on these international payment transactions.
Not only must banks furnish the Office of Foreign Assets and Control the transaction originator's name, address, account number, depository institution name and amount of funds involved, but they also must provide the federal office the same information on organizations receiving the money.
NACHA is giving financial institutions until next March to comply with the international ACH transaction code requirement so they have time to incorporate the mandates into their software packages and operating procedures.
Unlike with credit and debit cards, interchange does not apply to ACH transactions. ACH-processing fees generally can range from two cents to five cents per item, according to Bachelder. But the cost varies depending on the type of transaction and the volume, he says, so banks, which can send large batches of transactions through the system, can negotiate for fees of about a quarter of one cent per item.
Despite the cheaper fee structure of ACH for processing transactions, the structure might have one downside, according to Bachelder. Financial institutions that might be victimized by fraudsters plying the network will not have the financial cushion that interchange provides card issuers to cover fraud losses.
"It makes it very painful when [fraud] does happen," says Bachelder.
Although ACH has escaped serious compromise, NACHA and the ACH operators recognize that as the network continues to grow and expand its reach, the risk increases that someone will violate the network.
"Like spam, eventually one of these things is going to get through and cause some damage," Bachelder cautions. "With more transactions, it's going to be harder to watch them all."
NACHA has been able to keep ACH fraud very low. But as the network grows, opportunities for fraud likely will increase as well. CP