Fair Isaac : ACH Fraud Is Rising - And New NACHA Measure Leaves Gaps

If your institution saw an increase in ACH transactions last year, you're not alone. NACHA, the payments clearing house through which ACH transactions flow, reported a banner year in 2020, posting an 8.2% increase in volume and a 10.8% increase in dollar value over 2019. Additionally, ACH internet transactions rose 15% from 2019 to 2020.

As it happens, 2020 was a banner year for ACH fraud, too. The U.S. Federal Trade Commission received more than 2.2 million fraud reports from consumers, with imposter scams remaining the most common type of fraud reported to the agency. These scams are typically Authorized Push Payment (APP) schemes in which the transaction is executed by the customer directly, often via-wait for it-ACH payments.

Source: NACHA

NACHA Steps Up Its Fraud Prevention Requirements

In response to a rise in fraudulent activity targeting ACH and other electronic transactions, the WEB Debit Account Validation Rule was put into effect by NACHA on March 19, 2021.

Specifically, ACH Originators of WEB debit entries are required to use a 'commercially reasonable fraudulent transaction detection system' to screen WEB debits for fraud. This existing screening requirement is being supplemented to make it explicit that 'account validation' is part of a 'commercially reasonable fraudulent transaction detection system.' The supplemental requirement applies to the first use of an account number or changes to the account number.

There are five ways that banks can comply with the account validation rule, which are detailed here. The short descriptions are:

1. Manual validation with a voided check.
2. An ACH prenote - a $0 transaction sent to the FI specified by the end user, to verify that the routing and account numbers work. If the transaction arrives, it qualifies as a status check for that account.
3. Trial and micro deposits of just a few cents.
4. Use a verification database to validate the account.
5. Use financial institution credentials to access the end user's bank accounts

Any of these options will facilitate compliance with the NACHA WEB Debit rule, which is a considerable step up in fraud protections while still creating minimal friction in the customer experience. However, in my mind, account validation doesn't go far enough in providing fraud protection. A more holistic approach is required. Here's why.

A Panoply of Inflows and Outflows

Not too many years ago, the only inflows and outflows on checking accounts were paper checks. Today, many consumers are hard-pressed to find a single cancelled personal check on their monthly statement. There are person-to-person payments via Venmo, Zelle, and a host of other services; payments via ApplePay, SamsungPay and more; as well as an increasing number of ACH transactions. From my mobile banking app, I can even initiate a wire transfer, which in days past was reserved for making large purchases (like a house) or sending money abroad.

My point is that checking accounts are now a mini clearing house for all manner of inflows and outflows. An ACH payment may be sent a validated account, but is that payment suspiciously out of pattern? Is the transaction genuine, or is the account owner falling victim to a scam? A fraud platform that offers a holistic view of customer activity - credit and debit card transactions, P2P payments, mobile and online payments, ACH transfers are wires - can deliver more comprehensive fraud protection, while affording customers the frictionless ease of zipping money around.

Multiple Layers of Protection

FICO's new Scam Detection Score, which is part of the FICO® Falcon® Fraud Manager Retail Banking Consumer v3.0 model, is a good example of technology that addresses the larger context of an ACH payment. FICO's chief analytics officer Dr. Scott Zoldi explains:

'Humans are creatures of habit. One of Falcon's key analytic weapons in the fight against payment fraud, the behavior sorted list (B-list), leverages this fact to determine abnormality. By monitoring key attributes of an individual's payment history, B-lists learn customers' frequent, repeated behaviors (i.e., 'favorites'). Hits and misses on these favorites allow the Falcon model to decide between fraud, scam, and normal behavior.

'When a customer interacts on a non-favorite device, they have a 16x higher risk ratio of third-party fraud (UPP) as compared to first-party scam (APP). Conversely, when a customer uses their favorite device but transacts with a non-favorite credit account - for example, using their bank's mobile app on their own mobile phone that they frequently use to transfer funds, but sending to a new credit account - the risk ratio is 10x times larger for scams as compared to third-party fraud.

'Looking at combinations of favorites, and combining them with other features of abnormality associated with transaction amounts (frequencies, time of day, and many other characteristics), allows FICO's models to differentiate customers into classes of third-party fraud, APP scam and non-financial crime. In the case of scam transactions on favorite devices, the new Scam Detection Score identifies 24x the number of these transactions, compared to the standard fraud score at a typical non-fraud review rate!'

In addition, the FICO® Authentication Suite uses behavioral and biometric authentication technologies to confirm customer identities every time they interact with their financial institution. Without it, an ACH payment could be sent from a validated account by an unauthorized user, as is the case with UPP fraud and account takeover.

With rising ACH payments attracting increased attention from fraudsters, NACHA's new WEB Debit Account Validation Rule is an excellent step up in fraud protection. Extending that protection with a holistic, platform-based approach presents a giant leap.

Follow my fraud rants, raves and occasional tales of golfing woe on Twitter @FraudBird.