Faster payments have grown at breakneck speed over the past few years. In the first quarter of 2020 alone, it’s setting new records in payment volumes and payment values. Coinciding with these gains, fraud has grown increasingly more sophisticated and effective, inflicting damaging losses. How is the industry reconciling these two trends? And what more can businesses do to truly address fraud?
In an interview with Karen Webster, Melissa Solis, head at GIACT, said that KYC (know your customer) and account validation processes — as they relate to ACH payments — are ripe for change. “Some of the solutions that have been used in the past are not viable solutions today,” she told Webster.
Case in point: the trial deposit, where fraudsters can leverage the verification process, penny by penny, to make crime pay. Under the standard practice, to verify that a customer’s account and routing numbers are correct, firms will send micro-deposits (a penny, for example) asking for verification when those funds are received.
As Solis recounted, one GIACT client (prior to embracing her company’s real-time account verification solutions) found that it had lost thousands of dollars when fraudsters enrolled 16,000 times for services using a slew of fake identities — and made off with the deposits.
The New Rule
A new rule from Nacha (the nonprofit behind Automated Clearing House payments) looks to improve account validation practices, giving companies a large amount of leeway to self-determine the best ways to prevent ACH fraud.
In terms of mechanics, the WEB Debit Account Validation rule will not in fact be enforced until March of next year, which gives payments originators (including but not limited to financial institutions) time to prepare and get compliant.
The rule mandates that account verification is part of a firm’s anti-fraud efforts — before the first debit payment is ever made. And, as has been established previously, originators must use a “commercially reasonable” fraud detection system for WEB debit entries. Validation now becomes part of that system. As Solis noted, it’s a step up from previous practices — the pre-WEB Debit Account Validation mandate simply stated that payment originators had to make sure accounts were open to accept payments.
The additional measures come in tandem with the rapid increase in stimulus checks, Paycheck Protection Program (PPP) payments and other forms of government payments — all manner of debit activity, really — done via ACH.
To get a sense of scope and scale: Nacha said earlier this year that more than 26 billion payments were made on the ACH network in 2020, up more than 8 percent from the previous year. Of that tally, more than 15 billion payments were debit payments. At the same time, check payments were down more than 21 percent year over year. Same-day ACH payments, in addition, grew by 86 percent year on year.
Amid the pandemic, said Solis, “People who would have said, ‘I’m going to pay with a check’ or use a different method really got more comfortable going online to make payments. They embraced the change. But we also saw fraud increase — and the fraud looks different.”
Against that backdrop, she said, Nacha had to put new measures in place to thwart bad actors — because the status quo no longer works as well as it once did. That’s no easy task, given the fact that the fraudsters are smart, patient and organized — and they are armed with tons of data gleaned from data breaches, noted Solis. Fraud does more than just rob companies of revenues and swamp them with product returns: It spawns reputational risk, too.
Importantly, the new rule on account validation does not mandate that the payment originators must also validate ownership of the account. Digging into the rule itself, Nacha states that each originator will need to determine (depending on its business and risk profile) whether simply verifying the opening of an account is sufficient — or whether “more rigorous assessment” of verified ownership is appropriate to meet a commercially reasonable standard.
Open to Interpretation
A reasonable standard, explained Solis, is based on a number of factors, such as the volumes and types of transactions and the vertical in which the business operates.
“What’s commercially reasonable for one company may not be the same for another firm,” she noted. It’s important for companies to work with their compliance teams and fraud and risk executives (as well as outside counsel) to determine the best security frameworks.
Giving companies at least some leeway in determining what is commercially reasonable — without decreeing a minimum standard — may be Nacha’s way of acknowledging that for some companies, mandating identity verification may be cost-prohibitive. A significant number of originators not currently performing fraud detection for WEB debits could mean implementing an entirely new system, resulting in increased costs of originating WEB debits.
The ongoing dialogue between enterprises and Nacha (and the solutions on offer from firms like GIACT, through single-point APIs) can be positive steps toward making it easier and more affordable to validate and authenticate ACH transactions. That will have a positive ripple effect for providers that offer account validation solutions and services, fostering new innovations in anti-fraud efforts.
The good news, said Solis, is that many firms are already going the proverbial extra mile to make sure accounts are open and in a positive status and to authenticate ownership, even before they originate payments.
“If you’re just looking for solutions to ‘check the box,’ you’ve already lost,” she said, adding that it’s important for firms to constantly evaluate and re-evaluate their fraud solutions. “More companies are realizing they have to invest in resources upfront. That’s where you do your best work — right at the beginning.”