PYMNTS-MonitorEdge-May-2024

Easing The Intensifying Headache Of ACH Security Compliance

Accepting ACH payments is often a must for companies across verticals and business models. While often described as a legacy payment rail, it’s a tried-and-true method of moving money that’s often trusted by both the sender and receiver of a payment.

Yet for businesses accepting ACH payments, rising security and compliance requirements from Nacha have made it more difficult than ever to ensure that revenue can continue to flow — particularly as those requirements grow more complex for the legacy technology.

Speaking with PYMNTS about this particular pain point, Tempus Technologies Executive Vice President J. Brian Merena and President Jason Sweitzer described how a consultative strategy can ease ACH compliance without disrupting the payer’s experience.

“To keep you in Nacha compliance, as well as to keep the ACH process flowing, it’s a lot harder than just dumping out a file and making sure the right routing and account number gets to where it needs to go,” said Sweitzer.

Keeping Data Secure

Nacha has evolved its security compliance requirements in recent years, with more stringent rules around how transaction data is handled. As Sweitzer explained, two of the most challenging requirements surround web authentication for online ACH transactions and the upcoming requirements related to the security of routing and account numbers. The latter places a burden of encrypting and tokenizing data-at-rest (though this requirement has been pushed back as a result of the COVID-19 crisis).

According to Sweitzer, these rules can be likened to PCI-level requirements, and are particularly challenging when it comes to ACH processing. The majority of ACH applications are legacy apps, he noted, making it more difficult to facilitate data encryption and tokenization. Yet as Merena said, these capability requirements won’t be going away anytime soon.

“Security has pushed a lot of industries, especially Nacha and the check business, to pay close attention to tokenization and encryption,” he said. “That’s critical, and I think that will continue to be something of importance when a particular merchant is looking for a provider.”

Combating Fraud

Another key challenge in the world of ACH processing is how notices of change (NOCs) are handled, a key feature that can mitigate the risk of failed transactions in case a payer’s account and routing details change. This can be a particular challenge in B2B payments, considering the growing threat of redirect fraud, business email compromise (BEC) scams and other kinds of financial fraud.

In the world of card transactions, there are offerings like 3D-Security (3DS) that add an additional layer of fraud mitigation on top of card-not-present payments. There is no such offering for ACH, but according to Sweitzer, many of the same principles can be applied to ACH transactions to combat the risk of fraud — for instance, checking the IP address of wherever an ACH payment is initiated or using historical data to identify potential threats related to a certain bank account.

Each industry is different, and thus must take a different approach to the threat of ACH fraud. In the insurance or utilities space, for example, attempted ACH fraud will simply cause a provider to cut off service. In retail, however, fraud can mean shipping out a product and never receiving payment.

“The trick is to take a consultative approach,” said Sweitzer. “You can get rid of all the fraud if you get rid of all the transactions. But it’s about being consultative with your clients.”

Accelerating ACH

Indeed, many industries where fraud is rare, including the insurance and healthcare arena, are less concerned about fraud itself and more concerned about falling out of Nacha compliance. Either way, adhering to the increasingly strict security requirements of how ACH transactions are processed will become an even greater headache as accelerated ACH capabilities emerge.

Today, said Sweitzer, the market is fragmented and inconsistent, with a range of faster, same-day or real-time ACH capabilities that each have unique characteristics, yet none that has yet achieved ubiquity.

“Some banks support Zelle, some don’t. Some have high limits, some have low limits,” he said. “It gets really ugly really fast.”

Again, a consultative approach is key to ensuring that ACH processing remains compliant even when a transaction may clear and settle in real time. And enterprises won’t be able to avoid the challenge of remaining Nacha-compliant and mitigating risk in a real-time ACH environment, because as Merena noted, businesses accepting ACH transactions will be keen to embrace the speed.

“From a business perspective, they’re very interested in getting their funds sooner rather than later,” he said. “On the consumer side, some people are interested in the float, knowing it will take some time for the check to clear. But as ACH becomes more adopted in the market and measures around security like tokens and encryption are used, that could loosen up the limits out there today.”

PYMNTS-MonitorEdge-May-2024