LSEG Risk Intelligence
Nacha’s introduction of a revamped risk management framework for ACH payments marks a significant shift in tackling fraud and enhancing the reliability of transactions. With a surge in ACH Network usage and evolving fraud methodologies, the framework necessitates upgraded risk management approaches from businesses to meet new compliance standards and security needs.
- Nacha introduces a new risk management framework for ACH payments, focusing on reducing fraud and improving transaction quality.
- The framework responds to the increased use of ACH and the rise in sophisticated fraud schemes, necessitating stronger risk management in firms.
- Businesses must adapt to these changes, requiring upgrades in their risk management systems for compliance and enhanced security.
Nacha is set to move forward with its new ACH risk management framework.
Following a series of proposed rule changes and new guidance, the aim of Nacha’s effort is to reduce the occurrence of fraud, improve fund recovery, and provide an overall enhancement to the quality of transactions.
For those who use ACH to facilitate transactions, the new direction will significantly expand the number of organizations and payment types under Nacha’s risk management purview. Compliance will likely require firms to dedicate a great deal of time, budget, and expertise to enhancing their identity and payments risk management systems.
The changes come as the use of the ACH Network continues to grow. In the third quarter of 2023, ACH volume reached 7.8 billion transactions, worth $19.7 trillion total – up 3.2% from the previous quarter.
In addition, ACH B2B transaction volume increased 9.6% in the third quarter of this year while Same Day ACH payments saw an impressive 27% increase in transaction value and a 20% increase in transaction volume, reaching 212 million transactions, worth over $608 billion in value.
The greater use of ACH has not only attracted more legitimate users, but also the interest of fraudulent actors and a new set of scams designed to outmaneuver and defraud the users of ACH payments.
New threats require new protections
Nacha’s previous risk management strategies centered on shielding consumers, organizations, and their account-holding financial institutions from unauthorized debit fraud. Over time, new types of risks have evolved from targeting unauthorized debit transactions to include authorized ACH transactions.
For example, Nacha’s new risk management framework highlights substantial challenges presented by credit-push fraud. Overall, the framework contains three principal objectives: 1) increase the awareness of fraud schemes that utilize ACH payments; 2) reduce the incidence of successful fraud attempts; and 3) improve the recovery of funds after frauds have occurred.
Among the more recent fraud scenarios making use of ACH transactions, Nacha’s new framework will help address the following:
- Business email compromise (BEC). A scam frequently carried out by compromising legitimate business email accounts through social engineering or malware.
- Vendor impersonation fraud. A fraud occurring when a business, public sector agency or organization receives an unsolicited request, supposedly from a valid contractor to update the contractor’s payment information.
- Payroll impersonation fraud. A fraud scheme targeting employees and human resources departments using stolen credentials. In this scenario, a fraudster changes employee payroll information for the purpose of syphoning funds.
- Account takeover. An identity fraud scheme wherein a fraudster obtains the credentials of a consumer or a business account and, after gaining access, leverages that account for their financial gain.
ACH risk management next steps
As a part of its new risk management strategy, Nacha intends to provide an all-encompassing course for new initiatives, guidance, rules and industry tools. This risk management framework identifies three areas of opportunity for rule-making that will impact nearly every ACH network participant and type of transaction:
- Defining the role of the receiving account-holding institutions in risk management.
- Enabling and providing information sharing among financial institutions for the purpose of risk management.
- Expanding and improving end-user awareness and education around risk management.
Additionally, Nacha is calling for the expanded use of funds recovery tools such as reversals and RDFI returns; standardizing information for payroll and purchases; and provisions in the written statement of unauthorized debit copy (WSUD) process that provides the ability of receivers to claim unauthorized ACH debits.
Overall, the new rules will expand the responsibility of risk management and fraud monitoring to all ACH participants. This includes the originating depository financial institutions (ODFIs), receiving depository financial institutions (RDFIs) and third parties.
In the next few months, it will be incumbent on ACH participants to review Nacha’s proposals and develop strategies to address Nacha’s rules and follow its guidance.
How to address Nacha’s new risk management proposals
LSEG Risk Intelligence can help firms navigate and prepare for Nacha’s risk management proposals, applying identity validation, account verification, KYC compliance, and multi-factor authentication throughout the customer lifecycle.
Not only can the LSEG Risk Intelligence approach satisfy Nacha’s proposed rule changes and guidance, but it can also more effectively mitigate identity and payments risk without negatively impacting customer experience.
Copyright © 2023 London Stock Exchange Group. All rights reserved.