How to Harden Your ACH Anti-Fraud Defenses

January 6, 2010

by John Cummings

Many treasury pros' list of New Year resolutions for 2010 will include an inspection tour of their anti-fraud fortifications. The outlook on the payments front is good, with the ongoing switch to relatively secure electronic systems and away from notoriously vulnerable checks, which account for the vast majority of corporate payment fraud events. But even low-risk payment processes can be compromised by sloppy controls and may need a bit of shoring up.

Automated clearing house (ACH) transactions, traditionally a low-risk option, are no exception. The ACH channel has become a mainstay of corporate treasury operations in the past decade. According to the National Automated Clearing House Association (NACHA), the number of ACH payments soared from around 4 billion in 1996 to more than 18 billion in 2007, and the dollar value of those transactions nearly tripled, to $33 trillion, in the same period. But that success story hasn't escaped the attention of criminals, and 2009 saw a rash of corporate ACH frauds, including one that brought down a savings and loan in Pittsburgh, as I noted here.

I asked ACH payments expert Rossana Salaris how such frauds could work. Salaris is senior vice president of payments products with The Clearing House, an organization that operates payment systems infrastructure, including the Electronic Payments Network, the only private sector ACH operator in the country. She was quick to point out that there's no question here of the ACH network itself being compromised; in fact, these "front-end" frauds are essentially the corporate equivalent of identity theft. "The way we describe the network is that it's a highway; it's a way to get from point A to point B. As a network operator, our goal is to make sure that there are speed bumps and that we're filling potholes," she adds. "But in the end, every party has to make sure that they do the things that are necessary to maintain the integrity of their own institutions and their own credentials."

There's some evidence that corporate ACH users are failing to do that. The Association for Financial Professionals' (AFP) 2009 Payments Fraud and Control Survey found that one in six organizations suffered a financial loss as a result of ACH fraud in 2008, and that they "generally did so because they did not follow best practices and/or execute their own business rules as expeditiously as they should have." Many of the companies that experienced losses failed to use ACH anti-fraud tools such as debit blocks, debit filters, and positive pay.

Interestingly, the report points out that fraudsters are homing in on this weakness by exploiting the intersection of ACH and check payments. "Nearly 15 percent of organizations that received fraudulent ACH transactions were passed through fraudulent checks that would have been stopped by check-based positive pay ledgers but instead were presented as ACH debits," the AFP notes.

The lesson seems clear enough: don't skimp on ACH anti-fraud features. A relatively new tool that Salaris recommends is Universal Payment Identification Code (UPIC), a kind of account number pseudonym that companies can distribute without risking unauthorized debits. "It looks like an account number, it feels like an account number, and for the person you're giving it to, their bank will be able to put that number in just like they would any other account number," Salaris explains. "But it's not your actual account number, and they can only push credits to you through the ACH network. They can't create checks with that UPIC number, and they can't create demand drafts."

Companies should also tighten up their internal procedures, for example by reconciling their accounts more quickly, according to the AFP. In 18 percent of ACH fraud cases that resulted in financial loss, lack of timely account reconciliation was the primary reason. In addition, consider adding or revising approvals and auditing payment processes more frequently.

A few simple best practices can go a long way toward preventing takeovers of corporate credentials. The following recommendations were compiled by NACHA, the Financial Services Information Sharing and Analysis Center, and The Clearing House:

  • Install and regularly update firewalls, spyware protection, and commercial anti-virus software, especially if you're using a broadband or dedicated connection to the Internet, such as DSL or cable.
  • Create strong passwords with at least 10 characters, including lower- and upper-case letters, numbers, and special characters. Avoid using automatic login features.
  • Prohibit the use of "shared" usernames and passwords for online banking systems and use different passwords for each website.
  • Limit administrative rights on users' workstations to help prevent inadvertent downloading of malware such as viruses, worms and spyware.
  • Clear the browser cache before you start an online banking session, and never leave a computer unattended while using any online banking or investing service. Don't access bank, brokerage, or other financial services information from public places.
  • Immediately escalate any suspicious transactions to the financial institution; there's a limited recovery window for fraudulent transactions, and immediate escalation may prevent further losses.


Rossana's views are pretty fantastic. I like them a lot.

Some nonprofits have been punished twice for failing to prevent fraud - once by the fraudster and once by the general public, through its termination of support for an organization that doesn't protect itself from such a common act of wrongdoing. -Randall Alifano

The quality depends on the material. There are some suppliers that mix the material with the worse one. You must check it clearly.

work in a graveyard shift. I was getting bored at work as there is no work here at the office. So I was searching through some blogs and came across your blog. Great work, man. I liked what you wrote: inspirational and very meaningful.