.svg)
The American Bankers Association (ABA) supports plans to expand the fraud detection requirement to other parties in the Automated Clearing House (ACH) network, but is asking for more time to comply.
The bankers’ lobby group said it agrees with a proposal to expand fraud prevention requirements beyond banks that initiate or receive transactions, such as non-consumer originators, third-party service providers (TPSPs), and third-party senders (TPSs).
“It makes sense to expand the requirements beyond originating depository financial institutions (ODFIs) and receiving depository financial institutions (RDFIs), but it is important to note that this will be a huge change to all the parties to a transaction,” the ABA wrote in a letter dated July 28.
Increasing threat of push payment fraud
Currently, federal regulations require financial institutions in general to monitor transactions for suspicious transactions while ACH network rules additionally require payment-initiating banks to carry out debit transaction monitoring.
However, a recent uptake in the spread of fraud using ACH credits and other push payments has made Nacha, the governing body of the US ACH network, concerned that its rules should be updated.
Specifically, Nacha found that fraudsters are increasingly shifting their efforts to focus on ACH credits transfer fraud using techniques such as business email compromise (BEC), impersonations, account takeovers, fraudulent government aid claims and overpayment schemes.
In May, Nacha opened a consultation on a set of proposed measures that aim to improve the recovery rate of fraudulent transactions by targeting push payment fraud (i.e., credit transfer fraud).
According to the body, push payment fraud is significantly different from debit transfer fraud in the sense that the payments are often authorised and their success relies on the use of accounts at a receiving bank, either new accounts or money mule accounts.
This means that, in many cases, the receiving institution, which had so far played a largely passive role in the ACH network, may be in the best position to identify and stop fraud.
Therefore, the proposal would require receiving banks to establish “commercially reasonable fraud detection systems” that monitor their received ACH credit transactions while also factoring in account profile information and historic activity.
Based on this ongoing monitoring, the receiving bank may decide to post a transaction, return a payment request or contact the originating bank to determine the validity of a transaction.
In addition to receiving banks, Nacha proposes to require non-consumer originators, third-party service providers and third-party senders to establish a commercially reasonable fraudulent transaction detection system with respect to their ACH entries.
Meanwhile, another proposed measure would expand the ability of the originating bank to reverse a transaction for any reason, including if the sender were fraudulently induced into authorising a payment.
Currently, originating banks can only request such reversal if the payment was unauthorised or to correct errors.
If such a reversal happens, the originating bank would indemnify the receiving bank for returning the funds.
Other measures under the proposal include plans to standardise the formatting of consumer names and create two new standard descriptions for payroll and e-commerce payments.
ABA response
In response to the proposal, US banks said they support the expansion of the fraud detection requirement to other parties, but the lack of detail regarding the new requirements and associated financial institution oversight “makes it difficult to endorse the proposal as drafted”.
They argue that Nacha’s plans to implement the changes by 2024 would be a significant challenge for financial institutions as most of the 2024 IT planning and budgeting will be complete before any final rule is announced.
Instead, the ABA urges an incremental implementation, starting with non-consumer originators by September 2026, followed by the TPSs in 2027 and finally the TPSPs in 2028.
Banks have also expressed worries about the transaction monitoring requirement imposed on receiving banks, citing large costs.
“A substantial number of [financial institutions] will need to contract with outside vendors to comply with this new requirement at an unknown expense. Those [financial institutions] that will develop their own in-house compliance solution will also find this financially challenging,” bankers wrote.
The ABA also criticised the lack of details on responsibilities for monitoring transactions in multi-party relationships and asked Nacha to re-propose the rule with additional details.
“If a third party is managing an e-lockbox and sees the transaction first, are they responsible for monitoring or is it the underlying [receiving bank]? If it is the third party, what are the [receiving bank]’s oversight responsibilities?”
ACH transfers accounted for more than 70 percent of the value of all non-cash payments in the US in 2021.
Nacha says there were 30bn ACH payments made across its systems in 2022, with a value of nearly $77trn. Among the ACH transfers, credit transactions make up two-thirds of the value of all ACH payments with an average transaction value of $3,441.
