In addition, although the ACH network was once used mainly for transactions with well-known trading partners, its use for point-of-sale purchases and online and telephone transactions has grown, increasing the risk of fraud. The dollar value of consumer ACH payments made via the Internet is nearing $1 trillion annually, according to the NACHA.
Banks do provide standard treasury-management security tools to prevent an unauthorized payment from clearing a company’s account. (They have motivation to keep a lid on fraud: under rules enacted three years ago, the NACHA can fine originators that allow practices that create risk-management problems for others on the ACH network.) One common tool, positive pay, involves the treasury department supplying the bank with a register of anticipated, authorized ACH debits; the bank pays only the debits preauthorized on the list. In reverse positive pay, the bank automatically makes the payment unless the treasurer tells it not to.
These tools are “a good way for a treasurer to cut down fraud on their accounts, because you’re in control of every transaction that hits,” says Paul Tomasofsky, president of Two Sparrows Consulting, a financial-services consultancy. “But it’s a lot of work if it isn’t automated.”
ACH debit blocks and filters are less taxing. In an ACH debit block, the business tells its bank to stop all ACH debits that come into its accounts from the ACH network. With an ACH filter, a company picks and chooses the trading partners it will accept ACH debits from and provides that list to the bank.
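The four controls described above differ in what they let through, which is easiest to see by running the same incoming debits through each. The following is an added illustration, not bank or NACHA code: the `Debit` fields, the matching of register entries on originator and amount, and the sample data are all assumptions made for the example.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Debit:
    originator_id: str   # assumed identifier for the trading partner
    amount_cents: int

def positive_pay(debits, register):
    """Pay only debits matching an unused entry in the treasury's register."""
    remaining = Counter(register)   # assumption: each entry authorizes one debit
    decisions = []
    for d in debits:
        key = (d.originator_id, d.amount_cents)
        if remaining[key] > 0:
            remaining[key] -= 1
            decisions.append("PAY")
        else:
            decisions.append("RETURN")
    return decisions

def reverse_positive_pay(debits, rejected_indexes):
    """Pay by default; return only what the treasurer explicitly rejected."""
    return ["RETURN" if i in rejected_indexes else "PAY"
            for i in range(len(debits))]

def debit_block(debits):
    """Stop every incoming ACH debit."""
    return ["RETURN" for _ in debits]

def debit_filter(debits, allowed_originators):
    """Accept debits only from trading partners on the company's list."""
    return ["PAY" if d.originator_id in allowed_originators else "RETURN"
            for d in debits]

# Constructed sample data (hypothetical partners and amounts).
REGISTER = [("UTILITYCO", 125_000), ("PAYROLLSVC", 4_800_000)]
INCOMING = [
    Debit("UTILITYCO", 125_000),     # anticipated debit
    Debit("UTILITYCO", 125_000),     # second presentment of the same debit
    Debit("PAYROLLSVC", 4_950_000),  # known partner, unexpected amount
    Debit("UNKNOWNLLC", 980_000),    # originator not on any list
]

if __name__ == "__main__":
    print("positive pay:", positive_pay(INCOMING, REGISTER))
    print("filter      :", debit_filter(INCOMING, {"UTILITYCO", "PAYROLLSVC"}))
    print("reverse, no review:", reverse_positive_pay(INCOMING, set()))
```

In this model the filter pays the repeated and wrong-amount debits because the originator is on the list, while positive pay returns them; reverse positive pay with no treasurer review pays everything.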
An even more sophisticated tool is the Universal Payment Identification Code. A UPIC is a pseudo routing and account number that allows a company to receive ACH payments without divulging its actual bank account numbers and other information to payees. A UPIC cannot be used to electronically debit an account or create a check. About 1,000 users of the ACH network employ this option, and 20 banks offer it. Interest in UPICs spiked last November when the FBI reported the escalation of payment fraud, Romeo says.
Some banks also have systems that run a risk model on every transaction to determine if it is in line with client payment behaviors. Still, not all banks offer a wide range of tools to combat corporate account takeover and fraudulent payments. In the absence of those tools, companies can use low-tech ways to combat online payment fraud, according to the NACHA warning letter.
Monitoring and reconciling accounts daily is probably the simplest way. Initiating ACH and wire transfers under dual control is another option: one person authorizes the payment file’s creation and another authorizes the release of the file. In addition, workstations used for online banking can be disconnected from internal networks and restricted from use for computing tasks, such as social networking, that can increase exposure to Trojan horses and viruses designed to capture log-in and password information.
Ironically, advances in banking mobility may be introducing more risk for corporate users of online treasury tools. Mobile interfaces provided by some banks now allow a treasurer to initiate or approve wires, track intraday balances, and review and approve positive pay exceptions. But even if mobile platforms simply enable a finance executive to check balances, risk would be heightened because the information could help a cyberthief determine which accounts to target, says Tomasofsky. “Little bits and pieces may not necessarily compromise the account by themselves, but combined they could allow the bad guy to successfully take over an account,” he says.
EPN’s Romeo stresses that the ACH network itself is safe: corporate account takeovers and other security intrusions happen outside the network, usually with the front-end banking platform. Unauthorized return rates on the ACH network have been dropping steadily.
Meanwhile, use of the network is increasing. Last year about 20% of all payments transactions were made through the ACH system, only slightly less than the percentages made via paper checks and credit-card transactions. With more and more companies offering electronic payments to trading partners and customers, and many still using paper checks with valuable information on them, treasury departments have good reasons to tighten up on payments security.