It’s hard to stop, take a breather, and congratulate yourself in the world of risk management. Fraud is always changing, and when we work hard to close a gap, another opens. Nacha’s focus on risk management continually evolves as we listen to the financial institutions and other parties that make up the ACH Network. We work with our industry participants to identify the latest findings, and update guidance and the Nacha Rules to strengthen the ACH Network. 

And now, financial institutions are telling Nacha that fraudsters are targeting them and their customers through schemes collectively known as first-party fraud. One of the frustrations with first-party fraud is that fraudsters are using the same consumer protections built by the ACH Network to take advantage of Originators and ODFIs. 

What is First-Party Fraud?

First-party fraud comes in two main forms: account opening fraud and false claims fraud. Account opening fraud affects financial institutions, digital wallets, fintechs, brokerages and other account providers that allow a consumer to open an account and fund it using an ACH debit to another account at another financial institution owned by the same consumer. The fraudster drains the newly opened account using any of a variety of methods and then files a claim of unauthorized debit at the financial institution that received the funding debit transaction (the RDFI). 

A common story we hear is, “To stay competitive, we decided to allow online account openings, and as soon as we do, the fraudsters identify us as a target.” It’s frustrating when an organization follows the Rules, does the right know your customer (KYC) processes at onboarding, and verifies the identity of the customer only to receive an R10 for the funding transaction after there is no longer an account balance left. The same story is told by brokerages, cryptocurrency firms, and wallets, and they all want to know, “How do we protect ourselves?”

An Originator can also be the victim in a false claim fraud. In this scheme, a consumer authorizes a debit to their account for a bill or service and then files a claim of unauthorized debit at their financial institution. The Originators may be utilities, loan providers, retailers, service providers or any other type of organization that allows consumers to make a payment using an ACH debit. 

Is there a solution?

Nacha’s Risk Management Advisory Group (RMAG), Rules and Operations Committee, and the First-Party Fraud Workgroup collectively are looking at ways to better identify and mitigate first-party fraud. All three groups recognize that information is one key that can help resolve disputes. We’ve already offered some initial thoughts on a role for RDFIs in identifying first-party fraud, and there will be more education and guidance issued over the upcoming months.

We are developing a number of options to provide a minimum set of standardized information from the ODFI to the RDFI, along with new guidance for RDFIs to research claims of unauthorized debits. Communication between parties and consistency in RDFI review processes for claims of unauthorized are areas where our industry can make improvements.