NACHA’s Risk Management Advisory Group: Keeping ACH Payments Safe and Secure During Cybersecurity Awareness Month…and Throughout the Year

Posted October 26, 2015

Keeping ACH Payments Safe and Secure During Cybersecurity Awareness Month…and Throughout the Year
A Q&A with Devon Marsh, chair of NACHA's Risk Management Advisory Group (RMAG)

Q. What’s the Risk Management Advisory Group? What does it do?
A. The Risk Management Advisory Group, or RMAG, focuses on establishing sound business practices for risk management, and developing rules that help ensure the strength and stability of the ACH Network and improve the quality of ACH payments. We work with NACHA staff and key industry stakeholders to advise the NACHA Board when it comes to risk management strategy.
Q. October is National Cyber Security Awareness Month, which aims to encourage vigilance and protection among all computer users. How does that align with RMAG’s mission?
A. Although the ACH Network itself is secure, the online credentials of those authorizing ACH payments can be compromised or stolen by fraudsters.  Just like National Cyber Security Awareness Month, RMAG’s goal is to encourage practices that help safeguard the online financial activity of businesses and financial institutions.
Q. What are some of the cyber threats facing businesses and financial institutions that use the ACH Network? How are they being mitigated?
A. We’ve seen a rise in impostor fraud in recent years, with fraudsters convincing businesses to create payments they should not create. This is easily fixed by authenticating all requests for payment, and by requiring an approver on all outgoing files. These steps help ensure transactions that should not have been created don’t go anywhere. Additionally, there are always risks related to human error or fraudulent transactions. The best way for ACH Network participants to mitigate these risks is through sound business practices.
Q. What are some proactive steps businesses and financial institutions can take to protect themselves?
A. Performing a risk assessment can help businesses and financial institutions better understand the threats they face. Once you’ve identified problem areas, you can work to correct them by following the NACHA Operating Rules and establishing sound business practices. Business and financial institutions should always:

  • Obtain proper authorization for transactions
  • Store and transmit ACH information with appropriate security
  • Create transactions under dual control
  • Provide system access only to users who need to perform specific tasks
  • Set limits on users and originators
  • Monitor for out-of-pattern activity

When performed in concert, they create layered security, increasing the chance that a failure at one point in the process will be corrected at another point.

Q. What other tools or resources are available to help businesses and financial institutions mitigate cyber security risks?
A. There are a host of tools resources available for both businesses and financial institutions at  Additionally, businesses and financial institutions should consider becoming part of the Financial Services Information Sharing and Analysis Center (FS-ISAC), an organization created to help the financial services sector prepare for and respond to cyber and physical threats, vulnerabilities and incidents.  You can learn more at

Devon Marsh is Senior Vice President, Treasury Management & Internet Services, Risk & Compliance at Wells Fargo, and chair of NACHA's Risk Management Advisory Group (RMAG). RMAG advises the NACHA Board of Directors on risk strategy. RMAG monitors Network developments to assess risk management needs, develops sound business practices on risk management issues, initiates risk-related rules proposals, and develops new risk management tools and services.

Access: Public