July 24, 2023

RMAG Guidance on Credit-Push Fraud Response Checklists for Originators


Devon Marsh

Devon Marsh

Senior Director, ACH Network Administration


If an Originator realizes it has fallen victim to credit-push fraud, the only obvious fact may be that a payment didn’t reach the intended Receiver. Beyond that, a flurry of questions can create uncertainty at a time that calls for decisive action. A response checklist can alleviate confusion regarding immediate actions, and an after-action checklist can lay out subsequent steps to determine the extent of the problem and address vulnerabilities.

Nacha’s new Risk Management Framework identifies opportunities to improve detection and prevention of credit-push fraud and aid in the recovery of funds in the wake of a fraud event. The Risk Management Advisory Group (RMAG) has published guidance for avoiding and responding to credit-push fraud. The guidance has included checklists for payment initiation, payroll initiation, and ODFI and RDFI responses to incidents of fraud. An immediate response checklist and a post-mortem checklist can also guide an Originator’s response to credit-push fraud.

Credit-Push Fraud – Originator’s Immediate Response:

  1. Recognize that a payment went to a party other than the intended Receiver.
  2. Review payment information.
  3. Determine if transaction resulted from a scam or an error.
  4. Contact the Originating Depository Financial Institution (ODFI).
  5. Confer with ODFI about options for recovery of funds.
  6. Anticipate that the ODFI may ask for an indemnification agreement.
  7. Correct the payment information on file.
  8. Verify the corrected payment information.
  9. Initiate a corrected payment to the legitimate Receiver.
  10. Notify management of the situation.

Credit-Push Fraud – Originator’s Post-Mortem Actions:

  1. Determine the source of the fraud (e.g., a request to change payment information, an invoice or request for payment, etc.).
  2. Determine if the fraud resulted in other payments.
  3. Work through the Immediate Response checklist for each fraudulent payment.
  4. Report the scope of the fraud to management.
  5. Determine the root cause of the error.
  6. Notify local law enforcement and the FBI’s Internet Crimes Complaint Center (IC3).
  7. Determine the need to engage internal resources (Information Security, Audit, etc.).
  8. Perform remediation (virus scans, security audit).
  9. Review and update policies and procedures with compensating controls.
  10. Educate staff on proper procedures.

Nacha developed these lists with an ACH credit transaction in mind. The checklists could easily apply to a fraudulent wire transfer or other push payment. The lists are not written in stone. They offer good starting points for an Originator that may wish to customize the checklists to reflect unique processes. In implementing the response checklists, the Originator might also review its payment initiation procedures to ensure it is prepared to detect a fraudulent payment and prevent it from going out the door in the first place.