January 31, 2023

RMAG Guidance on ODFI Credit-Push Fraud Response Checklists


Devon Marsh

Devon Marsh

Senior Director, ACH Network Administration


Digital background connectivity moving

A recent Nacha blog article suggested that a checklist approach to payment initiation could help Originators comply with rules and regulations, avoid errors, and reduce fraud. Nacha’s Risk Management Advisory Group (RMAG) believes a similar approach might help Originating Depository Financial Institutions (ODFIs) respond to instances of credit-push fraud.

Nacha’s new Risk Management Framework identifies opportunities to improve detection and prevention of credit-push fraud, and to aid in the recovery of funds in the wake of a fraud event. The period immediately following a fraud event is when a checklist might be most useful. The checklist can help an ODFI consider a full set of options when an Originator has sought help in recovering a fraudulent credit payment. A checklist might also prove helpful in a post-mortem analysis of a fraud incident, after the need for a rapid response has subsided.

An immediate response checklist and a post-mortem checklist for responding to credit-push fraud might each include 10 steps.

Credit-Push Fraud – ODFI Immediate Response:

  1. Receive Complaint.
  2. Consult with Originator.
  3. Determine if transaction resulted from a scam or an error.
  4. Determine options for recovery.
  5. Contact the Receiving Depository Financial Institution (RDFI). Consult the ACH Contact Registry to obtain contact information for an RDFI.
  6. Determine funds availability.
  7. Request a HOLD on funds.
  8. Determine the need for an indemnification agreement.
  9. Determine the best method for return of funds.
  10. Recredit the Originator.


Credit-Push Fraud – ODFI Post-mortem:

  1. Check for similar patterns in rest of portfolio. 
  2. Conduct customer interview/obtain any related documentation (fraudster emails).
  3. Confer with the ODFI’s Anti-Money Laundering (AML) team.
  4. Determine the need for a Suspicious Activity Report (SAR).
  5. Determine whether to notify law enforcement (or encourage the Originator to do so).
  6. Determine need to update customer credentials or access channels.
  7. Encourage originator to perform remediation (virus scans, security audit).
  8. Direct originator to educational resources.
  9. Populate internal and external gray lists.
  10. Record event in internal management reporting tools.


As with the payment initiation checklist, RMAG developed these lists with an ACH transaction in mind. However, they could easily apply to a fraudulent wire transfer or other push payment. Of course, other payment systems may have additional obligations that apply to a financial institution. The lists offer good starting points, but they are not written in stone. An ODFI may wish to customize its lists to reflect the institution’s unique processes when an Originator contacts it to ask for assistance in recovering a fraudulent payment.