February 28, 2023

RMAG Guidance on RDFI Credit-Push Fraud Response Checklists


Jordan Bennett

Jordan Bennett

Senior Director, ACH Network Risk Management


Female smiling at computer

The Risk Management Advisory Group (RMAG) recently released blogs offering a checklist approach for Originators and for ODFIs responding to instances of credit-push fraud. These checklists can help Originators and ODFIs think through how they plan their responses to a credit-push fraud incident. 

Nacha’s new Risk Management Framework identifies opportunities to improve detection and prevention of credit-push fraud, and to aid in the recovery of funds in the wake of a fraud event. The ODFI warrants the transaction, but in many cases of credit-push fraud it is the RDFI who provides the fraudster access to the banking system. The success of a credit-push fraud scheme often relies on the use of an account at an RDFI, and it is often the RDFI that is in the best position to identify a fraud. Arguably, an important factor for detecting, stopping, and recovering funds in credit-push fraud scenarios is how - and how fast - the RDFI responds. 

Credit-Push Fraud – RDFI Incoming Credit Monitoring - Immediate Response: 

  1. Review internal anomaly detection alerts.  
  2. Conduct additional research to confirm. 
  3. Determine if the transaction resulted from a scam or an error.  
  4. Determine funds availability.  
  5. If appropriate, place a HOLD on funds. 
  6. Contact the Originating Depository Financial Institution (ODFI). Consult the ACH Contact Registry to obtain contact information for an ODFI.  
  7. Determine the need for an indemnification agreement. 
  8. Determine the best method for return of funds.  
  9. Return the funds to the ODFI. 

Credit-Push Fraud – RDFI Contacted by the ODFI- Immediate Response: 

  1. Receive contact from the ODFI. 
  2. Determine if transaction resulted from a scam or an error. 
  3. Place a hold on Funds. 
  4. Determine funds availability. 
  5. Consult with Receiver. 
  6. Determine the need for an indemnification agreement. 
  7. Determine the best method for return of funds.  
  8. Return the funds to the ODFI. 

Credit-Push Fraud – RDFI Post-mortem: 

  1. Confer with the RDFI’s Anti-Money Laundering (AML) team to ask if it detected the fraudulent credit(s).
  2. If AML detective controls detected the incoming credit, ask about characteristics of the transaction that made it stand out. 
  3. If AML Operations failed to detect the fraudulent transaction, collaborate on defining ways to detect similar transactions in the future.
  4. Check for similar transactions posting to the account of the Receiver. In addition, determine if fraudulent transaction indicates potential for credit-push fraud from same or similar originator to other accounts at the RDFI.
  5. If RDFI identifies similar transactions, repeat steps 1 through 4 for each transaction.
  6. Confer with the ODFI for each potentially fraudulent credit received.
  7. Confer with internal counsel and Receiver’s relationship manager to determine how to address the account owner (counsel, offboard, notify law enforcement, etc.).
  8. Populate internal and external gray lists.
  9. Record event in internal management reporting tools. 

As with the payment initiation and ODFI checklist, RMAG developed these lists with an ACH credit in mind. However, they could easily apply to a fraudulent wire transfer or other push payment. Of course, other payment systems may have additional obligations that apply to a financial institution. The lists offer good starting points, but they are not written in stone. An RDFI may wish to customize its lists to reflect the institution’s unique processes when credit push fraud is identified due to internal monitoring or if an ODFI contacts it to ask for assistance in recovering a fraudulent payment.