Nacha's Risk Management Advisory Group (RMAG) met in-person in October with an agenda focused on the themes of the “New Risk Management Framework for the Era of Credit-Push Fraud.” One of the main themes discussed was the role that Receiving Depository Financial Institutions (RDFIs) should play in detecting, preventing, and recovering funds from frauds that utilize ACH and other credits.
RMAG consists of a cross section of financial institutions and Payments Associations whose organizations represent many more financial institutions. An RDFI is often in the best position to identify suspicious credit payments.
Previous ACH risk management frameworks largely focused on debit origination to mitigate the impact of unauthorized debits on consumers, businesses and other organizations, and RDFIs. Debit fraud schemes by their nature tend to be concentrated and identifiable at the point of origination; mitigation and prevention measures are best implemented at that point. Unauthorized Return Rate thresholds and required debit monitoring came about as parts of previous ACH risk management frameworks. These initiatives led to an increase in awareness of debit fraud on the ACH Network and a decrease in the incidence of this type of fraud.
In the current environment, however, fraudsters increasingly make use of payments in which consumers, businesses, and other organizations send money out from their accounts. These payments are known as credit payments, or credit-push payments. Fraud scenarios such as business email compromise, vendor impersonation, and payroll impersonation all target credit-push payments. These schemes largely rely on social engineering to induce the account owner to initiate a payment. The resulting payment is knowingly sent and is therefore an authorized payment.
Distinct from debit scenarios, success in a credit-push fraud scheme relies on access to an account at the receiving institution. Funds are directed to and concentrated in an account(s) controlled by the fraudster, and then are withdrawn or sent to accounts elsewhere, including outside the U.S. These receiving accounts are often newly opened or mule accounts with limited history and activity. In these cases, the receiving, account-holding institution is often in the best position to identify potentially fraudulent credit transactions posting to these accounts because they differ from the type of deposit activity anticipated for the account.
The Bank Secrecy Act (BSA) requires financial institutions to monitor their customers for suspicious activity that might indicate money laundering and terrorist financing. RDFIs must implement strong BSA/AML programs to comply with the law. While not all fraud is money laundering, many instances of credit-push fraud can constitute the layering and integration phases of money laundering. Because financial institutions are well accustomed to monitoring account activity for signs of money laundering, RMAG believes RDFIs can apply similar logic to inbound credit payments in a way that can be fine-tuned to detect fraud, including through velocity checks and anomaly detection.
In this regard, RDFIs are not a passive participant in the flow of a payment, responsible only for the timely, accurate posting of transactions. They can draw on their experience monitoring accounts for unusual activity, and can use that experience to assess activity with an eye toward detecting possible fraud.
Incoming credit transactions that are unusual for a receiving account may be credit-push fraud, which may be money laundering. Fraudulent transactions can mean one of two things:
- A legitimate customer’s account has been compromised, in which case a fraudster has defeated data security or access controls; or
- The financial institution is banking a criminal, in which case the fraudster has made it past the financial institutions’ Customer Identification Program (CIP).
In either case, a fraudster is using the financial institution to receive illicit funds.
Determining what to do with an item after red flags are raised is a challenge under the current regulatory environment and Nacha Rules. RMAG would like to see Nacha pursue a standardized process or return code allowing the RDFI to return suspected fraudulent items to the ODFI. Allowing returns of partial amounts using the ACH Network is another option that would improve the recovery of funds after fraud has occurred. Both solutions require the RDFI to take an action that benefits the ODFI, the originator, and the ACH Network.
RMAG understands that not all fraudulent activity can be identified, and that there is the potential for false positives as the financial industry strives to recognize instances of credit push fraud. RMAG encourages industry regulators to provide clarity on the duty to act when an RDFI identifies suspicious credit items, and provide safe harbor for RDFIs acting in good faith.
RMAG members have also observed more organizations offering early funds availability to remain competitive in the marketplace. This practice is likely to expand as consumers request this service and financial institutions look to keep pace with their peers. Fraudsters and criminals also seek early availability to obtain quicker access to credits before the senders becomes aware they are the victims of fraud. Financial Institutions should consider risk-based controls to reasonably address the potential of fraudster gaining early access to illicit funds.
RMAG strongly believes receiving institutions must play an active role in fraud detection, prevention, and recovery. Solution providers will offer products to the industry as financial institutions request stronger tools to monitor incoming credits. Nacha should promote consistent monitoring at all RDFIs, communication between financial institutions, and recovery of funds through Rules changes and through the Operating Guidelines.