November 29, 2022

RMAG Offers Guidance for Risk-Based Controls to Address the Potential of Fraudsters Gaining Access to Illicit Funds


Jordan Bennett

Jordan Bennett

Senior Director, ACH Network Risk Management


RMAG Offers Guidance

RMAG's membership of risk management professionals works diligently to protect financial institutions, customers, and the ACH Network from threats posed by all types of financial crimes and fraud. These scenarios include the potential for financial institutions to be used by fraudsters to receive illicit funds from credit-push fraud schemes.

To make it harder for fraudsters to gain access to funds, Receiving Depository Financial Institutions (RDFIs) can do more than act as passive participants in the flow of a payment, responsible only for the timely, accurate posting of transactions. RMAG—Nacha's Risk Management Advisory Group—members believe RDFIs have a ripe opportunity to recognize unusual activity and prevent their financial institutions from being used by fraudsters or mules to access illicit funds. 

RMAG members offer the following guidance to help other financial institutions identify credit-push fraud and assist in recovering funds for the victims of these schemes. 

Monitoring Incoming Transactions

Anomaly detection and velocity checks come in many forms. These controls can identify suspicious activity but should not be used alone to determine the validity of an incoming credit transaction. Some financial institutions can build and monitor these controls, while others will use third-party solutions. Once a monitoring control is in place, additional research is often required to confirm whether a flagged item is likely fraud or should be posted as received.

  • Account Type and SEC Code – The correct SEC code is determined by the intended receiver of the item. Consumer SEC codes (PPD, WEB, TEL) should be used in entries to consumer accounts, while CCD and CIE SEC codes should go to commercial accounts at the RDFI. A mismatch between a commercial SEC Code and a consumer account can indicate a fraudster attempting to receive illicit funds from a business email compromise, account takeover, or vendor impersonation scheme. While it is more common for a commercial account to receive a consumer SEC code (e.g., a WEB debit to a business account), a new or a large-dollar commercial SEC to a consumer account could receive additional scrutiny. 
  • Behavioral Tolerances and Pattern Recognition – Financial institutions can set behavioral expectations and track previous transactions for their business and consumer account holders. Established relationships with recurring transactions and values are at a much lower risk for undetected fraud. Accounts receiving a higher volume of credit transactions than normal or with a dollar value not expected from the account history, especially from new originators with no previous relationship to the receiver, could receive increased scrutiny. 
  • Name Matching – The volume of transactions processed in a batch ACH environment makes name matching untenable. In addition, names with complex spellings, nicknames for the account holder, or customers using their middle names would all create instances of false positives at an unmanageable scale. However, comparison of the name on a transaction with the name on an account can be useful when an ACH payment has been flagged and escalated for review. Name comparison can be used in combination with other flags in determining the validity of an item or group of items. Credit transactions with a gross mismatch between the name on the transaction and the name on the account, or accounts suddenly receiving multiple credits under multiple names, may indicate an account is being used to receive illicit funds in a credit push fraud scheme. 
  • Dollar Tolerances – Each financial institution could set dollar tolerances for their controls commensurate with their risk appetite. An RDFI may be willing to perform fewer controls and accept the risk on incoming transactions with a value in the low hundreds of dollars but may apply additional controls to incoming credits with higher value. Restrictions on early funds availability might be appropriate for higher-dollar credits.


Communication is key to investigating flags identified by the financial institution's controls. Knowing how to quickly communicate with either the customer and/or peer financial institutions helps the financial institution gain access to information about the transaction faster and make better decisions. 

  • Notify the account relationship owner at your financial institution. The relationship owner should assist in determining whether the customer is an unwitting mule, an active mule, or the victim of an account takeover scheme. Account takeover schemes at the RDFI are used to receive illicit funds and transfer them to another account. If an account takeover scheme is determined, work with the customer to identify and remediate any weaknesses in security controls.
  • Nacha's Risk Management Portal houses the ACH Contact Registry. This registry contains contact information for all financial institutions on the ACH Network. Make sure your financial institution's contact information is up-to-date and your employees know how to access the ACH Contact Registry or to contact a teammate who has access. Timing and communication are important when your financial institution identifies a suspicious transaction. Knowing who to contact at the other financial institution and contacting them quickly can help resolve the issue and prevent delays that benefit the fraudster.

Controls on Early Funds Availability 

Early funds availability should be offered commensurate with an RDFI's risk appetite. In addition to the controls above, an RDFI should consider when to offer early funds availability to its customers and place controls on early funds to ensure this service is not abused by fraudsters. 

  • Account Type – Early funds availability is commonly offered only to consumers. Consider limiting early availability to consumer accounts only.
  • Seasoned Accounts – New accounts may be more likely to be used by mules or fraudsters to gain access to funds from credit-push fraud schemes. Consider offering early funds availability only to seasoned accounts. 
  • Limited Activity – Fraudsters might know that accounts must be seasoned before early funds availability is offered. They may open an account and wait for 30, 60, 90 days or more prior to using the account to receive funds. Offer early funds availability only after an account history has been established or on the second or third receipt of a regular recurring transaction. 
  • Types of Credits that are Accepted – RMAG RDFIs limit the types of transactions that are eligible for early funds availability. Payroll and Social Security transactions are easily identified and are the largest transactions most consumers receive on a regular basis. Limit early funds availability to specific transaction types and uses. 
  • Dollar Tolerances –RDFIs should consider limiting early funds availability to a specific dollar amount per entry (e.g., the first $500) or to a limit over a period of time, similar to ATM and remote deposit limits. This could reduce the risk from large-dollar or multiple transactions.