May 18, 2022

Why a New ACH Risk Management Framework is Needed


Michael W. Kahn

Michael W. Kahn


NASHVILLE, Tennessee—There was a time when the focus of risk management on the ACH Network was controlling unauthorized debits. But keeping the ACH Network safe means keeping up with the times and anticipating future scenarios. Today, fraud involving credits and other push type payments is a growing concern. 

“Frauds that have credit push are distinctly different than traditional debit fraud that people think of,” said Jordan Bennett, Nacha Senior Director, ACH Network Risk Management. 

Recent years have seen a rise in Business Email Compromise, account takeovers, vendor impersonations, and other frauds, all of which creates the need for a new ACH Risk Management Framework that broadens the scope of risk management to include credit push payments and their unique challenges. Nacha, its Risk Management Advisory Group (RMAG), the ACH Network Advisory Board and other concerned parties are working to develop an updated framework. 

During a May 2 update session at Smarter Faster Payments 2022, Bennett cautioned not to consider any payment method in a silo when doing risk assessments. Instead, he urged taking a wider approach, noting credit push frauds are “not unique to ACH. We have other payment systems that have this same type of fraud.”

While risk mitigation should be atop every financial institution’s list, Joseph Wood, RMAG Chairman, said there continues to be a major stumbling block. 

“We won’t talk about in real time what we’re seeing. Everybody seems to be a little bit nervous. There are privacy concerns on down the line that we have to get through. But really, we have to work together to achieve a common goal here,” said Wood.

Bennett said that while there are legitimate privacy issues, “You can share some of this information without risking privacy, if you do think it is actual fraud.” And he called on the financial community “to figure out how we can work together and share information so we can solve this.” (Read related article)

Michael Herd, Nacha Senior Vice President, ACH Network Administration, said that while Receiving Depository Financial Institutions (RDFIs) are often held harmless with unauthorized debits, “In the credit-push world we see that a little differently.”

“Funds coming inbound to an account at an RDFI is part and parcel of many fraud schemes in some way,” said Herd. “There’s a very different role for RDFIs to play in terms of detecting, preventing and recovering from those types of frauds.” In fact, Herd added, in some situations the RDFI might be in the best position to identify fraud. 
Nacha is working with consultants to help test and finalize the new framework principles, objectives and recommendations. An industry paper and other tools are expected later this summer. 

Herd stressed that the new framework is an effort to get out in front and tackle the problem.

“We’re not acting in crisis mode,” he said, adding, “But this is an opportunity to self-govern on an issue we all have in common.”