How New Nacha Rules Help Fight ACH Fraud

Nacha, the organization that governs the nation’s ACH network, has implemented two new rules for financial institutions intended to reduce the incidence of successful scam attempts and improve the recovery of funds after fraud has occurred.

The first rule introduces new risk-based practices, particularly for institutions receiving and sending funds. The second rule standardizes descriptions for different types of payments to enable institutions to better tailor their fraud mitigation.

Read on for what community banks need to know to navigate these new Nacha rules and tools that could make it easier. 

Nacha Risk Management Compliance for ODFIs and RDFIs

The first rule, on risk management, requires that both originating depository financial institutions (ODFIs) and receiving depository financial institutions (RDFIs) implement risk-based processes to identify ACH entries initiated due to fraudulent scams.

Previously, Nacha only required ODFIs to use a fraudulent transaction detection system to screen online and mobile (WEB) debits and when using micro-entries. Now, RDFIs should be evaluating behavior signals for fraud risk, such as incoming transactions, as well as account profile information and historic activity on the receivers’ accounts. 

“These are simple changes but very impactful changes, as the ACH network is a vital part of the payment system today,” says Gregory Williamson, head of fraud commercial strategy at Nasdaq Verafin in New York City. “Financial institutions need to make sure they are adequately protecting consumers and businesses from fraud.”

Nacha did not dictate specific fraud rules and capabilities that financial institutions must put into place, nor the use of certain technology tools, Williamson says. This is because the organization wants to make sure financial institutions have the appropriate flexibility to protect their customers from fraud.

“It’s also important for banks to share information in consortiums about suspected fraud, as it’s highly likely that another bank has seen and recognized that account as a criminal account,” he says.

If financial institutions don’t follow Nacha’s new rules and implement corresponding risk management programs, they’re more likely to become a target to fraudsters and mules, exposing them to more financial losses, Williamson says. Repeat offenders could lose access to the ACH network.

The new rules for ODFIs will help identify business email compromises, says Kari Neckel, vice president of payments policy for ICBA. “For example, an HR department might require a call back if they get an email asking to move someone’s account for paycheck deposit,” Neckel says. “Banks that do originations need to reach out to their clients and make sure they are prepared.”

Authorized push payment fraud is where criminals trick people into sending money under false pretenses, Neckel says. Now, RDFIs have more leeway to ask questions about incoming deposits. For example, if a community bank sees a consumer account receiving funds addressed as “Court Bail Money,” the bank can ask questions to make sure that money isn’t being sent under false pretenses.

“These rules better arm community bankers to look at their incoming deposits and make sure they don’t have any account holders who are misrepresenting themselves or being used as a mule,” Neckel says.

Standardization of the Nacha Company Entry Description 

The second rule requires ODFIs to use the standardized company entry description “PAYROLL” for payment of wages, salaries and similar types of compensation. The amendment is intended to reduce the incidence of fraud involving payroll redirections.

The second rule also requires ODFIs to use the standardized company entry description “PURCHASE” for consumer e-commerce purchases, which can sometimes present a different risk profile compared with the online payment for services.

“This will help banks uncover accounts that might be on the receiving end of fraud,” Neckel says. “For example if someone is getting 20 payrolls on a Friday, it is not normal and is something the bank should look into.”

Implementing ACH Fraud Detection Software for Banks

Community banks should first look at many of their BSA/AML procedures, as well as consult with their core providers, as “ACH is the heart of a core’s system,” says Neckel. Similarly, any check fraud-detection tools that a bank uses to flag account data being sold on the dark web can also be used for ACH monitoring.

Many financial institutions rely on manual processes or fragmented systems to review transactions and manage ACH risk, which can create operational inefficiencies and make it harder to detect fraud patterns at scale, says Stacey Gross, senior director of commercial product management and head of ACH and instant payments at FIS Global in Jacksonville, Florida.

“With innovation moving faster than regulation, and the speed at which payments are moving, financial institutions have less time to identify and react to fraud,” Gross says. 

A unified automated payments platform can help financial institutions move money securely, efficiently and in compliance with evolving network rules and regulatory expectations, she adds.

---