Accelerating payments mean financial institutions have less time to identify fraud before a transaction clears and settles. With Same-Day ACH now a reality in the U.S., FIs are kept on their toes to mitigate this risk.
In its analysis of the Same-Day ACH rollout, NACHA found no evidence that it led to an increase in fraud attempts or successful breaches. In a survey of financial institutions facilitating Same-Day ACH for their customers – which collectively account for about 66 percent of ACH origination volumes – NACHA found that exactly zero percent reported an increase in fraud.
That doesn’t mean that fraud linked to ACH transactions is nonexistent, however. In corporate payments, while fraud is typically linked to wire and checks, the rise in Business Email Compromise (BEC) and account takeovers means ACH fraud is a growing threat, same-day or not.
“There is no magic bullet,” said Deborah Peace, CEO of ACH Alert, in a recent interview with PYMNTS about the threat of ACH fraud that companies face today.
ACH Alert, which enables financial institutions and their customers to accept or reject transactions and identify fraud, recently introduced new capabilities for clients that extend fraud detection and prevention to Same-Day ACH transactions. But Peace noted that tools like those offered by ACH Alert are just part of the fraud detection puzzle.
“The first step for corporates is to understand that they’ll never be 100 percent secure,” she explained. “When you look at the different companies that have been breached over the last five years, they’ve got some of the most sophisticated systems and IT teams, and they weren’t able to protect themselves. That’s the reality: Every system can be compromised.”
Employee education is paramount in this regard, she continued: Don’t open suspicious emails or click suspicious links. Verify transaction requests. Report any suspicious activity.
As payments accelerate, the threat of fraud becomes more pressing, with less time to identify any suspicious or fraudulent activity. And yet, according to recent data from Strategic Treasurer in its Treasury Fraud & Controls report, corporate treasurers appear too confident in their ability to protect their organizations. Nearly two-thirds said in a survey that they feel they have improved their fraught-fighting capabilities in the last year.
Despite this, nearly a fifth said they had endured losses due to check fraud, 29 percent said they endured losses due to wire fraud, and there was a more than threefold increase in the percentage of businesses that experienced a ransomware attempt.
False Sense of Protection
Companies appear to be overconfident in their ability to avoid fraud. According to Peace, part of that may stem from the fact that banks have typically been seen as the gatekeepers.
“Banks, for years, have sheltered their customers,” she said. “There is an expectation on the part of customers that banks are responsible for everything.”
In corporate payments, however, there is no guarantee that if a business is hit by fraud, the bank will compensate. Under the Uniform Commercial Code (UCC), Peace explained, banks compensate their consumers for any fraud-related losses (with some exceptions). Corporates, however, are covered under Regulation E, and therefore are not provided the same coverage.
“Consumers don’t have the same exposures businesses do,” explained Peace. “And they generally don’t carry the same balances. The risks for businesses is much larger because of the time frame and balances sitting there that can be taken.”
Shifting Responsibility
In addition to employee education, Peace said companies have to understand that the buck does not stop with the bank when it comes to fraud. Businesses, she noted, need to take the initiative on fraud detection and prevention, and with Same-Day ACH and faster payments proliferating in the U.S. payments system, corporates have to act quickly.
“The unfortunate side of it is, businesses have a very limited time to detect fraud,” she said. “Generally, they have about a 24-hour window to spot it and do something about it. Businesses need the ability to spot suspicious activity and to be able to act on it same-day.”
Daily reconciliation is critical to this capability, she said, but that isn’t necessarily a reasonable expectation – especially for smaller firms.
“If you’re a smaller company, and you have an accountant or bookkeeper on vacation, [that] could get pretty hard,” said Peace. “You could be in a position to not be able to do anything about it. And I don’t think that most businesses understand that.”
According to Strategic Treasurer’s survey, three-quarters of banks surveyed have a “formal treasury fraud control framework,” while just 29 percent of corporates had the same. The findings point to an ongoing reliance of businesses on their banks to provide the fraud detection they need to stay safe.
The risks, of course, are monstrous.
Data from the American Bankers Association found the U.S. banking industry suffered a combined $2.2 billion in losses linked to fraud in 2016 and a 16 percent increase from 2014 levels. According to PwC data, nearly two-thirds of the 49 percent of companies surveyed that have already been hit by fraud said their losses could be up to $1 million; 16 percent it could reach as high as $50 million – each.
According to Peace, businesses have to understand the risks, and cannot rely on banks to mitigate them. Instead, companies should be proactive in identifying, reporting and avoiding fraud, particularly as payments accelerate.
“There has been a lot done by financial institutions since the emergence of the corporate account takeover to educate customers about origination fraud,” said Peace. “But I think there’s been a gap as far as how much corporates understand the exposure they have. The industry could do a better job there.”