An automated clearing house network rule tightening security around Internet purchases, one of the ACH’s fastest-growing transaction categories, is set to take effect Jan. 1.
The rule change, technically an amendment, affects so-called WEB debits, which cover a wide variety of ACH-funded Internet payments. It will require merchants as ACH transaction originators to validate the customer account used for WEB debit transactions.
It’s not that NACHA, the Herndon, Va.-based governing body of the ACH network, has not had security procedures around WEB debits before. The network has required originators to use “commercially reasonable fraudulent-transaction detection,” Michael Herd, NACHA’s senior vice president of ACH network administration, told Digital Transactions News this week at NACHA’s Payments 2019 conference in Orlando, Fla. But “commercially reasonable” isn’t defined, and account validation hasn’t been mandated.
“The validation piece isn’t required today,” Herd says. “Account validation is not explicitly required.”
But it will be, come Jan. 1. The change comes as e-commerce is booming on the ACH—Internet transactions rose 10% year-over-year in the first quarter. Plus, better security is all the more important as the growing number of same-day ACH transactions speed up the payment process.
“Given the potential volume and velocity of Internet payments, certainly the time is right to take the next step,” says Herd.
How big of a disruption or changes in fraud-control techniques the tightened rule will cause for originators and the originating depository financial institutions (ODFIs) they work with is a matter of debate. “I think for many there won’t be” changes, says Herd.
Many ODFIs and merchants already are using processors and vendors that provide a variety of account-validation systems. And the ACH network itself uses so-called pre-certifications, a technique that generates a zero-dollar test transaction to the account receiving the payment request, and micro-deposits to ascertain account validity.
But both those and another commonly used method to determine if an account is valid and active have their shortcomings, some ACH experts say. Micro-deposits, for example, can enable a fraudster with stolen account credentials to verify the credentials are valid.
“That’s something the fraudsters are watching, if it doesn’t come back they know it’s a good account,” says Debbie Peace, chief executive of ACH Alert, an Ooltewah, Tenn.-based fraud-prevention services provider.
A recent white paper from Allen, Texas-based risk-control technology provider Giact Systems LLC says a strong account-validation system should encompass account status; payment history, particularly non-sufficient funds transactions and chargebacks; ownership and matches of ownership to the payment originator, and consistency in the customer’s personal identifying information.
“The only true way to protect WEB debits is through robust account validation that goes beyond simply confirming if an account is active,” the paper says.
Herd says the rule change means originators should be using “a risk-based review” to assess a transaction’s fraud potential. “We’re really not trying to target any specific types of transactions,” he says.