Cognizant of the rise of credit-push fraud, Nacha has approved a new set of rules aimed at addressing it. Credit-push fraud uses social engineering and email phishing to deceive a legitimate account holder into sending funds to a criminal-controlled account, whether through business email compromise, vendor impersonation or payroll fraud.
In a recent PaymentsJournal Podcast, Michael Herd, Executive Vice President of ACH Network Administration at Nacha, and Brian Riley, Director of Credit & Co-Head of Payments at Javelin Strategy & Research, spoke about how the new rules establish a base level of payment monitoring on all parties in the ACH Network. They discussed how the changing payments landscape has made these rules necessary and the next steps for organizations to take.
Changes to the System
The Nacha membership began this journey late in 2022 with the publication of a new risk management framework that identified frauds resulting from attacks such as business email compromise or vendor impersonation. These resulted in payments being pushed out from the account of the victim to the account of the criminal. That propelled the desire for stronger action against credit-push fraud.
At their core, the new rules raise the bar for fraud monitoring and transaction monitoring across all ACH participants except consumers.
“This was an expansion of focus for us from the perspective of ACH risk management,” Herd said. “Our objectives were to not only reduce the successful incidents of those types of frauds but to improve the ability for recovery after those types of frauds and payments have occurred. Everyone has a role to play in fraud mitigation and detection and recovery. All parties have a basic-level requirement to monitor transactions. It would no longer be acceptable to do nothing.”
One of Nacha’s key targets is payroll impersonation fraud. This involves an ordinary worker being phished into handing payroll portal credentials to a scammer, who then changes the worker’s Direct Deposit instructions so the pay is rerouted to a fraudster-controlled account.
The rules are broad-based, and to some extent all financial institutions and ACH processes will be affected. But many of the participating organizations already conduct robust fraud monitoring. Although the impact to those groups might be minimal, others that are not doing much in this area today will have a bigger lift to become compliant.
For the first time, this rule set defines a role for the receiving financial institution with respect to transaction monitoring. Under the current Nacha Operating Rules and Guidelines, receiving institutions have no explicit role in monitoring this type of fraud; their obligations are simply to post transactions on a timely basis and make funds available to accountholders. Although the new rules do not shift liability for transactions, receiving institutions will have transaction monitoring requirements, which means many of them will have additional work to do.
Monitoring on the receiving side is meant to look for red flags such as payroll credits landing in an account that looks like a mule account, or an accountholder who stops receiving a regular payroll deposit. One of the rules creates a standard description for payroll transactions so that receiving institutions can identify them consistently and make that kind of monitoring easier.
“We’re following the flow of a payment from origination through the sending institution and then through to the receiving institution at the point of the receipt at the account,” Herd said. “It is intended to follow the flow of the transaction and have all the parties to it performing some level of transaction monitoring.”
Once a credit-push payment gets to a receiving account and the funds are available, the fraudulent actors are going to try to move that money elsewhere as quickly as they can. Time truly is of the essence in detection and recovery.
Fraud Happens Before the Payments
It’s important to remember that the payments are not the fraud. The fraud happens earlier, when an organization is phished or an executive, vendor or employee is impersonated. The payments themselves are typically authorized; the treasury or the payroll function has approved them and wants them to be issued. From the perspective of the payment network, they look like any other authorized payment.
With consumers changing banks and payment destinations more often than ever, heightened scrutiny has become increasingly necessary.
“When I look at myself versus my millennial children as an example, I haven’t seen a physical paycheck in 35 years,” Riley said. “They’ve all been Direct Deposit. And I’ve used the same bank for 30 years. But then I look at my millennial kids, and they go from fintech to fintech to bank to fintech and can move their destination bank account more times in a year than I have in my life.”
Nacha sees an opportunity to raise the bar to try to help identify these instances and aid in recovery. “Let’s say you’re the payroll office,” Herd said. “You have obligations to be able to validate changes within a payroll system. Should you just take anybody’s word that payroll should now go somewhere different? There should be some type of validation of that change order for the payroll. The same is true with vendor payments or the classic instance of the CEO saying, ‘Issue an emergency wire transfer somewhere.’”
Those change requests require validation and verification through a separate channel from the one the request arrived on. The financial institution processing the payment may be able to detect the changed destination, and when a payment comes into an account, the receiving institution may be able to detect that a mule account is suddenly receiving new payments or an unusually large payment.
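To make the receiving-side red flags above concrete, here is an added Python example that runs three simple monitoring rules over a constructed set of incoming ACH credits. It is illustrative code written for this page, not Nacha's rules or any institution's system; the thresholds (three distinct employers in 30 days, a three-day grace period, a 10x amount ratio), the "PAYROLL" description value and the accounts and originators are all assumptions.

```python
"""Illustrative receiving-side ACH credit monitoring (added example, not Nacha's rules)."""
from collections import defaultdict
from datetime import date, timedelta
from statistics import median

# Constructed sample credits as a receiving bank might see them.
# Tuple: (settlement_date, receiving_account, originator, company_entry_description, amount)
ENTRIES = [
    # A-1001: steady biweekly payroll that is still arriving on schedule
    (date(2025, 4, 11), "A-1001", "ACME CORP", "PAYROLL", 2500.00),
    (date(2025, 4, 25), "A-1001", "ACME CORP", "PAYROLL", 2500.00),
    (date(2025, 5, 9),  "A-1001", "ACME CORP", "PAYROLL", 2500.00),
    (date(2025, 5, 23), "A-1001", "ACME CORP", "PAYROLL", 2500.00),
    (date(2025, 6, 6),  "A-1001", "ACME CORP", "PAYROLL", 2500.00),
    # A-1002: biweekly payroll that stops after 23 May (possible rerouted deposit)
    (date(2025, 4, 11), "A-1002", "ACME CORP", "PAYROLL", 2400.00),
    (date(2025, 4, 25), "A-1002", "ACME CORP", "PAYROLL", 2400.00),
    (date(2025, 5, 9),  "A-1002", "ACME CORP", "PAYROLL", 2400.00),
    (date(2025, 5, 23), "A-1002", "ACME CORP", "PAYROLL", 2400.00),
    # A-2003: payroll from three unrelated employers inside two weeks (mule pattern)
    (date(2025, 6, 6),  "A-2003", "ACME CORP", "PAYROLL", 2400.00),
    (date(2025, 6, 10), "A-2003", "GLOBEX INC", "PAYROLL", 3100.00),
    (date(2025, 6, 13), "A-2003", "INITECH LLC", "PAYROLL", 1950.00),
    # A-3001: small recurring vendor credits, then one far larger credit
    (date(2025, 5, 2),  "A-3001", "XYZ SUPPLY", "INVOICE", 300.00),
    (date(2025, 5, 16), "A-3001", "XYZ SUPPLY", "INVOICE", 450.00),
    (date(2025, 5, 30), "A-3001", "XYZ SUPPLY", "INVOICE", 275.00),
    (date(2025, 6, 18), "A-3001", "XYZ SUPPLY", "INVOICE", 48000.00),
]
AS_OF = date(2025, 6, 20)  # assumed "today" for the run
PAYROLL_DESC = "PAYROLL"   # assumed standard company entry description for payroll


def multi_employer_payroll(entries, as_of=AS_OF, window_days=30, min_employers=3):
    """Accounts receiving payroll from several distinct originators in a short window.

    A genuine employee rarely has three employers paying them in one month; a mule
    account collecting rerouted pay from several victims does. Thresholds are assumptions.
    """
    since = as_of - timedelta(days=window_days)
    employers = defaultdict(set)
    for d, acct, orig, desc, _amt in entries:
        if desc == PAYROLL_DESC and since <= d <= as_of:
            employers[acct].add(orig)
    return sorted(a for a, s in employers.items() if len(s) >= min_employers)


def stopped_payroll(entries, as_of=AS_OF, min_history=3, grace_days=3):
    """(account, originator, expected_date) for payroll streams that are overdue.

    Infers each stream's cadence from the median gap between past deposits; a
    missing deposit can mean the employee's Direct Deposit was redirected elsewhere.
    """
    streams = defaultdict(list)
    for d, acct, orig, desc, _amt in entries:
        if desc == PAYROLL_DESC:
            streams[(acct, orig)].append(d)
    alerts = []
    for (acct, orig), dates in streams.items():
        dates.sort()
        if len(dates) < min_history:
            continue  # not enough history to know the cadence
        gaps = [(b - a).days for a, b in zip(dates, dates[1:])]
        expected = dates[-1] + timedelta(days=round(median(gaps)))
        if as_of > expected + timedelta(days=grace_days):
            alerts.append((acct, orig, expected))
    return sorted(alerts)


def outsized_credit(entries, min_history=3, ratio=10.0):
    """(account, date, amount) for credits far above anything the account saw before."""
    history = defaultdict(list)
    alerts = []
    for d, acct, _orig, _desc, amt in sorted(entries):  # chronological order
        prior = history[acct]
        if len(prior) >= min_history and amt >= ratio * max(prior):
            alerts.append((acct, d, amt))
        prior.append(amt)
    return alerts


def run_all(entries=ENTRIES, as_of=AS_OF):
    """Run every rule and return a dict of rule name -> alerts."""
    return {
        "multi_employer_payroll": multi_employer_payroll(entries, as_of),
        "stopped_payroll": stopped_payroll(entries, as_of),
        "outsized_credit": outsized_credit(entries),
    }


if __name__ == "__main__":
    for rule, hits in run_all().items():
        print(f"{rule}: {hits}")
```

Against the constructed data the rules flag A-2003 (three employers), A-1002 (payroll overdue since 6 June) and the 48,000 credit to A-3001. Each alert is a lead for review, not proof of fraud: a real program would also weigh account age, name mismatches between the payee and the accountholder, and the speed with which funds leave the account, and an analyst would still confirm with the originator before any action.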
Next Steps
Information about the rules is already available on Nacha’s website. Anyone can sign up at no cost to receive Nacha rules information, regardless of membership. The organization will have additional resources available at its annual payments conference in May, and it will be hosting webinars on these rules changes and providing fact sheets.