What are the Fraud Risks for ACH?
Online Banking ACH and Wires
Creating ACH transactions and Wire Transfers is secure and simple with First Community Bank's Online Banking. Check out our video library or ACH and Wire Guide for tutorials!
Check out our helpful tips and answers to many ACH origination questions below.
Origination fraud is not new to ACH. Origination fraud occurs when an originator or third party generates invalid transactions using the name of the true originator. Use of the internet and web-based ACH origination systems has created this new vulnerability.
In one origination system hijacking scheme, perpetrators hack into the originator's (your company's) computer system using compromised user IDs and passwords to originate ACH credits into “mule” accounts created for the express purpose of committing fraud. Those accounts are then emptied and abandoned. The true originator’s account (your account) is debited for the invalid origination file. The credits are usually irretrievable by the time the fraud is discovered. The originator’s credentials may have been compromised by an insider within the organization or stolen through key loggers or Trojan Horse programs on the compromised computer.
Due to the risk of this type of fraud, it is essential that all computer equipment used by your company to operate First Community Bank’s Cash Management ACH Origination software is regularly updated and patched for security (including use and updating of firewall, virus protection, malware protection, and anti-spam protection). The appropriate steps should be taken within your company to ensure that all user IDs, passwords, authentication methods and any other applicable security procedure issued to your employees are protected and kept confidential and that all staff understands the need for proper user security, password controls and separation of duties.
What is the ACH Network?
The Automated Clearing House (ACH) Network is an electronic payments network used by individuals, businesses, financial institutions and government organizations. The ACH Network functions as an efficient, electronic alternative to paper checks. It allows funds to be electronically debited or credited to a checking account, savings account, financial institution general ledger account or credited to a loan account.
The ACH Network is a batch processing, store-and-forward system. Transactions are stored by financial institutions throughout the day and processed at specified times in a batch mode. This provides significant economies of scale and faster processing than check payments. All transaction information necessary to process a transaction accompanies the ACH entry.
How does the ACH Network function?
As the Originator, your company must first obtain authorization to initiate a transaction to the Receiver's account or provide notice to the Receiver that a transaction will be initiated to their account. Your company (Originator) then creates a file of ACH transactions assigning a company name that is easily recognized by the Receiver. The file is then sent to your Originating Depository Financial Institution (ODFI), which may be a bank or credit union.
The ODFI collects ACH files from Originators with which it has contractual relationships, verifies the validity of these files and, at specified times, transmits these files to the ACH Operator. The ACH Operator receives ACH files from the ODFI, edits the files to make sure they are formatted properly and distributes files of entries to the Receiving Depository Financial Institution (RDFI). The RDFI receives files of entries from the ACH Operator for its account holders. Entries are posted based upon the settlement date and account number. Periodic statements are provided to the Receiver with descriptive information about the ACH transaction, including the date of the transaction, dollar amount, payee (Originator) name, and transaction description (e.g. payroll, water bill). Originators need signed authorization to debit/credit customer accounts.
What types of controls are in place to help us combat ACH Origination fraud?
First Community Bank’s ACH Origination system utilizes multi-factor authentication by way of a secure access code that is sent out to a pre-determined telephone or e-mail address when access is requested from an unknown computer. While this will hinder a hacker from gaining access from outside of your company, the risk still exists for internal fraud by one of your employees or from a hacker who has gained access to your computer system through sophisticated key loggers or Trojan Horse programs.
First Community Bank encourages companies to have separation of duties for ACH processing, in which one employee generates the ACH batch and the system requires a secondary employee to log in and approve the ACH batch. Dual-control procedures such as this go a long way towards preventing ACH origination fraud. It is also very important for your company to make a practice of monitoring your accounts online daily. Checking both your “Online Activity” and “Transaction History” screens daily within the Cash Management program will ensure that you are aware of all transactions, even when they have not yet posted to your account. The sooner ACH fraud is detected, the more successful the bank will be in assisting to recover your company’s potentially lost funds.
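The daily review described above can be partly automated. The following is an added example, not software provided by First Community Bank: it checks batch records for the two conditions discussed here, a batch released without a distinct second approver and credits to receiver accounts your company has never paid before. The record layout, field names, account labels and sample data are all hypothetical and assume the batch details have been transcribed from the “Online Activity” screen.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Batch:
    batch_id: str
    created_by: str
    approved_by: Optional[str]            # None: released with no second login
    status: str                           # "pending" or "posted"
    credits: Tuple[Tuple[str, int], ...]  # (receiver account label, amount in cents)


def review_batches(batches: List[Batch],
                   known_receivers: Set[str]) -> List[Tuple[str, str, str]]:
    """Return (batch_id, status, finding) for each batch that needs follow-up."""
    findings = []
    for b in batches:
        # Dual control: a second user must approve, and must not be the creator.
        if b.approved_by is None:
            findings.append((b.batch_id, b.status, "no second approval"))
        elif b.approved_by.strip().lower() == b.created_by.strip().lower():
            findings.append((b.batch_id, b.status, "approved by its creator"))
        # Credits to accounts that are not on the company's known-receiver list.
        unknown = [(acct, amt) for acct, amt in b.credits
                   if acct not in known_receivers]
        if unknown:
            total = sum(amt for _, amt in unknown)
            findings.append((b.batch_id, b.status,
                             f"{len(unknown)} credit(s) to unknown receivers, "
                             f"{total / 100:.2f} total"))
    return findings


# Constructed sample data (hypothetical users, account labels and amounts).
KNOWN = {"payroll-acct-01", "payroll-acct-02"}
SAMPLE = [
    Batch("B-1001", "alice", "bob", "posted",
          (("payroll-acct-01", 250000), ("payroll-acct-02", 310000))),
    Batch("B-1002", "alice", "Alice", "pending",
          (("new-acct-91", 480000), ("new-acct-92", 495000))),
    Batch("B-1003", "carol", None, "pending",
          (("payroll-acct-01", 120000),)),
]

if __name__ == "__main__":
    for batch_id, status, finding in review_batches(SAMPLE, KNOWN):
        print(f"{batch_id} [{status}]: {finding}")
```

A finding on a batch that is still pending is the most valuable one, since it can be raised with the bank before the entries post.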
Who are the ACH Participants?
There are five key participants who contribute to the successful completion of an ACH transaction:
1. Your company is the Originator and has been authorized by the Receiver (consumer or company) to either credit or debit their account. When your company initiates a credit transaction to your employee's account for payroll or to a business customer's account for payment of goods and services, you are considered the Originator. Originators may also initiate debit transactions to a consumer or business account for payment of goods or services.
2. The Receiver can be either an individual or a company that has authorized the Originator (your company) to credit or debit their account. An employee is the Receiver if his or her company is initiating a payroll credit. A business partner is the Receiver if the Originator is sending a credit to pay for goods or services. The Originator can also be a Receiver, in situations where another party is initiating credits or debits to their account. The authorization is a key component of the ACH transaction, as it gives your company as the Originator the authority to send credit or debit transactions to the Receiver's account. Crediting a consumer requires only an oral agreement. However, a consumer debit must always have a written agreement. For a company, whether a debit or credit transaction, a written agreement is required.
3. The Originating Depository Financial Institution (ODFI) is the financial institution that your company has a contractual relationship with for ACH services and is responsible for sending ACH entries into the ACH Network on your behalf.
4. The ACH Operator is the central clearing facility for ACH transactions. The ACH Operator is responsible for accepting files of ACH entries from ODFIs, which are then sorted, batched and forwarded to the Receiver's financial institution. The ACH Operator also performs some editing functions, ensuring that mandatory information required in each ACH record is included.
5. The Receiving Depository Financial Institution (RDFI) is a financial institution with which the Receiver has an account relationship. Credit or debit entries sent to a Receiver's account will be received by the RDFI from the ACH Operator and then posted to the Receiver's account.
How are ACH funds settled?
Settlement is the actual transfer of funds between financial institutions to complete the payment instructions of an ACH entry. The Federal Reserve Bank provides settlement services for ACH entries. The timing of settlement is based upon the Effective Entry Date indicated on the ACH file and the time of its delivery to the ACH Operator. Your company as the Originator will determine the Effective Entry Date of the file you send to your ODFI. This is the date on which your company intends the entries to post to the accounts of the Receivers (employees or customers). When the ACH Operator processes an ACH file, the Effective Entry Date is read and entries are settled based upon that date, known as the Settlement Date. The Effective Entry Date in most cases is the same as the Settlement Date, but it is possible that the Settlement Date could be after the Effective Entry Date. For example, if the ACH Operator cannot settle on the Effective Entry Date due to untimely file delivery, a stale date, weekend or holiday, the ACH Operator will apply a Settlement Date of the next business day.
Digital Banking Support
Monday - Friday: 8AM - 5PM
Contact us at 231-526-4160 or digitalbanking@firstcb.com