ACH payments are electronic payments made through the Automated Clearing House (ACH) network, a US-based financial transaction system. This system handles a large volume of transactions including direct deposits from employers, payments to contractors and vendors, consumer transactions such as utility bills and insurance premiums, and person-to-person payments.

ACH payments are processed in batches and typically take one to three business days to complete. They are a cost-effective way for businesses to transfer funds without using checks, wire transfers, or credit card networks. First the originator initiates a payment, and then their financial institution batches and processes it through the ACH network to the recipient’s bank account.

However, this type of payment does have risks. In a 2022 survey, 30% of businesses reported experiencing fraud via ACH debits and ACH credits. Below, we’ll explain how to identify common ACH risks, mitigate those risks, and approach ACH risk mitigation with Stripe.

What’s in this article?

• How do ACH payments work?
  
• ACH payment fraud
  
• How to identify common ACH risks
  
• How to mitigate ACH risks
  
• Regulatory compliance and ACH risk management
  
• How to approach ACH risk mitigation with Stripe
  

How do ACH payments work?

ACH payments electronically transfer between banks via the Automated Clearing House network. ACH payments are reliable and cost-effective, with lower fees than wire transfers or credit card payments, and they’re particularly useful for recurring transactions. Here’s how the process typically works.

• Authorization: The payment originator must first obtain authorization from the payee to initiate an ACH debit or credit transaction. The payee can authorize this via a signed form, an online payment agreement, or a verbal agreement.

• Payment initiation: Once authorized, the payment originator (which could be a business, government entity, or individual) will enter the payment information into their banking system. This includes the amount of the transaction, the payee’s bank account details, and the date the transfer should occur.

• Batching: The originator’s bank aggregates all outgoing ACH transactions into batches at predetermined times throughout the day. It then sends these batches to one of the ACH operators (either the Federal Reserve or The Clearing House).

• Clearing: The ACH operators sort the transactions and route them to the recipient’s bank, checking the details for accuracy and ensuring that the payee’s account is valid for receiving the funds.

• Settlement: Funds transfer from the originator’s bank account to the recipient’s bank account.

• Confirmation: Both the originator and the recipient receive confirmation that the transaction has been processed. Businesses update their accounts payable or receivable records accordingly.

ACH payment fraud

While ACH payments are generally safe and convenient, they are—like most other electronic funds transfer methods—susceptible to certain types of fraud. Here are common ways fraud occurs with ACH payments:

• Unauthorized transactions: A fraudulent actor initiates ACH payments from a victim’s account without their consent. The victim’s bank account and routing numbers might be obtained through phishing scams, data breaches, or malware.

• Account takeover fraud: A fraudulent actor gains access to the victim’s online banking credentials and then changes the account information to divert ACH payments to their own account.

• Business email compromise (BEC): Fraudulent actors impersonate a trusted entity such as a vendor or company executive and trick employees into making unauthorized ACH payments to their account.

• Vendor impersonation: Similar to BEC, fraudulent actors pose as legitimate vendors and send fake invoices, hoping to trick businesses into making ACH payments to the wrong account.

• Fraudulent chargebacks: A customer might make a legitimate purchase using ACH but then falsely claim the transaction was unauthorized and request a chargeback, resulting in financial loss for the seller.

• Employee fraud: Employees with access to a company’s financial systems might initiate unauthorized ACH payments for personal gain.

How to identify common ACH risks

Monitoring for the following signs of potential fraud can help you stop fraud before it occurs:

Vendor fraud and impersonation

• Unexpected changes in vendor information: Be cautious if a vendor suddenly changes their bank account details or contact information. Always verify these changes through a separate, trusted communication channel before initiating any payments.

• Unsolicited invoice emails: Be wary of emails from unfamiliar vendors or those with unusual email addresses. Verify the legitimacy of the invoice by contacting the vendor directly using previously established contact information.

• Invoice discrepancies: Look out for inconsistencies in invoices such as mismatched amounts, different logos, or unusual payment terms. Double-check these details against previous invoices or contracts.

Employee fraud and internal threats

• Unusual employee behavior: Pay attention to any sudden changes in an employee’s lifestyle, financial difficulties, or secretive behavior, especially for those with access to financial systems.

• Unauthorized transactions: Regularly review ACH transaction logs for any payments that seem out of place, such as large amounts sent to unfamiliar accounts or transactions occurring outside of normal business hours.

Phishing and social engineering attacks

• Suspicious emails: Be cautious of emails that create a sense of urgency, pressure you to take immediate action, or contain grammatical errors and typos. Always verify the sender’s identity before clicking any links or downloading attachments.

• Unfamiliar requests: If you receive an unexpected request for sensitive information such as bank account details or login credentials, don’t respond directly. Contact the supposed sender through a different channel to confirm the request’s legitimacy.

How to mitigate ACH risks

Implementing the following security measures can help mitigate ACH risks and prevent fraud before it occurs.

Pre-transaction controls

• Transaction filtering and blocking: Establish filters that limit ACH transactions based on parameters such as dollar amount, transaction type, or geographic location. Businesses can also set up ACH block services to prevent unauthorized ACH debits from posting to accounts.

• Dual approval processes: Implement a system where multiple approvals are required to initiate and complete transactions. This should involve separate roles for transaction entry, verification, and authorization.

Authentication and access management

• Multifactor authentication (MFA): Require MFA for accessing financial systems and conducting transactions. This reduces the risk of account takeover from compromised credentials.

• Dedicated financial infrastructure: Use dedicated computers for financial transactions that are not used for email or web browsing to minimize the risk of phishing and malware.

Fraud detection and monitoring systems

• Continuous monitoring: Use advanced monitoring tools that analyze transaction patterns in real time to identify and flag unusual activities for further review.

• Anomaly detection algorithms: Implement machine learning or rule-based algorithms that can identify deviations from typical transaction patterns, which can be early indicators of fraud.

Data security measures

• Encryption: Encrypt all data related to ACH transactions, both at rest and in transit. This minimizes the impact of potential data breaches.

• Regular security audits: Conduct regular audits of your IT systems and business processes to identify and mitigate vulnerabilities.

Vendor and third-party management

• Third-party risk assessments: Regularly assess the security and compliance protocols of third-party vendors that have access to your financial systems or handle sensitive data.

• Service agreements and compliance: Ensure that all agreements with vendors include clauses that hold them to specific security and data handling standards. Verify their compliance through audits or assessments.

Employee training and awareness

• Regular training: Provide ongoing training for employees on the latest fraud trends, phishing tactics, and best practices for security hygiene.

• Phishing simulations: Regularly conduct phishing attack simulations to help employees recognize and appropriately react to malicious emails.

Policy development and compliance

• Clear transaction policies: Develop clear policies regarding ACH transactions, including procedures for initiation, authorization, and reconciliation.

• Compliance with regulations: Stay up-to-date and ensure compliance with relevant financial regulations and standards that govern ACH transactions, such as those established by Nacha.

Response and recovery

• Incident response plan: Develop a detailed incident response plan outlining what to do in the event of an ACH fraud incident. This plan should include procedures for notifying relevant parties, containing the damage, and recovering lost funds.

• Cyber insurance: Consider obtaining cyber insurance to help cover the financial losses and recovery costs associated with a cyberattack or fraud incident.

• Communication: In the event of a fraud incident, communicate transparently with customers, employees, and other stakeholders. Proactively address concerns and demonstrate your commitment to security.

Regulatory compliance and ACH risk management

Certain regulations and standards govern ACH payments. Compliance with these requirements helps manage ACH risk and maintain the integrity of electronic payment systems. Here are the key directives that govern ACH payments.

• Nacha operating rules: Nacha governs the ACH network and its operations, and Nacha’s operating rules provide the framework for exchanging and settling ACH payments. Compliance with these rules is mandatory for all participating financial institutions and businesses.

• Bank Secrecy Act (BSA): The BSA has reporting and record-keeping requirements that help identify and prevent money laundering activities. Businesses must implement effective Anti-Money Laundering (AML) procedures that include monitoring, detecting, and reporting suspicious activities.

• USA PATRIOT Act: The USA PATRIOT Act builds on BSA requirements by imposing stricter regulations on financial transactions to deter terrorist financing. It includes requirements for identity verification and stricter due diligence.

• Federal Financial Institutions Examination Council (FFIEC) guidelines: The FFIEC provides guidance on risk management practices within financial institutions, including those related to electronic payments and ACH transactions.

• Consumer Financial Protection Bureau (CFPB) regulations: The CFPB oversees consumer protection under the Electronic Fund Transfer Act (EFTA), which governs the rights, liabilities, and responsibilities of parties involved in electronic funds transfers.

How to approach ACH risk mitigation with Stripe

When using Stripe for ACH payments, there are certain tools you can use and best practices you can engage in to mitigate ACH risk.

Use Stripe’s built-in risk management tools

• Stripe Radar: This fraud prevention tool uses machine learning to assess the risk of each ACH payment. It automatically blocks high-risk transactions and flags suspicious activity for manual review. Customize Stripe Radar’s rules to your specific business needs, adjusting thresholds for transaction values, velocity, and other factors.

• ACH debit authorization: Require customers to authorize ACH debits through micro-deposits or instant bank verification, confirming account ownership and reducing the risk of unauthorized transactions.

Improve customer due diligence (CDD)

• Identity verification: Collect and verify customer information such as name, address, and date of birth using Stripe’s identity verification tools or third-party providers.

• Business verification: For businesses, obtain and verify relevant documentation, such as business licenses, tax identification numbers, and articles of incorporation.

• Risk-based authentication: Implement stronger authentication measures for high-risk customers or transactions such as requiring additional verification steps or limiting transaction amounts.

Monitor and analyze transaction data

• Stripe Dashboard: Regularly review the Stripe Dashboard for insight into transaction patterns, chargeback rates, and fraud indicators.

• Custom reporting: Create custom reports to analyze specific data points such as transaction types, customer segments, or geographic locations and identify potential risk areas.

• Third-party tools: Consider integrating Stripe with third-party fraud detection and prevention platforms for improved monitoring and analysis capabilities.

Optimize dispute management

• Dispute resolution: Establish a process for handling ACH disputes, including responding to customer inquiries, gathering evidence, and representing your case to Stripe or the relevant financial institution.

• Dispute prevention: Proactively address potential issues by communicating with customers through Stripe Invoicing’s automatic email reminders.

Stay informed and adapt

• Stripe updates: Stay up-to-date with Stripe’s latest product releases, security improvements, and risk management best practices.

• Stripe Sigma: If you have a high volume of ACH transactions or complex risk management needs, explore Stripe Sigma for advanced data analysis and custom reporting capabilities.

• Stripe support: Use Stripe’s support resources for guidance on implementing best practices and troubleshooting any issues that might arise.