Nacha members have approved a set of rules intended to reduce the incidence of frauds, such as business email compromise (BEC), that make use of credit-push payments.
Nacha governs the ACH Network, the payment system that enables Direct Deposits and Direct Payments in the US. There were 31.5 billion ACH Network payments made in 2023, valued at $80.1 trillion.
The new rules are said to establish a base level of ACH payment monitoring “on all parties in the ACH Network (except consumers).”
While the new rules do not shift the liability for ACH payments, for the first time receiving financial institutions (RDFIs) will “have a defined role in monitoring the ACH payments they receive.”
Jane Larimer, Nacha President and CEO, said:
“All participants in the ACH Network have a part to play in reducing the incidence of fraud, and recovering when fraud has occurred. I applaud Nacha’s members for taking this important step of self-governance.”
BEC, vendor impersonation, and payroll impersonation are some examples of fraud that result in payments being “pushed” from a payer’s account to the account of a fraudster.
The FBI’s Internet Crime Complaint Center’s 2023 annual report found “there were 21,489 BEC complaints in 2023 totaling $2.9 billion in reported losses, making it the second-costliest type of cyber-crime.”
According to the Association of Financial Professionals, “Business Email Compromise (BEC) scams are still highly prevalent and are the root cause of payments fraud at a majority of organizations.”
The new rules follow the flow of a credit-push payment “to promote the detection of fraud from the point of origination through the point of receipt at an account at the RDFI.”
When fraud is detected, the rules empower “the originating financial institution (ODFI) to request the return of the payment for any reason; the RDFI to delay funds availability (within the limits of Regulation CC) to examine the payment more closely; and the RDFI to return a suspicious transaction on its own initiative without waiting for a request or a customer claim. An additional rule facilitates transaction monitoring by RDFIs by applying a standard transaction description for ACH credits used for payroll payments.”
The impetus for the newly approved Rules came in late 2022 when Nacha released its strategy “Risk Management Framework for the Era of Credit-Push Fraud.”
The strategy expanded the focus of fraud detection and prevention “to include frauds that use credit-push payments, including ACH credits.”
While the new rules apply to ACH payments, their principles and techniques “are more broadly applicable to all types of credit-push payments.”