New Debit Rules Pose Security Hoops for Banks — and Enterprises They Serve

“Payments fraud isn’t localized to just one industry or one business — it’s widespread and pervasive. The fraudsters are only getting more creative,” Paramita Bhattacharjee, VP and product line leader at Early Warning Services, LLC told PYMNTS.

As the new WEB Debit Account Validation Rule implemented by Nacha took effect last year, account validation practices are fully entering the digital age, readying financial institutions (FIs) and enterprises for real-time payments. At a high level, Bhattacharjee said, the Nacha WEB debit rule was created initially to address concerns of fraud on the automated clearing house (ACH) network.

Beginning last March, Nacha mandated that all ACH originators of WEB debit entries include account validation as part of their anti-fraud efforts and initiatives. A series of extensions give a hint of how complex the technical lift has been to improve account validation, she said, noting that the rule’s March 19, 2021, effective date came after an extension of the original Jan. 1, 2020, date. Organizations, perhaps unsurprisingly, needed more time to comply, given the lingering impact of COVID-19.

Nacha has also stated that it will not enforce the rule until one year after that March 2021 implementation — which means, well, this month.


In terms of mechanics, the rule requires that FIs perform account verification as part of their anti-fraud initiatives.

“This applies to FIs,” said Bhattacharjee, “as well as corporations — and, basically, any organization of any size.”

Commercially Reasonable

These entities are mandated — through a rule formulated by Nacha and the Faster Payments Council in 2018 — to use a “commercially reasonable” fraudulent transaction detection system in the effort to keep firms from posting fraudulent, incorrect or unauthorized payments. Those efforts will make payments safer, she said, while enhancing the quality and improving risk management within the ACH network.

Importantly, using those fraud-detection systems, underpinned by advanced technologies, allows FIs and other organizations to meet consumer demands for fast and frictionless transactions.

As Bhattacharjee said, “the digital overdrive was accelerated by the pandemic and financial institutions are increasing their digital footprint while securing their environment.” During the pandemic, she noted, roughly a third of FIs were hit by at least some type of ACH fraud (as were most non-FI organizations), while consumers are increasingly making more payments over the internet and across mobile devices.


Many FIs, she said, may not have the resources in-house needed to comply with the new rule, and many corporations and government entities only ask their customers to enter the account and routing numbers for a payment. Firms that do not perform an account validation step won’t be compliant with the new rule.

“If they haven’t created a project to get into compliance, they will need to prioritize all of their resources very quickly,” she told PYMNTS. There is any number of use cases here — spanning payments, of course, but also new account enrollments and funding and linkages for money movement.

Bhattacharjee said accounts could be validated through several methods — manually or through microdeposits. She noted that Early Warning has a verify account solution that leverages collaborative account information: Early Warning’s National Shared Database® resource.

“We can see if a person transacting is authorized to do so on the account, whether the account is open and active, if it’s a new account, and the status of the account, including if it has a negative balance,” she added.

While validation is going on in the background, she said, the front-facing activities (in other words, the customer experience) should remain unchanged if the proper tools are in place.

As more commerce goes online, she said, we’ll see increased attempts by fraudsters to compromise credentials through account takeovers and social engineering.

Digital-first and digital-only banks are attracting more customers by making it easier for customers to onboard. And with increased social media marketing, fraudsters are targeting companies that might not yet have robust controls or that lack the physical infrastructure to meet customers face to face.

As 2022 winds on, and in the near and longer-term, she told PYMNTS, “we’ll see new evolutions of the Nacha WEB debit rule that take all of these trends into account.”
