Why Banks Dread Same Day ACH


When details emerged last month of SWIFT’s software compromise, it signaled, to some, the likely start of a spree of hacking attempts. Bangladeshi hackers reportedly infiltrated SWIFT’s Alliance Access software, creating false payment instructions to initiate a transfer of millions of dollars that remain unaccounted for.

It’s bad news for SWIFT but could be worse news for banks.

According to the cybersecurity firm FireEye, which is probing the bank heist, there has been “activity in other financial services organizations that is likely by the same threat actor behind the cyberattack on Bangladesh Bank.”

In other words, the cyberthieves aren’t finished yet.

With the globalization, interconnection and acceleration of the world’s payments systems, the strategies of cyberattacks are likely to grow more sophisticated. And while businesses, consumers and FinServ players are all fueling this direction of the payments landscape, the banks, it turns out, aren’t as excited about faster payments as their customers are.

A survey published by financial security software firm NICE Actimize found that a whopping 93 percent of banks anticipate new fraud threats resulting from Same Day ACH.

More than half of the banks have no idea how they’re going to tackle those threats, either.

According to the company’s risk and fraud management expert, Wes Wilhelm, financial institutions’ uncertainty about how they’ll handle rising cyberthreats is most concerning.

“There’s been quite a bit of coverage and time to evaluate the approach to take,” Wilhelm said in a recent chat with PYMNTS. “I was surprised that folks hadn’t made their decisions yet.”

Same Day ACH is slated to see its first rollouts among U.S. banks and FIs this September. Just weeks ago, NACHA revealed its own survey on how corporates are some of the customers most ready for this progression in payments.

B2B payments and payroll were cited as two of the strongest use cases for Same Day ACH, NACHA said. The electronic payments association also pointed to FIs’ readiness for the advancement.

“Financial institutions see the value in providing new, faster payment options to their customers with certainty and surety, and Same Day ACH allows them to do that in 2016,” stated NACHA President and Chief Executive Officer Janet O. Estep.

From the looks of NACHA’s survey, banks are certainly on board with offering Same Day ACH; 86 percent plan to offer it to all clients, the survey found.

But NICE Actimize’s research uncovers doubts in how FIs can facilitate Same Day ACH securely.

The analysis found 70 percent of FIs use manual procedures to detect ACH-related fraud. While that percentage is expected to drop once Same Day ACH comes into play, the initiative dramatically shortens the window of time that banks have to review potential threats.

Wilhelm pointed to these “operational challenges” FIs will face. “They’re going to have to work with three windows a day now, instead of one,” he said, referencing the two new clearing windows to submit and settle payments.

“Fraudsters will pick up the opportunity to jump transactions right before window closure, so the FIs have less time to review them,” he continued.

There’s one type of payments fraud in particular that comes to mind, said Wilhelm, when considering some of the cyberthreats banks already have trouble dealing with today: the business email compromise.

“It puts the FI in an interesting position,” he explained. When an employee is looking to authorize a payment under the instructions of someone posing as a CEO or CFO, that means banks have to be vigilant about blocking fraudulent transactions — even when an employee is convinced it’s legitimate.

With Same Day ACH entering the picture, a bank has less time to delay a transaction — and investigate its validity — that an employee wants to initiate immediately, Wilhelm noted.

NICE Actimize also identified that same-day payroll and account-to-account transfers are likely to have the most vulnerabilities that hackers can take advantage of.

Part of the problem is that banks aren’t able to safeguard against these cyberthreats because they haven’t come to fruition yet, said Wilhelm.

“It’s an unknown unknown,” the executive explained. “We haven’t seen the first rollouts [of Same Day ACH] yet. There’s a lot of uncertainty at this stage of the process; it happens anytime you roll out a new payment system.”

While banks’ concerns over an increase in fraud aren’t unexpected, he added, and shouldn’t be too much cause for concern, those concerns are certainly legitimate.

“We know from other markets, such as the U.K., that the launch of Faster Payments is aligned with an uptick in fraud attacks and losses,” said NICE Actimize Vice President and General Manager of Fraud and Cybercrime Management Solutions Erez Zohar in a statement announcing the research. “This means that U.S. financial institutions need to be prepared with fraud strategies on day one.”

For Wilhelm, that strategy should be one that’s simple, if unorthodox.

“I think this is the appropriate time for the players to think like a crook — to design against crime,” he said. “It’s an approach of ‘it’s time to test for failure,’ as opposed to testing for functionality. Try to break it. Work around it. Look for vulnerabilities.”

An approach like this to cybercrime could allow banks and FIs to become proactive in combating the fraudsters. With a shrinking window of opportunity to react to a security breach, taking a proactive stance to protect Same Day ACH transactions might be key to stopping a heist, like the one suffered by Bangladesh Bank.

“This kind of testing is unique,” Wilhelm continued, “and takes an interesting skill set to find the right parties to test systems in ways that go beyond getting the money from point A to point B.”