Will Same Day ACH Rollout Spark A Fraud Spike?

When the U.K. introduced Faster Payments, there was an increase in fraud attacks. With the U.S. Same Day ACH rollout just two weeks away and other Faster Payments initiatives taking off, will the same happen here in the States? In the latest Faster Payments Tracker™, PYMNTS spoke with Luis Rojas, Guardian Analytics Vice President of Product Management, about how moving payments faster has an impact on cybercrime. Find that, along with the latest headlines from around the space, in this month’s Tracker.

With the Same Day ACH rollout coming in just two weeks and other faster payments initiatives taking off, financial institutions are taking significant steps to ensure the transition to a faster processing environment, including improving their payment security platforms to keep fraudsters at bay.

As quicker processing comes into play, the time is ripe for fraudsters to take advantage of potential weaknesses in their existing payments processing machinery.

PYMNTS recently spoke with Luis Rojas, vice president of product management for Guardian Analytics, an online banking security firm, about the effect of a faster processing environment, the potential for increased fraud and how to mitigate that risk.

The Mountain View, Calif.-based company has surveyed its customer base of more than 420 FIs, which have assets ranging from $100 million to more than $650 billion, about the impending Same Day ACH rollout and other faster payments initiatives.

“We’ve seen in the past that, anytime there’s been a movement toward accelerated payments, the fraudsters see that as an opportunity” to gain accelerated access to funds, he said.


How Fraudsters Attack

Faster payments create an environment in which there are shorter processing windows and more submittals throughout the day, all of which reduces the amount of time FIs have to investigate fraudulent activity because they have to do more in a shorter period of time.

When the United Kingdom introduced Faster Payments in 2008, there was a 132 percent spike in fraud as cybercriminals tried to take advantage of the reduced timeframe, according to Rojas. This fraud increase came after various financial institutions failed to implement a solid authentication apparatus to keep a check on fraudsters. In 2009, it was 14 percent higher than levels seen the previous year. And after a brief dip in 2010 and 2011, the increase continued until it peaked in 2014, according to Financial Fraud Action UK.

In the United States, Rojas predicts a comparable pattern and anticipates criminals using sneaky tactics during cyberattacks.

“People are bracing for a similar spike here,” he added. “We think that fraudsters will try to slip in during very busy times, but particularly when banks are up against the cutoff windows.”

They may also try to break up larger transactions into smaller transactions and space them out so that they become harder to detect and at least one of them has the chance to get through, he said.


Impact On Same Day ACH Rollout

If NACHA’s projections come to fruition, about 1.4 billion Same Day ACH payments will be made yearly in the decade following the complete implementation. Use cases for Same Day ACH include account-to-account transfers and same-day payrolls, to name a few.

One of the potential difficulties that Same Day ACH implementation poses for FIs relates to how they control their sensitive data, Rojas said. Mid-tier and larger banks typically have their ACH processing deployed in their data center, which allows them to maintain control of data that can be routed. However, it’s a different story for the more diminutive players from around the space.

Smaller FIs tend to rely more on hosted services and Software-as-a-Service solutions, so data doesn’t live within their custody, Rojas said. Banks also don’t want to engage in costly and time-consuming reversals.

“They’re really at the mercy of their ACH processing provider, and it resides in some external data center somewhere,” he said. Rojas suggests that companies talk with their hosting provider and explain that they must send their data for fraud scanning, with a workflow defined that allows them to do so before data is submitted for payment.

Of the 420-plus customers, Rojas said about 140 are currently using one of the company’s two ACH products, dubbed ACH-ODFI and ACH-RDFI. ODFI focuses on the origination of transactions, while RDFI concentrates on receiving transactions. About 20 percent of the company’s 5 billion transactions made every year are of the ACH variety, according to Rojas.

He said the majority of the company’s customers view the upcoming Same Day ACH implementation in one of two ways: It’s simply a regulatory compliance issue they must address now, or it’s a longer-term initiative that could lead to business opportunities.

“The banks are saying, ‘This is a way for us to attract bigger and better customers,’” Rojas stated. “They view this as an opportunity to offer better services or, in other words, accelerated payments with perhaps higher limits, as well as reduced friction to the customer experience.”

With the industry moving in this direction, Rojas believes Same Day ACH should be a boon for businesses.

“It creates a better commerce environment between originators and beneficiaries,” he said. “There’s a confluence of initiatives that are driving toward electronic payments, faster [payments] and automation.”


Risky Business

While Same Day ACH and other quicker payments initiatives may create opportunities for business, they could also increase risk for fraud. Fraudsters try to explore these vulnerabilities that they see in different payment systems and will take advantage of that, Rojas said.

One way to protect companies from cyberattacks is to use behavioral analytics instead of more rules-based solutions that have a tendency to generate false positives — something that Guardian Analytics has made a part of its offering.

Behavioral analytics don’t require the company to get in the mind of the fraudster but instead look at the statistics related to an individual’s or business’ behavior to see if it’s consistent with its past actions. If it’s not typical, then the risk appears increased, which sets off alerts.

Financial institutions must analyze their trend volumes to get a sense of the flow for how transactions come in throughout the day, Rojas said. By identifying the peak transaction times, institutions can determine if the transactions can be spread out. By doing this, these companies can also decide if they have proper staffing levels during the busiest times of day.


Faster Payments Risk-Mitigating Capabilities

While faster payments require heightened awareness and preparation for potential risks, they also equip these companies with capabilities to mitigate some risks.

For example, faster file exchanges also mean that returns can happen more rapidly, reducing some fraud risks. By moving payments between FIs more frequently, counterparty hazards can also be reduced, and credit limits may be managed more robustly. In all cases, placing proper authentication at the front end of payment transactions and secure walls around all parties and steps in the transaction is critical.


Batten Down The Emails

Security is especially important with emails. When it comes to cyberattacks, there is one kind that Rojas believes cybercriminals will use to perpetuate fraud, regardless of speed of transaction, the payments system or type of technology: the Business Email Compromise (BEC) — popularly known as CEO fraud.

Just in the first four months of 2016, incidents of such scams increased by 270 percent. A total of 17,642 reports of BEC were reported to authorities between Oct. 2013 and Feb. 2016, according to the FBI.

The cost of such attacks? A whopping $2.3 billion, the FBI reported.

“That’s agnostic to whether it gets realized as a wire or ACH transaction,” Rojas said. “When you think about the attack vector, it’s all about social engineering. It’s basically a fraudster trying to convince a legitimate user to initiate a transaction on their behalf.”

ODFIs can examine where all payments are coming from before determining which ones should be allowed to be fully processed.

“We will automatically quarantine high-risk batches, and we will release low-risk batches for payments,” Rojas said.

Fraud analysts can then review the quarantined batches and decide to accept or reject them.While the effect fraudsters will have on faster payments initiatives remains to be seen, one thing is certain: There are products and services associated with faster payments available to support the industry with risk mitigation, without which successful cyberattacks could have significant repercussions on FIs.


To download the September edition of the PYMNTS.com Faster Payments Tracker™, click the button below.


About The Tracker

The PYMNTS Faster Payments Tracker™, powered by NACHA, is your go-to resource for staying up to date on a month-by-month basis. The Tracker highlights the contribution of different stakeholders, including institutions and technology coming together to make this happen.