It’s Friday morning, and you stroll into the office at 8 AM, hot coffee in hand and high hopes for an easy day before the upcoming weekend. Those hopes are dashed when you spot two missed calls and a frantic message from an Originator. Anyone who’s worked in ACH operations knows the sinking feeling: early morning calls on payday almost always mean trouble.
Your Originator has fallen victim to corporate account takeover. A fraudster hacked into their online banking, added a fraudulent employee to their payroll template and was able to originate a $5,000 credit to their account at another financial institution.
Immediately, you should contact the RDFI to attempt to retrieve the fraudulent $5,000 credit in hopes that the funds are still there and can be returned. That recovery could salvage not just your Originator’s Friday, but your own. A quick review of the Originator’s ACH software controls reveals:
- The payroll file was submitted without validation by a second user,
- The Originator’s prefunded balance let the unusually large file slip through and
- Their exposure limit, which hadn’t been reviewed in years, was set much higher than their usual activity.
Now What?
Once you’ve discovered how the fraud occurred, it’s time to focus on future prevention for the financial institution and the Originator.
- Start by resetting all user access passwords for each authorized user of the Originator to block further fraudulent ACH Entries.
- Next, adjust the assigned limits to align more closely with the Originator’s typical activity and conduct a review of their security controls. Today’s fraudsters are sophisticated, so ACH origination without additional authentication is no longer acceptable.
- Consider requiring tokens for Originators to log in and file submissions and implementing dual control to catch errors or suspicious activity before they slip through.
While these extra steps may seem burdensome to the Originator, a little friction in the process can go a long way in protecting your Originator and your financial institution in the future.
Shift the Focus
Now the lens moves from the Originator’s processes to those of the financial institution. While prefunding helps reduce credit risk for ACH credit files, it should never replace setting proper exposure limits. In this case, the Originator’s limits were far higher than necessary, serving as a reminder that exposure limits must be reviewed and aligned with actual activity and not be left unchecked.
Establishing strict Originator controls within your institution’s online banking and core processing systems is one of the most effective ways to limit ODFI risk. Article Two, Section 2.1 – General Rule – ODFI Is Responsible for Entries and Rules Compliance of the Nacha Operating Rules & Guidelines states that an ODFI is responsible (and therefore liable) for payments originated using its routing number, as well as its Originators’ and Third-Party Senders’ compliance with the ACH Rules. The appropriate use of access controls, determining and setting exposure limits can go a long way in preventing unauthorized or fraudulent ACH Entries before they ever reach the Network.
All financial institutions should be diligent when determining and reviewing exposure limits for their Originators, ensuring they reflect baseline activity rather than being set so high that unusual transactions go unnoticed. Once established, limits should be tightly controlled within the ACH software and tailored to the type of activity an Originator is authorized to perform. For example, a payroll-only Originator should not have debit exposure, and one collecting client payments should not have credit exposure.
Institutions should also consider distinct limits based on Company ID or SEC Code, particularly for high-risk Originators or transactions (like WEB, TEL, IAT, etc.). While many institutions set equal debit and credit limits to accommodate balanced files, requiring unbalanced files and letting the system generate the offsetting on-us entry may be a safer approach worth evaluating.
Most ACH software provides the tools needed to set appropriate access controls, administer exposure limits and limit the types of transactions an Originator may create, whether it be debits/credits, SEC Code formats, frequency, etc. To protect both your institution and your Originators, clear policies and procedures should define how these controls are applied. Maximizing their use not only reduces risk for your institution and Third-Party Senders but also helps prevent those dreaded Friday morning ACH emergencies.
|
|
Don’t wait for a Friday morning ACH challenge to reveal gaps in your processes. Our Origination Support team can review your ACH operations, pinpoint opportunities for improvement, and provide practical guidance tailored to your institution. You’ll gain expert insights, actionable resources, and peace of mind. Get started today with a free, no-obligation quote! |