Attempts to defraud corporations almost always start with someone getting account information off a check. Electronic funds transfer (EFT) advocates argue that ACH security will improve only when more companies stop writing checks and start using ACH transactions exclusively.

"Payroll checks create the greatest vulnerability," says NACHA spokesman Michael L. Herd. Some crooks work for a company for a day or a week, just to get a paycheck with the company's account number and transit routing number, then try to hit the account with fraudulent debits, reports Keith Theisen, senior vice president and group product manager in Wells Fargo Bank's treasury management group.

In a classic case, one delinquent consumer–after being hounded by his credit card company to pay a bill–gave the collector over the phone checking account information and permission to debit. Unfortunately for his employer, he took the information from his paycheck, giving the credit card collector his employer's payroll account, which was debited successfully. "It wasn't for a large amount, but he did it three times before he was caught. You're vulnerable if you don't reconcile your accounts regularly," Mikols notes.

This internal ACH fraud also becomes more likely at corporations without dual controls. "A payroll clerk can pay herself $1 million by direct deposit if nobody else has to sign off on the file," Mikols observes. And as collectors of both corporate and consumer delinquent accounts more often ask to be paid immediately by ACH debit, the chance grows that one corporate officer might give the number of an account that another corporate officer had debit-blocked.

B2B debit blocks

So far, treasuries have lost a lot of time but very little cash coping with ACH fraud. The New York Life Insurance Co. saw its unblocked controlled disbursement account hit 20 times in rapid succession with unauthorized debits in March 2002, reports Richard Witterschein, corporate vice president for treasury services. "A fraud ring evidently got information from one of our checks and used it to make telephone debits to pay off credit card accounts," he explains. "We caught the transactions and were able to get them reversed."

But New York Life went on to shut down its vulnerability to future attacks by putting debit blocks on all but one account. Only a handful of known vendors are allowed to debit that account–the U.S. Post Office, one of New York Life's banks and maybe two or three others. Debits above a certain size are to be referred to treasury for review and approval, but that has not yet happened, Witterschein reports.

And, according to Alan Koenigsberg, vice president and senior global ACH product manager at JPMorgan Treasury Services, the fact that virtually all controlled disbursement accounts and most corporate direct deposit accounts now have some form of debit block in place is the reason why ACH fraud in the business-to-business space has been contained, despite the sizable increase in ACH debit traffic.

But blocks, which allow only ACH debits to an account by payees on an approved list, designate certain days on which payments can be made or set a specified dollar ceiling, are just one approach. Rather than just rely on account blocks, many companies review information reports daily in order to spot any unauthorized debits. Baltimore-based T. Rowe Price Group Inc., for example, permits "a handful" of trading partners to debit its accounts, reports Nolan North, vice president and assistant treasurer. Rather than use a bank filter, the Price treasury reconciles all accounts daily in order to catch any unauthorized debits before they are executed, he explains. "I've never heard of any attempts to hit our accounts with unauthorized debits, so I'm sure we haven't had anything significant occur," he says.

The Movado Group Inc., watch importers with headquarters in Paramus, N.J., lets the U.S. government debit its account for customs duties owed. It also allows a limited group of vendors to debit, but it filters the transactions by giving its bank a list of those authorized to debit. If they're not on the list, they can't collect, explains Frank Kimick, treasurer. "We know it works, because one authorized vendor attempted a debit before all the paperwork had gone through, and the bank blocked it and called us about it," he reports.

Under ACH rules, the party most likely to have its pocket picked by ACH fraud is the originating bank, the bank of the party attempting the debit. That bank must guarantee that all payments it puts into the ACH are authentic. When they aren't–and when the transactions are caught in time (two days for corporate accounts and 60 days for consumer accounts)–the originating bank must reimburse the victim and victim's bank and then try to recover the loss from its customer, explains NACHA's Herd.

So it is not surprising that banks have been particularly aggressive in developing new tools for combating unauthorized ACH debits. "We're beginning to see a new generation of ACH risk management products from banks that mirror their check products," Herd reports.

For instance, LaSalle and its parent, ABN Amro Holding N.V., have just rolled out a positive pay module for their ACH Control product that gives corporate customers a chance to review posted ACH debits and accept or reject them. A treasury manager can also say, in effect, "Remember this vendor I just approved and the next time they submit an ACH debit, pay them and do not report it as an exception item," Mikols explains.

ACH Crime fighter

An acknowledged bank leader in combatting ACH fraud has been Wells Fargo. Both the Federal Reserve and the Electronic Payments Network have been borrowing from that financial institution's innovative fraud prevention tools, which include an online fraud filter that allows companies to review a questionable payment, identify the originator and make pay/no pay decisions. Thanks to sizable ACH volume and its sophisticated database, Wells Fargo was able to detect fraud rings before anyone else and shut them down, saving the banking industry $10 million and winning an award from NACHA for its crime fighting.

But all these are just steps along the road to a fully electronic payment environment, and the real solution, as JPMorgan's Koenigsberg points out, is a holistic B2B payables solution, based on both debits and credits. To attract payers to electronic invoice presentment and payment (EIPP), architects are designing the systems so that the payer has to initiate payment and therefore controls the transaction. "It fits the corporate mindset better to let the payer initiate," says Treasury Strategies' Carfang. "Applying positive pay to ACH brings a sense of comfort, but where we may be headed is toward a world where almost every disbursing account is debit blocked and all the ACH transactions are initiated by the payer as ACH credits." In other words, the real mission is not simply to address the misuses and abuses of ACH but rather to design a better electronic system that meets all the needs of payers and payees.

—————-

HOW TO AVOID ACH FRAUD

For the typical corporation, shielding accounts from ACH fraud is a fairly simple three-step process, Treasury Strategies Inc.'s Tony Carfang notes:

1.Tell your banks to put debit blocks on accounts that shouldn't have ACH debits. By structuring accounts so that all authorized debits occur in only a few accounts (one or none for many corporations), the threat can be minimized substantially. No debits can occur in a blocked account.

2. On the remaining accounts that can be debited electronically, use a variety of bank filtering products to cull out suspicious ones. For example, a company can give its bank a list of suppliers like utility companies that are authorized to debit the account. No debits will be accepted from a supplier not on the list. Or a size limit can be imposed: no ACH debits over $1,000, for example. Cash management banks are scrambling to introduce debit filters, and some are more sophisticated than others, Carfang notes.

3. Reconcile all unblocked accounts daily to catch unauthorized activity. Companies have two business days to reject an unauthorized debit and get their money back. Let an unauthorized debit go unchallenged for more than those two days and it will be much harder to recover lost funds, Carfang explains. Because all fraudulent ACH transactions land in real bank accounts, unwinding them is relatively easy if they're caught soon, he adds.