Ask the Experts: Same Day ACH Phase 2 -- Obstacles and Opportunities

Phase two of same-day ACH is upon us, which means that Receiving Depository Financial Institutions (RDFIs) now need to allow for debit transactions designated as Same Day ACH to be processed and funds made available by the end of the RDFI’s business day.

While this new functionality allows for access to funds much more quickly than ever before, it also introduces a whole host of potential security concerns that need to be addressed.

Luis Rojas, a payment security veteran with 20 years’ experience developing technologies that include fraud detection and behavioral analysis, has spent the last several years focused on helping financial institutions combat rising cyber security threats. We talked with him about the implications phase two of Same Day ACH has for financial institutions, how they can use it to their advantage, and where he sees the future of cyber security preparedness heading.

Q: Does Same Day ACH phase 2 increase the threat of fraud for FIs? Well yes, of course. Any time you change how things work, you introduce a possible increase in fraud—even in new types of fraud that have never been seen before.

Ultimately, it’s important to always remember that for fraudsters, this is their job. They’re smart, resourceful, and creative. You don’t have to dig deep into the use cases NACHA suggests for Phase 2 to understand where the opportunities lie for fraudsters. For example, for a payroll application using Same Day ACH, it would not be difficult for a bad actor to insert a fake employee record, or even change the bank routing number and recipient account on an existing employee’s record. With business-to-business payments, it would also be possible for the account information on an ACH file to be manipulated, or for a new batch entry to be inserted with a money mule account.

The opportunities are truly endless for people intent on stealing money. You just can’t underestimate how creative fraudsters can and will be, so it’s important to always be on guard.

 Q: Is securing same day ACH payments just a “must-do” for banks, or are there hidden opportunities in it for them? This is definitely a great opportunity for banks. While security is something every institution has to think about and act on, very few use it as a point of competitive differentiation. That’s unfortunate because it’s really a great opportunity for banks who are doing it right to shine.

Let’s be honest -- not all fraud prevention is created equally. You can have standard cheap locking doorknobs on your house, or you can have a security system. Both technically “protect,” you, but one does a far superior job. If a financial institution can prove that they’re doing things other banks are not, such as ensuring that fraudulent transactions are stopped before they take place and that non-fraudulent transactions aren’t being held up by flurries of false-positive alerts—that’s a very compelling story to tell to potential customers.

Also, with the right solution in place, you’re building trust in a number of ways, specifically by not constantly bugging customers with calls to verify the authenticity of different payments.

Q: So what does an ideal security solution look like then, if the goal is to protect payments that are moving faster than ever before? Well, let’s start with what isn’t ideal, and that’s a general purpose, rule-based system. That’s a very blunt tool that leads to the issues I mentioned above—legitimate payments being held up because they were flagged for one reason or another, and overworked investigators weren’t able to clear them before the deadline.

If you’re talking about a dream-team type of solution, one that not only secures same-day payments effectively but also helps banks be more competitive, you’d want to look for one that uses real-time behavior analytics and machine learning.

Because solutions that use behavioral monitoring in real-time score the risk of each payment based on what’s normal for each individual user’s prior behavior, not against a set of arbitrary rules, banks see significantly fewer false alerts, which means legitimate payments flow freely and they’re able to more easily prioritize and place on hold those transactions that really do have a high likelihood of being fraudulent.

Ultimately, this is all a case of banks needing to take a fresh new look at how secure their payments really are. As new technologies are introduced, institutions have to make sure they’re always re-evaluating what protections they have in place and whether or not they’re up to the challenge of protecting against new threats. Now is that time. Banks who are letting phase 2 come and go without taking an action, simply assuming that since phase 1 didn’t bring about any issues, phase 2 won’t be a big deal either, could be facing some very big issues down the road.