Account validation is one of the most important, yet least discussed, aspects of the payments lifecycle. Having the ability to verify an account prior to approving the transaction reduces the likelihood fraud will occur. An effective account validation protocol can also decrease the amount of chargebacks and other costly mistakes that eat into a merchant’s revenue. Yet despite the benefits of being able to verify an account before approving a transaction, not all merchants have a protocol in place to do so. How will new ACH network rules affect this?
For merchants utilizing the ACH Network, this will soon change. Nacha, the organization overseeing the ACH Network, currently requires originators of WEB debit entries to use a “commercially reasonable fraudulent transaction detection system” to screen for fraud. But beginning on March 19, 2021, the rule will change to explicitly require “account validation” to be part of the fraud detection system.
Merchants relying on fraud solutions without account validation capabilities should learn more about the rule change and pursue ways to ensure compliance. For these merchants, GIACT’s white paper “Securing Faster Payments: Addressing the Account Validation Rule” is great resource to start with.
Faster payments create opportunities for fraudsters
GIACT’s white paper notes that Nacha’s rule change comes as faster payment services, including Nacha’s Same Day ACH, have seen a significant uptick in traffic recently. For instance, Same Day ACH volume grew 37% in the second quarter of 2020 compared to the same period in 2019. As Same Day volumes have grown, so, too, has the dollar amount of transactions, up 33% in the second quarter of 2020 compared to the year prior.
Experts point out that this increase in faster payment volumes increases the risk for fraud.
“With faster and real-time payments beginning to enter the mainstream of the U.S. payments industry, the risk of fraud is increasing in tandem,” said Sarah Grotta, director of Debit and Alternative Products Advisory Service at Mercator Advisory Group. “This is because bad actors are looking to take advantage of untested networks, processes, and the inherently shorter timeframes for identifying problematic transactions.”
All merchants will be impacted
Because of how critical account validation is when it comes to stopping fraud, Nacha is making it a mandatory capability for merchants. For those working to fight fraud, the change is a welcome one.
“The latest rule change from Nacha is a welcome step when it comes to strengthening fraud protections,” said Kimber Johnson, EVP, Strategic & Client Relations at GIACT. The change will specifically impact Article Two, Subsection 2.5.17.4 (Additional ODFI Warranties for Debit WEB Entries).
When the changes take effect, any payment originator (merchant) that processes WEB debits will need to have some form of account verification. All merchants using the ACH network will be obligated to do so, regardless of their size or industry. Everyone originating WEB debits, from insurance companies to loan providers, will need to comply with the rules.
Since such a large assortment of companies use the ACH network, a whole range of use cases may be impacted by the new rules. While the list is by no means exhaustive, here are some key payment examples that GIACT identified, specifically if account information is being collected by the originator:
- Insurance company payments
- Contributions to Individual Retirement Accounts, SEPs, 401Ks
- Point of sale purchases
- Utility payments
- Tax payments
- Charitable donations
- Installment loan payments, including car loans, credit cards, mortgages, HELOCs
- Membership payments
Some solutions are more effective than others
Fortunately for merchants who need to change their fraud evaluation platforms to comply with the rule change, there are many ways to do so. However, not all the solutions are equally effective at stopping fraud or working within a faster payments context.
One solution is an ACH prenotification, commonly referred to as a prenote. It is a zero-dollar transaction that an originator sends to the issuing bank prior to an actual debit or credit. It is meant to validate the routing and account number at the issuing bank before sending through the actual transaction.
While the prenote is effective at confirming the account number, it does not offer any information about the account itself, including the activity levels, status, or ownership. It also takes up to three days to complete, rendering it unhelpful for faster payments. Another salient problem is that the issuing bank is only required to respond to the prenote if the account does not exist, meaning that payments can still be sent to the wrong account so long as it’s a valid account number.
Trial deposits, also called a micro deposit, are another solution. The trial deposit approach consists of making a small deposit to the receiver’s account prior to the actual transaction in order to verify the account. However, there are issues that should be considered. First, it takes one to two business days for the trial deposit to be deposited in the account, making it incompatible with faster payments. Second, it only validates that the account can accept a payment, not who owns the account.
The white paper also explores solutions called account aggregators, which are third parties that are provided with the username and password of an account in order to login to the system and verify the account is open. When considering this solution, it is important to note that the account owner must trust a third party with their sensitive data. Furthermore, this approach can only confirm that an account is open; it does not determine the account’s standing with the financial institution.
So while these three solutions may result in a merchant being compliant with the new rules, they come with a range of problems. GIACT identified four areas that an effective verification system would validate:
- Account status
- Payment history, particularly NSF or chargeback history
- Ownership, and matching ownership to the payment originator
- Consistency of PII, including name, address, phone number, email and more
Merchants interested in having a robust fraud detection system should consider looking for solutions that meet these four criteria. One solution is offered by GIACT called the EPIC Platform. It can be implemented using a single API and covers these four areas. It also works in real-time, allowing merchants to provide a seamless experience to their customers.
If you’d like to learn more about NACHA’s rules or the EPIC Platform, you can read the white paper by filling out the form below.
