Nacha’s New Risk Management Framework: A Swift Response to Credit-Push Fraud
Taylor Swift isn’t the only one who has reinvented herself multiple times…so has our infamous friend, fraud. Just like the evolution from Fearless to Midnights, fraud has shifted from mostly unauthorized ACH debits from an individual’s account to authorized ACH credits from someone’s account. These authorized credits, also known as credit-push payments, typically result from a person falling victim to a social engineering scheme, which has a Reputation to include anything from business email compromise (BEC) to account takeovers. In some instances, these schemes can also include a bad actor impersonating a vendor, Lover, government agency, etc.
Now, this isn’t to say that unauthorized debits are no longer an issue, they most certainly are; although, Nacha’s previous frameworks included certain initiatives that resulted in a decrease of incidents, in part due to an increase in the awareness of these attempts. However, in this new era, bad actors are becoming more skilled at convincing people to fall for a scheme and, as a result, authorize a payment they wouldn’t normally authorize. In response to this evolution in payments-fraud, Nacha crafted a new Risk Management Framework that specifically targets credit-push fraud.
Nacha’s Risk Management Framework Overview:
Similar to previous frameworks, the goals for the new Risk Management Framework are “to increase awareness of fraud schemes that utilize credit-push payments, reduce the incidence of successful fraud attempts and improve the recovery of funds after frauds have occurred.”
Throughout the document, Nacha states that education about these schemes and cooperation among all parties involved are key. Think about it…it’s one thing if your debit/credit card is used without your knowledge or someone steals your account information. It’s hard to prevent something that you didn’t know was happening or was going to happen. However, it’s an entirely different situation when you knowingly authorized a payment, and it turns out that you fell victim to a fraud scheme. People typically feel a lot more shame and embarrassment from the latter, and when people are Red with shame, they’re less likely to talk about it. That’s why it’s so important to encourage your members to Speak (up) Now instead of waiting until later. If your institution doesn’t realize that these credit-push fraud schemes are occurring, then your financial institution is going to be less likely to be able to prevent them and your other members could fall victim to the same fraudulent attempts.
Once you are aware of these issue, your credit union should also communicate with other financial institutions about what is going on. This is when the “collaboration among cooperative” principle comes into play. If your credit union had a member who fell victim to a scheme, warn your credit union peers so that they can inform their members about the potential fraud attempts that are circling. If you’re not sure how to warn your other credit union peers while also keeping your member’s sensitive data safe, Nacha encourages you to utilize the Risk Management Portal and the ACH Contact Registry to spread the word about fraud issues and other pertinent information. As a reminder, it’s best practice to keep your list in the ACH Contact Registry updated, and make sure to review it at least once a year, but the more often, the better.
Nacha’s Point of View on RDFI’s and Credit-Push Fraud:
When it comes to payments and the ACH network, the Receiving Depository Financial Institutions (RDFIs) usually take on a more passive role, but in this recent Framework, Nacha notes that credit-push payments can be more easily identified by the receiving institution. That’s because, in order for a credit-push fraud attempt to be successful, the bad actor must have an account at the institution that the payment is being sent to. Nacha added that these types of accounts are typically “newly opened or mule accounts with limited history and activity,” as opposed to an account opened in say, 1989, and once the payments post to the account, it will likely be transferred to another account quite quickly. Knowing this, it’s easy to see why RDFIs have a special role to play when it comes to credit-push fraud. Nacha encourages these institutions to actively use their experience in searching for abnormal account activity and put it towards also identifying any potential credit-push fraud situations.
On the Horizon:
With all this being said, there is hope on the horizon. Nacha’s Risk Management Advisory Group (RMAG) stated that in the future, there are a couple of ways they believe Nacha can help successfully return funds that have been sent due to a credit-push fraud attempt.
First, a potential return code could be created to allow an RDFI to reject the fraudulent funds and send them back to the Originating Depository Financial Institution (ODFI). RMAG also noted that “allowing returns of partial amounts using the ACH Network is another option that would improve the recovery of funds after fraud has occurred.”
In time — and with the help of Nacha, RDFIs, members and everyone else in the financial industry, along with education, cooperation and awareness — there is hope that credit-push fraud could be significantly reduced. Maybe even to the point where it becomes an urban legend, or a financial industry Folklore. But, in the meantime, with Evermore risk infiltrating payments, specifically ACH, it's imperative for credit unions to recognize how they can utilize Nacha's risk management framework to better protect their members and institution. So, take Swift action and have your ACH staff familiarize themselves with the framework because you never know when a credit-push fraud attempt might impact your members. Are you Ready for It?
Andi Crockett is the product manager of EFT at Vizo Financial. Her role involves developing and implementing EFT services — including ACH for Business, ACH Contingency, ACH Receipt and Returns, ACH Originations, ACH Settlement, Domestic and International Wires and Foreign Check Collection — for credit unions. She also participates in planning efforts for business development, works with members and clients to manage implementation expectations and manages relationships with vendors. Andi is also an active member of the Diversity, Equity and Inclusion (DEI) Champions team at Vizo Financial.