Handling Bank Account Transfers Worldwide

This article is targeted at those who need to deal with bank accounts in different countries while processing transactions. It explains certain aspects associated with the process in different parts of the world.

Every US based business, dealing with bank accounts internationally, should pay attention at these things and the particularity of the process in each country of operation.

Globally, there are two types of systems, which are most popular today. Systems of the first type, allow for one-phase processing of fund transfers between accounts, while systems of the second type allow for two-phase processing.

One-phase processing of bank account transfers

One-phase processing is used in such countries as the USA and Canada. In these countries inter-bank fund transfers are conducted through a nation-wide clearing house. In the US, for instance, the clearing house is the Federal Reserve. A merchant has to send a file with the list of transactions to be funded (withdrawals) to the clearing house; within one or two days it gets the requested funds from the clearing house. After that the clearing house sends transaction requests to respective banks to verify the availability of funds and complete these transactions. Usually, member banks will then have certain time period (up to sixty days in the US) to either confirm transaction or decline it. If a bank declines a transaction for whatever reason, then the return is sent to the merchant, who originated the transaction, and the funds are forcibly withdrawn from the merchant’s bank account (check our article on ACH returns for details).

Two-phase processing of bank account transfers

Two-phase processing is used in the UK (BACS), EU (SEPA), and Australia. Under this approach clearing houses are also used. However (in contrast to one-phase systems), in such systems as BACS and SEPA all bank accounts must be registered within the system before any financial transactions can be processed through them. A registration file with the list of accounts is sent by a merchant to the respective financial authority (body), which issues payment mandates to merchants. (At the stage of bank account registration invalid bank accounts can be identified). Within a certain period after the registration (generally, about two weeks after the mandates are obtained) the merchant can start processing actual transactions. After that the process, generally, follows the same patterns as during one-phase processing. The clearing house contacts member banks to clear the funds. However, most of two-phase systems, usually, provide most of the responses within three days and do not require the 60-day wait period (as the accounts are already registered in the system). However, some banks may delay payments, while some other banks may dispute them post factum.

The advantage of the first system is its simplicity, while the advantage of the second system (although more complex) is its reliability. I.e. in the second case merchants have better chances of getting their money from valid bank accounts of their customers, however, implementation of a two-phase system requires more efforts.

Conclusion

If you are a payment gateway provider, processing worldwide, and you want to process in the countries, using different banking systems, you need to pay attention at the architecture of the whole process. Your main objective in this context is to make your payment gateway capable of working with both one-phase and two-phase systems, while providing your customers with a unified integration API.

Visit the UniPayGateway website if you are interested in the diagram illustrating this topic.

Merchant Fraud Protection Tools

The purpose of this article is to familiarize payment service providers and other merchant services industry players with various merchant fraud protection tools. While one of the previously published articles covered consumer fraud protection tools (from merchant’s perspective), the current article is mostly targeted at PSPs who have multiple merchants in their portfolios, and, consequently, require efficient merchant fraud protection tools to ensure stability and security of their operations.

Information on the nature of merchant fraud can be found in our articles on fraud protection aspect of payment gateway selection, chargebacks and ACH returns.

Merchant fraud protection systems are often incorporated in payment gateway software products. They are based on various criteria for monitoring of each merchant’s transaction processing activity. The incoming flow of transactions is analyzed and checked against these criteria on some regular (usually, daily, or monthly) basis. If some deviations take place, they are immediately flagged, underlying merchants or transactions can be identified, and any necessary measures can be taken as efficiently as possible.

Let us now look into the fundamental criteria, providing the conceptual basis for merchant fraud protection tools.

Some criteria are analyzed on daily basis as well as on month-to-date basis. For instance, maximum transaction amount is a criterion analyzed on daily basis only, while maximum processing volume can be analyzed both daily and monthly.

For every particular business, depending on its nature, a limit is, generally, established for one or more criteria. If the limit is exceeded, the incident is analyzed, and, if necessary, respective measures are taken.

Maximum allowed processing volumes

General transaction volume as well as transaction count are analyzed. At the basic level, maximum and minimum transaction (ticket) amount, which a merchant indicated in the merchant application, are monitored. Significant deviations from these values might indicate some type of merchant fraud.

Maximum deviation from averages

Generally, most businesses follow similar processing patterns from day to day and from month to month with no deviations from average. If any significant deviations from average are registered, they are considered a signal for checking the specific case behind the deviation. Normally, permitted deviations amount to approximately 5-10 %. If this limit is significantly exceeded, it may raise suspicions. Deviation limits should be observed in an average per-transaction amount, average daily (monthly) transaction count, and average daily (monthly) processing volume (in dollars). Generally, 60-day window is used for daily averages, and 12-month window for monthly ones.

For some types of businesses deviations from average are typical (for instance, seasonal or induced by sale of some highly-demanded product), so the criterion is not always a decisive one, but in some cases it can be helpful.

Fraud suspects

One of the signs, which may cause suspicion, is a large number of so-called micro-transactions (below $1). In some situations a large number of even-amount transactions can also be a sign of fraud. For example, if a merchant is a retail business and transaction amounts usually include taxes, an even-amount transaction is rather an exception, than a rule, while for e-commerce businesses even-amount transactions are more common.

Duplicates

Duplicates can either signify actual fraud or just a human error. Duplicates can be analyzed according to several criteria.
For some businesses too many transactions with the same amount are untypical, so this is the case when they might signify fraud. On the other hand, some businesses offer a limited number of products\subscriptions, and for those businesses many transactions with the same amount are common.
Another duplicate-related criterion is the number of transactions associated with the same card number. If the number is too large, it may be a sign of fraud.
In some cases a large number of transactions with the same amount paid using the same card (a combination of the two criteria) during a short period of time (say, a day) may also signify fraudulent activity.

Transaction types

Unusually high percentage of transactions of a certain kind in the overall transaction volume is another representative indicator. If maximal allowed percentage of credits, refunds, verifications (“zero-dollar” transactions), declines, ACH returns or chargebacks is exceeded, it may be a sign of merchant fraud being committed.

Entry mode

In terms of card entry mode there are three basic card transaction groups: swiped, keyed and CNP. If some type of entry mode is dominant for a business, a sudden increase in the number of transactions with a different entry mode may signify fraud.

Off-hours transactions

Some transactions may be submitted during the time, when the business is normally closed (for example, before 8 am or after 8 pm).
For some businesses after-hours processing is acceptable, but unusually large number of transactions submitted after hours may be a sign of potential fraud.
If transaction volume is, usually, consistently distributed across the merchant’s working schedule (for instance, most transactions happen in the morning), sudden shifts in this distribution may also seem suspicious and, potentially, indicate merchant fraud.

Merchant inactivity period

Some merchants stop processing transactions, but do not close their merchant accounts. Such merchant accounts can, potentially, be used by fraudsters. Consequently, the number of days during which there is no activity on the account, should be monitored, in order to prevent potential fraud due to merchant’s lack of attention.
Absence of activity does not signify fraud, but rather, indicates that the merchant is not using the account any more.

Frequency

Some merchants normally process transactions only on certain days of a week or a month. If such a pattern is broken (for example, a merchant normally processes on Monday, and now there is activity for entire week, or a merchant, normally processing transaction for 20 working days a month, suddenly starts processing for the whole 31 day, it may indicate fraud).

Conclusion

Monitoring of potential merchant fraud signals is critical for payment service providers, which service large numbers of merchants, and assume financial risk and liability for the merchants in their portfolios. In order to efficiently prevent fraud, such businesses need to utilize merchant fraud protection tools.

Visit the UniPayGateway website if you are interested in the diagram illustrating this topic

What is an ACH payment gateway?

What is an ACH payment gateway?

An ACH payment gateway is a kind of payment gateway that allows to process ACH transactions. Usually it connects to various banks or ACH processing networks to provide access to all of its financial institutions for its merchants.

What is the difference between ACH and credit card transaction processing?

ACH transactions do not involve payment cards – just bank accounts, so credit card transaction processing is usually performed by credit card processors/acquirers, while ACH transaction processing is, mostly, handled by banks. However, in today’s merchant services industry there are payment gateways, allowing merchants to process both credit card and ACH transactions through one and the same API.

What is a lifetime of an ACH transaction?

ACH transaction file is submitted to the bank, which, usually, forwards it to Federal Reserve, which funds a 1005 of transactions in the file. Subsequently the Federal Reserve will dispatch a request to respective banks to complete money transfers.

What is an ACH return and how should it be handled?

An ACH return is a rejection of an ACH transaction due to insufficient funds on the account or for some other reasons (complete list of ACH return codes can be found here). If at the stage, when Federal Reserve requests money from the bank, it turns out that the transaction cannot be processed, since Federal Reserve has already funded the respective merchant, it takes the money back from the bank, while the bank takes it back from the merchant. Verification of availability of funds on the account can take up to two months, during which ACH fraud can occur. Consequently, the best way to deal with ACH returns is to avoid them, i.e. check whether all the information necessary for ACH payment processing is up-to-date, whether account is not included into some blacklist, whether the account (or IP) does not come from some high-risk location, etc.

What is the role of ACH reserves in ACH payment processing?

ACH reserves represent one of the ACH fraud protection mechanisms. ACH reserve is a certain amount withheld by a PSP\underwriter from deposit of a merchant (fixed amount or percentage of ACH transactions, processed by its sub-merchants) to protect its business from potential ACH-returns. More information can be found here.

Merchant Services Reserves

The purpose of this article is to familiarize PSPs with the concepts of merchant services reserves. As mentioned in the previous article, handling of transactions that occur outside the normal processing cycle is an important consideration to bear in mind in the context of merchant funding (remittance). These transactions are refunds, ACH returns and chargebacks.

Chargebacks and ACH returns can come in within 60-day period from the time when the original transaction was processed. Consequently, the money for that transaction may already have been funded, and it is important to ensure that merchant will be able to cover the expenses resulting from these types of transactions.

The most common tool for dealing with refunds, chargebacks and ACH returns is withholding of the reserves.

Merchant services reserve concept

Generally, a merchant services reserve is a pool of money that is maintained to minimize the risk of financial fraud for PSPs (third party processors or payment facilitators). There are three reserves, which are commonly maintained, and can be dynamically adjusted every time a remittance process occurs.

The types of merchant services reserves and models for reserve formation are addressed in the sections below.

Types of reserves

Conceptually there are two reasons why reserves are maintained.

Firstly, reserves are intended to cover expenses resulting from transactions that reverse previously approved payments, and occur after the originally approved payments are already funded. Examples of those are chargebacks and ACH returns. Reserves for ACH returns and chargebacks are held because these transactions can come within 60-day period after the time of the original transaction processing.

Secondly, reserves are intended to cover expenses resulting from transactions that produce negative balance against an account (bank account) that doesn’t belong to the merchant, for example, credits and refunds. Reserves for refunds are often used by wholesale resellers, who use aggregation models (or by PSPs), as refunds for merchant’s products are withdrawn from the PSP’s account.

All merchant services reserves are always withheld by PSPs as deductions from merchant remittances. When a refund needs to be performed, the funds are taken out from the refund reserve. If the reserve is empty, no further refunds can be issues.

Merchant services reserve calculation models

Generally, a reserve can represent either a fixed amount or a percentage of processed transaction volume. These two approaches for merchant services reserve calculation are addressed below.

Reserve as a fixed amount

Under this approach a reserve represents a fixed amount of money. The approach is commonly applied to refund reserves. A certain fixed number (say, $5000) is established, providing the maximum reserve and the maximum possible amount of refunds.

Reserve as percentage

Under this approach a reserve is established as a percentage of the total volume of transactions approved. The option is more frequently used for ACH return and chargeback reserves.

A reserve percentage together with analysis time period (one or two months) is established. Every time a remittance is performed, depending on the time frame, transaction volumes processed during the last 30 or 60 days, are analyzed, respective established percentage is calculated, and the resulting amount becomes the reserve requirement. Reserve is refilled as a deduction from a remittance.

In some cases, if processing volumes increase, larger reserves may need to be withheld, while, if processing volumes decrease, some funds need to be returned back from the reserve. Sometimes, it is recommended to retain a minimum fixed amount in the reserve even if total reserve requirement is dynamically calculated. It is used as insurance against sharp decreases in processing volumes. That is why, beside percentage and time frame, chargeback and ACH reserves are often characterized by a fixed minimum reserve amount. For example, reserve amount may vary from $1000 to 5% of processed transaction volume. In such cases, if a merchant’s processing volume drops, the reserve amount cannot fall below the fixed threshold.

Example

Sliding time window 30 days
Reserve percentage 5%
Minimum reserve amount $500If volume of transactions processed during a month is $20000 then the reserve requirement will amount to $1000.
If volume of transactions processed during a month is $5000 then the reserve requirement will amount to $500 (and not $250 resulting from percentage calculation).

Conclusion

PSPs need to withhold refund, chargeback and ACH return reserves in order to protect themselves from losses induced by the respective types of transactions. Merchant services reserve amounts need to be carefully and flexibly calculated in order to provide the best solutions for both PSPs and merchants.

Payment Concepts: ACH Returns

The purpose of this article is to improve the understanding of ACH processing and the concept of ACH returns among merchants, resellers and credit card transaction processors. With better understanding of ACH processing lifecycle in general and nature of ACH returns in particular, considerable money losses from ACH fraud can be avoided.

Our previous post in this topic focused on credit card chargebacks, which are similar in nature to ACH returns. It might be beneficial to review that article before reading current one.

For those unfamiliar with the term, ACH stands for Automated Clearing House – a nationwide fund transferring network. Inter-bank transfers happen through an ACH operator – a Federal Reserve Bank or a private organization used as the central clearing facility. A more detailed explanation can be found here.

Why ACH returns are important

Misconceptions concerning сredit card transactions and ACH transactions are somewhat similar. Without a clear picture of complete credit card transaction processing cycle, people often forget about the possibility of chargebacks. Similarly, without thorough understanding of the full ACH transaction processing cycle, people often concentrate on the initial phase which includes processing and funding. Just like in the case of credit card transactions, ACH transaction approval is not the concluding phase of the processing cycle. To understand the full lifespan of ACH transactions, one needs to devote special attention to ACH returns. (To realize, the importance of ACH returns, it is sufficient to look at ACH return statistics).

Without a clear picture of the full ACH transaction processing cycle, a business can become a victim of ACH fraud. Consequently, the possibility of fraud, induced by the nature of ACH returns, should never be forgotten.

ACH return concept

An ACH return is a reject generated by the receiving depository financial institution (RDFI) in response to an ACH transaction, requiring money transfer, because it cannot be processed. The most common reasons (return codes) behind this include:

  • Insuffient Funds
  • Account Closed
  • Invalid Account Number

A complete list of return codes can be found here .

Many people think that once their ACH transactions are funded, this is the final stage of the process. Yet, ACH does not work like credit cards. For example, a person dealing with ACH transactions may think that if after two or three days the ACH return doesn’t arrive, the money already belongs to him\her. In practice the process may take up to two months. As mentioned above, the ACH transaction lifecycle involves the ACH operator, temporarily granting all the funds requested. Later the ACH operator may demand the funds back, if it turns out that the bank holding the account for which the request was placed couldn’t provide the money (possible reasons are mentioned above).

Let us take a more detailed look at how ACH returns occur.

ACH return mechanism

When a request is submitted to the ACH operator, the funds are granted. After that the ACH operator dispatches requests to the respective banks that are holding the accounts. If the request cannot be fulfilled by the bank, holding the account, the ACH operator requires the funds to be returned – and that money is taken back by means of generating an ACH return.

In addition to ACH return, there is a concept of a notice of change (NOC).
A change in bank account information of a customer may result from bank mergers, changes in account numbering schemes, etc. In cases like these, an ACH transaction is properly processed, using outdated information, but updated information to be used in any subsequent request, is returned to the submitter (merchant). This updated information sent to the submitter is called a notice of change. A notice of change requires the submitter to update the bank account information before submitting the next request. If, for instance, outdated routing number is used in a subsequent request, the transaction may not be processed, and can result in an ACH return.

Not all banks have fully automated (computerized) management systems, and in some cases they have to resolve certain issues by mail, telephone, or using other communication means. Consequently, the process of verification of funds’ availability on accounts can take up to two months. As a result, an opportunity for ACH fraud arises.

ACH fraud

As mentioned above, not all banks respond to ACH operator’s queries quick enough. A bank’s response may, take up to 60 days. Consequently, if an attacker (consumer or merchant) finds a bank with a long response time, he\she can use it to commit a fraud.

Consumer fraud

Consumer fraud can be committed by a merchant’s client. Particularly, such a client can order some product\ service from a merchant, pay for it through ACH, and get this product\service within a week. If an ACH operator needs two or three weeks to verify whether the bank account, specified by the client, actually exists and if there are some funds on it, the fraudster has the ability to use invalid account numbers for the purchase, and escape during the week between the purchase and the ACH return.

Merchant fraud

A merchant can commit a fraud against the Payment Service Provider (PSP).

Particularly, to commit a fraud, a merchant can submit ACH transactions specifying non-existent accounts whose routing numbers correspond to the “long-responding” banks. In this case the attacker’s transactions can get funded pretty quickly (as ACH operator initially grants the funds), but they will be returned after banks verify that the accounts do not actually exist (up to 60 days). But during this time the merchant has an opportunity to escape with the money, leaving the financial liability to the PSP.

There is a set of instruments merchants, resellers and processors can use to prevent ACH fraud.

ACH fraud prevention methods

The most common tools used by merchants against consumer fraud include:

  • IP-address-based filtering of accounts (if an account comes from a high-risk geographical location, the transaction is not processed);
  • identity verification against various blacklists (blacklists feature e-mails, addresses etc of potential fraudsters; if an account is on some blacklist, the transaction is declined, and there is no need for further time-consuming verification process);
  • check verification and check guarantee services. (An ACH transaction is, in fact, an electronic check. Check verification services include verification of the check-writer’s name, account number, and routing number data against different blacklists, as well as account status checks; check guarantee service requires all checks to be approved (through a terminal at the POS, voice authorization or I-check approval software installed on a PC) before being accepted).

The most efficient tools used by resellers and PSPs against merchant fraud are:

  • ACH reserves (held by processors\payment gateways and large-scale resellers to compensate potential ACH returns issued to their sub-merchants);
  • so-called “processing caps” (limiting the number and amount of transactions processed by a merchant during a fixed time interval, e.g. per week\day\month);
  • blacklists (for instance, featuring invalid bank accounts, for which ACH returns were previously generated).

Conclusion

Thorough understanding of ACH transaction processing cycle and competent implementation of respective fraud protection tools allows merchants, resellers and PSPs to prevent money losses resulting from fraudulent ACH returns.