The purpose of this article is to improve the understanding of ACH processing and the concept of ACH returns among merchants, resellers and credit card transaction processors. With a better understanding of the ACH processing lifecycle in general and the nature of ACH returns in particular, considerable monetary losses from ACH fraud can be avoided.
Our previous post on this topic focused on credit card chargebacks, which are similar in nature to ACH returns. It might be beneficial to review that article before reading the current one.
For those unfamiliar with the term, ACH stands for Automated Clearing House – a nationwide fund transferring network. Inter-bank transfers happen through an ACH operator – a Federal Reserve Bank or a private organization used as the central clearing facility.
Why ACH returns are important
Misconceptions concerning credit card transactions and ACH transactions are somewhat similar. Without a clear picture of the complete credit card transaction processing cycle, people often forget about the possibility of chargebacks. Similarly, without a thorough understanding of the full ACH transaction processing cycle, people often concentrate on the initial phase, which includes processing and funding. Just as with credit card transactions, ACH transaction approval is not the concluding phase of the processing cycle. To understand the full lifespan of ACH transactions, one needs to devote special attention to ACH returns. (To realize the importance of ACH returns, it is sufficient to look at ACH return statistics.)
Without a clear picture of the full ACH transaction processing cycle, a business can become a victim of ACH fraud. Consequently, the possibility of fraud, induced by the nature of ACH returns, should never be forgotten.
ACH return concept
An ACH return is a reject generated by the receiving depository financial institution (RDFI) in response to an ACH transaction requesting a money transfer, because the transaction cannot be processed. The most common reasons (return codes) behind this include:
- Insufficient Funds
- Account Closed
- Invalid Account Number
Many people think that once their ACH transactions are funded, the process is complete. Yet ACH does not work like credit cards. For example, a person dealing with ACH transactions may think that if no ACH return arrives after two or three days, the money already belongs to him/her. In practice, the process may take up to two months. As mentioned above, the ACH transaction lifecycle involves the ACH operator temporarily granting all the funds requested. Later, the ACH operator may demand the funds back if it turns out that the bank holding the account for which the request was placed couldn’t provide the money (possible reasons are mentioned above).
Let us take a more detailed look at how ACH returns occur.
ACH return mechanism
When a request is submitted to the ACH operator, the funds are granted. After that, the ACH operator dispatches requests to the respective banks that hold the accounts. If the request cannot be fulfilled by the bank holding the account, the ACH operator requires the funds to be returned, and that money is taken back by generating an ACH return.
In addition to the ACH return, there is the concept of a notice of change (NOC).
A change in a customer's bank account information may result from bank mergers, changes in account numbering schemes, etc. In cases like these, the ACH transaction is processed properly using the outdated information, but the updated information, to be used in any subsequent request, is returned to the submitter (merchant). This updated information sent to the submitter is called a notice of change. A notice of change requires the submitter to update the bank account information before submitting the next request. If, for instance, an outdated routing number is used in a subsequent request, the transaction may not be processed and can result in an ACH return.
Not all banks have fully automated (computerized) management systems, and in some cases they have to resolve certain issues by mail, telephone, or using other communication means. Consequently, the process of verification of funds’ availability on accounts can take up to two months. As a result, an opportunity for ACH fraud arises.
As mentioned above, not all banks respond to the ACH operator’s queries quickly enough. A bank’s response may take up to 60 days. Consequently, if an attacker (consumer or merchant) finds a bank with a long response time, he/she can use it to commit fraud.
Consumer fraud can be committed by a merchant’s client. In particular, such a client can order a product/service from a merchant, pay for it through ACH, and receive the product/service within a week. If the ACH operator needs two or three weeks to verify whether the bank account specified by the client actually exists and holds funds, the fraudster is able to use invalid account numbers for the purchase and escape during the time between the purchase and the ACH return.
A merchant can commit a fraud against the Payment Service Provider (PSP).
In particular, a merchant can submit ACH transactions specifying non-existent accounts whose routing numbers correspond to the “long-responding” banks. In this case the attacker’s transactions can get funded pretty quickly (as the ACH operator initially grants the funds), but they will be returned after the banks verify that the accounts do not actually exist (up to 60 days). During this time the merchant has an opportunity to escape with the money, leaving the financial liability to the PSP.
There is a set of instruments merchants, resellers and processors can use to prevent ACH fraud.
ACH fraud prevention methods
The most common tools used by merchants against consumer fraud include:
- IP-address-based filtering of accounts (if an account comes from a high-risk geographical location, the transaction is not processed);
- identity verification against various blacklists (blacklists feature e-mails, addresses, etc. of potential fraudsters; if an account is on a blacklist, the transaction is declined, and there is no need for a further time-consuming verification process);
- check verification and check guarantee services. (An ACH transaction is, in fact, an electronic check. Check verification services include verification of the check-writer’s name, account number, and routing number data against different blacklists, as well as account status checks; check guarantee service requires all checks to be approved (through a terminal at the POS, voice authorization or I-check approval software installed on a PC) before being accepted).
The most efficient tools used by resellers and PSPs against merchant fraud are:
- ACH reserves (held by processors/payment gateways and large-scale resellers to compensate potential ACH returns issued to their sub-merchants);
- so-called “processing caps” (limiting the number and amount of transactions processed by a merchant during a fixed time interval, e.g. per week/day/month);
- blacklists (for instance, featuring invalid bank accounts, for which ACH returns were previously generated).
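The three reseller/PSP controls above can be combined in one per-merchant check. The following is an added example, not code from this article or from any processor: it applies a processing cap, a blacklist of accounts with previous ACH returns, and a reserve sized against funded amounts still inside the 60-day return window. The cap values, reserve rate, class and function names, and routing/account values are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

RETURN_WINDOW_DAYS = 60     # from the article: a return may arrive up to 60 days later
CAP_WINDOW_DAYS = 7         # assumed cap interval (per week)
CAP_COUNT = 3               # assumed maximum number of transactions per interval
CAP_AMOUNT_CENTS = 500_000  # assumed maximum total per interval ($5,000.00)
RESERVE_BPS = 1_000         # assumed reserve rate: 10%, in basis points

@dataclass
class MerchantLedger:
    funded: list = field(default_factory=list)   # (date, cents) of accepted debits
    blacklist: set = field(default_factory=set)  # (routing, account) with a prior return

    def check(self, day, routing, account, cents):
        """Decide whether to process one ACH debit submitted by the merchant."""
        if (routing, account) in self.blacklist:
            return "decline: account previously returned"
        start = day - timedelta(days=CAP_WINDOW_DAYS)
        recent = [c for d, c in self.funded if start < d <= day]
        if len(recent) + 1 > CAP_COUNT:
            return "decline: transaction count cap"
        if sum(recent) + cents > CAP_AMOUNT_CENTS:
            return "decline: amount cap"
        self.funded.append((day, cents))
        return "accept"

    def record_return(self, routing, account):  # an ACH return arrived for this account
        self.blacklist.add((routing, account))

    def exposure(self, day):
        """Return (cents still inside the return window, reserve to hold against them)."""
        start = day - timedelta(days=RETURN_WINDOW_DAYS)
        at_risk = sum(c for d, c in self.funded if start < d <= day)
        return at_risk, at_risk * RESERVE_BPS // 10_000

def demo():
    """Constructed submissions from one merchant; routing/account values are placeholders."""
    led, d0, rt = MerchantLedger(), date(2024, 1, 1), "000000000"
    day = lambda n: d0 + timedelta(days=n)
    out = [led.check(day(0), rt, "A", 200_000),
           led.check(day(1), rt, "B", 250_000),
           led.check(day(2), rt, "C", 100_000),   # would exceed the weekly amount
           led.check(day(2), rt, "C", 50_000),
           led.check(day(3), rt, "D", 100)]       # fourth transaction this week
    led.record_return(rt, "A")                    # bank answers: account A is invalid
    out.append(led.check(day(10), rt, "A", 100))
    return out, led.exposure(day(10)), led.exposure(day(65))
```

Calling `demo()` returns the six decisions together with the exposure on day 10, when all funded debits are still returnable, and on day 65, when the return window has closed for them.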
A thorough understanding of the ACH transaction processing cycle and competent implementation of the respective fraud protection tools allow merchants, resellers and PSPs to prevent monetary losses resulting from fraudulent ACH returns.