Years behind the UK banking initiative Faster Payments Service (FPS), US banks have finally approved a proposal to allow consumers and businesses to send same-day electronic payments (Same-Day ACH) among the nation’s 12,000 financial institutions. This same-day payments rule, approved by NACHA, The Electronic Payments Association®, is a game-changer for consumers, businesses and government entities: it calls for the creation of two new same-day settlement windows, meaning that funds will move among financial institutions three times per day rather than once, opening up tremendous opportunities for anyone who needs to move money faster. While NACHA is confident that quicker processing will benefit everyone involved, banks and other financial institutions will now need to review thousands of transactions in a shorter timeframe, leading to a significant increase in staff and operational costs, not to mention the increased potential for fraudulent activity due to the sheer volume and speed of review.
The need for speed
Same-Day ACH and real-time payments are examples of how the industry is finally beginning to listen to its customers, working to provide a number of payment options that will enable customers to choose the speed and features they prefer to make their payments.
Today, most ACH payments are settled on the next business day, and are most commonly used for online bill payments, mortgage repayments and the direct deposits of payroll. Since ACH operates on banking days only, payments settle at 7:00 pm the night before each banking day. That means payments submitted on Thursday after 7:00 pm are sent for settlement only on Sunday at 7:00 pm, unless Monday is a banking holiday. Many businesses have complained that the schedule of submission for settlement is rigid and inefficient.
A study by the Federal Reserve found that when presented with payment speeds of “instant”, one hour, 12 hours, 12-24 hours or 2-3 business days, 69 percent of consumer payers and 75 percent of business payees preferred “instant” or one-hour payment speeds. Understanding the market’s demand for faster payment has led NACHA to finally develop a new rule allowing for speedy payment in what the organization hopes will be an efficient and safe way.
Rolling out Same-Day ACH payments
To ease the implementation process, NACHA’s new rule, which will go into effect September 23, 2016, will give US banks three years to employ faster payment capabilities, allowing financial institutions time to efficiently scale up to meet the requirements.
Phase 1: ACH credit transactions will be eligible for same-day processing, supporting use cases such as hourly payroll, person-to-person (P2P) payments and same-day bill pay. Two processing windows will spread the volume throughout the day and lessen the strain on resources at the end of the day.
Phase 2: Same-Day ACH debits will be added, allowing for a wide variety of consumer bill-payment use cases such as utility, mortgage, loan and credit card payments. The structure of the same-day debit payments will be the same as the credit payments in Phase 1: two processing windows at 10:30 am and 3:00 pm Eastern Time, and settlement taking place at 1:00 pm and 5:00 pm.
Phase 3: Faster ACH credit funds availability requirements will be introduced for Receiving Depository Financial Institutions (RDFIs); funds from Same-Day ACH credit transactions will need to be available to customers by 5:00 pm RDFI local time.
The road to fraud
While banks and businesses both want a faster way to move money, data and a variety of other financial-service products across physical and digital borders, the high volumes of payments and the speed at which the funds are transferred could potentially allow fraudsters to take advantage of the new system. This happened in 2008 when the UK moved to faster payments, attracting the attention of fraudsters who seized the opportunity to steal and get away with money before being detected. Online banking fraud losses in the UK went from £22.6 million in 2007 to £52.2 million in 2008 and £59.7 million in 2009, before they started to drop again; but even by 2012 there were still £39.6 million in online banking losses.
With shortened review times and thousands of additional transactions per day, cybercriminals could potentially compromise user accounts by taking advantage of the new submission deadlines, submitting a large volume of payments right before the deadline, leaving analysts too overwhelmed to adequately monitor the transactions. Other fraudsters may target third-party senders instead, hiding fraudulent payments within larger ACH batches. Because of the speed with which fraudsters will be able to access the funds and move them out of reach, it is critical for banks to have a plan already in place when NACHA’s new rule is implemented.
The graph below illustrates the process that will occur when the new ACH regulations come into effect. There will be two clearing windows daily, the first with a submission deadline of 10:30 am and settlement at 1:00 pm (i.e., Deadline 1) and the second with a submission deadline of 3:00 pm and settlement at 5:00 pm (i.e., Deadline 2). Banks will now be left with only 2 to 2.5 hours, as opposed to a day or more, to process payments and ensure that none are fraudulent.
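As an added illustration (not part of the original article or of any NACHA specification), the Python example below computes the review time left before settlement for the two windows described above and flags accounts that submit an unusual number of payments just before a deadline. The 30-minute lead time, the 3x factor, the per-account baselines and the sample payments are assumptions constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, time, timedelta

# Submission deadline -> settlement time (Eastern), as given in the article.
WINDOWS = [(time(10, 30), time(13, 0)), (time(15, 0), time(17, 0))]

def window_for(submitted):
    """Return (deadline, settlement) datetimes for the same-day window a
    submission falls into, or None if it misses both deadlines."""
    for deadline, settle in WINDOWS:
        if submitted.time() <= deadline:
            day = submitted.date()
            return datetime.combine(day, deadline), datetime.combine(day, settle)
    return None

def review_minutes(submitted):
    """Minutes left between submission and settlement, or None."""
    win = window_for(submitted)
    return None if win is None else int((win[1] - submitted).total_seconds() // 60)

def flag_deadline_bursts(payments, baseline, lead=timedelta(minutes=30), factor=3.0):
    """Flag (account, deadline) pairs whose payment count in the last `lead`
    before a deadline exceeds `factor` x the account's usual per-window count.
    `lead`, `factor` and `baseline` are assumed tuning inputs."""
    counts, totals = defaultdict(int), defaultdict(float)
    for account, submitted, amount in payments:
        win = window_for(submitted)
        if win and win[0] - submitted <= lead:
            counts[(account, win[0])] += 1
            totals[(account, win[0])] += amount
    return sorted(
        (acct, dl.strftime("%H:%M"), n, totals[(acct, dl)])
        for (acct, dl), n in counts.items()
        if n > factor * baseline.get(acct, 1.0)
    )

# Constructed sample data: account id, submission time, amount in USD.
D = datetime(2016, 9, 23)
PAYMENTS = (
    [("acct-A", D.replace(hour=9, minute=5), 120.0),
     ("acct-A", D.replace(hour=14, minute=10), 80.0)]
    + [("acct-B", D.replace(hour=10, minute=20 + i), 950.0) for i in range(8)]
)
BASELINE = {"acct-A": 2.0, "acct-B": 1.5}  # constructed usual counts per window

if __name__ == "__main__":
    print(review_minutes(D.replace(hour=10, minute=30)))  # 150
    print(flag_deadline_bursts(PAYMENTS, BASELINE))
```

A payment submitted exactly at a deadline leaves 150 minutes of review time in the first window and 120 in the second, which is the 2 to 2.5 hours cited above.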
Mitigating the risk of being scammed
To ease the risk of fraud as same-day payments soon become the norm, banks and financial institutions must anticipate potential weak spots and remedy them before the new rule comes into effect.
To deal with the increase in transactions and reviews, some banks may choose to hire more fraud analysts. The problem with this is that employees are expensive, and even with more analysts, some fraudulent payments are bound to get through. As institutions are working to reduce operating costs, adding more employees will only increase these costs and likely do very little to stop fraud.
The expected rise in fraud attempts coupled with a shorter time to review risky transactions requires a more efficient and faster way to review and approve payments.
It will be paramount for banks to assess and choose the right fraud-prevention security platforms, and establish that they can handle additional real-time fraud traffic. Once the regulation takes effect, fraud-attempt numbers will grow, along with the introduction of new types of attack vectors. Current security controls such as transaction-based anomaly detection, device identification and MitB (Man-in-the-Browser) infection detection will become less effective at mitigating risks. Incumbent solutions will need to be complemented with a new-generation fraud-prevention solution that can detect new types of malware and remote-access attacks, and that cannot be easily circumvented.
Banks may also decide to invest in the use of continuous behavioral authentication instead of relying on manual reviews. Behavioral biometric authentication allows banks to validate that a genuine user submitted a transaction without the need to manually review it and phone the user to confirm. Using traditional authentication measures (e.g., tokens and SMS one-time passwords) does little to prevent new-generation fraud and impedes the user’s experience. Only frictionless authentication solutions that detect account takeover at any point during the transaction can effectively validate a user’s identity while keeping operational costs low.
Banks must make sure to evaluate the technology solutions currently available for automatically reviewing payments and create a comprehensive plan that will be ready to be implemented when the new rule goes into effect. The most important thing to do is to act now—fraudsters have already started planning their attacks; you can take that to the bank!