Nacha Update: Integrated Risk Management for Banks

The National Automated Clearing House, aka Nacha, is the governing body for ACH transactions across the country. It provides a framework and establishes rules for safe, reliable, and quick ACH transfers. The organization regularly updates the frameworks and regulations to upgrade the security of the ACH network. Over the years, it has established a well-defined ACH risk management framework to identify best practices and customers’ emerging needs. We have described the latest updates to the risk management framework to help you process transactions securely.

Introducing the New ACH Risk Management Framework (RMF)

The primary role of Nacha’s risk management strategies include:

• Bringing the ACH community together and revisiting the most critical and emerging needs
• Offering a guide of rules that will come up in the near future, and other vital initiatives
• Demonstrating ways for effective self-governance

Why Do We Need a New Risk Management Framework?

Payments over the ACH network are incredibly safe. The clear need for authorization forms makes ACH one of the safest EFT (Electronic Funds Transfer) payment methods. Recently, Nacha introduced the updated risk management framework to curb risk and fraud scenarios further. With this new framework, Nacha will be able to reduce the amount of fraud in the following cases:

• Account takeovers
• Payroll impersonations
• Business email compromise (BEC)
• Vendor impersonations
• Fraudulent use of micro-entries
• Fraudulent claims for benefits - unemployment, PPP loans, tax refunds

The need for a new framework arose because fraud related to credits and credit returns are not covered in the existing rules and risk framework for forward and return transactions. Moreover, in several cases, there are no returns to monitor. Also, the receiving financial institutions are not covered by the current rules and risk frameworks for monitoring transactions.

The Principles of the New Framework

The new framework highlights enhanced communication and collaboration to identify fraudulent behavior/accounts before mishaps. These principles leverage the framework of the latest open banking models to help financial institutions openly share critical data. This approach to risk management will ensure:

• Open communication between financial institutions to convey general information on fraudulent scenarios
• Real-time alerts in case of fraud detection
• Recovery of funds
• Implementation of tools like the ACH contact registry to facilitate enhanced communication between banks and credit unions
• Sharing critical fraudulent information with corporate end-users

The core idea behind this new information security policy is to minimize the turnaround time for action after fraud detection. A financial institution can help other institutions quickly identify risks and notify them with open communication. 

Nacha controls all ACH transactions. However, risk management techniques extend beyond just ACH. Modern-day digital payment technologies/methods such as mobile wallets and peer-to-peer (P2P) payments are hard to control. So, the need for self-governance, education, and solid frameworks is now more critical than ever. The four main components of modern-day payment security now include:

• New Risk Management Framework
• Nacha’s Operating Rules
• Corporate Enterprise Risk Management (ERM) Technologies
• Federal Information Systems

Major Elements of the New Framework

Fraud on the ACH network is fundamentally different from debit fraud; therefore, the network requires unique ways of controlling these frauds. The credit-push payments are other than debit fraud in the following ways:

• They are not unique/specific to individual payment methods
• Authorization fraud (due to human error) is replicable
• New/Mule accounts at an RDFI

Existing Project Progress

Nacha has collaborated with Curinos (formerly Novantas), a research and consulting firm, to test and finalize the new framework principles. Over the next few months, the firm will:

• Identify potential metrics for payment transfers
• Refine key questions to identify further potential risks
• Speak with several financial institutions to gather insights via in-depth interviews
• Speak with non-financial institutions such as ACH operators and Insurance companies to get additional insights
• Report findings back to Nacha

The financial institutions that will adopt the new framework and openly collaborate with other financial institutions and federal agencies for information sharing will have a tremendous competitive advantage for fraud prevention. They will also adopt more mobile wallet and other advanced payment technologies faster without compromising on the security aspects. 

Updates from Risk Management Advisory Group (RMAG)

October 2021 marked the beginning of this new project when RMAG started collaborating with Nacha and financial institutions to implement the new framework. Since then, they have managed to discuss the following cases:

• Details of modern-day fraud scenarios 
• Best practices on identification, recovery, and information sharing with ACH participants
• Inclusion of service providers to mitigate risks
• Risk associated with new models of mobile payments
• Anamoly detection
• Balance between risk management and customer experience (how to detect and prevent fraud while adopting faster payment systems)

As of 2022, RMAG is focused on improving communication across various financial institutions. It is also focusing on the following tasks before moving on to the next stage:

• Identifying legal issues with regards to information sharing
• Collecting and tracking various types of fraud data
• Mapping fraud cases with the Federal Reserve’s Fraud Classified Model

The future initiatives of this project include:

• Monitoring and reporting best practices for all ACH network participants
• Standardizing data for ACH format across various channels and use cases

Check out the latest article by Nacha that urges financial institutions and ACH participants to improve information sharing.

How Can You Get Started with the New Framework?

Financial institutions, service providers, and all other participants in the ACH network are responsible for adopting the new enterprise risk management framework. Here’s how you can get started:

• Identify Your Role: All participants in the ACH network have different roles in increasing the network’s security. You should identify your roles and responsibilities to implement the new framework. Speak to experts from Nacha on how you can contribute. 
• Partner with Relevant Complementary Agency: Financial institutions should partner with third-party service providers and vice-versa to enhance open communication.
• Actively Educate Your Customers: Service providers should educate their customer financial institutions on the best practices.
• Implement Stricter Security Measures: Adopt the latest cybersecurity measures such as tokenization and encryption to minimize fraudulent behavior. 
• Practice Self-Governance: Educate internal employees on the best security practices. Work with service providers and cybersecurity experts to conduct a periodic security check of your systems.

How Can iCG Help?

iCheckGateway.com (iCG) is a Nacha-preferred partner for ACH solutions and automation. We stay updated with the latest Nacha norms to offer safe ACH and credit card payment processing technologies. We also actively educate our customers on the latest Nacha rules to help them carry out transactions within compliance measures. Moreover, we offer the following advanced security measures to enhance the safety of your payment processes: 

• PCI-compliance
• Check verification
• Account validation

Adopt safe, fast, and reliable payment technologies with us today. Discover our complete catalog of innovative payment solutions. 

Ready to take the next step? We work with ISOs, ISVs, and merchants directly to help them mitigate risks and adopt the latest payment services. Speak with our payment experts today to know more.