Hi all, Julie here. Head of Content and Community at Orum.
Our CEO Stephany Kirkpatrick recently spoke at a Finnovation and Sila event along with the founders of Alloy, Sardine and Moov. The topic was ACH Fraud, timely since ACH was created 50 years ago. Anyways, there were tons of great insights from these payments experts, so I wanted to highlight a few of my favorites.
There are several points of failure
The shutdowns in early 2020 created a huge rush among companies capable of going virtual to do so. As with anything done in a rush, there are bound to be security gaps that will be exploited. This is still relevant two years later because fraudsters are still working through their Rolodex of businesses that converted to virtual, which makes the process of finding these vulnerabilities somewhat slow. Not to mention, the boldness of the fraudsters is high.
ACH is a rules-based framework since it is batch-based. According to Stephany and other panelists, whenever there is a rulebook on how to operate a system, there is a rulebook on how to break it. Unfortunately, fraudsters have gotten their hands on this rulebook and the set of published rules hasn’t changed.
There are also a number of differences between card transactions and ACH. Unlike card networks, there is no one intermediating and resolving disputes with ACH. This makes ACH cheaper, but potentially with higher levels of fraud. Another reason for this is that banks are more incentivized to tackle credit card fraud, as it is their money on the line, vs. ACH fraud, where it’s the account holder’s liability.
High volume and a need for speed
In high-volume environments, there is always a bigger concern for the potential of fraud. The best effort to differentiate the good from the bad is to establish, the best you can, trusted access to whichever feature/product you are offering. Trusted access can be obtained by learning and tracking device-level information about a user. The way we use our phones and our computers is very specific to a person. Technology today can track thousands of indicators from a device that all add up to a fingerprint of sorts on a person.
On top of this, people want everything instantly in the 21st century. It used to be common to wait days or weeks for packages to arrive, no more. People want the same for money movement. This means there is less time to look over transactions and more room for error. Companies should rely on as many data points as they can to make the best decision possible for an onboarding event, transaction request, or both. In addition to using all of the information we have available to us to make a decision, it is also crucial to have a strong team of analysts and data scientists to ensure the decisions we are making are the correct ones. Keeping a close eye on rule performance and being able to adjust rules/settings as soon as we see an issue will make sure our good customers are impacted as infrequently as possible.
Multi-layer controls are a must and you’re going to have to make changes as you scale
It’s of the utmost importance that your architecture has breadth, depth and is flexible. Your best choices at one time might be different than at another time in the future. Every company needs to be prepared to change its thought process at scale milestones. They can keep their traditional rules methodologies in place while also calling in the more advanced features to solidify their rules. This might be due to a changing landscape, new technologies, or an evolving customer base. You might start with one target customer but the product evolves and attracts another set of customers that you need to make changes for.
KYC checks, velocity limits, and historical behavior can go a long way in preventing fraud
Know-Your-Customer is a process of ascertaining the identity of a user and establishing the genuineness of the evidence presented to establish the identity. Depending on the extensiveness of the means employed to verify the identity, the KYC process may confirm that the identity exists but may not be able to guarantee that the identity has not been fabricated or has not been compromised. This means companies need to use a plethora of tools and information that’s available. Fundamental behavioral checks such as velocity limits, deviation from historical activity, sudden spikes — basic indicators that traditional financial institutions have long relied on — can go far in detecting and mitigating fraudulent activity. Just like the banks have been doing for ages, good old velocity, limits, standard deviation can make a huge difference on fraud rates.
Examples of velocity controls would be limiting net new end users to one transaction attempt per two hours, setting lower limits, and preventing a net new end user from making a second transaction until the first one is successful.
Other valuable tools include requiring multi-factor authentication, especially if rules/models isolate transactions for potential fraud, or requiring users to verify credentials on a periodic but irregular basis. Not to mention, companies should be continually analyzing returns to segment user characteristics and refine rules/models.
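The velocity controls and the deviation-from-history check described above can be sketched as a single decision function. This is an added example, not Orum's or any panelist's code: only the two-hour spacing comes from the text, while the `User` record, the status names, the 30-day "net new" window, the dollar cap and the z-score threshold are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from statistics import mean, stdev

# Only the two-hour spacing comes from the article; the rest are assumed values.
NEW_USER_SPACING = timedelta(hours=2)
NEW_USER_AGE = timedelta(days=30)   # assumption: how long a user counts as "net new"
NEW_USER_LIMIT = 250.00             # assumption: lower per-transfer cap for new users
Z_THRESHOLD = 3.0                   # assumption: std devs above the user's own mean
MIN_HISTORY = 5                     # assumption: settled transfers needed for a baseline

@dataclass
class User:  # hypothetical record, not a real API
    created: datetime
    attempts: list = field(default_factory=list)  # (time, amount, status), oldest first

def check_transfer(user, amount, now):
    """Return (decision, reason); decision is 'allow', 'step_up' or 'deny'."""
    if now - user.created < NEW_USER_AGE:
        if amount > NEW_USER_LIMIT:
            return "deny", "new_user_amount_limit"
        if user.attempts:
            last_time, _, last_status = user.attempts[-1]
            # No second transfer until the previous one has succeeded.
            if last_status != "settled":
                return "deny", "prior_transfer_not_settled"
            if now - last_time < NEW_USER_SPACING:
                return "deny", "new_user_velocity"
        return "allow", "ok"
    # Established user: compare the amount with their own settled history.
    settled = [amt for _, amt, status in user.attempts if status == "settled"]
    if len(settled) >= MIN_HISTORY:
        mu, sigma = mean(settled), stdev(settled)
        # sigma == 0 (identical amounts) gives no usable baseline, so skip it.
        if sigma > 0 and (amount - mu) / sigma > Z_THRESHOLD:
            return "step_up", "amount_deviates_from_history"  # e.g. require MFA
    return "allow", "ok"

if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, 9, 0)  # constructed sample data
    new = User(created=t0, attempts=[(t0, 100.0, "pending")])
    print(check_transfer(new, 50.0, t0 + timedelta(hours=3)))
    amounts = [100.0, 120.0, 90.0, 110.0, 105.0]
    old = User(created=t0 - timedelta(days=400),
               attempts=[(t0 - timedelta(days=i + 1), a, "settled") for i, a in enumerate(amounts)])
    print(check_transfer(old, 5000.0, t0))
```

Returning a reason code with each decision is what makes it possible to track rule performance and adjust a single threshold when good customers start getting blocked.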
Putting all of this together, my main takeaway came in one quote from the founder of Moov: “You’re going to get hit by fraud, so start planning for it sooner rather than later.” It’s something we can and should continuously get better at preventing, but it will never go away. On the positive side, at least we have amazing leaders like the ones on this panel leading the charge to help fight fraudsters.
This is something that we at Orum have been lightning focused on from the start. Being able to leverage our intelligence-backed smart routing system not only makes the companies working with us more successful, but leads to happier end consumers as well. If you want to learn more, reach out below!