Somewhere around 1972, a group of banks in California created the first ACH scheme. Since then, this incredibly durable transaction type has established itself as the bedrock of inter-bank money transfer in the United States. Its ubiquitous reach and user familiarity, combined with an ultra-low external cost of acceptance, resulted in ACH attracting many well-known fintech solutions, including PayPal and Zelle among others. However, this popularity also attracts fraudsters. Like any other payment scheme, ACH is vulnerable to fraud at multiple points in its transaction lifecycle, and now that the ACH system is enabling multiple settlement windows throughout the day, preventing and detecting fraud has taken on a new imperative.
These factors contributed to my growing interest in the ACH system and, as a researcher, drove me to seek out and talk to thought leaders in the industry. I was most interested in speaking with individuals that have deep experience in leading companies that provide fraud solutions to the ACH market in order to gain an informed perspective on the state of the ACH market now and in the future. Therefore, it was my good fortune to meet Debbie Peace, CEO of ACH Alert, at a recent NACHA conference. Her company, ACH Alert, provides critical fraud prevention and detection services and tools to financial institutions and other partners across the United States. A true thought leader in ACH and payments fraud and dispute management, she has guided the company since its founding in 2008 and kindly allowed me to publish (most of) our discussion. I know you’ll find it as interesting as I did.
Let’s start at the beginning: in your opinion, why are ACH payments so durable?
I believe the key to this durability is the fact that it is standardized and there is a governing group. It's durable because it's solid, consistent, and all the systems support it. If you look at what's happening with real-time payments, different networks are trying to establish themselves, but not all systems and financial institutions support them. In other countries, they have a small number of institutions, but in the U.S., we have thousands of banks and credit unions.
It’s the standardization that's so powerful. It will always have its place in the market, due to its low cost and pricing to the end user. Real-time payments are going to be priced higher and that will have to be passed on to the end user. At the same time, real-time payments risk cannibalizing high margin payments like wire transfer.
In your recent white paper, you speak at length about the problems with the current Positive Pay process and how it could be improved through automation. The impact on an institution’s bottom-line can be significant - why aren't they more aggressive in addressing this issue?
In my opinion, there are two main reasons for this kind of inertia. First, there hasn't been a systemically viable alternative option for improving Positive Pay. Second, it's very hard to get money allocated to spend to simply reduce cost, so institutions tend to focus on revenue-generating strategies or meeting compliance objectives.
Now, let’s return to faster payments and consider it through the lens of Positive Pay. I’m not sure that the market has really thought through the entire value chain for faster payments, so for example, the return process is not automated in real-time. I believe there is a use case for real-time commercial and consumer payments, in particular, consumer payments need more real-time. But, the challenge on the business side is that they're already dealing with very high speed requirements for fraud due to UCC 4A, so if corporates got compromised in real-time, how would this amplify fraud risk? Fraud has increased in the last five years, and now it's higher than it's ever been. Checks are number one and wire is number two. So put real-time on top of this and see what happens.
Recently you also wrote about the FFIEC Guidelines for layered security. Do you believe that U.S. regulators will eventually become as prescriptive as some of the international regulatory bodies when it comes to fraud, privacy and security protocols?
If you mandate something and set the standard and the standard fails, the governing body is responsible. For example, the FFIEC are recommendations only and I don't see the government providing the answer. I don’t believe they’d want to be responsible and then fail in some way. Better to put it in the hands of the institution and let them figure it out based on logical guidelines.
What have you found to be the highest barrier most financial institutions face when trying to reconfigure their ACH fraud roadmap?
If I were a business originating entries, I would have a process in place that would validate every entry, where it's going, and if it's approved to go to that destination. If not, there would have to be an automated process to let the originator approve the transaction. For business customers, with no Reg E protection, I would ensure that customers know a transaction is coming in and can be returned in an allowable timeframe. It is at this point in the transaction where an institution can take the largest hit.
If an institution is going to accept an originating entry, the due diligence needs to be solid since there is a 60-day return window. This means institutions need to be able to underwrite origination customers. In my experience, this underwriting is often based on a long-standing relationship and banks tend to approach it like a loan. So, look at the problems we're having with ACH, which are not new problems. This is why standardization is so important and if bank management doesn't understand this, they're not going to invest in capital to solve them.
Let’s finish our conversation talking about newer means of authentication like biometrics, which is often not well understood from an implementation perspective. Case in point - Voiceprint - can you explain how your company approached incorporating Voiceprint into its product roadmap and what the implementation of this technology is really like?
I thought it was important not to try and build this technology from the ground up and so decided to look for a best-in-breed solution already in the market. We wanted to build a system that examined transactions post log-in, and then analyzed the transactions. For example, in one use case, we wanted to eliminate the need for an agent to call back a wire transfer originator to verify the transaction. In our solution, we use our existing IVR to allow the user to verify or reject the transfer, meaning voiceprint sits behind the IVR. ACH Alert defines the rules, IVR is the communication link, and then the voice biometric system is where the voiceprint is stored and verified. This kind of solution strategy allowed us to incorporate voiceprint quickly and efficiently into our fraud workflows and build it using a system already familiar to our end users.
This was a conversation that covered quite a bit of ground, but listening to a true voice of experience led me to some important conclusions. First, as exciting as Faster Payments is (after all, this is the first really new scheme in the U.S. market in quite some time), the devil is in the details. Faster payments will eventually lead to faster fraud and that problem has to be solved for when you're talking about high dollar corporate payments. Second, standardization and ubiquity are very high hurdles to jump over, which is exactly why schemes like ACH are so durable. Finally, without government mandates, the market is left to sort it out on its own and at the end of the day, profits will drive the agenda.