The Field Report with Tom Field

ACH Fraud by Any Other Name

ACH Fraud by Any Other Name

Question: What's been the hottest story of the year?

Answer: The struggle between banks and businesses over losses resulting from ACH fraud.

When the conversation turns to solutions, we just hear vague replies about education, awareness and shared responsibility. Lot of talk, not so much action. 

I mean, no brainer, right? It's all we've been talking about since we first heard of the legal conflict between PlainsCapital Bank and its customer, Hillary Machinery, which lost $800,000 to the fraudsters in 2009.

The FDIC even convened a symposium on the topic a couple of weeks back, and all anyone was talking about was ACH fraud, right?

Well, wrong. Kinda.

It seems like some industry groups no longer want us to use the term ACH fraud to refer to this string of crimes - they think it's a misnomer. Instead, they'd like us to use the slightly more cumbersome name "corporate account takeover." (I'd use the acronym, but I'm thinking CAT might have a hard time being taken seriously.)

The argument, as articulated by NACHA, the payments association, is that the term ACH fraud misleads people. The reasons:

  • It's not about the network - rather, the crime is corporate identity theft. Calling it ACH fraud means that businesses focus on the payment, not the crime.
  • Often it's wire fraud - focusing solely on ACH leaves a major vulnerability out of the picture.
  • What about the business? - more of a perceptual concern, that if we focus solely on ACH, then we're ignoring security measures that business can implement long before the transaction is initiated.

As NACHA representatives wrote to me: "It's our hope that by using consistent language, we raise awareness of the starting point of the fraudulent activity - the online banking credentials - and help mitigate fraud by educating the community on best practices and safeguarding at the entry point."

OK, I see the point. First of all, financial services organizations want to hammer home the notion that the businesses, as well as the banks, have more than a little skin in this game - there are measures they can take to help ensure the security of their transactions. And, second, ACH fraud, while accurate, is limiting.

Mind you, "ACH fraud" is a heck of a lot easier to squeeze into a headline than is "corporate account takeover," but that's my challenge - not the industry's.

From this point forward - in fact, starting a couple of weeks ago - we'll do our part to promote the term "corporate account takeover," and we'll minimize our usage of "ACH fraud" as an umbrella description of all fraud losses suffered by businesses and municipalities.

Of course, a bigger question remains, and the FDIC's symposium did little to answer it. Namely, what are banking institutions, businesses, regulatory bodies and service providers actually going to do to stem the flow of these fraudulent transactions? We've got a lot of groups now acknowledging and talking publicly about the problem. But when the conversation turns to solutions, we just hear vague replies about education, awareness and shared responsibility. Lot of talk, not so much action.

The PlainsCapital/Hillary settlement notwithstanding, this fraud trend isn't abating, nor are we coming any closer to resolving the core conflict over who's responsible when businesses are fleeced by fraudulent banking transactions.

So, call it ACH fraud, call it corporate account takeover, call it anything. It's still the banking crime du jour, and all that commercial customers care about is "When are we going to solve it?"

Any new ideas?



About the Author

Tom Field

Tom Field

Senior Vice President, Editorial, ISMG

Field is responsible for all of ISMG's 28 global media properties and its team of journalists. He also helped to develop and lead ISMG's award-winning summit series that has brought together security practitioners and industry influencers from around the world, as well as ISMG's series of exclusive executive roundtables.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.eu, you agree to our use of cookies.