How New Nacha Rules Reshape the Fight Against APP Fraud
by Thiago Silva
In a digital-first world, convenience often comes at a cost. Automated Clearing House (ACH) payments offer a fast and easy way to move funds, but they have also become a target for fraudsters, whose work is made easier by the generative AI tools that have become widely available in recent months. In this environment, Authorized Push Payment (APP) fraud, a form of ACH fraud in which the victim is manipulated into sending the payment themselves, has been on the rise, causing significant financial losses for both individuals and institutions.
But change is afoot. In a move designed to bolster security, the National Automated Clearing House Association (Nacha) has implemented new rules mandating broader fraud monitoring for ACH transactions. Let’s delve into the world of APP fraud, explore how these new regulations will impact financial institutions (FIs), and understand how Transmit Security’s solutions can help you prevent these scams.
How APP fraud works
Cognitive-behavioral psychology describes several situations in which one cannot reflect before acting due to an automatic thought. These thoughts are ingrained mental shortcuts that trigger immediate emotional and behavioral responses, often bypassing critical thinking.
Now, picture this: you receive an email— like the one shown below— claiming that your bank noticed unusual activity in your account, and to ensure the integrity of your funds, you need to move your money to a new, safer account the bank has automatically created for your convenience.
Most experienced online banking users will say they would be suspicious, but because of automatic thoughts, many customers do fall for this type of scam when it arrives in a stressful, no-time-to-think moment.
That’s how APP fraud, also known as push payment fraud, thrives. Scammers employ various tactics to trick victims into initiating ACH push payments from their accounts. These tactics can range from impersonating legitimate businesses (e.g., utility companies and government agencies) to creating fake invoices or exploiting social engineering techniques.
The rise of APP fraud can be attributed to several factors. The inherent speed and ease of ACH transactions make them attractive to fraudsters. Unlike card transactions, where chargebacks offer some protection, reversing an ACH credit after it has posted is a complex and often lengthy process that depends on the receiving institution's cooperation.
Furthermore, the increasing reliance on digital payments creates more opportunities for exploitation. With many consumers managing their finances through mobile apps, a single click can unknowingly initiate a fraudulent transfer.
How FIs are fighting back (but falling short)
Luckily, financial institutions are not oblivious to the threat. Many have implemented transaction monitoring, and business customers are offered ACH positive pay, which lets them review the ACH debits presented against their accounts and return any they did not authorize.
However, these strategies have limitations. Traditional monitoring systems often rely on static rules and thresholds, which sophisticated fraudsters learn and bypass. Positive pay controls debits pulled from an account; it does nothing for a credit the customer has been tricked into pushing, and it isn't a viable solution for consumer accounts in any case.
Nacha steps in: New rules mandate proactive monitoring
Nacha is the organization that writes and enforces the operating rules for the ACH Network, the system behind most electronic account-to-account money movement in the United States. Its new rules, approved by its membership in 2024, require every participant in the ACH Network other than consumers to implement fraud detection and monitoring programs. This applies to Originating Depository Financial Institutions (ODFIs), Receiving Depository Financial Institutions (RDFIs) and Third-Party Senders (TPSs), as well as non-consumer Originators.
The rules aren’t a simple “check the box” exercise. Nacha emphasizes a risk-based approach, requiring FIs to tailor their monitoring programs to the specific risks they face. This could involve analyzing transaction patterns, identifying suspicious activities, and implementing real-time alerts.
Among other fraud detection and prevention changes, the rules let an RDFI return a credit entry it believes is fraudulent without waiting for a request or a customer claim, and let an ODFI request the return of a credit entry "for any reason."
The regulations are being rolled out in phases, starting in October 2024 and extending into 2026. The staggered schedule gives FIs time to adjust their processes and put the necessary technology in place, because these practices are moving from recommended best practice to compliance requirement.
The impact of these measures will be significant. FIs will need to invest in fraud detection solutions, train staff on new protocols, and potentially adjust their customer communication strategies. By proactively monitoring for fraudulent activity at all times, FIs can minimize losses, protect their customers and maintain trust in the ACH network.
Disrupting deception: How Transmit Security fights APP fraud
As we have shown, fighting APP fraud requires a multi-pronged approach. Nacha's new regulations establish a foundation of increased vigilance, and Transmit Security's Detection and Response is built to deliver it.
Since fraudsters and scammers rely on creating a sense of urgency and bypassing critical thinking, our solution disrupts this deception by introducing a checkpoint at the point of transfer.
Imagine you’re tricked into initiating a fraudulent ACH payment through your banking app. Typically, such a transfer would be seamless and instantaneous. Here’s where Transmit Security steps in. Our technology detects red flags associated with the transaction, such as:
Unknown recipient or an atypical bank
Known bad actor on fraud blocklist
An unusually large amount of money, above risk tolerance threshold
Inconsistency with spending patterns
Detecting any of these red flags triggers a second step: a quick interaction with both parties to establish whether the recipient is really who they claim to be and why the money is being sent. This adds information for assessing the level of risk and lets the transaction be halted if APP fraud is detected.
This seemingly small hurdle also throws a wrench into the fraudster’s plan. The pause allows the user a moment to reflect, question the legitimacy of the transfer, and potentially identify the deception before any funds are lost. Remember, in the fast-paced world of APP fraud, time is the scammer’s enemy, and automatic thought is their most important ally. A moment of hesitation introduced by our solution can be the difference between a successful heist and a foiled attempt.
In addition, our solution can add AI-powered, dynamic questions and verifications, which remove another of the scammer's advantages: the predictability of how systems and people behave in a given situation.
But that's not all. Using dynamic authentication methods such as risk-based authentication (RBA), we assess the level of risk in a given transaction and adapt the authentication requirements in real time.
If our systems detect transactional, behavioral or cognitive risk indicators, we can verify the recipient's identity at the highest level of assurance (LOA) by asking for a photo ID and a live selfie, a process that takes about two minutes with our automated Identity Verification service.
And if the recipient (a potential scammer) has a prepaid phone number, a recently created email address or a new or unusual bank account, that alone is enough for us to treat the transaction as suspicious and challenge the transfer.
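As an added illustration (this is example code written for this article, not Transmit Security's product code), here is a small rule-based screen for an outbound ACH credit that combines the red flags listed above with the recipient signals just described and returns one of three outcomes: let the transfer through, pause it for the step-up interaction, or hold it. The sender profile, payee identifiers, spending history, blocklist entry, flag weights and thresholds are all constructed assumptions chosen to make the scenarios readable; a real deployment would tune them per institution and per customer.

```python
"""Rule-based APP-fraud screen for an outbound ACH credit (example code).

All identifiers, history and thresholds below are constructed for the
example; they are assumptions, not data from any real system.
"""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Transfer:
    sender_id: str
    recipient_account: str            # payee identifier, "routing:account" (assumed format)
    recipient_routing: str            # ABA routing number of the payee's bank
    amount: float
    recipient_phone_prepaid: bool = False
    recipient_email_age_days: int = 3650
    recipient_account_age_days: int = 3650


@dataclass
class SenderProfile:
    known_payees: set                 # payees this customer has paid before
    known_routings: set               # banks those payees use
    past_amounts: list                # recent outbound credit amounts
    risk_tolerance: float             # per-customer ceiling set by the FI (assumed)


# Constructed blocklist of known mule accounts (hypothetical identifier).
MULE_BLOCKLIST = {"123456789:9001122"}


def red_flags(t: Transfer, p: SenderProfile, blocklist=MULE_BLOCKLIST) -> dict:
    """Return {flag_name: weight} for every red flag the transfer trips.

    Weights are illustrative: a blocklisted recipient is decisive on its
    own, an unknown payee alone is enough to warrant a pause.
    """
    flags = {}
    if t.recipient_account not in p.known_payees:
        flags["unknown_recipient"] = 2
    if t.recipient_routing not in p.known_routings:
        flags["atypical_bank"] = 1
    if t.recipient_account in blocklist:
        flags["blocklisted_recipient"] = 5
    if t.amount > p.risk_tolerance:
        flags["above_risk_tolerance"] = 3
    # Inconsistency with spending pattern: z-score against recent history,
    # only once there is enough history to make the statistic meaningful.
    if len(p.past_amounts) >= 5:
        mu, sigma = mean(p.past_amounts), pstdev(p.past_amounts)
        if sigma > 0 and (t.amount - mu) / sigma > 3:
            flags["spending_pattern_outlier"] = 2
    # Recipient-side signals: prepaid phone, fresh email, fresh bank account.
    if t.recipient_phone_prepaid:
        flags["prepaid_phone"] = 1
    if t.recipient_email_age_days < 30:
        flags["new_email"] = 1
    if t.recipient_account_age_days < 30:
        flags["new_bank_account"] = 1
    return flags


def decide(flags: dict) -> str:
    """Map the flags to ALLOW, STEP_UP (pause and interact) or HOLD."""
    score = sum(flags.values())
    if "blocklisted_recipient" in flags or score >= 6:
        return "HOLD"
    if score >= 2:
        return "STEP_UP"
    return "ALLOW"


def screen(t: Transfer, p: SenderProfile, blocklist=MULE_BLOCKLIST):
    """Run the screen and return (decision, flags) for auditability."""
    flags = red_flags(t, p, blocklist)
    return decide(flags), flags


# --- Constructed sample data --------------------------------------------
PROFILE = SenderProfile(
    known_payees={"021000021:5550001", "011000015:7770002"},   # landlord, utility
    known_routings={"021000021", "011000015"},
    past_amounts=[1500, 1500, 120, 1500, 135, 1500, 110],       # rent and utility bills
    risk_tolerance=5000.0,
)
RENT = Transfer("cust-42", "021000021:5550001", "021000021", 1500.0)
NEW_CONTRACTOR = Transfer("cust-42", "021000021:8880003", "021000021", 200.0)
# The "move your money to a safe account" scam from the article: large amount,
# unknown payee at an unfamiliar bank, account and email created days ago.
SCAM = Transfer("cust-42", "123456789:4455667", "123456789", 9800.0,
                recipient_phone_prepaid=True,
                recipient_email_age_days=10,
                recipient_account_age_days=5)
MULE = Transfer("cust-42", "123456789:9001122", "123456789", 300.0)

if __name__ == "__main__":
    for name, t in [("rent", RENT), ("new contractor", NEW_CONTRACTOR),
                    ("safe-account scam", SCAM), ("known mule", MULE)]:
        decision, flags = screen(t, PROFILE)
        print(f"{name:18} -> {decision:7} {sorted(flags)}")
```

The decision is returned together with the flags that produced it, so the step-up conversation described above can reference them (for example, asking why a first-time payee at an unfamiliar bank is receiving an amount far above the customer's usual pattern), and so the hold can be explained to the customer and to a reviewer.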
On top of that, Transmit Security's approach is designed to adapt. As fraudsters refine their tactics and generative AI makes convincing scams cheaper to produce at scale, it is crucial to move beyond reactive methods and be prepared for emerging fraud and threats.
With advanced anomaly detection, Transmit Security Detection and Response identifies anomalies and recurring fraud patterns (modus operandi), so your systems stay a step ahead of evolving attacks.
Finally, our solution also relies on dark web threat intelligence: our Threat Research team continuously monitors the dark web to maintain an updated, ever-growing dataset of email addresses, targeted mule accounts, phone numbers and device IDs associated with APP fraud. Together, these measures give you a defense that keeps evolving with the threat landscape.
A brighter future for secure payments
The rise of APP fraud is undoubtedly posing a challenge. However, Nacha’s new rules represent a significant step towards a more secure future for ACH payments. By mandating proactive fraud monitoring, these regulations will compel FIs to prioritize security and empower them to better protect their customers.
Learn more about Detection and Response or speak to our experts to start implementing Transmit Security APP fraud protection methods for a more secure and trustworthy financial landscape.
Thiago has been fascinated by languages and technology since he was a kid. Growing up in the 90s, he was astonished by each new technology or gadget he discovered— he still keeps his first cell phone on display in his home. After getting a degree in Languages and Literature, he pursued a Master's and a PhD in Linguistics and has been writing for the tech industry ever since. He's worked with edge computing and CDNs for almost three years at Azion Technologies and is excited to dive deep into the CIAM and cybersecurity world.