Industry alert: NACHA warns of risks in C2C ACH Debits

Verafin keeps you ahead of emerging fraud trends to mitigate risks from ACH Fraud

November 28, 2017 by Nasdaq Verafin

NACHA has turned the risk spotlight on Consumer-to-Consumer (C2C — also known as Account-to-Account (A2A) or Peer-to-Peer (P2P)) debit payments again. Over the past six months we have seen a steady flow of warnings within the industry about the dangers of the origination of ACH debits.

To complicate the situation, it is increasingly difficult for FIs to keep pace with ever-evolving threats like C2C fraud. The 2017 ISMG Faces of Fraud Survey, released in October, indicates that 52% of respondents, who are banking and security leaders at institutions ranging in asset size from $500M to $20B, feel “today’s fraud schemes are too sophisticated and evolve too quickly to keep pace.”

It is clear criminals see C2C debit transactions as an opportunity. Through working partnerships with client institutions and the analysis of anonymized ACH transaction data across institutions within the Verafin Cloud, Verafin’s product development teams quickly recognized the fraud threat that C2C debit transactions represent — using that information to develop and deliver analytics that are protecting institutions utilizing its FRAMLx software.

NACHA guidance for managing C2C risk

This week, NACHA published an Operations Bulletin entitled, “Managing the Risks of Consumer-to-Other-Consumer Debits.” The bulletin offers guidance to financial institutions (FIs) that allow C2C debits.

Specifically, NACHA highlights the elevated levels of risk inherent in these transactions, particularly for the ODFI, and goes so far as to strongly discourage the facilitation of these consumer payments unless the ODFI is “certain of its full compliance with all rules that apply to the origination of all ACH debits, regardless of the nature of the Originator.”

Of course, in an increasingly competitive banking landscape, where consumers are demanding that their FI deliver both speed and convenience, the option to abandon consumer-valued product offerings is often impractical. It is important that in addition to the topics that NACHA outlines for FIs allowing C2C debits, institutions utilize effective fraud detection strategies for these transactions.

How criminals are profiting from C2C transfers

Currently, many institutions will establish holds on originated C2C ACH debits as a risk mitigation technique. However, the effectiveness of even an extended hold is extremely limited and adds to customer inconvenience. While it can work if the ACH is returned due to Non-Sufficient Funds (NSF), in the case of an advanced scam or account takeover the RDFI customer has a 90-day window to indicate the ACH was unauthorized, leaving the ODFI liable.

The following basic description illustrates how a criminal takes advantage of this situation and how the ODFI faces a serious threat of fraud loss:

Alice opens an account online at Bank A. She has also illicitly compromised an account, belonging to Harold, at Bank Z.

Alice establishes a C2C debit relationship between her Bank A account and the compromised account at Bank Z.

Without Harold’s knowledge, $10,000 is transferred from Harold’s Bank Z account to Alice’s Bank A account. As a security measure, Bank A has a two-day hold on the availability of funds from ACH debit transfers. After the two-day hold passes, Alice withdraws the $10,000.

A week later, Harold logs into his account and spots the missing money. Bank A returns the funds, suffering a $10,000 fraud loss.
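The scenario above, replayed from Bank A's side as an added example (not Verafin's analytics or NACHA's guidance): it shows that the hold releasing funds and the return window closing are different dates, and flags the withdrawal that opens the gap. The ledger, field names and function names are constructed; the two-day hold, 90-day window and $10,000 come from the article.

```python
from datetime import date, timedelta

HOLD = timedelta(days=2)            # Bank A's availability hold in the scenario
RETURN_WINDOW = timedelta(days=90)  # unauthorized-return window as stated in the article

# Constructed ledger for Alice's new account at Bank A; dates are illustrative.
LEDGER = [
    {"day": date(2017, 11, 1), "type": "c2c_debit_credit", "amount": 10_000},
    {"day": date(2017, 11, 3), "type": "withdrawal", "amount": 10_000},
]

def snapshot(ledger, as_of):
    """Summarise the account on `as_of` from the ODFI's point of view."""
    past = [e for e in ledger if e["day"] <= as_of]
    credits = [e for e in past if e["type"] == "c2c_debit_credit"]
    withdrawn = sum(e["amount"] for e in past if e["type"] == "withdrawal")
    balance = sum(e["amount"] for e in credits) - withdrawn
    # Funds the hold still blocks: credits younger than the hold period.
    held = sum(e["amount"] for e in credits if as_of < e["day"] + HOLD)
    # Funds the RDFI customer can still report as unauthorized.
    returnable = sum(e["amount"] for e in credits
                     if as_of <= e["day"] + RETURN_WINDOW)
    return {
        "available": max(0, balance - held),
        "returnable": returnable,
        # If every returnable debit came back today, whatever the remaining
        # balance cannot cover falls on the ODFI.
        "odfi_loss_if_returned": max(0, returnable - max(0, balance)),
    }

def risky_withdrawals(ledger):
    """Withdrawals the hold permits but that leave returnable funds uncovered."""
    flagged = []
    for e in ledger:
        if e["type"] != "withdrawal":
            continue
        before = snapshot([x for x in ledger if x is not e], e["day"])
        after = snapshot(ledger, e["day"])
        if (e["amount"] <= before["available"]
                and after["odfi_loss_if_returned"] > before["odfi_loss_if_returned"]):
            flagged.append((e["day"], after["odfi_loss_if_returned"]))
    return flagged

if __name__ == "__main__":
    for d in (date(2017, 11, 2), date(2017, 11, 3), date(2018, 1, 30), date(2018, 1, 31)):
        print(d, snapshot(LEDGER, d))
    print("flagged:", risky_withdrawals(LEDGER))
```

With these inputs the hold passes the withdrawal on day two, yet Bank A's exposure stays at the full amount until the return window closes.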

How Verafin’s FRAMLx technology is preventing fraudulent ACH activity

Utilizing early knowledge of advanced fraud trends and the ability to rapidly deliver analytical product enhancements in its cloud environment, Verafin’s FRAMLx software includes ACH fraud detection functionality that alerts institutions to potentially fraudulent ACH debit transfers, allowing them to investigate and stop withdrawals before a loss occurs.

Risk-scored ACH fraud alerts include evidence cards that describe the potentially fraudulent activity occurring. An investigator is immediately aware there is an unusual ACH WEB deposit and is provided with additional information including:

  • the account’s exposure,
  • if the customer is new to the institution, and
  • the relationship (the range of products) the customer has with the institution.

The investigator can also view all details of the unusual transaction(s), including value, date, time, and RDFI name and location. To further aid the investigator in making a quick decision, Verafin alerts include account balance graphs and historical transaction overviews.

Putting the spotlight back on the criminals

Institutions that combine advanced fraud detection analytics and the ACH debit transaction strategies NACHA outlines in their recent bulletin put themselves in a position of strength. These FIs can confidently offer their customers the increasing convenience they desire while also minimizing the risk of fraud loss.

By shutting these fraudsters down, FIs are turning the spotlight away from ACH transactions and back onto the criminals.

Want to learn more about how Verafin can help you detect and prevent fraud loss? Visit our ACH Fraud Solution page.

