Avoiding Automated Clearing House (ACH) Fraud

ALBANY, NY | Automated Clearing House (ACH) payments are electronic payments that move funds between bank accounts using the ACH network. This system is managed by the National Automated Clearing House Association (NACHA) and is used for electronic payments such as direct deposits, payments to contractors, automatic bill payments, and peer-to-peer transfers.  Unfortunately, ACH fraud is on the uptick.  According to the Association for Financial Professionals’ 2024 Payments Fraud and Control Survey Report, 80% of the responding organizations were victims of payment fraud attacks/attempts in 2023.  This reflects a 15-percentage point increase from the preceding year.  Thirty percent of respondents reported that after a successful fraud attempt, their organizations were unable to recover the funds lost due to the fraud.¹2024 AFP Payments Fraud and Control Survey Report (afponline.org).

Electronic transactions from personal “consumer” accounts are subject to Federal Reserve Regulation E, 12 C.F.R., Part 20.  These regulations limit a consumer’s liability for unauthorized transactions if the transactions are reported within 60 days.  Unfortunately, Regulation E does not cover ACH payments made from business or corporate accounts.  Non-consumer accounts instead are addressed by Article 4A of the Uniform Commercial Code (UCC).

While UCC Article 4A makes a bank responsible for any unauthorized electronic payment orders made on a non-consumer account, ²Section 4A-204(1)(a)a bank may shift the risk of loss to its customers in two ways.  First, a payment order initiating an electronic transfer is deemed authorized and effective if the customer, or the customer’s agent, acting with actual or apparent authority, authorized the order. ³Section 4-A-202(1).Second, if the customer and the bank have agreed that authorization for payment orders will be verified by a security procedure (e.g., an access code, PIN, biometrics, encryption, or callback procedure),⁴ Section 4-A-201. a payment order is effective if (1) the security procedure is commercially reasonable; and (2) the bank accepted the payment order in good faith, in compliance with the security procedure, and in compliance with any written agreement or instructions from the customer restricting acceptance of payment orders.⁵Section 4A-202(2) In this later case, the bank may avoid the loss by proving that a fraud resulting in an unauthorized ACH payment was attributable to the customer:

Breach of a commercially reasonable security procedure requires that the person committing the fraud have knowledge of how the procedure works and knowledge of codes, identifying devices, and the like.  That person may also need access to transmitting facilities through an access device or other software in order to breach the security procedure.  This confidential information must be obtained either from a source controlled by the customer or from a source controlled by the receiving bank.  If the customer can prove that the person committing the fraud did not obtain the confidential information from an agent or former agent of the customer or from a source controlled by the customer, the loss is shifted to the bank.⁶Section 4A-203, Advisory Comment 5.

Under Article 4A the burden is on the business owner to notify the bank if there is a disputed transaction.  Businesses can have a window as short as 24 hours in which to report an unauthorized ACH transaction.

Banks regularly take the position that frauds resulting in an unauthorized ACH payments result not from the banks’ failure to comply with security procedures, but from the customers’ failure to properly safeguard banking information or technological assets.

To minimize the risk that your business will fall victim to ACH fraud, The Townes Law Firm, P.C., recommends that the following best practices be considered:

• Consider carrying Cyber Insurance coverage. Cyber Insurance can protect you against cyber-related losses.
• Monitor your account transactions on a daily basis. Regularly review bank statements and identify any discrepancies that could indicate fraudulent activity.  If you find anything unusual, alert your bank immediately.
• Use as few electronic devices as possible. Keep the processing of your financial activities limited to as few machines as possible and limit the use of those electronic devices for other activities such as web surfing.
• Avoid public Wi-Fi networks.  Public Wi-Fi can be unsecure and vulnerable to attack. Fraudsters can use this vulnerability to steal information or install malicious software on your device without you knowing.
• Be wary of using free, web-based email accounts. These are more susceptible to being hacked. Make sure at least two-factor authentication is available.
• Verify by phone. Always call the vendor, customer, or business partner to verify payment information.  Use previously known numbers and not telephone numbers provided in an email or text requests.  Never initiate changes based only on email or text communications.
• Be cautious of new payment information. Beware of email requesting that a routine wire payment be sent to a new account.
• Match your payments to legitimate invoices. Fraudsters can pose as trusted vendors requesting payment. Ensure that payment requests match legitimate invoices before sending payments.
• Verify before clicking on a link or opening an attachment in an email or text. It may appear to be from someone you know, but it may be a fraudster phishing for your password, business bank account, or other sensitive information, and links may expose your systems to malicious software, viruses, and other dangerous content.
• Double-check email addresses. Fraudsters can use email addresses that make their email communications look legitimate.
• Do not respond to email as verification. Do not respond to the requester by email.  A fraudster can control a spoof email account or obtain access to a valid email account so it can intercept your email response.
• Beware of a sense of urgency. Fraudsters often insist that funds be wired or transferred immediately. These requests often ask that the client be contacted only through email instead of through other channels.
• Be careful when posting information to social media and company websites, as fraudsters may use this information.
• Consider financial security procedures that include a two-factor authentication process or dual control for electronic funds transfers.
• Create intrusion detection system rules that flag emails with extensions that are similar to company email but not exactly the same (i.e., “.co” instead of “.com”). If possible, register all Internet domains that are slightly different from the actual company domain.
• Staff training. Train staff to recognize phishing attempts, social engineering tactics, and red flags associated with ACH fraud. Educate them on proper procedures for handling ACH transactions and reporting suspicious activity.
• Segregation of duties. Implement a system in which different employees handle tasks such as initiating payments, approving transactions, and reconciling accounts.  This reduces the risk that a single employee will manipulate the system for a fraudulent purpose.
• Keep your business systems up to date. Install available updates and patches regularly.
• Use a quality antivirus solution.

The Towne Law Firm, P.C. (TLF) has the experienced team you need to help resolve your technology law concerns, whether as a business or an individual. As technology advances in both the private and governmental sectors, new technology effects all business enterprises. All business owners are vulnerable no matter their industry. Cybersecurity is a prevailing issue as businesses grapple with challenges to security as it relates to email, unprotected personal devices, unencrypted data, and even firewalls.