
When a financial institution’s customer is tricked into sending a payment, there has often been little recourse for the victim. As credit push fraud becomes increasingly prevalent—amplified by sophisticated technologies—the financial services industry must strengthen its protections.
This is why Nacha has developed a framework of fraud management rules that will go into effect next year. In a recent PaymentsJournal podcast, Devon Marsh, Managing Director, ACH Network Rules & Risk Management at Nacha, and Elisa Tavilla, Director of Debit Payments at Javelin Strategy & Research, examined the requirements of the new rules and the steps financial institutions can take to comply and better protect their customers.
Attacking an Emerging Fraud Trend
Many bad actors have shifted away from attacks like account takeovers because financial institutions have implemented more robust fraud defenses.
As a result, the path of least resistance now runs through the end user, as evidenced by the rise of automated push payment (APP) fraud. These social engineering attacks have become increasingly convincing, with cybercriminals leveraging artificial intelligence and cybercrime-as-a-service tools.
The sophistication of these attempts makes it difficult even for well-informed users to distinguish scams from legitimate communications.
“Recently, from personal experience, I’ve been getting more communications from the financial institutions that I do business with, alerting me of the various types of new scams to be aware of—many of which seem to involve credit push payments or authorized payments,” Tavilla said.
“These include impersonation of a bank or sending SMSs with links that often express an urgency,” she said. “Last week I got a number of them saying I owed toll payments for states that I never even visited.”
As one of the most predominant payment methods in the U.S., ACH transactions are a common target for criminals. Nacha recognized this threat and began developing its fraud monitoring and risk management rules in 2022.
“We took an approach to develop a risk management framework to attack a developing, emerging fraud trend in credit push payment fraud,” Marsh said. “The risk management framework was well-received; we proposed some rules, the industry approved them, and that’s where we are today. We have some rules that have been implemented and then some that are pending implementation in 2026 to address credit push fraud.”
Risk-Based Processes and Procedures
The rules going into effect next year pertain to transaction monitoring, instituting a requirement for originators, third-party senders, and originating depository financial institutions (ODFIs).
The framework requires fraud monitoring for all transactions, including traditional and Same Day ACH. Under the framework, all ACH Standard Entry Class codes for both debits and credits must be monitored. The rule does not require that this monitoring be completed before a payment is processed; monitoring prior to processing is ideal, but it is not mandatory.
“It’s ideal if it’s done prior, but what the rule calls for are risk-based processes and procedures to detect fraudulently initiated payments,” Marsh said. “There’s a separate rule—it’s very similar—but it requires receiving depository financial institutions to monitor incoming credits that they receive.”
One of the most important aspects of the new regulations is that they require all financial institutions to institute processes and procedures—not technical solutions.
“That’s great if an organization wants to implement technology, but the rule would certainly allow for manual processes and existing processes—as long as they take that risk-based approach, they are documented processes, and they are effective within the organization’s risk tolerance,” Marsh said.
Assessment and Analysis
The first step for many financial services companies is to conduct a risk assessment and establish their risk appetite.
“Probably every organization today has something—even if it’s in the back of their mind or intuitive—that says this just doesn’t seem right,” Marsh said. “What are those things that make it not seem right today? Formalize the recognition of those things that aren’t quite right and make that part of your processes and procedures.”
A red flag could be an ACH Standard Entry Class code that is not appropriate for the receiving account, or an unusually high dollar amount going into an account that typically receives only low-value deposits. For example, if a consumer account whose largest regular deposit is a paycheck suddenly receives a $50,000 corporate transaction, this should be flagged as suspicious activity.
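As an added illustration (not Nacha's or any institution's code), the following Python sketch applies the two red flags just described to constructed sample entries; the account profiles, the grouping of SEC codes used for the mismatch check, and the 3x multiplier as a stand-in for an institution's risk appetite are all assumptions.

```python
# Toy monitoring rules for the two red flags in the text; constructed data, not Nacha's code
from dataclasses import dataclass
CORPORATE_SEC = {"CCD", "CTX"}  # assumed grouping: corporate SEC codes (PPD/WEB/TEL are consumer)

@dataclass
class AccountProfile:
    account_type: str      # "consumer" or "business"
    recent_credits: list   # constructed history of incoming credit amounts (USD)

@dataclass
class AchCredit:
    trace: str
    account_id: str
    sec_code: str
    amount: float

def evaluate_credit(entry, profile, multiplier=3.0):
    """Return the red flags for one incoming credit (empty list = no flag).
    multiplier is the assumed risk-appetite knob: how far above the account's
    largest recent deposit a credit may go before it is flagged."""
    flags = []
    # Red flag 1: SEC class not appropriate for the receiving account type
    if profile.account_type == "consumer" and entry.sec_code in CORPORATE_SEC:
        flags.append("sec_mismatch")
    # Red flag 2: amount far outside the account's established deposit pattern
    baseline = max(profile.recent_credits, default=0.0)
    if baseline and entry.amount > multiplier * baseline:
        flags.append("amount_anomaly")
    return flags

def screen_batch(entries, profiles, multiplier=3.0):
    """Review a processed batch (the rule allows post-processing review) and
    return {trace: flags} for the entries that need analyst attention."""
    hits = {}
    for e in entries:
        flags = evaluate_credit(e, profiles[e.account_id], multiplier)
        if flags:
            hits[e.trace] = flags
    return hits

# Constructed sample data
PROFILES = {
    "C-1001": AccountProfile("consumer", [2450.0, 2450.0, 2450.0]),  # payroll only
    "B-2002": AccountProfile("business", [18000.0, 52000.0]),
}
ENTRIES = [
    AchCredit("T1", "C-1001", "PPD", 2450.0),   # normal payroll credit
    AchCredit("T2", "C-1001", "CCD", 50000.0),  # the $50,000 corporate credit from the text
    AchCredit("T3", "B-2002", "CTX", 49000.0),  # within the business account's pattern
]
```

Running `screen_batch(ENTRIES, PROFILES)` flags only T2, on both rules; an analyst then decides whether to return the entry or hold the funds.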
Many organizations already have solutions in place that can identify these red flags to some degree. However, after reviewing the requirements of Nacha’s new rules, they will have to perform a gap analysis to determine where their existing processes stand compared to the new paradigm. From there, they can begin to close these gaps.
To do so, many organizations will turn to third-party providers. While this can be an effective model, financial institutions must ensure that all parties have a clear understanding of their roles and responsibilities under the new framework.
This vendor vetting and implementation process is likely to be intensive, especially as the rules’ effective date draws near.
“There are technology providers out there who provide automated solutions or other tools that require more resources and implementation,” Tavilla said. “This would be a good time to start exploring appropriate partners and solutions in preparation for when the new rules go into effect next year.”
When a Fraudulent Transaction Occurs
Although these rules strengthen fraud monitoring procedures, their scope doesn’t end with fraud detection.
If a receiving depository financial institution (RDFI) detects a fraudulent transaction, the rules prescribe specific actions that institutions should incorporate into their procedures.
For example, after the RDFI has resolved the transaction—either by returning the payment to the originator or freezing the funds in the receiver’s account—it should conduct a thorough evaluation of the receiver.
“Is this an unwitting money mule?” Marsh said. “Is this a good customer who got maybe scammed into receiving the payment and is coached to send it on to the fraudster somewhere else? Or is the RDFI actually banking the fraudster? The response would be very different in those cases. They may need to talk to their AML team, because a money mule is literally involved in money laundering.”
In addition to assessing the involved accounts, Nacha provides a checklist of actions that a fraud victim can utilize in their recovery efforts.
For instance, the guide can walk an originator who has been scammed into sending a fraudulent payment through the process of contacting the financial institution and notifying them of the transaction details. The checklist can also guide them on how to contact the RDFI and request that it either freeze or return the funds.
There is also a post-mortem aspect of the checklist, which coaches the fraud victim through evaluating how they were scammed and what they may have missed, to help prevent future attacks.
“On the more technical side, the best tool we’ve got for bank-to-bank communication is through Nacha’s risk management portal,” Marsh said. “The originating institution can receive a call from their originator, recognize that they have to contact the RDFI, and they can use our contact registry to look up who they need to speak to in the ACH fraud department at the other financial institution.”
Along with the checklist, Nacha also provides tools for exchanging documents. An RDFI may respond that they have frozen funds and can return them, but first require a letter of indemnity (LOI). The ODFI can then send the LOI to the receiving institution using the Secure Exchange feature in Nacha’s Risk Management Portal.
Doing Nothing is Not an Option
Increased communication between financial institutions is a critical component of the cooperative effort needed to combat the rising threat of fraud.
This concerted collaboration is not only integral to accelerating industry-wide adoption of Nacha’s new rules, but also essential for their effective enforcement.
“The way Nacha is ultimately going to enforce this is indirectly, we have a requirement for a Nacha rules compliance audit, so we query the industry and we challenge to see who has completed their audits and if they’re compliant with the rules,” Marsh said.
“Beyond that, a more targeted approach is any stakeholder in the industry can file an allegation of a rule violation through Nacha’s National System of Fines,” he said. “If they see a shortcoming in an organization based on the transaction they’ve dealt with, they could possibly file a rule violation if they think someone’s not following these rules.”
Additionally, Nacha has established a Credit-Push Fraud Monitoring Resource Center, offering guidance and tools tailored to assist in complying with the new rules.
Although many financial institutions have been proactive in the fight against fraud, they should still use this opportunity to ensure their systems are fully optimized.
“With regard to transactions, we have made the point many times in training and speaking events that doing nothing is not an option,” Marsh said. “It’s not satisfactory for an organization to say we conducted a risk assessment, we don’t consider any of our transactional activity risky, so we’re not going to do monitoring. That’s not acceptable.”
The post What to Expect When Nacha’s Fraud Monitoring Rules Take Effect appeared first on PaymentsJournal.