Proactivity a Must to Expose Lurking ACH Risks
Whether it's a member's auto loan payment that's automatically deducted each month or a small business processing payroll online, automated clearing house risks are in the spotlight more these days. The risks can be confusing and can vary with each type of transaction, according to CUNA Mutual Group.
To help clear through the fog, more than 1,000 people registered for a Feb. 19 webinar hosted by the company on such topics as emerging problems with online account takeover fraud and unauthorized origination of outgoing funds. The session also covered the risks of originating debits as deposits or loan payments and operational issues for the receiver of fraudulent credit and debit transactions.
On the ACH credit receiving end, with money mule scams, where a person transfers money acquired illegally, in person or electronically, on behalf of someone else, credit unions were reminded that they do have some protections. Roger Nettie, senior consultant, risk management at CUNA Mutual, told attendees that credit unions should only return funds that still exist and only if they get a letter of indemnification from the issuing institution. The same process applies for wire transfers.
Another scenario on the ACH credit receiving end involves issues with Treasury reclamations after a joint owner removes funds, Nettie said. For instance, a member is deceased but their Social Security checks are still coming, with the joint account holder taking the funds. This type of situation is preventable for credit unions if a reclamation notice is sent saying the funds need to be returned and a response is needed on a timely basis. This action also applies to issues with IRS tax refunds in which the recipient's name is not on the account, Nettie said.
“With ACH, you generally don't have the responsibility to match the names. However, if you become aware of a mismatch, you are expected to send (the refund) back or contact the IRS and notify them of the mismatch,” Nettie explained.
Unlike the ACH credit receiving end, Nettie said, there are fortunately not a lot of loss problems on the ACH debit receiving end because the system is designed with “generous return rights” that allow 60 days for consumers to make returns. “The problem area is understanding member liability under Regulation E. If a member reports unauthorized transactions that have hit their account, the credit union is liable for anything within 60 days – it doesn't matter when you got the notification,” Nettie said.
Even though members can work the issue out with the vendor first, Nettie said there could potentially be a little danger if the credit union does not conduct its own investigation, which is required under Regulation E. One area where CUNA Mutual has seen problems is with business accounts, Nettie said. “Credit unions are giving Reg E disclosures; they’re giving a lot of extra protection to businesses that you don't need to. We recommend traditional account disclosures for checks with 30 days to report.”
When credit unions are originators of ACH credit transactions, online fraud losses are likely to occur, Nettie said. Accounts can be taken over online, or a business member's account can be subjected to unauthorized payroll processing, he explained. If a credit union is using a corporate credit union or corresponding bank, wire losses can easily drift into the several-million-dollar range. The big problem is the malware that infects credit union computers, and the security option of answering a challenge question just isn't enough anymore, he said.
If a credit union is doing originations for business accounts, Nettie emphasized that it's critical to have a written agreement in place. Along those lines, understanding credit risk is important. Once a credit union accepts a payroll file and it goes into the system on a Wednesday for settlement on Friday, it is obligated to make that payment.
“The risk comes into play when you don't know when the business member will process the funds,” Nettie said. “I actually worked with a larger credit union years ago that was doing payroll for a large medical group. Well, the credit union never got paid and as a result of this, decided to exit the ACH payroll business. You have to know that the company's financials are in good shape and you can require pre funds.”
When credit unions are the originators of ACH debits, there is the risk of a booster payment, Nettie said. That's when a member has a credit card with a $5,000 limit, for instance, that has been maxed so the user wants to use a check or ACH payment, submit it to the financial institution and immediately run up that limit. Meanwhile, the booster payment is going through an account with no funds, Nettie said. He advised not releasing all of the available funds immediately.