The Green Sheet, Inc
White Paper: The Fear Factor in Internet Fraud

As Internet commerce grows at rates many times that of the economy overall, there are increasing pressures to expand the payment options so that greater numbers of consumers can join this buyer community. Credit cards typically have accounted for more than 98% of Internet consumer purchases.

It is widely known that almost 50 million consumers are either without a credit card or are within 5% of their buying limit but have disposable income in their checking accounts. Consequently, low-cost electronic access to consumer checking account funds makes the Automated Clearinghouse (ACH) an attractive payment alternative to credit cards for Internet merchants. This document details the fraudulent activity associated with Internet payments, with special emphasis on ACH fraud issues and preventive measures.

Executive Summary

The scope of this white paper covers a range of Internet fraud types: transaction-level fraud, identity theft and merchant-level fraud. While there is some commercial usage of ACH payment over the Internet, the focus of this report is upon consumer retail payments. Before delving into these topics, let's first look into the features of the ACH network that represent fraud exposure.

  • No Real-Time Authorization Mechanism - The ACH network does not provide the confirmation in real-time that a consumer account exists or has funds in it.
  • 60-day Right of Recredit/Return - The NACHA Rules permit consumers to return ACH debits as unauthorized for up to 60 days from the settlement date.
  • Batch Settlement - All ACH transactions are processed in batch mode, meaning that funds transfer and returns notification may take one to two banking days to process. A fraudster could conduct many fraudulent transactions and it would take days or, in the case of unauthorized transactions, months for a financial institution or merchant to detect the fraud.
  • No Match between Name and Account Number - ACH payments settle on the basis of the account number provided in the authorization. The NACHA rules do not require a check to determine if the name of the consumer authorizing the payment matches that account number.
  • Lack of Standardized Account Number Structure - There is no national database of ACH account number structures. This makes it extremely difficult to validate account number structure before submission of items into the ACH network.

Regulation E provides the governing law for consumer electronic payments such as ACH; the essence of this legislation is to protect the consumer against financial loss whenever there is uncertainty as to who is negligent in a disputed transaction.

A payment service with the five previously listed deficiencies is open to considerable fraud exposure that will be absorbed either by the originating depository financial institution (ODFI) or by the Internet merchant. With the exception of the merchant fraud described below, in most cases the retailer is going to absorb the fraud losses as a result of signing the ODFI/Originator agreement.

ACH Fraud Categories

  1. Unauthorized Transactions

    In the physical world, a customer's signature is required to provide evidence of assent to debit their checking account via ACH. On the Internet, obtaining both identity and assent is difficult at best. The governing law for electronic consumer payments is Regulation E, and for a transaction to be valid there must be "similar authentication" for Internet-initiated transactions. The test needed to satisfy this regulation is two-fold:

    • Evidence of Assent - The authorization must be clear and conspicuous. Consumers must be able to acknowledge that they are providing permission to debit their bank account for a specific amount on a specific date/period.
    • Evidence of Identity - The Originator must ensure that authentication provides evidence of the consumer's identity.

    These requirements are difficult for most Internet retailers to satisfy, and they translate into a major loophole for consumer accountability. Because there is no mechanism to match the consumer's name to an account number, this level of authorization integrity is unavailable to the settlement parties in an ACH Internet transfer. Furthermore, there is no automated means for a merchant to respond to a chargeback through the ACH network.

  2. Returns/60-day Right of Recredit

    This Reg. E protection was designed to ensure that consumers had at least one checking account billing cycle to review their bank statement for any unauthorized electronic debits. Compounding this risk is the fact that the consumer's financial institution is under no obligation to determine the validity of the consumer's dispute.

    This lack of settlement finality represents a major exposure to both the ODFI and the retail merchant. A number of smaller commercial banks have been driven into bankruptcy by signing fraudulent Internet merchants that made ACH deposits, never fulfilled their side of the consumers' transactions, and withdrew the deposits, leaving the bank buried in ACH return-item chargebacks.

  3. Consumer Fraud Against Merchants

    The ACH batch-file deposit feature exposes merchants to various types of fraud, especially if the merchandise is shipped following purchase. ACH returns can take two to four days to be received, depending on the deposit timing and the nature of the return. Examples include NSF, account closed, or no account on file.

  4. Fraudulent Use of Stolen Bank Accounts

    This type of fraud occurs as a result of identity fraud; it can take 30 days or more for it to be identified and for measures to be taken to recover the losses. Criminals can use a stolen identity to wipe out a victim's credit, finances and reputation because of the speed and anonymity of Internet transactions.

    The sources of the details needed to take over an identity are extensive and include employer files, bank personnel, government employees, Internet merchant customer service staff, etc. Change-of-address forms are typically used to reroute broker, bank and credit card statements before a concerted identity fraud is committed, including ACH transfers.

  5. Transaction-Level Fraud

    There are three primary categories of this type of fraud:

    • Transport Vulnerabilities - Interception of financial data, user names and passwords transmitted in an unsecured environment. An attacker monitors Internet network traffic to accumulate funds-transfer details for future use. Once these details are accumulated for a number of accounts, a large batch of ACH deposits is made into a merchant's account and the funds are withdrawn before returns become noticeable.
    • Price Changes - Fraudulent modification of the original transaction approved by the consumer - typically, the merchant increases the amount of debit.
    • Username and Password Cracking - This is accomplished through repeated attempts to gain access to confidential information or to the authority to make purchases. Various shopping cart programs have been identified as relatively simple to penetrate in order to capture customer credit card and ACH account details.

  6. Merchant-Level Fraud

    Sensitive personal information can be compromised in a number of ways within Internet merchant organizations:

    • Employee-Initiated Fraud - points of vulnerability include programmers and database administrators, customer service representatives, accounting and finance personnel.
    • Fraudulent Auction Sellers - According to the FBI's Internet fraud center, over 60% of Internet fraud complaints are auction related. The simplest approach is for the seller to accept payment and never fulfill their side of the transaction. By capturing the victim's financial information, the seller also gains the ability to make additional purchases at other online merchant sites. Triangulation is another auction fraud; it starts with the purchase of merchandise (typically electronics) from a reputable merchant using fraudulent bank account information for the ACH transfer. The ship-to address is the home of the "winner" of an online auction who has paid the criminal and transferred their banking information, thus setting off another round of fraud.
    • Spoofing - This is the process of impersonating a reputable organization to obtain financial details from unsuspecting consumers. This typically is done either by e-mail on "counterfeit stationery" or through the creation of a duplicate Web site. Once consumers are on the Web site, offers are made to collect bank account information that is then used to originate fraudulent ACH transfers.
    • Merchant Non-Delivery/Bankruptcy-Related Fraud - The victim's funds are collected but merchandise is never delivered or bankruptcy is declared prior to delivery of goods.
    • Hacking into a Legitimate Merchant Site - A hacker breaches a merchant's security and gains access to their database of customer financial account information.

Fraud Impact on Various Parties to Internet ACH Fraud

  1. Consumers

    According to this report, the average online auction fraud loss was $478 in 2001. For identity fraud, the losses can extend much further than monetary loss, to include credit damage, employment and reputation. The larger cost to society is the Internet commerce that is never conducted by tens of millions of consumers who have security and fraud concerns.

  2. Merchants

    Merchants not only bear the financial loss of the merchandise fraudulently taken from them but also the shipping costs, payment and chargeback fees. Beyond these losses are the investments needed to prevent fraud, such as screening services, system security and insurance fees.

  3. Financial Institutions

    Fraud generates a series of costs, starting with customer calls about disputed transactions, internal records research and retrieval, fraud prevention and detection systems along with extensive regulatory reporting and insurance premiums. These costs exist on both the consumer and merchant side of these transactions.

  4. Payment Networks

    Non-bank payment processors incur substantial costs and losses as originators because of ACH fraud along with investments in fraud-detection technology and security barriers to unauthorized access to confidential customer information.

Managing Fraud Risk Exposure

  1. Fraud Prevention

    This section of the white paper describes the need for real-time verification, fraud screening and customer and merchant authentication. Of course, in a batch, offline settlement system such as ACH, none of these capabilities exists. Internal audit and control procedures are listed, including separation of duties, background screening of employees and education. There also is mention of the need for merchant screening and secure data-management controls.

  2. Fraud Detection

    This section addresses the listing of risk filters to identify aberrant transaction characteristics, primarily in merchant ACH deposits. This precaution applies to the ODFI. Unfortunately, there are no such protections for the Receiving Depository Financial Institutions. For the RDFI in ACH processing, all incoming debits and credits are assumed to be valid and are automatically posted to their customers' accounts. Most commercial bank accounts restrict ACH access to their funds because of past fraud losses that have been widely publicized in corporate banking publications.
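
    As an added illustration (not from the white paper or from The Green Sheet), here is a small Python version of the kind of ODFI-side risk filter the section describes, run over constructed merchant deposit activity: it flags a sudden jump in daily deposit volume, a return rate above tolerance, and withdrawal of deposits before the two-to-four-day return window has passed. The record format and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import date

SPIKE_MULTIPLE = 3.0          # daily deposit volume vs. the merchant's own prior days
RETURN_RATE_LIMIT = 0.02      # returned dollars / deposited dollars (assumed tolerance)
RETURN_WINDOW_DAYS = 4        # the page: ACH returns take two to four days to arrive
EARLY_WITHDRAWAL_SHARE = 0.8  # pulling most of the deposits that could still return

def risk_flags(records):
    # records: (merchant, 'YYYY-MM-DD', kind, amount), kind in deposit/return/withdrawal
    by_merchant = defaultdict(list)
    for m, d, kind, amt in records:
        by_merchant[m].append((date.fromisoformat(d), kind, amt))
    result = {}
    for m, events in by_merchant.items():
        flags, daily = set(), defaultdict(float)
        for d, kind, amt in events:
            if kind == "deposit":
                daily[d] += amt
        returned = sum(a for _, k, a in events if k == "return")
        days = sorted(daily)
        # 1. Sudden jump in daily deposit volume against the merchant's history.
        for i in range(1, len(days)):
            baseline = sum(daily[x] for x in days[:i]) / i
            if daily[days[i]] > SPIKE_MULTIPLE * baseline:
                flags.add("volume_spike")
        # 2. Returns (NSF, account closed, unauthorized) above tolerance.
        if daily and returned / sum(daily.values()) > RETURN_RATE_LIMIT:
            flags.add("high_return_rate")
        # 3. Deposits withdrawn before the return window could surface problems.
        for d, kind, amt in events:
            if kind == "withdrawal":
                at_risk = sum(daily[x] for x in days
                              if 0 <= (d - x).days < RETURN_WINDOW_DAYS)
                if at_risk and amt > EARLY_WITHDRAWAL_SHARE * at_risk:
                    flags.add("early_withdrawal")
        result[m] = sorted(flags)
    return result
# Constructed sample activity for two merchants (not real data).
SAMPLE = [
    ("steady-shop", "2003-03-03", "deposit", 1200.0),
    ("steady-shop", "2003-03-04", "deposit", 1350.0),
    ("steady-shop", "2003-03-04", "return", 30.0),
    ("steady-shop", "2003-03-04", "withdrawal", 900.0),
    ("burst-mart", "2003-03-03", "deposit", 500.0),
    ("burst-mart", "2003-03-04", "deposit", 450.0),
    ("burst-mart", "2003-03-05", "deposit", 9800.0),
    ("burst-mart", "2003-03-06", "withdrawal", 9500.0),
    ("burst-mart", "2003-03-08", "return", 2400.0),
]
```

    In the sample, the steady merchant raises no flags while the burst pattern trips all three rules; the returns that expose it only arrive after the funds have left, which is exactly the gap the section describes.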

  3. Remediation

    Remediation is the process of assisting fraud victims to recover their losses and of identifying and prosecuting fraud criminals. This section of the report describes fraud reporting, investigation and recovery of losses.

    In conclusion, this document does an excellent job of detailing the various fraud exposures inherent in processing ACH payments over the Internet. Unfortunately, it is unable to provide the reader with assurances that available ACH technology or internal banking controls are anywhere close to those provided by the credit/debit card industry for managing this type of risk.

Web Sites for More Information on Internet Fraud

Computer Security Institute

Federal Trade Commission Consumer Protection Site for Credit and Payment Services

Office of the Comptroller of the Currency, regulator of national banks

CyberCrime Glossary

The International Association of Financial Criminal Investigators

U.S. Department of Treasury Law Enforcement

Eric Thomson is Executive Vice President of Profit Source Advisors. He can be reached at .

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
© 2003, The Green Sheet, Inc.