View PDF

The full text on this page is automatically extracted from the file linked above and may contain errors and inconsistencies.

l l★K

Federal Reserve Bank of Dallas
2200 N. PEARL ST.
DALLAS, TX 75201-2272


July 21, 2003

Notice 03-36


The Chief Operating Officer of each
financial institution and others concerned
in the Eleventh Federal Reserve District
Managing the Risk of ACH Debit Entries

This notice is to inform you of ACH business practices that can impact your financial
institution and ways you can manage the risk associated with ACH debit entries.
As you know, the Automated Clearing House offers a fast, inexpensive, and reliable
means of making payments. It has also been a very safe payment mechanism for the past 30
years. As a result of these characteristics, the volume of ACH payments has grown substantially
in past years, and new types of ACH payments have been introduced recently that promise
further increases in ACH volume. The newest forms of ACH transactions include Internet
authorized payments, debits authorized over the telephone, and check-to-ACH conversions at the
point-of-purchase or the lockbox.
While the new business opportunities created by the expansion of the ACH are good
for the industry, the ACH operators are detecting increased risks associated with some of these
new ACH debit transactions. In some instances, dishonest persons are using the ACH to
originate unauthorized debits. This rise in unauthorized debit entries creates customer service
issues for receiving financial institutions whose customers’ accounts are hit by unauthorized
debits and creates risk for the ACH system as a whole. However, the greatest risk associated with
unauthorized debit entries is the financial risk to an originating depository financial institution
that introduces the unauthorized entries into the ACH system. Over the past year, there have
been million-dollar court cases filed to recover losses from fraudulent transactions, with the
ultimate financial burden falling on the originating financial institution because the originating
company is no longer in business.

For additional copies, bankers and others are encouraged to use one of the following toll-free numbers in contacting the Federal
Reserve Bank of Dallas: Dallas Office (800) 333-4460; El Paso Branch Intrastate (800) 592-1631, Interstate (800) 351-1012;
Houston Branch Intrastate (800) 392-4162, Interstate (800) 221-0363; San Antonio Branch Intrastate (800) 292-5810.

-2Risk Management Tools
It is important to note that not all TEL and WEB entries are fraudulent; nor are all
companies or third parties that originate such entries involved in fraudulent activity. There are
many important and efficient uses of these new services. The risk to an originating depository
financial institution can be effectively managed using methods familiar to all bankers.
1. Before you permit your bank’s customer to originate ACH debit entries, you
should take adequate steps to know your customer and its business. If your
customer is using WEB entries, make sure that the customer is obtaining the
necessary authorizations. If the customer is originating TEL entries, be familiar
with the NACHA Operating Rules regarding the circumstances in which TEL
entries may and may not be used. In accordance with the rules, determine the
creditworthiness of the customer. Familiarity with your customer’s business
practices is an important protection against the losses that your bank might incur
if your customers violate the applicable rules.
2. Make sure your contracts with your customers that originate ACH debit items
require your customer to follow all the NACHA rules. Know the NACHA rules,
especially your responsibilities and liabilities for payments settling against your
3. Monitor ACH returns. Pay special attention if your bank receives significant
numbers of ACH return items that relate to debits originated by one customer.
Your institution’s daily settlement advices from the Federal Reserve will itemize
the dollar volume of ACH returns being charged to your account and provide
insights as to the need for further investigation of individual originators.
4. If your bank’s customer is a third-party service provider, know your customer’s
customers. Make sure that the party that actually obtains the funds from ACH
debit entries originated through your bank has followed all the rules. You may
need to require your customer to disclose the terms and conditions under which
your customer does business with its customers. Once again, creditworthiness
checks are effective tools. Most companies will be happy to assist and be
5. Be cautious in allowing any of your customers to use your bank’s electronic send
and receive capabilities to an ACH operator. Your bank is responsible for settling
all ACH transactions that are originated using your routing and transit number.
The “know your customer” principle takes on huge importance when you hand
your customer the keys to your bank’s Fed settlement account. In addition to
performing due diligence prior to permitting customers to use your bank’s
electronic access to an operator, it is important to monitor the account activity of
customers who access the ACH using access capability.


6. Consider establishing a “return reserve” requirement for customers originating
certain types of ACH debits through your bank. Fraudulent firms are likely to
respond to such a requirement by taking their dishonest enterprises elsewhere.
Prudent risk management practices such as these should allow your institution to take
advantage of the opportunities afforded by today’s ACH network while protecting your financial
To help illustrate the risks associated with these new ACH debit transactions, the
Federal Reserve System has developed a business case that, while fictional, demonstrates the
financial liability that an originating financial institution can bear with respect to these new
transactions. The business case is attached at the end of this notice.
For additional information on managing the risks associated with ACH debits, please
reference OCC Advisory Letter 2001-3, Internet-Initiated ACH Debits/ACH Risks, and
NACHA’s Operations Bulletin, Telephone-Initiated (TEL) Entries, dated September 19, 2001.
In addition, financial institutions can take advantage of educational and training materials
available from NACHA and local ACH payments associations.
If you have any questions concerning the issues addressed in this notice, please
contact one of the following account executives:
Rick Flansburg
Michele Hitchings
Jim McCammon
Susan Vice
Kathy Waggoner

(210) 978-1661
(713) 652- 9141
(214) 922-5491
(214) 922 -5430
(713) 652-9146

Paper copies of this notice or previous Federal Reserve Bank notices can be printed
from our web site at

A Worst Case Fiction: The Bank of Anytown Failure
As of December 31, 2001, the Bank of Anytown was a small institution with $5 million in
Tier 1 capital and $38 million in total assets. Early in 2002, a third party processor, AutoCo,
approached the Bank with the idea of originating ACH debit transactions for Scamco, a
telemarketing firm and customer of AutoCo. Though intrigued, the Bank indicated that they did
not have the technical capability to originate large numbers of ACH entries. AutoCo offered to
do so on behalf of the Bank and offered to pay the Bank a share of the Scamco fee income. The
Bank allowed AutoCo to use their electronic access capabilities to originate the transactions to
the ACH operator and settle the items through the Bank’s Federal Reserve settlement account. In
essence, the Bank was pleased to have the AutoCo/Scamco business, become an ACH originator,
and derive new fee income.
AutoCo then began to originate through Bank of Anytown large numbers of Scamco’s
one-time consumer payments as ACH debits. In February, AutoCo originated $10 million in
debit entries on behalf of Scamco. In March, the totals reached $15 million. Also during March,
the Bank of Anytown began to receive a significant number of returns based on claims made by
receivers that the original debit entries from Scamco were unauthorized. At first, Bank of
Anytown was able to debit AutoCo’s large account balance to cover these return items. By the
beginning of March, everything unraveled. AutoCo made large withdrawals from its accounts at
the bank. Shortly afterward, federal law enforcement agents arrived at the Bank with a court
order freezing AutoCo’s accounts and inquiring about Scamco. The newspapers reported that
AutoCo’s operations were shut down. Some of AutoCo’s senior managers were arrested. Others
were said to have left the country. But even after AutoCo dissolved, a deluge of ACH return
items continued to pour into the Bank of Anytown. Each day, the Bank of Anytown’s Fed account
was debited for hundreds of thousands of dollars for the ACH return items.
When the Bank of Anytown contacted its ACH operator for help, the operator explained
that under NACHA Rules and Regulation E, the receiving banks had the right to return ACH
debit entries if the receivers said the items were unauthorized, and the Bank of Anytown was
financially liable for settling the return items. Quickly, the Bank of Anytown’s capital
evaporated, and the bank was declared insolvent and placed in receivership on April 1, 2002.
Although the Bank of Anytown story is fictional, it points to an important lesson. A bank
that permits a fraudulent party to introduce unauthorized debit entries into the ACH in effect
gives that party the ability to loot the bank’s Federal Reserve account. If an originator introduces
$1 million in fraudulent debit entries through an originating depository financial institution that
gives the originator immediate credit, the originator may easily disappear with the proceeds from
the ACH entries long before the originating bank becomes aware of the fraud. Returns of
unauthorized ACH entries may not start to come back to the originating bank until after the
receivers of the unauthorized debits receive and review their bank statements, identify the
unauthorized entries, and initiate the return process through the receiving depository institutions.
Regulation E gives a consumer at least 60 days after the transmittal of a bank statement to report
an unauthorized electronic fund transfer. Moreover, in some states, laws provide for the return of
such items well beyond the existing ACH return timeframes, sometimes as much as two years.

-2Most of the $1 million in fraudulent debit entries that the fraudulent party originated through the
originating bank will come back as debits to the originating bank’s Federal Reserve account
during the three months or so after the fraudulent entries were introduced into the ACH system.
While this case involves a third party processor originating entries for a fraudulent
telemarketer, similar schemes are being employed by companies like Scamco originating entries
directly through financial institutions that are active ACH originators, but that do not have
sound “know your customer” business practices.

Federal Reserve Bank of St. Louis, One Federal Reserve Bank Plaza, St. Louis, MO 63102