An Introduction to ACH Security

ACH (Automated Clearing House) payments are subject to federal regulations and are managed by the National Automated Clearing House Association (NACHA). To register within this network, users must provide the following information:

  • Usernames
  • Passwords
  • Bank details
  • Routing numbers

These registration steps bear similarities to the Payment Card Industry Data Security Standard (PCI DSS) for credit cards, but ACH payments are not required to comply with PCI DSS. Merchants are therefore encouraged to implement additional layers of protection, including:

Merchant-Specific Registration

Users must establish individual relationships with payees and recipients by supplying the requisite routing number and bank account information. The SEC requires that each new customer provide detailed financial information before opening an investment or banking account. Know Your Customer (KYC) compliance is mandatory for all financial institutions and financial services companies. Compliance levels are determined by the number of transactions processed annually.

Micro Validation

After establishing a relationship with a merchant, the payment processor adds two small deposits into the user’s bank account. The user must then verify the exact penny amount of these deposits to initiate money transfers, akin to the validation process used by PayPal.
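As an added example (not code from the original article or from any processor), here is the server-side half of that micro-deposit check: two random cent amounts are issued, and the user's claimed amounts are compared exactly, with an attempt limit and an expiry window so the roughly 9,800 possible pairs cannot simply be guessed. The three-attempt limit and seven-day window are assumed values.

```python
import secrets
import time
from dataclasses import dataclass
from decimal import Decimal

MAX_ATTEMPTS = 3                    # assumption: lock the link after three wrong guesses
VERIFY_WINDOW_SECS = 7 * 24 * 3600  # assumption: deposits must be confirmed within a week


@dataclass
class MicroDepositChallenge:
    amounts_cents: tuple   # the two deposits, e.g. (7, 42) for $0.07 and $0.42
    created_at: float      # unix time at which the deposits were sent
    attempts: int = 0
    verified: bool = False
    locked: bool = False


def to_cents(amount: str) -> int:
    """Parse a user-entered dollar string such as '0.07' exactly; never use float for money."""
    return int(Decimal(amount) * 100)


def issue_challenge(now=None) -> MicroDepositChallenge:
    """Draw two amounts from $0.01 to $0.99 with a CSPRNG; the processor sends these as ACH credits."""
    now = time.time() if now is None else now
    return MicroDepositChallenge((secrets.randbelow(99) + 1, secrets.randbelow(99) + 1), now)


def verify(ch: MicroDepositChallenge, claimed_cents, now=None) -> str:
    """Check the user's two claimed amounts; returns a status string."""
    now = time.time() if now is None else now
    if ch.verified:
        return "already-verified"
    if ch.locked:
        return "locked"
    if now - ch.created_at > VERIFY_WINDOW_SECS:
        return "expired"          # stale deposits: a fresh challenge must be issued
    ch.attempts += 1              # every guess counts, right or wrong
    # Order-independent comparison: users often enter the two amounts in either order.
    if sorted(claimed_cents) == sorted(ch.amounts_cents):
        ch.verified = True
        return "verified"
    if ch.attempts >= MAX_ATTEMPTS:
        ch.locked = True          # stop brute-force guessing; new deposits are required
        return "locked"
    return "mismatch"
```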

Tokenization and Encryption

Some payment providers may include data encryption and tokenization in their ACH offerings, resembling the security measures required by the credit card industry.

Secure Vault Payments (SVP)

Secure Vault Payments is an online payment option added to a website’s checkout page, allowing users to initiate ACH transactions without disclosing sensitive financial data. Users authorize transactions directly through their online bank accounts. It’s not clear to me how the institution guards against replay attacks, key-logging, and other attacks.

ACH vs. Wire Transfers

Aside from ACH payments, wire transfers offer another way to send money between banks. Wire transfers involve electronic payments sent through networks like the Federal Reserve Wire Network, SWIFT (Society for Worldwide Interbank Financial Telecommunications), or CHIPS (Clearing House Interbank Payments System). Key points to consider include:

  • Wire transfers can be used for domestic or international transfers, with associated fees.
  • International wire transfers are generally more expensive, while some banks allow for fee-free incoming domestic wire transfers.
  • Wire transfers facilitate quick movement of funds, often within an hour, making them suitable for large transactions.
  • Wire transfers are very difficult, and often impossible, to reverse.

Security Concerns and Safeguards

Fraudsters can commit ACH fraud with just two pieces of information: a checking account number and a bank routing number, often obtained through targeted phishing emails. They also use malware to install keyloggers that steal online banking passwords. In terms of security, ACH payments offer several advantages:

  • ACH requires entering bank account information only once, reducing exposure compared to paper checks. This assumes that the user’s PC and connection to their financial institution are not compromised; all bets are off under an adversary-in-the-middle attack.
  • ACH payments move funds directly from your account to the intended recipient, mitigating the risk of checks being stolen or lost. Of course, care must be taken in setting up the initial relationship.
  • Federal law protects you in case of fraud or ACH errors, provided you report the issues to your bank within sixty days.
  • ACH payments are not irrevocable or immediate, making it challenging for thieves to quickly access and withdraw funds. However, time is of the essence if the customer wants to stop a fraudulent transaction.
  • Recipients typically require an American bank account, providing law enforcement with necessary identification for potential legal actions in cases of fraud or illegal activity.

The Electronic Fund Transfer Act (EFTA) is a federal law that provides some guardrails for consumers against fraud and account errors. The EFTA covers most types of transactions, including ACH transfers, and provides relief to consumers from fraudulent electronic transactions.

According to this law, “If the consumer notifies the financial institution within two business days after learning of the loss or theft of the access device, the consumer’s liability shall not exceed the lesser of $50 or the amount of unauthorized transfers that occur before notice to the financial institution.” If you report a fraudulent transaction after two days but within 60 days, your losses are likely to be limited to $500. [i]

Customers should verify that the merchants they do business with use these security features. Additionally, customers can take steps to protect their information during electronic transactions, such as ACH transfers, credit card payments, and online banking. NACHA provides a list of best practices for reference. [ii]


[i] Consumer Financial Protection Bureau. (2023). § 1005.6 Liability of consumer for unauthorized transfers. Retrieved from https://www.consumerfinance.gov/rules-policy/regulations/1005/6/

[ii] National Automated Clearing House Association (NACHA). (2023). ACH Risk Management Handbook (8th ed., July 2023). Retrieved from https://www.nacha.org/products/ach-risk-management-handbook
