Is Now the Time to “Think Like a Crook”?
November 3rd, 2015
Now that NACHA members have approved the plans to extend ACH processing to include same day processing and same day funds availability, what steps should fraud managers at financial institutions be taking to be sure that they are not overlooking issues or gaps that could lead to fraudsters taking advantage of the speed and special characteristics of this new environment?
As a first step, with respect to Same Day ACH (SDACH), fraud managers might gather together a small group of individuals (4 to 7 usually works best) with extensive ACH (system) and Fraud (management) experience to learn how to think like a crook. While that may seem counter-intuitive, perhaps it is the “method acting” of the financial crime world. To use Professor Paul Ekblom’s phrase, now is the time to “design against crime.”
With their knowledge and experience in the ACH payment system and fraud management, the working group should focus its discussions from the point of view of a fraudster. They should ask each other questions like, “How can I use SDACH to help further fraud schemes?” “How can I use SDACH to steal money?” “How would we use SDACH to move stolen money?” In short, in order to think like a fraudster, look for vulnerabilities that SDACH may create or expand.
Call the working group whatever suits your fancy: the Crook Committee, the Faster Fraudster Working Group or, my favorite, the Fraud Red Team — with a nod to Greenway Solutions. No matter what you call your assembled group of subject matter experts, here is some food for thought to prime their discussions. On the NACHA website the value and benefits of SDACH are quite accurately listed. Some of these include: same day processing with faster funds availability; intra-day posting with funds availability of credits to DDA accounts; funds from ACH credits available by 5:00 p.m. local time; and the all-encompassing new innovation opportunity to independently offer and price new products and services to be delivered via the new, optional same day ACH capability.
While the last benefit needs to wait for a future discussion, because it currently is one of those challenging “unknown unknowns,” the other benefits are fair game for your hypothetical SDACH fraud working group. So think about how Same Day ACH could potentially benefit fraudsters.
Here is a list of topic ideas to seed the conversations and get the vulnerability assessment started:
- Payroll Fraud with SDACH: Stealing “Same Day Delivery” payroll deposits by altering the RDFI account number and circumventing the Batch Control Record hashing process.
- Bill Pay Fraud using SDACH: Setting up a new fraudulent bill pay entry or fraudulently altering an existing bill pay entry to create a “Same Day Delivery” payment.
- Account to Account Transfer Fraud using SDACH: Setting up fraudulent account to account transfers with “Same Day Delivery.”
- Person-to-Person Transfer Fraud using SDACH: Setting up a new (one-time or recurring) P2P entry or altering an existing recurring P2P entry to create a “Same Day Delivery” transfer.
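For the payroll topic in the list above, a defender's check, added here as an example and not part of the original post: the Batch Control Record's entry hash is summed from the RDFI routing numbers only, so it does not change when an account number changes, and the code therefore compares a same-day batch against the last trusted payroll cycle. Field offsets follow the 94-character NACHA record layout; the routing numbers, accounts, employee IDs and function names are constructed for illustration.

```python
from typing import NamedTuple

class Entry(NamedTuple):
    routing8: str       # positions 4-11: receiving DFI identification
    account: str        # positions 13-29: DFI account number
    amount: int         # positions 30-39: amount in cents
    individual_id: str  # positions 40-54: individual identification number

def make_entry(routing9, account, cents, ind_id, name, trace):
    """Build a constructed 94-character entry detail record (type 6, credit)."""
    return ("6" + "22" + routing9 + account.ljust(17) + f"{cents:010d}"
            + ind_id.ljust(15) + name.ljust(22) + "  " + "0" + trace.zfill(15))

def parse_entry(line):
    if len(line) != 94 or line[0] != "6":
        raise ValueError("not an entry detail record")
    return Entry(line[3:11], line[12:29].strip(), int(line[29:39]),
                 line[39:54].strip())

def entry_hash(lines):
    """Batch control entry hash: sum of 8-digit RDFI IDs, rightmost 10 digits."""
    return sum(int(parse_entry(l).routing8) for l in lines) % 10**10

def changed_destinations(baseline, batch):
    """Flag payees that are new or whose routing/account differs from baseline."""
    known = {e.individual_id: (e.routing8, e.account)
             for e in map(parse_entry, baseline)}
    return [e.individual_id for e in map(parse_entry, batch)
            if known.get(e.individual_id) != (e.routing8, e.account)]

# Constructed sample data: last trusted cycle vs. today's same-day batch.
BASELINE = [
    make_entry("123456780", "1001001", 250000, "EMP001", "A EMPLOYEE", "1"),
    make_entry("987654320", "2002002", 310000, "EMP002", "B EMPLOYEE", "2"),
]
CURRENT = [
    BASELINE[0],
    # Same routing number, different account: the entry hash is unaffected.
    make_entry("987654320", "9999999", 310000, "EMP002", "B EMPLOYEE", "2"),
]

if __name__ == "__main__":
    print("hash unchanged:", entry_hash(BASELINE) == entry_hash(CURRENT))
    print("hold for review:", changed_destinations(BASELINE, CURRENT))
```

With same day settlement the review window is short, so a check like this belongs before file origination, with flagged entries held for out-of-band confirmation.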
So let’s close with this thought. It is the Halloween season and everyone likes disguises. So we hope that you and your team enjoy putting on the masks of fraudsters for a good cause, and that in the course of this exercise it leads to some good insights as to where speed might be opening up the door to fraud. The more you and your team of fraud managers start to think like crooks, the more you can identify potential vulnerabilities to remediate. We hope this season that you are able to find your way around the tricks, and that your Working Group enjoys the treats of your journey.