Automated Clearing House (ACH) payments are popular because they’re low-cost and accessible. But they come with risks the same as reeiving a paper check. This is an issue especially for returns. Often returns are the result of fraud or insufficient funds, an ACH return is a rejected or incomplete payment. 

In addition, companies often implement ACH holds of 4 days to prevent returns (To make sure funds clear). But this approach limits a customers ability to get the most out of a service or move their money, hurting their ACH experience.

With the ACH network processing 7.7 billion payments in the first quarter of 2023, preventing returns can have a major impact on businesses. Understanding and assessing ACH risk can give your business the benefits of ACH while curbing its downsides.

Why use ACH?

ACH is a US bank-linked payment method, meaning it moves money from one bank account to another. It’s run by the National Automated Clearing House Association (Nacha) and is often described as the digitization of checks.

Compared to its physical predecessors, like cash and checks, ACH is convenient and remote-friendly. Plus, It’s incredibly common, with the ACH Network having processed Thirty Billion payments in 2022 valued at nearly $77 Trillion.

ACH is ideal for recurring payments like autopay, which helps people make payments on time. Other common use cases include some peer-to-peer (P2P) payments and direct deposit. Because many people prefer ACH, offering ACH can also help businesses meet customer preferences.

ACH risks: lost funds and fraud

Returns

The biggest issue companies have with ACH is returns. If a company has already released funds to a customer and is hit with a return, they have to eat the cost unless they’re able to collect it from the user. Returns are common with ACH because there is no real-time verification of transaction information, and typical payments take 1-3 days to process unless payers are using same-day ACH (Coming soon to HowToPay). 

This settlement window creates the possibility for people to use money from their account before the payment settles. This can increase the likelihood of an insufficient funds return (code R01), for which the merchant will incur a fee. On the consumer side, it increases the risk of over-drafting an account, too. This is one of the most common ACH return scenarios and can really hurt the customer experience.

Returns can happen at the bank or customer level. Bank initiated-returns may be the result of things like insufficient funds, closed accounts, or invalid account numbers, and these returns are typically submitted and reported within two business days. Some customer-initiated returns are due to the customer revoking authorization, claiming the payment was never authorized, or that it did not follow agreed-upon terms. Customers have up to 60 calendar days to inform their bank that the payment should be returned for these reasons.

Confidia/HowToPay maintains return rate thresholds that companies must meet. Too many returns can lead to fines or jeopardize a company's ability to remain in the network and process ACH payments in the future. These thresholds have shifted over time, so it can also be challenging for companies to keep up with changing regulations.

Fraud

Another major risk for ACH is fraud, with ACH debits being the second most popular payment method targeted for fraud in 2021. In addition to non-fraud returns, the lack of real-time verification for ACH transactions also contributes to fraud challenges. HowToPay uses KYC to limit this risk. 

For example, in ghost funding, fraudsters fund online accounts using ACH, knowing they do not have sufficient funds. If the product or service does not prevent the user from actioning on the funds until they settle, the fraudster can make purchases using the account’s “ghost” or not existant funds. For this reasion we delay confirming approvals by 3 working days. 

Fraudsters can use stolen account information to transfer money to accounts they control or pay for goods via ACH. Some examples include:

• Account takeover (ATO) attacks involve criminals gaining control of accounts using stolen credentials.
• Phishing attacks where malicious emails or websites are designed to steal credentials are another common cause.
• First-party fraud involves using your own personal information to commit fraud. With ACH, this could look like a fraudster controlling two accounts and debiting money from one account to the other using a fintech service. Then, reporting that they did not authorize the debit. If the fintech service refunds the money, the fraudster has now profited off the transaction.
• Social engineering attacks can take a variety of forms, but they all involve tricking people into sharing sensitive information, like account details or login credentials.

→ Need to reduce the risk of ACH fraud and returns?

We strongly suggest waiting 4 day working days before shipping and or supplying goods paid via ACH. ACH is like receiving a paper check. The check can be deposited into your account but can be returned or rejected removing the funds.

More on applying for ACH see: https://news.howtopay.com/news/ach