Automated Clearing House (ACH) electronic payments are bank-to-bank payments made in batches and processed through the ACH network. They are generally used to pay vendors, make employee direct deposits, or receive money from other businesses. All ACH transactions are overseen by the National Automated Clearing House Association (NACHA).
As with all online payment and money transactions, ACH payments are a target of social engineers. Social engineers manipulate employees into performing actions or divulging confidential information they should not. This is best countered with documented internal controls and training for employees. Employees should be trained at the time of hire and at least annually. Internal controls for ACH transactions should include:
- segregation of duties
- information security
- a payee verification process and
- active monitoring
Segregation of duties for ACH payments includes having one person input the payment and having a separate person verify and approve the payment. Segregation between the accounting and approval functions should also be in place.
Restricted access to banking information is an important security measure. ACH-related forms should not be publicly accessible, and sensitive material shared by email should be encrypted. The ability to edit banking information should be limited and governed by specific protocols. Electronic payment files should be set to read-only. Dollar limits, ACH blocks on selected accounts, and multi-factor authentication are also important controls.
Staff should always verify any account information given. This could be done by video call, if the payee or employee would be recognizable, or by phone. Contact information should be on file and confirmed if changed.
Active monitoring consists of checking the ACH payment remittance receipt, reviewing bank accounts daily, and reviewing payee lists for approved ACH payments.
ACH transactions are generally a safe and inexpensive way to pay vendor invoices and make direct deposits. NACHA estimates that fewer than 0.03% of ACH transactions are returned as unauthorized. ACH payments were approximately $29 billion in 2021 according to NACHA. While these transactions are relatively safe, errors can be made, and appropriate care should be taken.
An ACH payment can be reversed under certain circumstances, but NACHA has strict reversal rules. Reversals must occur within 5 business days of the transaction, and a reversing file should be submitted to your bank within 24 hours of discovering the error. Furthermore, only certain situations qualify for approval of the reversal. Reversals can be approved if the payment was for the wrong amount, made to an incorrect payment recipient, or if a duplicate transaction occurred. Partial amount reversals are not permitted. Not all transactions can be reversed. For example, if a fraudster impersonates an employee and asks for a change in bank routing number that your company inappropriately approves and processes, you may have difficulty recovering the funds.
You should review your bank’s policies regarding ACH transactions and fees. For example, your bank may not waive insufficient funds charges if an ACH to be reversed resulted in a negative balance.
If you have any questions about appropriate controls for ACH transactions, feel free to reach out to us for additional information.