If you've worked with us lately, you know we are really digging into ACH procedures because of all the fraud going around. We've often been quoted as saying, "The only real compromises and penetrations we've seen lately have been ACH fraud." Other than the ever-annoying debit card fraud, that quote is true.
We've been working on an ACH best practices post for a while now, but being asked by the Texas Bankers Electronic Crimes Task Force for our opinion on ACH best practices is what really got the ball rolling.
Keep in mind that the following is written from a technology and FFIEC controls point of view. There are obviously other NACHA and banking controls you may employ, but if you are doing all the things listed below...you're in good shape.
1) MULTI-FACTOR AUTHENTICATION: We aren't talking about picking a picture or answering security questions either. Those are just more things you know, and a keylogger or banking trojan on the customer's PC captures them right along with the password. The best multi-factor we have seen combines something you know (password) with something you have (a hardware token, or one-time PINs sent by email or text).
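One way to implement the "something you have" side of that, as an added example that is not from the original post or any vendor's product: the PIN is random, delivered out of band, expires, works exactly once, tolerates only a few guesses and is compared in constant time. The five-minute lifetime, three-attempt budget and the `OneTimePins` class name are assumptions for the example.

```python
import hmac
import secrets
import time

PIN_TTL_SECONDS = 300   # assumed policy: a delivered PIN is good for five minutes
MAX_ATTEMPTS = 3        # assumed policy: three wrong guesses void the PIN


class OneTimePins:
    """Issue and verify out-of-band one-time PINs (sent by text or e-mail). A PIN is
    random, expires, works once, tolerates few guesses and is compared in constant
    time, so a password captured by a keylogger is not enough on its own."""

    def __init__(self, now=time.time):
        self.now = now          # injectable clock so expiry can be tested
        self.pending = {}       # user -> (pin, expires_at, attempts_left)

    def issue(self, user):
        """Create a fresh 6-digit PIN; hand it to the SMS/e-mail sender, never to the browser."""
        pin = f"{secrets.randbelow(10**6):06d}"
        self.pending[user] = (pin, self.now() + PIN_TTL_SECONDS, MAX_ATTEMPTS)
        return pin

    def verify(self, user, candidate):
        """True only for the current, unexpired PIN; every terminal outcome discards it."""
        entry = self.pending.get(user)
        if entry is None:
            return False
        pin, expires_at, attempts_left = entry
        if self.now() > expires_at:
            del self.pending[user]                      # expired
            return False
        if hmac.compare_digest(pin, str(candidate)):
            del self.pending[user]                      # single use
            return True
        attempts_left -= 1
        if attempts_left == 0:
            del self.pending[user]                      # burned by guessing
        else:
            self.pending[user] = (pin, expires_at, attempts_left)
        return False
```

The password check still happens first; the PIN only proves possession of the phone or mailbox, so a failed or expired PIN should send the user back to a fresh login, not to a "try another PIN" loop.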
2) DUAL CONTROL on CUSTOMER SIDE: Most financial institutions use dual control when processing ACH on their own side, much the way wires are processed. Not enough of them require dual control from their cash management users, though. The likelihood that one user's credentials are compromised is high, but the likelihood that two users under the same cash management account are both compromised is slim, and slimmer still when the person entering the file uses a different computer or network than the person verifying it.
3) ENDPOINT SECURITY on CUSTOMER SIDE: Computers at client sites aren't always secured the way we are used to inside financial institutions. AT MINIMUM, we recommend active anti-virus/anti-malware, personal firewalls enabled, current OS patch levels, network logins, screensaver timeouts and physically secured computers in low-traffic areas.
4) IP RESTRICTION: One of the lesser-used measures is IP restriction, where ACH requests and/or cash management logins are only accepted from approved IP addresses. That way, if credentials are compromised, the fraudulent file must still be sent from an approved address. Keep in mind this does nothing when the compromised machine is the customer's own PC sitting at the approved address, which is why it belongs alongside #3 rather than in place of it.
5) TREASURY MANAGEMENT AGREEMENTS: I know lawyers are way better at reducing liability within these agreements, but consider putting language in your agreements that minimum security standards must be upheld, and list those minimum controls (see #3). Bonus tip: way too often we find that agreements aren't fully executed or are out of date. Be sure to include an agreement review whenever you review limits and the customer relationship.
6) LIMITS: Customer ACH usage should be a dynamic process, reviewed regularly on a risk-based schedule. For example, a customer that sends 8 files a month worth millions should be reviewed more often than the company that runs a 50K payroll twice a month.
Limits should also be set at a reasonable level and adjusted only when necessary. Just because the company that sends 50K payroll files every month sends one 100K file each December doesn't mean its limit needs to be 110K. The once-a-year file should be handled as an exception instead of the rule.
7) OVER LIMIT PROCEDURES: Procedures need to be in place for sending an ACH file over normal limits. This includes having the owner of the account sign an exception, getting approval from the officer on the account and placing holds on the funds. All of this assumes your ACH staff are checking files against limits in the first place. Furthermore, limits are too often set on a daily basis only. We like to see limits set on a daily AND monthly basis to reduce exposure: a 10K daily limit with no monthly cap lets a fraudster move far more in a month (22 processing days at 10K is 220K) than a 50K monthly limit ever would.
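The arithmetic behind #6 and #7, as an added example (not code from the original post or from any cash management product): a limit policy that tracks both a daily and a monthly cap, holds over-limit files unless a signed exception is recorded, and a simulation of what a daily-only cap leaks versus a daily-plus-monthly cap. The class and function names and the dollar figures are assumptions chosen to match the numbers in the text.

```python
from collections import defaultdict
from datetime import date, timedelta


class AchLimitPolicy:
    """Origination caps in cents: a daily cap and, optionally, a monthly cap. A file over
    either cap is held unless a signed exception has been recorded for it (item 7)."""

    def __init__(self, daily_cap, monthly_cap=None):
        self.daily_cap, self.monthly_cap = daily_cap, monthly_cap
        self.by_day, self.by_month = defaultdict(int), defaultdict(int)

    def submit(self, when, amount, exception_approved=False):
        """Return (accepted, reason); the amount counts against the caps only if accepted."""
        day_total = self.by_day[when] + amount
        month_total = self.by_month[(when.year, when.month)] + amount
        over = [name for name, cap, total in (("daily", self.daily_cap, day_total),
                                               ("monthly", self.monthly_cap, month_total))
                if cap is not None and total > cap]
        if over and not exception_approved:
            return False, "over " + "/".join(over) + " limit: hold file, get signed exception"
        self.by_day[when], self.by_month[(when.year, when.month)] = day_total, month_total
        return True, "accepted" + (" on signed exception" if over else "")


def monthly_exposure(policy, start, days, per_day):
    """Cents a fraudster gets out by submitting `per_day` every calendar day for `days`
    days under `policy` (an upper bound; real ACH only settles on banking days)."""
    return sum(per_day for i in range(days)
               if policy.submit(start + timedelta(days=i), per_day)[0])


def demo():
    """Constructed scenarios from items 6 and 7; returns (cents, cents, result, result)."""
    jan1 = date(2010, 1, 1)
    daily_only = AchLimitPolicy(daily_cap=1_000_000)                        # $10K/day, no monthly cap
    both = AchLimitPolicy(daily_cap=1_000_000, monthly_cap=5_000_000)       # $10K/day and $50K/month
    payroll = AchLimitPolicy(daily_cap=5_000_000, monthly_cap=10_000_000)   # the 50K/month customer
    return (monthly_exposure(daily_only, jan1, 31, 1_000_000),   # 31_000_000 cents = $310K
            monthly_exposure(both, jan1, 31, 1_000_000),         # 5_000_000 cents = $50K
            payroll.submit(date(2010, 12, 15), 10_000_000),      # December 100K file: held
            payroll.submit(date(2010, 12, 15), 10_000_000, exception_approved=True))


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Rather than raising the payroll customer's daily cap to cover the December file, the last two calls show the file being held until an exception is recorded, which is the "exception instead of the rule" approach from item 6.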
8) ONSITE REVIEWS: Remote deposit best practices have incorporated an onsite review at customer locations. The same can be done for ACH, and the exposure here is much higher than with remote deposit. The onsite review should cover everything noted in #3 plus an audit of the user credentials that can access the cash management system.
9) THIRD PARTY SECURITY SOFTWARE: To be honest, I'm wary of how well these applications work, but they are worth investigating. They claim to detect malware already on the machine, block hijacked sessions and block sites known to harvest credentials. A couple to check out are Prevx and Iovation.
10) DISKS!?!?!?!? When all else fails, go old school and have your clients bring their NACHA-formatted files in on physical media: scan the media for malware, verify that the batch and file totals match the entries, and confirm it was delivered by the legitimate client.
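"Check the totals" means more than reading the trailer records, since whoever altered an entry can alter the trailer too. As an added example (not from the original post or any ACH processing product), here is a checker that rebuilds the entry/addenda count, entry hash, and debit and credit totals from the type-6 entry records of a NACHA file, compares them with each batch control (type 8) and the file control (type 9), checks the block count, and validates the ABA check digit of every receiving routing number. Field positions are the standard 94-character NACHA record layouts; the sample file is constructed for this example, and its bank, company, routing and account numbers are made up. The `_rec` helper exists only to build that sample without miscounting columns.

```python
from math import ceil

CREDIT_CODES = {"22", "23", "24", "32", "33", "34"}  # checking/savings credit entries
DEBIT_CODES = {"27", "28", "29", "37", "38", "39"}   # checking/savings debit entries


def aba_check_digit(dfi8):
    """Ninth digit of a routing number: weights 3,7,1 repeating; total must be 0 mod 10."""
    total = sum(int(d) * w for d, w in zip(dfi8, (3, 7, 1, 3, 7, 1, 3, 7)))
    return str((10 - total % 10) % 10)


def _compare(label, claimed, computed, findings):
    for k, v in claimed.items():
        if computed[k] != v:
            findings.append(f"{label}: {k} claimed {v}, computed {computed[k]}")


def verify_nacha(text):
    """Return (ok, findings). Counts, entry hash and dollar totals are rebuilt from the
    type-6 records and checked against each batch control (8) and the file control (9)."""
    findings, batch, records = [], None, 0
    file_tot = {"batches": 0, "entries": 0, "hash": 0, "debit": 0, "credit": 0}
    for ln in (l for l in text.splitlines() if l.strip()):
        if ln == "9" * 94:                      # block padding, not a record
            continue
        records += 1
        if len(ln) != 94:
            findings.append(f"record {records}: length {len(ln)}, expected 94")
            continue
        rtype = ln[0]
        if rtype == "5":                        # batch header
            batch = {"entries": 0, "hash": 0, "debit": 0, "credit": 0, "num": ln[87:94]}
            file_tot["batches"] += 1
        elif rtype in "678" and batch is None:
            findings.append(f"record {records}: type {rtype} outside any batch")
        elif rtype == "6":                      # entry detail
            tcode, dfi, cd, amount = ln[1:3], ln[3:11], ln[11], int(ln[29:39])
            if aba_check_digit(dfi) != cd:
                findings.append(f"record {records}: bad check digit on RDFI {dfi}{cd}")
            batch["entries"] += 1
            batch["hash"] += int(dfi)            # entry hash = sum of 8-digit RDFI ids
            if tcode in CREDIT_CODES:
                batch["credit"] += amount
            elif tcode in DEBIT_CODES:
                batch["debit"] += amount
            else:
                findings.append(f"record {records}: unknown transaction code {tcode}")
        elif rtype == "7":                      # addenda count toward entry/addenda count
            batch["entries"] += 1
        elif rtype == "8":                      # batch control
            claimed = {"entries": int(ln[4:10]), "hash": int(ln[10:20]),
                       "debit": int(ln[20:32]), "credit": int(ln[32:44])}
            _compare(f"batch {batch['num']}", claimed, dict(batch, hash=batch["hash"] % 10**10), findings)
            for k in ("entries", "hash", "debit", "credit"):
                file_tot[k] += batch[k]
            batch = None
        elif rtype == "9":                      # file control
            claimed = {"batches": int(ln[1:7]), "blocks": int(ln[7:13]), "entries": int(ln[13:21]),
                       "hash": int(ln[21:31]), "debit": int(ln[31:43]), "credit": int(ln[43:55])}
            _compare("file control", claimed,
                     dict(file_tot, hash=file_tot["hash"] % 10**10, blocks=ceil(records / 10)), findings)
    if batch is not None:
        findings.append(f"batch {batch['num']}: no batch control record")
    return not findings, findings


def _rec(*fields):
    """Join (value, width, kind) triples into one 94-char record; 'A' = text left-justified,
    'N' = zero-padded number. Used only to build the constructed sample below."""
    out = "".join(str(v).ljust(w)[:w] if k == "A" else str(v).rjust(w, "0")[-w:] for v, w, k in fields)
    assert len(out) == 94, len(out)
    return out


# Constructed sample: one PPD batch with two credits and one debit. Bank, company,
# routing and account numbers are made up for this example.
SAMPLE_FILE = "\n".join([
    _rec(("1", 1, "N"), ("01", 2, "N"), (" 123456780", 10, "A"), ("1987654321", 10, "A"), ("100115", 6, "N"),
         ("0930", 4, "N"), ("A", 1, "A"), ("094", 3, "N"), ("10", 2, "N"), ("1", 1, "N"),
         ("EXAMPLE BANK", 23, "A"), ("ACME WIDGETS INC", 23, "A"), ("", 8, "A")),
    _rec(("5", 1, "N"), ("200", 3, "N"), ("ACME WIDGETS INC", 16, "A"), ("", 20, "A"), ("1987654321", 10, "A"),
         ("PPD", 3, "A"), ("PAYROLL", 10, "A"), ("JAN 10", 6, "A"), ("100118", 6, "N"), ("", 3, "A"),
         ("1", 1, "A"), ("12345678", 8, "N"), (1, 7, "N")),
    _rec(("6", 1, "N"), ("22", 2, "N"), ("12345678", 8, "N"), ("0", 1, "N"), ("000123456789", 17, "A"),
         (150000, 10, "N"), ("EMP001", 15, "A"), ("JANE DOE", 22, "A"), ("", 2, "A"), ("0", 1, "N"),
         ("123456780000001", 15, "N")),
    _rec(("6", 1, "N"), ("32", 2, "N"), ("87654321", 8, "N"), ("2", 1, "N"), ("5550001", 17, "A"),
         (225050, 10, "N"), ("EMP002", 15, "A"), ("JOHN ROE", 22, "A"), ("", 2, "A"), ("0", 1, "N"),
         ("123456780000002", 15, "N")),
    _rec(("6", 1, "N"), ("27", 2, "N"), ("22222222", 8, "N"), ("6", 1, "N"), ("9988776655", 17, "A"),
         (30000, 10, "N"), ("VEND042", 15, "A"), ("PARTS SUPPLY CO", 22, "A"), ("", 2, "A"), ("0", 1, "N"),
         ("123456780000003", 15, "N")),
    _rec(("8", 1, "N"), ("200", 3, "N"), (3, 6, "N"), (122222221, 10, "N"), (30000, 12, "N"), (375050, 12, "N"),
         ("1987654321", 10, "A"), ("", 19, "A"), ("", 6, "A"), ("12345678", 8, "N"), (1, 7, "N")),
    _rec(("9", 1, "N"), (1, 6, "N"), (1, 6, "N"), (3, 8, "N"), (122222221, 10, "N"), (30000, 12, "N"),
         (375050, 12, "N"), ("", 39, "A")),
] + ["9" * 94] * 3)


def tampered_sample():
    """SAMPLE_FILE with the first credit raised from $1,500.00 to $15,000.00 while the
    trailers are left as generated; a check that trusts the trailers would pass it."""
    return SAMPLE_FILE.replace("0000150000", "0001500000", 1)
```

Running `verify_nacha(SAMPLE_FILE)` returns no findings; `verify_nacha(tampered_sample())` reports the credit total mismatch in both the batch control and the file control. Rejecting on any finding, and then comparing the recomputed totals with what the client tells you in person, is the point of step 10: the totals you trust are the ones you computed, not the ones printed on the media.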