Protect Your Medical Practice from ACH Network Fraud Schemes

October 2, 2013

Fraud involving the Automated Clearing House (ACH) network and small businesses is growing. Here's how practices can protect their accounts.

Fraud involving the Automated Clearing House (ACH) network and small businesses has grown rapidly. The trend will likely continue because of the growing number of ACH transfers, the ease of perpetrating ACH fraud, and the limited time allowed to businesses to challenge fraudulent transfers.

ACH transactions are much too convenient for medical practices to abandon them. Fortunately, there are many ways a practice can protect its accounts.  

What is the Automated Clearing House?
It is a network that uses the Federal Reserve System to transfer funds between financial institutions. Member institutions agree to abide by the regulations promulgated by NACHA, which manages the development, administration, and governance of the ACH network, and is not a governmental institution.

The number of transactions has exploded over the last decade with the increased adoption of Internet banking and the addition of transaction codes that increase merchant access to the network. For instance, the TEL transaction allows for a one-time ACH debit to be created based on a telephone authorization, and the POS transaction allows merchants to convert a consumer's paper check to a one-time ACH transaction. (This is not the same thing as converting a paper check to an electronic check, as allowed by Check 21.)

Medical offices should be set up to receive ACH or electronic transactions from payers. Not only will the transaction travel through the network much more quickly than a paper check will travel through the mail, but the funds will also be immediately available to the practice.

ACH payments or debits are also very convenient. Recurring payments can be set up for regular vendors, and individual transfers can be ordered through Internet banking.

How does ACH fraud work?
The first type of fraud involves a debit transaction generated outside the practice. All the crook needs is the routing number of the practice's bank and the number of a target account. When the transaction comes in, the bank will honor it in the absence of some safeguards addressed below.

The second method of fraud usually involves an e-mail to someone in the practice. When the e-mail is opened, a Trojan program is installed. As soon as the PC is logged on to an online banking site, the Trojan captures the logon and password. It is then a simple matter for the crook to take over the practice's associated bank account through the online banking application.

Early detection is vital.
Consumers have 60 days to alert their bank of a fraudulent transaction and request the return of the funds to their account. The financial institution to which the funds were transferred must comply with a timely request.

Commercial entities, like a medical practice, have as little as one business day to alert their bank of a fraudulent transaction. After the interval for complaining is past, neither financial institution has an obligation to restore the funds. Some financial institutions may return the money, depending upon their relationship with the practice, but the sums are often too large for that to be feasible.

How can a practice protect itself?
• Establish multiple accounts.
It is prudent practice for the payroll account to be used only for that purpose. The account is funded with the preparation of each payroll. Most of the time, the account has a zero balance or something close to it. A practice might also want to have a separate account to receive ACH credits from payers; a debit transaction would be conspicuous as fraudulent.

• Utilize available services. Financial institutions offer several ways to safeguard an account from ACH fraud.
ACH Block – refuses all ACH debits and credits; appropriate for reserve funds.
ACH Filter – automatically refuses all ACH transactions for an account that are not on a pre-approved list of originating companies; some financial institutions can also reject transactions based on dollar limits.
ACH Review – allows practices to review the transactions before they are posted; the review must be timely.

• Insist upon effective multi-factor authentication. A password is one form of authentication. Multi-factor authentication is much more secure. Additional authentication methods include a second password, challenge questions, and tokens.

• Check each account that allows ACH transactions at least once every business day. Someone in the practice should be responsible for daily review of the activity in each practice account that allows ACH activity.
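The controls above can be read as a per-account decision rule. The sketch below is an added example, not part of the original article or any bank's product: it models ACH Block, ACH Filter (pre-approved originators plus a dollar limit), ACH Review and a receive-only account, then lists what the daily reviewer should look at. Account names, originator IDs and the "post"/"reject"/"hold" labels are assumptions made for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal

@dataclass(frozen=True)
class Entry:
    account: str         # practice account the entry targets
    direction: str       # "debit" or "credit"
    originator: str      # originating company ID (constructed values below)
    amount: Decimal

@dataclass(frozen=True)
class Policy:
    mode: str                              # "block", "filter" or "review"
    approved: frozenset = frozenset()      # pre-approved originators (filter)
    limit: Decimal = Decimal("Infinity")   # dollar limit (filter)
    credits_only: bool = False             # account only receives payer credits

def screen(entry, policies):
    """Return (decision, reason); decision is 'post', 'reject' or 'hold'."""
    p = policies.get(entry.account)
    if p is None:
        return "hold", "no ACH policy on file for account"
    if p.mode == "block":
        return "reject", "ACH Block refuses every entry"
    if p.mode == "review":
        return "hold", "ACH Review: approve before posting"
    if entry.originator not in p.approved:
        return "reject", "originator not on pre-approved list"
    if entry.amount > p.limit:
        return "reject", "amount exceeds dollar limit"
    if p.credits_only and entry.direction == "debit":
        return "hold", "debit on a receive-only account"
    return "post", "passed filter"

def daily_review(entries, policies):
    return [(e, *r) for e in entries if (r := screen(e, policies))[0] != "post"]

# Constructed policies and entries; account names and originator IDs are made up.
POLICIES = {
    "reserve": Policy("block"),
    "operating": Policy("filter", frozenset({"VENDOR-A"}), Decimal("5000")),
    "receivables": Policy("filter", frozenset({"PAYER-1"}), credits_only=True),
}
ENTRIES = [
    Entry("operating", "debit", "VENDOR-A", Decimal("1200.00")),
    Entry("operating", "debit", "UNKNOWN-9", Decimal("9800.00")),
    Entry("operating", "debit", "VENDOR-A", Decimal("7500.00")),
    Entry("receivables", "debit", "PAYER-1", Decimal("430.25")),
    Entry("reserve", "credit", "PAYER-1", Decimal("10.00")),
]
```

Calling `daily_review(ENTRIES, POLICIES)` returns the four entries that did not post cleanly, each with its decision and reason. An account with no policy on file is held rather than posted.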

ACH is a terrific tool for businesses and consumers. Make good use of it, and safeguard your money from its misuse.