Originally published on PYMNTS.com
There’s much to look forward to as the September rollout of Phase 2 of Same Day ACH (Debit Pull) looms, but David Barnhardt, executive vice president of full-service payment and verification solutions provider GIACT, thinks there’s just as much reason for caution.
“I don’t know if we’ll see rapid adoption [of debit pull] out of the gate,” Barnhardt said. “I think people are going to slowly fill it out.”
The EVP noted there are a couple of reasons why, and he believes those reasons will result in a more cautious and piecemeal adoption than FIs expect.
First, Barnhardt said, some banks and processors have said they’ll have to qualify customers who wish to adopt same-day ACH debit to be sure those customers have actual use cases necessitating same-day debit, such as emergency bill payments. He also said additional mitigation techniques will need to be put in place before authorizing the withdrawals to avoid customers ending up on the issuer’s remediation list due to unauthorized returns.
Second, Barnhardt questioned whether enough customers will have reason to want to use same-day ACH payments, particularly given the potential fees associated with the service compared to their current process for payments, like setting up auto-pay for recurring bills.
Third, as an ex-banker, Barnhardt worries whether the early adopters of such a service will be the fraudsters themselves.
“New products and services are very widely adopted by the fraud community at the outset. I was in the bank for many years, and every time we rolled [out] a new product or service, the true first adopters were predominantly the fraudsters, because they wanted to figure it out. They wanted to defeat it. They wanted to easily get money.”
According to Barnhardt, that puts pressure on beefing up the customer enrollment process. Many wrongly emphasize transactional monitoring over enrollment monitoring, because the transaction is the point of compromise. But Barnhardt emphasized a strong enrollment process can mitigate fraudulent transactions. It creates customer intelligence across the organization through a comprehensive view of the customer’s identity and profile before reaching the point of transaction, where funds, goods or services are rendered. If transactions are compromised, the problem isn’t bad transaction validation, Barnhardt said, but the fact the culprit wasn’t properly validated at the outset when the stakes were lower.
Barnhardt had some suggestions on how firms can avoid those situations.
Leave Legacy Behind
Barnhardt advised retiring legacy systems, which keep enrollment, payments and authorization systems in silos, unable to pass information fast enough (or, in some cases, at all) to make the right decisions. He noted faster payments call for faster verification, and a customer’s profile must be known across the organization to facilitate faster transactions in the future.
Verify, Then Trust
Before fraudulent “customers” reach the window of opportunity to transact, Barnhardt said banks should settle for nothing less than total verification. That, he said, means building an internal consumer profile that can be shared across the organization so, if the same customer returns for another transaction and none of his or her information has changed, that customer can transact freely — like on Amazon with one-click purchasing.
When information changes, he said banks should require another round of validation and that it’s OK to introduce friction. If a customer has a new credit card, billing address, phone number or email, it is better for him or her — and for the business — to be safe rather than sorry.
Check and Double-Check
Barnhardt said banks should cross-check identities using social platforms. That’s not to say Facebook or LinkedIn should, or even could, be the sole source of verification, but Barnhardt explained these platforms can be the source of relevant information when used with other tools. A fraudster may be using the right Social Security number and date of birth but a different phone number or email.
The customer’s true contact information will most likely lead to a social profile. If it doesn’t, he said, that should trigger the firm to take a closer look.
Don’t Be Used by Use Cases
Finally, Barnhardt suggested banks begin to develop a sense of who might have a use case for same-day ACH debit transactions and how the system could be abused in those situations.
Bill collectors and collections services are one type of business, he said, that could be extremely susceptible to unauthorized returns, because someone who’s desperate to keep the lights on for another few days could be desperate enough to commit identity fraud by giving someone else’s account to pay for that utility, just to get the collector off his or her back.
Child support and alimony payments are another category Barnhardt said is rife with identity fraud. There is a great desire to get funds quickly to a recipient who needs them, so same-day ACH debit push would be a very appealing option. But it’s also an opportunity to scam the system by giving a false account number for such payments, he emphasized.
As organizations move toward Phase 2 of Same Day ACH, Barnhardt said he and his team have been spending a lot of time speaking with issuers about the possibilities for real-time verification, an option that is available to them regardless of the technology environment present in their organizations, he said.
Barnhardt also said one of the reasons GIACT created the EPIC Platform API is to help issuers find their way to a faster and more comprehensive enrollment and verification protocol, and to give them the capability to append payment information in a separate, later session. The API can also bridge the gap between siloed systems as firms transition away from those legacy solutions.