Originally published in The DBA Magazine; Volume 6 Issue 2 Fall 2016

In the current environment, running a debt buying or collection shop of any size is fraught with difficulties. Aside from the constant state regulatory changes, legislative scrutiny, and the ever present risk of changing technologies, each and every collection agency and debt buyer needs to be aware of direct impacts on their businesses. This article details multiple areas bringing the importance of a solid electronic payment policy (Automated Clearing House “ACH” Policy) to the forefront of each and every Chief Compliance Officer’s purview.

In the first quarter of 2016, “there were 5 billion Direct Deposits and Direct Payments – the first time ACH volume has exceeded this milestone in a single quarter – growing 6.1 percent over Q1 2015. The total dollar value transferred over the Network grew to more than $10.6 trillion, marking an increase of 4.5 percent over last year.” The staggering numbers associated with electronic payments have certainly moved significantly away from the “paper check” processing seen less than a decade ago.

Three important factors when accepting electronic payments as a means to resolving consumer accounts include verification, trend analysis, and risk mitigation. This article details items each and every company processing electronic payments should be aware of, within the context of a collections and debt buying environment.

Verification, and the process of secondary verification steps is an easy, yet often times overlooked. By eliminating the confusion surrounding single-party verification, the number of errors or payment returns, drops below a tenth of a percent.

Trend analysis pertaining to payment incidence, as well as the frequency and reason for stop payments or other non-sufficient fund type transactions is the cornerstone in identifying any outstanding risk or lack of compliance with state or federal laws.

Finally, the evaluation of risk within the context of potentially fraudulent transactions should be a driving factor determining the frequency and consistency of regular policy and process audits and remediation.

Having managed an outside agency network for over a decade, even shops of substantial size and scope find themselves falling behind in the race for compliance. Multiple policies needing creation in that time frame run the gambit from Anti-Money Laundering (AML), to National Automated Clearinghouse Association (NACHA) requirements for business accounts, to Equal Credit Opportunity Act (ECOA) and the disparate treatment of consumer settlements.

AML policies have only within the last ten years become a common written policies required by most major creditors as a qualifier for purchasing consumer debt. When evaluated within the context of regular and consistent review and revision, these written policies serve to ensure that both internal operations, as well as all 3rd party vendors, maintain the highest levels of compliance. Strong written policies covering these topics are a matter of necessity; regardless if your payment processing department is one person or 20. This article serves to illuminate some of the confusion surrounding the ACH and electronic payment process through the understanding and trend analysis from leading payment vendors in the collections space. Furthermore, by having a better understanding of the following items, internal compliance departments can better incorporate these high level issues into their own internal and external, written policies and procedures.

Businesses accepting credit cards not present or keyed in payments face a unique challenge as they do not have access, in most cases, to the physical credit card. In addition, as Europay, Mastercard and Visa (EMV) technology continues to bring greater security to credit card present transactions, fraudsters are turning their attention more so to this channel. However, fraud prevention strategies and safeguards available to help minimize credit card not present help to prevent, but not eliminate, fraud. Businesses that accept card not present payments should approach risk management in a layered method: customer authentication, fraud profiling, and data security.

To start, a business must have the proper means in place to ensure customer authentication. Businesses should take advantage of the account verification service through their credit card processor to compare the billing address provided by your customer with the billing address on the card issuer’s file before processing a transaction. These addresses should match. Card security codes, the 3 or 4-digit number on the card issuing bank of the card, can also be verified through your credit card processor. Providing this code is used to verify that the customer is in physical possession of a valid card during the transaction.

For businesses offering online portal for customer-initiated payments, a login locking feature should be in place which will lock out customers after a defined amount of failed login attempts. For even more security, businesses can also use the customer’s Internet Protocol (IP) address to determine the location of the person attempting the transaction. This can be researched via free sites such as IP-Lookup.net or a merchant can automate the process more with an application program interface product. Businesses can also offer the ability for customers to take advantage of the Verified by Visa and MasterCard SecureCode programs. These card specific programs provide a means for cardholders to authenticate themselves to their card issuers through the use of personal passwords they create when they register their cards with the programs.

Next, a business should monitor all transactions for characteristics that are usually found in cases of fraud by the use of fraud profiles. Fraud profiles created include characteristics indicative to fraud in that business’s particular service or product type. Example characteristics include:

• Multiple transactions in a short period of time;
• Multiple card numbers used;
• Multiple declines; and
• Previous case(s) of fraud and/or chargebacks associated with the account

Not every transaction that has a certain characteristic will result in fraud. When fraud profile scoring is too sensitive, the result is an unnecessary amount of false positives. The information gathered from these fraud profiles must be scored and used in a way that puts in place proper system checks and procedures to determine next steps. An example system check would be to restrict the number of times a customer can incorrectly enter credit card information. Fraud profiling software and tools are available for purchase if a business does not have the resources to monitor the profiles internally.

Lastly, businesses need to ensure the security of its entire website and e-commerce processes. Payment Card Industry (PCI) compliance and tokenization should be terms well known and understood by all businesses that accept payments. All systems and services used to process payments must be PCI- compliant at every step of the process. Businesses should ensure that their payment processor and the software used to service payments is PCI compliant.

In addition to verifying PCI compliance, businesses should also ensure that the process of tokenization is in place. Tokenization is the process by which the primary account number (PAN) is replaced with a proxy value known as a token. The PAN cannot be determined by the proxy value and is thereby worthless to a third party. This process can be easily explained as the same process that occurs when purchasing a subway token; payment is provided and a token is given in its place. Tokenization not only further secures the PAN but also reduces the efforts needed to satisfy PCI requirements by an estimated 25 percent. If a company wants to eliminate a software’s PCI requirement 100 percent, hosted tokenization is another option. This option tokenizes the information in the same fashion but the PAN never enters the software.

By enacting fraud prevention methods, businesses not only minimize the costs these transactions bring with them but will also result in better relations with both your customers and banking partners. All parties feel more secure in their part in the payment process.

Many debt buyers accept ACH payments as an electronic alternative to paper checks. ACH payments can be accepted over the phone, without having to wait for a check to arrive in the mail. Paper checks can even be converted to ACH transactions to allow faster processing.

The Automated Clearing House is a network that processes electronic funds transfer between bank accounts using a batch processing system.

While there are many benefits of the ACH payment processing systems, there is – as with any payment methods – a potential for fraud. ACH fraud occurs anytime there’s an unauthorized funds transfer from a bank account. Unfortunately, ACH fraud can result in the loss of hundreds of thousands, and sometimes even millions, of dollars.

ACH (debit) and check fraud accounted for 53 percent of payment fraud losses in 2015, according to the Association for Financial Professionals 2016 Payments Fraud and Control Survey. This is up slightly from 52 percent in 2014. ACH (debit) alone counted for just 10 percent of the 2015 payment fraud losses, up from 7 percent in 2014. (The statistics do not segment ACH check conversion fraud.)

A cyber thief only needs two basic pieces of information to commit ACH fraud: a checking account and routing number. The information is easier for cyber thieves to gather than you may realize.

Phishing is one of fraudsters’ favorite ways to gain access to bank information. In a phishing attack, a criminal tricks the victim into giving up financial information by posing as a legitimate business.

The fraudsters may also use a computer virus, hidden in an email, to obtain bank login information then transfer funds out of your bank account to theirs. For example, cyber thieves may attempt to trick an employee with a “Notice of Underreported Income” email that claims to come from the IRS. When the recipient clicks the link inside the email or opens the attachment, a computer virus is installed on their computer. Once installed, the computer virus can look for passwords or other information, and then send that information back to the criminals who initiate transfers from the victim’s bank account to their own.

In some instances, the computer virus itself may be coded to initiate the bank transfers once it has gathered sufficient bank account information, without any additional action from the cyber thief.

While not technically considered ACH fraud, debt buyers can also experience losses when consumers make a payment via check or ACH knowing the account is inactive, when there are insufficient funds in the account to cover the transaction, or even with stolen bank details.

Larger companies with more payment accounts have the highest likelihood to be targets of ACH fraud, according to the Association of Financial Professionals. According to Elizabeth Whalen for DigitalTransactions.net, companies with less than $1 billion in revenue are slightly more likely to suffer a loss from ACH fraud. These organizations are more likely to use ACH and may lack the strong information technology systems necessary to thwart cyber thieves.

Fortunately, compared to other payment methods, ACH fraud occurs less frequently; however, once a cyber criminal’s attack on an organization is successful, they’ll often continue until they’re stopped.

Not all ACH fraud attempts will be successful. Only 11 percent of companies that were victims of at least one ACH fraud attempt suffered a financial loss. When companies adopt protective measures, the risk of being impacted by ACH fraud decreases.

In conclusion, all companies that accept online payments are at risk of being defrauded. Appropriate written policies and procedures to diminish those threats and protect the company are imperative. When companies implement secure verification methods, trend analysis and risk mitigation into their policies and procedures, they take steps to reduce payment fraud.

#About the Authors

• General Counsel & Chief Compliance Officer Laurie is responsible for leading the internal processes for promoting and ensuring Pay- mentVision’s compliance with laws, regulations, company policies and agreements, compliance risk management, mitigation, and recovery efforts, and internal reporting programs. She is also responsible for formulating and implementing PaymentVision’s policies and procedures and making sure they are communicated across the company.

• Erick Bzovi is the co-founder of HealPay, a fast growing payment software company located in Ann Arbor, Michigan. A leader in the ac- counts receivable space, HealPay’s Consumer driven payment solutions are designed to take hassle out of bill payment. Prior to Heal- Pay, Erick co-founded the online ad network Outdoor Hub Media, now known as Carbon Media Group. There he was responsible for growing the network to 350+ publishers, 8 million unique visitors and 150 million monthly impressions.

• President/Chief Operating Officer, Absolute Resolutions Corp./Absolute Collections Corp. In his position as President/COO, Mark is responsible for all facets of Operations at ARC/ ACC including management of personnel and creation and administration of policies. Mark has been involved in the stratifica tion of over 700 individual transactions, as well as the analysis behind pricing and expected liquidations for over 17 Billion in purchased accounts. Mark is also a frequent speaker on topics ranging from Data Security, Operational Best Practices, Historical Industry Analysis, Encryption Methodology, and Relationship Building.