Fraud Prevention Series: Controls Over Automated Clearing House Transactions
Automated Clearing House (ACH) debit transactions include electronic checks or direct debit payments. Noted below is a summary of key controls that need to be in place to prevent fraudulent ACH transactions.
Note: For purposes of the discussion below, the term “company” has been used for the entity initiating an ACH transaction. The term “company” can be used interchangeably with any entity initiating an ACH transaction, such as a government agency, a nonprofit corporation, a partnership, a trust, etc.
How the ACH System Works for Vendor Payments
The process is as follows:
1. A vendor pre-authorizes the company to initiate a transaction to their bank account. The authorization includes an agreement between the company and the vendor before ACH transactions can take place.
2. The company logs into the website of its bank and prepares a batch of transactions to be paid through ACH; that batch is then electronically submitted to the bank.
3. The bank transfers the information to the Federal Reserve Bank’s Automated Clearinghouse Division. The clearinghouse processes the information and deposits the payment(s) into the vendor’s account.
Basic Internal Controls Over ACH Transactions
Adequate Segregation of Duties:
With respect to the ACH cash disbursements of a company, at a minimum, a separation of duties should exist between the following individuals:
• Person(s) in charge of maintaining the vendor master file
• Person(s) who are involved in reviewing, processing and approving a vendor invoice or other disbursement transaction, and
• Person(s) entering ACH transactions online.
Use of ACH Filters:
ACH Filters enable account holders to provide their bank with a set of pre-defined criteria (e.g., designated payees or dollar-amount limits) against which the bank can “filter” ACH debit transactions that do not meet these criteria.
Use of ACH Blocks:
ACH Blocks allow account holders to prohibit any ACH debits from being made from specific bank accounts.
Positive Pay for ACH Transactions:
Positive pay for ACH enables an account holder to review a list of ACH debit requests that have not been pre-authorized, and allows the account holder to decide whether to pay or reject each transaction.
ACH “Account Alerts” from Bank:
Many banks make a service available whereby key officers or officials can receive an email, text or voice-mail message “account alert” from the bank when any large or unusual ACH transaction occurs. These account alerts may be tailored to the needs of the company. For example, a company officer may wish to receive an account alert for any ACH transaction exceeding a defined dollar amount, or when a new ACH vendor is established.
ACH Transaction Alerts from Within the Company:
A company may have the ability to monitor ACH transactions within its financial accounting software (such as through the use of SQL database software). Email alerts could be sent to key officials when large or unusual ACH transactions occur within the company’s financial accounting system.
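The in-company monitoring described above could be implemented as a query over the accounting database. The following is an added example, not taken from the original article or from any particular accounting product: it flags payments over a dollar limit, payments to a recently established vendor, and payments entered by the same person who maintains that vendor's master-file record (the segregation-of-duties control). The table names, column names, sample rows, the $50,000 limit and the 30-day window are all assumptions made for illustration.

```python
import sqlite3

# Hypothetical schema and constructed sample rows; a real accounting
# system will use different table and column names.
SCHEMA = """
CREATE TABLE vendors (id INTEGER PRIMARY KEY, name TEXT,
                      created_on TEXT, maintained_by TEXT);
CREATE TABLE ach_payments (id INTEGER PRIMARY KEY, vendor_id INTEGER,
                           amount_cents INTEGER, entered_by TEXT, entered_on TEXT);
INSERT INTO vendors VALUES
  (1, 'Acme Supply',   '2023-01-10', 'alice'),
  (2, 'Northside LLC', '2024-05-28', 'bob');
INSERT INTO ach_payments VALUES
  (101, 1,  125000, 'carol', '2024-06-01'),
  (102, 1, 7500000, 'carol', '2024-06-01'),
  (103, 2,  480000, 'bob',   '2024-06-02');
"""

# One row per (payment, rule) that fires. The rules mirror the controls in
# the article: dollar-amount limit, new vendor, segregation of duties.
ALERT_SQL = """
SELECT p.id, 'OVER_LIMIT' AS rule FROM ach_payments p
 WHERE p.amount_cents > :limit_cents
UNION ALL
SELECT p.id, 'NEW_VENDOR' FROM ach_payments p
  JOIN vendors v ON v.id = p.vendor_id
 WHERE julianday(p.entered_on) - julianday(v.created_on) < :new_vendor_days
UNION ALL
SELECT p.id, 'SAME_PERSON' FROM ach_payments p
  JOIN vendors v ON v.id = p.vendor_id
 WHERE p.entered_by = v.maintained_by
ORDER BY 1, 2
"""

def find_alerts(conn, limit_cents=5_000_000, new_vendor_days=30):
    """Return [(payment_id, rule), ...] for payments that need review."""
    params = {"limit_cents": limit_cents, "new_vendor_days": new_vendor_days}
    return conn.execute(ALERT_SQL, params).fetchall()

def demo_connection():
    """In-memory database loaded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

if __name__ == "__main__":
    for payment_id, rule in find_alerts(demo_connection()):
        # A production job would hand this to the email/text alerting channel.
        print(f"ALERT payment={payment_id} rule={rule}")
```

The alert job should run under an account that the people entering ACH batches cannot modify, so that the person being monitored cannot change the thresholds or suppress the alerts.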