
ACH fraud: Lessons for AML programs from a recent court case

Michelle M. Lucci, CSS, CRCM
September 7, 2023

Court case: Credit union held liable for ACH fraud losses

A construction company argued the financial institution "failed to establish a reasonable routine" for monitoring suspicious activity alerts tied to ACH.


Under appeal

Credit union held liable for ACH fraud losses

Those in the business of fighting financial crime might want to take notice of a recent U.S. District Court case in Virginia. The credit union defendant was found liable for fraudulent ACH transactions amounting to $559,000 that were deposited into its member’s account and then quickly dispersed.

The plaintiff is a construction company that fell victim to ACH fraud initiated by business email compromise. The construction company’s vendor payments were rerouted to the credit union in this case. A new account belonging to an existing member of the credit union was involved.


Staffing, monitoring

Consider 6 tips to fight ACH fraud

The credit union has appealed the decision to the U.S. Fourth Circuit Court of Appeals. Nevertheless, the case provides several valuable lessons for BSA Officers and financial institutions’ AML/CFT and fraud programs.

  1. Watch for red flags in ACH Standard Entry Class codes. Swiftly detecting and acting upon mismatches between beneficiaries and ACH Standard Entry Class (SEC) codes is critical to catching fraud. There were four substantial ACH payments from the construction company intended for one of their suppliers. The beneficiary account, however, was an individual personal account, which should have been an immediate red flag. Another red flag: each ACH payment contained the SEC of CCD (Cash Concentration Disbursement), which should only be used with corporate credits and debits to commercial business accounts.
  2. ACH warnings/exceptions matter. Don’t ignore warnings and exceptions generated from the ACH system. Often, those alerts are most likely routed to the operations area of the financial institution. The BSA/AML staff should ensure that they promptly review these alerts, which are constantly being triggered. Although this task is not typically directly under the BSA/AML umbrella, the ACH function is part of the FI’s program.
  3. Raise your hand about ACH risks. If ACH system alerts are not being reviewed in a timely manner, speak up. The operations area should communicate with the BSA/AML area if this function is failing. The financial institution’s Chief Operating Officer and/or the BSA/AML Officer should alert and escalate this situation to the attention of the bank’s Chief Executive Officer and Board of Directors.
  4. Short staffing is no excuse. If staffing shortages are an issue, prioritize the most important alert types and frequency. In this case, the ACH system generated both exceptions and warnings, with the former being the most serious and requiring manual intervention. However, for mismatched SEC codes, only warnings are generated. A system that could notify the financial institution when a particular account is generating more than one warning in a specified time frame could help trigger timely staff review. In this case, however, the court said the credit union “failed to establish a reasonable routine to monitor alerts that warned of suspicious activity” regarding the account.
  5. Monitor new account velocity. Pay attention to new accounts with high-velocity transactions. In this case, the member was not new, but the account was. The member also offered an illogical reason for opening the account, which should have raised another fraud red flag. Once the account was open, the ACH payments were deposited and the funds were withdrawn through various methods. If a rules-based monitoring system had been in place, the scenarios would have alerted for the high velocity and the significant amounts of the incoming transactions into a new account. Also, be sure your system includes new accounts in its monitoring and not just new members or customers.
  6. Optimize your monitoring system. Review the scenario parameters and default settings of the rules-based monitoring AML software system. Default settings are designed to be generally effective for most software customers. However, AML system optimization, or parameter tuning, is critical for monitoring to be risk-based and the most effective for your FI’s market, products, and customer or member base. A robust model validation program to independently review these settings should be part of the compliance program and your institution’s model risk management.
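
The monitoring rules described in tips 1, 4, and 5 can be sketched as a small rules-based check. This is an added example, not code from Abrigo or from any system in the court case; the field names, alert names, and thresholds (7-day warning window, 30-day new-account period, $50,000 inbound cap) are assumptions chosen for illustration, and the sample entries are constructed.

```python
from collections import defaultdict
from datetime import date, timedelta

CORPORATE_SEC = {"CCD", "CTX"}        # SEC codes meant for business receivers
WARNING_WINDOW = timedelta(days=7)    # assumed review window for repeat warnings
NEW_ACCOUNT_AGE = timedelta(days=30)  # assumed "new account" period
NEW_ACCOUNT_CREDIT_CAP = 50_000       # assumed cumulative inbound limit

def review_credits(entries):
    """Return {account: sorted alert names} for inbound ACH credit entries."""
    warnings = defaultdict(list)  # account -> settlement dates of SEC warnings
    inbound = defaultdict(int)    # account -> credits received while new
    alerts = defaultdict(set)
    for e in sorted(entries, key=lambda e: e["settled"]):
        acct = e["account"]
        # Tip 1: corporate SEC code credited to a personal account.
        if e["sec"] in CORPORATE_SEC and e["account_type"] == "consumer":
            alerts[acct].add("SEC_MISMATCH_WARNING")
            warnings[acct].append(e["settled"])
            recent = [d for d in warnings[acct]
                      if e["settled"] - d <= WARNING_WINDOW]
            # Tip 4: more than one warning in the window forces staff review.
            if len(recent) > 1:
                alerts[acct].add("REPEAT_WARNING_ESCALATE")
        # Tip 5: age is measured from account opening, not membership date.
        if e["settled"] - e["opened"] <= NEW_ACCOUNT_AGE:
            inbound[acct] += e["amount"]
            if inbound[acct] > NEW_ACCOUNT_CREDIT_CAP:
                alerts[acct].add("NEW_ACCOUNT_VELOCITY")
    return {a: sorted(v) for a, v in alerts.items()}

# Constructed sample entries (not data from the court case).
SAMPLE = [
    {"account": "A-1001", "account_type": "consumer", "opened": date(2023, 1, 3),
     "settled": date(2023, 1, 9), "sec": "CCD", "amount": 40_000},
    {"account": "A-1001", "account_type": "consumer", "opened": date(2023, 1, 3),
     "settled": date(2023, 1, 11), "sec": "CCD", "amount": 65_000},
    {"account": "B-2002", "account_type": "business", "opened": date(2019, 5, 1),
     "settled": date(2023, 1, 10), "sec": "CCD", "amount": 80_000},
    {"account": "C-3003", "account_type": "consumer", "opened": date(2015, 2, 1),
     "settled": date(2023, 1, 10), "sec": "PPD", "amount": 2_500},
]

if __name__ == "__main__":
    for account, names in review_credits(SAMPLE).items():
        print(account, names)
```

A single mismatch only produces the low-priority warning; the second warning inside the window is what forces review, which is the escalation gap tip 4 describes.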

FFIEC Exam Manual

ACH fraud risk: placement vs. layering

The FFIEC BSA/AML Examination Manual discusses the fraud risk that ACH transactions can bring to financial institutions. However, the manual focuses on how ACH is sometimes used in the later stages of a fraudulent or money laundering scheme (layering and integration stages). It is silent on the ACH fraud risk to financial institutions in the placement stage, which tends to be related to a fraudulent transaction in an illicit scheme.

The industry is experiencing a blurring of the traditional lines between the fraud and the BSA/AML/CFT departments. To keep current, it would be wise for BSA/AML Officers to expand their purview and risk analysis to include this scenario if they have not done so already.



About the Author

Michelle M. Lucci, CSS, CRCM

Regulatory Compliance Director
Michelle Lucci, Abrigo’s Regulatory Compliance Director, has over 30 years of banking experience and is a Certified Sanctions Specialist (CSS), a Certified Regulatory Reporting Manager (CRCM) and a Certified Anti-Money Laundering Specialist (CAMS). Prior to joining Abrigo, she served as a Commissioned FDIC Bank Examiner for both Risk Management and Consumer Compliance in the New York and Atlanta FDIC regions, acted as Examiner-In-Charge

