
The Missing Piece in Fraud Prevention

If you ask an AI agent for an overview of fraud, it surveys the existing content and generates a summary. It will accurately tell you that trends to watch include AI-Powered Social Engineering; Identity Theft and Synthetic Identity Fraud; Real-Time Payment (RTP) Fraud; and Supply Chain Fraud [impersonating vendors]. But when it tells you how to manage fraud, it clearly isn’t connecting the dots. What connects all those trends is something Nacha, the organization that governs banks’ and their customers’ use of the $86T ACH Network, has been talking about for years: the rise of Credit-Push Fraud (CPF).

Credit-Push Fraud occurs when malicious actors exploit gaps in organizations’ sophistication or operations to access their deposit accounts and then push out deposits to fraudulent accounts, from which the funds are quickly transferred in order to prevent clawbacks. By “organizations” we mean customers of banks that banks permit to initiate fund transfers (business payments, Wires, ACH, etc.). It’s those customers that are the targets and victims of social engineering, identity theft, RTP fraud, and vendor impersonations. CPF is rapidly evolving as fraudsters learn new techniques to dupe customers or penetrate their systems, and rapidly move funds. But the key piece that’s missing in the conversation is: how do we shore up those gaps in customers’ sophistication and operations?

It’s bank customers – organizations like your local school district, doctor’s office, pet supply store... all of them, without differentiation by sector, size or geography – that are now the frontline of fraud prevention. To fraudsters, they’re the front door of the bank, and we need to focus on the customer to close that door.

What is Credit-Push Fraud?

In 2022, Nacha said a new type of fraud had eclipsed debit fraud as the predominant threat to bank account holders. Debit Fraud involves debiting funds from a customer’s or organization’s bank account without obtaining proper authorization from the account holder. For a long time it was Nacha’s main focus, and most of Nacha’s Rules and official Guidelines address this fraud. Many of the tools the industry developed for fraud prevention were designed for debit fraud, including transaction monitoring, measuring return rates, etc. Those are still important tools (debit fraud still exists), but fraudsters have adapted.

In 2022, Nacha said:

Now, however, the most significant fraud threats to bank account holders involve fraud and scams that result in money being sent out of their accounts using credit payments, including ACH credits, wires, cards, and other instant and digital payments.

They said this in an article titled “A New Risk Management Framework for the Era of Credit-Push Fraud,” as Credit-Push Fraud (CPF) is the name for this new, pernicious trend. In the article, Nacha said that our old Framework (including the solutions mentioned above) doesn’t work for CPF, as fraudsters have developed techniques to circumvent it (such as masking fund payments to look like a customer’s normal practices). To deal with this new fraud, Nacha said we needed to evolve in two key ways:

  • Better information sharing (and more information)
  • “All participants” in payments must work together

To combat this fraud, we need to focus on the bank customer as the target and primary victim. For proactive fraud prevention, we need both information about customers’ sophistication and operational gaps and their assistance in monitoring for fraud. In other words, we need to empower the customer to be the fortified front line against fraud, while obtaining data about their operations that banks can use proactively to identify points of high risk across their customer networks.

What’s an example of Credit-Push Fraud?

There are many ways fraudsters exploit organizations’ gaps in sophistication and operations to access their deposits. As listed above, they use social engineering (phishing, vishing, etc.) to steal banking credentials, they pose as employees or vendors requesting payment to “a new bank account,” they impersonate managers (such as via business email compromise, or BEC), and increasingly use AI-generated voices for all of the above. They also use old-school penetration and account takeover. Here’s a classic (and true) example:

Fraudsters hacked into an organization and watched their payment routines. As soon as the CEO left on vacation, the fraudsters sent an email in his name to the CFO (business email compromise) saying, “My wife and I have gone on a cruise, but I need you to transfer some funds for an acquisition we just made, in three payments of $700,000 spaced one week apart. You can’t reach me, but I’ll be checking in.” Not catching the pretense, the CFO followed through.

To the bank, these were valid payment orders from their client, and the amounts and cadence were not extraordinary for the organization. By the time the CEO checked in, over $2M had been sent through a series of foreign bank accounts and was lost.

It wasn’t the bank’s mistake, but the customer, facing ruin, blamed the bank and threatened a lawsuit. Facing the prospect of reputational harm and loss of an important customer, the bank covered much of the loss.

It’s important to note: this could all have been avoided if the customer had the right practices in place—verification and dual control, not to mention training on social engineering techniques used by fraudsters.

Net effect: fraudsters take advantage of gaps in customer sophistication and processes that are invisible to their banks.

Do you have a strategy for Credit-Push Fraud?

It’s critical for your bank to begin to ask: how do we sensitize and empower customers to manage the risk of their operations, and enable bank staff to manage that remote operational risk in a proactive, targeted, efficient and effective way? As you go through this journey, Nacha’s Credit-Push Fraud Monitoring Resource Center offers relevant content and links to providers that help with these issues. Among them, LexAlign uniquely addresses the customer layer of Credit-Push Fraud prevention.

To learn more about LexAlign’s role in fraud prevention, schedule a demo here.


A Practical Look at the New Nacha Fraud Monitoring Rule


Reflecting on the Importance of the New Fraud Monitoring Rule

Co-written by Aliya Haider and Trevor Lain

Imagine walking into a bookstore and trying to find where this topic lives. Is it in the finance section, next to books on strategy? Or is it over in true crime, with stories of social engineering and fraud? Or maybe it belongs in technology and cybersecurity, where code meets crime.

The truth is, fraud risk and compliance today touch all those shelves at once. It’s about financial operations, human behavior, and evolving digital threats—all converging in ways that make Credit-Push Fraud one of the fastest-growing financial crimes.

That’s why context matters. The new Nacha Fraud Monitoring Rule isn’t just another compliance update buried deep in a rulebook. It’s a response to shifting fraud patterns that every bank, every business, and every participant in the ACH Network needs to understand—because it sits at the intersection of finance, technology, and trust.

Fraud Is Evolving – and Fast

In financial services, fraud never stands still. Over the past decade, financial institutions invested heavily in reducing debit fraud. Those efforts worked. But as controls tightened, criminals adapted, shifting their focus to a type of fraud that is harder to detect and even harder to recover from: Credit-Push Fraud.

Credit-Push Fraud happens when criminals convince a legitimate account holder to authorize a payment under false pretenses—often through schemes like Business Email Compromise (BEC). The transaction looks legitimate because the account holder “approved” it. By the time the fraud is discovered, the funds are often long gone, having passed through multiple accounts, often across international borders.

For businesses and their banks, these schemes are devastating. Fraudsters target operational vulnerabilities like remote work environments, insufficient dual controls, and employees unfamiliar with intrepid social engineering threats. The result is not just financial loss but also customer distrust, reputational damage, and potential litigation risk for financial institutions.

The Regulatory Response – A Call Upon All Participants

Years ago, recognizing these emerging threats, Nacha took action. In 2022, it called for a New Risk Management Framework to strengthen fraud resilience across the ACH Network. A key principle of that framework was simple but profound: fraud prevention is no longer just the bank’s job—it’s everyone’s job.

The ACH Network is vast, and its participants include banks, Third-Party Senders, Originators (often businesses), and service providers. Fraudsters exploit the weakest link in this chain, and often that weak link is not the bank itself but the business customer, who controls the security and compliance of ACH originations. Nacha’s answer: bring those customers into the fraud prevention effort explicitly.

The New Nacha Fraud Monitoring Rule

The new Fraud Monitoring Rule (Subsection 2.2.4) requires non-consumer Originators and Third-Party Senders to establish and implement risk-based processes and procedures to identify unauthorized or fraudulently induced transactions, and to review and update those processes at least annually to adapt to evolving fraud risks.

This rule isn’t just regulatory housekeeping. It represents a strategic shift: fraud monitoring is now a formal duty for parties beyond the bank. Every participant has a defined role in spotting and mitigating fraud.

Banks Still Hold the Ball

For banks, particularly Originating Depository Financial Institutions (ODFIs), this doesn’t mean liability is shifting away. In fact, Nacha has made clear that the new rule does not change the ODFI’s fundamental responsibility for transactions originated through its systems. Banks must still ensure their customers—Originators and Third-Party Senders—comply with Nacha’s rules.

The implication is clear: financial institutions need visibility into their customers’ compliance practices and must verify that customers have appropriate fraud monitoring controls in place. Relying solely on contractual agreements or one-time onboarding assessments isn’t enough when fraud patterns evolve so quickly.

Why Now, Who Cares?

The answer is straightforward: because fraud has changed, and the rules must follow. Credit-Push Fraud attacks take advantage of operational gaps at the business customer level. Nacha’s rule closes some of those gaps by ensuring that everyone—banks, customers, and service providers—is actively monitoring for fraud.

For banks, this means moving beyond minimum compliance toward proactive oversight of customer operations. Tools like automated compliance self-assessments, remote customer risk scoring, and self-guided fraud monitoring programs are becoming essential.

This isn’t just about checking a regulatory box. It’s about protecting the integrity of the ACH Network, safeguarding customer trust, and reducing systemic fraud risk.



LexAlign introduces Security for Electronic Banking Self-Assessment

Helping banks’ business customers self-assess and manage their security risk.

AUSTIN, Texas – April 19, 2023 – LexAlign PBC, a leading provider of solutions that empower frontline fraud defense, announced today the introduction of a new product—Security for Electronic Banking Self-Assessment.  For the first time, financial institutions can, with minimal staff effort, do a meaningful audit and help not just a select few but all of their commercial customers better protect themselves from the kinds of devastating attacks that are increasing every year.

“Electronic banking has moved financial activities outside the security of the banks’ walls to their remote business customers.  Unfortunately, fraudsters are taking advantage of these customers to the tune of billions of dollars per year, making the millions of dispersed sites where SMBs do electronic banking the new frontline for fraud,” stated Trevor Lain, Founder and CEO of LexAlign.  “We see this as a two-sided information problem.  On the one side, SMBs lack access to the expertise to understand the rules, risks, and responsibilities that apply to their banking activities and where their operational gaps are.  On the other side, banks lack visibility and data they need to both measure and manage the risks posed by their SMB customers.  We created LexAlign to solve this problem, empowering both banks and their customers to manage the risks of fraud, money laundering, and mistakes.”

Strictly following applicable regulatory guidance, LexAlign’s Security for Electronic Banking Self-Assessment helps banks’ business customers identify their security gaps and provides detailed guidance on how to remediate them.  It also acts as a training vehicle for educating them on the risks and recommended practices.  Performing such a self-assessment is reasonably required by law or the customer’s banking agreement.  This new Self-Assessment is critical for all business customers doing electronic banking and is also an essential component of an RDC and ACH risk management program.

The Security for Electronic Banking Self-Assessment is LexAlign’s second product; a Self-Assessment for Remote Deposit Capture (RDC) was released in 2021. A Self-Assessment for ACH is under development with a planned release in late summer 2023.

By providing an automated way for banks to identify and remediate gaps in, and train, their business customers while empowering them to help themselves, LexAlign replaces the need for on-site audits and training and has been called the “missing piece” in AML and fraud risk management.

About LexAlign PBC

LexAlign makes it possible for banks to monitor and manage the risk of business customer financial activities, addressing an issue that costs banks and their most valuable customers billions of dollars annually.  LexAlign automates customer compliance and security audits, education, and support so that Risk Management is proactive, targeted, efficient, and routine—enabling financial institution staff to focus on growth, not compliance.  To learn more about the products offered by LexAlign, please visit https://lexalign.com/.



LexAlign introduces Remote Deposit Capture (RDC) Self-Assessment

Helping banks’ business customers self-assess and manage their RDC risk.

AUSTIN, Texas – April 30, 2021 – LexAlign PBC, a leading provider of solutions that empower frontline fraud defense, announced today the introduction of its first self-assessment for treasury products and services focused on Remote Deposit Capture (RDC).

Regulators expect banks to manage the risk presented when customers handle basic banking activities like digital check deposits. Fraud and mistakes lead to huge costs for banks and their customers. Reg CC was recently revised to make clear that banks that offer RDC are responsible for all network costs created by their customer. Despite best efforts, banks struggle to measure and manage such remote operational risk at scale.

“Today, highly trained and hard-to-hire treasury staff spend a huge amount of time on arduous and non-scalable manual processes: those used to manage the substantial risk of costly fraud and customer mistakes associated with a financial institution’s treasury products and services,” stated Trevor Lain, Founder and CEO of LexAlign. “This is a massive opportunity cost, not to mention a chore without obvious benefit for both staff and customers. By automating those tasks and reducing the time spent per customer from several hours to a few minutes, the LexAlign solution enables substantial improvements in back-office operations, customer compliance monitoring and support, customer experience, and ultimately the financial institution’s back office efficiency ratio.”

The Remote Deposit Capture Self-Assessment helps banks’ business customers identify their gaps and provides detailed guidance on how to remediate them while providing the bank with visibility into the operational risk of each of its commercial customers.

By providing an automated way for banks to identify and remediate gaps in, and train, their commercial customers while empowering them to help themselves, LexAlign replaces the need for on-site audits and training and has been called the “missing piece” in AML and fraud risk management.
