Who Is Liable for Unauthorized ACH Fraud?

Navigate the financial responsibility for unauthorized ACH transactions. Learn about your protections and how to resolve fraudulent digital payments.

Automated Clearing House (ACH) transactions are a fundamental electronic payment method in the United States, facilitating direct deposits of paychecks, bill payments, and transfers between bank accounts. The ACH network, overseen by Nacha, enables electronic money movement between banks and credit unions. These transactions often offer an efficient and cost-effective alternative to paper checks or wire transfers. However, the increasing reliance on digital payments has led to a rise in associated fraud. Understanding who bears financial responsibility for such fraud is important for consumers and businesses alike.

Defining ACH Fraud

ACH fraud involves any unauthorized transfer from a bank account using the ACH network. This typically occurs when malicious actors gain access to a victim’s bank account and routing number, which are often the only pieces of information needed to initiate a fraudulent transfer. Common tactics include phishing scams, malware to steal account information, and account takeover, where criminals obtain login credentials. Fraudulent activities also include business email compromise (BEC), where criminals impersonate or hack email accounts to deceive employees into sending funds to incorrect accounts via ACH.

It is important to distinguish unauthorized transactions from erroneous ones; an unauthorized transaction occurs without consent, while an erroneous transaction is a legitimate payment sent with an incorrect amount or to the wrong recipient. This distinction influences how disputes are handled and the liability framework applied.

Liability for Consumers

Consumers benefit from federal protections for unauthorized ACH transactions, primarily under Regulation E. This regulation establishes the rights, liabilities, and responsibilities of participants in electronic fund transfer systems. Financial institutions are generally responsible for unauthorized transfers, but a consumer’s liability depends on how quickly they report the fraudulent activity. Prompt notification limits financial exposure.

If a consumer reports an unauthorized electronic fund transfer within two business days of learning of the loss or theft of an access device, their liability is limited to $50. This prompt action significantly reduces potential losses. If they fail to report within this two-business-day window, liability can increase to $500 for transfers occurring after this period but before notice.

Consumers have a broader timeframe to report unauthorized transactions on periodic statements. They must report within 60 calendar days of the statement containing the first unauthorized transaction to avoid unlimited liability for subsequent transfers. If not reported within 60 days, they may be responsible for all unauthorized transfers occurring after that period. Upon notification, financial institutions must investigate the claim and report results to the consumer, often providing provisional credit during the investigation period.

Liability for Businesses

The liability framework for businesses affected by ACH fraud differs from consumer protections, primarily governed by the NACHA Operating Rules and Uniform Commercial Code (UCC) Article 4A. Unlike consumers, businesses do not have the same federal protection under Regulation E. These rules emphasize robust security procedures for businesses. Under UCC Article 4A, financial institutions are generally responsible for unauthorized electronic payment orders on non-consumer accounts. However, a bank can shift the risk of loss to its business customers if it demonstrates it implemented a “commercially reasonable security procedure” and followed it in good faith.

A security procedure is commercially reasonable if it accounts for the customer’s wishes, circumstances (like transaction volume), alternative security procedures offered, and industry practices. For example, if a bank offered multi-factor authentication that a business declined, the business might bear the loss.

Businesses face significantly stricter reporting deadlines than consumers: they sometimes have as little as 24 hours from the settlement date to report an unauthorized ACH debit to their financial institution and avoid liability. The agreement between a business and its financial institution often outlines specific security procedures and reporting obligations, which determine liability in fraud cases.

Disputing Unauthorized ACH Transactions

Discovering an unauthorized ACH transaction requires immediate action. The first step is to contact your financial institution as soon as the unauthorized activity is identified. This immediate notification allows the bank to begin investigating the claim and potentially prevent further unauthorized debits. While phone communication is possible, following up in writing is advisable.

When contacting your bank, provide specific details about the unauthorized transaction, including the date, amount, payee, and a clear explanation of why it was unauthorized. Some financial institutions may require a formal Written Statement of Unauthorized Debit (WSUD) to initiate the dispute. Maintain detailed records of all communications.

Upon receiving your dispute, the financial institution will begin an investigation. For consumers, banks must complete investigations within 10 business days, though this can extend to 45 calendar days, often with provisional credit. Businesses may have different investigation timelines based on their agreements and NACHA rules. The financial institution will communicate the outcome of its investigation, determining if funds are returned.
