Authentication is a crucial step in the ACH transfer process. In a nutshell, authentication validates that senders and recipients have valid bank accounts, and that they are who they say they are. Without proper authentication, participants in an ACH transaction run the risk of misdirected or insufficient funds—not to mention costly and time-consuming processes to reverse any errors. Authentication historically has been an inefficient process, where it has been used at all—limiting further ACH adoption.
More recently, digital authentication services have drastically improved authentication. They deliver real-time, accurate outcomes. NACHA, the trustee and rulemaking body for ACH, recently examined both traditional and newer digital authentication mechanisms, evaluating pros and cons.
ACH represents one of the major payments systems in the United States today (along with cards, cash, checks, and wire transfers). Due to its low cost and wide accessibility to nearly anyone with a bank account, ACH has gained popularity especially for bill payment and payroll direct deposit, which together make up over half of ACH transfers. There are approximately 25 billion ACH transactions annually totaling over $40 trillion, and ACH expansion has outpaced economic and population growth in recent years.
Despite its benefits, a key challenge for the ACH system has historically been the multi-day processing timeline. To meet demand for faster transactions, the ACH ecosystem has evolved. Last year, NACHA introduced same-day ACH credits, with same-day ACH debits to follow in September 2017. Same-day ACH has the potential to compete with products like Visa Direct for uses such as paying hourly workers at the end of a shift instead of every two weeks.
These evolutions, however, will be of limited usefulness without broader adoption of enhanced digital authentication. Traditional authentication processes are intended to prevent misdirected or unauthorized payments—but have limited effectiveness against other types of errors, such as insufficient funds. In contrast, digital authentication methods can prevent a broader array of errors.
What is account validation, anyway?
Account validation is used loosely in the ACH world, where it’s roughly equivalent to authentication. According to NACHA research, at least 75% of industry participants state that they would like their account validation to certify that:
The routing and transit number is valid
The account number is valid for a given financial institution’s routing and transit number
The name on the account matches the name claimed by a party to the ACH transaction
The account is eligible to receive an electronic entry
Anecdotally, it’s also important for many large and smaller users of ACH to prevent a broad array of ACH return codes, including both insufficient funds (known as “R01”) and administrative errors (all others, such as a closed account). New digital authentication methods can prevent certain ACH error codes like these that were largely not preventable using traditional account validation methods.
ACH account authentication methods
As outlined previously in Fin, there are three legacy methods of ACH account authentication that have been widely used for many years. All of these techniques can be used for credit and debit transactions, for both one-time and recurring payments.
In this method, a counterparty to an ACH transaction obtains a consumer’s check to manually confirm the account and routing number. Alternately, a counterparty may contact a consumer’s bank in order to validate this information.
Manual validation typically work best for one-off ACH transactions—and certainly not for organizations processing a high volume of ACH. Even when volume is low enough for manual validation to be pragmatic, the process can be beset by delays (how many consumers regularly carry their checkbooks these days?!) and human error.
Pre-notes involve sending a $0 transaction through the ACH network to validate that a routing and account number combination are valid.
The process typically takes several days, and verifies only that an account and routing number combination exists—not the name on the account or account balance. But the process requires little effort on the consumer’s part, particularly relative to microdeposits.
Microdeposits are the most common form of account authentication, and likely familiar to anyone who has, for example, opened and funded an online brokerage account. With microdeposits, a party to an ACH transaction deposits one to two small amounts (typically less than a dollar) into a consumer’s account. The consumer then checks the account and verifies the deposit amounts.
Microdeposits require three to four days, in most cases. Additionally, they place a high burden on a consumer to go through a multi-step process of logging into their bank account, viewing deposit amount(s), and communicating with the ACH counterparty to verify these amounts. Finally, microdeposits confirm only that a consumer has access to an account, but not that the name on the account matches a user’s claimed name, or that sufficient funds exist in the account for a debit payment.
Instant, credential-based authentication
There are several flavors of digital account authentication; credential-based authentication offered by third-party providers (like Plaid!) has gained popularity of late. In this method, a user enters his or her online bank account credentials, typically without leaving an ACH counterparty’s website or customer portal. Credentials are securely passed to the financial institution. In our case, authentication can usually performed in 11 seconds or less.
In addition to the obvious speed benefit—under a dozen seconds, instead of three-plus days!—this validation method offers several advantages:
- It can protect against a wider array of administrative ACH return codes, by returning fields such as account holder name, address, account type, and phone number that help protect against fraud.
- It can certify that a consumer has sufficient funds to initiate a debit transaction.
- It can be used for recurring debits to certify that a consumer has sufficient funds immediately prior to each subsequent transaction—with no additional work required by the consumer.
- It is easier for consumers—no need to remember cumbersome routing and account numbers, or continually log in to their bank website to verify microdeposits.
- It is more secure than other methods because routing and account information—which are difficult to change if compromised—do not directly exchange hands.
Although third-party authentication services are generally not offered for free, many participants in the ACH ecosystem find that the benefits outlined above far outweigh the small per-transaction cost of utilizing such services. Returns materialize on the bottom line—as well as in the form of less hassle and inconvenience from pesky ACH returns.
Tying it all together
Plaid was founded with the belief that everyday consumers—not just large financial institutions—deserve access to the best payments technology to help ease their financial lives. If you’re interested in learning more about making authentication easier, you can find more resources on our website.