A2A v. Reg E
Making irrevocable payment methods revocable
Introduction
This post was inspired by a Payments Dive article: NACHA’s fraud rules land. The new rules harden ACH credit push transactions against fraud and scams. The biggest change puts more responsibility on the Receive bank to monitor for abuse. Previously most of the responsibility for fraud was on the Originating bank; but, it is the Receive bank who serves the crook, so they should have heightened responsibility. These rules are welcome, if overdue.
Although ACH is ancient, the same problem has come up across newer A2A methods including: RTP/Fednow, Zelle, and Stablecoins. All those methods started out real-time and irrevocable, but when they migrate to retail commerce, they run into US Reg E and its equivalents outside the US.
Reg E empowers a consumer to demand reimbursement for any unauthorized transaction (i.e., fraud) and for a variety of common commerce events like returns, never-delivered, wrong goods, etc. Merchants love the irrevocability of the new A2A methods but in commerce, irrevocability isn’t consistent with the law.
In scams, consumers do “authorize” the transaction – they were just tricked into doing so by the scam artist; Originators do not bear legal responsibility, however, Washington thinks they should be take it anyway. As a result, you may have noticed notifications in Zelle before you send, warning you of common scams.
This post will review why fraud and scams are hard for A2A methods to address, how the A2A networks are addressing them, and what that implies for shifting commerce off cards – including via Agentic methods.
What did NACHA announce
The most common ACH use cases do not involve Consumer Commerce:
Direct Deposit of wages, dividends, pension payments etc. (B2C)
Direct Debits for Bill Pay (C2B)
Originated Credits, usually used for B2B payments (e.g., paying suppliers)
Increasingly, ACH is deployed for non-recurring, consumer commerce payments. ACH has modest but growing share versus cards. Merchants like the low cost of ACH (no interchange), but they don’t like the exceptions, particularly “Returns” – the ACH equivalent of bounced checks.
ACH is batch, and for Direct Debits, the receiver doesn’t know if the target account has enough funds. Open Banking aggregators, led by Plaid, have addressed this by peeking at the account balance before submitting the Debit. That works to lower returns, but the Plaid fee closes the cost gap with debit cards or simply retaining the returns risk. ACH was not designed for ad hoc, consumer commerce transactions.
ACH’s delayed settlement also makes it a target for fraud and scams. NACHA calls this Credit Push fraud:
Fraud typically occurs due to account takeover (ATO). The criminal takes control of the send account and sends out money without the account owner’s permission
Scams typically occur via social engineering. The scam artist tricks the account owner into sending funds voluntarily
Historically, A2A payment methods focused on Fraud more than Scams, so most of the sanctions, technology investments, risk controls, etc. were at originating banks. But for scams, the originating bank did nothing wrong. The real account owner did send the funds.
More recently, the networks realized the criminal is always on the receive side. Some bank or fintech allowed a crook past their KYC processes. That is the original sin, but afterwards the receiving bank didn’t monitor inbound payments enough for unusual activity. In scams, the networks held the originating bank responsible even though they did everything right.
The new NACHA rules rebalance responsibility. This is from the Payments Dive article, but bolding at the end is mine:
“The rules require all parties involved in an ACH transaction — including receiving financial institutions, third parties, and originators — to proactively monitor for fraud, rather than react once a fraudulent transaction has been detected…”
… The rules also empower a financial institution originating the transaction to request the return of a payment and financial institutions receiving the transaction to delay the availability of funds for any suspect transaction …
… Receiving institutions can also return a suspicious transaction without waiting for a fraud claim. It is the first time receiving financial institutions will have a defined role in monitoring the ACH payments they receive”
Historically, when originating banks complained about fraud to receiving banks, the receivers had limited incentive to respond promptly. Now they do. They may close bad accounts faster, perhaps recovering some of the lost funds. Closing such accounts faster also makes fraud and scams harder to scale.
