Six Must-Haves for a Secure ACH Approval Policy

Automated Clearing House (ACH) fraud remains a growing risk for churches, nonprofits, and educational institutions, especially during periods of high activity, staff transitions, or operational change.

A common scenario unfolds when an organization receives what appears to be a legitimate email from a trusted vendor requesting changes to their bank account and routing information. The request references prior invoices and is processed without independent verification. Later, the organization’s leadership discovers that payments to the vendor went to a fraudulent account, often after significant funds have already been disbursed.

Fraud schemes like these are increasingly sophisticated and difficult to detect, as fraudsters know exactly what to look for and how to deceive their victims. ACH fraud can affect organizations of any size and can result in significant financial loss and operational disruption that can take years to recover from.

How to Reduce the Risk of ACH Fraud

Fortunately, there are several practical steps you can take to mitigate your organization’s risk. We recommend that you:

  • Ensure accounting and finance personnel receive regular fraud-awareness training so they can recognize the warning signs of suspicious or fraudulent emails.
  • Confirm whether your financial institution offers positive pay, an automated fraud-prevention service in which your bank checks the ACH transaction details presented for payment against those that are pre-authorized.
  • Establish and consistently follow a strong ACH approval policy.

What to Include in an ACH Approval Policy

An effective ACH approval policy should include these six key elements:

  1. Dual control authorization – Require at least two individuals for every ACH transaction. One individual should initiate the transaction, and the other should independently review and approve it. Dual control not only deters fraud but also protects staff by eliminating single-person responsibility for the use of funds.
  2. Authorization limits – Establish monetary limits for all ACH transactions and approvals. Lower-dollar transactions may be initiated and approved by designated individuals, while higher-dollar transactions should require approval from an executive or board member. Review authorization limits periodically to ensure they remain appropriate.
  3. Account validation – All routing and account numbers for new or changed accounts should be independently verified before being processed. This typically includes confirming bank account information through a trusted, known point of contact using information already on file. In the scenario above, a simple call to the vendor before updating the account information would have prevented the fraud.
  4. Security protocols – Require token-based, multi-factor authentication for individuals authorized to approve ACH transactions. This security measure helps ensure that only approved personnel can release funds on behalf of the organization and reduces the risk of unauthorized access.
  5. Documentation – Require written or verified electronic authorizations for all ACH debits. This documentation should clearly show approval history and be kept on file for audit purposes.
  6. Prenotification – Use a zero-dollar “pre-note” transaction to verify the accuracy of account information before transmitting actual funds. While pre-notifications often require a three-day buffer to allow for processing, they are a best practice to help reduce the risk of incorrect or fraudulent account charges.

By establishing a strong ACH approval policy that is reviewed and updated annually, implementing positive pay, and providing ongoing fraud-awareness training for accounting and finance staff, you can significantly reduce the risk of ACH fraud.

If your organization would like assistance reviewing your ACH controls or strengthening your fraud-prevention practices, please contact us. You can also learn more about CapinCrouse’s fraud and forensic accounting services and access informative fraud prevention resources here.

 

Authors:
Nathan Davis, Partner, CRI Advisors, LLC | Partner, CRI Capin Crouse Advisors, LLC | Partner, Capin Crouse, LLC*
Richard Lindley, Audit Manager
