Protect Against Security Risks When Using Automated Clearing House Transaction Files

Copyright © 2017 NARPM®. Reprinted with permission from the July 2017 issue of the NARPM® Residential Resource magazine. For additional information about the National Association of Residential Property Managers, visit www.narpm.org,

By Chuck L. Kelley, RMP®

Thousands of property management companies pay owners and vendors using Automated Clearing House (ACH) transactions. Most of us use ACH because it’s built into the software we use, it’s easy, and convenient. One of the most common methods to facilitate an ACH transfer involves a file, usually referred to as a National Automated Clearinghouse Association (NACHA) file. In this article, we are going to explore what the risks are, why a NACHA file is dangerous, and how to protect yourself and your company.

Let’s start by talking about the risk and why it matters. Ask yourself this question: “What would happen to your company if you lost all the money before you could pay your owners?” The answer is probably that you would go out of business. The answer might even be more severe, resulting in lawsuits and prison bars. No matter how big or small your company is, can your company survive if you lost other people’s money? Every time money is sent via ACH, the entire company is at risk.

Before we can dive into why a NACHA file is dangerous, we need to understand how a NACHA file is used. Every software package and banking system is a little different, but most of them operate similarly. Using your property management software, you decide how much to pay owners. Then, your software creates a NACHA file and you upload it to your bank’s website. Your bank transfers money into other people’s accounts based on the account numbers and routing numbers in the NACHA file.

So, what is a NACHA file? Most would assume that a NACHA file is a secure encrypted file, but unfortunately, it’s not. It’s just a simple text file that anyone can read. You can open any NACHA file with any text editor and see all the info. It’s just setup in a specific way so that the bank knows what to do with it. There is no encryption or verification that the data is correct. It’s just a text file, renamed with a different file extension. The crux of the problem is that it would be trivial for anyone to change all the account numbers and routing numbers in a NACHA file.

Computers are inherently complex, and VERY hard to make secure. We all take computer security for granted and just assume we are secure. Even if you are using great passwords with 2-Factor Authentication, keeping everything updated, and not surfing strange websites, it’s still hard to make sure your computer is secure. In fact, did you know that in 2014, Technewsworld.com reported that 33% of ALL computers are ALREADY infected with malware! You are probably thinking, but I have antivirus software. Well, in February 2015, Tripwire.com reported that 70% of malware infections go undetected by antivirus software. If you have read this far and thought this couldn’t happen to you, think again.

The real danger is when the NACHA file is sitting on your computer, before you upload it to your bank. It’s trivial for someone to change a NACHA file. It’s also trivial for a hacker to put a virus on your computer to modify NACHA files, so you send all the money to them instead of your owners. Unfortunately, this happens regularly to property management companies. From a hacker’s point of view, it’s extremely easy, and the payoff is huge. Hackers target property management companies because we transfer large sums of money with ACH and usually have very little understanding of computer security.

I hope I’ve convinced you that using ACH is not as secure as you may have originally thought. Before you go running to your accountant screaming to stop using ACH, let’s discuss how to protect yourself.

There are essentially three ways:

1. Stop using ACH and go back to mailing checks. This would be more secure, but most owners have come to expect direct deposit and most property management companies have moved away from checks. Checks also have their own security concerns.
2. Don’t process a NACHA file on your computer. Many property managment software companies have a feature where they can do the ACH within their system and their bank. Some call it an eCheck instead of ACH. Consider using that instead of downloading a file to your computer. You get all the benefits of ACH, but without the risk. Most companies do charge for this service, but usually it’s a nominal fee compared to the risks.
3. Verify your ACH batch every time.

• Get a new computer you know hasn’t been compromised, keep it updated, and lock it down as much as possible.
• ONLY use that computer for ACH and never use it for anything else.
• After uploading the NACHA file, view the processed ACH batch from inside your bank’s website.
•  Go through the list line by line and verify each account number and routing number. This is a very labor intensive and time consuming task. It’s important that you check every single payment. To avoid detection, many hackers will only change a couple of payments, not the whole batch.

If you have any questions about this process, please reach out to your software company, bank, and insurance provider to see what protections they have in place for this. They will probably say that there is no protection in place, and they will not cover any of the lost money initiated by your company via an ACH transfer. Unfortunately, this means the risk is entirely on your company. Take the steps now to protect yourself, your business, and your reputation.

This article came from the May 2018-Vol49-1 edition of the bulletin.