improved

ACH risk mitigation

Release date

Apr 3, 2024

Release type

Actionable – Updates impact platform experience

Summary

Zero Hash is introducing identity checks for ACH account creation, along with fraud and risk checks for ACH transaction requests.

Identity checks ensure that the Zero Hash participant on file matches the bank account owner information. Zero Hash conducts fuzzy matching with Plaid data to determine if the account is safe to use or not.

Risk checks help mitigate return risk for platforms by ensuring money is only moving when authorized. Risk rules guarantee that an excessive number of bank accounts aren’t linked for a single participant, multiple transactions are not in flight at the same time, and transaction limits are not exceeded.

With both identity checks and risk rules, Zero Hash is introducing new statuses to external accounts and to ACH transactions.

Action required

Identity checks

When you call POST /payments/external_accounts, the API response first returns a “pending” status. Subsequent webhooks carry external account updates, such as “approved”, to let you know the external account is ready for use.

Note: This means there will be a delay between requesting a linked bank account and it being available for use. Delays are typically between 1 and 20 seconds.

External account statuses

The following external account statuses are emitted via webhook. Platforms are notified at account creation and at any point throughout the lifecycle of the account.

| Status | Definition |
| --- | --- |
| pending | Account creation requested, basic validations passed, and Zero Hash is running identity checks. |
| approved | Identity checks passed and the account is created and ready for use. |
| rejected | Identity checks failed and the account cannot be used. |
| closed | Either the account was returned as closed when making a payment request, or the end customer actively closed their account. |
| locked | Zero Hash risk and compliance team was alerted to suspicious activity and locked the account for further investigation. |
| disabled | Zero Hash risk and compliance team investigations resulted in a positive hit of suspicious activity and the team determined that the account can no longer be used. |

Note: Most often lock and disable actions will be at the whole participant level, rather than individually at the account level. See Participant status updates for more.

Risk checks

Platforms may or may not be subject to certain risk checks. An evaluation is done when onboarding with Zero Hash to gauge ACH risk. Based on this risk, certain rules are applied for a launch period and throughout a platform’s ACH program.

Potential rules

Rules may include:

  • Count of linked bank accounts
  • Count of transactions over a certain period
  • Count of transactions in flight
  • Daily and weekly transaction amount limits
  • Debit (from bank account) and credit (to bank account) amount limits
  • +others

Response based on rules

If no rules are triggered, the request proceeds and platforms see results based on the processing of the account creation or transaction requests. If rules are triggered, platforms receive messages detailing the rule that was hit.

For external accounts, if risk rules are hit, then the account is not created and platforms receive an error message.

Sample response with error for external accounts:

{
  "errors": [
    "account rules: failed max_account_number(accounts_count_by_participant)"
  ]
}

For transaction requests, Zero Hash will respond to the request with a “submitted” status. We will then run risk checks. If no rules are hit, the transaction proceeds as expected. If rules are hit, Zero Hash updates the transaction status to “rejected” and emits a webhook with the updated status.

Sample webhook with reject for transaction request:

{
  "participant_code":"ABC123",
  "type":"debit",
  "transaction_id":"0220358e-6053-43e1-9f94-bb1a09ff2fc7",
  "payment_status":"rejected",
  "rejected_reason":"max_transaction_amount(max_transaction_amount_per_transaction)"
}
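
The following Python is an added example, not Zero Hash code: it gates payments on the external account status and parses the rule(detail) strings from the two samples above. The AchGate class, its method names and the account identifier argument are hypothetical; the external account webhook payload is not shown on this page, so the status is passed in already extracted.

```python
import re

# Statuses listed in the table on this page; only "approved" means usable.
ACCOUNT_STATUSES = {"pending", "approved", "rejected", "closed", "locked", "disabled"}
# rule_name(rule_detail), the shape seen in both samples on this page.
RULE_RE = re.compile(r"(?P<rule>[a-z0-9_]+)\((?P<detail>[a-z0-9_]+)\)")


def parse_rule(text):
    """Return (rule, detail) from an error string or rejected_reason, else None."""
    m = RULE_RE.search(text or "")
    return (m.group("rule"), m.group("detail")) if m else None


class AchGate:
    """Local view of account state, fed by webhooks (hypothetical helper)."""

    def __init__(self):
        self.accounts = {}   # account id -> last known status
        self.rejected = {}   # transaction_id -> (rule, detail) or None

    def on_account_status(self, account_id, status):
        # Unknown status values fail closed: the account stays unusable.
        self.accounts[account_id] = status if status in ACCOUNT_STATUSES else "unknown"

    def can_pay(self, account_id):
        # "pending" is returned first by POST /payments/external_accounts,
        # so an account is usable only after an "approved" webhook arrives.
        return self.accounts.get(account_id) == "approved"

    def on_payment_webhook(self, event):
        # "submitted" is not final; risk checks may still reject the transaction.
        if event.get("payment_status") == "rejected":
            self.rejected[event["transaction_id"]] = parse_rule(event.get("rejected_reason"))
            return "rejected"
        return event.get("payment_status")


# Samples copied from this page.
ACCOUNT_ERROR = {"errors": ["account rules: failed max_account_number(accounts_count_by_participant)"]}
REJECT_EVENT = {
    "participant_code": "ABC123",
    "type": "debit",
    "transaction_id": "0220358e-6053-43e1-9f94-bb1a09ff2fc7",
    "payment_status": "rejected",
    "rejected_reason": "max_transaction_amount(max_transaction_amount_per_transaction)",
}
```

Treating every status other than “approved” as unusable means a locked, disabled or closed account stops receiving payment requests as soon as the webhook is processed.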

Webhooks

Platforms are notified of status updates via webhook. Platforms should ensure they’re subscribed to participant status, external account status, and ACH payment status webhooks.

For more information, please refer to our public documentation.

Endpoints impacted

  • POST /payments/external_accounts – identity and risk checks
  • POST /payments – risk checks
  • POST /payments/execute – risk checks [new endpoint coming soon]
  • Webhooks – identity and transaction status updates

Coming soon

Closing linked bank accounts

In the coming months, Zero Hash will add an endpoint for closing an account connection. This means that end customers can request removal of a specific bank account for ACH payments.

Expanded risk rulesets

Zero Hash is continually improving transaction monitoring and may expand on request reject reasons in the coming months.