ACH Tokenization

SAN FRANCISCO -- The latest meeting of NACHA’s Payments Innovation Alliance began Tuesday morning with a roundtable discussion on a new tokenization strategy for the ACH Network. The purpose of the conversation was to inform the newly formed Payments Innovation Alliance Tokenization Task Force.

One key question: If tokens are introduced, what happens to the routing transit account numbers that originators have now? “Would those numbers be replaced,” asked one member. “Let’s say today I have a routing transit account number, tomorrow I get a token. Is my instruction to throw that other information away? What’s to stop me from just keeping that?”

Another member added that there are multiple numbers that theoretically need to be tokenized. “Are we talking about tokenizing the routing number and the account number?” she asked. “Or are we talking about tokenizing the account number and letting the routing number stay?”

The task force is considering three tokenization options:

ODFI model: The originating bank is required to tokenize originators’ account data and detokenize it before it is put into the network as part of an ACH transaction.

RDFI model: The account holding bank is required to issue and manage tokens, so that ODFIs and originators never have the account number, just the token.

Hybrid model: The ODFI tokenizes the originator's account data, however, RDFIs can issue tokens if they choose to do so, and those tokens supersede the ODFI tokens.

Each model has its advantages and risks. Members were asked which party in the transaction should not be given the true account number. Although there was no general consensus, several members voiced their opinion that the biggest risk of a data breach is at the originator level, as corporations are generally seen as having weaker security than financial institutions.

The goal, said one Alliance member, should be to replace the large caches of data that are out there. “How do we lock down the data that is out there, with hundreds of thousands of originators? We all know the potential risks to consumers, so if you could lock down those big data caches you could take that risk out of the network—the risk of downward effects of large data breaches,” she said.

She noted that the RDFI model would provide an extra layer of security for consumers because it would allow RDFIs that issue tokens to disable them if needed. “We’ve had cases where people have gone to their RDFI and repeatedly said, ‘I haven’t authorized these payments, the bad guys keep hitting this account.’ In that scenario, the RDFI would be able to disable the token and it could not be used to hit the receiver’s account again,” she said.

The task force is currently working on a whitepaper for its tokenization strategy going forward. They expect to have more definite answers on their strategy by the next Alliance meeting.

Time for a universal standard?

Some members feel that the current solutions being discussed aren’t ambitious enough. One consultant told AFP that the models discussed are only solving for today’s problems, when we should be looking to tomorrow. “We need a model that is much more forward thinking,” he said.

The consultant reiterated comments made during the discussion that when controls are put in place to secure one payment type, fraud simply jumps to something that is less secure. For example, wherever EMV chip technology has been implemented (most recently in the U.S.), card-not-present fraud has surged. Members noted that there is currently a fear that, as tokenization efforts have increased on the card side, fraud could jump to the ACH network.

Therefore, we need to be moving towards a standard—something like International Bank Account Numbers (IBANs). But if we do that, we need to realize that we would have to move away from the current model, noted one Alliance member. “We need to decide of we want to preserve the existing structure, by which banks issue their own account numbers—there’s no standard by which those are issued,” he said. “Or do we move to an IBAN standard that’s issued by the government or by NACHA that says, from now on, all your account numbers will be unique?”

The consultant told AFP that a more powerful standard that would apply to all payment rails is what banks and corporates should be working towards. “I don’t think we can get there yet, but that’s what we need to be looking at,” he said. “I’m talking about something quite ambitious. But we have to start thinking about putting the building blocks in place.”