Are ABA Files Leaving You Exposed?

Niek Dekker

For anyone in Accounts Payable, ABA files are a simple fact of life. Little thought is given to how they are generated, uploaded or processed, or to whether they represent a risk to your organisation.

Take a deep dive into ABA files: what they are, how they work and how you can ensure you’re not at risk when relying on them.

What is an ABA file?

An ABA file is a text-based file.

The term “ABA” refers to the Australian Banking Association. The format is so named because it is a standard used by most Australian banks for processing batch payments through online banking portals. Because payments are often sent between banks, the formatting of ABA files needs to align with the requirements of the Australian Payments Network (formerly the Australian Payments Clearing Association or APCA) – an association of financial institutions that facilitates inter-bank payments.

ABA files are widely used by Australian organisations whenever they need to process batch payments, whether in the form of supplier invoices or employee salaries.

How do ABA files work?

ABA files are simple text files.

There is always an initial row, known as a “type 0” record, that contains headers. Under this come multiple “type 1” rows, one for each of the payments you will be processing. At the bottom comes a “type 7” row, which contains the totals.

There is a range of formatting requirements, such as the width of columns, the number of characters that need to be used and whether the data needs to be left or right aligned. Thankfully, most ERP and payroll systems will generate ABA files meeting all the specific formatting requirements, so you don’t need to manually format the document yourself.

Here is an example of what an ABA file may look like:

[Image: example of an ABA text file instructing a bank to make payments]
Source: https://www.researchgate.net/figure/Example-of-an-ABA-text-file-to-instruct-a-bank-to-make-payments_fig1_272821408

How should an ABA file be set up?

Whilst it would theoretically be possible to manually create an ABA file, it would likely be a slow and painful experience.

As mentioned above, there are many specific formatting requirements.

These days, most ERP systems used by Australian organisations are able to generate ABA files easily using the information you enter into those systems. That’s why it is crucial that all information entered into your ERP, and by extension your Vendor Master File, is accurate.

Some of the supplier data you will need to enter into your ERP so it can generate accurate ABA files includes:

  • BSB: 6-digit numeric code with a hyphen between the first and last three digits
  • Account Number: numeric code that may also contain hyphens or blanks. If an Account Number begins with zero, a hyphen must immediately follow any initial zero(s), e.g. 00-1234.
  • Account Name: can include any characters, as this field is simply a comment box and is not used by the banks when processing a payment.

How are ABA files generated?

If you want to process batch payments, you’ll need accounting software that can generate ABA files in the correct format, such as an ERP.

Once all the payment information is entered into your ERP, including the supplier data mentioned above, you will be able to export the ABA file from your ERP. This will be a text-based file which should then be saved in a secure, password-protected folder. It is important that access to this folder is restricted in order to limit the opportunities for malicious actors to manipulate the data in the ABA file.

How do I upload or import the ABA file into my online bank portal?

Once you have generated a payment file in your ERP system, you can download the ABA file before uploading or importing it into your online banking portal.

Every bank has its own online banking portal.

Once you login, you should see an option to upload your ABA file into the portal in order to process the batch payment.

Most banks provide guidance on how to do this if you require any assistance.

Why am I getting an error when uploading an ABA file?

There is a range of reasons why you may be getting an error when uploading your ABA file to your online banking portal.

In most circumstances, it will be due to the data in the file not being formatted correctly.

Some common errors can include:

  • No hyphen between the first three and last three digits of the BSB number
  • Incorrect account number length, which should be nine digits
  • Dates that do not follow this format: DDMMYY
  • Totals in the “type 7” row that are not accurate
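The record structure and the common errors listed above can be checked before a file reaches the bank portal. The following is an added example, not code from this article or from Eftsure: the column offsets assume the commonly published 120-character ABA record layout, transaction code 13 is assumed to mark a debit, and `validate_aba`, `sample_aba` and every sample value are constructed for illustration.

```python
import re
from datetime import datetime

def validate_aba(text):
    """List problems in an ABA file; offsets assume 120-character records."""
    rows = [r for r in text.splitlines() if r.strip()]
    if (len(rows) < 3 or rows[0][0] != "0" or rows[-1][0] != "7"
            or any(r[0] != "1" for r in rows[1:-1])):
        return ["expected a type 0 row, type 1 rows, then a type 7 row"]
    bad = [f"row {i}: {len(r)} chars, expected 120"
           for i, r in enumerate(rows, 1) if len(r) != 120]
    if bad:
        return bad
    problems, credit, debit = [], 0, 0
    d = rows[0][74:80]  # header date field
    try:
        datetime(2000 + int(d[4:]), int(d[2:4]), int(d[:2]))
    except ValueError:
        problems.append(f"row 1: date {d!r} is not DDMMYY")
    for i, r in enumerate(rows[1:-1], 2):
        if not re.fullmatch(r"\d{3}-\d{3}", r[1:8]):
            problems.append(f"row {i}: BSB {r[1:8]!r} is not NNN-NNN")
        if not re.fullmatch(r"[ \d-]*\d", r[8:17]):
            problems.append(f"row {i}: account number {r[8:17]!r} is malformed")
        if not r[20:30].isdigit():
            problems.append(f"row {i}: amount {r[20:30]!r} is not numeric")
        elif r[18:20] == "13":          # assumed: code 13 is a debit
            debit += int(r[20:30])
        else:                           # every other code counted as a credit
            credit += int(r[20:30])
    t = rows[-1]
    want = (f"{abs(credit - debit):010d}", f"{credit:010d}", f"{debit:010d}",
            f"{len(rows) - 2:06d}")
    got = (t[20:30], t[30:40], t[40:50], t[74:80])
    if got != want:
        problems.append(f"type 7 totals {got} do not match the rows {want}")
    return problems

def sample_aba(rows):  # constructed sample data: (bsb, account, cents) tuples
    out = ["0" + " " * 17 + "01BNK" + " " * 7 + "EXAMPLE PTY LTD".ljust(26)
           + "000000" + "PAYMENTS".ljust(12) + "150324" + " " * 40]
    for bsb, acct, cents in rows:
        out.append("1" + bsb + acct.rjust(9) + " 50" + f"{cents:010d}"
                   + "SUPPLIER".ljust(32) + "INV".ljust(18) + "000-000"
                   + "1".rjust(9) + "EXAMPLE".ljust(16) + "0" * 8)
    total = f"{sum(c for _, _, c in rows):010d}"
    out.append("7999-999" + " " * 12 + total * 2 + "0" * 10 + " " * 24
               + f"{len(rows):06d}" + " " * 40)
    return "\n".join(out)
```

A file that passes these checks is well formed, which says nothing about whether the BSB and Account Number belong to the intended recipient.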

Unfortunately, there is one error that you will not see, although it would help tremendously if you did: cases where the Account Name does not align with the beneficiary BSB and Account Number.

When funds are transferred according to the data contained in ABA files, the banks make no effort to ensure the Account Name entered matches either the BSB or Account Number entered. In fact, the Account Name field is treated as nothing more than a comment box. It is therefore essential that you have a system in place to ensure you are in fact transferring funds to the intended recipient.

Do not rely on the information contained in the Account Name field alone!

Are ABA files secure?

Unfortunately not.

Given that ABA files are simple text files, they remain particularly vulnerable to manipulation, whether by outsiders or insiders intent on defrauding your organisation.

Recent warnings by Australian banks point to malicious software, or malware, being released into the wild that specifically targets ABA files. This particular strain of malware appears to fraudulently modify the beneficiary account details that are listed within ABA files.

According to reports, this particular malware is able to identify and then alter an ABA file prior to an Accounts Payable (AP) officer importing it into their organisation’s online banking portal. Such risks are heightened in cases where an ABA file is generated quite some time prior to a batch payment being processed. Any timing delays simply provide attackers more opportunities to manipulate the data in the ABA files.

External attackers are not the only risk when it comes to ABA files. Internal threats should also be taken seriously.

If too many individuals within your organisation have access to ABA files, you run the risk of someone deliberately manipulating payment details. Because ABA files are simple text files, editing the information contained in them is easy. It is critical that you have controls in place to restrict the number of people who have access to the folders and files in which you keep ABA files.

You should also ensure that your IT department maintains comprehensive logs of all people and devices that access those folders and files, so that if any internal fraud occurs, you have the ability to fully investigate the matter.

Restricting access to folders and files according to a “Need to Know” basis is essential for safeguarding your ABA files.

How can I secure my ABA files?

Given the fact that ABA files are text-based files, they are particularly vulnerable to manipulation by malicious actors, both external and internal.

Follow these steps to protect your organisation from ABA security threats:

  • Always ensure that ABA files are saved in folders that are password-protected
  • Limit the number of staff members that have access to these folders
  • Export ABA files from ERP systems shortly before the time when you intend to process the batch payment
  • Never send ABA files via email or other messaging service – any colleagues that need access to an ABA file should access the file via the password-protected folder
  • Implement segregation of duties policies to ensure that the individual who generates an ABA file is not the same individual who verifies its accuracy
  • Ensure the IT department maintains detailed logs of everyone who accesses ABA files and the folders in which they are stored
  • Implement a tool that automatically verifies all outgoing payments in real-time as you are processing them
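One way to detect a file that was altered between export and upload, and to check beneficiaries without trusting the Account Name field, is sketched below. It is an added example, not code from this article or from Eftsure: it assumes the ERP export job and the verifier share an HMAC key that is not stored with the ABA files, that the approved payment run is available as (BSB, account, cents) tuples, and the commonly published column offsets for type 1 rows. All names and sample values are constructed.

```python
import hashlib
import hmac

def payments(aba_text):
    """Extract (bsb, account, cents) from type 1 rows; Account Name is ignored."""
    return [(r[1:8], r[8:17].strip(), int(r[20:30]))
            for r in aba_text.splitlines() if r[:1] == "1"]

def seal(aba_bytes, key):
    """HMAC-SHA256 tag computed at the moment the file is exported."""
    return hmac.new(key, aba_bytes, hashlib.sha256).hexdigest()

def check_before_upload(aba_bytes, key, tag_at_export, approved):
    """Return findings; an empty list means the file matches what was approved."""
    findings = []
    if not hmac.compare_digest(seal(aba_bytes, key), tag_at_export):
        findings.append("file changed since export")
    remaining = list(approved)  # approved payment run from the ERP
    for p in payments(aba_bytes.decode("ascii")):
        if p in remaining:
            remaining.remove(p)
        else:
            findings.append(
                f"unapproved payment: BSB {p[0]} account {p[1]} {p[2]} cents")
    findings += [f"approved payment missing: {p}" for p in remaining]
    return findings

def row(bsb, acct, cents, name):  # constructed type 1 row, padded to 120 chars
    return ("1" + bsb + acct.rjust(9) + " 50" + f"{cents:010d}"
            + name.ljust(32)).ljust(120)

# Constructed sample data.
APPROVED = [("123-456", "12345678", 150000), ("654-321", "00-1234", 9950)]
EXPORTED = "\n".join(row(b, a, c, "SUPPLIER") for b, a, c in APPROVED).encode()
KEY = b"constructed-demo-key"
TAG = seal(EXPORTED, KEY)
# Same Account Name, different BSB and account: the change the article warns about.
TAMPERED = EXPORTED.replace(b"123-456 12345678", b"999-001 87654321")
```

Run by someone other than the person who generated the file, this check also fits the segregation of duties step above.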

How can Eftsure help?

With Eftsure sitting on top of your accounting processes, ensuring your ABA files remain accurate and you are paying the intended recipient becomes easy.

Due to the text-based nature of ABA files, fraudsters routinely look for ways to adjust BSB and Account Number data, resulting in payments being transferred to a bank account they control. And due to the fact that banks are unable to match a beneficiary’s Account Name with either their BSB or Account Number, until now there’s been no easy way for your AP officers to ensure you’re not being defrauded.

However, with Eftsure’s real-time verifications, you’ll receive alerts of mismatched supplier banking details, helping you identify and block any potentially fraudulent activity.

Contact Eftsure today for a comprehensive demonstration of how we can help keep your organisation secure.
