Summary of recent and upcoming NACHA Operating Rule Changes
Increasing the Same Day ACH Dollar Limit
Effective March 20, 2020
This change impacts Originators of Same Day ACH transactions and all Receivers
Increases the per-transaction dollar limit for Same Day ACH transactions to $100,000
- Currently, Same Day ACH transactions are limited to $25,000 per transaction
- While the current limit covers approximately 98% of ACH transactions, there are many use cases for which a higher dollar limit will better enable end users to utilize Same Day ACH. For example, a higher transaction limit would better enable:
- B2B payments, in which only approximately 89% of transactions are currently eligible
- Claim payments, which are often for larger dollar amounts and are time sensitive in nature
- Reversals for a larger pool of transactions, including all Same Day ACH transactions
Differentiating Unauthorized Return Reasons
Effective April 1, 2020
This change impacts Originators
The rule re-purposes an existing, little-used return reason code (R11) that will be used when a receiving customer claims that there was an error with an otherwise authorized payment. Currently, return reason code R10 is used a catch-all for various types of underlying unauthorized return reasons, including some for which a valid authorization exists, such as a debit on the wrong date or for the wrong amount. In these types of cases, a return of the debit still should be made, but the Originator and its customer (the Receiver) might both benefit from a correction of the error rather than the termination of the origination authorization. The use of a distinct return reason code (R11) enables a return that conveys this new meaning of “error” rather than “no authorization.”
Supplementing Data Security Requirements
Effective on June 30, 2020
This change impacts Originators and TPSP (including TPS)
The existing ACH Security Framework including its data protection requirements will be supplemented to explicitly require large, non-FI Originators, Third-Party Service Providers (TPSPs) and Third-Party Senders (TPSs) to protect deposit account information by rendering it unreadable when it is stored electronically. Implementation begins with the largest Originators and TPSPs (including TPSs) and initially applies to those with ACH volume of 6 million transactions or greater annually. A second phase applies to those with ACH volume of 2 million transactions or greater annually.
- Phase 1 – June 30, 2020 for Originators and Third-Parties with ACH volume greater than 6 million in 2019
- Phase 2 – June 30, 2021 for Originators and Third-Parties with ACH volume greater than 2 million in 2020
ACH Contact Registry
Effective on July 1, 2020
This change impacts only Financial Institutions
All financial institutions participating in the ACH Network will be required to register contact information with Nacha for personnel or departments responsible for ACH operations and fraud/risk management. The contact information will be available for other registered ACH participating financial institutions, Payments Associations, the ACH Operators, and Nacha for operational, fraud, and risk management issues in the ACH Network (e.g., proof of authorizations, ACH-related system outages, erroneous payments, duplicates, reversals, fraudulent payments, etc.). Contact information will be only for those parties own, internal use and limited to these purposes.
- Beginning July 1, 2020 All financial institutions participating in the ACH Network will be required to register contact information with Nacha for personnel or departments responsible for ACH operations and fraud/risk management.
- All FIs must register contact information by October 30, 2020
- Registration will be done via the Risk Management Portal.
- The registry of financial institution contacts will be made available to registered financial institutions, the ACH Operators, and Payment Associations to use in addressing and resolving ACH operations and risk management situations.
Reminders of responsibilities with current NACHA Rules for Originators
Notification of Change (NOC)
Originators must respond to Notifications of Change by making corrections within six banking days of receipt of the NOC information or prior to initiating another entry to the Receiver’s account, whichever is later. (Note: Special requirements apply to NOCs received in response to prenotification entries and to Single Entries. These are discussed in more detail below.)
NOC received in response to a prenotification entry
- An Originator must make all changes contained within an NOC related to a prenotification entry; however, the Originator’s timing requirements for action can differ, depending on when the NOC is made available to the ODFI. For a timely NOC (that is, an NOC made available to the Originator’s ODFI by the ACH Operator by the opening of business on the second banking day following the prenote’s settlement date), the Originator must make the requested changes before transmitting a “live” entry to the Receiver’s account. For an untimely NOC (that is, an NOC made available to the ODFI by the ACH Operator after the opening of business on the second banking day following the prenote’s settlement date), the Originator must make the requested changes within six banking days of receiving the NOC information from its ODFI or prior to transmitting the next entry, whichever is later
NOC Received in response to a Single Entry
- By definition, a Single Entry is a credit or debit entry based on a Receiver’s authorization for a one-time transfer of funds to or from the Receiver’s account. No subsequent entries may be originated unless separately authorized by the Receiver via a new authorization. The NACHA Operating Rules, therefore, allow an Originator discretion in determining whether to make the changes requested in any NOC related to an Entry identifiable as a Single Entry. Originator action on NOCs related to entries bearing any of the following SEC Codes is optional, at the Originator’s discretion: ARC, BOC, POP, RCK, and XCK Entries, as well as TEL and WEB entries bearing a Single Entry indicator (“S” or “blank” for TEL and “S” for WEB).
Internet Initiated/Mobile Entries (WEB)
Debit WEB entries are used by non-consumer Originators to debit a consumer based on an authorization that is communicated, other than by an oral communication, from the Receiver to the Originator via the Internet or a Wireless Network. Originators of WEB transactions must establish commercially reasonable methods of authentication to:
- Verify the identity of the Receiver;
- Detect fraudulent transactions;
- Establish secure internet sessions; and
- Procedures to verify the validity of the receiving bank’s routing number.
Originators of WEB transactions must conduct an annual data security audit to ensure that Receiver’s financial information is protected by security practices and procedures that ensure the financial information the Originator obtains from Receives is protected by commercially reasonable security practices that include adequate levels of:
- Physical security to protect against theft, tampering, or damage;
- Administrative, technical, and physical access controls to protect against unauthorized access and use; and
- Network security to ensure secure capture, transmission, storage, distribution and destruction of financial information.
This audit requirement can be met in several ways. It can be a component of a comprehensive internal or external audit, or it can be an independent audit that uses a commercially reasonable generally accepted security compliance program. An Originator that is already conducting an audit of these practices and procedures for another area of its business is not required to have two separate audits; however, the audit should address adequate levels of data security for the Originator’s ACH operations. Possible re-tooling of ACH Originators’ fraud detection systems ◦Or implementation of a system for Originators who currently do not perform any fraud detection for WEB debits
Telephone Initiated Entries (TEL)
A TEL is a consumer debit entry that is authorized orally via the telephone. A TEL may only be transmitted in circumstances in which:
- There is an existing relationship between the Originator and the Receiver; or
- There is not an existing relationship between the Originator and Receiver, but the Receiver originated the telephone call to the Originator.
The Originator and Receiver are considered to have an existing relationship when either:
- There is a written agreement in place between the Originator and Receiver for the provision of goods or services, or
- The Receiver has purchased goods or services from the Originator within the last two years.
An Originator of TEL transactions is required to:
- Establish and implement commercially reasonable procedures to verify the identity of the Receiver.
- Establish commercially reasonable procedures to verify routing numbers are valid.
Authorization Requirements. Originators of TEL transactions must obtain the Receiver’s explicit oral authorization before initiating a debit entry to a consumer’s account. For both Single Entry and recurring TEL entries, the Originator must clearly state during the telephone conversation that the consumer is authorizing an ACH debit entry to his account. The Receiver must explicitly express consent. Silence is not express consent. The following are additional authorization requirements:
- The date on or after which the Receiver’s account will be debited;
- The amount of, or a reference to the method of determining the amount of, the debit entry to the Receiver’s account;
- The Receiver’s name or identity;
- The account to be debited;
- A telephone number that is available to the Receiver and answered during normal business hours for customer inquiries;
- The method by which the Receiver can revoke the authorization;
- The date of the Receiver’s oral authorization; and
- A statement by the Originator that the authorization obtained from the Receiver is for a Single Entry. If the entry is to be recurring, then the timing, number, and/or frequency of the transactions should be outlined.
In addition to these requirements the Originator must comply with all requirements related to telemarketing practices including the Telephone Consumer Protection Act (TCPA) and all updates to these rules as they may be implemented.