If you accept customer payment authorizations via your website or a mobile payment app, a new account validation requirement in the Nacha Rules will apply to those payments starting in March 2021. Here is what you need to know to be ready.
Nacha, formerly known as the National Automated Clearing House, manages the ACH network’s development, administration and governance. The Nacha Operating Rules define financial institutions’ roles and responsibilities and establish clear guidelines regarding each participant in the ACH network.
An upcoming change to the Nacha Rules, aimed at reducing or preventing fraud, will impact your business if you allow consumers to authorize you to initiate ACH payments from their deposit accounts via the internet or a mobile device. Such ACH payments are given the standard entry class code “WEB” and are known under the Nacha Operating Rules as “WEB Debit Entries.”
Because WEB Debit Entries always have been susceptible to fraud, the Nacha Rules required originators of WEB Entries (i.e., the payees who initiate such payments with the consumer’s authorization) to establish and implement commercially reasonable:
- Fraudulent transaction detection systems to screen WEB Debit Entries.
- Authentication methods to verify the WEB Debit Entry receiver’s identity (the depositor of the consumer deposit account that will be debited).
- Procedures to verify that the routing number used in the WEB Debit Entry is valid.
Nacha’s new Supplementing Fraud Detection Standards for WEB Debits Rule is intended to reduce fraud by requiring originators to “validate” consumer accounts before the first debit from the consumer’s account. The rule change explicitly identifies account validation as a required part of an originator’s “commercially reasonable fraudulent transaction detection system.”
This means that any time a consumer authorizes a payee to initiate an ACH debit from the consumer’s deposit account (either one-time or recurring payments) online or via a mobile device, the payee must validate the consumer’s deposit account before initiating the first payment using the account number the consumer provides. Although the Nacha Rules do not define “validate,” additional frequently asked questions guidance posted to Nacha’s website clarifies the meaning.
The FAQs section says, “At a minimum, the originator must use a commercially reasonable means to determine that the account number to be used for the WEB debit is for a valid account—that is, that the account to be used is a legitimate, open account to which ACH entries may be posted at the (consumer’s bank).”
The rule change does not require originators to validate that the consumer who authorizes the payment is the owner or an authorized user of the account.
The rule change applies only to WEB debit entries. Your business may originate ACH entries that this rule change does not impact.
For example, the rule change does not apply if the ACH entry is a credit entry (i.e., would result in funds being deposited into the consumer’s account); the account to be debited is not a consumer account (i.e., is established in the name of an entity rather than an individual, and/or is established primarily for business purposes); the ACH entry is not authorized via the internet or a wireless network; and/or the authorization is communicated orally (i.e., an ACH entry with the “TEL” SEC code).
If you obtain authorization to initiate ACH debits at the time the customer signs a retail installment contract or lease, you might be wondering whether this rule change impacts your business. The answer will depend on how the customer delivers the authorization to your business.
The validation rule would not apply if the consumer provides the authorization in some manner other than the internet or mobile device. However, if the consumer delivers the authorization from a computer or device via the internet or a wireless network, the validation rule would apply.
How Can We Validate?
The Nacha FAQs provide the following examples of methods you could use to satisfy the new validation requirement, but each comes with challenges:
- ACH micro-transaction verification typically involves two steps: The payee makes a small deposit (usually just a few pennies) into the consumer’s account, and the consumer confirms the amount deposited. This process can take a couple of days, and anecdotal information indicates consumers often fail to complete the process.
- Pre-notification entries, sometimes referred to as “pre-notes,” are non-monetary ACH entries. The payee sends a pre-notification entry through the ACH network to verify the account is valid. If the account is not valid or is not set up to receive ACH entries, the consumer’s bank will respond with that information. Like the micro-transaction process, the pre-notification process can take a couple of days, and the Nacha Rules require you to wait to initiate payment entries until three business days after you send the pre-notification entry.
- A commercially available account validation database service compares the account and routing number information provided to a database of previously validated accounts. Nacha’s Account Validation Resource Center webpage includes a list of third-party vendors that offer this service. This method is virtually instantaneous, but the database will not contain all consumer accounts, and you would need to pay for the service. More information is available at https://www.nacha.org/content/account-validation-resource-center
- Account validation APIs use an application program interface (API) and a secure digital connection to the consumer’s bank to retrieve the account and routing numbers from the consumer’s online banking interface. This method also is virtually instantaneous, but it requires the consumer to share online banking login credentials to gain access to online account information. Anecdotal information indicates many consumers are unwilling to do this because of privacy and information security concerns.
What If We Use a Payment Processor?
Under the Nacha Rules, the originating depository financial institution (i.e., the bank for the originator) warrants to the receiving depository financial institution (i.e., the bank that holds the consumer’s account that will be debited) that the originator established and implemented a commercially reasonable fraudulent transaction detection system to screen the debit WEB entry.
Under the amendments to this rule, the fraudulent transaction detection system must validate the account to be debited for the account number’s first use. Therefore, under the Nacha rules, the originator is responsible for validating the account, not the payment processor. That said, the originator can establish and implement a system that relies on its payment processor or a third-party vendor to provide account validation services.
When Does the Account Validation Rule Become Effective?
The account validation rules are effective March 19. The FAQs state that “(a)s of the effective date, originating WEB debit entries with the first use of new account numbers would not comply with the rule if the fraudulent transaction detection system does not include an account validation component.”
However, in October, Nacha issued Operations Bulletin No. 7-2020, which states that, because of COVID-19’s impact on organizations’ staffing and resources, “Nacha will not enforce this rule for an additional year from the effective date with respect to covered entities that are working in good faith toward compliance, but that require additional time to implement solutions.”
A word of warning: We do not view this announcement as permission to do nothing until March 2022. The implication here is that, if you are not working in good faith to implement solutions as quickly as possible, your noncompliance could result in an enforcement action.
If you have not yet implemented your solutions (or at least started the process), you need to do so, soon.
Ryan Stinneford is a partner in Hudson Cook’s Maine office. He can be reached at 207-541-9553 or [email protected]. Katie Hawkins is an associate in Hudson Cook’s Maine office. She can be reached at 207-210-6836 or [email protected]. This article is provided for informational purposes and is not intended, nor should it be taken, as legal advice.