ACH News and Updates
If you are a business that originates ACH, the ACH Rules can feel overwhelming. However, it’s extremely important that you, as an Originator, understand and abide by the ACH Rules. Luckily, there are several ways you can understand your responsibilities without breaking much of a sweat. We want to share some of the resources Nacha and EPCOR experts have created for businesses like yours, to make ACH Rules compliance a little easier.
Obtaining Proper Authorizations
Effective Date: September 17, 2021
Nacha implemented a set of new ACH Rules called “Meaningful Modernization”. These Rules were designed to improve and simplify the ACH user experience by:
- Adopting new technologies and channels for the authorization and initiation of ACH payments
- Reducing barriers to use of the ACH Network
- Providing clarity and consistency around some ACH authorization processes
- Reducing some administrative burdens related to ACH authorizations
Authorization Requirements for Consumer (PPD) Transactions
Debit Transaction Authorization
- Must be in writing and signed or similarly authenticated prior to initiating an ACH entry
- Needs to be easily identified as an authorization and state the terms clearly (amount and timing of debits)
- Must state how the Consumer can revoke the authorization
- A copy of the authorization must be provided to the Consumer
- You must be able to make a copy of the authorization available to BSB upon request
- Authorizations must be securely retained and kept for two years after the last ACH debit to the Consumer
Authorization Requirements for Commercial (CCD) Transactions
- A written agreement must be in place between you and the other company
- Agreements do not have a specific format requirement, but you must obtain the Receiving Company’s agreement to be bound by the Nacha Operating Rules
- Trading Partner agreements should contain authorization requirements and procedures as agreed upon by the parties
- Agreements must be securely retained
As an ACH Originator, your company must follow the rules and guidelines for the creation, submission, and processing of electronic files. These are set by the National Automated Clearing House Association (Nacha), an organization which manages the development, administration, and governance of the ACH Network. Your company may access the Rules online at the link below. Failure to comply with the ACH Rules can lead to termination of services and/or fines imposed by Nacha. The Bank may contact your company periodically to verify your internal ACH procedures and policies.
Each ACH transaction must be accompanied by a standard entry class (SEC) code. An SEC code defines how authorization for the transaction was obtained. Some SEC codes may only be used for transactions sent to a consumer, business account, or both. SEC codes must be used appropriately and in accordance with Nacha Rules.
Exposure limits are a required control every Originating Depository Financial Institution (ODFI) must have in place for each Originator.
The 2019 ACH Rules state, “An ODFI must perform due diligence with respect to the Originator or Third-Party Sender sufficient to form a reasonable belief that the Originator or Third-Party Sender has the capacity to perform its obligation in conformance with these Rules.”
Limits can be set at the Company level per day and per transaction. You can also set each of your users to a level per day and per transaction as long as it is equal to or less than the Company level.
BSB has evaluated and set your limits based on your ACH contract. BSB recommends that each Company evaluate its employees’ limits to ensure strong controls and minimize risk. If you have any questions, please contact email@example.com
Supplementing Data Security Requirements - Phase 2
Effective Date: June 30, 2022
Originators and Third-Parties with ACH volume greater than 2 million in 2020, whose ACH Origination or Transmission volume exceeds 2 million Entries annually, are required to protect DFI Account Numbers used in the initiation of Entries by rendering them unreadable when stored electronically. This volume includes ALL entries across ALL your banking relationships.
The Rules are neutral as to the methods/technologies that may be used to render data unreadable while stored at rest electronically. Encryption, truncation, tokenization, destruction, or having the financial institution store, host, or tokenize the account numbers, are among options for Originators and Third-Parties to consider.
If you feel you have reached this threshold or are getting close, please contact firstname.lastname@example.org.
Prevention and Detection of Corporate Account Takeover
Corporate Account Takeover is a type of business identity theft where cyber thieves gain control of a business’ bank account by stealing employee passwords and other valid credentials. Thieves can then initiate fraudulent wire and ACH transactions to accounts controlled by the thieves.
Business Email Compromise is a cyberattack involving hacking, spoofing, or impersonation of a business email address. Victims receive an email from what appears to be a trusted source. The email typically contains a phishing link, a malicious attachment, or a request to transfer money into a cybercriminal’s bank account.
How can you combat business fraud?
- Implement multi-factor authentication for company email accounts & financial websites
- NEVER give anyone else your multi-factor codes
- Train employees how to recognize scam/fraud activity
- Do not call back phone numbers in email or text messages
- Use your trusted information to call customers or vendors when verifying information
BSB recommends conducting a yearly security review to ensure your systems are secure.
Notification of Change Education
A Notification of Change (NOC) is a non-dollar entry transmitted by a Receiving Depository Financial Institution (RDFI) to notify you that information contained within an entry is incorrect or outdated and must be changed.
The ACH Rules require your company to make the requested changes within six (6) banking days of the receipt of the NOC or prior to the initiation of another ACH entry.
In your ACH contract (page 3) you have specified the person(s) to receive this notification.
BSB may pass along any fines received based on your non-compliance.
If you have any questions on what is incorrect or need any assistance, reach out to our Treasury Team.
Return Limit Training/Rules
Nacha requires all Originating Depository Financial Institutions to monitor the return rates of their Originators. Enforcing this rule improves ACH Network quality by reducing the incidence of exceptions and returned entries.
In general, the return rate threshold for unauthorized returns is 0.5% based on:
- The number of debits returned divided by the number of debits originated for the preceding 60 days or two calendar months.
- The number of debits returned for the preceding 60 days or two calendar months divided by the number of debits contained within the files in which the original forward entries were transmitted
If your company’s unauthorized returns don’t exceed 0.5%, then nothing needs to be done today. However, following best practices will help you stay below the threshold. Having a return ratio above the limits could result in a potential disruption of services.
It is important that you address each return to ensure your team is clear on the troubleshooting required when a return code occurs.
EFFECTIVE APRIL 1, 2022, we will no longer be sending pre-note files automatically when you add a payee.
Pre-notes are zero-dollar entries that precede the first live entry.
The purpose of the pre-note is to verify account information. Pre-notes are optional unless you send WEB entries.
If a pre-note is sent, rules must be followed:
- An Originator that chooses to transmit pre-notification entries may initiate live dollar entries as soon as the third (3rd) banking day following the pre-note’s settlement date, provided that no return or NOC related to the pre-note is received by the Bank by the opening of business on the second business day following the settlement date of the pre-note.
- The Receiving Bank is required to verify the account number on the pre-note, but they are not required to validate the name of the payee on the pre-note.
- If a pre-notification results in a Notification of Change (NOC), the Originator must typically make the required changes prior to initiating a “live” entry.
- If a pre-notification results in a returned item, the Originator must research the problem according to the Return Reason Code.
Your method for gathering account information determines the SEC code you must use. If you gather information via the internet, a mobile device or through email (not on a standard form), you will be creating a WEB entry. If you gather information in this manner, you must notify BSB and follow the pre-note and other WEB originating rules.
If you have any questions or concerns, please reach out to the treasury team at email@example.com.
There is a two-phase Nacha Rule that will define and standardize Micro-Entry formatting and practices.
These changes are being put in place to improve the effectiveness of Micro-Entries as a means of account validation, to better enable Financial Institutions and other parties to identify and monitor Micro-Entries, and to improve ACH Network quality.
The changes will take place in two phases, but it is recommended that you begin following the new rules now.
Phase I – Effective Sept 16, 2022:
A Micro-Entry is an ACH credit of less than $1, and any offsetting ACH debits, used for account validation. Credit amounts must be equal to, or greater than, debit amounts, and must be transmitted to settle at the same time.
- Originators must use “ACCTVERIFY” in the company entry description field.
- Company name must be easily recognizable to Receivers and the same or similar to what will be used in subsequent entries.
Phase II – Effective March 17, 2023:
- Originators must use commercially reasonable fraud detection. This includes monitoring forward and return Micro-Entry volumes.
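The Phase I requirements above can be checked before a validation set is submitted. The following is an added example, not code from BSB or Nacha; the `Entry` fields, the function name and the sample data are hypothetical, and amounts are held in cents to avoid rounding errors.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Entry:
    kind: str          # "credit" or "debit" (hypothetical field names)
    cents: int         # amount in cents
    description: str   # company entry description field
    settles: date      # settlement date

def check_micro_entries(entries):
    """Return the Phase I rule violations found in one validation set."""
    problems = []
    credits = [e for e in entries if e.kind == "credit"]
    debits = [e for e in entries if e.kind == "debit"]
    if not credits:
        problems.append("no credit entry in the set")
    for e in entries:
        if e.description != "ACCTVERIFY":
            problems.append(f"description {e.description!r} is not ACCTVERIFY")
    for e in credits:
        if e.cents >= 100:
            problems.append(f"credit of {e.cents} cents is not under $1")
    # Credit amounts must be equal to, or greater than, debit amounts.
    if sum(e.cents for e in debits) > sum(e.cents for e in credits):
        problems.append("debits exceed credits")
    # Credits and offsetting debits must settle at the same time.
    if len({e.settles for e in entries}) > 1:
        problems.append("entries do not settle on the same date")
    return problems

# Constructed sample data, for illustration only.
DAY1, DAY2 = date(2022, 9, 19), date(2022, 9, 20)
GOOD = [
    Entry("credit", 12, "ACCTVERIFY", DAY1),
    Entry("credit", 27, "ACCTVERIFY", DAY1),
    Entry("debit", 39, "ACCTVERIFY", DAY1),
]
BAD = [
    Entry("credit", 100, "VERIFY", DAY1),
    Entry("debit", 120, "ACCTVERIFY", DAY2),
]

if __name__ == "__main__":
    print(check_micro_entries(GOOD))
    for problem in check_micro_entries(BAD):
        print(problem)
```
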
Same Day ACH Dollar Limit Increase
Same Day ACH payments will be further enhanced with a new $1 million per transaction limit!
Effective Date: March 18, 2022
The use of Same-Day ACH has grown dramatically since its introduction in 2016. The National Automated Clearing House Association (Nacha) approved an increase of the Same Day ACH limit to $1 million per transaction. This goes into effect March 18, 2022.
This rule will apply to all Same Day ACH entries: credits and debits. Previously, Same-Day transactions maxed out at $100,000.
Your current ACH limits (ACH agreement page 18) are still in place. If you would like to have your limit reviewed, please send your request to the Treasury team at firstname.lastname@example.org.
What is a Third Party Sender
Third Party Senders are a type of Third-Party Service Provider. They have these basic characteristics:
- They are an intermediary on behalf of an Originator and ODFI
- They act on behalf of an Originator or another Third-Party Sender
- They must have an Origination Agreement with the ODFI of the entry
A Third-Party Service Provider is an organization that performs any function on behalf of the Originator, Third-Party Sender, the ODFI or the RDFI.
A “Nested Third-Party Sender” is a Third-Party Sender that has an agreement with another Third-Party Sender to act on behalf of an Originator and does not have a direct origination agreement with the ODFI. Nested Third-Party Senders are required to be addressed in the ACH agreement.
Your ACH agreement is solely between Bennington State Bank and your company. If you think you utilize Third Party Senders, Third-Party Service Providers, or Nested Third-Party Senders, contact the Treasury department at email@example.com.
EPCOR Log In Information
To ensure compliance with current regulations, all ACH Originators have access to a free online version of the National Automated Clearing House Association (Nacha) Operating Rules. The Nacha Rules are published annually and are subject to change. The ACH Rules can be accessed at https://achrulesonline.org.
See the EPCOR Corporate User Webpage link below.