Bennington State Bank ACH Newsletter
May 27, 2024
Thank you for choosing The Bennington State Bank for your commercial banking needs!
This ACH Newsletter is filled with helpful information and exciting updates. The BSB Treasury Team is dedicated to helping your business succeed!
New Registry Required
Your Beneficial Ownership Information Requirements
by Emily Nelson, AAP, APRP, NCP, Manager, Payments Education, EPCOR
With a new year comes new changes, and an important change came from the Financial Crimes Enforcement Network (FinCEN). FinCEN’s purpose is to safeguard the financial system by identifying individuals involved in tax evasion, money laundering, and even terrorist financing. FinCEN’s most recent requirements largely impact small businesses by requiring them to file and report Beneficial Ownership Information (BOI). The final ruling which implements the BOI filing and reporting requirements was released in September 2022. However, FinCEN needed time to develop a filing and reporting platform, which is why small businesses are just now being asked to file and report BOI directly to FinCEN. Let’s discuss the requirements for reporting, timelines in which you must file, and possible repercussions if you do not file.
Who is Required to Report this information?
Reporting companies are divided into two categories, domestic and foreign:
- A domestic reporting company is defined as a corporation, limited liability company, or any other entity created by filing a document with a secretary of state or any similar office in the United States.
- A foreign reporting company is defined as an entity, including corporations and limited liability companies, formed under the law of a foreign country that has registered to do business in the United States by the filing of a document with a secretary of state or any similar office.
To put this more plainly, an entity is a corporation or limited liability company registered to do business in the United States under state, local, tribal, or federal law.
Information Required to be Reported
The reporting company, domestic or foreign, is required to identify itself and report specific information for each beneficial owner. The four pieces of information required include the beneficial owner’s name, birthdate, address and unique identifying number and issuing jurisdiction from an acceptable identification document. Essentially, a U.S. driver’s license would suffice for the identification document.
Regarding who is considered a beneficial owner, one form of beneficial ownership is someone who exercises substantial control over the reporting company. Another form would be someone who owns or controls at least 25% of the reporting company’s ownership interests. You’ll be able to find examples of substantial control and other frequently asked questions in the link provided at the end of the article.
Where and When to Report Information
Potential Consequences
Final Thoughts
If you have any questions, visit fincen.gov/boi
Fighting Email Compromise and Impersonation Scams
by Trevor Witchey, AAP, NCP, Senior Director, Payments Education, EPCOR
Fraud attempts with ACH, wire and presumably FedNow®/RTP® payments often occur when a member of an organization falls for a scam impersonating an employee, HR official or vendor. Whether it be through a fraudulent email or some other means of digital communication, businesses like yours are losing funds every single day.
Fraudsters are constantly searching for their next victim, and while steps can be put in place to mitigate certain attacks such as adding tough layers of security to online platforms to prevent account takeover or keystroke logging malware, fraudsters have moved on to coercing the users of those online platforms to willingly give up their credentials or send fraudulent payments on their behalf.
Nacha is currently in the process of implementing new ACH Rules to help reduce credit-push type fraud seen on their network. And, while online attacks from fraudsters are not new, most financial institutions have implemented new systems, more detailed procedures and more interrogative callback processes while having the most commercially reasonable security protections on their online platforms. Although these security measures are certainly helpful, it’s still very common for those who use email as their primary form of communication to fall for impersonation scams asking for login credentials or requesting the individual to send a fraudulent payment.
It’s Time to Try a Different Approach
Regardless of the kind of payments your organization sends, there is always a chance you could fall victim to fraud.
Most ACH Originators send payroll credits or utility debits to the same individuals repeatedly, while most businesses send the same ACH or wire payments to the same vendors or suppliers. To make things efficient and reduce errors, many reuse templates on online platforms or have a fixed list that helps generate an ACH file reusing the same account information. Sound familiar? If so, this could become an issue if the account information suddenly changes.
If the payment you’re sending is to a new account, a more elaborate set of procedures should be performed by your organization before forwarding that payment to your financial institution. The checklist below can assist your organization in confirming the legitimacy of the payment information before any funds are transmitted.
| Yes/No | Questions to Ask Before Sending |
|---|---|
| Has due diligence been performed on the Receiver/Beneficiary? | |
| Did you verify the identity of the Receiver/Beneficiary? | |
| Do you know the beneficial owner(s) or any relevant company official to verify the legitimacy of the Receiver/Beneficiary? | |
| Did you perform secondary communication with the Receiver/Beneficiary to verify instructions? | |
| Did you verify with another employee of the commercial Receiver/Beneficiary? | |
| Was an invoice received legitimately and then verified with secondary communication? | |
| If recurring Receiver/Beneficiary, were they contacted as to why account information has changed? | |
| For recurring Receiver/Beneficiary, did you verify with known contact about changed info? | |
| Any contact with the Receiving or Beneficiary financial institution about newer account info? | |
| Is this payment within the normal scope of operation? | |
| Are you convinced this is a legitimate payment and won’t take a loss for it? | |
| Is upper management aware of this account change? |
If the majority of checkmarks are missing from a list like the above, then really question the risk of sending a payment to the new account. It’s better to ask questions first than act hastily and regret the decision later.
The key to mitigating fraud is to think and perform more procedures regarding payment requests to brand new account information or new clientele. The more thorough you are, and the more serious you take verifying the legitimacy of account information, the better off your organization will be.
Considerations for Implementing the New Risk Management Rules
Recent years have seen a rise in Business Email Compromise, account takeovers, vendor impersonations, and other frauds, all of which create the need for a new ACH Risk Management Framework that broadens the scope of risk management.
All participants in the payment system have roles to play in working together to combat fraud.
A policy statement has been issued by Nacha’s Board of Directors “urging all participants to implement adequate controls and/or systems to detect and prevent fraud.” A policy statement is not a rule, but during a two-phase amendment, your company is required to establish and implement risk-based processes and procedures to identify entries suspected of being unauthorized or authorized under “false pretenses”.
Phase 1 is effective March 20, 2026, and Phase 2 is effective June 19, 2026. Fraud monitoring is required regardless of the Standard Entry Class (SEC) code, or payment type, initiated and it is intended to reduce the incidence of successful fraud attempts.
Get ahead of the game! Your organization may require implementation of, or updates to, risk-based processes and procedures to identify and detect fraudulent transactions. Start pondering on methods to spot fraud and set up mechanisms for it. Remember, these systems don’t necessarily have to be automated. Consider options like Multi-Factor Authentication (such as physical tokens or 2FA), Band Authentication (a type of two-factor authentication involving secondary verification through a separate channel alongside the usual ID and password), providing file totals, dual control, and e-alerts. If you find yourself in need of guidance, don’t hesitate to contact your Treasury Team at BSB for support.
Same Day ACH
Same-Day ACH is an improvement to the ACH network that allows the processing of credit, debit, and return transactions several times a day. The Originating Depository Financial Institutions (ODFIs) can send and settle Same-Day ACH transactions to accounts at any Receiving Depository Financial Institution (RDFI). Payment system users are embracing Same Day ACH and the numbers are proving it.
Led by strong growth in Same Day ACH and business-to-business (B2B) payments, the ACH Network securely handled 31.5 billion payments valued at $80.1 trillion in 2023. Payment volume for the year was up 4.8% from 2022 while payment value grew 4.4%. 2023 marked the 11th consecutive year in which ACH Network value has increased by more than $1 trillion.
Same Day ACH volume increased 22.3% and 41.2% in value, to 853.4 million payments worth $2.4 trillion. Since its inception in September 2016, Same Day ACH volume has surpassed 3 billion payments and $6 trillion.
If you are not signed up for Same Day ACH and would like more information, contact our Treasury Team.
Originator – Things to Know
Your Responsibilities as an Originator
- Obtain proper authorizations, dependent upon the transaction type, and retain authorizations for two years past revocation.
- If requested by the Bank, provide a copy of the authorization. BSB may request to see your authorizations from time to time as part of an annual audit.
- Send entries on the proper date.
- Give appropriate notice to the debtor if changing the amount or date.
- Cease subsequent entries when notified.
- Make necessary changes to payee account information within six (6) banking days upon receipt of a Notification of Change or before another entry is sent.
- Protect the banking information received to originate transactions.
- Returns must be processed by the Receiving Bank within 24 hours of settlement. Returns that are unauthorized beyond 24 hours are the company’s liability and any disputes may have to be settled outside of the banking network. BSB recommends that you view your account activity daily.
Other Resources
As part of NACHA rules (the rules that govern ACH and the bank’s payments), we are required to provide education to our ACH originators on an annual basis. Below is a link to the NACHA website which includes the full copy of the rules along with recent changes. Also is a link to EPCOR’s corporate user webpage, which provides us with education and advice on ACH transactions. The link provides quick tips, FAQs, and a newsletter that is sent quarterly.
Included in the second link, you will find a great video “ACH Security Framework for Originators” that will help you to understand what is expected of you as an originator when it comes to obtaining and retaining authorizations. If you have any questions, please contact the Treasury Team.
We encourage you to watch the video linked below, available at no charge to you on the EPCOR website.
- On the EPCOR website, you will need to “Add to cart” and “Place order” to watch this free video.
- This video offers valuable insights into what is expected of you as an originator when it comes to obtaining and retaining authorizations.
We sincerely appreciate your continued partnership with Bennington State Bank and look forward to supporting your business’ growth and success! If you have any questions, please feel free to contact the BSB Treasury Team.
