As a payment compliance specialist, it is critical to stay abreast of the latest NACHA (National Automated Clearing House Association) rule changes. Two sets of amendments are set to take effect this year—on June 21 and October 1, 2024. Some of these changes will impact originators and merchants significantly, emphasizing the need for proactive adjustments to compliance and operational strategies.

June 21, 2024: Minor Rules Topics

The first wave of changes focuses on minor rule topics. Minor changes to the Rule have little to no impact on ACH participants and no significant processing financial impact.

1. General Rule /Definition of WEB Entries– The updated NACHA rule clarifies the use of WEB entries, which are transactions initiated by a consumer over the internet or a wireless network. The new definition eliminates confusion by specifying that all consumer-to-consumer credits must use the WEB SEC code, regardless of the internet or wireless network being the method of initiation.
2. Definition of Originator– The updated rule provides a clearer definition of an Originator, stating that it is the party authorized by the Receiver to credit or debit the Receiver’s account at the RDFI (Receiving Depository Financial Institution). This clarification helps in precisely identifying the responsible entity in a transaction, thus reducing ambiguities and potential disputes between parties involved in ACH transactions
3. Originator Action on Notice of Change– This rule requires Originators to take prompt action upon receiving a Notice of Change (NOC) from the RDFI. The NOC indicates necessary corrections to the information within an ACH entry. Originators must make the specified changes within six banking days or before the next entry, whichever is later.
4. Data Security Requirements– The updated rule extends the data security requirements to all non-consumer Originators, Third-Party Service Providers, and Third-Party Senders.
5. Use of Prenotification Entries– The revised rule on prenotification entries provides clarity on their use and the handling of responses from RDFIs. Prenotification entries are optional but recommended for verifying account information before initiating live transactions. Originators can use these entries to ensure that account details are correct, reducing the risk of errors and rejected transactions. If an RDFI responds to a prenotification with a NOC, the Originator must address the indicated issues promptly
6. Clarification of Terminology – Subsequent Entries– The rule clarifies the term “Subsequent Entries,” referring to entries that follow an initial authorization. These can be initiated by the consumer through actions such as phone calls or online requests. The updated rule allows greater flexibility in the use of Standard Entry Class (SEC) codes for these subsequent entries, accommodating various methods of initiation and ensuring that authorization requirements are met appropriately

October 1, 2024: Risk Management Topics

The second set of changes, effective October 1, centers around risk management, reflecting NACHA’s ongoing efforts to enhance the security and reliability of the ACH Network:

1. Codifying Expanded Use of Return Reason Code R17– The updated rule codifies the expanded use of Return Reason Code R17 to enhance the identification and management of fraudulent activities. This rule includes the following specifics:
   • R17 + “QUESTIONABLE”: The addition of the word “QUESTIONABLE” in the return addenda record signifies a potential fraud alert on the receiving bank account. This helps financial institutions quickly identify transactions that may require further scrutiny for fraud
   • Impact on Unauthorized Return Rates: These returns will not be counted in unauthorized return rates, thus not affecting the metrics used to evaluate the frequency of unauthorized transactions
   • This new Rule also includes references to a newly defined term, False Pretenses: The inducement of a payment by a Person misrepresenting (a) that Person’s identity, (b) that Person’s association with or authority to act on behalf of another Person, or (c) the ownership of an account to be credited.”
     This definition covers common fraud scenarios such as Business Email Compromise (BEC), vendor impersonation, payroll impersonation, and other payee impersonations, and complements language on “unauthorized credits” (account takeover scenario). It does not cover scams involving fake, non-existent or poor-quality goods or services.
   • Expanded Use of ODFI Request for Return/R06–This rule expands the circumstances under which an Originating Depository Financial Institution (ODFI) can request a return of an entry using Return Reason Code R06 (Return per ODFI’s Request). This expansion aims to provide more flexibility and tools for ODFIs to manage erroneous or problematic entries, ensuring better correction of mistakes and reducing potential risks associated with such entries
   • Ensure your loan management and payment processing systems are updated for NACHA’s new R17 rule. This rule allows RDFIs to use Return Reason Code R17 with the descriptor “QUESTIONABLE” in the Addenda Information field to flag transactions that may be suspicious or fraudulent. Updating your systems will help differentiate these returns from routine account errors and maintain compliance with NACHA’s standards.
2. Additional Funds Availability Exceptions– The rule introduces new exceptions to the funds availability requirements, allowing RDFIs more time to investigate suspicious transactions before making funds available to the account holder. This extension is critical in scenarios where there is a high likelihood of fraud, enabling RDFIs to ensure that the transaction is legitimate before releasing the funds. This change aims to reduce the risk of fraudulent withdrawals and losses for both the financial institution and the account holder
3. Timing of Written Statement of Unauthorized Debit (WSUD)– The rule modification allows for greater flexibility in the timing of signing a WSUD. Specifically, it permits the WSUD to be signed and dated by the Receiver on or after the date the unauthorized debit entry is presented, even if the debit has not yet posted to the account. This change simplifies the process for receivers to dispute unauthorized debits and facilitates quicker resolution of such issues​
4. RDFI Must Promptly Return Unauthorized Debit– This rule mandates that Receiving Depository Financial Institutions (RDFIs) must promptly return any unauthorized debit entries once they are identified. This requirement ensures that unauthorized debits are addressed quickly, minimizing the impact on the account holder and reducing the potential for further fraudulent activity. It emphasizes the responsibility of RDFIs to act swiftly in protecting their customers’ accounts from unauthorized transactions

For further details on these rule changes, visit NACHA’s official website on minor rules topics and risk management topics.

Preparing for Compliance

For originators and merchants, preparation is key to ensuring compliance with these new rules:

• Review and Update Systems: Ensure that all payment processing systems are updated to align with the new data specifications and validation requirements.
• Train Staff: Conduct comprehensive training sessions for relevant staff to familiarize them with the new rules and their implications.
• Enhance Fraud Detection: Invest in advanced fraud detection and prevention technologies to meet the updated standards.
• Audit Third-Party Relationships: Conduct thorough audits of third-party sender relationships to ensure compliance with the new risk management requirements.

By proactively addressing these changes, originators and merchants can mitigate risks, ensure compliance, and continue to facilitate secure and efficient ACH transactions.