InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Nacha’s new rules intends to reduce business fraud that uses credit-push payments
On March 18, Nacha announced rule amendments intended to reduce the incidence of frauds that leverage credit-push payments, such as vendor impersonation and business email compromise (BEC). While, importantly, the rules will not shift liability for ACH payments as between the parties, they will establish obligations on originating financial institutions (ODFIs) and receiving depository financial institutions (RDFIs) to monitor the sending and receipt of payments for potential fraud, and they will empower the same to flag potentially fraudulent payments for action. Specifically, the rule amendments will allow “the originating financial institution (ODFI) to request the return of the payment for any reason, the RDFI to delay funds availability (within the limits of Regulation CC) to examine the payment more closely, and the RDFI to return a suspicious transaction on its own initiative without waiting for a request or a customer claim.”
As part of the amendment announcement, NACHA cited the FBI’s Internet Crime Complaint Center’s 2023 annual report, noting that BEC, vendor impersonation, and payroll impersonation are examples of fraudulent activities “that result in payments being ‘pushed’ from a payer’s account to the account of a fraudster,” and that there were 21,489 BEC complaints totaling $2.9 billion in reported losses in 2023, making BEC the second-costliest cybercrime category.
The first set of rule amendments are effective October 1, which, among other things, allow an RDFI to use return code R17 for potential fraud, including for “false pretenses,” and an ODFI to request a return from an RDFI for any reason, including fraud. The first set of amendments also provided RDFIs “with an additional exemption from the funds availability requirements to include credit entries that the RDFI suspects are originated under false pretenses,” subject to Regulation CC. Finally, the RDFI will be required to promptly return any unauthorized consumer debit by the 6th banking day after it reviewed a consumer’s signed Written Statement of Unauthorized Debit.
The first set of rule amendments will be followed by subsequent (phase 1 and phase 2) amendments. The phase 1 amendments, effective March 20, 2026, will, among other things, require ODFIs, and non-consumer originators, third party providers, and third party senders with an annual ACH origination volume of six million or more to implement or enhance appropriate risk-based process and procedures to identify fraudulent transfers. Under phase 1, NACHA will also require RDFIs with ACH receipt volumes of 10 million or more to establish risk-based processes and procedures to identify fraudulent activity. The second phase, effective June 19, 2026, will require fraud risk monitoring for the remaining non-consumer originators, third party providers, and third-party senders.
NACHA Proposes Rules To Improve ACH Network Quality
On November 12, NACHA, which manages the development, administration, and governance of the ACH network, released two proposed rules that it describes as complementary approaches to improving ACH Network quality by reducing the incidence of exceptions. The first proposal would improve NACHA’s ability to identify and enforce rules against “outlier” originators by: (i) reducing the existing return rate threshold for unauthorized debits from 1% to 0.5%; (ii) establishing a 3% return rate threshold for account data quality returns, and an overall debit return rate threshold of 15%; (iii) clarifying permissible and impermissible practices for the collection of ACH debits returned for insufficient funds and other reasons; and (iv) explicitly applying certain risk management rules to third-party senders. In addition, the proposed rule would expand NACHA’s authority to initiate enforcement proceedings for a potential violation of the NACHA Rules related to unauthorized transactions. The second proposal would establish economic incentives for originating institutions and their originators to improve origination quality, and provide partial cost-recovery to receiving institutions for handling exceptions. Specifically, the rule would apply fees when: (i) the proposed economic incentives are fees that would be applied to instances when a receiving institution; (ii) returns an ACH transaction due to incorrect account data within the transaction; (iii) corrects information within an ACH transaction and sends the correction back; or (iv) returns an ACH transaction due to a problem with the receiver's authorization. NACHA is accepting comments on the proposals until Monday, January 13, 2014.
NACHA Bulletin Addresses Reinitiation of Returned Debits
On July 15, the Electronic Payments Association (NACHA), the organization that manages the ACH Network, issued a bulletin that describes the provisions of NACHA’s operating rules regarding the “reinitiation” of returned ACH debit entries and the collection of return fees. With respect to the “reinitiation” of returned ACH debit entries the bulletin outlines the limited circumstances under which the rules permits originators and originating depository financial institutions (ODFIs) to reinitiate returned entries. First, an originator or an ODFI may reinitiate a returned entry up to two times if the entry was returned for reasons of insufficient or uncollected funds. Second, an originator or an ODFI may reinitiate a returned entry for reason of stop payment, but only if the receiver of the entry reauthorized the reinitiation after the return of the original entry. Finally, unless authorization has been revoked, an originator or an ODFI may reinitiate an entry returned for any other reason, as long as the originator or ODFI has corrected or remedied the reason for the return. In instances where authorization has been revoked, an originator or ODFI may not be reinitiated. Additionally, in order for a reinitiation of a returned entry to take place within the ACH Network, it must take place within 180 days of the settlement date of the original entry. With respect to the collection of return fees, the bulletin explains that (i) a return fee entry may be initiated only to the extent permitted by applicable law, and only for an entry that was returned for reasons of insufficient or uncollected funds; (ii) originators and ODFIs must provide specific prior notice prior to charging return fees; (iii) return fees must be specifically labeled as return fees in any entry description; (iv) only one return fee may be assessed with respect to any returned entry; and (v) a return fee may not be assessed with respect to the return of a return fee entry (i.e., no “fees on fees”).
NACHA Proposes Clarification of Third Parties in ACH Network
On May 20, NACHA, the organization that manages the ACH Network, requested comment on proposed changes to the NACHA Operating Rules to clarify the definitions, roles, and responsibilities of third parties in the ACH Network. The proposal explains that third parties are performing roles in ACH processing that were not contemplated at the time third parties were first addressed in the rules, and that the line between third parties and originators may sometimes be blurred. The proposal includes specific changes related to related to (i) clear Identification of the originator in consumer debit authorizations; (ii) third parties and receiver authorizations; (iii) definition of third-party sender; (iv) definition of third-party service provider; and (v) third-party sender and third-party service provider audit requirements. Comments on the proposal are due by June 28, 2013.
NACHA Proposes Guidelines for Use of QR Codes for Consumer Bill Pay
On August 30, NACHA – The Electronic Payments Association, proposed guidelines to facilitate the use of Quick Response (QR) codes for consumer bill payments. A QR code is a type of barcode readable by a mobile device equipped with a QR application. The guidelines, developed by NACHA’s Council for Electronic Billing and Payment, seek to establish a single QR code format to serve consumer bill pay needs through a variety of channels, including a biller’s website, a financial institution’s online bill pay website site, or other aggregation bill pay websites. The proposal recommends guidelines for the QR code size and format, billing data to be included, and encoding format. NACHA has requested comment from interested parties by September 19, 2012 and expects to prepare a final version of the guidelines before the end of 2012.