InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Nacha’s new rules intends to reduce business fraud that uses credit-push payments
On March 18, Nacha announced rule amendments intended to reduce the incidence of frauds that leverage credit-push payments, such as vendor impersonation and business email compromise (BEC). While, importantly, the rules will not shift liability for ACH payments as between the parties, they will establish obligations on originating financial institutions (ODFIs) and receiving depository financial institutions (RDFIs) to monitor the sending and receipt of payments for potential fraud, and they will empower the same to flag potentially fraudulent payments for action. Specifically, the rule amendments will allow “the originating financial institution (ODFI) to request the return of the payment for any reason, the RDFI to delay funds availability (within the limits of Regulation CC) to examine the payment more closely, and the RDFI to return a suspicious transaction on its own initiative without waiting for a request or a customer claim.”
As part of the amendment announcement, NACHA cited the FBI’s Internet Crime Complaint Center’s 2023 annual report, noting that BEC, vendor impersonation, and payroll impersonation are examples of fraudulent activities “that result in payments being ‘pushed’ from a payer’s account to the account of a fraudster,” and that there were 21,489 BEC complaints totaling $2.9 billion in reported losses in 2023, making BEC the second-costliest cybercrime category.
The first set of rule amendments are effective October 1, which, among other things, allow an RDFI to use return code R17 for potential fraud, including for “false pretenses,” and an ODFI to request a return from an RDFI for any reason, including fraud. The first set of amendments also provided RDFIs “with an additional exemption from the funds availability requirements to include credit entries that the RDFI suspects are originated under false pretenses,” subject to Regulation CC. Finally, the RDFI will be required to promptly return any unauthorized consumer debit by the 6th banking day after it reviewed a consumer’s signed Written Statement of Unauthorized Debit.
The first set of rule amendments will be followed by subsequent (phase 1 and phase 2) amendments. The phase 1 amendments, effective March 20, 2026, will, among other things, require ODFIs, and non-consumer originators, third party providers, and third party senders with an annual ACH origination volume of six million or more to implement or enhance appropriate risk-based process and procedures to identify fraudulent transfers. Under phase 1, NACHA will also require RDFIs with ACH receipt volumes of 10 million or more to establish risk-based processes and procedures to identify fraudulent activity. The second phase, effective June 19, 2026, will require fraud risk monitoring for the remaining non-consumer originators, third party providers, and third-party senders.
SEC announces final rule for filing fee disclosure and payment methods modernization
On October 13, the SEC announced a final rule to adopt amendments to modernize filing fee disclosure and payment methods, which is intended to improve filing fee preparation and payment processing. Operating companies and investment companies (funds) pay filing fees when participating in some transactions, which include registered securities offerings, tender offers, and mergers and acquisitions. According to the SEC, the amendments revise most fee-bearing forms, schedules, and associated rules to require that companies and funds include all required information for filing fee calculation in a structured format. The amendments also create new options for ACH and debit and credit card payment of filing fees and remove options for filing fee payment by paper checks and money orders that are infrequently used. According to a statement by SEC Chair Gary Gensler, these amendments, “will make the filing process faster, less expensive, and more efficient for SEC staff and market participants.” The final rule is effective January 31, 2022, except for certain amendments that are effective May 31, 2022.
Fed governor discusses modernizing payment systems for community banks
On February 27, Federal Reserve (Fed) Governor Michelle W. Bowman spoke before the Banking Outlook Conference held at the Federal Reserve Bank of Atlanta on ways the Fed can increase transparency and modernize payment services for community banks. Bowman stated that the Fed is “uniquely positioned as a provider of payment services and as a supervisor of banks to ensure that our nation’s evolving financial system works for community banks.” Bowman discussed how the Fed can achieve this objective by, among other things, (i) adopting an additional same-day automated clearinghouse (ACH) window, which “will allow banks and their customers, particularly those located outside the eastern time zone, to use same-day ACH services during a greater portion of the business day”; (ii) implementing FedNow, which would, as previously covered by InfoBytes, “facilitate end-to-end faster payment services, increase competition, and ensure equitable and ubiquitous access to banks of all sizes nationwide”; and (iii) encouraging partnerships between community banks and fintech firms to “leverage the latest technology to provide customer-first, community-focused financial services and provide customers with efficiencies, such as easy-to-use online applications or rapid loan decisionmaking.” Bowman highlighted the Fed’s fintech innovation office hours, as well as the Fed’s recently launched fintech innovation webpage (covered by InfoBytes here), and emphasized the Fed’s desire to hear directly from banks and fintech companies on innovation challenges.
With respect to third-party service providers, Bowman proposed several important initiatives for the Fed to help community banks effectively manage their third-party relationships and access innovative new technology. These include providing clear, consistent due diligence guidance on third-party relationships to provide uniform standards that are aligned with guidance issued by the OCC and other banking agencies. Bowman also suggested increasing the transparency of its third-party supervisory program by releasing information that may be useful about key service providers to community banks, and tailoring regulatory burdens for community banks with assets under $1 billion.
Colorado UCCC administrator issues guidance on alternative loan changes
On January 4, the administrator of the Colorado Uniform Consumer Credit Code issued a memo providing introductory guidance on alternative charge loans in response to Proposition 111, which amends the state’s Deferred Deposit Loan Act (DDLA) and takes effect February 1. (See previous InfoBytes coverage here.) Among other things, Proposition 111 reduces the maximum annual percentage rate that may be charged on deferred deposits or payday loans to 36 percent, eliminates an alternative APR formula based on loan amount, prohibits lenders from charging origination and monthly maintenance fees, and amends the definition of an unfair or deceptive practice.
The memo—issued in response to creditors currently offering loans under the DDLA who have expressed an interest in offering loans imposing the alternative charges allowed by Colo. Rev. Stat. § 5-2-214—explains that such alternative charges may only be charged if (i) the financed amount is $1000 or less; (ii) the minimum loan term is at least 90 days but no more than 12 months; (iii) installment payments are scheduled in substantially equal periodic intervals; (iv) Truth-In-Lending disclosures show the loan is unsecured; (v) a creditor has not taken any collateral as security for the loan, including a post-dated check or certain ACH authorization; (vi) an ACH agreement reached with a consumer is voluntary and not required by the loan; and (vii) the loan has not been refinanced more than three times in one year.
6th Circuit affirms no breach of contract for processing ACH transactions in order received
On July 6, the U.S. Court of Appeals for the 6th Circuit affirmed a district court’s decision, holding that there was no breach of contract between a consumer and a bank arising from the order in which the bank processed automated clearing house (ACH) transactions against the consumer’s checking account. According to the opinion, the consumer brought two state law breach of contract claims against the bank alleging that the order in which the bank processed ACH transactions against his checking account resulted in eight initial overdraft fees. Addressing the first breach of contract claim, the appeals court rejected the consumer’s argument that the agreement required the bank to process ACH transactions in the order incurred by the consumer. According to the agreement, “transactions will be processed ‘as they occur on their effective date for the business day on which they are processed’”—not necessarily the actual date that the transaction was initiated. Under the ACH Guidelines, the “effective date” is the date when the merchant presents the transactions to the ACH Operator (the Federal Reserve). Specifically, the bank processed the transactions in the order presented in the Federal Reserve’s batch files. The 6th Circuit also rejected the consumer’s second breach of contract claim, which asserted that the bank’s initial debiting of eight overdraft fees violated the parties’ agreement. Under the terms of the parties’ agreement, the consumer was not required to pay more than five overdraft fees per day, and while the initial debiting of the eight charges constituted a breach, the next-business-day reversal eliminated any damages. Accordingly, the appeals court affirmed the lower court’s decision to grant summary judgment in favor of the bank.
Federal Reserve Board Amends Policy on Payment System Risk
On August 25, the Board of Governors of the Federal Reserve System (Board) published in the Federal Register an amendment to Part II of its Policy on Payment System Risk (PSR Policy) in order to “conform to enhancements to the Reserve Banks’ same-day automated clearinghouse (ACH) service.” Posting rules set forth in the PSR Policy govern the times that credits and debits are posted to institutions’ accounts at the Federal Reserve Banks and determine an institution’s intraday account balance and whether the institution has incurred a negative balance (i.e., a “daylight overdraft”).
Changes to the PSR Policy include the following:
- An ACH derived returns function to enable institutions to generate returns via FedLine Web using information from the forward ACH items received through FedACH. The function is intended for institutions that lack the ability to generate returns on their own. Because the derived returns function uses information not available until the day after the processing day for forward ACH items, the Reserve Banks will provide users of the function an interim solution: a same-day paper return option for same-day forward entries greater than $10,000.
- Clarification of posting times for paper returns and paper notifications of change of prior-dated items. Because these items are manually processed by Reserve Bank staff during normal business hours, the Board has announced that posting will now only occur at 5:00 p.m. The PSR Policy has been modified to remove the 8:30 a.m. posting time. However, depending on when the Reserve Banks receive FedLine Webs returns and FedLine Web notifications of change, these items will continue to be posted at 8:30 a.m. and 5:00 p.m.
Details regarding amendments to the “Procedures for Measuring Daylight Overdrafts,” including specific details corresponding to the 8:30 a.m., 1:00 p.m., and 5:30 p.m. transaction posting times, are also included in the Board’s policy statement.
Noncash Payment Growth Highlighted in Sixth Federal Reserve Payments Study
On June 30, the Board of Governors of the Federal Reserve issued its sixth payments study entitled The Federal Reserve Payments Study 2016: Recent Developments in Consumer and Business Payment Choices. The study includes data on business and consumer noncash payments made in the United States in 2015. Among other things, the study details the differences between business and consumer payments in 2015 compared to those from 2000, general-purpose payment card use in 2015, and increases in use of alternative payment methods.
According to the report, the most popular noncash payment types among consumers were, in descending order: non-prepaid debit cards, general-purpose credit cards, checks, and finally, ACH debit transfers. For businesses, however, ACH credit transfers were the most popular, then checks, general-purpose credit cards, and non-prepaid debit cards. Consumers wrote fewer than half the number of checks in 2015 than they did in 2000 but almost doubled the number of noncash payments that they made. Businesses also cut check-writing by more than half but differed from consumers by more than doubling the number of ACH transfers that they initiated during the same period.
General-purpose or “network-branded” cards accounted for more than 65 percent of noncash payments in 2015. The data showed that 60 percent of these card accounts carried revolving debt, while 40 percent of accounts were paid in full each month.
Information on fraudulent payments also was collected and should be available in the third quarter of this year.
FDIC Restricts Bank's Card Businesses Pending BSA Compliance Enhancements
On June 5, the FDIC and a Delaware bank entered a consent order that prohibits the bank from entering into any new relationships with third-party prepaid card processors or prepaid card program managers until the FDIC approves a written report from the bank that details the steps taken by the bank to (i) implement new BSA compliance policies and procedures; (ii) improve staff training; (iii) implement controls sufficient to mitigate BSA and safety and soundness risk associated with prepaid card, credit card merchant acquiring, and ACH activities; and (iv) perform a BSA risk assessment. The order similarly restricts the bank’s activities related to credit card merchant acquiring and ACH merchant payment processing. The order does not prohibit the bank from issuing prepaid cards through existing distribution channels under existing contracts with third-parties, but does restrict certain activities related to existing credit card and ACH processing activities. In addition, the bank must (i) retain and designate BSA and OFAC officers; (ii) conduct a suspicious activity reporting look-back review; and (iii) submit periodic progress reports. Finally, the order requires increased board supervision of the bank’s BSA compliance program and mandates the creation of a board-level BSA committee.