ACH Quality and Risk Management Topics

Effective on June 21, 2019

BACKGROUND:

ACH Quality and Risk Management Topics - there are three amendments that relate to Quality of the network and Risk Management. Each amendment has its own unique effective date.

Return for questionable transaction

Effective June 21, 2019

The R17 Return Reason Code will be amended to include the ability for RDFI’s to return entries that appear questionable or suspicious. Currently RDFI’s do not have a defined Return Reason Code to return an entry to alert the ODFI that the entry appears suspicious. The RDFI only has the option of the standard administrative reasons R03 (No Account/Unable to locate account) or R04 (Invalid Account Number Structure). This new Return Reason Code will draw attention to the entry and can be separated from routine account number issues. When a RDFI chooses to return an entry using R17 “QUESTIONABLE” will need to be in the Addenda Information field of the return. The option to return entries for this reason is completely optional and at the discretion of the RDFI.

The R17 Return Reason Code will continue to be used in the NACHA coordinated opt-in program with federal and state tax agencies for the return of questionable tax refunds. Also, the R17 Return Reason Code will continue to be used for returns involving required field errors. ODFI’s will be able to determine if the entry was returned for questionable to suspicious reasons by the Addenda Information field containing the word “QUESTIONABLE”.

WHERE CAN I LEARN MORE:

NACHA: https://www.nacha.org/rules/return-questionable-transaction

 

Fraud Detection Standards for WEB Debits

Effective January 1, 2020

Currently Originators must use commercially reasonable methods to screen WEB debits for fraud. The amendment to this rule adds a new layer for fraud security to their detection system. Originators will be required to add account validation to their fraud detection system. This change applies to first time account numbers or changes to account numbers. Originators will not to valid existing customer account numbers unless there is a change to their account number. How Originators choose to validate account numbers is at their discretion as long as it is considered commercially reasonable.

 

WHERE CAN I LEARN MORE:

NACHA: https://www.nacha.org/rules/supplementing-fraud-detection-standards-web-debits

 

Supplementing DATA Security Requirements

Implemented in 2 Phases: June 30, 2020 and June 30, 2021

These changes were created to enhance the confidentiality and integrity of Protected Information when stored electronically. This rule expands on the existing ACH Security Framework to specifically require large, non-financial institution Originators, Third-Party Service Providers and Third-Party Senders to protect account numbers used in ACH entries by rendering them unreadable when stored electronically. This rule aligns with existing PCI requirements so industry participants are expected to already be reasonably aware ad familiar with this requirement. This rule only applies to account numbers collected and stored electronically and does not apply to records that are stored on paper.

Implementation will roll out in 2 phases starting with the largest Originators, Third-Party Service Providers and Third-Party Senders. Phase one is effective on June 30, 2020 and any Originators, Third-Party Service Providers and Third-Party Senders that originates 6 Million or more ACH Transactions in a calendar year will need to be compliant with this rule. Phase two is effective June 30, 2021 and any Originators, Third-Party Service Providers and Third-Party Senders that originates 2 Million or more ACH Transactions in a calendar year will need to be compliance.

 

WHERE CAN I LEARN MORE:

NACHA: https://www.nacha.org/rules/supplementing-data-security-requirements