Rules


NEACH is your source for information on recent and upcoming changes to the NACHA Operating Rules. Stay informed about ACH payment requirements, review current and upcoming Rules, including each Rule’s impact and details, and quickly access additional information from NACHA – The Electronic Payments Association, all from one convenient location.

RISK MANAGEMENT TOPICS

Effective Date - October 1, 2024

 

These Rule amendments become effective on Oct 1, 2024 and are part of a larger Risk Management package intended to reduce the incidence of successful fraud attempts and improve the recovery of funds after frauds have occurred.
 

Details
 

Included in this portion of the Risk Management Rule amendments are:
 

  • Codifying Expanded Use of Return Reason Code R17,
  • Expanded Use of ODFI Request for Return/R06,
  • Additional Funds Availability Exceptions,
  • Timing of Written Statement of Unauthorized Debit, and
  • RDFI Must Promptly Return Unauthorized Debit.

Technical


Codify Use of Return Reason Code R17


This rule will explicitly allow, but not require, an RDFI to use R17 to return an entry that it thinks is fraudulent.

  • Such use is optional and at the discretion of the RDFI.
  • The rule retains the current requirement to include the descriptor QUESTIONABLE in the return addenda record for such use.
  • The amendment is intended to improve the recovery of funds originated due to fraud.


Some RDFIs already may be able to identify an ACH entry that is fraudulent and want to return the entry on this basis.

  • There currently is no defined Return Reason Code for this use.
    • Unauthorized reasons are based on a customer contact, dispute or claim.
  • The Rules provide for using the return code that most closely approximates the reason for the return.
    • Nacha guidance has been that R17 is likely the closest return code for incidents of potential fraud.


This new Rule also includes references to a newly defined term, False Pretenses:

  • “the inducement of a payment by a Person misrepresenting (a) that Person’s identity, (b) that Person’s association with or authority to act on behalf of another Person, or (c) the ownership of an account to be credited.”


This definition covers common fraud scenarios such as Business Email Compromise (BEC), vendor impersonation, payroll impersonation, and other payee impersonations, and complements language on “unauthorized credits” (account takeover scenario).  It does not cover scams involving fake, non-existent or poor-quality goods or services.



Expanded Use of ODFI Request for Return/R06


This rule expands the permissible uses of the Request for Return to allow an ODFI to request a return from the RDFI for any reason.

  • The ODFI would still indemnify the RDFI for compliance with the request.
  • Compliance by the RDFI would remain optional.
  • An RDFI’s only obligation to the ODFI would be to respond to the ODFI’s request.
    • Regardless of whether the RDFI complies with the ODFI’s request to return the Entry, the RDFI must advise the ODFI of its decision or the status of the request within ten (10) banking days of receipt of the ODFI’s request.
  • This rule is intended to improve the recovery of funds when fraud has occurred.



Additional Funds Availability Exceptions


This rule provides RDFIs with an additional exemption from the funds availability requirements to include credit entries that the RDFI suspects are originated under false pretenses.

  • The additional exemption provides RDFIs with a tool under the Rules regarding questionable entries.
  • RDFIs are still subject to requirements under Regulation CC for funds availability.
  • The rule is intended to improve the recovery of funds when fraud has occurred.
  • The rule is not intended to otherwise alter an RDFI’s obligation to promptly make funds available as required by the Rules.  An RDFI cannot delay funds availability because it has not screened an ACH credit, but it can delay funds availability if its fraud detection processes and procedures identify a flag.


Currently, the Nacha Rules provide RDFIs with an exemption from funds availability requirements if the RDFI reasonably suspects the credit entry was unauthorized.

  • This exemption encompasses cases of account takeovers, in which a party that is not the Originator is able to initiate an ACH credit from the Originator’s account.


This new Rule also includes references to a newly defined term, False Pretenses:

  • “the inducement of a payment by a Person misrepresenting (a) that Person’s identity, (b) that Person’s association with or authority to act on behalf of another Person, or (c) the ownership of an account to be credited.”


This definition covers common fraud scenarios such as Business Email Compromise (BEC), vendor impersonation, payroll impersonation, and other payee impersonations, and complements language on “unauthorized credits” (account takeover scenario).  It does not cover scams involving fake, non-existent or poor-quality goods or services.



Timing of Written Statement of Unauthorized Debit (WSUD)


This rule will allow a WSUD to be signed and dated by the Receiver on or after the date on which the Entry is presented to the Receiver (either by posting to the account or by notice of a pending transaction), even if the debit has not yet been posted to the account.

  • Through digital notifications and alerts, a consumer may be able to report an unauthorized debit prior to the debit posting to his or her account.
  • Allowing such a debit to post after being reported may cause harm to the Receiver.


When a consumer account holder notifies an RDFI of an unauthorized debit, the RDFI must obtain a signed Written Statement of Unauthorized Debit (WSUD) to return the debit.

  • The current Rules require that the WSUD be dated on or after the Settlement Date of the Entry.


This rule is intended to improve the process and experience when debits are claimed to be unauthorized.


The amendment does not otherwise change the requirement for an RDFI to obtain a consumer’s WSUD.



RDFI Must Promptly Return Unauthorized Debit


This amendment will require that when returning a consumer debit as unauthorized in the extended return timeframe, the RDFI must do so by the opening of the sixth Banking Day following the completion of its review of the consumer’s signed WSUD.

  • The amendment is intended to improve the recovery of funds and reduce the incidence of future fraud.
  • The prompt return of an unauthorized debit alerts an ODFI and an Originator to a potential problem.
  • This is also true in first-party fraud schemes in which the party who disputes the debit Entry is the same party who benefits from the original entry.
  • A prompt return supports controls that an Originator may have enabled, such as a hold on funds or delayed shipment of merchandise.
  • This amendment does not change reasons or requirements for obtaining a Written Statement of Unauthorized Debit.


Quick responses can be significant when responding to fraud. In the days immediately following posting of an unauthorized debit Entry, any delay in processing a return may expose the ODFI or Originator to additional risk.


Impact


Codify Use of Return Reason Code R17

Effective date – Oct 1, 2024
Codification of this practice should become effective as soon as possible; use will be optional by RDFIs (i.e., no compliance obligation by the implementation date).


Anticipated Benefits

  • Provides clarity on the use and meaning of the R17 Return Reason Code.
  • RDFIs would have a return reason to use at their option.
  • ODFIs/Originators/Third-Party Service Providers would potentially receive funds back in questionable situations, while receiving a clear message related to the reason for return.
  • Enhances an ODFI’s and an Originator’s ability to prevent future transactions.


Potential Impacts

  • Technical changes are not expected to be significant for FIs or other parties, as R17 with the QUESTIONABLE descriptor is in use today. Documentation may require updating.
  • Education is required for proper usage by each participant.
  • RDFIs should be cognizant of the potential for false positives.

 


Expanded Use of ODFI Request for Return/R06

Effective date – Oct 1, 2024
Codification of this practice should become effective as soon as possible; use would be optional by ODFIs (i.e., no compliance obligation by the implementation date).


Anticipated Benefits

  • Creates additional opportunities to recover funds lost to fraud.
  • Aligns the Rules language for this return with anecdotally-understood current business practices for some Originators/ODFIs.
  • Provides more flexibility for ODFIs that want to indemnify and request the RDFI return a transaction for any reason.


Potential Impacts

  • May require procedural changes for ODFIs and RDFIs.
  • Education and documentation for all participants on the new reason.



Additional Funds Availability Exceptions


Effective date – Oct 1, 2024
Codification of this practice should become effective as soon as possible; use would be optional by RDFIs (i.e., no compliance obligation by the implementation date).


Anticipated Benefits

  • Improves the potential for recovery of funds when fraud has occurred.
  • Provides participants with an additional tool to manage potentially questionable or suspicious transactions that fall under the authorized fraud category.
  • Provides additional time for RDFIs and ODFIs to communicate before funds availability is required.


Potential Impacts

  • RDFIs taking advantage of this exemption are required to contact the ODFI to inform them of the exemption.
  • RDFIs may need to update policies and procedures to take advantage of the expanded use.



Timing of Written Statement of Unauthorized Debit (WSUD)


Effective date – Oct 1, 2024
Codification of this practice should become effective as soon as possible; use would be optional by RDFIs (i.e., no compliance obligation by the implementation date).


Anticipated Benefits

  • Moving transaction data more quickly can help manage risk.
  • RDFIs could obtain WSUDs from account-holders prior to an unauthorized debit posting to the account.
  • Receivers may be less impacted by unauthorized, and potentially fraudulent, transactions.
  • ODFIs, Third-Party Senders and Originators may receive returns more quickly.


Potential Impacts

  • Changes are not required for RDFIs. RDFIs may want to explore ways to use electronic notifications and alerts, and electronic WSUDs.
  • Education for RDFI front-line and operational staff is expected for proper usage and to gain full benefit of this Rule change. 



RDFI Must Promptly Return Unauthorized Debit

Effective date of October 1, 2024
Some implementation effort by some RDFIs.

  • Some RDFIs might need to adjust return processes to achieve timing requirement.
  • Avoids overlap with other effective dates proposed.


Anticipated Benefits

  • Accelerating some returns can help manage risk.
  • RDFIs that currently delay returns would be made whole more quickly through the return settlement process.
  • ODFIs, Third-Party Senders and Originators would receive some returns more quickly, reducing their exposure to losses and to future unauthorized debits.


Potential Impacts

  • Some RDFIs may need to improve procedures for processing extended returns after receiving a customer’s completed WSUD.


RDFIs may need to educate operations staff and update procedures related to handling consumer unauthorized debit claims.

 

For information on ACH Rules, please visit: www.nacha.org/newrules
