Phase 2 of Nacha’s Micro-Entry Rule became effective as of March 17, 2023, stating “Originators of Micro-Entries will be required to use commercially reasonable fraud detection, including the monitoring of Micro-Entry forward and return volumes.”
And therein lies the uncertainty. The statement “commercially reasonable fraud detection” has historically been a point of confusion for financial institutions (FIs), precisely because it has a degree of ambiguity and what may be “commercially reasonable” for one institution may not for another one. Calls to the NEACH Payments Hotline around Micro-Entries nearly always seek clarity on what constitutes “commercially reasonable,” asking “What should monitoring look like for my organization and is what we’re doing enough?” This Member Update seeks to provide some clarity on those questions.
Why Micro-Entries Matter in Fraud Detection
Backing up and looking at this rule from a wider perspective, Nacha’s efforts were designed to support FIs in fraud detection. Micro-Entries provide a lot of information. These transactions can be telling about underlying behavior from an account, what’s going on with the transactions, and where FIs need to pay attention. While often used for legitimate account validation, micro-entries also can be leveraged by fraudsters for nefarious purposes. For instance, these entries are used by fraudsters to identify a valid account they can exploit. With screening in place for suspicious or anomalous activity, FIs can identify and flag these transactions before they grow into larger-dollar fraud.
This new Rule requires ODFIs to establish some key practices in their fraud processes, including:
- Ensuring Micro-Entries are in return volumes – ODFIs need to include Micro-Entries in transaction monitoring and ensure they are included in return rate reporting. If these Micro-Entries are unauthorized debits, they need to be incorporated to the .5% threshold, and they also should be reflected in the FI’s overall return rate.
- Monitoring for out-of-the-normal activity and suspicious behaviors – It’s also about knowing and understanding your Originators. If they normally have around 10 transactions in a period and all of a sudden you are seeing thousands, something is awry. ODFIs need to have screening in place to be able to detect that kind of activity.
- Evaluating return transactions – In addition, the type of return matters. Often, “account not on file” or “account closed” returns can be indicators of fraudsters fishing for information. ODFIs need to pay attention to these Micro-Entry returns and what they can signify.
“Commercially reasonable fraud detection” encompasses the above scenarios, ensuring that Micro-Entries are an area of focus for the ODFI.
For RDFIs, these Micro-Entries follow standard exception processing scenarios. Yet, when issuing returns back to the ODFI, they may be in the best position to call out potential fraud and more quickly react. RDFIs may be able to work with the ODFI to rectify the situation before it escalates to a higher level of fraud.
The Micro-Entry Rule begins to pave the way for RDFIs to play a more active role in fraud prevention, as is outlined in Nacha’s ACH Risk Management Framework. In fact, the latest round of potential Rules (Request for Comment: ACH Risk Management 2023; and Request for Information: ACH Risk Management 2023) being evaluated by Nacha would put some of the onus on the RDFI for supporting fraud monitoring.
How NEACH Can Help
Micro-Entries may constitute a small number of ACH transactions, but they can play a large role in fraud prevention. They are breadcrumbs that may lead us to greater issues, so FIs need to make sure they are picking them up and investigating anything out of the ordinary as they continue on their payments journey.
But this can be a complicated topic with a number of scenario-specific gray areas. NEACH is always available to address specific questions on the Rule through our Payments Hotline (855-NEACHQA). We are here to work through details with you and be your partner in determining when “commercially reasonable fraud detection” is at play, so don’t hesitate to reach out with questions and to let us know when you need further clarification.
AUTHOR: Elyssa Morgan, AAP, APRP
Vice President, Membership
As the VP of Membership for NEACH, Elyssa focuses on developing and implementing strategies to stay connected with current membership and educate on the value of membership. Connect with Elyssa to read more of her blogs, articles, and posts.