NEWS: Nacha, the organization that governs the ACH network, announced that its members approved a new set of rules aimed at reducing the incidence of frauds, such as business email compromise (BEC), that make use of credit-push payments. Push payments are where the payer takes the initiative to send money to the payee.
While these rules do not alter the liability for ACH payments, they do assign a defined role to receiving depository financial institutions (RDFIs) in monitoring the ACH payments they receive. The announcement goes on to say:
“All participants in the ACH Network have a part to play in reducing the incidence of fraud, and recovering when fraud has occurred,” said Jane Larimer, Nacha President and CEO. “I applaud Nacha’s members for taking this important step of self-governance.”
BEC, vendor impersonation and payroll impersonation are some examples of frauds that result in payments being “pushed” from a payer’s account to the account of a fraudster. The FBI’s Internet Crime Complaint Center’s 2023 annual report found there were 21,489 BEC complaints in 2023 totaling $2.9 billion in reported losses, making it the second-costliest type of cyber-crime.
*****
The new rules follow the flow of a credit-push payment to promote the detection of fraud from the point of origination through the point of receipt at an account at the RDFI. When fraud is detected, the rules empower the originating financial institution (ODFI) to request the return of the payment for any reason; the RDFI to delay funds availability (within the limits of Regulation CC) to examine the payment more closely; and the RDFI to return a suspicious transaction on its own initiative without waiting for a request or a customer claim. An additional rule facilitates transaction monitoring by RDFIs by applying a standard transaction description for ACH credits used for payroll payments.
The following risk management rules become effective on October 1, 2024, and are part of a larger risk management package intended to reduce the incidence of fraud and improve the recovery of funds after fraud has occurred:
- The rules explicitly allow, but not require an RDFI to use return reason code R17 to return an entry that it thinks is fraudulent. The rule retains the current requirement to include the descriptor “questionable” in the return addenda record.
- The rules expand the use of the ODFI request for return R06 return code. They allow an ODFI to request a return from the RDFI for any reason. The ODFI would still indemnify the RDFI for compliance with the request. The RDFI must advise the ODFI of its decision or the status of the request within 10 banking days of receipt of the ODFI’s request.
- The Additional Funds Availability Exceptions rule provides RDFIs with an additional exception from the funds availability requirements to include credit entries that the RDFI suspects are originated under false pretenses. RDFIs are still subject to requirements under Regulation CC for funds availability.
- The written statement of unauthorized debit (WSUD) rule will allow a WSUD to be signed and dated by the Receiver on or after the date on which the entry is presented to the receiver, even if the debit has not yet been posted to the account. The current rules require that the WSUD be dated on or after the settlement date of the entry.
- When returning a consumer debit as unauthorized, the RDFI must do so by the opening of the sixth (6th) banking day following the completion of its review of the consumer’s signed WSUD.
- Phase 1 – Requires all ODFIs, and each non-consumer originator, third-party service provider (TPSP) and third-party sender (TPS) with annual ACH origination volume in 2023 of 6 million or greater to establish and implement risk-based processes and procedures reasonably intended to identify ACH entries initiated due to fraud.
- Phase 2 on June 19, 2026 – this rule will apply to all other non-consumer originators, TPSP and TPS with annual ACH origination volume of less than 6 million in 2023.
- Phase 1 – Requires RDFIs with annual ACH receipt volume of 10 million or more in 2023 to establish and implement risk-based processed and procedures designed to identify credit entries initiated due to fraud.
- Phase 2 on June 19, 2026 – this rule will apply to all other RDFIs with annual ACH receipt volume of less than 10 million in 2023.
- Established two new defined Company Entry Descriptions; PAYROLL for payroll entries, and PURCHASE to describe e-commerce purchases. Participants are able to better identify certain purposes of transactions.
The new rules work towards the goals of reducing and recovering from credit-push fraud. You can learn more about the new Nacha operating rules on their website, or contact your regional payments association with questions on the final rules.