Fraud in the payments space is nothing new. In fact, it is fairly pervasive across the (now numerous) available payment systems. And despite the clear benefits of faster payments, the advent of faster, more easily accessible methods of payment has given rise to new opportunities for fraudsters.
From bill payment and payroll to the “behind the scenes” funds settlement mechanisms of the various payment applications we use daily, one of the primary payment systems used by consumers and businesses alike is the ACH network. The National Automated Clearing House Association (“Nacha”) establishes the rules governing the ACH network (“Rules”). In March of 2024, Nacha voted on and approved 15 amendments to the Rules, including several revisions intended to strengthen ACH network participants’ ability to detect potential fraud and to recover funds efficiently when fraud does take place (collectively, the “Risk Management Topics”). Several of these Risk Management Topics go into effect on October 1, 2024, while others that may require more technical lead time have staggered effective dates over the next few years. Understanding the requirements, and the opportunities, presented by these new Risk Management Topics is critical for financial institutions and corporations alike. Below is a high-level summary of the new Risk Management Topics for your consideration.
- Expanded use cases of the R17 and R06 Return Reason Codes. When a financial institution receives a debit or credit entry from another financial institution through the ACH network, the Rules permit the Receiving Depository Financial Institution (“RDFI”) to return that entry to the Originating Depository Financial Institution (“ODFI”). The RDFI must follow explicit parameters set forth in the Rules surrounding the return of these ACH entries, including that a Return Reason Code, identifying the reason for the return, be attached to the returned entry. The new revisions to the R06 and R17 Return Reason Codes provide both ODFIs and RDFIs with more discretion with respect to the return of entries they suspect to be fraudulent.
Prior to October 1, 2024, the R06 Return Reason Code was used by ODFIs to request that the RDFI return an entry that was either an “Erroneous Entry” (which is narrowly defined) or that was a credit entry initiated without the authorization of the Originator. The new revision allows ODFIs to use R06 to request a return from the RDFI for any reason.
The R17 Return Reason Code was previously used by RDFIs to return entries that: (a) the RDFI could not process; (b) contained an invalid account number and that the RDFI suspected were initiated under questionable circumstances; or (c) the RDFI or Receiver identified as an improper reversal of an entry. As revised, an RDFI can use R17 to return entries it believes were initiated under “questionable circumstances” without requiring that there also be an error in the account number. This includes entries transmitted without an Originator’s authorization and entries originated under False Pretenses (as defined below).
Financial institutions should ensure their internal procedures reflect the new use cases of R06 and R17, and corporates should be educated on the additional avenues for requesting or initiating returns through their financial institution.
| Risk Management Topic | Key Takeaways | Effective Date |
|---|---|---|
| Expanded Use of ODFI Request for Return (R06) | An ODFI may now request that an RDFI return any entry for any reason, including suspected fraud. The RDFI retains sole discretion over whether to honor the request, but must now respond to the ODFI within 10 Banking Days. Importantly, the ODFI must still indemnify the RDFI for such requested returns. | Phase 1 (October 1, 2024): ODFIs may begin using R06 for any reason. Phase 2 (April 1, 2025): RDFIs must have procedures in place to respond to an R06 request in a timely manner. |
| Codifying Expanded Use of R17 | An RDFI may (but is not required to) return any entry it believes, in its sole discretion, to be fraudulent. An RDFI exercising this right must return the entry within the two-Banking-Day return time frame and must include the descriptor “QUESTIONABLE” in the return’s Addenda Information field. | October 1, 2024 |
- Additional Funds Availability Exceptions. Previously, the Rules allowed an RDFI to delay funds availability of ACH credits to a Receiver if the RDFI reasonably believed it was an unauthorized credit entry (e.g. in the event of an account takeover of an Originator’s account). As revised, the Rules will now also allow an RDFI to delay funds availability if it reasonably believes that a credit was unlawful, suspicious, or otherwise sent under False Pretenses. The revised Rules define “False Pretenses” as “the inducement of a payment by a Person misrepresenting: (a) that Person’s identity, (b) that Person’s association with or authority to act on behalf of another Person, or (c) the ownership of an account to be credited.” This definition is intended to cover common fraud scenarios like business email compromise, vendor impersonation, and other payee impersonations where the Originator is induced by a third party to authorize an entry. Identifying what is, and what is not, an instance of False Pretenses is nuanced; for example, while a business email compromise or vendor impersonation that induces someone to make a payment to a fraudster would constitute False Pretenses, a corporate account takeover or a payment intentionally made to a legitimate Receiver who then uses the funds for something other than for the Originator’s intended purpose would not. RDFIs will need to review their internal policies and procedures with respect to monitoring potential unauthorized credits and credits initiated under False Pretenses.
| Risk Management Topic | Key Takeaways | Effective Date |
|---|---|---|
| Additional Funds Availability Exceptions | An RDFI may, but is not required to, delay funds availability (subject to applicable law, including Regulation CC) if it reasonably believes a credit entry was originated under False Pretenses, not only if it believes the entry was unauthorized. | October 1, 2024 |
- Timing of Written Statements of Unauthorized Debit (“WSUDs”) and Prompt Return of Unauthorized Debits. The existing Rules require that an RDFI receive a WSUD from consumers on or after the Settlement Date (as defined in the Rules) of an unauthorized debit in order to return it as unauthorized. However, technological developments have created an environment where a Receiver may become aware of a pending unauthorized debit before its actual Settlement Date. The new revisions to the Rules allow for more flexibility in the timing of a consumer completing a WSUD. The existing Rules were also silent as to exactly how quickly an RDFI was required to take action based on a WSUD it received from a consumer Receiver; it merely required that entries returned as unauthorized be transmitted to the ODFI within a certain timeframe. Now, there is a requirement that RDFIs return such unauthorized entries no later than the opening of business on the sixth (6th) Banking Day following the completion of their review of the Receiver’s signed WSUD. The revisions related to consumer WSUDs and unauthorized debits are designed to allow Receivers and RDFIs to more quickly respond to potential unauthorized debits, thus mitigating risk of additional fraudulent transactions and helping make the affected parties whole more quickly. RDFIs will need to review their internal policies and procedures associated with the handling of WSUDs and returning entries as unauthorized.
| Risk Management Topic | Key Takeaways | Effective Date |
|---|---|---|
| Timing of WSUDs | A consumer Receiver may complete a WSUD on or after the date on which the entry is presented to the Receiver, even if that is before the debit posts to the Receiver’s account. | October 1, 2024 |
| Prompt Return of Unauthorized Debits | An RDFI must return a consumer Receiver’s unauthorized debit for which it has received a WSUD no later than the opening of business on the 6th Banking Day following the completion of the RDFI’s review of the completed WSUD, but in no case later than the 60th calendar day following the Settlement Date of the original debit. | October 1, 2024 |
- Fraud Monitoring by Non-Consumer Originators, Third-Party Senders, Third-Party Service Providers, and ODFIs. The current Rules require non-consumer Originators to, among other things, use commercially reasonable fraudulent transaction detection systems when originating WEB debits and also when originating Micro-Entries. However, there was no corresponding requirement with respect to other SEC codes or to credits other than Micro-Entries. The revised Rules will require non-consumer Originators, as well as Third-Party Senders, Third-Party Service Providers, and ODFIs, to develop risk-based policies and procedures to identify fraudulent transactions more broadly. Importantly, a risk-based analysis cannot be used to conclude that no monitoring is needed on a going-forward basis. All non-consumer Originators, Third-Party Senders, Third-Party Service Providers and ODFIs are required to, at a minimum, conduct risk assessments to identify, qualify, and quantify the risks they face. All impacted parties should evaluate their current policies and procedures, update them accordingly, and continue to review them on an annual basis and update as needed.
| Risk Management Topic | Key Takeaways | Effective Date |
|---|---|---|
| Fraud Monitoring by Non-Consumer Originators, Third-Party Senders, Third-Party Service Providers, and ODFIs | Non-Consumer Originators, Third-Party Senders, Third-Party Service Providers, and ODFIs must implement fraud detection to detect and prevent fraud for both debits and credits generally, including: (a) establishing and implementing risk-based processes and procedures, relevant to the role the party plays in the authorization or transmission of entries, that are reasonably intended to identify entries suspected of being unauthorized or authorized under False Pretenses; and (b) reviewing those processes and procedures at least annually and making appropriate updates to address evolving risks. | Phase 1 (March 20, 2026): all ODFIs, and those Third-Party Senders, Third-Party Service Providers, and non-consumer Originators whose 2023 annual origination volume exceeded 6 million entries, must have these processes in place. Phase 2 (June 19, 2026): all other Third-Party Senders, Third-Party Service Providers, and non-consumer Originators must be compliant with the new Rule. |
- Credit Monitoring by RDFIs. Historically, the onus has been on Originators and ODFIs to safeguard against fraudulent credit entries entering the ACH network, with the RDFIs having been largely omitted from that responsibility. However, RDFIs are in the unique position of being able to recognize when a Receiver’s account is receiving atypical credit entries (for example, based on their typical account balance, or the age of the account). Thus, under the revised Rules, RDFIs will now be required to establish and implement processes and procedures to help identify and mitigate fraudulent credit entries. RDFIs should update their internal policies and procedures to include this new monitoring obligation, and should ensure staff is appropriately trained to perform whatever monitoring the RDFI decides to implement.
| Risk Management Topic | Key Takeaways | Effective Date |
|---|---|---|
| RDFI ACH Credit Monitoring | RDFIs must implement processes and procedures to identify unauthorized credit entries as well as credit entries initiated under False Pretenses, and must review those processes and procedures annually and make any indicated updates. This new monitoring responsibility does not modify or supersede the ODFI’s warranty that the entries it introduces to the network are authorized, nor does it reallocate liability between ODFIs and RDFIs. | Phase 1 (March 20, 2026): RDFIs whose 2023 receipt volume exceeded 10 million entries must be compliant with the new Rule. Phase 2 (June 19, 2026): all other RDFIs must be compliant with the new Rule. |
- Standard Company Entry Descriptions: PAYROLL and PURCHASE. The Company Entry Description field of the ACH file already exists under the Rules; it is a 10-character field in the batch header used to identify batches containing certain types of entries, including reversals (REVERSAL) and reinitiated entries (RETRY PYMT). The new updates to the Rules will require that non-consumer Originators, Third-Party Senders, Third-Party Service Providers, and ODFIs (as applicable) also use two new Standard Company Entry Descriptions: (a) PPD credits for the payment of wages or other similar compensation must carry the Company Entry Description “PAYROLL”, and (b) e-commerce purchases, meaning debits authorized by a consumer online for the online purchase of goods, must carry the Company Entry Description “PURCHASE”. The goal in adding these qualifiers is to help all network participants more readily identify, and monitor, transaction types that are frequently associated with fraud. Non-consumer Originators, Third-Party Senders, Third-Party Service Providers, and ODFIs (as applicable) will need to ensure they are categorizing their payments correctly and populating these new Standard Company Entry Descriptions when creating their files.
| Risk Management Topic | Key Takeaways | Effective Date |
|---|---|---|
| Standard Company Entry Descriptions | Certain transactions will require the use of PAYROLL and PURCHASE in the Company Entry Description field of the ACH file. | March 20, 2026, but Originators may begin using these descriptions prior to the Effective Date. |
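One way to build the pre-transmission check that this topic calls for, as an added example that is not Nacha’s code or any vendor’s product: in the fixed-width Nacha file format, each batch header is a 94-character “5” record carrying the Standard Entry Class Code at positions 51-53 and the 10-character Company Entry Description at positions 54-63, so a file can be scanned before it leaves the Originator. The check needs the Originator’s own classification of each batch (a wage run or an e-commerce settlement) because the file alone cannot distinguish a wage credit from any other PPD credit; that `purposes` input, the assumption that e-commerce purchase debits are WEB entries, and the sample records are all constructed for this example.

```python
"""Pre-transmission check of Nacha ACH Batch Header Records for the Standard Company
Entry Descriptions PAYROLL and PURCHASE. Added example for this article, not Nacha's or
any vendor's code; field offsets follow the fixed-width 94-character Nacha file format,
and the sample records and the 'purpose' classification are constructed."""
from dataclasses import dataclass

# Batch Header Record ("5" record) fields used here, as 0-based slices; the
# Nacha positions in the comments are 1-based.
SERVICE_CLASS = slice(1, 4)        # pos 2-4: 200 mixed, 220 credits only, 225 debits only
SEC_CODE = slice(50, 53)           # pos 51-53: Standard Entry Class Code (PPD, WEB, CCD, ...)
ENTRY_DESCRIPTION = slice(53, 63)  # pos 54-63: Company Entry Description, 10 characters
BATCH_NUMBER = slice(87, 94)       # pos 88-94


@dataclass
class BatchHeader:
    batch_number: str
    service_class: str
    sec_code: str
    entry_description: str


def parse_batch_header(record: str) -> BatchHeader:
    """Extract the fields needed for the check from one batch header line."""
    if len(record) != 94 or record[0] != "5":
        raise ValueError("not a 94-character Batch Header Record")
    return BatchHeader(record[BATCH_NUMBER], record[SERVICE_CLASS], record[SEC_CODE],
                       record[ENTRY_DESCRIPTION].strip().upper())


def check_entry_description(hdr: BatchHeader, purpose: str) -> list:
    """Findings for one batch. `purpose` ("wages", "ecommerce" or "other") is the
    Originator's own classification, assumed to come from the originating system:
    the file alone cannot tell a wage credit from any other PPD credit. Assumes
    e-commerce purchase debits are WEB entries (consumer debits authorized online)."""
    findings, b = [], f"batch {hdr.batch_number}"
    credits_only, debits_only = hdr.service_class == "220", hdr.service_class == "225"
    if purpose == "wages":
        if hdr.sec_code != "PPD" or debits_only:
            findings.append(f"{b}: wage payments expected as PPD credits, found {hdr.sec_code}/{hdr.service_class}")
        if hdr.entry_description != "PAYROLL":
            findings.append(f"{b}: wage credits must carry PAYROLL, found {hdr.entry_description!r}")
    elif purpose == "ecommerce":
        if hdr.sec_code != "WEB" or credits_only:
            findings.append(f"{b}: e-commerce purchases expected as WEB debits, found {hdr.sec_code}/{hdr.service_class}")
        if hdr.entry_description != "PURCHASE":
            findings.append(f"{b}: purchase debits must carry PURCHASE, found {hdr.entry_description!r}")
    # Descriptor-versus-content consistency regardless of declared purpose: the
    # standard descriptions must not appear on batches they cannot describe.
    if hdr.entry_description == "PAYROLL" and (hdr.sec_code != "PPD" or debits_only):
        findings.append(f"{b}: PAYROLL on a non-PPD or debit batch ({hdr.sec_code}/{hdr.service_class})")
    if hdr.entry_description == "PURCHASE" and credits_only:
        findings.append(f"{b}: PURCHASE on a credits-only batch")
    return findings


def audit_file(lines, purposes: dict) -> list:
    """Check every batch header in a file; `purposes` maps batch number to purpose."""
    findings = []
    for line in lines:
        if line[:1] == "5":
            hdr = parse_batch_header(line)
            findings.extend(check_entry_description(hdr, purposes.get(hdr.batch_number, "other")))
    return findings


def build_batch_header(service_class, company_name, sec_code, entry_description, batch_number):
    """Assemble a 94-character Batch Header Record for the constructed sample."""
    rec = ("5" + service_class
           + company_name.ljust(16)[:16]         # Company Name
           + " " * 20                            # Company Discretionary Data (blank)
           + "1234567890"                        # Company Identification (constructed)
           + sec_code
           + entry_description.ljust(10)[:10]    # Company Entry Description
           + " " * 6                             # Company Descriptive Date (blank)
           + "241001"                            # Effective Entry Date, YYMMDD (constructed)
           + " " * 3                             # Settlement Date (filled in by the ACH Operator)
           + "1"                                 # Originator Status Code
           + "09100001"                          # ODFI Identification (constructed)
           + batch_number.zfill(7))
    assert len(rec) == 94
    return rec


# Constructed sample: only the batch header records of a file are shown.
SAMPLE_FILE = [
    build_batch_header("220", "ACME PAYROLL", "PPD", "PAYROLL", "1"),     # compliant
    build_batch_header("220", "ACME PAYROLL", "PPD", "DIRECT DEP", "2"),  # legacy descriptor
    build_batch_header("225", "ACME STORE", "WEB", "ONLINE ORD", "3"),    # legacy descriptor
    build_batch_header("225", "ACME VENDORS", "CCD", "PAYROLL", "4"),     # descriptor misused
]
SAMPLE_PURPOSES = {"0000001": "wages", "0000002": "wages", "0000003": "ecommerce"}

if __name__ == "__main__":
    for finding in audit_file(SAMPLE_FILE, SAMPLE_PURPOSES):
        print(finding)
```

Run against the constructed sample, the first batch passes and the other three produce one finding each: a wage batch still using a legacy “DIRECT DEP” description, a WEB purchase batch without “PURCHASE”, and a CCD debit batch that misuses “PAYROLL”. The last check matters because the new descriptions are meant to let RDFIs monitor payroll and purchase traffic; a mislabelled batch defeats that purpose even when nothing else in the file is wrong.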
While the above Risk Management Topics may require substantial changes to the policies and procedures of the affected participants, the overarching result is expected to be a more secure network that is more readily able to stave off, combat, and ultimately remedy fraud.
Please contact us if you have any questions or concerns about how the Risk Management Topics will affect your institution.