Updates to NACHA Rules
Notification of Change
Effective: June 21, 2024
Originators may, at its discretion, make changes to an NOC related to a Single Entry regardless of the SEC Code.
- Previously required flag to identify certain TEL and WEB entries as single entries is no longer required by the rules
Data Security Requirements
Effective: June 21, 2024
Each non-consumer Originator, each Third-Party Service Provider and each Third-Party Sender must render account numbers unreadable when stored electronically.
- Applies to entities whose annual ACH origination volume exceeds 2 million entries
- Newly covered entities must comply by June 30 the year after triggering the 2 million threshold for the first time
- Grace period does not apply to entities already covered by the rule
ACH Rules and Risk Management
Effective: October 1, 2024
- Use is optional by RDFIs ( i.e. no compliance obligation by the implementation date)
This rule explicitly allows, but does not require, an RDFI to use R17 to return an entry that it thinks is fraudulent
- Such use is optional and at the discretion of the RDFI
- The rule retains the current requirement to include the descriptor QUESTIONABLE I the return addenda record for such use
- The Rules provide for using the return code that most closely approximates the reason for the return
- The amendment is intended to improve the recovery of funds originated due to fraud
Expanded Use of ODFI Request for Return-R06
Effective: October 1, 2024
This rule expands the permissible uses of the Request for Return to allow an ODFI to request a return from the RDFI for any reason.
- The ODFI still indemnifies the RDFI for compliance with the request
- Compliance by the RDFIs remains optional
- An RDFI’s only obligation to the ODFI is to respond to the ODFI’s request within 10 banking days of receipt of the ODFI’s request
- This rule is intended to improve the recovery of funds when fraud occurs
Additional Funds Availability Exceptions
Effective: October 1, 2024
- Use is optional by RDFIs (i.e.., no implementation or compliance obligation by the effective date)
New working language to better define new use cases:
“An RDI that reasonably suspects that a credit Entry is unauthorized or was authorized by the Origination under False Pretenses is exempt from the funds availability requirements of this Subsection 3.3.1. An RDFI invoking any such an exemption must promptly notify the ODFI”
- The inclusion of “reasonable steps” is intended to acknowledge and accommodate circumstances in which it is not reasonable for an RDFI to promptly notify the ODFI; e.g., an event involving a large volume of entries
- The rule is not intended to alter an RDFI’s obligation to promptly make funds available as required by the Rules. An RDFI cannot delay funds availability because it has not screened an ACH credit; but it can delay funds availability if its fraud detection processes and procedures identifies a flag
- This definition covers common fraud scenarios such as Business Email Compromise (BEC), vendor impersonation, payroll impersonation, and other payee impersonations, and complements language on “unauthorized credits” (account takeover scenario). It does not cover scams involving fake, non-existent or poor-quality goods or services
Timing of Written Statement of Unauthorized Debit (WSUD)
Effective: October 1, 2024
This rule will allow a WSUD to be signed and dated by the Receiver on or after the date on which the Entry is presented to the Receiver (either by posting to the account or by notice of a pending transaction), even if the debit has not yet been posted to the account
- Through digital notifications and alerts, a consumer may be able to report an unauthorized debit prior to the debit posting to his or her account
- Allowing such a debit to post after being reported may cause harm to the Receiver
When a consumer account holder notifies an RDFI of an unauthorized debit, the RDFI must obtain a signed Written Statement of Unauthorized Debit (WSUD) to return the debit - The current Rules require that the WSUD be dated on or after the Settlement Date of the Entry.This rule is intended to improve the process and experience when debits are claimed to be unauthorized