Nacha Rule Books
No part of this publication may be reproduced, retransmitted, transferred or displayed, in any form or by any means, electronic or mechanical, including by photocopy, digital transmission, recording or any information storage and retrieval system, without the prior written permission of NACHA. Requests for permission to make copies or otherwise reproduce, retransmit or otherwise exploit content of any part of this publication should be mailed or e-mailed to: Permissions, NACHA The Electronic Payments Association, Sunrise Valley Drive, Herndon, VA.

This publication is designed to provide accurate and authoritative information in regard to the subject matter covered.
If legal advice or other professional assistance is required, the services of a competent professional person should be sought. NACHA manages the development, administration, and governance of the ACH Network, the backbone for the electronic movement of money and other related data, providing a safe, secure, reliable network for direct consumer, business, and government payments.
The ACH Network is governed by fair and equitable rules that guide risk management and create certainty for all participants. Large and small financial institutions of all kinds jointly govern and utilize the Network, facilitating billions of payments annually such as Direct Deposit and Direct Payment. As the migration from paper to electronic payment continues, the cost-effective ACH Network will grow and enable innovation that strengthens the industry with creative payment solutions.
This rulebook serves as the definitive source of information governing the exchange and settlement of electronic fund transfers through the Automated Clearing House (ACH) Network. The Rules are organized around the types of participants in the ACH Network and acknowledge the major roles played by originating and receiving financial institutions, therefore dedicating large sections to each of these roles.
The Rules explicitly recognize that originating financial institutions are the entry points into the ACH Network for corporate users and third parties, and that these financial institutions are responsible for those parties' compliance with the Rules. The introductory pages of this section contain the following material.

Interpretations: Interpretations contained in this section are as binding as the NACHA Operating Rules themselves and have been issued to clarify the provisions of the NACHA Operating Rules or to provide guidance about whether a particular use or application is consistent with the Rules. Such interpretations may also have been issued for other purposes, as deemed appropriate by the Board.

Network Administration Fees: This section details the amounts of both the annual and per-entry fees, as determined from time to time by the Board of Directors of the National Association.

Read this section first to get an overview of recent developments and their impact on your. The body of the NACHA Operating Rules contains language relating to both current rules and rule changes that will take effect later in the year.
This edition of the Rules contains current rule language, followed immediately by the new rule text, which is in italics and highlighted. Rule changes within the text are indicated by a marker in the left margin, with approval and effective dates for those changes noted at the bottom of the page. A Participating DFI must comply with all other requirements of these Rules with respect to all other Entries or other aspects of the same Entry, including the timely transmission of Return Entries and the availability of funds from Entries.
Network Administration Fees
Index
Chapter 1: Overview of the System
Chapter 2: Legal Framework
Chapter 4: General Rules
Interpretative Rules

The NACHA Board believes that the Automated Clearing House Network must maintain the highest standards of fraud prevention to retain the integrity of the payment mechanism and the trust and confidence of its users.
Therefore, the NACHA Board resolves and strongly urges that all participants implement adequate control systems to detect and prevent fraud and abusive financial transactions. This interim policy is not intended to address data comparable to that contained in ACH files that is obtained from other sources, such as check collection. This interim policy is effective September 28. Compliance with this interim policy will not be enforced as a rule until NACHA has adopted a formal rule regarding data breaches; however, the Board expects that institutions will take advantage of the notification procedures described here in order to better manage the risk arising out of data breaches that involve Consumer-Level ACH Data.
This interim policy does not supersede any other data breach notification requirements to which ACH Network participants may be subject under applicable law or regulation.

Data Breach Event: For purposes of this interim policy, a data breach is defined as the loss, theft or unauthorized access of Consumer-Level ACH Data by or from any ODFI or Originator or any of their respective third-party service providers using the ACH Network, or any affiliate of the foregoing, under circumstances indicating that the misuse of such information has occurred or is reasonably possible.
Consumer-Level ACH Data: With respect to this interim policy, Consumer-Level ACH Data means the following information with respect to consumer customers of an RDFI gathered by an ODFI or Originator or any of their respective third-party service providers for the purpose of initiating ACH transactions: (1) a bank account number together with a bank routing number; or (2) the customer's name together with the customer's social security number. This policy does not apply to information that is received for any other purpose, such as bank routing numbers and account numbers that are used in check processing.
Consumer-Level ACH Data that are created from checks in connection with ACH check conversion or truncation programs are covered by this interim policy. Those policies and procedures should include escalation of any breach to appropriate personnel within the organization in a timely fashion, and in the case of Originators and third party service providers, prompt notice to the designated security contact at the ODFI.
1. Approximate cause(s) of the breach incident
2. Approximate date of the breach incident
3. Approximate size of the affected population (victims)
4. The type of data exposed

Other relevant findings that may be included in the notification are as follows:

8. Any mitigating factors
NACHA may provide a standardized form that may be used for purposes of notification in accordance with this policy. ODFIs should not wait to complete their investigation before providing initial notice if sufficient information has been elicited (i) to conclude that a data breach likely occurred and that misuse of Consumer-Level ACH Data is reasonably possible and (ii) to allow RDFIs to take meaningful action in response to such notice.
While ODFIs are free to choose the Database or Databases that they use and to which they contribute, the more institutions that use the preferred Terminated Originator Database provider, the more useful it will be for each participating ODFI.
ODFIs should independently perform due diligence to determine how this information will factor into their decision-making and monitoring processes. ODFIs are free to choose the Database(s) in which they participate, but ODFIs should consider, at a minimum, contributing to and consulting the preferred Database in order to take advantage of the synergies provided by that centralized facility. This information sharing will help ODFIs, as gatekeepers to the Network, to have a more complete risk profile when determining whether or not to begin origination for an Originator or Third-Party Sender.
Cyber-thieves are becoming increasingly sophisticated at exploiting vulnerabilities in corporate systems in order to commit fraud. Corporate Account Takeover, a type of corporate identity theft in which cyber-thieves steal a business's valid online banking credentials, has recently been on the rise and represents a risk to ACH Network participants even though the roots of this criminal activity are not in banking systems themselves.
Policy Statement: Corporate Account Takeover is particularly pernicious because once a cyber-thief obtains a company's valid online banking credentials, the thief can use those credentials in a variety of ways. The thief may initiate funds transfers out of the compromised business account by ACH or wire transfer to the bank accounts of associates within the U.S. In some cases, the perpetrator may also be able to gain access to and review the business account details, such as account balances, activities and patterns, enabling the perpetrator to mimic the legitimate users and initiate transactions undetected.
Cyber-thieves employ various methods to obtain access to the banking credentials of legitimate businesses, including mimicking a legitimate institution's website, using malware and viruses to compromise the legitimate business's system, or even using social engineering to defraud employees into revealing security credentials or other sensitive data. For example, corporate systems may be compromised by (1) an infected document attached to an e-mail, (2) a link within an e-mail that connects to an infected website, (3) employees visiting legitimate websites (especially social networking sites) and clicking on the infected documents, videos or photos posted there, or (4) an employee using a flash drive that was infected by another computer.
In each case, the infected system is then exploited to obtain legitimate security credentials that can be used to access a company's corporate accounts. ODFIs should vigilantly and proactively protect against this type of fraud in various ways, including implementing systems designed to prevent and detect attempts to access a business's banking credentials and actual unauthorized access to the business's banking accounts, and by keeping their own customers informed about the importance of implementing their own systems and sound business practices to protect themselves.
Indeed, keeping customers informed of evolving risks can be an effective method to combat cyber-thieves before they get access to the banking system. The types and significance of the risk to each ODFI will vary depending on the financial institution, its business and its systems and processes. It is essential that ODFIs and other ACH participants, such as Originators and Third-Party Senders, take a risk-based approach tailored to their individual characteristics and their customers to avoid losses and liability for themselves and other ACH participants.
Issue: NACHA has been asked whether the practice of using a one-time PPD entry for the conversion of a check received at the point of purchase, rather than processing such a transaction as a POP entry (which was specifically designed for electronic check conversion), is consistent with the Rules.
NACHA understands that under this practice a retailer receives a consumer's check at the point of purchase and stamps the back of the check with authorization language for an electronic debit. The consumer then signs the authorization on the back of the check. The retailer later processes the check, captures the MICR information from the check, and originates a PPD debit entry for the amount of the check.
The retailer may also provide the consumer with a copy of the authorization language on the consumer's receipt or on another document. The check, which is voided by the merchant and returned to the consumer at the point of purchase, is used to capture the consumer's routing number, account number, and check serial number, which are used to generate the ACH debit entry to the consumer's account. For example, authorizations for POP entries do not need to refer to an ability to revoke the entry, because revocation would not be practical for POP transactions where the customer obtains the goods or services and then leaves the point of purchase.
The Rules require that the BOC entry contain specific information, including, but not limited to, the Receiver's bank routing number, account number, source document check serial number, and dollar amount of the check.
This authorization must be in writing and signed or similarly authenticated by the consumer, and the consumer must be provided with an electronic or paper copy of the authorization.
The authorization must be readily identifiable as an authorization and must clearly and conspicuously state its terms, as well as indicate that the Receiver may revoke the authorization by notifying the Originator in the manner specified in the authorization. The authorization process must evidence both the consumer's identity and his or her assent to the transaction.
Further, the Rules require that the PPD entry contain certain information, including, but not limited to, the Receiver's bank routing number and account number. Similarly, it could be argued that because, for example, the rules for POP and BOC entries do not require the Originator to provide the Receiver with a copy of the authorization at the point of sale, the requirements of POP and BOC entries and PPD entries are alternative ways of accomplishing the same general type of transaction.
Recognizing the importance of providing a legal framework within the Rules that would protect ACH participants with regard to the initiation of point-of-purchase entries, in March, the NACHA Voting Membership approved an interim rule designed to expand the definition of the PPD entry format to allow its use in initiating one-time ACH debit entries for purchases made at the point of purchase.

This interim rule was, however, only intended to be a one-year interim rule to permit the implementation of a newly created Standard Entry Class Code for point of purchase transactions: the POP entry. The rules for POP and BOC entries also establish requirements for the provision of information on the Receiver's bank account statement to enable the Receiver to identify the converted check and the location where the payment was made.
These unique requirements were intended to mitigate risk and reduce customer service problems. These requirements do not apply to PPD entries and therefore the use of PPD entries for conversion of checks received at the point of sale could result in more risk to ACH participants and customer service issues.
For example, the PPD format cannot accommodate the inclusion of the check serial number from the Receiver's source document. Similarly, the rules for PPD entries do not require the placement of this information on the Receiver's bank account statement.
This interpretation does not address the accumulation by a single merchant of multiple purchases at that merchant.

This aggregation may be attempted across multiple merchants and multiple transaction types. Accordingly, the issue has arisen whether such aggregation is permissible under the Rules, and if so, how such transactions should be handled within the existing Rules.
Moreover, since the payee of such transactions may be different from the Originator who obtains the Recipient's authorization, which name should be included in the Company Name field of the ACH message?
The PPD code may be used for a properly authorized ACH transaction that represents a single payment on a separate account, regardless of whether there have been multiple charges by the consumer to that account. If the original enrollment for an ACH service was performed on the internet, the WEB code may be used for a properly authorized ACH transaction that represents a single payment on a separate account, regardless of whether there have been multiple charges by the consumer to that account.

This fourteen (14) day window provides a clear dividing line between payments on an account, such as monthly bill payments, and separate payments. A separate authorization of payment in this context must be a specific authorization of the specific total amount to be debited at that time, and a separate specific authorization must be obtained from the consumer each time another payment of fourteen (14) days or less is made. For clarity, the use of a debit card at the point-of-sale does not constitute a separate specific authorization for this purpose.
Furthermore, the SEC Code Allocation Chart attached hereto provides guidance on the appropriate SEC Code to use in connection with transactions based on how an ACH service is being used and how the original authorization for that service was obtained. For example, if an Originator provides a debit card to consumers that can be used for a variety of transactions pursuant to a written, standing authorization to debit the amount of those transactions to a deposit account at an RDFI, the transactions should be handled as follows: Each use of the debit card at a point-of-sale terminal should be treated as a separate POS transaction; each use of the debit card at an ATM should be treated as an MTE transaction; and each use of the debit card to make purchases on the internet should be treated as a PPD transaction.
By contrast, if the Originator obtains the consumer's original standing authorization for the same product via the internet, the transactions should be handled as follows: Each use of the debit card at a point-of-sale terminal still should be treated as a separate POS transaction; each use of the debit card at an ATM still should be treated as an MTE transaction; but each use of the debit card to make purchases on the internet should be treated as a WEB transaction.

As indicated above, the Originator may not aggregate multiple transactions across multiple payees. However, if the account offered by the Originator is only billed to the consumer for periods of more than fourteen (14) days, then those transactions may be processed as a single bill payment transaction under the PPD or WEB code, respectively, for the total amount owing at the end of such period.
For example, in the card product above, the ultimate payee is the merchant or owner of the ATM where the card is used, not the Originator that issues the card. Similarly, in a bill payment service, the ultimate payee is the biller, not the provider of the bill payment service.
As noted, the Chart addresses only products that can be used on a recurring basis rather than individual entry transactions, which are not at issue in this Interpretation. The first row of the Chart addresses products that are physically used at the point-of-sale for retail purchases.
Box A addresses products for which both enrollment and use occurs at the point-of-sale. This is the quintessential transaction for which the POS code was originally developed. Box B addresses products for which the original enrollment occurred on the internet, but which are then used at the physical point-of-sale.
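The following is an added example, not code from Nacha or this rulebook: it encodes the SEC Code Allocation Chart and the fourteen-day aggregation rule described above as checks an origination system could run before building an entry. The enum names, the Charge record, the function names and the way the billing period is modelled are this example's own assumptions.

```python
"""Constructed example: SEC code selection per the chart and 14-day rule above.
Not Nacha's code; names and data model are this example's assumptions."""
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import List, Optional, Tuple

SEPARATE_AUTH_WINDOW_DAYS = 14  # the "fourteen (14) day" dividing line


class Enrollment(Enum):
    WRITTEN = "written"      # standing authorization obtained in writing
    INTERNET = "internet"    # original standing authorization obtained online


class Use(Enum):
    POS_TERMINAL = "pos"     # card presented at a physical point-of-sale terminal
    ATM = "atm"
    INTERNET = "internet"    # card used to make a purchase on the internet


def sec_code_for_use(enrollment: Enrollment, use: Use) -> str:
    """Chart rows: POS and MTE are fixed by the channel of use; an internet
    purchase is WEB only when the original enrollment was on the internet."""
    if use is Use.POS_TERMINAL:
        return "POS"
    if use is Use.ATM:
        return "MTE"
    return "WEB" if enrollment is Enrollment.INTERNET else "PPD"


@dataclass(frozen=True)
class Charge:
    posted: date
    payee: str           # ultimate payee (e.g. the merchant), not the card issuer
    amount_cents: int


def aggregated_bill_payment(enrollment: Enrollment, charges: List[Charge],
                            period_start: date, period_end: date,
                            separately_authorized_cents: Optional[int] = None
                            ) -> Tuple[str, int]:
    """(sec_code, total_cents) for one debit settling `charges` as a single
    payment on an account; raises ValueError where the interpretation forbids it."""
    if len({c.payee for c in charges}) != 1:
        raise ValueError("may not aggregate transactions across multiple payees")
    if any(not (period_start <= c.posted <= period_end) for c in charges):
        raise ValueError("charge falls outside the billing period")
    total = sum(c.amount_cents for c in charges)
    if (period_end - period_start).days <= SEPARATE_AUTH_WINDOW_DAYS:
        # Inside the window this is not a periodic bill payment: it needs a
        # separate, specific authorization of this exact total, and a card
        # swipe at the point-of-sale does not count as that authorization.
        if separately_authorized_cents != total:
            raise ValueError("payment within 14 days needs separate authorization")
    return ("WEB" if enrollment is Enrollment.INTERNET else "PPD"), total


# Constructed sample data (assumed, not from the rulebook).
MONTHLY_PERIOD = (date(2023, 3, 1), date(2023, 3, 31))   # 30-day billing period
SHORT_PERIOD = (date(2023, 3, 1), date(2023, 3, 10))     # 9 days: inside window
MONTHLY_CHARGES = [Charge(date(2023, 3, 4), "utility-co", 1250),
                   Charge(date(2023, 3, 20), "utility-co", 3075)]
MIXED_CHARGES = [Charge(date(2023, 3, 4), "grocer", 500),
                 Charge(date(2023, 3, 5), "fuel-stop", 700)]
```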
Updates to the NACHA Operating Rule Changes 2021 and 2022
Additionally, the included appendices contain details on Rules enforcement, annual audit requirements, a complete table of return reason codes and formatting specifications. Qualifying WesPay members will automatically receive annual complimentary access to the Nacha Operating Rules.
There are six ACH Operations Bulletins posted by Nacha; four of them explain the updates to the Rules due to changes at financial institutions and extensions of effective dates in light of the current situation, and confirm some Rules changes with current effective dates remaining. In addition, this webinar will provide all the details necessary to help participants in the ACH Network remain compliant with the amendments going into effect, two of which were recently approved for effective dates for Unauthorized Returns and the ACH Contact Registry.