Risk Management at NACHA

Mitigating Risk

Protection for Network Participants

Overview Icon

Ensuring the safety and security of all ACH Network payments users is NACHA’s foremost concern.

We’re dedicated to managing risk from every angle by working with the industry to address potential issues before they affect the ACH Network. Our comprehensive Risk Management Strategy, NACHA Operating Rules, policies and tools, along with the input of our Risk Management Advisory Group, help maintain the safety and security of ACH payments.

Benefit Icon

Risk Management Strategy

To ensure Network innovation and growth while minimizing risk, NACHA employs a carefully thought-out and balanced Risk Management Strategy. Since implementing this strategy, we’ve seen a significant decrease in unauthorized debits along with a dramatic increase in transaction volume across the ACH Network.
Network participants and NACHA members informed the plan by contributing their expertise. In formulating the different aspects of our strategy, we interviewed ACH stakeholders, who stressed the value of due diligence, continuing education, communication from NACHA and Rules enforcement. Interviewees also emphasized the importance of evolving ACH Network trends and their risk implications.
By combining member and stakeholder input with our own research into card networks, risk mitigation tools and industry trends, we’ve been able to establish a dependable, effective Risk Management Strategy. Members can download the full Risk Management Strategy, linked to the right-hand navigation bar; the Risk Management Strategy executive summary is also linked and is available to the public.

Benefit Icon

NACHA Interim Policy on Data Breaches

Breaches of consumer accounts, transactions and other personal information continue to make headline news, attracting the scrutiny of regulators and lawmakers at all levels. Businesses and financial institutions can experience significant damage to their reputations when they’re seen as negligent or deficient in their preparedness for such data breaches.
NACHA’s Interim Policy on ACH Data Breach Notification Requirements (“Interim Policy”) which took effect on September 28, 2007, requires that:

  • ODFIs notify NACHA of a breach of consumer-level ACH data
  • ODFIs notify RDFIs about  the ACH data breach incident 

An ODFI is required to make the appropriate notifications when they know, or reasonably suspect, that consumer-level ACH data has been lost, stolen or otherwise subject to unauthorized access and may be misused. See the full Interim Policy, linked in the right-hand navigation bar.

Benefit Icon

WEB eResources

WEB Standard Entry Class (SEC) code transactions, or Internet-Initiated/Mobile Entries, are one of the fastest growing areas of Direct Payment via ACH. As more organizations look for sound business practices and solutions to offer WEB payment options, NACHA developed eResources to support businesses and financial institutions in implementing and using the WEB code.

These eResources will help organizations broaden payment options for customers of all types, realize efficiencies of electronic payments, and have necessary guidance to fully understand ways to address compliance, security and risk factors. They seek to expand knowledge and understanding among all stakeholders in the industry, supporting effective implementation of WEB transactions.

  • Encryption is a core technology that underpins the security of the ACH Network. The eResource, based on information gathered from industry professionals, underscores its value and generates greater awareness about the need for methods for all ACH Network participants to combat data threats and attack scenarios.
  • Authentication in the ACH Network is a common challenge among all ACH Network participants, particularly for WEB transactions. The eResource covers relevant risk management requirements for WEB in an effort to help participants better understand authentication technologies that are available on the market.
  • Authorization involves determining what information should be collected and retained so that there is adequate proof in the event that a transaction is challenged--a common challenge among ACH Network participants that originate or process WEB ACH consumer debit transactions. The ability to prove that a transaction was properly authorized is highly dependent on the attributes of the authorization process and any underlying processes used to validate identity, all of which may vary among institutions, transaction types and operating models.

View the eResources in the right-hand bar.

Benefit Icon

Risk Management Advisory Group

The Risk Management Advisory Group (RMAG) works with industry stakeholders and key NACHA staff to continually assess risks faced by Network participants. The group makes recommendations to NACHA about risk education, tools and resources, risk mitigation policies and potential rule changes.
In particular, RMAG has provided input on the development of key Rules, such as Network Enforcement and Risk Management and Assessment, published white papers on risk management, and contributed its expertise to developing NACHA’s Terminated Originator Database. The group continues to play a leading role in counteracting potential risks to the ACH Network.
RMAG is proactive and relies on member collaboration in order to help NACHA and the industry maintain a safe, efficient and high-quality ACH Network.