This ACH Operations Bulletin provides guidance to Participating DFIs that originate Automated Enrollment Entries (ENRs) on behalf of customers seeking to reroute Federal government benefit payments to a prepaid card.
AUTOMATED ENROLLMENT ENTRIES
The Automated Enrollment process allows DFIs to transmit, via the ACH Network, electronic enrollments for future ACH credits and debits that will be originated by Federal Government agencies. An Automated Enrollment Entry (ENR) is defined in the Nacha Operating Rules (Rules) as “a Non-Monetary Entry initiated by a Participating DFI to an agency of the Federal Government of the United States on behalf, and at the request, of an account holder at the Participating DFI to enroll in a service that will enable Entries to such Person’s account at the Participating DFI.”
Recently, the U.S. Department of the Treasury, Financial Management Service (FMS) made Nacha aware that Federal Government agencies are experiencing fraud in cases where ENRs are used to reroute government benefits from existing bank accounts to prepaid debit cards. Some prepaid card issuers allow consumers to enroll online via their websites to receive government benefits on their prepaid card. Fraudsters are purchasing a prepaid card, and subsequently using the card issuer’s web site to reroute government benefits from the legitimate receiver’s account to the fraudster’s prepaid card. The web site enrollments are batched and submitted as ENRs via ACH by the issuer or by another financial institution on its behalf. It is important that DFIs who originate ENRs understand the rules for these enrollments and the risks involved by warranting these entries.
LIABILITIES AND RESPONSIBILITIES
In transmitting ENR entries, DFIs are subject to the liabilities and responsibilities relating to the initiation of enrollment entries as governed by the provisions of Title 31 of the Code of Federal Regulation (CFR), Part 210. FMS will hold financial institutions liable for providing incorrect enrollment information. Financial institutions, therefore, should carefully review all Direct Deposit enrollment procedures. Section 210.4(a) lists the requirements of including that “the agency or the RDFI that accepts the recipient's authorization shall verify the identity of the recipient " ” FMS applies the foregoing requirement to the financial institution that submits an ENR (i.e., the ODFI of the ENR) because either 1) it will be the RDFI of the resultant credit entries that are initiated in reliance of the RDFI’s authorization, or 2) it is originating the ENR on behalf of the RDFI of the resultant credit entries.
Section 210.8 (b)(2) states that:
“An RDFI that accepts an authorization in violation of §210.4(a) shall be liable to the Federal Government for all credits or debits made in reliance on the authorization. An RDFI that transmits to an agency an authorization containing an incorrect account number shall be liable to the Federal Government for any resulting loss, up to the amount of the payment(s) made on the basis of the incorrect number. If an agency determines, after appropriate investigation, that a loss has occurred because an RDFI transmitted an authorization or notification of change containing an incorrect account number, the agency may instruct the Service [FMS] to direct a Federal Reserve Bank to debit the RDFI’s account for the amount of the payments(s) made on the basis of the incorrect number. The agency shall notify the RDFI of the results of its investigation and provide the RDFI with a reasonable opportunity to respond before initiating such a debit.”
Again, financial institutions should be aware that FMS applies this liability to the financial institution that originates an ENR, regardless of whether that financial institution is also the RDFI of the resultant credit entries or is working on behalf of the RFDI.
ACH Network participants should follow existing rules and regulatory guidance on customer authentication, including the FFIEC supplement to the Authentication in an Internet Banking Environment guidance issued in June 2011.
Section 210.8(d) of Title 31 CFR, Part 210 states:
“If an RDFI becomes aware that an agency has originated an ACH credit entry to an account that is not owned by the payee whose name appears in the ACH payment information, the RDFI shall promptly notify the agency. An RDFI that originates a Notification of Change (NOC) entry with the correct account and/or Routing and Transit Number information, or returns the original ACH credit entry to the agency with an appropriate return reason code, shall be deemed to have satisfied this requirement.” In a case where the RDFI discovers the fraudulent rerouting of a benefit payment, the appropriate return reason code would be R16, as access to the account is restricted due to specific action taken by the RDFI. If a Federal Government Agency notifies the RDFI of the fraudulent rerouting, the appropriate return reason code would be R06 (Returned per ODFI’s request).
DFIs should be aware that if a Federal Government agency receives an ENR believed to be fraudulent, it will return the ENR to the DFI using Return Reason Code R40 (Return of ENR Entry by Federal Government Agency).
Questions about this ACH Operations Bulletin should be submitted via firstname.lastname@example.org.
 This ACH Operations Bulletin is for information purposes, and is not intended to provide legal advice. Nacha’s
recommendations in this ACH Operations Bulletins do not constitute amendments to the Nacha Operating Rules.
 See 2012 Nacha Operating Rules, Section 8.9 “Automated Enrollment Entry”, Page OR53.
 See Title 31 of the Code of Federal Regulation (CFR,) Part 210
 See Authentication in an Internet Banking Environment guidance issued in June 2011