September 30, 2014

ACH Operations Bulletin #1-2014: Questionable ACH Debit Origination: Roles and Responsibilities of ODFIs and RDFIs

Replaces ACH Operations Bulletin #2-2013 (Originally Issued March 14, 2013); and ACH Operations Bulletin #3-2013 (Originally Issued July 15, 2013)

PDF version of this Bulletin 

This ACH Operations Bulletin[1] addresses the applicability of various sections of the Nacha Operating Rules (Nacha Rules) to questionable ACH debit origination activity, highlights the roles and responsibilities of both Originating Depository Financial Institutions (ODFIs) and Receiving Depository Financial Institutions (RDFIs), and describes several amendments to the Nacha Rules related to these topics.[2] Due to these Rules amendments, several aspects of two previous bulletins from 2013 have been superseded; therefore, this bulletin replaces ACH Operations Bulletin #2-2013 (issued on March 14, 2013) and ACH Operations Bulletin #3-2013 (issued on July 15, 2013).

Overview

During 2013, the ACH Network and its financial institution participants came under scrutiny as a result of the origination practices of certain businesses, such as online payday lenders, in using the ACH Network to debit consumers’ accounts. In some instances, RDFIs were erroneously singled out as having a role in those practices simply by allowing consumers’ accounts to be debited in accordance with the Nacha Rules. In fact, when acting in the capacity of an RDFI, a financial institution has no relationship with the Originator of the ACH debit, and has no basis or information on which to make an independent judgment as to whether any specific ACH debit entry was properly authorized. The ACH message itself, like any check or other payment instrument, provides no information about the substance of the underlying transaction to which the payment relates that would enable to RDFI to make such a judgment. Moreover, an RDFI is not in a position to respond to generalized complaints in the press or otherwise about the practices of a specific Originator(s).

Accordingly, an RDFI becomes aware of a questionable debit entry only when it is contacted by its customer. In this regard, the Nacha Rules provide a mechanism for a consumer to dispute the validity of an ACH debit, and then to be properly re-credited. This existing mechanism shifts the financial burden back to the ODFI of the ACH debit, appropriately placing the burden on the party that warranted the proper authorization of the debit in the first place. Once the consumer is re-credited, any further dispute between the consumer and the business about the purpose and validity of a debit is determined outside of the ACH system.

In short, much of the commentary that arose out of concerns regarding questionable origination practices fundamentally mischaracterized the nature of financial transaction processing through the ACH Network, and the responsibilities and obligations of participating Depository Financial Institutions. In fact, consumers have significant protections provided by Regulation E and the Nacha Rules, and are much better insulated against questionable transactions through the ACH Network than when third parties use “remotely created checks” to debit consumers’ accounts.[3]

This ACH Operations Bulletin is intended to provide guidance to both ODFIs and RDFIs on their rights and obligations within the ACH Network to help address potentially questionable activity, and to briefly summarize some sound practices. While RDFIs have no obligation under the Nacha Rules to assess the validity of entries that are presented to them, RDFIs that detect a pattern of unauthorized transactions from a single Originator as a result of customer complaints can contact the ODFI(s) for additional information and their Regional Payment Association for guidance, and also can use Nacha’s National System of Fines to pursue an action against the ODFI(s).

ODFI Responsibilities and Practices

ODFIs are the gatekeepers of the ACH Network.[4] As the party that enables an Originator to present debit Entries into the ACH Network, an ODFI must enter into an Origination Agreement with each Originator for which it processes ACH transactions, or have an arrangement with a Third-Party Sender that has such an Origination Agreement.[5] In doing so, the ODFI undertakes critical responsibilities under the Nacha Rules that reflect the reliance of the ACH Network on appropriate underwriting and monitoring of Originators by ODFIs and the third parties with whom ODFIs have ACH origination arrangements.

Most importantly, each ODFI is responsible for the proper authorization of every ACH debit processed in its name – a core principle enshrined in the ODFI warranty that “the Entry has been properly authorized by the Originator and the Receiver in accordance with these Rules.”[6] In the case of authorizations from consumers, the Nacha Rules are explicit that, among other things, the authorization must “be readily identifiable as an authorization” and “have clear and readily understandable terms.”[7]

If an unauthorized debit Entry is processed in an ODFI’s name, the ODFI incurs several obligations under the Nacha Rules. First, the debit will be returned to the ODFI when it is disputed by the consumer whose account is improperly debited.[8] Second, the ODFI incurs indemnity obligations for breach of its warranty of proper authorization.[9] Finally, the ODFI may be subject to sanctions under Nacha’s National System of Fines for violation of the Nacha Rules.[10]

Because of these obligations, as well as associated reputational and other risks, the Federal banking agencies advise that ODFIs, among other things, should (i) exercise appropriate risk-based diligence when bringing on new Originators and Third-Party Senders and (ii) perform appropriate monitoring to determine whether excessive returns or other suspicious patterns of activity warrant further review or more aggressive action. For example, in 2006 the Office of the Comptroller of the Currency (OCC) released its risk management guidance for ACH activities by national banks, OCC Bulletin 2006-39, in which it cautioned national banks acting as ODFIs to perform a risk-based evaluation of new Originators, including their historic patterns of unauthorized returns and whether they are engaged in legitimate business activities.

Furthermore, the OCC Bulletin includes explicit guidance regarding expectations for on-going monitoring of high-risk originators, including the following:

"Banks that engage in ACH transactions with high-risk originators or that involve third-party senders face increased reputation, credit, transaction, and compliance risks. High-risk originators include companies engaged in potentially illegal activities or that have an unusually high volume of unauthorized returns. High-risk originators often initiate transactions through third-party senders because they have difficulty establishing a relationship directly with a bank.

* * *

Before a bank engages in high-risk ACH activities, the board of directors should consider carefully the risks associated with these activities, particularly the increased reputation, compliance, transaction, and credit risks. The board should provide clear direction to management on whether, or to what extent, the bank may engage in such ACH activities. Some [originating] banks have established policies prohibiting transactions with certain high-risk originators and third-party senders.

Banks that engage in high-risk ACH activities should have strong systems to monitor and control risk. These systems should monitor the level of unauthorized returns, identify variances from established parameters such as origination volume, and periodically verify the appropriate use of SEC codes, as transactions are sometimes coded incorrectly to mask fraud.

* * *

A high level of unauthorized returns is often indicative of fraudulent activity. This indication may prompt management to terminate the relationship with the originator or third-party sender, or signal that additional training is needed to ensure compliance with ACH rules."[11]

Similarly, at the direction of its Board, Nacha has been pursuing a number of risk management initiatives over the past several years in order to ensure that the industry has the tools to appropriately manage risks arising out of poor origination practices. These include the institution of formal return rate monitoring procedures[12] and remediation for those ODFIs with unauthorized rates above 1 percent;[13] the requirement for audit of risk management practices in Originator underwriting;[14] the publication by Nacha’s Risk Management Advisory Group of Sound Business Practices for Evaluating Customer Risk;[15] and the introduction of services like the Originator Watch List and the Terminated Originator Database to help ODFIs identify Originators that may warrant further scrutiny through the underwriting process.

While no underwriting or monitoring system is foolproof, a well-constructed risk management system can: 1) help ODFIs avoid financial and reputational harm associated with processing improper transactions; 2) improve the overall quality of ACH Network processing; 3) reduce the cost of exception processing; and 4) minimize the impact to consumers whose accounts may be improperly debited. In addition to all the above, ODFIs should consider:

Return rate monitoring, not just for unauthorized transactions, but also for other reasons that may warrant further review, such as unusually high rates of return for insufficient funds or other administrative reasons.[16]

Risk-based review of Originator authorization forms and processes when other factors lead the ODFI to be concerned about those practices.

Risk-based review of Originator revocation practices to determine whether consumers are given a reasonable opportunity to revoke consent to ACH debits.[17]

Monitoring of transactions for patterns that may be indicative of attempts to evade the limitations on the reinitiation of returned Entries.[18] Modification of transactions in an attempt to evade these limits (e.g., resubmission under a different name or for slightly modified dollar amounts) will be treated as a violation of the Nacha Rules.

Risk-based review of Third-Party Sender underwriting standards when Third-Party Senders demonstrate a pattern of doing business with questionable Originators.

RDFI Responsibilities and Practices

As explained at the outset of this Bulletin, RDFIs have no relationships with Originators and have no basis to know whether any specific ACH debit entry has been properly authorized. RDFIs rely on the representations of ODFIs made under the Nacha Rules that entries have been properly authorized. Accordingly, RDFIs must accept all Entries that are transmitted through the ACH Network, subject to the RDFI’s right of return.[19] That right cannot be exercised on the basis of the type of Entry the RDFI has received, and RDFIs must consider the risk of a wrongful dishonor claim in connection with any return of an Entry that is not based on a Receiver’s dispute as to the proper authorization of the transaction.[20] Indeed, in the absence of a customer complaint, the RDFI will have no basis on its own by which to dispute the validity of an Entry.

Instead, the ACH Network is set up to empower consumers to dispute transactions that they believe were not validly authorized, and to give effect to consumer rights under Regulation E. RDFIs must accept Written Statements of Unauthorized Debit from their consumers,[21] must credit the consumer’s account in the amount of the unauthorized debit,[22] and may return the debit to the ODFI that warranted the validity of the authorization in the first place.[23]

If a consumer disputes a transaction and wishes to place a stop payment order, an RDFI must honor the stop payment order in accordance with the Rules.[24] Furthermore, if the consumer’s dispute relates to future debits from the same Originator, the consumer may place a stop payment order to prevent all future debits to his/her account.[25] While consumers should contact the Originator to revoke the authorization directly with the Originator, implementation of the stop payment order at the RDFI level helps prevent continued impact to the consumer.

Finally, RDFIs that have customers that experience unauthorized debit activity, especially if there is a pattern of unauthorized transactions from a single Originator, can contact the ODFI(s) for additional information, their Regional Payments Association for guidance, and also can use Nacha’s National System of Fines to pursue an action against the ODFI(s). The National System of Fines is designed to allow escalating levels of penalties against repetitive or egregious cases of violations of the Nacha Rules. Use of the National System of Fines can also provide Nacha with a view of the magnitude of questionable debit activity across multiple ODFIs and multiple RDFIs.

Impact of Rules Amendment

Effective September 18, 2015, an amendment to the Nacha Rules will lower the unauthorized return rate threshold from 1.0 percent to 0.5 percent. ODFIs, Originators, and Third-Party Senders that monitor returns of unauthorized transactions either at, or in relation to, this threshold in the Nacha Rules will need to adjust their monitoring levels accordingly.

The Rules amendment also establishes a new inquiry process that enables a review of an Originator’s or Third-Party Sender’s ACH activity and origination practices. The inquiry process can be utilized when an Originator is identified as having a return rate exceeding one or both of two new “return rate levels:” 1) 3.0 percent for debits returned for administrative/account number errors; and, 2) 15.0 percent for debits returned for any reason.[26] Unlike the unauthorized return rate threshold, the new return rate levels do not require or result in automatic remediation by the ODFI. Instead, the new return rate levels may constitute a trigger for an inquiry into an Originator’s or Third-Party Sender’s practices. Nevertheless, ODFIs, Originators and Third-Party Senders should set or adjust return monitoring to take into account these new return rate levels.

Reinitiation of Returned Entries

The Nacha Rules allow a returned Entry to be reinitiated by the Originator or ODFI under limited circumstances:[27]

  • An ACH debit was returned for reasons of insufficient or uncollected funds (as denoted by the return codes R01 and R09, respectively). In such a case, the Entry may be reinitiated a maximum of two times in an attempt to collect funds;
  • An ACH debit was returned for the reason of stop payment (return code R08), and reinitiation has been separately authorized by the Receiver;
  • An ACH entry was returned for another reason, and the Originator or ODFI has corrected or remedied the reason for the return.

“Reinitiation” is the method permitted in the Rules by which to resubmit a returned Entry. Language in an original authorization (or elsewhere) that is inconsistent with these provisions is not permitted by the Rules. As a simple example, even if an Originator obtains a consumer’s signature on a purported authorization that allows for three attempts to collect a debit Entry returned for insufficient funds, the third attempted collection would be impermissible under the Rules.

In any of these circumstances, reinitiation must take place within 180 days of the Settlement Date of the original Entry. After the expiration of this 180-day period, any additional action on, or resolution of, a returned Entry must take place outside the ACH Network.

A reinitiated Entry should contain the identical data as the original Entry, except as minimally necessary to accurately process the transaction.[28] This includes, but is not limited to, the data in the Company Name field, the Company Identification field, and the Amount field, each of which should contain the identical data as in the original Entry. Any modification of these fields in an attempt to make an Entry appear as a new Entry rather than as a reinitiated Entry will be treated as a violation of the Nacha Rules. An ODFI should be mindful of the indemnities it provides to an RDFI under the Nacha Rules, including for any breach of the warranty that its Entry complies with the Rules.[29]

An Originator may reinitiate an Entry returned due to stop payment (R08) only if it obtains a valid authorization from the Receiver to do so. Such an authorization must be obtained after the return of the original Entry. An Originator that reinitiates a debit Entry in such circumstances also should instruct the Receiver to notify his/her RDFI so that the RDFI can remove any stop-payment block. As with the original debit Entry, an ODFI must comply with an RDFI’s request to provide proof of authorization of a reinitiated debit Entry to a Consumer Account, and the Originator must comply with the ODFI’s request to provide it with this proof of authorization.

An Originator cannot reinitiate an ACH debit that was returned for a reason of unauthorized (such as R07 - Authorization Revoked). An unauthorized Entry cannot be remedied. This does not prevent an Originator from later obtaining a new authorization, in compliance with all requirements for an original authorization, for a transaction of an equal amount. As with any original debit Entry, an ODFI must comply with an RDFI’s request to provide proof of authorization of a new debit Entry to a Consumer Account, and the Originator must comply with the ODFI’s request to provide it with this proof of authorization.

Impact of Rules Amendment

Many of these provisions described above will be made explicit in a Rules amendment that becomes effective on September 18, 2015. Nevertheless, even prior to the effective date, Nacha would consider any modification of an Entry to make it appear as a new Entry rather than as a reinitiated Entry as a violation of the Nacha Rules.

More specifically, the Rules amendment provides that any of the following practices are improper:

  • Following the Return of an Entry, initiating an Entry to the same Receiver in an amount greater than the amount of the previously Returned Entry in payment or fulfillment of the same underlying obligation plus an additional fee or charge;
  • Following the Return of an Entry, initiating one or more Entries to the same Receiver in an amount(s) less than the original Entry in payment or fulfillment of a portion of the same underlying obligation;
  • Reinitiating any Entry that was Returned as unauthorized;
  • Initiating any other Entry that the National Association reasonably believes represents an attempted evasion of the limitations on Reinitiation, subject to the final authority of the ACH Rules Enforcement Panel.

The Rules amendment also provides that a debit Entry will not be treated as a reinitiated Entry if:

  • the debit Entry is one in a series of preauthorized, recurring debit Entries and is not contingent upon whether an earlier debit Entry in the recurring series has been Returned; or,
  • the Originator obtains a new authorization for the debit Entry after it receives the original Return Entry.

For example, an Originator and consumer Receiver might negotiate a bona fide new payment plan following the return of an Entry for insufficient funds. The new payments would be authorized by the consumer via a new authorization that allows the Originator to originate new ACH debits for lesser amounts as part of the revised payment plan. These would be viewed as new Entries and not an attempt to evade the restrictions on reinitiation of the original Entry. As with the original debit Entry, an ODFI must comply with an RDFI’s request to provide proof of authorization of a new debit Entry to a Consumer Account, and the Originator must comply with the ODFI’s request to provide it with this proof of authorization.

Collection of Return Fees

The Nacha Rules also restrict the use of the ACH Network to collect fees for an Entry that was returned for insufficient or uncollected funds.[30] Among other things, the Rules provide:

  • A Return Fee Entry may be initiated only to the extent permitted by applicable law, and only for an Entry that was returned for reasons of insufficient or uncollected funds (as denoted by the return codes R01 and R09, respectively);
  • The Originator must provide specific prior notice regarding the Return Fee Entry;
  • A Return Fee Entry must be specifically labeled “RETURN FEE” in the Company Entry Description field;
  • Only one Return Fee may be assessed with respect to any returned Entry;
  • A Return Fee may not be assessed with respect to the return of a Return Fee Entry (i.e., no “fees on fees”).

A “Return Fee Entry” is the method permitted in the Rules by which to collect a Return Fee. Language in an original authorization (or elsewhere) that is inconsistent with these provisions is not permitted by the Rules. As a simple example, even if an Originator obtains a consumer’s signature on a purported authorization that allows for multiple return fees to be assessed with respect to a returned Entry, this would be impermissible under the Rules.

Additional Resources

Office of the Comptroller of the Currency Bulletin 2006-39, ACH Activities, September 1, 2006

Office of the Comptroller of the Currency Bulletin 2008-12, Payment Processors, April 24, 2008

Consumer Financial Protection Bureau - Regulation E

Nacha Terminated Originator Database

Nacha Contacts

Questions about this ACH Operations Bulletin should be submitted via [email protected].

[1] This ACH Operations Bulletin is for information purposes only, and is intended to provide general guidance regarding certain principles of the Nacha Operating Rules. This ACH Operations Bulletin is not intended to provide legal advice. Readers should obtain their own legal advice regarding their obligations under the Nacha Operating Rules or applicable legal requirements.

[2] Financial institutions also have obligations under Regulation E for electronic transactions to consumer accounts. This ACH Operations Bulletin is not intended to cover those obligations (please refer to Regulation E; an online link is included on Page 5 of this Bulletin). In many cases, the Nacha Rules give effect to the consumer’s rights under Regulation E for electronic transactions that are processed over the ACH Network.

[3] In some cases, high-risk merchants utilize remotely created checks to debit consumers’ accounts in order to avoid the requirements and the enforcement mechanisms of the Nacha Rules.

[4] 2014 Nacha Operating Rules, Section 2.1 General Rule – ODFI is Responsible for Entries and Rules Compliance (2014 Nacha Operating Rules & Guidelines, Page OR4).

[5] Subsection 2.2.2 ODFI Agreement with Originator, Third Party Sender or Sending Point (Page OR4).

[6] Subsection 2.4.1.1(a) The Entry is Authorized by the Originator and Receiver (Page OR8).

[7] Subsection 2.3.2.3 Form of Authorization (Page OR6).

[8] Subsection 2.12.1 ODFI Acceptance of Timely Return Entries and Extended Return Entries (Page OR30).

[9] Subsection 2.4.4.1 Indemnity for Breach of Warranty (Page OR9).

[10] Appendix Ten, Rules Enforcement (Page OR211).

[11] OCC Bulletin 2006-39 (Sept. 1, 2006), http://www.occ.gov/news-issuances/bulletins/2006/bulletin-2006-39.html

[12] 2014 Nacha Operating Rules, Subsection 2.2.3 ODFI Risk Management (2014 Nacha Operating Rules & Guidelines, Page OR5).

[13] Subsection 2.17.2 ODFI Return Rate Reporting (Page OR34). Effective September 18, 2015, the return rate threshold for unauthorized transaction will be lowered to 0.5 percent. See section below on Impact of Rules Amendment.

[14] Subsection 2.2.3 ODFI Risk Management (Page OR7).

[15] See https://www.nacha.org/system/files/resources/RMAG%20Evaluating%20Customer%20Risk%20SBPs%20FINAL.pdf

[16] See section below on Impact of Rules Amendment.

[17] Subsection 2.3.2.3(c) Form of Authorization (Page OR6).

[18] Subsection 2.12.4 Reinitiation of Returned Entries (Page OR30).

[19] Subsection 3.1.1 RDFI Must Accept Entries (Page OR36).

[20] Section 3.8 RDFI’s Right to Transmit Return Entries (Page OR43).

[21] Subsection 3.12.4 RDFI Must Accept Written Statement of Unauthorized Debit (Page OR48).

[22] Section 3.11 RDFI Obligation to Recredit Receiver (Page OR45).

[23] Section 3.8 RDFI’s Right to Transmit Return Entries (Page OR43); and Section 3.13 RDFI Right to Transmit Extended Return Entries (Page OR49).

[24] Section 3.7 RDFI Obligation to Stop Payment.

[25] Subsection 3.7.1.1 RDFI Obligation to Stop Payment of Recurring Entries (Page OR42); and Subsection 3.7.1.4 Effective Period of Stop Payment Orders (Page OR42).

[26] RCK Entries are excluded from the overall Return Rate Level.

[27] Subsection 2.12.4 Reinitiation of Returned Entries (Page OR30). Also note that there are separate provisions for the reinitiation of RCK Entries (Subsection 2.5.13.7, Page OR19), which permit a combined maximum of three presentments between the original check and the RCK Entry.

[28] For example, just as with the return of an ACH Entry, a reinitiated Entry could have a different Effective Entry Date than the original Entry, as well as a different ACH Trace Number. As another example, an Entry returned for an incorrect account number would require a correct account number in order to be processed accurately as a reinitiated Entry.

[29] Subsection 2.4.4.1 Indemnity for Breach of Warranty (Page OR9).

[30] Section 2.14 Return Fee Entries (Page OR32).