November 27, 2017

ACH Operations Bulletin #4-2017: Managing the Risks of Consumer-to-Other-Consumer Debits

EXECUTIVE SUMMARY

The Nacha Operating Rules provide for Person-to-Person (P2P) payments via ACH credit transactions. In this way, one person can transfer funds to another person. Nacha has become aware that some financial institutions and their service providers are allowing consumers to debit other consumers’ accounts. This ACH Operations Bulletin[1] provides guidance to financial institutions and their service providers on the application of the Nacha Operating Rules and other risk management considerations relevant to the origination of such “consumer-to-other-consumer” (C2C) debits.

Although the origination of C2C debits is not expressly prohibited by the Nacha Operating Rules, Nacha strongly discourages ODFIs from facilitating these payments unless the ODFI is certain of its full compliance with all rules that apply to the origination of all ACH debits, regardless of the nature of the Originator. This should not be read to discourage financial institutions from offering and enabling consumers to transfer funds from their own accounts - i.e., an account-to- account transfer. For such an A2A debit, a consumer has authorized an ODFI or an Originator to debit her/his own account at another institution; and so such a consumer is the Receiver of the A2A debit.

Financial institutions that do not offer, or do not intend to offer, consumer-to-other-consumer debit capability are encouraged to verify that their products, platforms, or service providers are not inadvertently or unintentionally configured to allow this type of transaction.

DISCUSSION

In 2014, Nacha implemented rules to enable Person-to-Person (P2P) credit entries to facilitate the transfer of funds from one person to another person via an ACH credit. P2P Entries are credit entries that use the Internet Initiated/Mobile Entry Standard Entry Class Code (“WEB”); they are also known as P2P WEB credits.[2]

As consumer-originated credits, the Rules expressly provide exceptions for P2P WEB credits from specific origination and risk management requirements that otherwise apply to all other ACH origination activity.[3] Unlike other ACH origination activity, an ODFI is not required to enter into an ACH Origination Agreement with a consumer as the Originator of a P2P WEB credit.[4] The requirements of an ACH Origination Agreement are not suitable to credit entries in which a consumer is the Originator, and so are not applicable.

In addition, the Rules do not require ODFIs to perform certain risk management functions with respect to a consumer as the Originator of a P2P WEB credit.[5] Again, these exceptions were made for these ODFI obligations (an assessment of the nature of the Originator’s ACH activity; establishment, implementation, and periodic review of an exposure limit; monitoring of return activity across multiple settlement dates; enforcement of restrictions on origination; and enforcement of exposure limits) specifically because they are not suitable to credit entries in which a consumer is the Originator.

For P2P WEB credit entries, the additional ODFI warranties that are in place for WEB debit entries also do not apply – i.e., the Originator’s use of commercially reasonable fraud detection systems; methods of verifying the Receiver’s identity; and methods of verifying the validity of routing numbers do not apply. As above, because P2P WEB credit entries involve a consumer as the Originator, the use of these risk control measures may not be suitable to these credit entries. Finally, as both the Originator and Receiver of a P2P WEB credit entry are intended to be natural persons, the Rules do not require authorization by the Receiver.[6]

Consumer-to-Other-Consumer Debits

Nacha has become aware that some financial institutions and their service providers are allowing consumers to debit other consumers’ accounts. Because the Rules do not include debits within the scope of P2P Entries, a C2C debit is not excepted from the origination and risk management provisions of the Rules cited above, as is a P2P WEB credit. A C2C debit is still a debit, and all the provisions of the Rules related to debit origination and risk management apply. Any financial institution allowing a consumer to originate a debit entry to another consumer’s account needs to be certain of its full compliance with all rules that apply to the origination of ACH debits. The ODFI is expected to fulfill the same prerequisites to origination (i.e., ODFI/Originator ACH Origination Agreements, authorization requirements, etc.) with respect to the Originator, and is subject to all warranties made for an ACH debit, as would be the case for any ACH debit entry.

Financial institutions allowing C2C debits are also responsible for the Originator’s compliance with the Rules requirements regarding authorizations with respect to consumer accounts.[7] Generally, an authorization to debit a consumer account must be in writing and signed or similarly authenticated, and a copy provided to the Receiver in accordance with the Rules. The authorization must be readily identifiable as an authorization; have clear and readily understandable terms, including with regard to the timing of the debit; and provide how the Receiver may revoke the authorization. The Originator must also meet the Rules requirements regarding retention of the authorization and provision of the record of the authorization at the request of the ODFI. Though not expressly prohibited by the Nacha Operating Rules, it would be very difficult for individual consumers to satisfy these requirements of ACH debit Originators.

Specific topics that an ODFI should address if allowing C2C debits include:

How will it comply with its obligation to provide an RDFI with proof that the debit was authorized by the receiving consumer, if requested?
How will it manage, handle, and monitor returns, such as for insufficient funds or account not found?
How will it manage, handle, and monitor extended returns for unauthorized reasons?
The ODFI should understand that an RDFI will treat a C2C debit the same as any other debit received to a consumer’s account. If the RDFI’s consumer customer disputes the debit as lacking authorization, the RDFI’s obligations and actions will be the same as for any other debit to the consumer’s account.

If the ODFI does not satisfy the above prerequisites to origination, risk management and authorization requirements of the Rules when allowing a consumer to originate debits to another consumer’s account, the ODFI may find itself in a precarious risk position, possibly resulting in poor-quality debit origination and increased return rates, in addition to being out of compliance with the Rules. Even financial institutions that do not offer, or do not intend to offer, C2C debit capability should verify that their products, platforms, or service providers are not inadvertently or unintentionally configured to allow this type of transaction.

Although the origination of consumer-initiated C2C debits is not expressly prohibited by the Nacha Operating Rules, Nacha strongly discourages ODFIs from facilitating these payments unless the ODFI is certain of its full compliance with all provisions of the Rules governing the origination of ACH debits, as discussed above.

[1] This ACH Operations Bulletin is for informational purposes only, and is intended to provide general guidance regarding certain principles of the Nacha Operating Rules. This ACH Operations Bulletin is not intended to provide legal advice. Readers should obtain their own legal advice regarding their obligations under the Nacha Operating Rules or applicable legal requirements.

[2] 2017 Nacha Operating Rules, Article Eight, Section 8.74.
ACH Operations Bulletin #4-2017 – Managing the Risks of Consumer-to-Other-Consumer Debits
November 27, 2017; Page 2

[3] The Rules also expressly provide the same exceptions for a separate type of consumer-originated ACH credit, the Customer-Initiated Entry (CIE). The CIE is not the subject of this ACH Operations Bulletin.

[4] 2017 Nacha Operating Rules, Article Two, Subsection 2.5.17.7.

[5] Id.

[6] Id. at Article Two, Subsection 2.3.2.1.

[7] Id. at Article Two, Subsection 2.3.2. There are no exceptions in the Rules from the requirements for authorizations to Consumer Accounts, regardless of whether the Originator also is a consumer.

ACH Operations Bulletin #4-2017 – Managing the Risks of Consumer-to-Other-Consumer Debits
November 27, 2017; Page 3

Nacha

ACH Operations Bulletin #4-2017: Managing the Risks of Consumer-to-Other-Consumer Debits

ACH Network Records Strong Growth in 2023 as Same Day ACH Surpasses 3 Billion Payments Since Inception

Smarter Faster Payments 2024: ‘You Can’t Beat It’

Check Out the Many Enhancements to Nacha’s Risk Management Portal

Nacha Launches New Campaign Highlighting the Many People Benefiting from Direct Deposit