Nacha has recently become aware of an increasing number of fraudulent transactions being made over the ACH Network using the Telephone-Initiated Entry (TEL) application. The TEL application became effective in September 2001 as a means to provide a more streamlined method by which consumers could authorize one-time ACH debit entries. This Operations Bulletin is intended to identify specific risk management concerns related to the origination of TEL entries and to clarify key rules obligations with respect to proper authorization and use of the TEL application. ODFIs are strongly encouraged to consider these issues when determining whether to offer TEL origination services on behalf of their customers and to consider expanding their risk management policies and procedures to address these concerns.
TEL Risk Concerns
While the TEL application was developed to facilitate the use of automated payments for one- time consumer debit entries, intentional misuse of the application is resulting in an increasing number of unauthorized consumer debit entries. It has become apparent that some of these entries have been initiated as a result of deceptive and fraudulent telemarketing practices. Examples of the types of complaints that Nacha has received concerning misuse of TEL entries are described below:
Merchants operating with fraudulent intent debit the consumer without having obtained the consumer’s authorization for such a transaction.
Merchants operating with fraudulent intent violate the rules by cold calling consumers with whom they have no existing relationship and subsequently debiting the consumer.
Merchants operating within the boundaries of the TEL rules by using mail solicitations to instruct the consumer to initiate the telephone call to the merchant and subsequently attempting to sell their wares using deceptive marketing practices.
It has become obvious that there is a correlation between high return rates relating to unauthorized debits and Originators that are violating the rules or that are engaged in fraudulent/deceptive marketing practices. These merchants are experiencing a volume of unauthorized returns in excess of the average for other unauthorized debit entries.
It is critical that ODFIs understand that, under the Nacha Operating Rules, they are responsible for all transactions initiated into the ACH Network. To that end, they must recognize that they will be exposed to substantial risk when offering origination services on behalf of merchants that are engaged in fraudulent or deceptive business practices. To minimize the potential for fraud:
ODFIs must take steps to ensure that they know their customers and are familiar with their business practices.
In any situation where the ODFI’s customer is a third-party service provider, the ODFI must ensure that it has entered into contractual agreements with the ultimate Originators of the transactions and that it is familiar with the business practices and risks associated with originating entries on behalf of each individual Originator.
ODFIs should understand that offering direct access to the ACH Operator adds risk to the ODFI. The ODFI remains responsible for all transactions originated under its routing number but may have no knowledge of the types or dollar values of payments being originated. ODFIs must ensure that they have established monitoring capabilities to examine entries entered into the ACH Network under its routing number and to restrict the origination of any files that seem questionable.
ODFIs should consider monitoring returns for unauthorized TEL entries in an effort to quickly identify areas of potential fraud.
ODFIs may wish to exclude certain types of business activities (such as gambling over the telephone) from use with the TEL application, as these businesses dealings, by nature, are likely to be riskier and result in an excessive rate of returns. (Note: For the same reasons, ODFIs may also wish to exclude similar types of activities from use with the WEB application.)
The TEL Entry Application
A Telephone-Initiated (TEL) Entry is a single entry (one-time) debit to a consumer Receiver’s account, initiated pursuant to an authorization that was obtained from the Receiver orally via the telephone. Originators may use TEL entries only when the following criteria have been met:
- There must be an existing relationship between the Originator and the consumer. That is, there must be a written agreement in place between the Originator and the consumer for the provision of goods or services (for example, when the consumer has an insurance policy with the Originator), or the consumer must have purchased goods or services from the Originator within the past two years.
- When no relationship exists between the Originator and the consumer, the consumer must be the one to place the telephone call to the Originator.
TEL entries may not be used in circumstances where:
- No relationship exists between the Originator and the consumer, and the Originator has initiated the telephone call (i.e., the Originator has “cold-called” the consumer). In such cases, the Originator must provide the consumer with a written authorization that is signed or similarly authenticated and initiate a PPD or a WEB entry.
- There is a standing authorization provided by the consumer to the Originator for the transmission of multiple but non-recurring ACH debit entries to the consumer’s account, as in the example when the consumer has provided a written authorization to his brokerage firm to debit the consumer for occasional securities purchases. While the written authorization may contain language permitting the initiation of a debit via a telephone instruction, this type of entry must be transmitted as a PPD debit.
Originators of TEL entries must obtain the consumer’s explicit oral authorization, via the telephone, prior to initiating a debit entry to the consumer’s account. Because TEL entries are single-entry (that is, one-time) debits, a separate and distinct oral authorization must be obtained from the consumer for each TEL entry to be initiated to the consumer’s account.
The Nacha Operating Rules require that the Originator (1) clearly state, during the telephone call with the consumer that the consumer is authorizing an ACH debit to his account, and (2) express the terms of the authorization in a clear manner.
The authorization must include:
The date on or after which the consumer’s account will be debited;
The amount of the debit entry to the consumer’s account;
The consumer’s name;
A telephone number that is available to the consumer and answered during normal business hours for customer inquiries;
The date of the consumer’s oral authorization; and
A statement by the Originator that the consumer’s authorization will be used to originate an ACH debit to the consumer’s account.
The Rules further require the Originator to tape record the consumer’s oral authorization or to provide written notice to the consumer, prior to the settlement date of the TEL entry, confirming the terms of the oral authorization (including the information specified above). A copy of the tape-recorded authorization or written notice must be retained for two years from the date of the authorization.
Voice response units (VRUs) may be used by the Originator during the telephone call to prompt consumers to key enter data and to respond to questions. However, key-entry responses by the consumer do not qualify as an oral authorization for purposes of TEL entries. Originators must understand that the actual authorization by the consumer and disclosure of the information noted above must be provided orally.
Questions about this ACH Operations Bulletin should be submitted via firstname.lastname@example.org.