Nacha just published its Operations Bulletin #2-2025. The bulletin strongly recommends that all Non-Consumer Originators, Participating Depository Financial Institutions, Third-Party Service Providers and Third-Party Senders abandon the use of faxes and use only a secure electronic channel when exchanging information and documents to resolve ACH Exceptions.

The Nacha Operating Rules require ACH participants to protect the security and integrity of certain ACH data throughout its life cycle. The data elements themselves help transactions flow through the ACH Network in straight-through fashion. Sometimes, though, exceptions arise. Exception cases necessarily support an ACH Entry as an additional part of its life cycle. These cases typically include sensitive data such as names and account numbers. When information related to an Entry must be communicated outside the ACH Network in an exception case, the data elements require protection similar to the protection they receive when they flow through the ACH Network.

Not all methods of sharing information to resolve an exception provide a similar level of protection. Consider that a fax is not inherently secure. Sending a fax depends on the accurate entry of a fax number, email address, or similar identifier to transmit a document image to an intended recipient. An error in entering a number can send a document to an unintended recipient, perhaps to a recipient in an environment not subject to data security requirements and that might mishandle or even exploit the information it receives. Additionally, where physical facsimile machines still exist, the machines often stand unattended in a shared workspace where an incoming document might be retrieved by someone other than the intended recipient. Even within a secure environment, a person with physical access to the area may not have a need for the information being transmitted.

As an alternative to faxes, Nacha offers a secure electronic channel available to financial institutions within the Risk Management Portal for resolving many types of ACH exceptions. For example, an Originating Depository Financial Institution (ODFI) might provide a signed Letter of Indemnity (LOI) to support its request that a Receiving Depository Financial Institution (RDFI) return an ACH Credit. An RDFI can notify an ODFI about the status of a request for return using the Portal’s Return Status form, which can also be used to advise an ODFI after receiving an LOI. An RDFI can notify an ODFI that it has exercised its Exemption from Funds Availability as allowed by the Nacha Operating Rules. Finally, FIs might exchange information to resolve an IAT exception.

The Risk Management Portal has evolved to serve as a channel for sensitive information that must be exchanged securely. The channel is secure even from Nacha, which cannot view, collect, or retain data or documents exchanged between parties. The Portal is also evolving to discourage the use of unsecure channels. From now on, any new categories added to the ACH Contact Registry in Nacha’s Risk Management Portal—such as Exception Resolution and Information Security contacts—will not capture fax numbers. Nacha believes phasing out support for fax numbers will steer users toward channels that provide appropriate security for the information being exchanged.

The growth of tools such as Nacha’s Risk Management Portal has made access to secure forms of electronic communication so prevalent as to make the use of an inherently unsecure method of communication unnecessary. 

Read Operations Bulletin #2-2025