Posted March 29, 2010
Compliance Deadline: June 18, 2010
All ODFIs must register their Direct Access status with NACHA no later than June 18, 2010. ODFIs that have already registered their Direct Access status with NACHA do not have to register again unless their Direct Access status changes.
NACHA has established a Web page for ODFIs to complete the registration process. Direct Access forms and more information can be found there.
ODFIs complete their registration by either (1) acknowledging a statement to the effect that they have no Direct Access Debit Participants, or (2) providing information about each Direct Access Debit Participant.
NACHA’s membership recently approved the Direct Access Registration Rule (“Rule”) to implement these registration requirements. The Rule also requires an ODFI’s board, committee of the board, or its designee to approve a Direct Access Debit Participant prior to the ODFI originating ACH debit entries for that participant. This board-directed approval is applicable on a “going-forward” basis to new Direct Access Debit Participant relationships that are established on or after June 18, 2010.
Questions about this ACH Operations Bulletin should be submitted via firstname.lastname@example.org.
* * * *
SECTION 1. Direct Access Registration Rule
1. What is Direct Access?
Direct Access is defined as “a situation in which an Originator, Third-Party Sender, or a Third- Party Service Provider transmits credit or debit entries to an ACH Operator using the ODFI’s routing and transit number and settlement account.”
2. What is a Direct Access Debit Participant?
A Direct Access Debit Participant is defined as “an Originator, Third-Party Sender, or Third- Party Service Provider with Direct Access for the origination of entries except (i) a Third-Party Service Provider that transmits ACH files solely on behalf of an ODFI where that Third-Party Service Provider does not have a direct agreement with an Originator (and is not itself an Originator), or (ii) an ODFI that transmits files using another Participating DFI’s routing number and settlement account.”
3. Why is Direct Access Registration required?
Direct Access Registration promotes due diligence and adherence to risk management policies by ODFIs and allows for an accurate measurement of the number of Direct Access relationships in the ACH Network and the associated risk profile. When an ODFI allows its Originators and/or third parties Direct Access to the ACH Operators, ACH Network participants, including the ODFI, may be exposed to a variety of risks (including fraud) arising out of shortcomings in the Originator’s or third party’s policies and processes. Accordingly, it is essential that an ODFI that permits Direct Access effectively mitigates such risks by appropriately underwriting, managing, and monitoring its relationship with its customer. ACH Operator tools that allow tracking of volume and exceptions are available to assist ODFIs in these efforts. Regardless of the level of due diligence performed by the ODFI’s Direct Access customers, the ODFI remains responsible for those customers and for the entities those customers introduce to the Network.
4. Is registration required for all Direct Access relationships?
Registration is only required for Direct Access relationships involving the origination of ACH debit transactions. The definition of a Direct Access Debit Participant includes exclusions for two types of debit scenarios: registration is not required for a Third-Party Service Provider that transmits files using another Participating DFI’s routing number and settlement account (correspondent/respondent relationships); and third parties that transmit ACH files solely on behalf of an ODFI where the third party does not have an agreement with the Originator (and is not itself an Originator). Additionally, this Rule does not require registration of an ODFI’s Direct Access relationships for ACH credit transactions.
5. What is the requirement for an ODFI that had no Direct Access Debit Participants?
The Rule requires ODFIs with no Direct Access Debit Participants to complete Form A on NACHA’s Web site no later than June 18, 2010. The ODFI will provide the following information:
6. What is the requirement for an ODFI with Direct Access Debit Participants?
This Rule requires ODFIs with Direct Access Debit Participants to complete Form B on NACHA’s Web site no later than June 18, 2010. The ODFI will provide the following information:
7. What is the requirement for statistical reporting?
An ODFI with a Direct Access Debit Participant is required to report transaction data on a quarterly basis using Form C, on NACHA’s Web site.
For each Direct Access Debit Participant, the ODFI provides the average daily data in total and by Standard Entry Class (SEC) Code for:
Typical reporting periods are January-March, April-June, July-September, and October- December.
8. What is the ODFI’s requirement if the Direct Access Debit Participant relationship changes or is terminated?
An ODFI with Direct Access Debit Participants must report any changes in their registration data using Form D on NACHA’s Web site. These changes could include contact changes at the ODFI, Originator or third party, or termination of a Direct Access Debit Participant.
9. What will NACHA do with the information?
NACHA uses the information on Direct Access Debit Participants to better quantify the number of, and the risk profile for, these relationships in the ACH Network. NACHA works with the ACH Operators to validate that ODFIs have registered all Direct Access Debit Participant relationships. Registration information is retained confidentially by NACHA and only reported in aggregate form.
SECTION 2. Registration Requirements for ODFIs
1. What are the responsibilities of ODFIs?
ODFIs are responsible for completing form(s) on NACHA’s Direct Access Registration portion of the NACHA Web site:
SECTION 3. Additional Requirements of the Direct Access Registration Rule
The Direct Access Registration Rule contains the following provisions:
SECTION 4. Best Practices for ODFIs
ODFIs should exercise due diligence to determine whether allowing a Direct Access relationship is appropriate with any given customer. This should include: (1) reviewing financial statements (e.g., three years worth) to check for creditworthiness; (2) obtaining and reviewing ratings from a credit service company and the Better Business Bureau; (3) understanding the type of business their customer is engaged in; and (4) knowing the types of ACH transactions that are being originated.
DFIs should approve any new business introduced by Originators or third parties with Direct Access after conducting an appropriate review. For example, DFIs should perform a risk-based review of new Originators supported by a third party with Direct Access to manage risks related to changes in volume and character of transactions.
DFIs should ensure their agreements with these Originators and third parties address all appropriate rules provisions, including proper authorization and revocation language, and otherwise adhere to the Rules.
DFIs, along with the Originators and third parties, should subscribe to the risk-monitoring services provided by the ACH Operators.
DFIs should monitor origination and return volume and act accordingly if they note anything out of the ordinary, including a significant increase in origination volume or dollars, as well as an atypical increase in return entries, particularly if the returns are for unauthorized reasons.
Federal banking agencies have recently released guidance on the use of third parties in sensitive banking areas. DFIs should remain current on all compliance standards related to the use of third parties for ACH origination.
1 This ACH Operations Bulletin supersedes the ACH Operations Bulletin issued on September 22, 2008.