Direct Access Registration Requirements For Originating Depository Financial Institutions [1]

Posted March 29, 2010

Compliance Deadline: June 18, 2010

EXECUTIVE SUMMARY

All ODFIs must register their Direct Access status with NACHA no later than June 18, 2010. ODFIs that have already registered their Direct Access status with NACHA do not have to register again unless their Direct Access status changes.

NACHA has established a Web page for ODFIs to complete the registration process. Direct Access forms and more information can be found there.

ODFIs complete their registration by either (1) acknowledging a statement to the effect that they have no Direct Access Debit Participants, or (2) providing information about each Direct Access Debit Participant.

NACHA’s membership recently approved the Direct Access Registration Rule (“Rule”) to implement these registration requirements. The Rule also requires an ODFI’s board, committee of the board, or its designee to approve a Direct Access Debit Participant prior to the ODFI originating ACH debit entries for that participant. This board-directed approval is applicable on a “going-forward” basis to new Direct Access Debit Participant relationships that are established on or after June 18, 2010.

NACHA CONTACTS

Questions about this ACH Operations Bulletin should be submitted via info@nacha.org.

* * * *

SECTION 1. Direct Access Registration Rule

1.   What is Direct Access?

Direct Access is defined as “a situation in which an Originator, Third-Party Sender, or a Third- Party Service Provider transmits credit or debit entries to an ACH Operator using the ODFI’s routing and transit number and settlement account.”

2.   What is a Direct Access Debit Participant?

A Direct Access Debit Participant is defined as “an Originator, Third-Party Sender, or Third- Party Service Provider with Direct Access for the origination of entries except (i) a Third-Party Service Provider that transmits ACH files solely on behalf of an ODFI where that Third-Party Service Provider does not have a direct agreement with an Originator (and is not itself an Originator), or (ii) an ODFI that transmits files using another Participating DFI’s routing number and settlement account.”

3.   Why is Direct Access Registration required?

Direct Access Registration promotes due diligence and adherence to risk management policies by ODFIs and allows for an accurate measurement of the number of Direct Access relationships in the ACH Network and the associated risk profile. When an ODFI allows its Originators and/or third parties Direct Access to the ACH Operators, ACH Network participants, including the ODFI, may be exposed to a variety of risks (including fraud) arising out of shortcomings in the Originator’s or third party’s policies and processes. Accordingly, it is essential that an ODFI that permits Direct Access effectively mitigates such risks by appropriately underwriting, managing, and monitoring its relationship with its customer. ACH Operator tools that allow tracking of volume and exceptions are available to assist ODFIs in these efforts. Regardless of the level of due diligence performed by the ODFI’s Direct Access customers, the ODFI remains responsible for those customers and for the entities those customers introduce to the Network.

4. Is registration required for all Direct Access relationships?

Registration is only required for Direct Access relationships involving the origination of ACH debit transactions. The definition of a Direct Access Debit Participant includes exclusions for two types of debit scenarios: registration is not required for a Third-Party Service Provider that transmits files using another Participating DFI’s routing number and settlement account (correspondent/respondent relationships); and third parties that transmit ACH files solely on behalf of an ODFI where the third party does not have an agreement with the Originator (and is not itself an Originator). Additionally, this Rule does not require registration of an ODFI’s Direct Access relationships for ACH credit transactions.

5. What is the requirement for an ODFI that had no Direct Access Debit Participants?

The Rule requires ODFIs with no Direct Access Debit Participants to complete Form A on NACHA’s Web site no later than June 18, 2010. The ODFI will provide the following information:

  • ODFI name
  • ODFI routing number
  • ODFI representative contact information
  • Acknowledgement of a statement that the ODFI does not maintain any Direct Access Debit Participant relationships

6. What is the requirement for an ODFI with Direct Access Debit Participants?

This Rule requires ODFIs with Direct Access Debit Participants to complete Form B on NACHA’s Web site no later than June 18, 2010. The ODFI will provide the following information:

  • ODFI name
  • ODFI’s routing number(s) used by Direct Access Debit Participant
  • ODFI representative contact information
  • Identification of whether the Direct Access Debit Participant is an Originator, Third-Party Service Provider, or Third-Party Sender
  • Direct Access Debit Participant name, representative contact information, and TIN
  • The number of Originators transmitting ACH debits through a Direct Access Debit Participant that is a Third-Party Sender or Third-Party Service Provider
  • Identification of the ACH Operator through which the Direct Access Debit Participant transmits entries
  • An indication of whether the ODFI’s board, board-level committee, or its designee has approved the Direct Access Debit Participant
  • Quarterly data reporting upon initial registration if the Direct Access Debit Relationship has been in place for at least one quarter of the year (Note: After initial registration, quarterly data reporting is reported on Form C.)

7. What is the requirement for statistical reporting?

An ODFI with a Direct Access Debit Participant is required to report transaction data on a quarterly basis using Form C, on NACHA’s Web site.

For each Direct Access Debit Participant, the ODFI provides the average daily data in total and by Standard Entry Class (SEC) Code for:
 

  • Debit entry origination and return transaction volume
  • Debit entry origination and return dollar value
  • Rates of return for all Return Reason Codes in total and by NSF, administrative and unauthorized return reasons

Typical reporting periods are January-March, April-June, July-September, and October- December.

8. What is the ODFI’s requirement if the Direct Access Debit Participant relationship changes or is terminated?

An ODFI with Direct Access Debit Participants must report any changes in their registration data using Form D on NACHA’s Web site. These changes could include contact changes at the ODFI, Originator or third party, or termination of a Direct Access Debit Participant.

9. What will NACHA do with the information?

NACHA uses the information on Direct Access Debit Participants to better quantify the number of, and the risk profile for, these relationships in the ACH Network. NACHA works with the ACH Operators to validate that ODFIs have registered all Direct Access Debit Participant relationships. Registration information is retained confidentially by NACHA and only reported in aggregate form.

SECTION 2. Registration Requirements for ODFIs

1. What are the responsibilities of ODFIs?

ODFIs are responsible for completing form(s) on NACHA’s Direct Access Registration portion of the NACHA Web site:

  • An ODFI registers its Direct Access Debit Participant status with NACHA
    • An ODFI with Direct Access Debit Participants provides specified information about each Participant
    • An ODFI with no Direct Access Debit Participants acknowledges a statement to that effect.
  • An ODFI with Direct Access Debit Participants reports via the registration process specified transaction data on a quarterly basis
  • An ODFI reports when there is a change to the information provided for a current Direct Access Debit Participant, such as new contact information or a termination of a relationship

SECTION 3. Additional Requirements of the Direct Access Registration Rule

The Direct Access Registration Rule contains the following provisions:

  • Board-Level Approval: The Registration Rule requires that the ODFI’s board, board-level committee, or its designee approve each Direct Access Debit Participant prior to the ODFI initiating ACH debit entries for that Participant. The board’s designee can be a management group or staff-level position as appropriate at the institution. This approval process ensures that this type of ACH activity is within the ODFI’s risk parameters. The board-directed approval of Direct Access Debit Participants is applicable on a “going-forward” basis to new Direct Access Debit Participant relationships established after June 18, 2010.
  • ACH Rules Compliance Audit: The Registration Rule includes an ODFI audit provision requiring the ODFI to verify that it has registered its Direct Access status with NACHA, obtained the approval of its board, board-level committee, or its designee for each Direct Access Debit Participant relationship, provided the required statistical reporting for each Direct Access Debit Participant, and notified NACHA of any change with respect to any Direct Access Debit Participant.
  • ACH Rules Enforcement: The Registration Rule provides for enforcement of the Rules if an ODFI fails to register its Direct Access status, or provide the required data reporting.

SECTION 4. Best Practices for ODFIs
 

  • Know Your Customer - Originators and Third Parties

ODFIs should exercise due diligence to determine whether allowing a Direct Access relationship is appropriate with any given customer. This should include: (1) reviewing financial statements (e.g., three years worth) to check for creditworthiness; (2) obtaining and reviewing ratings from a credit service company and the Better Business Bureau; (3) understanding the type of business their customer is engaged in; and (4) knowing the types of ACH transactions that are being originated.

DFIs should approve any new business introduced by Originators or third parties with Direct Access after conducting an appropriate review. For example, DFIs should perform a risk-based review of new Originators supported by a third party with Direct Access to manage risks related to changes in volume and character of transactions.
 

  • Adherence to the Rules

DFIs should ensure their agreements with these Originators and third parties address all appropriate rules provisions, including proper authorization and revocation language, and otherwise adhere to the Rules.
 

  • Utilize Operator Risk-Monitoring Tools

DFIs, along with the Originators and third parties, should subscribe to the risk-monitoring services provided by the ACH Operators.

  • Monitor Volume and Act Accordingly

DFIs should monitor origination and return volume and act accordingly if they note anything out of the ordinary, including a significant increase in origination volume or dollars, as well as an atypical increase in return entries, particularly if the returns are for unauthorized reasons.
 

  • Follow Regulatory Guidance Regarding Third-Party Relationships

Federal banking agencies have recently released guidance on the use of third parties in sensitive banking areas. DFIs should remain current on all compliance standards related to the use of third parties for ACH origination.

---------------

1 This ACH Operations Bulletin supersedes the ACH Operations Bulletin issued on September 22, 2008.
 

Access: Public