ACH Contact Registration

Effective Date

Rule Status

REQUEST FOR COMMENT - RESPONSES DUE BY FRIDAY, AUGUST 23, 2019

Nacha is issuing this Request for Comment to obtain industry feedback on a proposal to create an industry resource for financial institutions to be able to more easily connect with other financial institutions about ACH operations, exceptions and risk management. 

 

Details

All ACH financial institutions would register contact information for ACH operations and risk/fraud

The contact information would be available for other registered ACH participating financial institutions, Payments Associations, and Nacha

  • For use in ACH-related system outages, erroneous payments, duplicates, reversals, fraudulent payments, etc., or potentially other uses within scope (e.g., proper contact for letters of indemnity)

  • Use of the information would be limited to these purposes

Registration information would be required to be updated within 45 days after any change, and verified on an annual basis

Nacha would provide this registry resource as a tool for inter-FI communication for issues relating to ACH operations and fraud/risk management

  • The registry would be accessed via the existing Risk Management Portal

  • Authorized users would use the secure Portal to access registered contact information

  • There would not be a charge to FIs to register or use the contact information

Risk Management Portal security

  • The Portal is a hosted solution built with security and business continuity in mind, including physical security, encryption, user authorization and authentication processes, and auditing to verify satisfaction of privacy and security requirements

  • Data is encrypted while in transit to Nacha and remains encrypted while it is at rest

  • Compliance of the underlying cloud platform with key industry standards is certified by the cloud service provider

Technical

A Participating DFI would register specific contact information for personnel or departments responsible for:

  • ACH operations; and

  • Fraud and/or risk management

  • An FI may register contacts for additional personnel or departments, at its discretion

A Participating DFI would register either:

  • The name, title, email address, and phone number for at least one primary and one secondary contact person; or

  • Department contact information that includes an email address and a working telephone number

    1. For department contacts, phone numbers and email addresses must be those that are monitored and answered during normal business hours for financial institution inquiries
    2. Use of department contacts could enable financial institutions to better route inquiries internally

 

To keep registration information up-to-date, an FI would

  • Update the registration information within 45 days following any change to the information previously provided; and

  • Verify all registration information at least annually

  • These timeframes are intended to accommodate FIs that want to establish routines for keeping information updated

    1. The 45-day period would accommodate a monthly update routine
    2. The annual verification can be aligned with or incorporated into the annual Rules Compliance Audit

 

Nacha will make registered contact information available via secure means only to other registered Participating DFIs and Payment Associations

FIs accessing registered contact information would agree that such information will be used only for the purposes stated in the Rule

Impact

Currently, all ODFIs are required to register with Nacha both their Direct Access status, and their Third-Party Sender status

  • Under this proposal, ODFIs also would be required to add an additional registration category to provide their own contact information for ACH operations and risk/fraud, and keep that information up-to-date

  • ODFIs might have to implement procedures to keep contact information up-to-date

Currently, financial institutions that are only RDFIs are not required to register information with Nacha, but voluntarily can enroll through the Risk Management Portal for the optional Emergency Financial Institution Contact Database and the Terminated Originator Database

  • Under this proposal, all RDFIs would be required to register contact information with Nacha, and keep that information up-to-date

  • RDFIs would have to implement procedures to keep contact information up-to-date

  • Annual verification could be performed in conjunction with the annual Rules compliance audit

Financial institutions could decide to establish department contact information for purposes of registration, and establish procedures for how to route inquiries internally

All financial institutions would need to consider and address the circumstances under which they would use the registry, and how they would handle and respond to contacts and inquiries they receive

FAQs Section

How is this proposed registry different from the Emergency FI Contact Database?

An ACH Contact Registry of all financial institutions is intended to be a substantially higher-value industry resource for all financial institutions in addressing and resolving ACH exceptions, operational issues, and risk or fraud situations.

Payment Associations would be better able to assist their FI members in finding appropriate contact information, and Nacha would have more complete contact information in the event of ACH Network risk or fraud events.

Who could use the Registry and what would they use it for?

The contact information would be available to other registered ACH participating financial institutions, Payments Associations, and Nacha.

The information would be used for ACH-related system outages, erroneous payments, duplicates, reversals, fraudulent payments, etc., or potentially other uses within scope (e.g., proper contact for letters of indemnity) and would be limited to these purposes.

When would an FI use the ACH Contact Registry?

Potential use cases for an ACH Contact Registry could include, but are not limited to, situations in which:

  • An ODFI needs to contact an RDFI about an ACH credit that is suspected to be fraudulent

  • An RDFI needs to contact an ODFI regarding the authorization of an ACH debit

  • An ODFI needs to contact an RDFI about a duplicate ACH payment, notify the RDFI of an ODFI request for return, or request a copy of a WSUD

  • An ODFI and RDFI need to execute a letter of indemnity

Some FIs have limited staff and some have entire departments to handle these situations. What information would be included in the Registry?

A Participating DFI would register specific contact information for personnel or departments responsible for ACH operations and fraud/risk management. An FI may register contacts for additional personnel or departments, at its discretion.

A Participating DFI would register either:

  • The name, title, email address, and phone number for at least one primary and one secondary contact person; or

  • Department contact information that includes an email address and a working telephone number. For department contacts, phone numbers and email addresses must be those that are monitored and answered during normal business hours for financial institution inquiries. Use of department contacts could enable financial institutions to better route inquiries internally.

How would registration information be kept up-to-date?

FIs would be required to update the registration information within 45 days following any change to the information previously provided and would need to verify all registration information at least annually.

These timeframes are intended to accommodate FIs that want to establish routines for keeping information updated. The 45-day period would accommodate a monthly update routine. The annual verification can be aligned with or incorporated into the annual Rules Compliance Audit.

How would this proposed change impact ODFIs?

Currently, all ODFIs are required to register with Nacha both their Direct Access status, and their Third-Party Sender status. Under this proposal, ODFIs also would be required to add an additional registration category to provide their own contact information for ACH operations and risk/fraud, and keep that information current.

ODFIs would have to implement procedures to keep contact information up-to-date. Annual verification could be performed in conjunction with the annual Rules compliance audit.

How would this proposed change impact RDFIs?

Currently, financial institutions that are only RDFIs are not required to register information with Nacha, but voluntarily can enroll through the Risk Management Portal for the optional Emergency Financial Institution Contact Database and the Terminated Originator Database. Under this proposal, all RDFIs would be required to register contact information with Nacha, and keep that information current.

RDFIs would have to implement procedures to keep contact information up-to-date. Annual verification could be performed in conjunction with the annual Rules compliance audit.

How would the contact information be available?

Nacha will make registered contact information available via secure means only to other registered Participating DFIs and Payment Associations as a tool for inter-FI communication for issues relating to ACH operations and fraud/risk management.

The registry would be accessed via the existing Risk Management Portal. Authorized users would use the secure Portal to access registered contact information. There would not be a charge to FIs to register or use the contact information.

Is the Risk Management Portal secure?

The Portal is a hosted solution built with security and business continuity in mind, including physical security, encryption, user authorization and authentication processes, and auditing to verify satisfaction of privacy and security requirements.

Data is encrypted while in transit to Nacha and remains encrypted while it is at rest.

Compliance of the underlying cloud platform with key industry standards is certified by the cloud service provider.

What happens if a Participating DFI does not register contact information with Nacha?

As with any other rule, the failure to comply with the requirement to register contact information with Nacha would constitute a rule violation and could be subject to potential enforcement action through Nacha’s National System of Fines. A Participating DFI’s failure to comply with a direct obligation to the National Association (in this case, the obligation to register contact information) is considered a Class 2 Rules Violation and could result in a Class 2-level fine assessed against the financial institution.

Once I register my financial institution’s contact information, do I have any new or additional obligations for responding to inquiries I may receive?

The requirement to register financial institution contact information does not include specific obligations for responding to an inquiry that may be generated from the FI contact database. Nevertheless, there is an industry expectation that a financial institution will provide a timely response to any inquiry it receives. In addition, for certain types of inquiries (e.g., requests for proof of authorization, copies of WSUDs, etc.), the Nacha Operating Rules impose defined response times that are not affected by this change.

What is the proposed effective date?

Nacha intends the registration portal to be available for Participating DFIs to begin to submit contact information on July 1, 2020.

A Participating DFI must have completed its registration no later than October 30, 2020.