ACH Contact Registry

Effective Date

Rule Status

Rule Status

An industry resource – the ACH Contact Registry - is being created for financial institutions to be able to more easily connect with other financial institutions about ACH operations, exceptions and risk management. In order for the ACH Contact Registry to be a valuable, Network-wide resource, all financial institutions participating in the ACH Network need to participate. This rule enables the creation of this resource by requiring the registration of contact information by all financial institutions that participate in the ACH Network.

 

Details

Details

All financial institutions participating in the ACH Network will be required to register contact information with Nacha for personnel or departments responsible for ACH operations and fraud/risk management. The contact information will be available for other registered ACH participating financial institutions, Payments Associations, the ACH Operators, and Nacha for operational, fraud, and risk management issues in the ACH Network (e.g., proof of authorizations, ACH-related system outages, erroneous payments, duplicates, reversals, fraudulent payments, etc.). Contact information will be only for those parties own, internal use and limited to these purposes.

Technical

Technical
  • Beginning July 1, 2020 All financial institutions participating in the ACH Network will be required to register contact information with Nacha for personnel or departments responsible for ACH operations and fraud/risk management.

  • All FIs must register contact information by October 30, 2020

  • Registration will be done via the Risk Management Portal.

  • The registry of financial institution contacts will be made available to registered financial institutions, the ACH Operators, and Payment Associations to use in addressing and resolving ACH operations and risk management situations.

Impact

Impact

Currently, all ODFIs are required to register with Nacha both their Direct Access status, and their Third-Party Sender status

  • Under this Rule, ODFIs also would be required to add an additional registration category to provide their own contact information for ACH operations and risk/fraud, and keep that information up-to-date
  • ODFIs would have to implement procedures to keep contact information up-to-date


Currently, financial institutions that are only RDFIs are not required to register information with Nacha, but voluntarily can enroll through the Risk Management Portal for the optional Financial Institution Contact Database and the Terminated Originator Database

  • Under this Rule, all RDFIs would be required to register contact information with Nacha, and keep that information up-to-date
  • RDFIs would have to implement procedures to keep contact information up-to-date


Annual verification may be performed in conjunction with the annual Rules compliance audit

The rule will become effective, and the ACH Contact Registry will become available for FIs to begin submitting contact information, on July 1, 2020. Registration will be done via the Risk Management Portal. Compliance with registration requirements must be completed by October 30, 2020. An additional 9-month grace period (to August 1, 2021) will be provided to ensure broad communication of this requirement before failure to register could be considered a Rules violation.

FAQs Section

FAQs Section
Why did Nacha create this Registry?

Nacha created this industry resource – the ACH Contact Registry - for financial institutions to be able to more easily connect with other financial institutions about ACH operations, exceptions, and risk management.  This rule enables the creation of this resource through the registration of contact information by all financial institutions that participate in the ACH Network.

Who will be permitted to use the ACH Contact Registry and for what purposes?

Nacha will make information within the ACH Contact Registry available, via secure means, only to (a) registered Participating DFIs; (b) ACH Operators; and (c) Associations, for purposes of addressing ACH operational, fraud, and risk management issues within the ACH Network. Examples of potential use cases for the Registry include requests for proof of authorization; communications about ACH-related system outages; communications between FIs regarding erroneous payments, duplicates, reversals; fraudulent payments; etc. Nacha would use registered contact information only for purposes of ACH Network operational, risk and fraud management.  Contact information would be solely for these parties’ own, internal use for the specific purposes permitted by the Rules.

Examples of use cases for an ACH Contact Registry:

  • An ODFI needs to contact an RDFI about an ACH credit that is suspected to be fraudulent
  • An RDFI needs to contact an ODFI regarding the authorization of a ACH debit
  • An ODFI needs to contact an RDFI about a duplicate ACH payment, request the RDFI to return an entry, or request a copy of a WSUD
  • An ODFI and RDFI need to execute a letter of indemnity
How will information in the ACH Contact Registry be accessible?

Authorized users will access the ACH Contact Registry via the existing Risk Management Portal.

Is the Risk Management Portal secure?

The Portal is a hosted solution built with security and business continuity in mind, including physical security, encryption, user authorization and authentication processes, and auditing to verify satisfaction of privacy and security requirements.

Data is encrypted while in transit to Nacha and remains encrypted while it is at rest.

Compliance of the underlying cloud platform with key industry standards is certified by the cloud service provider.

Is there a cost to register with or use the ACH Contact Registry?

No.

Some FIs have limited staff and some have entire departments to handle these situations. What information would be included in the Registry?

A Participating DFI will be required to register specific contact information for personnel or departments responsible for ACH operations and fraud/risk management. A Participating DFI will also be permitted to register contacts for additional personnel or departments, at its discretion.

A Participating DFI will be required to register either:

  • The name, title, email address, and phone number for at least one primary and one secondary contact person; or
  • Department contact information that includes an email address and a working telephone number. Use of department contacts could enable financial institutions to better route inquiries internally.

Phone numbers and email addresses must be those that are monitored and answered during normal business hours for financial institution inquiries. Generic email addresses (e.g., info@FI.com) and customer service/800 lines that are not designed to handle inquiries from other FIs) would not be appropriate contact information to enter in the Registry.

Contacts entered in the registry for ACH operations and for fraud/risk management could be the same contact, provided that contact person/department is able to act on either type of inquiry. This would accommodate institutions that may not have separate departments for these functions, and any institutions that prefer the ability to route risk/fraud issues through their ACH operations area.

How would registration information be kept up-to-date?

FIs will be required to update the registration information within 45 days following any change to the information previously provided and will need to verify all registration information at least annually.

These timeframes are intended to accommodate FIs that want to establish routines for keeping information updated. The 45-day period would accommodate a monthly update routine. The annual verification may be aligned with or incorporated into the annual Rules Compliance Audit.

How will this Rule impact ODFIs?

Currently, all ODFIs are required to register with Nacha both their Direct Access status, and their Third-Party Sender status. Under this Rule, ODFIs also are required to add an additional registration category to provide their own contact information for ACH operations and risk/fraud, and keep that information current.

ODFIs need to implement procedures to keep contact information up-to-date. Annual verification could be performed in conjunction with the annual Rules compliance audit.

How will this Rule impact RDFIs?

Currently, financial institutions that are only RDFIs are not required to register information with Nacha, but voluntarily can enroll through the Risk Management Portal for the optional Financial Institution Contact Database and the Terminated Originator Database. Under this Rule, all RDFIs must register contact information with Nacha, and keep that information current.

RDFIs need to implement procedures to keep contact information up-to-date. Annual verification could be performed in conjunction with the annual Rules compliance audit.

What would happen if a Participating DFI does not register contact information with NACHA?

As with any other rule, the failure to comply with the requirement to register contact information with Nacha would constitute a rule violation, and the Participating DFI would be subject to potential enforcement action through Nacha’s National System of Fines. A Participating DFI’s failure to comply with a direct obligation to the National Association (in this case, the obligation to register contact information) is considered a Class 2 Rules Violation and could result in a Class 2-level fine assessed against the financial institution.

The rule will become effective, and the ACH Contact Registry will become available for FIs, on July 1, 2020.  Compliance with registration requirements must be completed by October 30, 2020. An additional 9-month grace period (to August 1, 2021) will be provided to ensure broad communication of this requirement to the industry before a rule violation for failure to register would be enforced.

Once I register my financial institution’s contact information, will I have any new or additional obligations for responding to inquiries I may receive?

The requirement to register financial institution contact information does not include specific obligations for responding to an inquiry that may be generated from the FI contact database. Nevertheless, there is an industry expectation that a financial institution will provide a timely response to any inquiry it receives. In addition, for certain types of inquiries (i.e., requests for proof of authorization, copies of WSUDs, etc.), the Nacha Operating Rules impose defined response times that are not affected by this change.

What is the effective date?

Nacha intends the registration portal to be available for Participating DFIs to begin to submit contact information on July 1, 2020.

A Participating DFI must have completed its registration no later than October 30, 2020.

An additional 9-month grace period (to August 1, 2021) will be provided to ensure broad communication of this requirement before failure to register would be enforced through the National System of Fines.

How is this Registry different from the current FI Contact Database?

An ACH Contact Registry of all financial institutions is intended to be a substantially higher-value industry resource for all financial institutions in addressing and resolving ACH exceptions, operational issues, and risk or fraud situations.

Payment Associations would be better able to assist their FI members in finding appropriate contact information, and Nacha and the ACH Operators would have more complete contact information in the event of ACH Network risk or fraud events.

RFC Summary

RFC Summary

The rule was issued as a Request for Comment on July 12, 2019 (Original Proposal). Approximately 98% of respondents generally support requiring FIs to register ACH contact information with Nacha. Ninety-four percent of FIs responding believe an ACH Contact Registry would have a positive impact on their institution.

In response to comments and feedback, one change is being made to the Original Proposal - ACH Operators will be added as a party that will have access to the Contact Registry. Other parties that were included in the Original Proposal as having access are the registered DFIs, Nacha, and Payments Associations.

In addition, a clarification is being made that contacts entered in the registry for ACH operations and fraud/risk management may be the same contact, as long as that contact can act on an inquiry. This clarification is being made to accommodate institutions that may not have separate departments for these functions, and any institutions that prefer the ability to route risk/fraud issues through their ACH operations area.