Nacha created this industry resource – the ACH Contact Registry - for financial institutions to be able to more easily connect with other financial institutions about ACH operations, exceptions, and risk management.  This rule enables the creation of this resource through the registration of contact information by all financial institutions that participate in the ACH Network.

Nacha will make information within the ACH Contact Registry available, via secure means, only to (a) registered Participating DFIs; (b) ACH Operators; and (c) Associations, for purposes of addressing ACH operational, fraud, and risk management issues within the ACH Network. Examples of potential use cases for the Registry include requests for proof of authorization; communications about ACH-related system outages; communications between FIs regarding erroneous payments, duplicates, reversals; fraudulent payments; etc. Nacha would use registered contact information only for purposes of ACH Network operational, risk and fraud management.  Contact information would be solely for these parties’ own, internal use for the specific purposes permitted by the Rules.

Examples of use cases for an ACH Contact Registry:

• An ODFI needs to contact an RDFI about an ACH credit that is suspected to be fraudulent
• An RDFI needs to contact an ODFI regarding the authorization of a ACH debit
• An ODFI needs to contact an RDFI about a duplicate ACH payment, request the RDFI to return an entry, or request a copy of a WSUD
• An ODFI and RDFI need to execute a letter of indemnity

Authorized users will access the ACH Contact Registry via the existing Risk Management Portal.

The Portal is a hosted solution built with security and business continuity in mind, including physical security, encryption, user authorization and authentication processes, and auditing to verify satisfaction of privacy and security requirements.

Data is encrypted while in transit to Nacha and remains encrypted while it is at rest.

Compliance of the underlying cloud platform with key industry standards is certified by the cloud service provider.

No.

A Participating DFI will be required to register specific contact information for personnel or departments responsible for ACH operations and fraud/risk management. A Participating DFI will also be permitted to register contacts for additional personnel or departments, at its discretion.

A Participating DFI will be required to register either:

• The name, title, email address, and phone number for at least one primary and one secondary contact person; or
• Department contact information that includes an email address and a working telephone number. Use of department contacts could enable financial institutions to better route inquiries internally.

Phone numbers and email addresses must be those that are monitored and answered during normal business hours for financial institution inquiries. Generic email addresses (e.g., info@FI.com) and customer service/800 lines that are not designed to handle inquiries from other FIs) would not be appropriate contact information to enter in the Registry.

Contacts entered in the registry for ACH operations and for fraud/risk management could be the same contact, provided that contact person/department is able to act on either type of inquiry. This would accommodate institutions that may not have separate departments for these functions, and any institutions that prefer the ability to route risk/fraud issues through their ACH operations area.

FIs will be required to update the registration information within 45 days following any change to the information previously provided and will need to verify all registration information at least annually.

These timeframes are intended to accommodate FIs that want to establish routines for keeping information updated. The 45-day period would accommodate a monthly update routine. The annual verification may be aligned with or incorporated into the annual Rules Compliance Audit.

Currently, all ODFIs are required to register with Nacha both their Direct Access status, and their Third-Party Sender status. Under this Rule, ODFIs also are required to add an additional registration category to provide their own contact information for ACH operations and risk/fraud, and keep that information current.

ODFIs need to implement procedures to keep contact information up-to-date. Annual verification could be performed in conjunction with the annual Rules compliance audit.

Currently, financial institutions that are only RDFIs are not required to register information with Nacha, but voluntarily can enroll through the Risk Management Portal for the optional Financial Institution Contact Database and the Terminated Originator Database. Under this Rule, all RDFIs must register contact information with Nacha, and keep that information current.

RDFIs need to implement procedures to keep contact information up-to-date. Annual verification could be performed in conjunction with the annual Rules compliance audit.

As with any other rule, the failure to comply with the requirement to register contact information with Nacha would constitute a rule violation, and the Participating DFI would be subject to potential enforcement action through Nacha’s National System of Fines. A Participating DFI’s failure to comply with a direct obligation to the National Association (in this case, the obligation to register contact information) is considered a Class 2 Rules Violation and could result in a Class 2-level fine assessed against the financial institution.

The rule will become effective, and the ACH Contact Registry will become available for FIs, on July 1, 2020.  Compliance with registration requirements must be completed by October 30, 2020. An additional 9-month grace period (to July 31, 2021) will be provided to ensure broad communication of this requirement to the industry before a rule violation for failure to register would be enforced.

The requirement to register financial institution contact information does not include specific obligations for responding to an inquiry that may be generated from the FI contact database. Nevertheless, there is an industry expectation that a financial institution will provide a timely response to any inquiry it receives. In addition, for certain types of inquiries (i.e., requests for proof of authorization, copies of WSUDs, etc.), the Nacha Operating Rules impose defined response times that are not affected by this change.

Nacha intends the registration portal to be available for Participating DFIs to begin to submit contact information on July 1, 2020.

A Participating DFI must have completed its registration no later than October 30, 2020.

An additional 9-month grace period (to July 31, 2021) will be provided to ensure broad communication of this requirement before failure to register would be enforced through the National System of Fines.

An ACH Contact Registry of all financial institutions is intended to be a substantially higher-value industry resource for all financial institutions in addressing and resolving ACH exceptions, operational issues, and risk or fraud situations.

Payment Associations would be better able to assist their FI members in finding appropriate contact information, and Nacha and the ACH Operators would have more complete contact information in the event of ACH Network risk or fraud events.