Micro-Entries (Phase 2)

This Rule will define and standardize practice and formatting of Micro-Entries, which are used by some ACH Originators as a method of account validation.

This phase of the Rule requires Originators of Micro-Entries to use commercially reasonable fraud detection, including the monitoring of Micro-Entry forward and return volumes.

Details

Originators of Micro-Entries are required to use commercially reasonable fraud detection, including the monitoring of Micro-Entry forward and return volumes
This phase of the Rule became effective March 17, 2023.

Technical

In Phase 2 of the Rule risk management requirements are applied to Originators.

An Originator of Micro-Entries must conduct commercially reasonable fraud detection on its use of Micro-Entries, including by monitoring of forward and return volumes of Micro-Entries

The use of commercially reasonable fraud detection is intended to minimize the incidence of fraud schemes that make use of Micro-Entries
Monitoring forward and return volumes, at a minimum, establishes a baseline of normal activity
An Originator is not be required to perform an entry-by-entry review

Impact

Benefits

For ODFIs and their Originators

Reduces the potential of originating fraudulently-initiated Micro-Entries

For the ACH Network as a whole

Improve the quality of this type of Entry in the ACH Network

Impacts

Originators

Originators will need to conduct commercially reasonable fraud detection for Micro-Entries (Phase 2)

Monitoring forward and return volumes of Micro-Entries
Other desired velocity checks or anomaly detection

FAQs Section

What is expected of Originators, who must apply commercially reasonable fraud detection standards (which includes monitoring of forward and return volumes) to Micro-Entries as of March 16, 2023?

The rule requires an organization using Micro-Entries to use reasonable methods to recognize and prevent suspicious activity. This requirement is different from the WEB Debit account validation requirement in that the account number for a Micro-Entry does not need to be individually validated, and Originators are not required to perform an entry-by-entry review. However, at a minimum, Originators should understand forward and return volumes to establish a baseline of normal Micro-Entry activity. Velocity monitoring, recognizing the number of times an account number is used (in various formats), in addition to the number of transactions, can also be an important tool in Originator’s fraud monitoring efforts.

Does the requirement for an Originator to use commercially reasonable fraud detection methods and monitor forward and return entry volumes for Micro-Entries affect existing requirements for return rate monitoring?

No. The fraud detection requirements for Micro-Entries are in addition to and distinct from the return rate threshold monitoring required under Article Two, Subsection 2.17.2. The new rule does not impose a specific return threshold for Micro-Entries but instead requires Originators to understand and establish a baseline for normal forward and return volumes and to recognize and react to activity outside of those levels.

To what extent must an ODFI apply its own commercially reasonable fraud detection standards (e.g., forward and return entry monitoring, velocity checks, anomaly detection) to Micro-Entries specifically?

An ODFI is ultimately responsible for its Originators’ compliance with the Nacha Operating Rules. While the rule imposes the requirement for commercially reasonable Micro-Entry fraud detection directly on the Originator, the ODFI should also follow the current language in Article Two, Subsection 2.2.3 regarding monitoring origination and return activity for Originators and Third-Party Senders. ODFIs may want to have ACH Origination Agreements reviewed by their compliance area along with the Rules language to determine if any additional steps need to be taken.