Request For Comment - ACH Risk Management 2023
Nacha’s latest Risk Management Framework expands the focus on fraud detection, prevention and recovery to encompass credit-push payments. All participants in the payments system, whether the ACH Network or elsewhere, have roles to play in working together to combat fraud.
As part of implementing the Risk Management Framework objectives, Nacha requests comment on proposals to amend the Nacha Operating Rules:
- Seven proposals related to ACH credit risk management, and
- Two proposals related to ACH debit risk management.
Responses to the RFC topics are requested by Friday, June 16, 2023.
Please review the survey questions prior to beginning your response so that you can gather information and comments from all impacted areas of your organization before responding to the questions. You can download the materials on the left side of the page and respond online.
Details
ACH Credit Risk Management Topics:
Expand Commercially Reasonable Fraud Detection
This proposal would require each non-Consumer Originator, ODFI, Third-Party Service Provider, and Third-Party Sender to establish and implement a commercially reasonable fraudulent transaction detection system with respect to its ACH Entries.
- The proposal is intended to reduce the incidence of successful fraud attempts.
- Regular fraud detection monitoring can establish baselines of typical activity, making atypical activity easier to identify.
RDFI Credit Transaction Monitoring
The proposal would require RDFIs to establish Commercially Reasonable Fraud Detection Systems that monitor their received ACH credit transactions.
- RDFIs have a view of incoming transactions as well as account profile information and historic activity on Receivers’ accounts.
- A commercially reasonable, risk-based approach to monitoring can consider factors such as transactional velocity, anomalies (e.g., SEC Code mismatch with account type), and account characteristics (e.g., age of account, average balance, etc.). This aligns with AML monitoring practices in place today.
- Based on its monitoring of incoming credits, an RDFI may decide to post a transaction, return an entry, or contact the ODFI to determine the validity of a transaction.
This proposal is intended to reduce the incidence of successful fraud and better enable the recovery of funds when fraud has occurred.
- The proposal aligns with an institution’s regulatory obligation to monitor for suspicious transactions.
Expand Use of Return Reason Code R17
This proposal would explicitly allow, but not require, an RDFI to use R17 to return an entry that it thinks is fraudulent.
- Such use is optional and at the discretion of the RDFI.
- The proposal retains the current requirement to include the descriptor QUESTIONABLE in the return addenda record for such use.
- The proposal is intended to improve the recovery of funds originated due to fraud.
Expand Use of Reversals for Fraud Recovery
The proposal would explicitly allow reversals for use with fraudulently-originated credits and credits transmitted without the authorization of the Originator.
- It is likely that some reversals are being used in this manner already.
The proposal is intended to improve the recovery of funds when a fraud has occurred.
This proposal would not change other permissible reasons for a reversal, nor the language that reasons other than those explicitly listed are not permitted.
The proposal would also require that a reversal used to attempt to recover from fraud use a distinct Company Entry Description to differentiate it from standard reversals for errors.
Reversals for fraud would use the standard description “REVERSALFR.”
- Adding “FR” to the end of the description “REVERSAL” differentiates reversals for fraud from reversals for errors.
- The description is similar in intent to messages in instant payment systems requesting the return of funds that use a reason code of “FRAD.”
- Providing this indicator in a Batch Header Record field would enable reporting on these transactions.
In addition, this proposal also includes an expansion to the ability of an ODFI to request a return from the RDFI.
- Historically, the permissible reasons that an ODFI can request a return tracked closely to the reasons allowed for a reversal (i.e., to correct errors). One existing distinction between reversal and ODFI requests for return occurs when a request for return attempts to recover for credits transmitted without the Originator’s authorization.
- It is likely that in practice, ODFI requests for return encompass other reasons.
The proposal would expand the ODFI request for a return so that an ODFI could request a return from an RDFI for any reason.
- The ODFI would still indemnify the RDFI for compliance with the request.
- Compliance by the RDFI would remain optional.
- An RDFI’s only obligation to the ODFI would be to promptly respond to the ODFI’s request.
- This proposal is intended to improve the recovery of funds when fraud has occurred.
Additional Exemption to Funds Availability Requirements
This proposal would provide RDFIs with an additional exemption to include credit entries that the RDFI suspects are originated as a part of a fraud scheme or fraud event.
- The additional exemption provides RDFIs with a tool under the Rules regarding entries identified as questionable.
- RDFIs are still subject to requirements under Regulation CC for funds availability.
- The proposal is intended to improve the recovery of funds when fraud has occurred.
- The proposal is not intended to otherwise alter an RDFI’s obligation to promptly make funds available as required by the Rules.
Standard Company Entry Descriptions
This proposal would establish two new standard descriptions for specific payment purposes.
1. For PPD Credits for payment of wages, salaries and similar types of compensation, the Company Entry Description field must contain the description PAYROLL.
- RDFIs that monitor inbound ACH credits would have better information regarding new or multiple payroll payments to an account.
- A standard description for payroll payments can help support RDFI logic to provide or suppress early funds availability.
- The proposal is intended to reduce the incidence of fraud involving payroll redirections.
2. For e-commerce purchases, the Company Entry Description field must contain the description PURCHASE.
- For this purpose, an e-commerce purchase is a debit Entry authorized by a consumer Receiver for the online purchase of goods or services. An e-commerce purchase uses the WEB debit SEC Code, except as permitted by the rule on Standing Authorization to use the PPD or TEL debit SEC Code.
- ACH purchases at the point-of-sale would continue to use the POS SEC Code which carries terminal information.
- A standard description for e-commerce purchases would enable ODFIs and RDFIs to track volume and other metrics related to transaction quality for this payment purpose (e.g., disputes, returns) and potentially apply additional processing logic.
- The proposal is intended to improve ACH transaction quality.
Standard Use of Individual Name Field
This proposal would standardize the formatting for the Individual Name field for consumer names.
- Generally, the standard format would be: last name, first name, middle name or initial.
- Examples are shown on slide #36 within the full slide deck.
- The proposal is intended to reduce the incidence of fraud and to improve the recovery of funds.
This proposal does not seek to require RDFIs to perform name matching when handling received ACH Entries and does not seek to require name matching for the origination of ACH payments.
- Standard formatting, however, can support logic to identify the individual by RDFIs choosing to reconcile against the name of the account owner, and can otherwise help improve name-matching capabilities.
- A standardized format may also permit RDFIs to better identify when an account is receiving entries for multiple receivers who may not be named on the account.
- This activity may be indicative of a party acting as a “mule” in a fraud scheme.
ACH Debit Risk Management Topics
Timing of Written Statement of Unauthorized Debit
This proposal would allow a WSUD to be signed and dated by the Receiver on or after the date on which the Entry is presented to the Receiver (either by posting to the account or by notice of a pending transaction), even if the debit has not yet been posted to the account.
- Through digital notifications and alerts, a consumer may be able to report an unauthorized debit prior to the debit posting to his or her account.
- Allowing such a debit to post after being reported may cause harm to the Receiver.
This proposal is intended to improve the process and experience when debits are claimed to be unauthorized.
The proposal does not otherwise change the requirement for an RDFI to obtain a consumer’s WSUD.
RDFI Must Promptly Return Unauthorized Debit
This proposal would require that when returning a debit as unauthorized, the RDFI must do so promptly upon receiving a consumer’s completed WSUD.
- The proposal is intended to improve the recovery of funds and reduce the incidence of future fraud.
- The prompt return of an unauthorized debit alerts an ODFI and an Originator to a potential problem.
- This is also true in first-party fraud schemes in which the party who disputes the debit Entry is the same party who benefits from the original entry.
- A prompt return supports controls that an Originator may have enabled, such as a hold on funds or delayed shipment of merchandise.
- This proposal would not change reasons or requirements for obtaining a Written Statement of Unauthorized Debit.
Technical
This RFC seeks comment on the 2 proposed effective dates:
March 15, 2024 (approx. 6 months after potential approval) for those proposed changes that are either optional for use and/or would require modifications only to existing processes and uses:
- Expanded use of Return Reason Code R17 (proposal #3).
- Additional exemption to funds availability requirement (proposal #5).
- Timing of WSUD (proposal #8).
- Prompt Return of Unauthorized Debit (proposal #9).
September 20, 2024 (approx. 1 year after potential approval) for those proposed changes that would require implementations of new technology, systems or processes:
- Commercially reasonable fraud detection (proposal #1).
- RDFI Credit Transaction Monitoring (proposal #2).
- Allow Reversals for fraud recovery (proposal #4).
- Standard Company Entry Descriptions (proposal #6).
- Standard Individual Name Format (proposal #7).
Impact
Expand Commercially Reasonable Fraud Detection
Anticipated benefits
- Expanding fraud detection responsibilities to more parties in the ACH Network provides additional opportunities to detect and prevent fraud, especially for frauds that make use of credit-push payments.
- Reducing the incidence of successful fraud and improving the quality of transactions in the ACH Network.
Potential impacts
- Implementing or updating fraud-detection systems and processes, particularly by organizations that are not currently performing adequate fraud detection.
- Less impact for those who have already implemented a monitoring system for WEB Debits or Micro-Entries.
RDFI Credit Transaction Monitoring
Anticipated Benefits
- The proposal is intended to reduce the incidence of successful fraud and improve the recovery of funds when fraud has occurred.
- Identifying fraud or potentially fraudulent transactions will better enable an RDFI to exercise heightened scrutiny of accounts that are receiving such transactions.
Potential Impacts
- RDFIs may need to either implement a commercially reasonable system to monitor received ACH credits or ensure that existing systems are commercially reasonable, including updating such systems and their alerting processes, if necessary.
- RDFIs may need to enable information sharing internally between teams that monitor transactions for suspicious activity and operations, product, and relationship teams.
- While potentially significant, these impacts are intended to reduce the incidence of fraud that uses ACH payments.
Expand Use of Return Reason Code R17
Anticipated Benefits
Provides clarity on the use and meaning of the R17 Return Reason Code.
- RDFIs would have a return reason to use at their option.
- ODFIs/Originators/Third-Party Service Providers would potentially receive funds back in questionable situations, while receiving a clear message related to the reason for return.
- Enhances an ODFI’s and an Originator's ability to prevent future transactions.
Potential Impacts
- Technical changes are not expected to be significant for FIs or other parties, as R17 with the QUESTIONABLE descriptor is in use today. Documentation may require updating.
- Education is required for proper usage at each participant.
- RDFIs should be cognizant of the potential for false positives.
Expand Use of Reversals for Fraud Recovery
Anticipated Benefits
- Creates additional opportunities to recover funds lost to fraud.
- Aligns the Rules language for Reversals with anecdotally-understood current business practices for some Originators/ODFIs.
- Provides more flexibility for ODFIs that want to indemnify and request the RDFI return a transaction for any reason.
- Allows for improved, systemic tracking of Reversals specific to fraudulent transactions and recovery figures.
- For RDFIs, the distinct description of a Reversal for fraud provides information from the Originator/ODFI regarding the original entry.
Potential Impacts
- May require procedural changes for Originators, Third-Party Senders and ODFIs.
- Systems changes would be required to implement the new, distinct Company Entry Description.
- Education and documentation for all participants on the new reason.
Additional Exemption to Funds Availability Requirements
Anticipated Benefits
- Improves the potential for recovery of funds when fraud has occurred.
- Provides participants with an additional tool to manage potentially questionable or suspicious transactions that fall under the authorized fraud category.
- Provides additional time for RDFIs and ODFIs to communicate before funds availability is required.
Potential Impacts
- RDFIs taking advantage of this exemption are required to contact the ODFI to inform them of the exemption.
- RDFIs may need to update policies and procedures to take advantage of the expanded use.
Standard Company Entry Descriptions
Anticipated Benefits
- Improved, targeted risk mitigations and tools may be utilized as participants are able to better identify certain types of transactions.
- For payroll, can help support RDFI transaction monitoring and logic regarding funds availability.
- For e-commerce purchases, enables identification of such transactions.
- Standardized use of data can help parties manage risk.
Potential Impacts
- Originators/Third-Party Service Providers/ODFIs of these types of transactions will need to update their systems to utilize the required Company Entry Description(s).
- RDFIs may choose to take advantage of intelligence enabled by new descriptors, but they would not be required to act as a result of these descriptions.
Standard Use of Individual Name Field
Anticipated Benefits
- Standardized data can help manage risk, reduce the incidence of fraud and improve recovery of funds.
- Better supports logic by the RDFI to identify the individual and reconcile against the name of the account owner, at the RDFI’s choice.
- Generally, helps improve name-matching capabilities.
- All monitoring parties may be able to identify fraudulent entries more easily, e.g., names like Mickey Mouse.
Potential Impacts
- Originators/Third-Party Service Providers/ODFIs will need to update their systems to utilize the required Individual Name format.
- RDFIs may choose to take advantage of intelligence provided by new format but would not be required to perform name matching.
Timing of Written Statement of Unauthorized Debit
Anticipated Benefits
- Moving transaction data more quickly can help manage risk.
- RDFIs could obtain WSUDs from account-holders prior to an unauthorized debit posting to the account.
- Receivers may be less impacted by unauthorized, and potentially fraudulent, transactions.
- ODFIs, Third-Party Senders and Originators may receive returns more quickly.
Potential Impacts
- Changes are not required for RDFIs. RDFIs may want to explore ways to use electronic notifications and alerts, and electronic WSUDs.
- Education for RDFI front-line and operational staff is expected for proper usage and to gain full benefit of this Rule change.
RDFI Must Promptly Return Unauthorized Debit
Anticipated Benefits
- Accelerating some returns can help manage risk.
- RDFIs that currently delay returns would be made whole more quickly through the return settlement process.
- ODFIs, Third-Party Senders and Originators would receive some returns more quickly, reducing their exposure to losses and to future unauthorized debits.
Potential Impacts
- Some RDFIs may need to improve procedures for processing extended returns after receiving a customer’s completed WSUD.
- RDFIs may need to educate operations staff and update procedures related to handling consumer unauthorized debit claims.