RISK MANAGEMENT TOPICS – October 1, 2024
These Rule amendments are part of a larger Risk Management package intended to reduce the incidence of successful fraud attempts and improve the recovery of funds after frauds have occurred.
Details
Included in this portion of the Risk Management Rule amendments are:
- Codifying Expanded Use of Return Reason Code R17,
- Expanded Use of ODFI Request for Return/R06,
- Additional Funds Availability Exceptions,
- Timing of Written Statement of Unauthorized Debit, and
- RDFI Must Promptly Return Unauthorized Debit.
"For additional information related to the upcoming effective date please review Operations Bulletin #1-2024."
Technical
Codify Use of Return Reason Code R17
This rule will explicitly allow, but not require, an RDFI to use R17 to return an entry that it thinks is fraudulent.
- Such use is optional and at the discretion of the RDFI.
- The rule retains the current requirement to include the descriptor QUESTIONABLE in the return addenda record for such use.
- The amendment is intended to improve the recovery of funds originated due to fraud.
Some RDFIs already may be able to identify an ACH entry that is fraudulent and want to return the entry on this basis.
- There currently is no defined Return Reason Code for this use.
- Unauthorized reasons are based on a customer contact, dispute or claim.
- The Rules provide for using the return code that most closely approximates the reason for the return.
- Nacha guidance has been that R17 is likely the closest return code for incidents of potential fraud.
This new Rule also includes references to a newly defined term, False Pretenses:
- “the inducement of a payment by a Person misrepresenting (a) that Person’s identity, (b) that Person’s association with or authority to act on behalf of another Person, or (c) the ownership of an account to be credited.”
This definition covers common fraud scenarios such as Business Email Compromise (BEC), vendor impersonation, payroll impersonation, and other payee impersonations, and complements language on “unauthorized credits” (account takeover scenario). It does not cover scams involving fake, non-existent or poor-quality goods or services.
Expanded Use of ODFI Request for Return/R06
This rule expands the permissible uses of the Request for Return to allow an ODFI to request a return from the RDFI for any reason.
- The ODFI would still indemnify the RDFI for compliance with the request.
- Compliance by the RDFI would remain optional.
- An RDFI’s only obligation to the ODFI would be to respond to the ODFI’s request.
- Regardless of whether the RDFI complies with the ODFI’s request to return the Entry, the RDFI must advise the ODFI of its decision or the status of the request within ten (10) banking days of receipt of the ODFI’s request.
- Note: the requirement for the RDFI to advise the ODFI of the status of the request will become effective April 1, 2025.
- This rule is intended to improve the recovery of funds when fraud has occurred.
Additional Funds Availability Exceptions
This rule provides RDFIs with an additional exemption from the funds availability requirements to include credit entries that the RDFI suspects are originated under false pretenses.
- The additional exemption provides RDFIs with a tool under the Rules regarding questionable entries.
- RDFIs are still subject to requirements under Regulation CC for funds availability.
- The rule is intended to improve the recovery of funds when fraud has occurred.
- The rule is not intended to otherwise alter an RDFI’s obligation to promptly make funds available as required by the Rules. An RDFI cannot delay funds availability because it has not screened an ACH credit, but it can delay funds availability if its fraud detection processes and procedures identify a flag.
The Nacha Rules already provide RDFIs with an exemption from funds availability requirements if the RDFI reasonably suspects the credit entry was unauthorized.
- This exemption encompasses cases of account takeovers, in which a party that is not the Originator is able to initiate an ACH credit from the Originator’s account.
This new Rule also includes references to a newly defined term, False Pretenses:
- “the inducement of a payment by a Person misrepresenting (a) that Person’s identity, (b) that Person’s association with or authority to act on behalf of another Person, or (c) the ownership of an account to be credited.”
This definition covers common fraud scenarios such as Business Email Compromise (BEC), vendor impersonation, payroll impersonation, and other payee impersonations, and complements language on “unauthorized credits” (account takeover scenario). It does not cover scams involving fake, non-existent or poor-quality goods or services.
Timing of Written Statement of Unauthorized Debit (WSUD)
This rule will allow a WSUD to be signed and dated by the Receiver on or after the date on which the Entry is presented to the Receiver (either by posting to the account or by notice of a pending transaction), even if the debit has not yet been posted to the account.
- Through digital notifications and alerts, a consumer may be able to report an unauthorized debit prior to the debit posting to his or her account.
- Allowing such a debit to post after being reported may cause harm to the Receiver.
When a consumer account holder notifies an RDFI of an unauthorized debit, the RDFI must obtain a signed Written Statement of Unauthorized Debit (WSUD) to return the debit.
- The current Rules require that the WSUD be dated on or after the Settlement Date of the Entry.
This rule is intended to improve the process and experience when debits are claimed to be unauthorized.
The amendment does not otherwise change the requirement for an RDFI to obtain a consumer’s WSUD.
RDFI Must Promptly Return Unauthorized Debit
This amendment will require that when returning a consumer debit as unauthorized in the extended return timeframe, the RDFI must do so by the opening of the sixth Banking Day following the completion of its review of the consumer’s signed WSUD.
- The amendment is intended to improve the recovery of funds and reduce the incidence of future fraud.
- The prompt return of an unauthorized debit alerts an ODFI and an Originator to a potential problem.
- This is also true in first-party fraud schemes in which the party who disputes the debit Entry is the same party who benefits from the original entry.
- A prompt return supports controls that an Originator may have enabled, such as a hold on funds or delayed shipment of merchandise.
- This amendment does not change reasons or requirements for obtaining a Written Statement of Unauthorized Debit.
Quick responses can be significant when responding to fraud. In the days immediately following posting of an unauthorized debit Entry, any delay in processing a return may expose the ODFI or Originator to additional risk.
Impact
Codify Use of Return Reason Code R17
Effective date – Oct 1, 2024
Codification of this practice should become effective as soon as possible; use will be optional by RDFIs (i.e., no compliance obligation by the implementation date).
Anticipated Benefits
- Provides clarity on the use and meaning of the R17 Return Reason Code.
- RDFIs would have a return reason to use at their option.
- ODFIs/Originators/Third-Party Service Providers would potentially receive funds back in questionable situations, while receiving a clear message related to the reason for return.
- Enhances an ODFI’s and an Originator’s ability to prevent future transactions.
Potential Impacts
- Technical changes are not expected to be significant for FIs or other parties, as R17 with the QUESTIONABLE descriptor is in use today. Documentation may require updating.
- Education is required for proper usage by each participant.
- RDFIs should be cognizant of the potential for false positives.
Expanded Use of ODFI Request for Return/R06
Effective date – Oct 1, 2024
Codification of this practice should become effective as soon as possible; use would be optional by ODFIs (i.e., no compliance obligation by the implementation date).
Anticipated Benefits
- Creates additional opportunities to recover funds lost to fraud.
- Aligns the Rules language for this return with anecdotally-understood current business practices for some Originators/ODFIs.
- Provides more flexibility for ODFIs that want to indemnify and request the RDFI return a transaction for any reason.
Potential Impacts
- May require procedural changes for ODFIs and RDFIs.
- Note: the requirement for the RDFI to advise the ODFI of the status of the request will become effective April 1, 2025.
- Education and documentation for all participants on the new reason.
Additional Funds Availability Exceptions
Effective date – Oct 1, 2024
Codification of this practice should become effective as soon as possible; use would be optional by RDFIs (i.e., no compliance obligation by the implementation date).
Anticipated Benefits
- Improves the potential for recovery of funds when fraud has occurred.
- Provides participants with an additional tool to manage potentially questionable or suspicious transactions that fall under the authorized fraud category.
- Provides additional time for RDFIs and ODFIs to communicate before funds availability is required.
Potential Impacts
- RDFIs taking advantage of this exemption are required to contact the ODFI to inform them of the exemption.
- RDFIs may need to update policies and procedures to take advantage of the expanded use.
Timing of Written Statement of Unauthorized Debit (WSUD)
Effective date – Oct 1, 2024
Codification of this practice should become effective as soon as possible; use would be optional by RDFIs (i.e., no compliance obligation by the implementation date).
Anticipated Benefits
- Moving transaction data more quickly can help manage risk.
- RDFIs could obtain WSUDs from account-holders prior to an unauthorized debit posting to the account.
- Receivers may be less impacted by unauthorized, and potentially fraudulent, transactions.
- ODFIs, Third-Party Senders and Originators may receive returns more quickly.
Potential Impacts
- Changes are not required for RDFIs. RDFIs may want to explore ways to use electronic notifications and alerts, and electronic WSUDs.
- Education for RDFI front-line and operational staff is expected for proper usage and to gain full benefit of this Rule change.
RDFI Must Promptly Return Unauthorized Debit
Effective date of October 1, 2024
- Some implementation effort by some RDFIs.
- Some RDFIs might need to adjust return processes to achieve timing requirement.
- Avoids overlap with other effective dates proposed.
Anticipated Benefits
- Accelerating some returns can help manage risk.
- RDFIs that currently delay returns would be made whole more quickly through the return settlement process.
- ODFIs, Third-Party Senders and Originators would receive some returns more quickly, reducing their exposure to losses and to future unauthorized debits.
Potential Impacts
- Some RDFIs may need to improve procedures for processing extended returns after receiving a customer’s completed WSUD.
- RDFIs may need to educate operations staff and update procedures related to handling consumer unauthorized debit claims.
FAQs Section
What is covered by the term “False Pretenses?”
The term “False Pretenses” covers common fraud scenarios such as:
- Business Email Compromise (BEC);
- vendor impersonation;
- payroll impersonation; and
- other payee impersonations.
“False Pretenses” does not cover scams involving fake, non-existent, or poor-quality goods or services.
A payment made to the right person but induced on a fraudulent basis is not considered to have been made under False Pretenses.
The term “False Pretenses” complements language on “unauthorized credits” (i.e., account takeover scenario), but entries made under False Pretenses are not “unauthorized.” (Unauthorized credits are discussed separately within these Frequently Asked Questions.)
Examples of credit entries authorized by the Originator under False Pretenses:
- Receiver of the credit Entry misrepresents the Receiver’s identity or ownership of the receiving account.
- Fraudster impersonates someone with the authority to order payment (e.g., a CEO/CFO via business email compromise) to induce someone with authority to originate a payment from the credit account to make a payment.
- Fraudster claims to be a vendor with whom the accountholder has a relationship and requests payment to fraudster’s account.
- Fraudster claims to be a real estate settlement agent or attorney and requests funds transferred to fraudster’s account.
- Fraudster claims to be an employee of an organization and requests payment to fraudster’s account; or, fraudster gains access to organization’s payroll system and redirects payroll payments to fraudster’s account.
- Fraudster claims to be a governmental agency (e.g., IRS) claiming a Person is delinquent in a payment (e.g., taxes) with consequences if not paid.
- Fraudster claims to be the account holding ODFI and tells the Originator that his/her account has been compromised and to avoid losses they need to move their funds to another account that has been opened for them.
What constitutes an “unauthorized credit?”
An unauthorized credit entry is an entry for which the account holder (Originator) did not authorize the credit entry.
An unauthorized credit entry is different from an entry authorized under False Pretenses. (False Pretenses are discussed separately within these Frequently Asked Questions.)
Example of unauthorized credit entry:
- Account takeover - Fraudster gains access to the credentials necessary to initiate a transaction and initiates a credit entry from the accessed account.
What are examples of disputes that do not involve either an unauthorized entry or an entry initiated under False Pretenses?
Some disputes do not involve either unauthorized credit entries or credit entries authorized under False Pretenses and therefore do not qualify to be handled through the ACH Network, but should be resolved directly between the merchant and customer.
Examples:
- A dispute regarding the quality or condition of, or warranties or timing of delivery for, goods or services (provided there are not other circumstances that would give rise to a claim of False Pretenses or unauthorized payment). For example, a business payment to a vendor, for which the quantity or quality of goods delivered is later disputed.
- Payment is made to the right person/organization but induced on a basis other than False Pretenses (e.g., a contribution to a charitable organization because it says they are going to spend the funds on something particular and then spends it on something else).
How will the changes impact Return Reason Code R17?
Return Reason Code R17 will be expanded to formally recognize its use by the industry to return entries it identifies as potentially fraudulent or originated under false pretenses.
Do the changes to R17 impact other situations covered by R17?
No. Other uses of R17 remain intact and unaffected by the expansion of the return reason code.
May an RDFI use R17-Questionable to return entries suspected of being fraudulent (or originated under false pretenses) now, even though the rule change is not yet effective?
Yes. The Nacha Operating Rules direct the RDFI to use the return reason code that most closely approximates the reason for the return if no appropriate return reason code exists for a specific return situation. This change to R17 simply codifies existing industry practice to use R17 in cases of suspected fraud.
Is an RDFI required to return an entry using R17-Questionable when it suspects an entry may be fraudulent or originated under false pretenses?
No. Use of R17-Questionable for this purpose is at the RDFI’s discretion.
Does an RDFI have an extended time period in which to return an entry using R17-Questionable?
No. The standard 2-day return period applies when using R17. An RDFI that chooses to return an entry as R17-Questionable when it suspects an entry is fraudulent or originated under false pretenses must transmit the return in such time that it is made available to the ODFI no later than the opening of business on the second banking day after the settlement date of the original entry.
However, certain opt-in programs may provide RDFIs with additional time frames and protections from liability when returning ACH credits as questionable.
What are the changes to the rules governing an ODFI’s request for a return?
Prior to this amendment, the Nacha Operating Rules permitted an ODFI to request an RDFI to return an Erroneous Entry, or an entry originated without the Originator’s authorization. In practice, ODFIs and RDFIs have utilized this process more broadly to request the return of entries for other reasons. This amendment codifies common business practice by expanding the rules to allow an ODFI to request the return of an entry for any reason.
Does this rule require an RDFI to return an entry when requested by the ODFI?
No. The return of any entry in response to a request from the ODFI remains at the discretion of the RDFI. However, this rule imposes a new obligation on the RDFI to advise the ODFI of its decision or status of the request within 10 banking days of receipt of the ODFI’s request.
What action is required of the RDFI if it receives an ODFI’s request for return?
An RDFI that receives a request from the ODFI to return an entry must advise the ODFI of its decision or the status of the request within ten (10) banking days of receipt of the ODFI’s request. The manner in which the RDFI communicates the decision or update to the ODFI is at the discretion of the RDFI.
Can the RDFI’s return of the requested entry (using R06 – Returned Per ODFI’s Request) serve as the RDFI’s required notice to the ODFI?
Yes. The return of the requested entry as R06 can fulfill the RDFI’s requirement to advise the ODFI of the status of its request, provided the entry is returned within the RDFI’s 10 banking day response period. In this situation, the RDFI is not required to provide an additional or separate notification to the ODFI.
If the RDFI does not return the entry within the 10-banking-day response period, it must otherwise advise the ODFI of the request’s status within that period.
Do financial institutions have to wait until the effective date to comply with these new rules?
No. These changes codify current business practices related to an optional process for the ODFI and may be implemented as soon as practical. At their discretion, ODFIs may request the return of an entry for any reason. Return of any entry remains at the discretion of the RDFI.