Supplementing Fraud Detection Standards for WEB Debits

Effective Date

Rule Status

Rule Status

The effective date for an upcoming change in the Nacha Operating Rules is being extended by the Nacha Board of Directors. The WEB Debit Account Validation Rule now takes effect March 19, 2021, rather than Jan. 1, 2020. The rule was originally approved by Nacha members in November 2018. The Nacha Board of Directors approved the extension in effective date to allow for additional time, education and guidance to be provided to the industry. 
 

Details

Details

Currently, ACH Originators of WEB debit entries are required to use a “commercially reasonable fraudulent transaction detection system” to screen WEB debits for fraud. This existing screening requirement will be supplemented to make it explicit that “account validation” is part of a “commercially reasonable fraudulent transaction detection system.” The supplemental requirement applies to the first use of an account number, or changes to the account number.

Technical

Technical

This Rule modifies the following areas of the Nacha Operating Rules:

Article Two, Subsection 2.5.17.4 (Additional ODFI Warranties for Debit WEB Entries) to make explicit that a fraudulent transaction detection system must, at a minimum, validate the account to be debited.

Impact

Impact

Effective Date: March 19, 2021

Potential Impacts:

  • Possible re-tooling of ACH Originators’ fraud detection systems

    • Or implementation of a system for Originators who currently do not perform any fraud detection for WEB debits

    • These impacts could increase the cost of originating WEB debits for some parties

  • RDFIs could receive a greater volume of ACH prenotifications, micro-transactions, or other account validation requests

    • Some could be in lieu of receiving live-dollar transactions initially

FAQs Section

FAQs Section
What is the effective date for the Rule change?

The effective date for the upcoming change is March 19, 2021.

The rule was originally approved by Nacha members in November 2018, to become effective January 1, 2020. The Nacha Board of Directors approved the extension in effective date to allow for additional time, education, and guidance to be provided to the industry. 

How does this change what is currently required by the Nacha Operating Rules?

Currently, Originators of WEB debit entries are required to use a “commercially reasonable fraudulent transaction detection system” to screen WEB debits for fraud. This existing screening requirement will be supplemented to make it explicit that “account validation” is part of a “commercially reasonable fraudulent transaction detection system.” The supplemental requirement applies to the first use of an account number, or with subsequent changes to the account number, when used for WEB debit entries.

As part of a commercially reasonable fraud detection system for WEB debit entries, the Nacha Rules require an Originator validate the account number prior to its first use and before any change to the account number. What does the term “validate” mean?

At a minimum, the Originator must use a commercially reasonable means to determine that the account number to be used for the WEB debit is for a valid account – that is, that the account to be used is a legitimate, open account to which ACH entries may be posted at the RDFI.

Does the new rule on account validation mean that an Originator must also validate the ownership of the account?

No. The minimum standard imposed by the Nacha Operating Rules requires Originators to validate that an account is open and accepts ACH entries.

However, because the determination of whether a business practice is considered commercially reasonable depends on a particular Originator’s business model and risk profile, and how it compares to similarly situated Originators, each Originator will need to determine for itself, in consultation with its own advisors, such as legal counsel and risk department, whether verifying simply that an account is open is sufficient. For some Originators, a more rigorous assessment that also verifies account ownership may be appropriate to meet a commercially reasonable standard.

Do the Nacha Operating Rules require a specific method for validating the account information?

No. The Nacha Operating Rules are neutral with regard to specific methods or technologies to validate account information.  See the question below for additional guidance.

Are there methods of account validation that NACHA recognizes as sufficient?

Examples of methods to validate an account may include, but are not limited to, the use of a Prenotification Entry, ACH micro-transaction verification, use of a commercially available validation service provided by either an ODFI or a third-party, and use of account validation capabilities or services enabled by APIs.

Other options not listed above may also provide a commercially reasonable means to test an account for ACH use. As an example, use of a third-party that provides scoring information on the account status might be determined by some Originators to be a commercially reasonable option. Similarly, for others, an account with a proven history of prior successful payments may prove a sufficient means for validation for use of the account with a new WEB authorization.

Since the concept of commercial reasonableness is dependent on each customer’s particular situation and how it compares to similarly-situated Originators, each Originator, in consultation with its own attorneys, risk department, or other advisors, will need to determine which account validation method meets the commercially reasonable standard for its own facts and circumstances.

Does the new rule require an Originator to verify account numbers for all of its existing WEB debit customers?

No. This rule applies on a “going-forward” basis and applies to new account numbers obtained for initiating WEB debits. This rule does not apply retroactively to account numbers that have already been used for WEB debits.

If a WEB debit customer authorizes use of an account number that has been previously used successfully for non-WEB debits, must an Originator do additional validation of that account number?

No. Use of an account number with a proven history of prior successful payments is a sufficient means for validation for use of the account with a new WEB authorization.

If a WEB debit customer authorizes use of an account number that has been previously used successfully for WEB debits, must an Originator do additional validation of that account number?

No. Use of an account number with a proven history of prior successful payments is a sufficient means for validation for use of the account with a new WEB authorization.

If an Originator has already validated its existing WEB debit customer’s account number, and the customer subsequently changes the account to a new number that has not been used previously, must the Originator validate the new number before its use?

Yes.

If an Originator of WEB debits receives a Notification of Change from an RDFI requesting an update to the RDFI customer’s account number, must the Originator validate the new account number before its use?

No. The accuracy of an account number change requested by the RDFI via the NOC process is warranted by the RDFI, which serves as validation. The Originator need not re-validate the change, provided it has correctly applied the change requested by the RDFI.

If an Originator transmits a Prenotification Entry to validate the Receiver’s account number, and does not receive a Return Entry or Notification of Change in reply, can the Originator assume that the prenote posted to a valid account?

Yes. Transmission of a Prenotification Entry meets the minimum standard of the Rules for validating that an account is open and can accept ACH entries. Under today’s prenote rules, an Originator can assume that a “no response” by the end of the return/NOC period means that the RDFI has validated the account number is open and can accept ACH entries, and therefore begin to transmit live entries. However, for some Originators, this standard of account validation may not be commercially reasonable for the particular line of business or risk profile compared with similarly-situated Originators, and the use of a more rigorous account validation standard may be appropriate.

If an Originator transmits one or more ACH micro-transactions that are not returned within the return time frame, can the Originator assume that the transactions posted to a valid account?

Yes. Transmission of ACH micro-transactions can meet the minimum standard of the Rules to validate that an account is open and can accept ACH entries. If the RDFI does not return the micro-transactions within the return timeframe, the Originator can assume that the entries posted to a valid account. However, for some Originators, this standard of account validation may not be commercially reasonable for the particular line of business or risk profile compared with similarly-situated Originators, and the use of a more rigorous account validation standard may be appropriate.

Why was this change made?

ACH Originators of WEB debit entries are required to use a “commercially reasonable fraudulent transaction detection system” to screen WEB debits for fraud. This requirement is intended to help prevent the introduction of fraudulent payments into the ACH Network, and to help protect RDFIs from posting fraudulent or otherwise incorrect/unauthorized payments.

Originators are in the best position to detect and prevent fraud related to payments they are initiating, but in recent risk events perpetrated via social media channels, it has become apparent that some ACH Originators do not have or use any such system to screen WEB debits.

Does an account validation method or service have to cover 100% of potential accounts to be considered commercially reasonable?

Not necessarily.  When a particular validation method or service does not cover 100% of potential accounts, it is possible to supplement it with other methods such as the ACH prenotification or micro-transactions.  As an example, an instant verification service that can validate 95% of potential accounts can use supplemental methods such as a prenotification or micro-transactions for the remaining accounts.  In such a case, the use of the prenotification entries or micro-transactions can help meet the minimum standard of the rule.

RFC Summary

RFC Summary

There were 83 respondents to the Request for Comment. 80% of financial institution respondents supported adding account validation to WEB debit fraud screening, and that this should apply to the first use of an account number and subsequent account number changes.