Nacha Operating Rules

Effective Date

Rule Status

Rule Status
New Rule

Supplementing Fraud Detection Standards for WEB Debits

The WEB Debit Account Validation Rule became effective March 19, 2021. The rule was originally approved by Nacha members in November 2018 to become effective January 1, 2020. The Nacha Board of Directors approved an extension in effective date to allow for additional time, education and guidance to be provided to the industry. This effective date was recently affirmed in ACH Operations Bulletin #7-2020.

Nacha will not enforce this rule for an additional period of one year from the effective date with respect to covered entities that are working in good faith toward compliance, but that require additional time to implement solutions. Nacha strongly encourages all such covered entities to work towards compliance as soon as possible.

Resources

Additional resources and information on account validation are available through the Account Validation Resource Center.

Details

Details

ACH Originators of WEB debit entries are required to use a “commercially reasonable fraudulent transaction detection system” to screen WEB debits for fraud. This existing screening requirement is being supplemented to make it explicit that “account validation” is part of a “commercially reasonable fraudulent transaction detection system.” The supplemental requirement applies to the first use of an account number, or changes to the account number.

Technical

Technical

This Rule modifies the following areas of the Nacha Operating Rules:

Article Two, Subsection 2.5.17.4 (Additional ODFI Warranties for Debit WEB Entries) to make explicit that a fraudulent transaction detection system must, at a minimum, validate the account to be debited.

Impact

Impact

Effective Date: March 19, 2021

Potential Impacts:

  • Possible re-tooling of ACH Originators’ fraud detection systems

    • Or implementation of a system for Originators who currently do not perform any fraud detection for WEB debits

    • These impacts could increase the cost of originating WEB debits for some parties

  • RDFIs could receive a greater volume of ACH prenotifications, micro-transactions, or other account validation requests

    • Some could be in lieu of receiving live-dollar transactions initially

FAQs Section

FAQs Section
What is the effective date for the Rule change?

The effective date for the change is March 19, 2021.

The rule was originally approved by Nacha members in November 2018, to become effective January 1, 2020. The Nacha Board of Directors approved the extension in effective date to allow for additional time, education, and guidance to be provided to the industry. 

As part of a commercially reasonable fraud detection system for WEB debit entries, the Nacha Rules require an Originator validate the account number prior to its first use and before any change to the account number. What does the term “validate” mean?

At a minimum, the Originator must use a commercially reasonable means to determine that the account number to be used for the WEB debit is for a valid account – that is, that the account to be used is a legitimate, open account to which ACH entries may be posted at the RDFI.

Does the new rule on account validation mean that an Originator must also validate the ownership of the account?

No. The minimum standard imposed by the Nacha Operating Rules requires Originators to validate that an account is open and accepts ACH entries.

However, because the determination of whether a business practice is considered commercially reasonable depends on a particular Originator’s business model and risk profile, and how it compares to similarly situated Originators, each Originator will need to determine for itself, in consultation with its own advisors, such as legal counsel and risk department, whether verifying simply that an account is open is sufficient. For some Originators, a more rigorous assessment that also verifies account ownership may be appropriate to meet a commercially reasonable standard.

Do the Nacha Operating Rules require a specific method for validating the account information?

No. The Nacha Operating Rules are neutral with regard to specific methods or technologies to validate account information.  See the question below for additional guidance.

Are there methods of account validation that Nacha recognizes as sufficient?

Examples of methods to validate an account may include, but are not limited to, the use of a Prenotification Entry, ACH micro-transaction verification, use of a commercially available validation service provided by either an ODFI or a third-party, and use of account validation capabilities or services enabled by APIs.

Other options not listed above may also provide a commercially reasonable means to test an account for ACH use. As an example, use of a third-party that provides scoring information on the account status might be determined by some Originators to be a commercially reasonable option. Similarly, for others, an account with a proven history of prior successful payments may prove a sufficient means for validation for use of the account with a new WEB authorization.

Since the concept of commercial reasonableness is dependent on each customer’s particular situation and how it compares to similarly-situated Originators, each Originator, in consultation with its own attorneys, risk department, or other advisors, will need to determine which account validation method meets the commercially reasonable standard for its own facts and circumstances.

Nacha does not consider a fraudulent transaction detection system that does not include an account validation component as sufficient.

Does the new rule require an Originator to verify account numbers for all of its existing WEB debit customers?

No. This rule applies on a “going-forward” basis and applies to new account numbers obtained for initiating WEB debits. This rule does not apply retroactively to account numbers that have already been used for WEB debits.

If a WEB debit customer authorizes use of an account number that has been previously used successfully for non-WEB debits, must an Originator do additional validation of that account number?

No. Use of an account number with a proven history of prior successful payments is a sufficient means for validation for use of the account with a new WEB authorization.

If a WEB debit customer authorizes use of an account number that has been previously used successfully for WEB debits, must an Originator do additional validation of that account number?

No. Use of an account number with a proven history of prior successful payments is a sufficient means for validation for use of the account with a new WEB authorization.

If an Originator has already validated its existing WEB debit customer’s account number, and the customer subsequently changes the account to a new number that has not been used previously, must the Originator validate the new number before its use?

Yes.

If an Originator of WEB debits receives a Notification of Change from an RDFI requesting an update to the RDFI customer’s account number, must the Originator validate the new account number before its use?

No. The accuracy of an account number change requested by the RDFI via the NOC process is warranted by the RDFI, which serves as validation. The Originator need not re-validate the change, provided it has correctly applied the change requested by the RDFI.

If an Originator transmits a Prenotification Entry to validate the Receiver’s account number, and does not receive a Return Entry or Notification of Change in reply, can the Originator assume that the prenote posted to a valid account?

Yes. Transmission of a Prenotification Entry meets the minimum standard of the Rules for validating that an account is open and can accept ACH entries. Under today’s prenote rules, an Originator can assume that a “no response” by the end of the return/NOC period means that the RDFI has validated the account number is open and can accept ACH entries, and therefore begin to transmit live entries. However, for some Originators, this standard of account validation may not be commercially reasonable for the particular line of business or risk profile compared with similarly-situated Originators, and the use of a more rigorous account validation standard may be appropriate.

If an Originator transmits one or more ACH micro-transactions that are not returned within the return time frame, can the Originator assume that the transactions posted to a valid account?

Yes. Transmission of ACH micro-transactions can meet the minimum standard of the Rules to validate that an account is open and can accept ACH entries. If the RDFI does not return the micro-transactions within the return timeframe, the Originator can assume that the entries posted to a valid account. However, for some Originators, this standard of account validation may not be commercially reasonable for the particular line of business or risk profile compared with similarly-situated Originators, and the use of a more rigorous account validation standard may be appropriate.

Why was this change made?

ACH Originators of WEB debit entries are required to use a “commercially reasonable fraudulent transaction detection system” to screen WEB debits for fraud. This requirement is intended to help prevent the introduction of fraudulent payments into the ACH Network, and to help protect RDFIs from posting fraudulent or otherwise incorrect/unauthorized payments.

Originators are in the best position to detect and prevent fraud related to payments they are initiating, but in recent risk events perpetrated via social media channels, it has become apparent that some ACH Originators do not have or use any such system to screen WEB debits.

Does an account validation method or service have to cover 100% of potential accounts to be considered commercially reasonable?

No.  An account validation service or method might be commercially reasonable for a specific set of facts and circumstances, even if it does not cover 100% of potential accounts or account validation attempts.

What is “commercially reasonable” should be assessed by the parties within the full context of all the relevant facts and circumstances.  Such facts and circumstances can include:

  1. the risks associated with the purpose of the transaction being initiated;
  2. the originator’s history with returns for invalid account information and fraud;
  3. the percentage of “no hit” responses;
  4. the historical experience of fraud on “no hit” responses with the service being used; and,
  5. the use of other compensating controls.


In addition, an account validation service or method could supplement its primary validation method with others, such as an ACH prenotification or micro-transaction, in an effort to come closer to 100% coverage.  As an example, an instant verification service that can validate 95% of potential accounts can use supplemental methods such as prenotification or micro-transactions for many of the remaining accounts.  Alternatively, it may be commercially reasonable in some circumstances to confirm that the remaining 5% of entries do not show unusual or suspicious activity, such as concentrations of entries on specific routing numbers or suspicious account number sequencing in a series of entries.

While no account validation system is likely to have a perfect record in identifying invalid accounts, Nacha does not advocate any specific percentage of “unidentifiable” accounts as “commercial reasonable.”  Parties must make that judgment based on their own specific facts and circumstances.

If an attempted account validation results in a “no hit” (i.e., neither a positive or a negative outcome), can an Originator initiate a WEB debit entry that to that account number and still be compliant with the Rule?

Yes.  A commercially reasonable account validation method, assessed based on the factors described in the Rule and these FAQs, may include instances where a WEB debit entry is initiated even if the attempted account validation resulted in a “no hit.” 

If an Originator has a commercially reasonable fraudulent transaction detection system that does not include an account validation component, can WEB debit entries be originated on the first use of an account number and be in compliance with the Rule?

No. As of the effective date, originating WEB debit entries the with first use of new account numbers would not be in compliance with the Rule if the fraudulent transaction detection system does not include an account validation component.  Nacha does not consider a fraudulent transaction detection system that does not include an account validation component as sufficient under the Rule.  Ongoing origination of WEB debit entries using existing account information (from prior to the effective date) would be compliant.

RFC Summary

RFC Summary

There were 83 respondents to the Request for Comment. 80% of financial institution respondents supported adding account validation to WEB debit fraud screening, and that this should apply to the first use of an account number and subsequent account number changes.