As of March 18, 2022, Nacha’s account validation rule requires ACH originators of WEB entries to use a commercially reasonable fraud detection system to verify the first time a consumer checking account is used for an electronic (ACH) payment, if the payment is initiated over an online channel, the account number must be validated first. WEB debit entries, by definition, are debits to consumers’ accounts where authorization is communicated via the internet or a wireless network. Nacha does not require a specific method to be used for account validation but has provided examples of acceptable forms of validation.
The addition of Nacha’s account validation rule supplements existing guidance which simply required the originator—the creator or sender of the payment—to use a “commercially reasonable fraudulent transaction detection system.” The purpose of this rule is to clarify that a commercially reasonable fraud detection system must have the capability to validate accounts. This means that, before a WEB entry is processed, Nacha will require validation that the account it originated from is, in fact, a valid account for that financial institution and that it is able to accept an ACH transaction.
Appropriate Account Validation Methods
The account validation requirement applies to the first use of an account number or change to the account number. Several methods are available to comply with the new rule. Please note, the methods can be used as part of a waterfall methodology.
The methods appropriate are:
- Manual – The organization obtains a voided check from the consumer and uses it to verify the account and routing number with the consumer’s financial institution.
- ACH Prenote – The organization uses the consumer’s account and routing number to send a zero-dollar transaction to the consumer’s financial institution; by accepting the transaction, the organization can determine whether the account is open and valid.
- Micro/Trial Deposits – In this two-step process, the organization uses the consumer’s routing and account number to make two small deposits into the consumer’s account. The consumer then confirms the deposit amounts with the organization.
- Database – The organization uses the consumer’s name, account number, routing number, and other details about the consumer and cross-references them against a third-party database to confirm account status and ownership.
- Financial Institution Credentials – Consumers select and authenticate with their financial institution through the organization’s digital channels to verify they can access the account.
There are several pros and cons with each validation method, which is why it is highly recommended to use more than one. Using a combination of methods helps ensure consumers have a frictionless experience while also providing higher levels of fraud prevention.
2022 Implementation Schedule for Nacha’s Fraud Risk Management and Monitoring Rules
Here is the schedule for the implementation of Nacha’s Fraud, Risk Management, and Monitoring Rules
- Rule 1: March 19, 2022: Becomes enforceable: Commercially Reasonable Fraud Detection for WEB Debits (Account Validation)
- Rule 2: September 16, 2022: Micro-Entries (Phase 1); Originators utilizing micro-entries will be required to use the standard entry descriptions
- Rule 3: March 17, 2023: Micro-Entries (Phase 2); Originators of micro-entries will be required to use commercially reasonable fraud detection, including the monitoring of Micro-entry forward and return volumes
SWBC’s Financial Institution Group will continue to support the needs of our clients during the evolution of regulatory and rule changes specifically for payments.