NACHA Rule Updates & ACH Quick Guide
The National Automated Clearing House Association (NACHA) manages the development, administration, and governance of the ACH Network. The ACH Network is governed by the NACHA Operating Rules, which is a set of rules that guide risk management. For 2022, there are no significant changes to the NACHA Operating Rules that directly impact our originating customers.
ACH Rules Quick Guide
While we encourage you to read and become familiar with the ACH Operating Rules Book, this quick reference was developed to give you an overview of important information you should be aware of as an originator of ACH transactions. This guide is to assist you with training, compliance and risk associated with ACH Origination.
- ACH entries are categorized as “consumer or corporate”.
- ACH is a batch system (not real time).
- ACH entries are irrevocable once they have been sent to the ACH Operator.
- ACH is capable of crediting or debiting checking or savings accounts.
- An ACH Originator is any entity or person that creates an ACH transaction.
- ACH stop payments for consumers may not have an expiration date.
ACH LEGAL FRAMEWORK
You are required to abide by multiple rules and agreements including, but not limited to, the following when submitting ACH transactions. Poca Valley Bank may ask for access to your premises and records in order to confirm compliance with ACH Rules.
- Poca Valley Bank recommends that you obtain a copy of the NACHA Operating Rules & Guidelines which is published annually. Please visit https://www.nachaoperatingrulesonline.org/ to order a current copy or to view an electronic version of the ACH Rules by creating a Login account as a Basic User.
- Poca Valley Bank has the right to audit your compliance with the NACHA Operating Rules and your compliance with the origination agreement at any time. Poca Valley Bank has the right to terminate the origination agreement immediately for breach of the NACHA Operating Rules or applicable laws.
- Regulation E (for consumer entries)
- UCC4A (for corporate credits)
- Poca Valley Bank Account Agreement and Terms and Conditions
- ACH Origination Agreement with Poca Valley Bank
- Cash Management Agreement with Poca Valley Bank
- Client/ User Cash Management Application/ Authorizations
YOUR RESPONSIBLITIES AS AN ORIGINATOR
- Obtain proper authorizations – dependent on transaction type – and retain authorizations for two years past revocation. (See “Consumer Debit Authorizations”)
- Provide a copy of authorization if requested by the Bank.
- Give appropriate notice to debtor if changing amount or date.
- Protect the banking information received.
- Send entries on the proper date.
- Make necessary changes to payee account information within six banking days when notified by Poca Valley Bank.
- Cease subsequent entries when appropriate.
- Monitor your return rate threshold to ensure it does not exceed .05% for Unauthorized Debit Returns, 3% for Administrative Debit Returns, and 15% for Overall Debit Returns.
- Check payees against OFAC compliance checklists. (This information may be obtained directly from the OFAC Compliance Hotline at 800-540-OFAC or from the OFAC’s home page site at www.ustreas.gov/ofac.)
- Ensure your computer is protected from unauthorized access as listed in the Cash Management Agreement.
- Protect the confidentiality and integrity of protected information until its destruction. Some examples of protected information include: customer authorizations, social security number, account number and routing number information, policy numbers, etc.
- Protect sensitive information no matter what form it is stored as, e.g., electronically or paper based, from the point it is collected until it is destroyed. Restrict and limit access to sensitive date. Use locks on doors and file cabinets. Limit employee access to data to those that need it to do their jobs.
- Do not store sensitive information on portable storage devices (e.g., PDA’s, USB drives, CD’s laptops, iPhones, iPods, etc.) as these devices are frequently lost or stolen.
DIRECT DEPOSIT PAYROLL AUTHORIZATIONS (CONSUMERS)
- Neither ACH Rules, nor Regulation E, require a written authorization for ACH credits or reversals.
- The Bank recommends you use direct deposit authorization forms that allow the company to debit the employee’s account for adjustments. The forms may also be used to collect the proper employee account information.
- Obtain a voided check, not a deposit slip, from the employee.
- The most common SEC code for direct deposit is PPD.
CONSUMER DEBIT AUTHORIZATIONS
- For consumers, an authorization to his or her account must be in writing.
- The most common SEC code is PPD (used for debits and credits).
- For debit entries, you must provide the customer with evidence of the authorization and information regarding the manner in which the authorization can be revoked.
- Retain authorizations for a period of two years from the termination or revocation of the authorization. No entries can be initiated after termination or revocation of the customer’s authorization.
- For companies, there must be an agreement between the two parties, but the rules do not define what business practices constitute agreements.
- The most common SEC code is CCD (used for debits and credits).
COPIES OF CONSUMER OR CORPORATE AUTHORIZATIONS
- Upon request, you must provide a copy of the customer’s authorization to Poca Valley Bank within five banking days.
- At any time, Poca Valley Bank may test your ability to provide a copy of an authorization.
CHANGING DATE OR AMOUNT OF DEBITS
- ACH Rules require you to notify your debtors of changes in date or amount debited under the following circumstances:
- 7 calendar days’ notice for a change of date (consumer and corporate).
- 10 calendar days’ notice for a change in the amount (consumer only).
- Sending the notice via U.S. Mail is acceptable.
- Prenotes are zero dollar entries that precede the first live entry. The purpose of a prenote is to verify account information which will help keep your Administrative Debit Return rate below the 3.0% threshold.
- Prenotes are optional for you to send. However, if sent, prenote rules must be followed. A prenote must precede the first live entry by at least three banking days.
- The Receiving Bank is not required to validate the name of the payee on the prenote, although many do; they are only required to check the account number. You must understand there is still a risk if the subsequent entry debits or credits the wrong account (this is true for all originations, not just prenotes).
NOTICE OF CHANGE
- When ACH information is incorrect, a Notification of Change “NOC” is sent by the Receiving Bank requesting that future entries contain correct information. ACH Rules require you to make the change within six banking days of receiving the information from Poca Valley Bank.
- The Receiving Bank warrants that the information they provide is correct.
- Poca Valley Bank will notify you of any NOCs received on your behalf.
- Poca Valley Bank may pass any fines received to you for non-compliance.
- Returns must be processed by the Receiving Bank within 24 hours of settlement. Returns that are unauthorized beyond the 24 hours are the company’s liability and any disputes may have to be settled outside the banking network. The Bank recommends that you view your account activity daily.
- An exception to the 24 hour rule is consumer unauthorized returns, which may be returned 60 days of posting.
- The use of consumer (PPD) or corporate (CCD) entry codes determines applicable ACH return rules.
- If the Receiving Bank receives a dispute claiming a debit was unauthorized, the Receiving Bank must get a signed Written Statement of Unauthorized Debit for the account holder. You may obtain a copy of that statement by requesting a copy through Poca Valley Bank.
- You may re-initiate a debit entry up to two times if you receive a return entry of “NSF” or “Uncollected Funds”. This gives the Originator a total of three attempts at debiting an account.
- The re-initiated entry must contain the words “RETRY PYMT” in the Company Entry Description of the debit entry.
- The Company Name, Company Identification and Amount fields must be identical to the contents of the original entry.
- A “Stop Payment” return may be re-initiated only if you receive approval from the payee to re-send the item.
- It is a violation of ACH Operating Rules to re-initiate the debit entry if a return is received for any other reason.
REVERSALS (can only be made under certain conditions)
- Reversals may only be made for the following three conditions: 1) wrong dollar amount, 2) wrong account, or 3) duplicate transaction.
- If a reversing entry must be made, please contact the Bank for instructions.
- When processing a reversal, the complete ACH file that was originally submitted must be reversed. The reversing entry must be for the full amount, sent within five banking days of original entry and within 24 hours of discovering the error.
- For wrong amount or wrong account reversing entries, a correcting entry must also be sent.
- The Receiving Bank is under no obligation to post the reversing debit if it overdraws the payee’s account or if the payee’s account is closed.
- A payee must be notified if a reversing entry debits his or her account. However, a payee does not need to authorize the reversing entry.
Website spoofing is the act of creating a fake website to mislead individuals into sharing sensitive information. Spoof websites are typically made to look exactly like a legitimate website published by a trusted organization.
- Pay attention to the web address (URL) of websites. A website may look legitimate, but the URL may have a variation in spelling or use a different domain.
- If you are suspicious of a website, close it and contact the company directly.
- Do not click links on social networking sites, pop-up windows, or non-trusted websites. Links can take you to a different website than their labels indicate. Typing an address in your browser is a safer alternative.
- Only give sensitive information to websites using a secure connection. Verify the web address begins with “https://” (the “s” is for secure) rather than just http://
- Avoid using websites when your browser displays certificate errors or warnings.
Phishing is when an attacker attempts to acquire information by masquerading as a trustworthy entity in an electronic communication. Phishing messages often direct the recipient to a spoof website. Phishing attacks are typically carried out through email, instant messaging, telephone calls, and text messages (SMS).
- Delete email and text messages that ask you to confirm or provide sensitive information. Legitimate companies don’t ask for sensitive information through email or text messages.
- Beware of visiting website addresses sent to you in an unsolicited message.
- Even if you feel the message is legitimate, type web addresses into your browser or use bookmarks instead of clicking links contained in messages.
- Try to independently verify any details given in the message directly with the company.
- Utilize anti-phishing features available in your email client and/or web browser.
- You are required to check payees against OFAC compliance checklists.
- The Office of Foreign Asset Control (OFAC) lists countries, groups and individuals that U.S. companies are not allowed to send funds to or receive funds from.
- The Bank must protect itself by informing every customer that it is against the law to send debit or credit entries to OFAC blocked entities.
- You may check the OFAC SDN list at: https://www.ustreas.gov/ofac.
Poca Valley Bank will be closed on the following standard holidays observed by the Federal Reserve Bank. We will not accept any ACH Origination files for processing on these days or on Saturdays and Sundays.
- New Year’s Day (January 1)
- Martin Luther King’s Birthday (Third Monday in January)
- Presidents Day (Third Monday in February)
- Memorial Day (Last Monday in May)
- Juneteenth National Independence Day (June 19)
- Independence Day (July 4)
- Labor Day (First Monday in September)
- Columbus Day (Second Monday in October)
- Veterans Day (November 11)
- Thanksgiving Day (Fourth Thursday in November)
- Christmas Day (December 25)
Note: If January 1, July 4, November 11, or December 25 falls on a Sunday, the next day (Monday) is a Federal Reserve Bank holiday. In general, if one of these holidays’ falls on a Saturday, Poca Valley Bank will be open the preceding Friday.