NACHA Rules Awareness Information
National Automated Clearing House Association (NACHA) Rules Awareness Information for Corporate Customers
Each company originating ACH entries through Time Bank must comply with the NACHA Operating Rules as stated within the ACH agreement between Time Bank and the Corporate Customer. The National Automated Clearing House Association (NACHA) is the rule-making body governing the ACH network, and therefore all participants of the ACH network must comply with these Rules. To ensure that Time Bank communicates effectively, we have provided specific Originator (Corporate Customer) requirements of the Rules. As you may be aware, these Rules are updated with changes, additions, and deletions on an annual basis. Each year, Time Bank will communicate these Rules changes so that our companies are educated on the Rules and can make any necessary changes to their daily processes as a result. Below, we have included a brief summary of Originator responsibilities as well as current and upcoming changes to the 2021-2022 Rules. This document is not intended to be a replacement or substitution for the NACHA Operating Rules & Guidelines. It is recommended that you purchase a copy of the updated NACHA Operating Rules & Guidelines annually by visiting http://www.nacha.org. You may also obtain free limited access to the basic NACHA Operating Rules in a read-only format by visiting https://www.nachaoperatingrulesonline.org.
All corporate originators must establish, implement and, as appropriate, update security policies, procedures, and systems related to the initiation, processing, and storage of entries and resulting Protected Information. Security policies, procedures, and systems related to the initiation, processing, and storage of entries must: (1) protect the confidentiality and integrity of Protected Information; (2) protect against anticipated threats or hazards to the security or integrity of Protected Information; and (3) protect against unauthorized use of Protected Information that could result in substantial harm to a natural person. The Rules define Protected Information as the non-public personal information, including financial information, of a natural person used to create, or contained within, an entry and any related addenda record.
All ACH transactions that involve the exchange or transmission of banking information must be transmitted using, at a minimum, 128-bit RC4 encryption. Any transmission of banking information using less than this requirement is considered an Unsecured Electronic Network. The online banking system allows for the appropriate security; however, if the Originator sends entries to Time Bank outside of this communication facility, the Originator will hold the liabilities of this unsecured transmission of entries. In addition, it is the responsibility of the customer to protect its current online banking system and implement best business practices to assist in the protection of its account. Some best business practices may include: (1) updating its computer regularly; (2) initiating ACH entries under dual control (with two systems), in which one individual inputs the ACH debit and/or credit while another individual approves the debit and/or credit from another PC; (3) implementing a security policy that prohibits social networking sites on the same PC as the online banking system; (4) monitoring and reconciling accounts daily; (5) implementing a procedure for handling “red-flag” activity (e.g. the online banking system’s color structure not looking the same as before, “system down” warnings, etc.); and (6) educating staff on how to protect the online banking system.
Company Name Identification:
The Originator is required under the Rules to ensure there is clear identification of the source of an ACH transaction. Specifically, the Rules require the Originator to populate the Company Name Field with the name by which it is known to and readily recognized by the Receiver of the entry. As this company name appears on the account holder’s statement, it should be easily recognized by the account holder/receiver of the debit/credit.
Minimum Authorization Requirements/Proper Use of Standard Entry Class Code:
The authorization requirements specified within the Rules address the minimum requirements needed for authorization of various types of ACH transactions. In the case of Time Bank customers, we allow our Originators to send PPD (Prearranged Payments and Deposits) for entries hitting consumer accounts and CCD (Corporate Credits and Debits) for entries hitting corporate accounts.
The signed or similarly authenticated authorization must be retained by the Originator for a period of two (2) years following the termination or revocation of the authorization. In the case of a paper authorization that has been signed by the consumer, the Originator must retain either the original or a copy of the signed authorization. This authorization may be obtained in an electronic format that (1) accurately reflects the information in the record, and (2) is capable of being accurately reproduced for later reference, whether by transmission, printed or otherwise.
At the request of its ODFI (Time Bank), the Originator must provide the original, copy or other accurate Record of the Receiver’s authorization to the ODFI for its use or for the use of a receiving depository financial institution requesting the information. The Originator must provide in such time and manner as to enable the ODFI to deliver the authorization to a requesting receiving depository financial institution within ten (10) banking days of the receiving depository financial institution’s request.
Authorization Requirements for Consumer Entries:
For consumer entries (those entries hitting a consumer account and not a corporate account), Originators should ensure that the authorization is clear and readily understandable by the account holder/receiver. The authorization should clearly state the account number and routing number (e.g. a copy of the account holder’s check stapled to the authorization ensures the numbers are clearly obtained); the consumer must date and either sign or similarly authenticate the authorization (the Originator must be able to prove that it had the account holder’s authorization to debit the account); the authorization should state the type of account being debited and/or credited (demand deposit account, savings account); the company identification should be easily understandable (see Company Name Identification); and the Originator must obtain authorization for both consumer credit and debit entries. Companies are responsible for ensuring the authorization is clear and readily understandable, as an authorization that is not clear and readily understandable is not considered a valid authorization.
Originators need to ensure their authorizations are clear and readily understandable in order to be valid. Each Originator should review its authorizations to make sure they meet the requirements of the NACHA Operating Rules. If the company is unsure whether an authorization is clear and readily understandable, it may contact its account officer for guidance.
Originators can expect the return of consumer entries that were not properly authorized. An unauthorized debit entry is an entry in which (1) the authorization requirements have not been followed in accordance with the NACHA Operating Rules or the authorization is invalid under applicable legal requirements; (2) a transaction was initiated in an amount different than that authorized by the Receiver; or (3) a transaction was initiated for settlement earlier than authorized by the Receiver. In general, consumer debit entries must be returned by the receiving depository financial institution in such time and manner that the return is made available to the ODFI (Time Bank) no later than the opening of business on the banking day following the sixtieth (60th) calendar day following the settlement date of the original entry. This return deadline also applies to the return of debit entries for which the consumer Receiver had previously revoked his or her authorization.
Authorization Requirements for Corporate Entries:
As with consumer entries, the business Receiver (Company) must authorize all ACH credits and debits to its account. The Receiver of CCD (Corporate Credit and Debit), CTX (Corporate Trade Exchange) entries, and IAT (International ACH Transactions to a corporate customer account) must enter into an agreement with the Originator to which the Receiver has agreed to be bound by the NACHA Operating Rules. This agreement for credits and/or debits to the corporate customer account should be clear to the corporate customer as to what the credit/debit represents.
Notice of Change in Amount/Change in Debiting Date for Recurring Debits:
For recurring debits, when the debit amount varies, the Rules require the Originator to notify the account holder/receiver within ten (10) calendar days before the scheduled transfer date. If an Originator changes the date on which it debits the account holder/receiver, it must notify the account holder/receiver in writing of the new date of the entry at least seven (7) calendar days before the first entry to be affected by the change is scheduled to be debited to the Receiver’s account.
Prenotifications are zero dollar entries generated to validate the account held at the receiving financial institution. Originators may originate a prenote; however, this is not required under the Rules. If the Originator initiates a prenotification, it must wait three (3) banking days prior to initiating the live dollar amount.
Notifications of Change Requirements:
Notifications of Change (NOC) are zero dollar entries sent by the receiving depository financial institution to the originating depository financial institution to alert the Originator that a change to its transaction should be made. Under the NACHA Operating Rules, the corporate customer is required to change its information (the information requested to be changed by the receiving financial institution) within six (6) banking days of receipt of the NOC or the next time the transaction is generated, whichever is later.
Receiving ACH Returns and Reinitiation of Entries:
The NACHA Operating Rules state that any Entry, other than an RCK Entry, that was previously returned may be reinitiated if: (a) the entry was returned for insufficient or uncollected funds; (b) the entry was returned for stopped payment and reinitiation has been authorized by the Receiver, or (c) the Originator or ODFI (Time Bank) has taken corrective action to remedy the reason for the return. As a corporate customer, any returns received should be resolved immediately and no reinitiation of the same entry should be transmitted unless one of the three reasons above has occurred.
Stop Payments Made by Consumer:
This affects Originators because a stop payment may be placed on the receiving financial institution’s system for all future transactions relating to the one Originator for the payment. Originators need to train their internal staff to ensure they understand that there may be multiple stop payments returned. These should not be reinitiated into the system until resolved.
Reversing an ACH File:
An Originator may reverse a file if the file is erroneous or duplicate. The Originator must transmit the reversing file within 5 banking days after the Settlement Date for the entries within the duplicate or erroneous file. The word “REVERSAL” must be placed in the Company Batch Header Field and if the file is reversing an erroneous file, the Originator must initiate a correcting file with the reversing file.
Reversing an ACH Entry:
An Originator may reverse an entry if the entry is erroneous or a duplicate entry. The Originator must transmit the reversing entry within 5 banking days after the Settlement Date of the entry. Only an Originator may reverse an entry. The Originator should notify the account holder/receiver of the reversing entry and the reason for the reversing entry no later than the Settlement Date of the reversing entry.
Erroneous File or Entry:
A file or entry that (1) is a duplicate of an entry previously initiated by the Originator or ODFI; (2) orders payment to or from a Receiver different than the Receiver intended to be credited or debited by the Originator; (3) orders payment in an amount different than was intended by the Originator; or (4) is a PPD credit entry satisfying each of the following criteria: (i) the PPD credit entry is for funds related to a Receiver’s employment; (ii) the value of the PPD credit is fully included in the amount of a check delivered to the same Receiver at or prior to the Receiver’s separation from employment; or (iii) the PPD credit entry was transmitted by the Originator prior to the delivery of the check to the Receiver.
International ACH Transactions (IAT):
Time Bank does not allow the origination of International ACH Transactions (“IAT”). An IAT is an Entry that is part of a payment transaction involving a financial agency’s office that is not located in the territorial jurisdiction of the United States.
Laws and Regulations:
Originators are required to comply with laws and regulations of the United States. This includes, but is not limited to, Regulation GG (Unlawful Internet Gambling Enforcement Act), sanction laws administered by the Office of Foreign Assets Control (OFAC), and programs administered by the Financial Crimes Enforcement Network (FinCEN). The penalties for ignoring OFAC obligations can be both criminal and civil and include both jail time and fines ranging from $10,000 to $10,000,000 per occurrence. If these fines are levied against the bank, they may be passed back to the corporate originator depending on the specifics of the case and the details of its contract with the financial institution. The fines are levied by the U.S. government and funds collected are the property of the government, not the financial institution. Additional information on OFAC obligations and fines can be found at the following link: http://www.treas.gov/offices/enforcement/ofac/.
General Audit Requirements for Third-Party Senders:
A Third-Party Sender is an intermediary between the bank and the entity’s (Third-Party Sender’s) customers. The Rules require that all Third-Party Senders conduct an internal or external audit of its ACH operation no later than December 31 of each year. Documentation supporting the completion of an audit must be (1) retained for a period of six years from the date of the audit, and (2) provided to NACHA upon request. As this is a Rule requirement, Time Bank will request confirmation of such an audit each year. This applies only to Third-Party Senders.
Risk Management and Assessment Requirements of Time Bank
Originators need to understand the necessity of risk management practices regarding the following: (1) the performance of due diligence with respect to Originators and Third-Party Senders; (2) the assessment of the nature of the Originator’s or Third-Party Sender’s ACH activity and the risks it presents; and (3) the establishment of procedures to monitor an Originator’s or a Third-Party Sender’s origination and return activity, and to enforce exposure limits and restrictions on the types of ACH transactions that may be originated.
Time Bank as an ODFI may establish additional risk management procedures such as requiring that an audit of its Originators’ activity be performed, closely monitoring the return volume of its Originators, and assessing the risk associated with the type of ACH activity performed by each Originator. Time Bank may also limit the types of standard entry class codes that can be originated using Time Bank’s routing number.
Below are revisions to the 2021-2022 Rules which will become effective throughout the 2022 year. It is important that you, as an Originator or a Third-Party Sender utilizing the ACH network to process debits and credits, make appropriate changes to your internal processes as necessary to accommodate any Rules changes that may be applicable to you. For a detailed and complete list of proposed rules and amendments and rule changes, visit https://www.nacha.org/rules/operating-rules. If you have any questions regarding the impact of these Rules, please do not hesitate to contact your Time Bank account officer.
UPCOMING RULES 2022
March 18, 2022
Increasing the Same Day ACH Dollar Limit
This rule will continue to expand the capabilities of Same Day ACH. Increasing the Same Day ACH dollar limit to $1 million per payment is expected to improve Same Day ACH use cases, and contribute to additional adoption.
Originators Impact: These ACH participants should discuss with their financial institution whether and when originating same-day debit and/or credit entries up to $1 million is appropriate for their businesses.
June 30, 2022
Supplementing Data Security Requirements (Phase 2)
This rule supplements previous ACH Security Framework Data protection requirements by explicitly requiring large, non-FI Originators, Third-Party Service Providers (TPSPs) and Third-Party Senders (TPSs) to protect deposit account information by rendering it unreadable when it is stored electronically.
Third-Party Sender Roles and Responsibilities
The overarching purpose of these Rules is to further clarify the roles and responsibilities of Third-Party Senders (TPS) in the ACH Network by (1) addressing the existing practice of Nested Third-Party Sender relationships, and (2) making explicit and clarifying the requirement that a TPS conduct a Risk Assessment. The two Rules will become effective September 30, 2022, with a 6-month grace period for certain aspects of each rule.