NACHA Rules Changes

NACHA Rules Updates for ACH Originators

 
Effective Date:  April 1, 2025
RDFIs must respond to an ODFI’s Request for Return within 10 Banking Days.
 
Return Reason Code R06 (Return per ODFI’s Request)
Effective Date: October 1, 2024
Currently, the ACH Rules allow your financial institution to request a payee’s financial institution return an erroneous entry using Return Reason Code R06. An erroneous entry is a payment that has been duplicated in error, sent for the wrong amount or transmitted to the wrong payee. While your institution may make the request, the payee’s institution is not obligated to comply. Therefore, the request is just an attempt to recover from an error and not a guarantee. With the increase in fraud, your organization could benefit from allowing R06 requests to be used to recover fraudulent payments. This update explicitly allows R06 requests for this purpose but does not change the obligations of the payee’s institution (i.e., they are not required to return the funds).

Return Reason Code R17 (Entry Initiated Under Questionable Circumstances)
Effective Date: October 1, 2024
If a payee’s financial institution is unable to process an ACH payment, they will return it using a Return Reason Code to convey why it is being returned (e.g., R02 means the payee’s account is closed). Return information is provided to you by your financial institution. Currently, Return Reason Code R17 with QUESTIONABLE in the Addenda Information field indicates the payee’s institution believes the payment is suspicious or questionable. While R17 could mean fraud, the ACH Rules currently do not explicitly state that. This update allows a payee’s institution to use R17 in situations where they believe the transaction was initiated under “false pretenses” (i.e., the result of an account takeover, business email compromise, vendor impersonation fraud, payroll impersonation scam or other payee impersonation scheme).

Action on Notification of Change
Effective Date: June 21, 2024
If the account information your company obtains from a payee (e.g., employee, customer, vendor) is valid, your payment will automatically be processed to the payee’s account. However, if the account information provided is erroneous or has become outdated, the payee’s financial institution may manually process the payment to the payee’s account and send a Notification of Change (NOC). An NOC contains the information in error along with the corrected information and will be provided to you by
your financial institution. If your company sends recurring payments to a payee’s account (e.g., daily, bi-weekly, monthly), then you are required to update the information in error either before sending the next payment or within six banking days of receiving the NOC information. If your company initiates a single or one-time payment to a payee’s account, then you may, at your discretion, make the changes noted in the NOC. This amendment clarifies this is applicable regardless of the type of one-time payment originated (i.e., credit or debit transaction).

Effective June 1, 2024
Use of Prenotification Entries
A prenotification, or prenote, is a non-monetary entry used to verify that the account number provided by the payee is a valid account number at the receiving institution. Prenotes do not verify if the payee is an owner of the account. Typically, prenotes are only sent prior to transmitting the first credit or debit payment to the payee’s account. This Rule change removes language limiting prenotes to this use. Therefore, your company may send prenotification entries at its discretion or as required by your financial institution.
 
2023 - March: Micro-Entries Phase 2
Effective March 17, 2023
Phase 2 of the Micro-Entries Rule builds upon the initial implementation of Phase 1 of the Rule. As of the effective date, Originators of Micro-Entries are required to employ commercially reasonable fraud detection practices, including the monitoring of forward and return Micro-Entry volumes.
Technical Summary:
This Rule modifies the following area of the NACHA Operating Rules:
• Article Two, Subsection 2.7.5 (Commercially Reasonable Fraud Detection for Micro-Entries) – New subsection to require Originators to conduct commercially reasonable fraud detection when using Micro-Entries.
Impact to Participants:
ODFIs: ODFIs will need to make sure that their Originators that use Micro-Entries are aware of the Rule and its requirements.
RDFIs: RDFIs should consider incorporating Micro-Entry activity into existing fraud detection, AML and money mule detection processes. To advance the effectiveness of Micro-Entries as a fraud mitigation tool, RDFIs should consider treating corresponding credit and debit Micro-Entries the same when making post/no post decisions, i.e., they should either post both or return both. RDFIs that have not automated their return processing are encouraged to do so to minimize the impact that additional administrative returns may have on their operations.
 
Micro-Entries
Effective September 16, 2022
A new NACHA ACH rule goes into effect for small dollar payments used to verify a receiver’s bank account. If your payments were used for this purpose these ACH rules apply.
Effective on September 16, 2022, Phase I of the rule requires all originators to use the standard Company Entry Description of ACCTVERIFY in their instructions.
 
June – Supplementing Data Security Requirements for Large Originators, Third-Party Service Providers (TPSPs) and Third-Party Senders (TPSs)
Effective on June 30, 2021, this change to the Rules is intended to enhance quality and improve risk management within the ACH Network by supplementing the existing account information security requirements for large-volume Originators and Third-Parties. Participants are required to protect deposit account information collected for or used in creating ACH transactions by rendering it unreadable when it is stored electronically.
This change will be implemented in two phases:
• The rule initially applies to ACH originators, TPSPs and TPSs with ACH volume of 6 million transactions or greater annually. An ACH originator, TPSP or TPS that originated 6 million or more ACH transactions in calendar year 2019 would need to be compliant by June 30, 2021.
• The second phase would apply to ACH originators, TPSPs and TPSs with ACH volume of 2 million transactions or greater annually in the 2020 calendar year and compliance is required by June 30, 2022.

June – Limitation on Warranty Claims
Effective June 30, 2021, this change to the Rules limits the length of time in which an RDFI is permitted to make a claim against the ODFI's authorization warranty
• For an entry to a non-consumer account, the time limit is one year from the settlement date of the entry. This is similar to the one-year rule in UCC4-406 that applies to checks charged to accounts.
• For an entry to a consumer account, the limit covers two time periods. Two years from the settlement date of the ACH entry. This period exceeds the one-year in the EFT Act (Regulation E).

June – Reversals
Effective June 30, 2021, this Rule change addresses improper uses of reversal and provides for enforcement capabilities in the event of egregious violations of the Rules. The Rule also spells out that beyond the current use of 'REVERSAL' in the ACH batch description field, the format of the reversal must be identical to the original entry including the amount. Originators are allowed flexibility to accommodate minor variations in the batch header Company Name field for tracking purposes. The RDFI is permitted to return of an improper REVERSAL using return code R11 for consumer accounts and R17 for non-consumer accounts and expands returns to be permissible due to 'wrong date'.

September – Meaningful Modernization
Effective September 17, 2021, this is a grouping of five Rules, which:
• Explicitly define the use of standing authorization for consumer ACH debits. Standing Authorization is a new term defined by Nacha as an advance authorization by a consumer of future debits at various intervals. Under a Standing Authorization, future debits can be initiated by some further action of the consumer for a one-time entry that is separate from the recurring entries. A Standing Authorization can be obtained from the consumer either orally or in writing and the one-time entry or entries initiated by the further action are known as 'Subsequent Entries'. Individual
subsequent ACH entries can be initiated in any manner as identified in the Standing Authorization. • Define and allow for oral authorization of consumer ACH debits beyond telephone calls.
• Clarify and provide greater consistency of ACH authorization standards across payment initiation channels.
• Reduce the administrative burden of providing proof of authorization.
• Better facilitate the use of electronic and oral written statement of Unauthorized Debit

2021 - March: Supplementing Fraud Detection Standards for WEB Debits
Effective on March 19, 2021, the rule change is intended to enhance quality and improve risk management within the ACH Network by supplementing the fraud detection standard for Internet-initiated (WEB) debits. ACH originators of WEB debit entries have always been required to use a “commercially reasonable fraudulent transaction detection system” to screen WEB debits for fraud. The existing screening requirement is supplemented by this change to make it explicit that “account validation” is part of a “commercially reasonable fraudulent detection system”. The supplement requirement would apply to the first use of an account number or changes to the existing account.

2021 - March: Expanding Same Day ACH to Later Deadline
The effective date of a new, third Same Day ACH processing window is March 19, 2021. RDFIs must make funds available for SDA credits in this new SDA processing window no later than the end of its processing day.