ACH debit entries: NACHA rule change and guidance from CFPB consent order - key takeaways on compliance


eSignature and ePayment News and Trends


An ACH Debit Entry is an electronic instruction sent by a payee (an "Originator") through the Originator's bank (an Originating Depository Financial Institution or ODFI) to the payor's (a "Receiver") bank (the Receiving Depository Financial Institution or RDFI) to pay an amount from the Receiver's deposit account, based on a prior authorization given by the Receiver to the Originator. ACH Debit Entries are an extremely popular way to obtain payments from consumers, and are governed by the Operating Rules of NACHA.

This month's Insight highlights some recent developments, including upcoming NACHA rule changes and regulatory enforcement actions that impact the origination, processing, and review of these transactions by ACH participants and their banks. We also look briefly at how electronic records and signatures can help address one particular compliance issue related to ACH Debit Entries.

Expanded information on returned entries

ACH Debit Entries are sometimes later reversed – the Receiver asserts to its RDFI that the ACH Debit Entry was erroneous or unauthorized, the RDFI investigates and, if appropriate, uses the ACH system to retrieve the funds from the ODFI and Originator and return them to the Receiver. Currently, the various reasons justifying these reversing entries are lumped under a single "return reason code" provided by the RDFI. This means that the Originators and ODFIs often cannot tell from the code whether the ACH Debit Entry is being reversed because the entry contained an error or because the Receiver maintains the debit was unauthorized. This makes it difficult for the Originator to know what steps to take next – may the entry be corrected and resubmitted? Is the claim that the ACH debit was unauthorized by the Receiver open to challenge?

NACHA has issued a revised rule which will split those return entries into two separate reason codes – one for authorized but erroneous transactions, and the other for unauthorized transactions. This will make it easier for Originators and ODFIs to decide whether to take further action, and if so, what action to take.

The rule change becomes effective April 1, 2020.

Additional controls required for ACH debit authorizations received over the web

The NACHA Rules currently require Originators of ACH web debits to screen the debit authorizations for potential fraud using a "commercially reasonable fraudulent transaction detection system." NACHA's rule update makes it clear that a "commercially reasonable" detection system must include account validation. The requirement to validate the account will apply to the first use of an account number, or a change to the account number. As a result, many Originators will have to update their fraud detection practices, potentially at an increased cost. NACHA also notes that RDFIs will need to be prepared to receive a larger volume of ACH pre-notifications, micro-deposits and withdrawals, and other account validation requests. The rule change was originally supposed to go into effect January 1, 2020, but the effective date has been extended to March 19, 2021.

Guidance on what constitutes a reasonable investigation

Recently, the Consumer Financial Protection Bureau (CFPB) entered into a consent order with an RDFI in which the RDFI agreed to change certain of its practices related to investigating consumer complaints, pursuant to Regulation E, that an ACH Debit Entry was erroneous or unauthorized. The RDFI also agreed to pay remediation and penalties of approximately $15.5 million as part of the consent order. The consent order provides some insight into what the CFPB considers to be a reasonable investigation of an alleged erroneous or unauthorized ACH Debit Entry under Regulation E.

Among other things, the consent order confirms that the CFPB expects RDFIs to promptly investigate all erroneous and unauthorized ACH debit transactions asserted by Receivers, without regard to whether the Receiver has submitted a written statement with respect to the transactions (referred to in the NACHA Rules as a Written Statement of Unauthorized Debit, or WSUD), and also not require that any WSUD the Receiver submits be notarized. The RDFI is also expected to (i) consider all relevant information in the bank's records that pertains to the account for which the assertion of an erroneous or unauthorized ACH debit transaction is made, including the Receiver's oral or written statements and (ii) request from the ODFI documentation sufficient to prove the transaction was authorized.

Strategies for obtaining a written statement of unauthorized debit

The consent order discussed above appears to confirm that, under Regulation E, a WSUD cannot be required as a precondition to investigating or resolving an alleged erroneous or unauthorized ACH Debit Entry. This creates some tension with the NACHA Rules, which require an RDFI returning an unauthorized entry to warrant to the ODFI that it has received a WSUD from the Receiver, and that the WSUD is "signed or similarly authenticated." As a result of this tension, the RDFI may be required to refund the transaction to the Receiver, but may be unable to make the required warranty to the ODFI as part of a reversed entry.

Electronic records and signatures can be used by an RDFI to increase the number of unauthorized ACH Debit Entries for which the RDFI receives a WSUD. Under the NACHA Rules, the WSUD may be created or retained in an electronic form that (a) accurately reflects the information in the Record and (b) is capable of being accurately reproduced for later reference, whether by transmission, printing, or otherwise. It may also be signed using an electronic signature.

This means that RDFIs may, through careful design, structure their online and telephone intake processes for challenged ACH Debit Entries so that, in many cases, the processes automatically create a WSUD and obtain the necessary signature.