As the volume of interactions and transactions between financial institutions and clients continues shifting toward an electronic environment, financial institutions should expect commercial clients to seek convenient, electronic methods of doing business with their customer base.
For commercial clients acting as originators, the Automated Clearing House (ACH) network makes it possible to obtain electronic authorization over the internet or a mobile device for initiating debit entries that collect payment from non-commercial customers (the receivers). These entries are identified by the Standard Entry Class (SEC) Code WEB. Electing to originate debit WEB entries, however, exposes Originating Depository Financial Institutions (ODFIs), originators and receivers to additional risk; therefore, the National Automated Clearing House Association (NACHA) imposes additional rules on ODFIs and originators to reduce this risk.
NACHA rules state an originator must complete the following requirements prior to originating debit WEB entries:
- The origination agreement with the ODFI should specify how liability for WEB debit entries will be shared between the originator and the ODFI and specify processing obligations.
- The originator must ensure that all sensitive information obtained from a receiver is collected, transmitted and stored in a commercially reasonable manner. This includes the method used to verify the identity of the receiver, proper encryption of the internet or mobile session in which the authorization and banking information are captured, the use of a system for detecting fraudulent transactions, and procedures for verifying the Receiving Depository Financial Institution's (RDFI) routing number.
- Originators must obtain authorization from receivers in a manner that complies with the requirements of the rules.
- Per Section V – Standard Entry Class Codes, Chapter 48 Internet Initiated/Mobile Entries of the 2020 NACHA Operating Guidelines, the following information must be included in an authorization:
- Express authorization language (for example, "I authorize Company A to debit my account")
- Amount of transaction:
- For a single-entry payment
- For a recurring entry that is for the same amount each interval
- For a range of payments
- The effective date of the transaction
- The receiver’s account number
- The receiver's financial institution's routing number
- Revocation language
- Due to the added risk of fraudulent internet/mobile payments, originators must institute the following risk management techniques:
- Authentication: Prior to accepting an online ACH debit authorization, an originator must decide which methods it will use to authenticate the identity of the receiver. A common method is requesting multiple pieces of identifying information that can be corroborated against independent databases; for recurring customers, an authenticated login to an existing account can serve the same purpose.
- Fraudulent Transaction Detection Systems: A fraudulent transaction detection system will track payment history, purchases made and behavior.
- Annual Data Security Audit: Used to determine that receivers' financial information is protected in a commercially reasonable manner.
- The data security audit should cover the following levels of security:
- Physical security aimed at preventing theft, damage or unauthorized interference
- The efficacy of physical and technological access controls to stop unauthorized access
- Network security controls designed to protect the transmission, storage, distribution and destruction of sensitive financial information
- The minimum elements required by an annual data security audit are outlined by Section V – Standard Entry Class Codes, Chapter 48 Internet Initiated/Mobile Entries in the 2020 NACHA Operating Guidelines.
- Verification of routing numbers: The originator must utilize commercially reasonable procedures to verify the validity of routing numbers. This may be accomplished as an element of a fraudulent transaction detection system, through a directory or database of active routing numbers, or through other methods devised by the originator. A format or check-digit test alone catches typos but not a valid-looking number that belongs to no participating institution, so a directory lookup is the stronger control.
- NACHA rules state that an ODFI must complete the following requirements prior to transmitting debit WEB entries on behalf of an originator:
- The origination agreement with the originator should specify how liability for debit WEB entries will be shared between the originator and the ODFI and specify processing obligations.
- ODFIs must agree to additional warranties and liabilities prior to transmitting debit WEB entries on behalf of an originator:
- ODFI warrants that each originator originating debit WEB entries employs a commercially reasonable fraudulent transaction detection system.
- ODFI warrants that originators of debit WEB entries utilize commercially reasonable methods to verify the identity of the receiver.
- ODFI warrants that originators have taken commercially reasonable steps to verify the validity of routing numbers used for debit WEB entries.
- ODFI warrants that originators have conducted annual data security audits to ensure the financial information of receivers is secure.
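The following is an added, illustrative example (not code from the original article or from NACHA) of two of the originator-side controls above: a routing number check that combines the ABA check-digit formula with the Federal Reserve routing-symbol prefix ranges and an optional directory lookup, and a completeness check of the authorization elements listed for Chapter 48 (express authorization language, amount or range, effective date, account number, routing number, revocation language). The routing numbers, account number and authorization text are constructed test values; the 17-character alphanumeric account-number limit is an assumption based on the ACH entry detail record format.

```python
"""Originator intake checks for a debit WEB authorization (added example, not the article's code)."""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date
from typing import Optional

# ABA routing number checksum: weighted sum of the nine digits must be divisible by 10.
ABA_WEIGHTS = (3, 7, 1, 3, 7, 1, 3, 7, 1)


def aba_check_digit_ok(rtn: str) -> bool:
    """True if rtn is nine digits and passes the mod-10 weighted checksum."""
    if not re.fullmatch(r"\d{9}", rtn):
        return False
    return sum(int(d) * w for d, w in zip(rtn, ABA_WEIGHTS)) % 10 == 0


def aba_prefix_ok(rtn: str) -> bool:
    """First two digits must fall in a Federal Reserve routing-symbol range
    (00-12, 21-32, 61-72, 80); anything else is not an ABA routing number."""
    p = int(rtn[:2])
    return 0 <= p <= 12 or 21 <= p <= 32 or 61 <= p <= 72 or p == 80


def routing_number_valid(rtn: str, directory: Optional[set[str]] = None) -> bool:
    """Format, checksum and prefix checks, plus an optional directory lookup.
    The arithmetic alone accepts e.g. '000000000' (sum 0, prefix 00), which is why a
    directory of participating institutions is the commercially reasonable control."""
    if not aba_check_digit_ok(rtn) or not aba_prefix_ok(rtn):
        return False
    return directory is None or rtn in directory


@dataclass
class WebAuthorization:
    """Elements an originator captures from the receiver during the online session."""
    authorization_text: str                 # e.g. "I authorize Company A to debit my account"
    amount: Optional[float]                 # single entry or fixed recurring amount
    amount_range: Optional[tuple[float, float]]  # (min, max) when the amount varies
    effective_date: str                     # ISO date of the (first) debit
    account_number: str                     # receiver's account at the RDFI
    routing_number: str                     # RDFI routing number
    revocation_text: str                    # how the receiver may revoke the authorization


def authorization_problems(a: WebAuthorization,
                           directory: Optional[set[str]] = None) -> list[str]:
    """Return a list of missing or invalid elements; an empty list means accept."""
    problems: list[str] = []
    if "authorize" not in a.authorization_text.lower():
        problems.append("missing express authorization language")
    if a.amount is None and a.amount_range is None:
        problems.append("missing amount (single, recurring or range)")
    elif a.amount is not None and a.amount <= 0:
        problems.append("amount must be positive")
    elif a.amount_range is not None and not (0 < a.amount_range[0] <= a.amount_range[1]):
        problems.append("amount range must be ordered and positive")
    try:
        date.fromisoformat(a.effective_date)
    except ValueError:
        problems.append("effective date is not a valid ISO date")
    # Assumption: ACH DFI account number field is up to 17 alphanumeric characters.
    if not re.fullmatch(r"[A-Za-z0-9]{1,17}", a.account_number):
        problems.append("account number malformed")
    if not routing_number_valid(a.routing_number, directory):
        problems.append("routing number failed validation")
    if not a.revocation_text.strip():
        problems.append("missing revocation language")
    return problems


if __name__ == "__main__":
    # Constructed sample: a complete authorization with a checksum-valid routing number.
    sample = WebAuthorization("I authorize Company A to debit my account", 49.99, None,
                              "2021-04-01", "123456789012", "021000021",
                              "You may revoke this authorization by contacting Company A.")
    print(authorization_problems(sample))                       # expect []
    print(authorization_problems(sample, directory={"011000015"}))  # routing number not in directory
```

The directory argument stands in for whatever list of participating RDFIs the originator sources (its own database or a purchased directory); the check-digit and prefix tests are the cheap first gate that a fraud detection system can run on every submission before the more expensive lookup.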
Effective March 19, 2021, NACHA is modifying the Article Two subsection "Additional ODFI Warranties for Debit WEB Entries" to require that, at a minimum, a fraudulent transaction detection system must validate the account to be debited, on the first use of an account number and after any change to it.
If an originator bypasses or neglects to institute proper account validation, its fraudulent transaction detection system will not be considered commercially reasonable and will not comply with the NACHA Rules. Originators may need to change their current fraudulent transaction detection systems, for example by adding a pre-notification entry, micro-deposit confirmation or a commercial account-validation service before the first live debit, to comply with this modification.
ODFIs electing to transmit WEB entries for their commercial clients will likely have questions on instituting NACHA’s rules for themselves and their originators.
Wipfli LLP’s risk advisory and technology consulting teams are available to assist with advising and evaluating the controls implemented to mitigate risk from originating debit WEB entries.