SUMMARY OF REVISIONS TO THE 2021 NACHA OPERATING RULES
Effective on June 30, 2021
SUPPLEMENTING DATA SECURITY REQUIREMENTS (Phase 1)
This change impacts Originators and TPSP (including TPS)
The existing ACH Security Framework including its data protection requirements will be supplemented to explicitly require large, non-FI Originators, Third-Party Service Providers (TPSPs) and Third-Party Senders (TPSs) to protect deposit account information by rendering it unreadable when it is stored electronically.
This new rule applies only to account numbers collected for or used in ACH transactions and does not apply to the storage of paper authorizations.
Phase 1 – June 30, 2021 for Originators and Third-Parties with ACH volume greater than 6 million in 2019
Phase 2 – June 30, 2022 for Originators and Third-Parties with ACH volume greater than 2 million in 2020
Effective on January 2, 2021 (Enforcement Rule)
Effective on June 30, 2021 (Reversal Rule)
REVERSALS AND ENFORCEMENT
This change impacts Financial Institutions as well as Originators and Receivers
This Rule will explicitly address improper uses of reversals. It will expand the permissible reasons for a reversal to include a “wrong date” error – 1) the reversal of a debit Entry that was for a date earlier than intended by the Originator, or 2) a credit Entry that was for a date later than intended by the Originator
The Rule will also establish formatting requirements for reversals, beyond the current standardized use of the Company Entry Description field (“REVERSAL”):
- The Company ID, SEC Code, and Amount fields of the reversal must be identical to the original entry.
- The contents of other fields may be modified only to the extent necessary to facilitate proper processing of the reversal.
- This is the same approach as the formatting requirements for Reinitiated Entries.
This Rule will define an Egregious Violation as:
- A willful or reckless action, and involves at least 500 Entries, or involves multiple Entries in the aggregate amount of at least $500K.
- Allow the ACH Rules Enforcement Panel to determine whether a violation is egregious, and to classify an Egregious Violation as a Class 2 or 3 Rules Violation.
- The sanction for a Class 3 violation can be up to $500,000 per occurrence and a directive to the ODFI to suspend the Originator or Third-Party Sender. It also expressly authorizes NACHA to report Class 3 Rules violations to the ACH Operators and industry regulators.
Effective on September 17, 2021
This change impacts Originators and TPSP (including TPS)
The overarching purpose of these rules is to improve and simplify the ACH user-experience by
facilitating the adoption of new technologies and channels for the authorization and initiation of ACH payments.
This rule will define a “Standing Authorization”
- Under existing guidelines, consumers may authorize the Originator to debit their account as a Single-Entry (one-time) payment or Recurring (regular intervals.) Future entries that do not align with the terms of the original request would require the Originator obtain an additional authorization.
- Under the new Rule, Standing Authorizations may be obtained when the payment is not a Single-Entry but doesn’t fit into the Recurring model, and enable businesses and consumers to make more flexible payment arrangements for relationships that are ongoing in nature. Standing Authorizations may be collected in writing or orally.
- Payment Type Codes:
- “R” = Recurring
- “S” = Single Entry
- “ST” = Standing Authorization
Other Authorization Proposals
In conjunction with the other authorization rules (Standing Authorizations and Oral Authorizations), this Rule includes other modifications and re-organizations of the general authorization rules for purposes of clarity, flexibility and consistency.
- Re-organizes the general authorization rules to better incorporate Standing Authorizations, Oral Authorizations, and other changes described below.
- Defines “Recurring Entry” to complement the existing definition of Single Entry and the proposed new definition of Subsequent Entry, and align with terms in Regulation E.
- Explicitly states that authorization of an ACH payment by any method allowed by law/regulation.
- Only consumer debit authorizations require a writing that is signed or similarly authenticated.
- Applies the standards of “readily identifiable” and “clear and readily understandable terms” to all authorizations.
- For all consumer debit authorizations, applies the minimum data element standards that are currently stated only in the TEL rules (i.e., what will be in a consumer authorization).
Disclaimer: The “ACH Rules Awareness & Updates Guide” is offered to Maine Community Bank’s ACH origination clients.
This document is meant as a source of information for our clients and Maine Community Bank and its Divisions of Biddeford Savings and Mechanics Savings make every attempt to create value-added articles with the most current information possible.
This “ACH Rules Awareness & Updates Guide” is not intended to provide any warranties or legal advice, and is intended for educational purposes only.
For any discrepancies between this Guide and the NACHA Operating Rules and Guidelines please refer to the NACHA Rules.
GENERAL REMINDERS OF RESPONSIBILITIES WITH CURRENT NACHA RULES FOR ORIGINATORS
NOTIFICATION OF CHANGE (NOC)
Originators must respond to Notifications of Change by making corrections within six banking days of receipt of the NOC information or prior to initiating another entry to the Receiver’s account, whichever is later. (Note: Special requirements apply to NOCs received in response to prenotification entries and to Single Entries. These are discussed in more detail below.)
NOC received in response to a prenotification entry
- An Originator must make all changes contained within an NOC related to a prenotification entry; however, the Originator’s timing requirements for action can differ, depending on when the NOC is made available to the ODFI. For a timely NOC (that is, an NOC made available to the Originator’s ODFI by the ACH Operator by the opening of business on the second banking day following the prenote’s settlement date), the Originator must make the requested changes before transmitting a “live” entry to the Receiver’s account. For an untimely NOC (that is, an NOC made available to the ODFI by the ACH Operator after the opening of business on the second banking day following the prenote’s settlement date), the Originator must make the requested changes within six banking days of receiving the NOC information from its ODFI or prior to transmitting the next entry, whichever is later.
NOC Received in response to a Single Entry
- By definition, a Single Entry is a credit or debit entry based on a Receiver’s authorization for a one-time transfer of funds to or from the Receiver’s account. No subsequent entries may be originated unless separately authorized by the Receiver via a new authorization. The NACHA Operating Rules, therefore, allow an Originator discretion in determining whether to make the changes requested in any NOC related to an Entry identifiable as a Single Entry.