Brigham Young University
Office of Compliance and Audit
Research Memo
NACHA Operating Rules

Law/Act: NACHA Operating Rules
Public Law Citation: None
U.S. Code Citation: None
Code of Federal Regulations Citation: None
Responsible Regulator: NACHA – The Electronic Payments Association
BYU Responsible Officer: Richard White, University Treasurer
Version 2.0
Effective Date: December 14, 2010

BACKGROUND

NACHA – The Electronic Payments Association (NACHA) is a non-profit private-sector trade association that oversees the Automated Clearing House (ACH) Network, which is one of the largest electronic payment transfer networks in the world.[1] Formed in 1974 by various state and regional payment associations, NACHA’s purpose was “to establish uniform operating rules for the exchange of ACH payments among ACH associations.”[2] Based on NACHA’s work, by 1978 it was possible for two participating financial institutions located in the United States to electronically exchange ACH payments under a common set of rules, known today as the NACHA Operating Rules.[3]

The ACH Network is a “batch processing, store-and-forward system” that allows for the interbank clearing of electronic payments.[4] Electronic transfers in the network are stored then forwarded in batches to their destination banks at a predetermined time.[5] ACH payments may include:

• Direct deposit of payroll, Social Security, and other government benefits;
• Direct deposit of tax refunds;
• Direct payment of consumer bills, such as mortgages, loans, utilities, and insurance premiums;
• Business-to-business payments;
• e-Checks;
• e-Commerce payments; and,
• Federal, state, and local payments.[6]

The NACHA Operating Rules govern the electronic payment transactions of participating institutions and “work in concert with applicable laws and regulations to provide a legal and business foundation for the use of ACH payments.”[7] The rules provide payment formats for the ACH Network and define the roles and responsibilities of parties involved in the Network.[8] Rules are adopted or amended through a deliberative process that includes the opportunity to comment by member institutions.[9] As of 2003, the ACH Network governed by the NACHA Operating Rules served 20,000 financial institutions, 3.5 million businesses, and 135 million individuals.[10]

APPLICABILITY TO BYU

NACHA Operating Rules apply to all ACH transactions conducted by participating entities. As many as six different types of entities may participate in a given transaction, one of which is the “Originator,” defined as “the entity that agrees to initiate ACH entries into the payment system.”[11] NACHA explains that “[t]he Originator is usually a company directing a transfer of funds to or from a consumer’s or another company’s account. An Originator can be either a company or a consumer.”[12] The rules also define the “Receiver” as “a natural person or an organization that has authorized an Originator to initiate an ACH entry to the Receiver’s account.”[13]

The ACH process “operates from beginning to end through a series of legal agreements.”[14] Before an ACH transaction is conducted, the parties, including the Originator, execute an agreement to use the ACH Network and to abide by the NACHA Operating Rules.[15]

Common ACH transactions in which BYU is either the Originator or Receiver include direct deposit payroll transactions, student online tuition payments, and debit or credit card transactions. In general, through agreements with its financial institutions, BYU is required to know and follow the NACHA Operating Rules.

REQUIREMENTS

The NACHA rules have recently undergone a major revision to simplify, clarify, and unify the language and structure of the rules.[16] In spite of these changes, NACHA maintains that the substantive meaning of the underlying rules has not changed from the previous version.[17]

By way of general summary, the NACHA Operating Rules require that an Originator

• Enter into an agreement with its financial institution (and third-party sender if applicable) under which it agrees to be bound by the NACHA Operating Rules and that it will not initiate ACH entries in violation of United States laws.[18] Each agreement between the Originator and its financial institution must also expressly address the following:
   o Any restrictions on the types of ACH transactions that may be originated.
   o The right of the financial institution to terminate the agreement for breach of the NACHA Operating Rules.
   o The right of the financial institution to audit the Originator’s compliance with the NACHA Operating Rules.[19]
• For certain types of transactions, enter an agreement with the Receiver that obligates the Receiver to be bound by the NACHA Operating Rules.[20]
• Obtain authorization from the Receiver before initiating a transaction.[21]
• Provide “clear and conspicuous” notice to the Receiver, in applicable transactions, that information will be used from the Receiver’s source document (such as a check) to make a one-time electronic fund transfer.[22] The notice should include the following or substantially similar language: “When you provide a check as payment, you authorize us either to use information from your check to make a one-time electronic fund transfer from your account or to process the payment as a check transaction.”[23]
• In the case of certain non-recurring in-person transactions for which there is no standing authorization, provide the Receiver a phone number for inquiries.[24] If the consumer notifies the Originator that receipt of a check does not authorize an ACH debit entry, then the Originator may not make such an entry.[25]
• Employ a “commercially reasonable” fraudulent transaction detection system to screen payment entries made on the Internet.[26]
• Employ a “commercially reasonable” method of authentication to verify the identity of a person making an online request for an ACH payment from their account.[27]
• Use “commercially reasonable” procedures to verify that routing numbers entered on the Internet for payment purposes are valid.[28]
• Conduct or have conducted annual audits of Internet-initiated entries to ensure that the financial information the Originator obtains from Receivers is protected by adequate security practices and procedures.[29] Such practices and procedures must include, at a minimum, (1) Adequate physical security to protect against theft, tampering, or damage; (2) Sufficient personnel and access controls to protect against unauthorized access and use; and (3) Network security to ensure secure capture, storage, and distribution.[30]
• For information exchanged over an unsecured electronic network,[31] encrypt banking information including, but not limited to, an ACH entry, ACH entry data, a routing number, an account number, or a PIN or other identification symbol using a commercially reasonable security technology that, at a minimum, is equivalent to 128-bit RC4 encryption technology.[32]
• Ensure that no invalid characters are included in ACH files sent to its financial institution.[33]
• Adhere to the schedules established by its financial institution for input of ACH files.[34]
• Comply with PIN Management and Security requirements of the American National Standards Institute’s (ANSI) Accredited Standards Committee in certain identified transactions involving a PIN.[35]
• Provide sufficient notices to Receivers related to amounts and dates of debit entries, and an electronic or hard copy of the Receiver’s authorization for all debit entries.[36]
• For entries related to re-presented checks, provide the Receiver with notice that “clearly and conspicuously” states the terms of the entry policy before receiving the item to which the entry relates.[37]

[1] See NACHA – The Electronic Payments Association, Executive Management, available at http://www.nacha.org/c/ExecMgmt.cfm.
[2] NACHA – The Electronic Payments Association, History, available at http://www.nacha.org/c/aboutus_History.cfm.
[3] See id.
[4] NACHA – The Electronic Payments Association, Intro to the ACH Network, available at http://www.nacha.org/c/Intro2ACH.cfm.
[5] See id.
[6] See id.
[7] NACHA – The Electronic Payments Association, ACH Rules: NACHA Operating Rules, available at http://www.nacha.org/c/achrules.cfm. The U.S. Department of Treasury has formally adopted the NACHA Operating Rules to apply to the Federal government’s ACH payments, including Social Security payments, tax collections, and refunds. See 31 C.F.R. Part 210; NACHA – The Electronic Payments Association, Private-Sector Rulemaking for U.S. Payments Systems, and the NACHA Operating Rules (June 2009), available at http://admin.nacha.org/userfiles/File/Private_Sector_Rulemaking_for_US_Payment_Systems_-_June_2009.pdf. Other related laws include: the Federal Electronic Fund Transfer Act (EFTA), the Federal Reserve Board’s Regulation E, the FTC’s Telemarketing Sales Rule, and UCC Article 4A.
[8] See id.
[9] See id.
[10] NACHA – The Electronic Payments Association, Online Bill Payment Comes of Age, May Exceed $200 Billion in 2003, According to NACHA (May 27, 2003), available at http://www.nacha.org/news/newsDetail.cfm/RecentBusinessNewsID/73.
[11] NATIONAL AUTOMATED CLEARING HOUSE ASSOCIATION, ACH RULES: A COMPLETE GUIDE TO RULES & REGULATIONS GOVERNING THE ACH NETWORK (“NACHA OPERATING RULES”) § 14.1.48, at OR 48, ACH PRIMER 2 (2010).
[12] Id.
[13] Id. § 14.1.58, at OR 49, ACH PRIMER 2.
[14] Id. at ACH PRIMER 13. The Federal government has adopted by statute and regulation the NACHA Operating Rules for purposes of many of its own ACH transactions. See id.; supra n.7.
[15] Id.
[16] See NACHA – The Electronic Payments Association, Rules Simplification, available at http://www.nacha.org/c/_content.cfm/AID/779/. The new rules are effective January 1, 2011. See id.
[17] See id.
[18] NACHA OPERATING RULES § 2.1.1, at OR 2–OR 3.
[19] See id. at OR 3.
[20] See id. § 2.1.2, at OR 2.
[21] See id.
[22] See id. §§ 2.1.4, 2.1.6, at OR 4; see also id.