UNDERSTANDING ACH ©2018 First Tennessee Bank National Association operating as First Tennessee Bank and Capital Bank. Member FDIC. NEW 05/18 OVERVIEW The National Automated Clearing House Association (NACHA) regulates the use of the ACH system. The “Rules” related to originating (sending) ACH transactions can be pretty complex and intimidating. It’s recommended that each client review this list annually as a reminder of key issues related to ACH processing. This document is not intended to substitute for NACHA Rules nor eliminate the need for continuing education. Capital Bank customers can obtain a recent copy of the Rules or register for educational classes at the Southern Financial Exchange. Visit SFE.ORG for details. 1. The Company Name used by the originator (sender) of the transaction should be known and readily recognized by the receiver of the transaction. For example, the commonly known name found in advertisements or on signage should be used. 2. To originate (or send) transactions to a receiver, the originator must obtain the receiver’s authorization. When requested to provide proof, copies of the authorization must be provided within ten (10) business days of the request. The original authorization or equivalent copy must be maintained for two (2) years from termination or revocation of authorization. 3. It is acceptable in certain situations to originate a variable amount recurring debit entry. For example, utility bills frequently change in amount on a monthly basis and an ACH debit entry can be used to collect these bills. However, when the amount varies on a monthly basis, the originator must send the receiver a notice of the new payment amount at least ten (10) calendar days prior to date the debit is sent. 4. On recurring transactions (consistent or variable amount), if the scheduled date for the debit to be received changes, the originator must notify the receiver of the new schedule in writing at least seven (7) calendar days before entry is received. 5. Prenotes are frequently used to validate the financial information provided to the originator. Prenotes are zero-dollar entries which are sent at least three (3) banking days prior to initiating the first live (dollar) transaction. The receiving financial institution (bank, credit union or savings and loan) is responsible to provide a return notification if the financial information (routing number or account number) is incorrect. The receiving financial institution will not provide a positive confirmation that transactions were processed successfully (no news = good news). • ACH entries are posted to the receiver’s account based on routing and account number information only. The receiving bank is not required to verify the name, individual identification or other information provided in the entry. • It is the responsibility of the originator to verify that the individual authorizing the entry is in fact the owner of the account. The method to authenticate the identity of the receiver varies according to Standard Entry Code and is explained under each code starting on page 3. When a prenote is returned, the originator is responsible to correct the reason for the return. Upon receipt of returns relating to prenotifications indicating that the RDFI cannot accept such entries, such entries cannot be initiated. 6. In some instances, the receiving bank will process an entry that contains inaccurate information. When this happens, the receiving bank will send a Notification of Change (NOC) to the originating bank (Capital Bank). When this occurs, Capital Bank will provide a report to the originator that contains both NOC information with any return item entries which are received. The originator is required to make the correction within six (6) banking days or prior to the initiation of the next entry. 7. When transactions are returned as “R01 Insufficient Funds” or “R09 Uncollected Funds” Capital Bank can re-present the item a second or third time to attempt collection. These items are re-presented automatically unless it’s after 180 days from the original settlement date. This option would need to be setup in advance of the return entry. 8. If a transaction is returned “R05 Unauthorized Debit to Consumer Account Using Corporate SEC Code”, “R07 Authorization Revoked by Customer”, “R08 Payment Stopped”, or “R10 Customer Advises Not Authorized” a new authorization must be obtained and a new ACH file provided. The Standard Entry Class Code must be corrected on an R05. 9. If the originator recognizes that an error has been made on a file that has been sent to the bank, two options exist. If the file has not yet been processed by Capital Bank, the file can be deleted and a new file submitted. If the file has been processed, a reversing file, batch or entry can be made to correct the error. Requests for deletion or reversals must be made in writing by an authorized signer on the settlement account at First Tennessee. Contact the Business Service Center (888-227-2792) to obtain the correct form. Requests to reverse files, batches or entries must be made within five (5) banking days following the settlement date of the erroneous entry or file and within twenty four (24) hours of the discovery of the error. The originator is responsible to notify the receiver before the reversing entry is passed to the Receiver’s account. When a reversal is requested, the originator takes on additional risk. For example, if the original entry was a credit, it’s possible that the receiver may have withdrawn funds from the account prior to the reversal (debit) entry is passed to the receiver’s account. If the funds are not available to pay the debit entry, the reversal will be charged back to the originators account. If the original entry was a debit transaction, it’s possible that the debit transaction may be returned as insufficient, prior to reversal (credit) reaching the receiver’s account. Frequently, it takes time and effort outside the ACH Network to clean up problems created by files containing errors. 10. Originators are responsible to ensure that they have sufficient security in place when sending ACH transactions. When Originators send transaction information via an unsecured delivery channel (i.e. the internet), the information must be transmitted or received via a secure session utilizing a commercially reasonable security that provides a level of security that at a minimum is equivalent to 128-bit RC4 encryption technology. Security requirements may change periodically due to technological changes. 11. In general, NACHA uses Standard Entry Classes (SEC codes) to designate the method by which an ACH entry is authorized. The Rules regarding each SEC varies and NACHA monitors various statistics by originator and SEC. If your company is interested in originating multiple SEC codes, discuss this with your Relationship Manager or Treasury Management Sales Officer. Below is recap of information related to each SEC. STANDARD ENTRY CODES A. Consumer Applications Each type of ACH transaction carries specific risk issues that are related to the purpose of the transaction, how and who originates the transaction. However, in general, all consumer transactions carry the following risk concerns: Timing of returns: • Most entries need to be returned by the Receiving Depository Financial Institution (RDFI) so that the return entry is available to the Originating Depository Financial Institution (ODFI) no later than the opening of business on the second business day following the original settlement date of the transaction. • An exclusion exists which can extend the above timeframe until the 60th day following the settlement date of the transaction for transactions such as ARC, POP, TEL or WEB relating to stop payments that have been placed on the source document. The consumer is required to place a stop in such a time and manner that allows the RDFI a reasonable opportunity to act on the stop prior to acting on the debit entry. This provision is provided to allow a safety net for RDFIs that have not built a bridge between check and ACH systems. • Unauthorized returns may be returned up until the 60th day following the original settlement date of the transaction. The consumer is required to provide a Written Statement of Unauthorized Debit that identifies the item as being unauthorized. • As an ODFI, Capital Bank can be held liable under NACHA Rules for any breach of warranty. The majority of warranty issues tend to be regarding proper authorization. Breach of warranty is not limited to the return time frames discussed above, but is limited only by the statute of limitations for breach of contract claims under the applicable state law. The next section highlights the primary differences between SEC codes used for Consumer entries. 1. Accounts Receivable Entries (ARC) – Definition NACHA Rules enable an originator to convert a check into an ACH debit. This process enables a single entry debit which is provided to the originator via US Mail or at a drop box location to be converted into an ACH debit for payment of goods or services. Notification must be provided for each conversion event prior to the receipt of each check which explains the check will be used as a basis for the origination of an ARC entry. Check can only be converted to ARC when reading device electronically captures the MICR line. Authorization is provided by receipt of the signed check. Sample ARC Notification Language “When you provide a check as payment, you authorize us to use information from your check to make a one-time electronic fund transfer from your account. In certain circumstances, such as for technical or processing reasons, we may process your payment as a check transaction.” The following checks are not eligible for ARC: • Checks that do not contain a pre-printed serial number; • Checks that do contain an Auxiliary on-us field in the MICR line (auxiliary on-us fields are only found on larger, 9 inch check stock and is not present on smaller consumer sized 6 inch checks); • Checks greater than $25,000; • Third party checks; • Demand drafts or other checks that do not contain the signature of the receiver; • Checks provided by a lender for purposes of accessing a credit card account, home equity line or other form of credit; • Obligations of financial institutions (cashier’s checks, money orders, etc.); • Checks drawn on the US Treasury, a Federal Reserve bank, or a Federal Home Loan bank; • Checks drawn on a state or local government; • Checks drawn on an investment company as defined by the Investment Company Act of 1940; or • Checks payable in a medium other than US currency. Risks unique to ARC ARC entries can be returned up until 60 days from the settlement date for the following reasons: • Improper source document (a Written Statement of Unauthorized Debit is required); • No notice of conversion provided to the receiver; • If the original check was presented and cleared; or • The ARC transaction was initiated in an amount other than the amount indicated on the source document. Capital Bank has enabled ARC through Retail Lockbox processing platform. Vendor supplied software converts the MICR line information into ARC transactions and houses the logic to recognize ineligible items. 2. Back Office Conversion (BOC) – Definition BOC is used for single entry debits to a customer account and would typically be used in a retail application such as a grocery store. Checks would be provided to the originator by the receiver at the point of purchase or at a manned bill payment location. The store is required to provide notice that the check could be subject to processing as an electronic debit. Checks in this process are collected from the customer and converted through a back office conversion process. The merchant will keep the check and is required to use a reading device to capture the MICR line. Authorization is provided by the combination of the notification sign and the signed check. Sample BOC Notification Language “When you provide a check as payment, you authorize us to either to use information from your check to make a one-time electronic fund transfer from your account or to process the payment as a check transaction. For inquiries, please call <retailer phone number>.” The same checks which are not eligible for ARC are not eligible for BOC. Risks unique to BOC BOC entries can be returned up until 60 days from the settlement date for the following reasons: • Improper source document (a Written Statement of Unauthorized Debit is required); • No notice of conversion provided to the receiver (BOC requires a copy of the notice to be provided at the time of the transaction); • If the original check was presented and cleared; or • The BOC transaction was initiated in an amount other than the amount indicated on the source document. The business is required to: • Maintain source document images for a period of 2 years – the front image is required and back image is optional (this should be controlled easily by our Remote Deposit Capture software when that is the tool used to create the BOC transaction); • Store the converted check securely and to destroy it when necessary; and • Adequately verify the check presenter’s identity through commercially reasonable means. 3. International ACH Payments (IAT) - Definition An IAT Payment Transaction is defined as an ACH entry that is part of a payment transaction involving a financial agency that is not located within the territorial jurisdiction of the United States (US). HOWEVER, a payment transaction is defined to include any and all settlements, accounting entries, or disbursements that are necessary or appropriate to carry out the instruction. IAT transactions would be authorized under the requirements of the underlying SEC. § NACHA Rules applies to all ACH payments that are either… § Funded (directly or indirectly) by funds from financial institutions outside the US, or § Sent to / received from financial institutions or agencies outside the jurisdictional territory of the US. § In addition, the Rule requires that Bank Secrecy Act Travel Rule data be included in the ACH transaction. This includes: § Originator name & address, account number & financial institution, and payment amount § Beneficiary name & address, account number & financial institution. § This information is contained within additional addenda records specific to international transactions. Return information will also contain this data. IAT entries can be either a debit or credit entry, and can be sent by your client or received by your client. The receiver of the IAT transaction can be either a consumer or a corporation. If the funds move across an international border or if the instructions and the funding combined are from outside the US, even if the payments are sent from a US bank to a US bank, it would be considered an IAT. The corporate originator, rather than its ODFI, is in the better position to know the parties with which it does business, where those funds are destined, where its employees reside, etc. As a result, originators generally hold the responsibility for asking appropriate questions of their vendors and employees sufficient to determine whether those funds will remain domestic or whether the funds will move internationally. NACHA suggests that each company should determine whether they have transactions being sent out of the country, develop a specific company policy to address these items, and implement that policy. • Clients whose business activities include any of these four dimensions rank high on the list of companies impacted and in turn are required to meet the requirements of IAT. Businesses: § With subsidiaries or offices outside the US; § With pensioners or employees outside the US; § With vendors or suppliers outside the US; § That receive ACH entries from outside the US. Penalties for non-compliance with Office of Foreign Asset Control (OFAC) can range from $10,000 - $10,000,000 per occurrence with potential prison terms. Additional information can be found at http://www.nacha.org/c/IATIndustryInformation.cfm under the Corporate Tool Kit. How it works: Capital Bank directs International ACH Transactions (IAT) to the Federal Reserve, who routes the transactions to Gateway Operators that deliver the transactions to the Receiving Country and Receiving Financial Institution. The originator is responsible to ensure that all items are in compliance with U.S. law, including programs administered by the OFAC. IAT transactions contain additional data on both the originator and the receiver to comply with these programs and to properly route transactions to the foreign country, the financial institution and the receiver. IAT transactions can be routed to a specific account or directly to the receiver (who may not have a bank account). When the transaction is being sent from an account to an account, the transaction is referred to as A2A. When the transaction is being sent from an account to a receiver, the transaction is referred to as A2R. Some countries will only support A2A, others only support A2R and some support both. IAT transactions can be sent in U.S. Dollars to be received in U.S. Dollars. They can also be sent in U.S. Dollars and converted by the receiving financial institution to the local currency. IAT transactions may be limited in dollar value and may not be a good substitute for an International Wire. A chart is attached at the end of this document that provides additional information. The IAT process is complex; however, Capital Bank has the expertise to help you with this process. 4. Point of Purchase (POP) – Definition The POP SEC is used by originators as a method of payment for in-person purchase of goods and services. Checks can be accepted at the point of sale then scanned to capture the MICR line, voided and handed back to the customer. The scanned MICR line is used to initiate an ACH entry to debit the customer’s account. These entries are also single entry debits, requiring that the consumer signs an authorization at the time of purchase. Sample POP Notification Language “When you provide a check as payment, you authorize us to either to use information from your check to make a one-time electronic fund transfer from your account or to process the payment as a check transaction.” Risks unique to POP • POP entries have the same exclusion of items that are addressed earlier under ARC. • The originator must ensure ineligible items are not submitted. • Because the check is not retained, the originator must take additional steps to capture information in case the check is returned. • POP entries can be used for corporate checks only if the check does not contain an auxiliary on-us field in the MICR line. 5. Prearranged Payment and Deposit (PPD) – Definition PPD can be used for credit or debit transactions. Most PPD transactions are authorized in writing in advance of the transactions. PPD is normally used for recurring transactions (consistent or variable amounts) such as payroll or direct debit. However, NACHA Rules do not exclude the use of PPD for single entry authorizations. PPD transactions can also be authorized under the standard of similar authentication which allows the use of electronic signatures, digital signatures and security codes. Risks unique to PPD • Because NACHA Rules allow digital authentication, ACH transactions can be accepted by Interactive Voice Response (IVR) or Touch Tone systems and be processed under the PPD Standard Entry Class (SEC). This is frequently misunderstood by originators who may try to use the TEL SEC in error. • Unauthorized returns may be returned up until the 60th day following the original settlement date of the transaction. 6. Re-Presented Check entries (RCK) – Definition NACHA Rules permit the ACH network to be used to transmit a single-entry debit transaction to re-present electronically after a paper check has been returned for insufficient or uncollected funds. These entries are subject to UCC, Regulation CC and NACHA Rules, but are not covered under Regulation E or the Electronic Funds Transfer Act. Items are only eligible if they are: • Under $2,500 • Contain a pre-printed serial number; • Negotiable items drawn on an ACH participating bank other than the Federal Reserve Bank or the Federal Home Loan Bank • Payable in US dollars • Items that include the signature of the receiver • Returned for insufficient or uncollectible funds and this is clearly indicated on the face of the item • Dated 180 days or less from the date of entry transmitted to the RDFI • Drawn on a consumer account • Not presented more than a total of 3 times: 1 paper and 2 electronic or 2 paper and one electronic • Items cannot be a US Postal Money Order • Items cannot be a third party check Sample RCK Notification Language The manner for providing notification for RCK is not specific; however, notice at a point of sale must be clearly displayed. Notice provided by a billing company of intent to collect return check electronically must be clearly displayed on or with the billing statement. Fees related to return check collection must be authorized separately under WEB, PPD or TEL rules and cannot be included with the face amount of the returned item. “When you provide a check as payment, if the check is returned for insufficient or uncollected funds, your check may be collected electronically.” Risks unique to RCK • By the nature of these items, return rates will be high. This is reflected in both normal returns and in unauthorized returns. • Notice of possible conversion can be displayed at the point of check acceptance stating if the check is returned for NSF or uncollected funds that it may be collected electronically. The consumer doesn’t always recall that notice was provided and this results in higher unauthorized returns since actual conversion to ACH is delayed. 7. Telephone-Initiated (TEL) – Definition NACHA Rules enable an ACH entry to be initiated in response to a consumer’s oral authorization which includes the consumer’s banking information captured by telephone to transmit an ACH debit for goods or services. This authorization can be valid for recurring or for a single-entry TEL transaction. TEL entries can only be created: • When there is an existing relationship between the originator and the receiver, or • When there is not an existing relationship, but the receiver has initiated the call. An existing relationship is defined: • As a written agreement being in place between the originator and the receiver, or • By the consumer purchasing goods or services from the originator in the past two years. Sample TEL Notification Language The receiver must be provided and acknowledge during the conversation, the following terms of the transaction: • Date on or after which the consumer’s account will be debited; • The amount of the debit entry; • The consumer’s name;The account to be debited; • A telephone number that is available during normal business hours for customer inquiries; • The method by which the consumer can revoke the authorization; • The date of the consumer’s oral authorizations; • A statement that the authorization obtained will be used to create a single ACH debit to the consumer’s account. The above terms must be clearly stated and receiver must specifically acknowledge consent. Silence is not express consent. Risks unique to TEL NACHA Rules were specifically written to exclude marketing to consumers through cold calling efforts. Violations of TEL rules normally result in high rates of unauthorized returns. ODFIs are required to provide NACHA with specific information related to originators of TEL entries whose unauthorized return rates exceed 1.0%. Originators of TEL are required to either record the consumer’s oral authorization or provide in advance of the Settlement Date, written confirmation addressing the above terms of the transaction to the receiver. Authorization is evidenced by the recording or a copy of the confirmation. 8. Internet Initiated/Mobile (WEB) – Definition The NACHA Rules permit the internet or a mobile device to be used to authorize single or recurring debits to a consumer’s account. Sample WEB Notification Language Authorizations which are internet initiated must be displayed on a computer screen or other visual format in a clear manner. The consumer should be able to print and retain a copy of the authorization. Only the consumer can authorize a transaction, not a Third Party on behalf of the consumer. Use of a digital signature or code to similarly authenticate the written authorization is acceptable but does not preclude the other methods of authentication such as shared secret, passwords, biometrics, etc. The authentication method must demonstrate the consumer’s assent to the authorization. “I <consumer name> acknowledge that I am authorizing an electronic debit to my account for <amount> which will be debited on or after <date>. For inquiries, I can reach <retailer or biller> during normal business hours of <state hours> at <retailer or bill phone number>.” Risks unique to WEB There are 3 unique internet transaction characteristics that elevate risk levels. • Because of the anonymity of the internet, parties don’t always know who they are doing business with, which increases the opportunity for fraud. • Since the internet is an open network, special security procedures need to be in place to prevent unauthorized access to consumer financial information. • The sheer volume and speed of transactions increases risk levels. NACHA Rules refrain from developing rigid standards that may become outdated easily due to technological changes in a rapidly changing environment. Terms such as commercially reasonable are used which makes it more difficult to determine compliance. Audit Requirements Annual audit requirements exist for all originators of WEB transactions. These audits can be conducted by external or internal auditors which are independent. These requirements include: • Authentication techniques – these may vary according to the type of transaction, the dollar amount, new or existing customer base, etc. The more robust the authentication the less likely fraudulent transactions will occur. • Fraudulent detection systems – different technologies are available at varying costs. Examples include tracking payment history, the average dollar size of the transactions, the typical relationship with the consumer and the types of goods or services sold. • Verification of routing numbers – to minimize errors related to key entry mistakes each originator is required to verify that routing numbers are valid. This can be considered a component of a fraudulent detection system. • Security of internet sessions – Secure sites with an equivalent to 128-bit RC4 encryption technology, or transmit the receiver’s banking information utilizing commercially reasonable security technology via a secure session that is equivalent to 128-bit RC4 encryption. If technology advancements occur to drive the commercially reasonable standard to change, the originator should comply with the new standard. • Network security – § Physical security to prevent theft, tampering or damage with disaster recovery plans developed and reviewed periodically § Personnel access controls to deter unauthorized access and use § Security policies to govern access to sensitive data § Employment verification for employees with access § Access controls to systems, networks, files that contain sensitive information. § Ensure no one person acting alone cannot bypass safeguards § Audit trails to scrutinize activities of users § Ensure secure capture storage, distribution and destruction § Network and data stored behind firewalls and inaccessible from the internet § Data retention schedule developed with policies from time of capture to destruction § Ensure systems have updated software, security patches § Regularly test security systems and processes NACHA Rules also require the ODFI to establish, monitor and review periodically specific exposure limits for originators of WEB entries. B. Corporate Applications Corporate entries are limited to two standard entry classes, CCD and CTX. 1. Corporate Credit or Debit (CCD) – Definition This is the most commonly used corporate entry. This can be used for either debit or credit transactions to distribute or collect between corporate entities. Tax payments also use this standard entry class for federal and state payments. 2. Corporate Trade Exchange (CTX) – Definition This is most commonly used to move funds and information related to the payments. This transaction supports up to 9,999 addenda records to communicate ANSI ASC X12 message sets or UN/EDIFACT information. 3. Risks unique to Cash Concentration In general, corporate transactions carry additional risk issues when used for Cash Concentration. Cash Concentration is the consolidation of funds from multiple financial institutions were the accounts at each financial institution are all owned by the corporate entity. Since deposited funds are available to the corporate entity on the effective date of the transaction, it is possible for the corporate entity to withdraw funds, and then declare bankruptcy. If this sequence of events should occur, the ACH debit entries presented to the receiving financial institution are likely to be returned and Capital Bank would have unsecured credit exposure. 4. Timing of returns • Most entries will need to be returned by the RDFI so that the return entry is available to the ODFI no later than the opening of business on the second business day following the original settlement date of the transaction. • For the receiver of CCD or CTX transactions, this shorter return timeframe requires daily reconciliation to recognize and return unauthorized or other ACH debits in a timely manner. • Originators are held liable under the Capital Bank Treasury Management Master Agreement and ACH Service Description for any breach of warranty (which includes, but is not limited to, any breach of warranty regarding proper authorization) and is not limited to the return time frames discussed above, but is limited only by the statute of limitations for breach of contract claims under the applicable state law.
Description: