November 30, 2020
New NACHA Account Validation Requirement Will Make It More Difficult For You To Accept Electronic Payments From Your Website
Back in the 1980s, President Reagan popularized an English translation of the Russian proverb "Doveryai, no proveryai" - trust, but verify. Years later, former Secretary of State John Kerry put a more modern spin on things: "President Reagan's old adage about 'trust but verify' ... is in need of an update. And we have committed here to a standard that says 'verify and verify'." It appears that the good folks at NACHA may be following Secretary Kerry's lead by requiring you to "validate and validate" your customer's account before initiating ACH debits.
An upcoming change to the NACHA Rules will impact your business if you allow consumers to authorize you to initiate ACH payments from their deposit accounts via the Internet or a mobile device. Such ACH payments are known under the NACHA Operating Rules as "WEB Debit Entries."
Because WEB Debit Entries are susceptible to fraud, the NACHA Rules currently require Originators of WEB Entries (i.e., the payees who initiate such payments with the consumer's authorization) to establish and implement commercially reasonable:
- fraudulent transaction detection system(s) to screen the WEB Debit Entry;
- methods of authentication to verify the identity of the Receiver (the consumer depositor of the consumer deposit account that will be debited) of the WEB Debit Entry; and
- procedures to verify that the routing number used in the WEB Debit Entry is valid.
NACHA's new Supplementing Fraud Detection Standards for WEB Debits Rule, which becomes effective on March 19, 2021, is intended to reduce fraud by requiring Originators to "validate" consumer accounts before the first debit from the consumer's account. The rule change explicitly identifies account validation as a required part of an Originator's "commercially reasonable fraudulent transaction detection system." This means that any time a consumer authorizes an ACH debit from the consumer's deposit account (either one-time or recurring payments) online or via a mobile device, the payee must validate the consumer's deposit account. While the NACHA Rules do not define "validate," additional "Frequently Asked Questions" guidance posted to NACHA's website clarifies the meaning of "validate":
At a minimum, the Originator must use a commercially reasonable means to determine that the account number to be used for the WEB debit is for a valid account - that is, that the account to be used is a legitimate, open account to which ACH entries may be posted at the [consumer's bank].
The rule change does not require Originators to validate that the consumer who authorizes the payment is the owner or an authorized user of the account.
The NACHA FAQs provide the following examples of methods one could use to satisfy the new validation requirement, but each comes with challenges:
- ACH micro-transaction verification - These typically involve two steps: The payee makes a small deposit (usually just a few pennies) into the consumer's account, and the consumer confirms the amount deposited. This process can take a couple of days, and anecdotal information indicates that consumers often fail to complete the process.
- Prenotification Entry - Sometimes referred to as a "pre-note," these are non-monetary ACH entries. The payee sends a prenotification entry through the ACH network to verify that the account is valid. If the account is not valid or is not set up to receive ACH entries, the consumer's bank will respond with that information. Like the micro-transaction process, the prenotification process can take a couple of days, and the NACHA Rules require you to wait to initiate payment entries until 3 business days after you send the prenotification entry.
- Commercially available account validation database service - This method compares account and routing number information to a database of previously validated accounts. NACHA's "Account Validation Resource Center" webpage includes a list of third-party vendors who offer this service. While this method is virtually instantaneous, not all consumer accounts will be in the database, and you would need to pay for the service.
- Account validation APIs - This validation method uses an application program interface ("API") and a secure digital connection to the consumer's bank to retrieve the account and routing numbers from the consumer's online banking interface. While this method is virtually instantaneous, it requires the consumer to share online banking login credentials. Anecdotal information indicates that many consumers are not willing to do this due to privacy and information security concerns.
If you haven't already done so, now is a great time to check in with your payments counsel or your payment processing vendor to confirm that you will have appropriate account validation procedures in place to comply with the rule change by March.