The effective date for the change is March 19, 2021.

The rule was originally approved by Nacha members in November 2018, to become effective January 1, 2020. The Nacha Board of Directors approved the extension in effective date to allow for additional time, education, and guidance to be provided to the industry. 

At a minimum, the Originator must use a commercially reasonable means to determine that the account number to be used for the WEB debit is for a valid account – that is, that the account to be used is a legitimate, open account to which ACH entries may be posted at the RDFI.

No. The minimum standard imposed by the Nacha Operating Rules requires Originators to validate that an account is open and accepts ACH entries.

However, because the determination of whether a business practice is considered commercially reasonable depends on a particular Originator’s business model and risk profile, and how it compares to similarly situated Originators, each Originator will need to determine for itself, in consultation with its own advisors, such as legal counsel and risk department, whether verifying simply that an account is open is sufficient. For some Originators, a more rigorous assessment that also verifies account ownership may be appropriate to meet a commercially reasonable standard.

No. The Nacha Operating Rules are neutral with regard to specific methods or technologies to validate account information.  See the question below for additional guidance.

Examples of methods to validate an account may include, but are not limited to, the use of a Prenotification Entry, ACH micro-transaction verification, use of a commercially available validation service provided by either an ODFI or a third-party, and use of account validation capabilities or services enabled by APIs.

Other options not listed above may also provide a commercially reasonable means to test an account for ACH use. As an example, use of a third-party that provides scoring information on the account status might be determined by some Originators to be a commercially reasonable option. Similarly, for others, an account with a proven history of prior successful payments may prove a sufficient means for validation for use of the account with a new WEB authorization.

Since the concept of commercial reasonableness is dependent on each customer’s particular situation and how it compares to similarly-situated Originators, each Originator, in consultation with its own attorneys, risk department, or other advisors, will need to determine which account validation method meets the commercially reasonable standard for its own facts and circumstances.

Nacha does not consider a fraudulent transaction detection system that does not include an account validation component as sufficient.

No. This rule applies on a “going-forward” basis and applies to new account numbers obtained for initiating WEB debits. This rule does not apply retroactively to account numbers that have already been used for WEB debits.

No. Use of an account number with a proven history of prior successful payments is a sufficient means for validation for use of the account with a new WEB authorization.

No. Use of an account number with a proven history of prior successful payments is a sufficient means for validation for use of the account with a new WEB authorization.

Yes.

No. The accuracy of an account number change requested by the RDFI via the NOC process is warranted by the RDFI, which serves as validation. The Originator need not re-validate the change, provided it has correctly applied the change requested by the RDFI.

Yes. Transmission of a Prenotification Entry meets the minimum standard of the Rules for validating that an account is open and can accept ACH entries. Under today’s prenote rules, an Originator can assume that a “no response” by the end of the return/NOC period means that the RDFI has validated the account number is open and can accept ACH entries, and therefore begin to transmit live entries. However, for some Originators, this standard of account validation may not be commercially reasonable for the particular line of business or risk profile compared with similarly-situated Originators, and the use of a more rigorous account validation standard may be appropriate.

Yes. Transmission of ACH micro-transactions can meet the minimum standard of the Rules to validate that an account is open and can accept ACH entries. If the RDFI does not return the micro-transactions within the return timeframe, the Originator can assume that the entries posted to a valid account. However, for some Originators, this standard of account validation may not be commercially reasonable for the particular line of business or risk profile compared with similarly-situated Originators, and the use of a more rigorous account validation standard may be appropriate.

ACH Originators of WEB debit entries are required to use a “commercially reasonable fraudulent transaction detection system” to screen WEB debits for fraud. This requirement is intended to help prevent the introduction of fraudulent payments into the ACH Network, and to help protect RDFIs from posting fraudulent or otherwise incorrect/unauthorized payments.

Originators are in the best position to detect and prevent fraud related to payments they are initiating, but in recent risk events perpetrated via social media channels, it has become apparent that some ACH Originators do not have or use any such system to screen WEB debits.

No.  An account validation service or method might be commercially reasonable for a specific set of facts and circumstances, even if it does not cover 100% of potential accounts or account validation attempts.

What is “commercially reasonable” should be assessed by the parties within the full context of all the relevant facts and circumstances.  Such facts and circumstances can include:

1. the risks associated with the purpose of the transaction being initiated;
2. the originator’s history with returns for invalid account information and fraud;
3. the percentage of “no hit” responses;
4. the historical experience of fraud on “no hit” responses with the service being used; and,
5. the use of other compensating controls.

In addition, an account validation service or method could supplement its primary validation method with others, such as an ACH prenotification or micro-transaction, in an effort to come closer to 100% coverage.  As an example, an instant verification service that can validate 95% of potential accounts can use supplemental methods such as prenotification or micro-transactions for many of the remaining accounts.  Alternatively, it may be commercially reasonable in some circumstances to confirm that the remaining 5% of entries do not show unusual or suspicious activity, such as concentrations of entries on specific routing numbers or suspicious account number sequencing in a series of entries.

While no account validation system is likely to have a perfect record in identifying invalid accounts, Nacha does not advocate any specific percentage of “unidentifiable” accounts as “commercial reasonable.”  Parties must make that judgment based on their own specific facts and circumstances.

Yes.  A commercially reasonable account validation method, assessed based on the factors described in the Rule and these FAQs, may include instances where a WEB debit entry is initiated even if the attempted account validation resulted in a “no hit.” 

No. As of the effective date, originating WEB debit entries the with first use of new account numbers would not be in compliance with the Rule if the fraudulent transaction detection system does not include an account validation component.  Nacha does not consider a fraudulent transaction detection system that does not include an account validation component as sufficient under the Rule.  Ongoing origination of WEB debit entries using existing account information (from prior to the effective date) would be compliant.