NACHA Rules on Internet ACH Debits
by Mary Beth Guard
An amendment to the NACHA operating rules, which took effect March 16, 2001, is designed to enhance security for ACH debits initiated through the Internet. Internet-originated ACH debits are thought to pose special risks due to the anonymity of the medium. The amendments increase the warranties that accompany the transmission of certain Internet-initiated ACH entries by an originating depository financial institution (ODFI) to a receiver's account with a receiving depository financial institution (RDFI).
- A debit entry initiated pursuant to an authorization obtained through the Internet to effect a transfer of funds from a consumer account will need to bear a unique new Standard Entry Class (SEC) Code, WEB;
- WEB entries must be further identified as either recurring entries or nonrecurring entries; RDFIs are permitted, but not required, to identify Internet-initiated entries for appropriate treatment;
- Originators of WEB entries (e.g., merchant customers of banks) are required to do several things:
  - Employ commercially reasonable fraudulent-transaction detection systems to screen the entries in order to minimize the risk of fraud related to Internet-initiated payments. For example, they must use a commercially reasonable security technology providing a level of security that, at a minimum, is equivalent to 128-bit encryption technology.
  - Use commercially reasonable procedures to verify that routing numbers are valid.
  - Establish a secure Internet session with each receiver prior to the key entry by the receiver of any banking information.
  - Conduct an annual audit to ensure that the financial information obtained from receivers is protected by security practices and procedures that include, at a minimum, adequate levels of (1) physical security to protect against theft, tampering, or damage; (2) personnel and access controls to protect against unauthorized access and use; and (3) network security to ensure capture, storage, and distribution of financial information. The first audit must be completed by December 31, 2001!
- ODFIs are required to:
  - Ensure that originators are in compliance with the above requirements on a continuing basis. Under the amendment, ODFIs that transmit WEB entries warrant that originators have conformed to those new requirements.
  - Conform with an additional warranty, in the case of a WEB entry initiated by an originator that is not a natural person, that the ODFI has:
    - Used a commercially reasonable method to establish the identity of the originator;
    - Established procedures to monitor the creditworthiness of the originator on an ongoing basis;
    - Established an exposure limit for the originator and implemented procedures to review that exposure limit periodically;
    - Implemented procedures to monitor entries initiated by the originator relative to its exposure limit across multiple settlement dates.
Originally appeared in the Oklahoma Bankers Association Compliance Informer.
First published on BankersOnline.com 6/18/01