2024 NACHA Rule Changes
Minor rule changes effective on June 21, 2024.
- Definition of WEB Entries – This change clarifies the WEB SEC Code must be used for all consumer-to consumer credits, regardless of how the consumer communicates the payment instructions to the Originating Depository Financial Institution (ODFI) or the Person-to-Person (P2P) service provider.
- Definition of Originator – The definition of Originator will be amended to reference the Originator’s authority to credit or debit a Receiver’s account in instances where a Receiver’s authorization is not required. Examples of this could be Reversing an Entry, Reclamation, and P2P Entries. • Originator Action on Notification of Change (NOC) – This amendment will give Originators discretion on whether to make NOC changes for any single entry, regardless of the SEC Code.
- Data Security Requirements – This revision clarifies that once an Originator who initiates ACH origination exceeds 2 million entries, the Originator must protect account numbers by rendering them unreadable when stored electronically. When an Originator meets the threshold, they are always covered going forward even if they drop below the threshold.
- Use of Prenotification Entries – This amendment clarifies that a pre-note may be used to validate an account prior to initiation of the first entry and to also re-validate an account is open even after previous entries have been sent.
The ACH Risk Management topic changes. These changes are effective on Oct. 1, 2024.
- Codifying Use of Return Reason Code R17 – If a Receiving Depository Financial Institution (RDFI) identifies an ACH entry as fraudulent, Nacha has provided clarification that Return Reason Code R17 may be used to return the item. Use of R17 is optional, at the discretion of the RDFI, and is not required by the Rules. As before, the use of R17 requires the descriptor of “QUESTIONABLE” in the return addenda record.
- Expanded Use of ODFI Request for Return – Return Reason Code R06 has been expanded. Currently R06 is used when an ODFI requests the RDFI return a defined Erroneous Entry or credit entry that was originated without the authorization of the Originator. The use of R06 will be expanded to allow an ODFI to request a return from the RDFI for any reason. The ODFI will still indemnify the RDFI for compliance with the request, and the RDFI’s compliance remains optional at the RDFI’s discretion. The RDFI will, however, be required to respond to the ODFI, regardless of whether the RDFI complies with the request to return the entry. The RDFI must advise the ODFI of its decision within 10 banking days of receipt of the ODFI’s request.
- Additional Funds Availability Exceptions – Currently an RDFI is provided with an exemption from the funds availability requirement if the RDFI reasonably suspects the credit entry was unauthorized. This exemption covers cases of account takeovers where a party that is not the Originator is able to initiate an ACH credit from the Originator’s account. The Additional Funds Availability Exceptions will provide RDFIs with additional exemptions from the funds availability requirements to include credit ACH entries the RDFI suspects are originated under False Pretenses, a new defined term in the Nacha rules discussed below. RDFIs are still subject to the requirements under Regulation CC and a RDFI cannot delay funds availability because it has not monitored an ACH credit. The RDFI can delay funds availability if its fraud detection processes and procedures identify a red flag. There is no intention by the Rule to otherwise alter an RDFI’s obligation to promptly make funds available as required by the Rule. The Rule is designed to provide an additional tool to manage potentially questionable or suspicious transactions that fall under the “authorized fraud” category. The Rule will provide additional time to communicate before funds availability is required.
- Timing of Written Statement of Unauthorized Debit (WSUD) – This amendment will allow the RDFI to accept a signed WSUD prior to the date of settlement. Due to digital notifications and alerts, Receivers often are aware of an unauthorized entry prior to actual settlement of the entry. The amended timing of the WSUD will allow the Receiver to sign and date the WSUD on or after the date on which the entry is presented to the Receiver, even if the debit has not yet been posted to the account. The Rule will continue to require information about the incoming debit to be included on the signed WSUD as before.
Many of these changes will help with detecting and returning fraudulent entries. Nacha is working to strengthen the ability of the ACH Network to detect and reduce the incidence of successful fraud attempts and to improve the recovery of funds if fraud has occurred. The final changes discussed in the amendment are to further help with fraud detection and will take more time to implement into systems.
Implementation date for these next changes is March 20, 2026.
- Fraud Monitoring by Originators, Third-Party Service Providers/Third-Party Senders and ODFIs – The Rules currently require Originators to use “commercially reasonable” fraud transaction detection systems to screen WEB debits and when using Micro-Entries. These requirements do not encompass other transaction types, and do not currently apply to other types of debits or to any credits other than MicroEntries. This Rule will require each non-consumer Originator, ODFI, Third-Party Service Provider and Third-Party Sender to establish and implement riskbased processes and procedures reasonably intended to identify ACH entries initiated due to fraud. Each of these parties will need to review, at least annually, their processes and procedures and make appropriate updates to address evolving risks. The objective of the Rule is to reduce the amount of successful fraud attempts through regular fraud detection monitoring. The Rule also includes a reference to a new defined term, “False Pretense.” This term covers common fraud scenarios such as Business Email Compromise, vendor impersonation, payroll impersonation, and other payee impersonations.
- RDFI ACH Credit Monitoring – This amendment will require RDFIs to establish and implement risk-based processes and procedures reasonably intended to identify credit ACH entries initiated due to fraud. RDFIs will need to review, at least annually, their processes and procedures and make updates as needed to address evolving risks. The Rule’s goal is to reduce the incidence of successful fraud and better enable the recovery of funds when fraud has occurred. The Rule aligns with obligations to monitor for suspicious transactions. A risk-based approach to monitoring can consider factors such as transactional velocity, anomalies, and account characteristics, which are all part of anti-money laundering practices in place today. 8 | DISCLOSURE JUNE 2024 HIGHLIGHTS The Rule encourages communication between compliance monitoring and operations, product management and relationship staff. This Rule also includes a reference to the new defined term, False Pretense. The Rule goes in effect in two phases: on March 20, 2026, the Rule will apply to RDFIs with an annual ACH receipt volume exceeding 10 million entries in 2023, and on June 19, 2026, the Rule will apply to all other RDFIs.
- Standard Company Entry Descriptions – Payroll and Purchase – The Rule creates two new Company Entry Descriptions: PAYROLL and PURCHASE. PURCHASE will be used for e-commerce purchases which are debit entries authorized by a consumer Receiver for the online purchase of goods. PAYROLL must be used for ACH credits bearing the PPD Standard Entry Class Code for payment of wages, salaries and other similar types of compensation. The effective date of this Rule is March 20, 2026; however, Originators may begin using the new descriptions as soon as practical, but no later than March 20, 2026