New NACHA Requirement Will Make Web Payments More Difficult

By Katie Hawkins and Ryan S. Stinneford, December 29, 2020

New NACHA Account Validation Requirement Will Make It More Difficult for You to Accept Electronic Payments from Your Website.

Back in the 1980s, President Reagan popularized an English translation of the Russian proverb "Doveryai, no proveryai" — trust, but verify. Years later, former Secretary of State John Kerry put a more modern spin on things: "President Reagan’s old adage about ‘trust but verify’ ... is in need of an update. And we have committed here to a standard that says ‘verify and verify.’"

It appears that the good folks at the National Automated Clearing House Association may be following Secretary Kerry’s lead by requiring you to "validate and validate" your customer’s account before initiating ACH debits.

An upcoming change to the NACHA operating rules will impact your business if you allow consumers to authorize you to initiate ACH payments from their deposit accounts via the Internet or a mobile device. Such ACH payments are known under the NACHA rules as "WEB Debit Entries."

Because WEB Debit Entries are susceptible to fraud, the NACHA rules currently require originators (i.e., the payees that initiate such payments with the consumer’s authorization) to establish and implement commercially reasonable:

  • fraudulent transaction detection systems to screen the WEB Debit Entry;
  • methods of authentication to verify the identity of the receiver (the consumer depositor of the consumer deposit account that will be debited) of the WEB Debit Entry; and
  • procedures to verify that the routing number used in the WEB Debit Entry is valid.

NACHA’s new Supplementing Fraud Detection Standards for WEB Debits Rule, effective on March 19, 2021, is intended to reduce fraud by requiring originators to "validate" a consumer account before the first debit from the consumer’s account. The rule change explicitly identifies account validation as a required part of an originator’s "commercially reasonable fraudulent transaction detection system." Therefore, whenever a consumer authorizes an ACH debit from his or her deposit account (either one-time or recurring payments) online or via a mobile device, the payee must validate the consumer’s deposit account. While the NACHA rules do not define "validate," additional Frequently Asked Questions guidance posted to NACHA’s website clarifies the meaning of "validate":

At a minimum, the Originator must use a commercially reasonable means to determine that the account number to be used for the WEB debit is for a valid account — that is, that the account to be used is a legitimate, open account to which ACH entries may be posted at the [consumer’s bank].

The rule change does not require originators to validate that the consumer who authorizes the payment is the owner or an authorized user of the account.

The NACHA FAQs provide the following examples of methods one could use to satisfy the new validation requirement, but each comes with challenges:

  • ACH micro-transaction verification - The payee makes a small deposit (usually just a few pennies) into the consumer’s account, and the consumer confirms the amount deposited. This process can take a couple of days, and anecdotal information indicates that consumers often fail to complete the process.
  • Prenotification entry - Sometimes referred to as a "pre-note," these are non-monetary ACH entries. The payee sends a prenotification entry through the ACH network to verify that the account is valid. If the account is not valid or is not set up to receive ACH entries, the consumer’s bank will respond with that information. Like the micro-transaction process, the prenotification process can take a couple of days, and NACHA rules require you to wait to initiate payment entries until three business days after you send the prenotification entry.
  • Commercially available account validation database service - This method compares account and routing number information to a database of previously validated accounts. NACHA’s Account Validation Resource Center webpage includes a list of third-party vendors that offer this service. While this method is virtually instantaneous, not all consumer accounts will be in the database, and you must pay for the service.
  • Account validation API - This validation method uses an application program interface (API) and a secure digital connection to the consumer’s bank to retrieve the account and routing numbers from the consumer’s online banking interface. While this method is virtually instantaneous, it requires the consumer to share online banking login credentials. Anecdotal information indicates that many consumers are unwilling to share this information due to privacy and information security concerns.

If you haven’t already done so, now is a great time to check in with your payments counsel or your payment processing vendor to confirm that you will have appropriate account validation procedures in place to comply with the rule change by March.

Last modified on Friday, 01 January 2021 13:25