Nacha Operating Rules Update September 2019 Utility Payments Conference Danita T. Tyrrell AAP, APRP Director, ACH Network Rules
The Nacha Operating Rules Establish the legal foundation for the ACH Network Provides a common set of rules and formats Creates certainty and interoperability Defines roles and responsibilities for Network users
What is an Authorization? “An Originator must obtain authorization from the Receiver to originate one or more entries to the Receiver’s account.” 2019 Nacha Operating Rules, Article Two, Subsection 2.3.1
Consumer Authorizations Readily identifiable Have clear and readily understandable terms Provide that the Receiver may revoke only by notifying the Originator in the manner specified Originator must provide a copy Can be for a single entry or for a stream of recurring entries
Types of Consumer Authorizations Written Notice Oral Similarly Authenticated
Non-Consumer Authorizations Originator and Receiver must have an agreement that binds the Receiver to the Rules No specific agreement format Agreement should contain authorization for ACH transactions, as well as any specific terms and conditions
Obligations of Originators Obtain proper authorization Retain authorization for the correct retention period Ensure transaction information is correct Provide proof of authorization when requested by ODFI
Standard Entry Class (SEC) Codes Three-letter acronym to identify the ACH transaction type Distinguishes key aspects surrounding the initiation of the ACH payment Indicates that certain provisions of the Nacha Operating Rules, risk management practices, and/or legal requirements apply to the transaction
SEC Codes for B2C Transactions PPD: Pre-arranged Payment or Deposit Entry Debit Credit TEL: Telephone Initiated Entry Debit only WEB: Internet/Mobile Initiated Entry Debit only for B2C
SEC Code for C2B Transactions CIE: Customer Initiated Entry Credit only
SEC Codes for B2B Transactions CCD: Corporate Credit or Debit Entry Credit Debit CTX: Corporate Trade Exchange Entry
SEC Code for P2P Transactions WEB: Internet/Mobile Initiated Entry Credit only
Hybrid SEC Codes Can be initiated to consumer or business accounts Are related to check conversion or check truncation ARC: Accounts Receivable Entry BOC: Back Office Conversion Entry POP: Point of Purchase Entry RCK: Re-presented Check Entry
What about Virtual Assistants? Payments can be initiated via Virtual Assistant Mainly B2C debits Voice instruction for payment Which SEC Code should Originators use?
Does TEL Fit? Currently used for voice based authorizations Phone representative VRU TEL definition: A debit entry initiated by an Originator to a Consumer Account of the Receiver based on an oral authorization obtained over the telephone TEL does not fit No telephone involved
Does WEB Fit? WEB definition: A debit entry initiated by an Originator to a Consumer Account of the Receiver based on: an authorization that is communicated, other than by oral communication, from the Receiver to the Originator via the Internet or a Wireless Network; any form of authorization if the Receiver’s instruction for the initiation of the individual debit entry is designed by the Originator to be communicated, other than by an oral communication, to the Originator via a Wireless Network; or a credit entry initiated by or on behalf of the holder of a Consumer Account that is intended for the Consumer Account of a Receiver, regardless of whether the authorization of such entry is communicated via the Internet or Wireless Network
Does WEB Fit? WEB includes debit entries authorized under any form of authorization when the origination instruction is provided to the Originator, other than by oral communication, over a wireless network. Device is not being used as a telephone to initiate the payment Instruction is over the internet or wireless network WEB fits!
New and Upcoming Rules (categories: Same Day ACH; Quality and Risk)
June 21, 2019: R17 for Questionable Transaction
Sept 20, 2019: Faster funds availability
March 20, 2020: Dollar limit increase
April 1, 2020: Differentiating Unauthorized Return Reasons – New R11 becomes effective
June 30, 2020: Account Information Security Requirements (annual ACH volume greater than 6 million)
March 19, 2021: Same Day ACH Third Window; Commercially Reasonable Fraud Detection for WEB debits
April 1, 2021: Differentiating Unauthorized Return Reasons – R11 covered by Unauthorized Entry Fee
June 30, 2021: Account Information Security Requirements (annual ACH volume greater than 2 million)
R17 Return for Questionable Transaction RDFIs will be allowed to use Return Reason Code R17 to return an entry that does not have a valid account number and indicate that the RDFI believes the entry was initiated under questionable circumstances RDFIs using R17 for this purpose will use the description “QUESTIONABLE” in the Addenda Information field of the return An R17 in conjunction with this description will allow these returns to be distinguished from returns for routine account number errors Originators that receive R17 returns should work with their ODFI to explore the reasons the RDFI believed the original entry was problematic beyond an invalid account number Effective Date: June 21, 2019
Commercially Reasonable Fraud Detection for WEB Debits ACH Originators of WEB debit entries are required to use a “commercially reasonable fraudulent transaction detection system” to screen WEB debits for fraud Originators are closest to the Receiver so Originators are in the best position to detect and prevent fraud related to payments they are initiating Some Originators do not have or use any such system to screen WEB debits
Commercially Reasonable Fraud Detection for WEB Debits Originators for WEB debit entries will be required to supplement a “commercially reasonable fraudulent transaction detection system” with account validation Rule applies on a “going-forward” basis to new account numbers obtained for initiating WEB debits Does not apply retroactively to account numbers that have already been used for WEB debits Effective Date extended to allow for additional time, education and guidance to the industry Effective Date: March 19, 2021
Commercially Reasonable Fraud Detection for WEB Debits How can Originators prepare for this new requirement? Examine current process: is it sufficient or are enhancements required? Free Nacha webinars Five Preferred Partners review their account validation offerings Recordings available to anyone via Nacha website Additional Nacha guidance on ways to comply with the Rule
Differentiating Unauthorized Return Reasons Return Reason Code R11 will be re-purposed to be used for a debit in which there is an error, but for which there is an authorization “Customer Advised Entry Not in Accordance with the Terms of the Authorization” 60 day extended return time frame in effect No new authorization required if Originator corrects the error Return Reason Code R10 will continue to be used when a consumer claims to not know the Originator, does not have a relationship with the Originator, or did not give authorization “Customer Advises Originator is Not Known to Receiver and/or is Not Authorized by Receiver to Debit Receiver’s Account” Effective Date: April 1, 2020
Account Information Security Requirements Rule will require large non-financial institution Originators, Third-Party Service Providers and Third-Party Senders to protect account numbers used for ACH entries by rendering them unreadable when stored electronically Aligns with existing language contained in PCI requirements Neutral as to methods/technology: encryption, truncation, tokenization, destruction, data stored/hosted/tokenized by ODFI, etc. Does not apply to the storage of paper authorizations
Account Information Security Requirements Rule will implement in two phases, beginning with the largest Originators, Third-Party Service Providers and Third-Party Senders Those entities with total ACH volume of 6 million transactions annually or greater in 2019 will need to be compliant by June 30, 2020 Those entities with total ACH volume of 2 million transactions annually or greater in 2020 will need to be compliant by June 30, 2021
QUESTIONS? THANK YOU! Danita Tyrrell, AAP, APRP Director, ACH Network Rules dtyrrell@nacha.org