As commerce and transactions increasingly shift online, the need for additional regulatory guardrails grows. A new rule from the National Automated Clearing House (Nacha), which enables Automated Clearing House (ACH) payments, requires that account verification now be part of antifraud efforts and initiatives.
Nacha's Web Debit Account Validation Rule went into effect March 19, 2021, and became enforceable on March 19, 2022, which means Nacha can impose fines/penalties for non-compliance.
Nacha requires ACH originators of web debit entries to use a "commercially reasonable fraudulent transaction detection system" to screen web debits for fraud. The new rule supplements that screening requirement, making it explicit that "account validation" must be part of that detection system. Nacha's supplemental requirement applies to the first use of an account number or changes to the account number.
Breaking Down the New Rule
Nacha defines a web debit as a debit that has occurred over the internet or any other unsecured network. The rule applies to any organization of any size in any industry.
Nacha's phrase "commercially reasonable" depends on an organization's specific set of facts and circumstances. The organization using the ACH network should determine what is commercially reasonable for it when choosing solutions to comply with the rule.
Nacha and the Faster Payments Council developed the rule in 2018 to:
The rule was included as part of the "Faster Payments Playbook," created by the Faster Payments Council.
The rule was also created because of the growth in annual ACH volumes, total dollar values and increasing fraud attempts and activity.
Compliance Methods
Several methods are available to comply with the new rule. They can be used in isolation or in combination, depending on the risk tolerance of the organization.
There are several pros and cons with each validation method, which is why many organizations use more than one. Using a combination of methods helps ensure the organization can provide consumers with a smooth experience while also providing higher levels of fraud prevention.
As a best practice, the database, financial institution credentials and micro/trial deposits verification methods could be used in that order as part of a waterfall methodology.
Here's how it would work: If the organization has the user's name, account and routing number, start with the database approach because it is instant and does not require user interaction. If the financial institution is not included in the database or the database response to the query is inconclusive, then waterfall down to the financial institution credentials method of verification.
That method provides a decision in real time but requires more interaction because the end user has to provide financial institution credentials. The financial institution coverage in this method is very high because nearly all banks and credit unions are covered. The method provides the highest level of fraud prevention because it allows an organization to access additional data about the user's account.
If that method fails, use trial deposits as the last option. That takes more time to complete and requires user interaction, but virtually all financial institutions are covered.
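The waterfall described above, as an added sketch that is not from Nacha or any vendor: validation runs on first use of an account number or when it changes, each method is tried in order, and an inconclusive answer or provider error falls through to the next method without ever being treated as valid. The three method functions, the account numbers and the routing number are constructed stand-ins, not real provider APIs.

```python
from enum import Enum
from typing import NamedTuple

class Result(Enum):
    VALID = 1
    INVALID = 2
    INCONCLUSIVE = 3  # also covers "institution not in the database"

class Account(NamedTuple):
    routing: str
    number: str

def waterfall(account, methods):
    """Try each method in order; stop at the first conclusive answer."""
    trail = []
    for label, method in methods:
        try:
            result = method(account)
        except Exception:
            result = Result.INCONCLUSIVE  # provider error: fall through, never assume valid
        trail.append((label, result))
        if result is not Result.INCONCLUSIVE:
            return result, trail
    return Result.INCONCLUSIVE, trail

def screen_web_debit(customer, account, on_file, methods):
    """Validate on first use of an account number or when it changes."""
    if on_file.get(customer) == account:
        return True, []  # already validated and unchanged
    result, trail = waterfall(account, methods)
    if result is Result.VALID:
        on_file[customer] = account  # production: store a token, not the raw number
    return result is Result.VALID, trail  # anything but VALID blocks the debit

# Constructed stand-ins for the three methods; no real provider API is implied.
def database_lookup(a):
    return {"1111": Result.VALID, "9999": Result.INVALID}.get(a.number, Result.INCONCLUSIVE)

def credential_login(a):
    if a.number == "3333":
        raise TimeoutError("provider unavailable")
    return Result.VALID if a.number == "2222" else Result.INCONCLUSIVE

def trial_deposits(a):
    return Result.VALID if a.number == "3333" else Result.INCONCLUSIVE

METHODS = [("database", database_lookup), ("fi_credentials", credential_login),
           ("trial_deposits", trial_deposits)]
```

The returned trail records which method produced the decision, which is the evidence an originator would keep to show that account validation was part of its fraud screening.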
Other factors to consider when choosing account validation methods are:
Stronger Controls and Solutions
By implementing stronger controls and solutions for ACH web debits, organizations can lower their ACH fraud risk for credits and debits while increasing the volume of ACH transactions.
Technology can help financial institutions and businesses comply with Nacha's new mandate. Compliance, verification and risk protection can be automated, and additional account details, such as balances and transactions, can be automatically retrieved.
Think about which option works best and consider use case, cost and account validation needs. Now may be the time to go beyond basic compliance and add further fraud risk mitigation.