Nacha Operating Rules Updates



Account validation requirement for WEB initiated debits

Effective March 19, 2021 – Enforced March 19, 2022
  • WEB (Internet Initiated ACH Payments) will specifically require an additional "account validation" screening as part of a "commercially reasonable fraudulent transaction detection system."
    • The supplemental requirement would apply to the first use of an account number, and changes to an account number previously used.
    • The requirement is non-specific with regard to the method or technology to validate account information.
  • Customers who create WEB transactions using their own software, or that of a software provider or other vendor, must ensure this validation is in place on or before March 19th, 2021.
  • If your organization originates WEB entries, please act now to ensure you'll have account validation functionality in place before this change becomes effective.
    • Please see NACHA.org for additional information

Data Security Requirements for Non-Financial Originators, Third-Party Service Providers, and Third-Party Senders

Effective June 30, 2021 – Phase 1
  • Initially, this rule change was slated for June 30, 2020 but changed to June 30, 2021.
  • Phase 1: Any Originator, Third-Party Service Provider, or Third-Party Sender that originated 6 million or more ACH transactions in calendar year 2019 will need to be compliant by June 30, 2021.
  • This rule expands the existing ACH Security Framework to explicitly require large, non-financial institution Originators, Third-Party Service Providers, and Third-Party Senders to protect account numbers used in the initiation of ACH entries by rendering them unreadable when stored electronically.
  • The rule aligns with existing language contained in PCI requirements; thus, industry participants are expected to be reasonably familiar with the manner and intent of the requirement.
  • The rule applies only to account numbers collected for or used in ACH transactions and does not apply to the storage of paper authorizations.
  • Please see Nacha.org for additional information

Reversals and Enforcement

Effective March 19, 2021
  • The two Rules will explicitly address improper uses of reversals and improve enforcement capabilities for egregious violations of the Rules.
    • The Reversal Rule will explicitly address improper uses of reversals.
      • It will expand the permissible reasons for a reversal to include a “wrong date” error:
        • 1) the reversal of a debit Entry that was for a date earlier than intended by the Originator, or
        • 2) a credit Entry that was for a date later than intended by the Originator
      • The Rule will establish formatting requirements for reversals, beyond the current standardized use of the Company Entry Description field (“REVERSAL”)
        • The Company ID, SEC Code, and Amount fields of the reversal must be identical to the original entry
        • The contents of other fields may be modified only to the extent necessary to facilitate proper processing of the reversal
        • This is the same approach as the formatting requirements for Reinitiated Entries
      • In addition, the rules will explicitly permit an RDFI to return an improper Reversal
        • R11 for consumer accounts, 60-day return timeframe upon receiving a consumer claim
        • R17 for non-consumer accounts, 2-day return timeframe
        • An RDFI will be permitted to use R17 to return an improper Reversal that it identifies on its own (i.e., not based on a customer contact), 2-day return timeframe
    • The Enforcement Rule will:
      • Define an Egregious Violation as one that:
        • Is a willful or reckless action, and
        • Involves at least 500 Entries, or involves multiple Entries in the aggregate amount of at least $500K
      • Allow the ACH Rules Enforcement Panel to determine whether a violation is egregious, and to classify an Egregious Violation as a Class 2 or 3 Rules Violation
        • The sanction for a Class 3 violation can be up to $500,000 per occurrence and a directive to the ODFI to suspend the Originator or Third-Party Sender
      • Expressly authorize Nacha to report Class 3 Rules violations to the ACH Operators and industry regulators
  • Please see Nacha.org for additional information
    • https://www.nacha.org/rules/reversals-and-enforcement

Data Security Requirements for Non-Financial Originators, Third-Party Service Providers, and Third-Party Senders

Effective June 30, 2022 – Phase 2
  • Initially, this rule change was slated for June 30, 2021 but changed to June 30, 2022.
  • Phase 2: Any Originator, Third-Party Service Provider, or Third-Party Sender that originated 2 million or more ACH transactions in calendar year 2020 will need to be compliant by June 30, 2021.
  • This rule expands the existing ACH Security Framework to explicitly require large, non-financial institution Originators, Third-Party Service Providers, and Third-Party Senders to protect account numbers used in the initiation of ACH entries by rendering them unreadable when stored electronically.
  • The rule aligns with existing language contained in PCI requirements; thus, industry participants are expected to be reasonably familiar with the manner and intent of the requirement.
  • The rule applies only to account numbers collected for or used in ACH transactions and does not apply to the storage of paper authorizations.
  • Please see Nacha.org for additional information
    • https://www.nacha.org/rules/supplementing-data-security-requirements
