2024 ACH Rule Changes and Updates

Last year was a quiet year for rule changes and updates, and Nacha took additional time this year to review comments and feedback submitted for the proposed rules for 2024. Nevertheless, last month Nacha approved several rules and amendments to the rules for this year, and a good portion of these rules will be implemented in phases over the next couple of years. Now, before I delve into the new rules, let’s take a quick peek at what happened in 2023.

Past Rules

Many of you know that the first phase of the micro-entries-related rule updates took effect in 2022. Phase one defined micro-entries as ACH credits of less than a dollar that offset ACH debits that are used for the purpose of verifying a receiver’s account. In 2023, the second phase of this rule was implemented, which was the only rule change we saw in 2023, and it took effect on March 17, 2023.

This phase required the standardization of the company entry description for micro-entries to be entered as “ACCTVERIFY.” In addition to standardizing the company entry description, this rule further standardized the utilization and formatting of micro-entries for account validation for ACH entries. This rule update also implemented the requirements for originators of micro-entries to utilize commercially reasonable fraud detection.

While Nacha doesn’t define “commercially reasonable fraud detection,” most of us can agree that at the most basic level, it means your fraud detection processes should align with industry standards. In order to determine your industry standards, you should look at other financial institutions, similar to your own, and ask yourself:

  • What are other, similar financial institutions doing?
  • What do their processes look like?
  • Are there vast differences in approach and implementation of their processes compared to ours?

These questions can help you figure out what “commercially reasonable fraud detection” looks like for your credit union. Fraud detection monitoring for micro-entries involves, at minimum, tracking forward and return volumes to establish a baseline of normal activity, so that anomalies can be identified and flagged as alerts. It’s important that we know about these anomalies as soon as possible, because the sooner we are alerted to them, the quicker we can address activity outside of the baseline.
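One way to build the baseline described above, as an added example that is not from the original article or from Nacha: a trailing window of normal days sets the expected forward volume and return rate for ACCTVERIFY micro-entries, and a day is flagged when either rises well above it. The daily counts, the seven-day window and the three-standard-deviation limit are constructed assumptions.

```python
from statistics import mean, pstdev

# Constructed sample: (day, ACCTVERIFY micro-entries originated, returns received).
DAILY = [
    ("2024-03-01", 102, 3), ("2024-03-02", 98, 2), ("2024-03-03", 110, 4),
    ("2024-03-04", 95, 3), ("2024-03-05", 105, 2), ("2024-03-06", 100, 3),
    ("2024-03-07", 99, 3),
    ("2024-03-08", 104, 21),   # return spike
    ("2024-03-09", 410, 5),    # forward volume spike
    ("2024-03-10", 101, 3),
]

WINDOW = 7       # assumption: number of normal days that form the baseline
Z_LIMIT = 3.0    # assumption: alert above 3 standard deviations

def z_above(value, history, floor):
    """Standard deviations by which value exceeds the baseline mean."""
    sigma = max(pstdev(history), floor)  # floor avoids alerts on near-flat history
    return (value - mean(history)) / sigma

def find_anomalies(daily, window=WINDOW, z_limit=Z_LIMIT):
    normal = []   # (forward, return_rate) for days accepted into the baseline
    alerts = []
    for day, forward, returns in daily:
        rate = returns / forward if forward else 0.0
        if len(normal) >= window:
            recent = normal[-window:]
            reasons = []
            # Only upward deviations are flagged in this sketch.
            if z_above(forward, [f for f, _ in recent], floor=1.0) > z_limit:
                reasons.append("forward_volume")
            if z_above(rate, [r for _, r in recent], floor=0.005) > z_limit:
                reasons.append("return_rate")
            if reasons:
                alerts.append((day, reasons))
                continue  # keep anomalous days out of the baseline
        normal.append((forward, rate))
    return alerts

if __name__ == "__main__":
    for day, reasons in find_anomalies(DAILY):
        print(day, ", ".join(reasons))
```

Flagged days are left out of the baseline so that a burst of abnormal activity does not become the new normal.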

In addition to the micro-entries rule, Nacha also released the 2023 Risk Management Framework, which was intended to address the emerging role of fraud as it relates to credit-push payments. If you’d like more information about this framework, I encourage you to read an article I wrote about it, Nacha’s New Risk Management Framework: A Swift Response to Credit-Push Fraud.

That wraps up the past, so now let’s head to the present.

New Rules

Before we dive in, I’d like to preface this by saying most of the rules were created with the intention to work in conjunction with one another. In addition, these rules also address issues within the Risk Management Framework document. In several amendments/rules, Nacha references entries that have been “authorized under false pretenses,” and it defines false pretenses as “the inducement of a payment by a person misrepresenting that person’s identity, that person’s association with or authority to act on behalf of another person or the ownership of an account to be credited.”

This phrase was defined in such a way that it covers “business email compromise (BEC), vendor impersonation, payroll impersonation and other payee impersonations, and complements language on ‘unauthorized credits’ (account takeover).” However, Nacha specifically states that this definition does not apply to scams that include goods or services that were fake, never existed or were of poor quality.

Now that we’ve looked at past rules, let’s look at the new rules and updates.

In order to combat credit-push fraud transactions, Nacha made amendments to the 2024 ACH Risk Management Rules. These amendments serve as “barriers” to detect fraudulent activity at different points throughout the transaction, starting with origination and ending at receipt.

There are several rule changes and updates, all of which address either credit or debit risks. To try and keep this simple, I’ll break this up into two sections, starting with credit risks.

ACH Credit Risk Rule Changes:

Fraud Monitoring by Originators, Third-Party Service Providers (TPSPs) and ODFIs

Nacha is taking a phased approach to this rule, which requires all non-consumer originators, Originating Depository Financial Institutions (ODFIs), third-party service providers (TPSPs) and third-party senders (TPS) to establish and implement risk-based processes and procedures to identify unauthorized ACH entries that are initiated due to fraud or ACH entries that were authorized under false pretenses. The first phase will be implemented on March 20, 2026 and will include ODFIs with annual ACH origination volume of six million or greater in 2023.

According to Nacha, “the current rule requires originators to use a commercially reasonable fraud detection system to monitor WEB debits and when using micro-entries.” The intention of this current rule was to reduce unauthorized debits initiated online, which we know, based on today’s environment, has increased in volume and occurrence. We also know that the current rule does not apply to other SEC codes, but all participants are encouraged to implement systems to prevent and detect fraudulent activity.

Phase two of this approach will be fraud monitoring of all other non-consumer Originators, TPSPs and TPS; according to Nacha, this phase will be implemented on June 19, 2026, and will include all other ODFIs.

RDFI ACH Credit Monitoring

Previous rules required ODFIs to monitor ACH debits, but they did not require Receiving Depository Financial Institutions (RDFIs) to monitor ACH credits. The RDFI credit monitoring rule will now require RDFIs to implement fraud monitoring for ACH credit transactions. The purpose of this rule is to assist with the identification of unauthorized credit entries that originated due to fraud or credit entries that were authorized under false pretenses. This rule also aims to reduce the rate of successful fraud, as well as to increase the recovery of funds in cases of fraud.

RDFIs are positioned to have the best viewpoint on incoming ACH transactions and historical account activity for receiver accounts, which in turn, allows RDFIs to better monitor for suspicious or anomalous incoming activity when it comes to ACH transactions. There are a number of risk-based factors that can and should be considered for ACH credit monitoring. These could include:

  • Transaction volume and velocity
  • Account history (balances, history of activity, age of account, etc.)
  • Exemptions or exceptions for anomalous activity.

Some of these factors are already being taken into consideration by Nacha, but you want to make sure that your credit union is taking some of these into consideration as well.
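The risk factors listed above can be combined into a per-credit check, shown here as an added example that is not from the original article or from Nacha. The `Account` record, the reason names, the company identifiers and every threshold are assumptions for illustration.

```python
from dataclasses import dataclass, field
from datetime import date

# All thresholds are illustrative assumptions, not values from the Nacha rules.
NEW_ACCOUNT_DAYS = 30                    # account age below this is "new"
VELOCITY_DAYS, VELOCITY_MAX = 7, 5       # max credits per rolling 7 days
AMOUNT_MULTIPLE = 10                     # credit vs. largest prior credit/balance

@dataclass
class Account:
    opened: date
    avg_balance: float
    past_credits: list = field(default_factory=list)  # (date, company_id, amount)
    exempt_companies: frozenset = frozenset()         # documented exceptions

def review_reasons(acct, today, company_id, amount):
    """Return the risk factors an incoming ACH credit trips for this account."""
    if company_id in acct.exempt_companies:
        return []
    reasons = []
    if (today - acct.opened).days < NEW_ACCOUNT_DAYS:
        reasons.append("new_account")
    recent = [c for c in acct.past_credits if (today - c[0]).days < VELOCITY_DAYS]
    if len(recent) + 1 > VELOCITY_MAX:   # +1 counts the credit being evaluated
        reasons.append("velocity")
    if company_id not in {c[1] for c in acct.past_credits}:
        reasons.append("first_time_originator")
    largest = max((c[2] for c in acct.past_credits), default=0.0)
    if amount > AMOUNT_MULTIPLE * max(largest, acct.avg_balance, 1.0):
        reasons.append("amount_out_of_pattern")
    return reasons

# Constructed sample accounts.
TODAY = date(2024, 6, 1)
NEW_ACCT = Account(
    opened=date(2024, 5, 20), avg_balance=40.0,
    past_credits=[(date(2024, 5, d), f"CO-{d}", 900.0) for d in range(27, 32)],
)
OLD_ACCT = Account(
    opened=date(2019, 3, 4), avg_balance=1800.0,
    past_credits=[(date(2024, 5, 3), "CO-PAY", 2150.0),
                  (date(2024, 5, 17), "CO-PAY", 2150.0)],
    exempt_companies=frozenset({"CO-TAX"}),
)

if __name__ == "__main__":
    print(review_reasons(NEW_ACCT, TODAY, "CO-NEW", 4800.0))
    print(review_reasons(OLD_ACCT, TODAY, "CO-PAY", 2100.0))
    print(review_reasons(OLD_ACCT, TODAY, "CO-TAX", 60000.0))
```

An empty list means the credit fits the account's pattern; how many reasons trigger a hold or manual review is a policy decision for the institution.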

This rule will also be a phased approach, with the first phase to be implemented on March 20, 2026, and the second phase to be implemented on June 19, 2026. The first phase will include all RDFIs with an annual ACH receipt volume of 10 million or greater in 2023. The second phase will include all other RDFIs.

Codifying Expanded Use of Return Reason Code R17

The Codifying Expanded Use of Return Reason Code R17 rule will be implemented on October 1, 2024. This rule allows RDFIs to use return reason code R17 to return an ACH entry that the RDFI believes to be fraudulent. Use of the code by an RDFI is optional and will not be a requirement. If an RDFI does use this return code, it is required to utilize the description field, similar to how it is today, with “QUESTIONABLE” in the return addenda record for the return entry.

In other words, this flags the transaction so that the ODFI is made aware that the item is coming back because it may be fraudulent. The intention of this rule is to improve the recovery of funds originated due to fraud. Based on this proposed rule, the RDFI would be able to return the entry itself.

Expanded Use of ODFI Request for Return Code R06

The Expanded Use of ODFI Request for Return (R06 return code) rule, which will go into effect on October 1, 2024, would allow ODFIs to request the return of funds for any reason. Of course, with these types of requests, the RDFI’s compliance would be completely optional. The ODFI would still indemnify the RDFI as well for those items. As an RDFI, just because you receive a request for return from an ODFI or you’re asked to return an item by an ODFI does not mean that you’re obligated to do so. As a result of this rule, the best practice and only obligation that the RDFI would have would be to respond to the request for return of funds and let the ODFI know whether or not the funds will be returned. The RDFI will be required to advise the ODFI of what their determination is or what the status is of the request for return within 10 banking days from receiving the request for return. The intention of this rule is to increase the recovery of funds in cases where fraud has occurred.

Additional Exemption to Funds Availability Requirements for RDFIs

As the name suggests, the Additional Exemption to Funds Availability Requirements rule would provide RDFIs with an additional exemption from funds availability requirements. This additional exemption covers credit entries originated under false pretenses, like in fraud scenarios.

This rule, which goes into effect on October 1, 2024, does not take away from an RDFI’s obligation to promptly make funds available per Nacha’s Operating Rules and Guidelines. In addition, the RDFI would still be subject to Regulation CC requirements for funds availability. Similar to the other rules we’ve covered, the intention of this rule is to increase recovery of funds in cases where fraud has occurred.

Standard Company Entry Descriptions – PAYROLL and PURCHASE

The standard company entry descriptions rule for both PPD credits and e-commerce purchases will go into effect March 20, 2026; however, originators can start using these descriptions before the March 20 deadline. The purpose of this rule is to standardize company entry descriptions for both payroll and purchases.

For payroll, this applies to the PPD credits that are initiated for things like wages, salaries and/or other types of compensation. The company entry description field for PPD credits must contain “PAYROLL.” This makes the transaction for PPD credits more easily identifiable when you’re looking for these types of transactions at your credit union, which could enhance your reporting capabilities.

In addition, this rule could also assist in reducing incidences of fraudulent payroll redirections. For example, if you have a business member who does payroll, you can see where the payroll is coming from, and if anyone tries to redirect it or change it, it’ll raise red flags for you to take a closer look at it. This portion of the rule also contains language to address and disclaim any assumptions made regarding the actual employment status of the receiver of the funds and would in no way create an obligation for the ODFI to police the Originator’s proper usage of this description in ACH entries.

The other half of this rule, the half that focuses on e-commerce, would establish a new standard company entry for e-commerce purchases, or in other words, debits for online purchases of goods. Many of you likely know that this would include WEB debits and entries with standing authorization for PPD and/or TEL debits. According to this rule, the company entry description field must include “PURCHASE.” Once again, this makes the transaction for e-commerce purchases more easily identifiable when you’re looking for these types of transactions at your credit union, which could enhance your reporting capabilities.

In addition, this rule includes language to address or disclaim any obligations for the ODFI to police the Originator’s proper usage of this description in their ACH entries. Also, the ODFI doesn’t have an obligation to verify the accuracy of the Originator using “PURCHASE” in the description field.

Now that we’ve covered ACH credit risk rule changes, we’ll move on to the ACH debit risk rule changes.

ACH Debit Risk Rule Changes:

Timing of Written Statement of Unauthorized Debit

This rule allows for a written statement of unauthorized debit to be signed and dated for an entry that has been posted to a receiver’s account or for an entry where a receiver, or credit union member, has been notified that the item is pending but has not yet been posted. This new rule, which goes into effect on October 1, 2024, removes the timing requirement of the Settlement Date of the Entry rule and works to mitigate harm to the receiver by having an unauthorized payment post to their account. The purpose behind this rule was to improve the current process regarding Written Statements of Unauthorized Debits; however, the current requirement still remains intact.

RDFI Must Promptly Return Unauthorized Debit

This amendment, which goes into effect on October 1, 2024, requires RDFIs to promptly initiate a return by the opening of the sixth business day following a review of a written statement of unauthorized debit. The intention of this rule is to improve the recovery of funds due to fraud. When an RDFI acts promptly on a return of funds, this can limit the exposure risk of fraud for the Originator and ODFI, as well as allow for additional time to act.

This rule also reduces future incidents of fraud because it raises a red flag as soon as possible that something is amiss with the transaction. These red flags can only be raised if the RDFI promptly returns the unauthorized debit.

If an ODFI believes that a credit-push payment transaction is fraudulent, they can request a return for any reason. As long as it’s within the requirements of Regulation CC, the RDFI can delay the funds until they have the ability to determine if they perceive the transaction to be fraudulent. An RDFI can also return this transaction without having to wait for a member’s claim, request or reversal.

That wraps it up for ACH rule changes and updates this year. I’ve covered a lot in this article, but I hope you’ll keep this information handy throughout the year to remind yourself of the upcoming rule changes and updates. As always, Vizo Financial and MY CU Services are here to help. If you have any questions, feel free to reach out to us. Your success is our priority.

Andi Crockett is the product manager of EFT at Vizo Financial. Her role involves developing and implementing EFT services — including ACH for Business, ACH Contingency, ACH Receipt and Returns, ACH Originations, ACH Settlement, Domestic and International Wires and Foreign Check Collection — for credit unions. She also participates in planning efforts for business development, works with members and clients to manage implementation expectations and manages relationships with vendors. Andi is also an active member of the Diversity, Equity and Inclusion (DEI) Champions team at Vizo Financial.