New ACH Meaningful Modernization Rules

New ACH Rules

The continuous developments in technology have ultimately led to self-driving cars, virtual assistants like Alexa and Siri, 3-D printers and so much more. Technology is essentially simplifying the world we live in, which was the purpose behind Nacha’s ACH Meaningful Modernization Rules that went into effect on September 17, 2021.

However, the term “rules” may not be the best way to describe ACH Meaningful Modernization because these changes are optional to your credit union. Your credit union could implement some of the changes, or none of the changes. Your credit union also has the option to implement the changes but do so slowly.

Nevertheless, Nacha’s intentions were to modernize some of the rules surrounding the authorization of ACH transactions. It’s intended to recognize operating situations, the technology around us and the burdens that the previous rules placed on administrators.

While temporary rules went into effect due to the pandemic, Nacha has taken a further look to see what they could do to simplify the user experience. The objective was to improve member experience regarding their interaction with financial institutions while also moving away from paper dependencies. These five new rules were designed to improve and simplify the ACH user experience. These rules include Standing Authorization, Oral Authorization, Other Authorization Proposals, Alternative to Proof of Authorization and Written Statement of Unauthorized Debit (WSUD) via electronic or oral methods.

Here is a breakdown of what these rules are and how they impact your credit union:

Standing Authorization

This new rule is intended to define a “standing authorization.” Previously, ACH authorizations only addressed single entries or recurring entries that occurred at regular intervals. However, the new rule states that a standing authorization is “an advance authorization by a consumer for future debits that will occur at various intervals.” This means that consumers can initiate debits in the future through an additional action, which is different from recurring entries that occur at regular intervals and do not require any additional action. Standing authorization can be acquired orally or in writing, and payments initiated based on a standing authorization will be referred to as subsequent entries. Standing authorization must identify the action the consumer must take to initiate subsequent entries.

An originator may initiate subsequent entries using additional standard entry class (SEC) codes (WEB or TEL) specific to the action taken by the consumer to initiate the entry. The risk management and security requirements associated with the TEL or WEB codes would need to continue to be met even though the originator would not be required to meet the authorization requirements for these codes. For example, if the first entry is requested via an online or mobile method, then the account validation for WEB debits would be required.

Proof of authorization for entries initiated under a standing authorization must include a copy of the standing authorization and evidence of the action taken to initiate each subsequent entry. The originator must retain a copy of each standing authorization for two years following the termination or revocation of the standing authorization, as well as proof that each entry was initiated by the receiver for two years following the settlement date of the entry. Both the proof and the copy may be stored electronically; however, credit unions must be able to produce it, if requested.

Originating Depository Financial Institutions (ODFIs) and originators may choose to implement the standing authorization and subsequent entries, but they are not required to.

Oral Authorization

Previously, oral authorizations were only recognized with the use of a TEL entry, which was the only payment type that had requirements and addressed specific oral authorization risks, but the TEL code is restricted to a telephone call. The new rule expands and validates the use of oral authorizations as a method for consumer debits when the oral authorization is not received via a telephone call. With newer voice-related technology, such as Alexa, Siri, Zoom, Facetime and Skype, these channels make use of verbal exchanges. While these channels would technically be considered a WEB entry, WEB entries do not cover verbal exchanges. Therefore, this rule clarifies the use of SEC codes and risk management requirements related to oral authorizations.

While ODFIs and Originators may choose whether they would like to implement the expanded applicability of oral authorizations, if they choose to do so, they may need to store larger numbers of oral authorizations. Consumer debits orally authorized through internet channels, such as virtual assistants, Skype, FaceTime or other similar technology, should be identified as a WEB debit entry. It’s important to note that account validation is required for all first time use of an account for WEB debit entries.

Proof of Authorization for an oral authorization must include the original or duplicate audio recording or a copy of the written notice. For single entries, proof must be retained for two years from the date of the authorization. For recurring entries and standing authorizations, proof must be retained for two years from the termination or revocation of the authorization.

Other Authorization Proposals

The purpose of the Other Authorization Proposals, along with the Standing Authorization and the expanded applicability of Oral Authorization, is to provide clarity, flexibility and consistency to the general authorization rules by modifying and re-organizing the rules. This rule only applies to new authorizations, not existing authorizations.

The clarity component of this rule rearranges the general authorization rules to include standing and oral authorizations. It also defines “recurring entry” in a way that complements both the single-entry definition and the newly defined subsequent entry. The flexibility component of this rule states that authorization for a non-consumer ACH debit can be made by any method that is allowed by law or regulations. The consistency component applies the principles of “readily identifiable” and “clear and readily understandable” to authorizations. Members should understand what they are authorizing when they are authorizing a payment. This component also defines the minimum required information that a new consumer debit authorization should contain.

This includes:

  • Language regarding whether the authorization is for a single entry, multiple entries or recurring entries
  • The amount, or the method of determining the amount
  • The timing, number and/or frequency of the entries, including the start date
  • The Receiver’s name or identity
  • The account to be debited
  • The date of the Receiver’s authorization
  • Instructions to the Receiver for the revocation of the authorization

Alternative to Proof of Authorization

An ODFI is permitted to accept the return of an ACH transaction instead of providing proof of authorization through the Alternative to Proof of Authorization rule. Once the Receiving Depository Financial Institution (RDFI) requests a proof of authorization for a debit, the ODFI will have ten banking days to either provide the proof of authorization or agree to accept the return. Upon the ODFI’s agreement to accept the return, the RDFI will have ten banking days to complete the return. The return should be completed using the R06 return reason code. If the ODFI agrees to accept the return but the RDFI still requests proof of authorization, the ODFI must still comply and provide the proof within ten additional banking days of the RDFI’s subsequent request.

Written Statement of Unauthorized Debit (WSUD) via Electronic or Oral Methods

The Written Statement of Unauthorized Debit (WSUD) via electronic or oral methods rule explains and explicitly states that an RDFI is permitted to acquire a consumer’s WSUD through electronic or oral methods. A consumer is permitted to sign a WSUD with an electronic signature online or through a mobile app. Any methods or formats that are acceptable for acquiring a consumer debit authorization are also acceptable for acquiring a consumer’s WSUD. The previous rules did not forbid these methods for obtaining a WSUD; however, there were misunderstandings regarding the rules. The RDFI may need to incorporate new procedures and technologies to accommodate this new rule. RDFIs must be able to provide or accurately reproduce the WSUD, upon request.

With these new rules, Nacha’s intentions were to improve and simplify the ACH user experience, while also considering the effect modern technology has on financial institutions. These rules not only allow for, but even encourage the implementation of newly created technologies and channels for authorization and initiation of ACH payments. They reduce ACH usage obstacles while clarifying and improving consistency around certain ACH authorization practices. They also reduce specific administrative burdens associated with ACH transactions. And while these rules are not required, they’re definitely worth considering.

Jessica Lelii is the product manager of EFT for Vizo Financial. In this role, she is responsible for the delivery and implementation of EFT services - including ACH audits, ACH contingency, ACH Receipt & Returns, ACH Originations, ACH settlement and domestic and international wires - for credit unions. Ms. Lelii is an Accredited ACH Professional (AAP).