Are You in Compliance with the Upcoming Nacha Rule Change?
If you accept web payments, you may be required to comply with the new Nacha rule change, which goes into effect on March 19, 2021. The rule change primarily affects the requirement to complete account validation for new or changed accounts before completing debit account transactions. It also implements an annual audit requirement relating to the originator's security practices.
The supplemental requirement of the Nacha rules, Article Two (Rights and Responsibilities of ODFIs, Their Originators, and Third-Party Senders), Subsection 220.127.116.11, applies to the initial use of an account number as well as any subsequent changes to an account number, when used for WEB debit account transactions. At a minimum, an originator must use a “commercially reasonable” method to validate an account and determine that the account is a legitimate account. This rule change applies on a “going-forward” basis and does not apply retroactively to account numbers that have already been set up.
The concept of “commercial reasonableness” is based on the individual situation for each originator. Originators, in conjunction with others (lawyers, consultants, etc.), will need to determine which method is suitable and meets the “commercially reasonable” standard for compliance.
Nacha provides guidance and examples of methods that could be used for account validation. Some of these examples include the use of:
- Prenotification entry;
- ACH micro-transaction verification;
- A commercially available validation service provided by either an ODFI or a third party; or
- Account validation capabilities or services enabled by APIs.
As noted above, the rule change puts into place an annual audit requirement. Subsection 18.104.22.168 requires that, on an annual basis, an originator must conduct, or have conducted on its behalf, an audit focusing on the security practices the originator uses to protect financial information obtained from receivers. Areas to be audited include physical security, access controls, and network security.
If you have any questions on this rule change or if you need assistance with the annual audit requirement, please reach out to Emily Antonico or your BNN advisor at 800.244.7444.
Disclaimer of Liability: This publication is intended to provide general information to our clients and friends. It does not constitute accounting, tax, investment, or legal advice; nor is it intended to convey a thorough treatment of the subject matter.