NACHA Rules Updates
2023 NACHA Rules Updates
Effective March 17, 2023: Micro-Entries (Phase 2)
The Micro-Entry Rule defines and standardizes practice and formatting of Micro-Entries, which are used by some ACH Originators as a method of account validation.
In Phase 2 of this Rule, effective March 17, 2023, Originators of Micro-Entries will be required to use commercially-reasonable fraud detection, including the monitoring of Micro-Entry forward and return volumes.
Previously-Published NACHA Rules Updates
Effective September 30, 2022: Third-Party Sender Roles and Responsibilities
The overarching purpose of these Rules is to further clarify the roles and responsibilities of Third-Party Senders (TPS) in the ACH Network by:
The overarching purpose of these Rules is to further clarify the roles and responsibilities of Third-Party Senders (TPS) in the ACH Network by:
- Addressing the existing practice of Nested Third-Party Sender (TPS) relationships, and
- Making explicit and clarifying the requirement that a TPS conduct a Risk Assessment.
The two Rules will become effective September 30, 2022, with a 6-month grace period for certain aspects of each rule.
Effective September 16, 2022: Micro-Entries
This rule will define and standardize practices and formatting of Micro-Entries, which are used by some ACH Originators as a method of account validation. This Rule will:
This rule will define and standardize practices and formatting of Micro-Entries, which are used by some ACH Originators as a method of account validation. This Rule will:
- Define "Micro-Entries" as ACH credits of less than $1 and any offsetting ACH debits, used for the purpose of verifying a Receiver's account.
- Standardize the Company Entry Description and Company Name requirements for Micro-Entries.
- Establish other Micro-Entry origination practices.
- Apply risk management requirements to the origination of Micro-Entries.
This Rule will be come effective in two phases:
- In the first phase, the term Micro-Entry will be defined, and Originators will be required to use the standard Company Entry Description and follow other origination practices. This phase will be effective September 16, 2023.
- In the second phase, Originators of Micro-Entries will be required to use commercially-reasonable fraud detection, including the monitoring of Micro-Entry forward and return volumes. This phase will be effective March 17, 2023.
Effective June 30, 2022: Supplementing Data Security Requirements (Phase 2)
This rule supplements previous ACH Security Framework data protection requirements by explicitly requiring large, non-financial institution (FI) originators, Third-Party Service Providers (TPSPs) and Third-Party Senders (TPSs) to protect deposit account information by rendering it unreadable when it is stored electronically. For more information, see the first phase, effective June 30, 2021, below.
This rule supplements previous ACH Security Framework data protection requirements by explicitly requiring large, non-financial institution (FI) originators, Third-Party Service Providers (TPSPs) and Third-Party Senders (TPSs) to protect deposit account information by rendering it unreadable when it is stored electronically. For more information, see the first phase, effective June 30, 2021, below.
Effective March 18, 2022: Increasing the Same Day ACH Dollar Limit
This rule will continue to expand the capabilities of Same Day ACH, by increasing the Same Day ACH dollar limit to $1 million per payment. This is expected to improve Same Day ACH use cases, and contribute to additional adoption.
This rule will continue to expand the capabilities of Same Day ACH, by increasing the Same Day ACH dollar limit to $1 million per payment. This is expected to improve Same Day ACH use cases, and contribute to additional adoption.
Effective September 17, 2021: Meaningful Modernization
This is a grouping of five Rules changes, which:
This is a grouping of five Rules changes, which:
- Explicitly defined the use of Standing Authorization for consumer ACH debits. Standing Authorization is a new term defined by Nacha as an advance authorization by a consumer of future debits at various intervals. Under a Standing Authorization, future debits can be initiated by some further action of the consumer for a one-time entry that is separate from the recurring entries. A Standing Authorization can be obtained from the consumer either orally or in writing and the one-time entry or entries initiated by the further action are known as “Subsequent Entries.” Individual subsequent ACH entries can be initiated in any manner as identified in the Standing Authorization.
- Defined and allowed for oral authorization of consumer ACH debits beyond telephone calls.
- Clarified and provided greater consistency of ACH authorization standards across payment initiation channels.
- Reduces the administrative burden of providing proof of authorization.
- Better facilitates the use of electronic and oral written statement of Unauthorized Debit
Effective June 30, 2021: Supplementing Data Security Requirements for Large Originators, Third-Party Service Providers (TPSPs) and Third-Party Senders (TPSs
This change to the Rules was intended to enhance quality and improve risk management within the ACH Network by supplementing the existing account information security requirements for large-volume Originators and Third-Parties. Participants are required to protect deposit account information collected for or used in creating ACH transactions by rendering it unreadable when it is stored electronically. This change is being implemented in two phases:
- The rule initially applies to ACH originators, TPSPs and TPSs with ACH volume of 6 million transactions or greater annually. An ACH originator, TPSP or TPS that originated 6 million or more ACH transactions in calendar year 2019 had to be compliant by June 30, 2021.
- The second phase will apply to ACH originators, TPSPs and TPSs with ACH volume of 2 million transactions or greater annually in the 2020 calendar year, and compliance is required by June 30, 2022.
Effective June 30, 2021: Limitation on Warranty Claims
This change to the Rules limited the length of time in which an RDFI is permitted to make a claim against the ODFI's authorization warranty.
This change to the Rules limited the length of time in which an RDFI is permitted to make a claim against the ODFI's authorization warranty.
- For an entry to a non-consumer account, the time limit is one year from the settlement date of the entry. This is similar to the one-year rule in UCC4-406 that applies to checks charged to accounts.
- For an entry to a consumer account, the limit covers two time periods. Two years from the settlement date of the ACH entry. This period exceeds the one-year in the Electronic Funds transfer Act (Regulation E).
Effective June 30, 2021: Reversals
This Rule change addressed improper uses of Reversals and provides for enforcement capabilities in the event of egregious violations of the Rules. The Rule also spells out that beyond the current use of “REVERSAL” in the ACH batch description field, the format of the reversal must be identical to the original entry including the amount. Originators are allowed flexibility to accommodate minor variations in the batch header Company Name field for tracking purposes. The RDFI is permitted to return an improper Reversal using return code R11 for consumer accounts and R17 for non-consumer accounts, and due to “wrong date.”
This Rule change addressed improper uses of Reversals and provides for enforcement capabilities in the event of egregious violations of the Rules. The Rule also spells out that beyond the current use of “REVERSAL” in the ACH batch description field, the format of the reversal must be identical to the original entry including the amount. Originators are allowed flexibility to accommodate minor variations in the batch header Company Name field for tracking purposes. The RDFI is permitted to return an improper Reversal using return code R11 for consumer accounts and R17 for non-consumer accounts, and due to “wrong date.”
Effective March 19, 2021: Supplementing Fraud Detection Standards for WEB Debits
This rule change was implemented to enhance quality and improve risk management within the ACH Network by supplementing the fraud detection standard for Internet-initiated debits (using the WEB standard entry class [SEC] code). ACH originators of WEB debit entries have always been required to use a “commercially-reasonable fraudulent transaction detection system” to screen WEB debits for fraud. The previously-existing screening requirement was supplemented by this change to make it explicit that “account validation” is part of a “commercially-reasonable fraudulent detection system.” The supplemental requirement applies to the first use of an account number or changes to the existing account.
This rule change was implemented to enhance quality and improve risk management within the ACH Network by supplementing the fraud detection standard for Internet-initiated debits (using the WEB standard entry class [SEC] code). ACH originators of WEB debit entries have always been required to use a “commercially-reasonable fraudulent transaction detection system” to screen WEB debits for fraud. The previously-existing screening requirement was supplemented by this change to make it explicit that “account validation” is part of a “commercially-reasonable fraudulent detection system.” The supplemental requirement applies to the first use of an account number or changes to the existing account.
Effective March 19, 2021: Expanding Same Day ACH to Later Deadline
This rule change implemented a new, third Same Day ACH processing window. RDFIs must make funds available for SDA credits in this new SDA processing window no later than the end of their processing day.
This rule change implemented a new, third Same Day ACH processing window. RDFIs must make funds available for SDA credits in this new SDA processing window no later than the end of their processing day.
Effective April 11, 2020: Return Reason Code R11 Differentiates Unauthorized Return Reasons
This Rule was intended to better differentiate unauthorized return reasons. Until this rule went into effect, return reason R10 with the description of “Unauthorized” had been a catch-all for various types of ACH debit returns including those when the originator had made an error. R11, a re-purposed reason code, now has the description of “Customer Advises Entry Not in Accordance with the Terms of the Authorization.” R11 can be used to return an ACH entry when an RDFI receives a claim from their account holder that the ACH entry has an error such as the wrong date or the incorrect amount. R11 has the same 60-day extended return time frame and requirement for a Written Statement as with R10, and the sender of the ACH debit is not required to obtain a new authorization if the error is corrected. R11 returns are covered by the Unauthorized Entry Return Rate reporting requirement as with R10 returns. The Unauthorized Entry Fee for R11 returns took effect on April 1, 2021.
This Rule was intended to better differentiate unauthorized return reasons. Until this rule went into effect, return reason R10 with the description of “Unauthorized” had been a catch-all for various types of ACH debit returns including those when the originator had made an error. R11, a re-purposed reason code, now has the description of “Customer Advises Entry Not in Accordance with the Terms of the Authorization.” R11 can be used to return an ACH entry when an RDFI receives a claim from their account holder that the ACH entry has an error such as the wrong date or the incorrect amount. R11 has the same 60-day extended return time frame and requirement for a Written Statement as with R10, and the sender of the ACH debit is not required to obtain a new authorization if the error is corrected. R11 returns are covered by the Unauthorized Entry Return Rate reporting requirement as with R10 returns. The Unauthorized Entry Fee for R11 returns took effect on April 1, 2021.
Effective March 20, 2020: Same Day ACH per Transaction Limit Increased to $100,000
The per-transaction dollar limit for Same Day ACH transactions increased from $25,000 to $100,000. Both Same Day ACH credits and Same Day ACH debits are eligible for same day processing up to $100,000 per transaction.