BY Trustly

New Nacha Rules and how to comply with them

As we enter into 2021, some Nacha rules are expected to come online that will affect merchants, financial institutions (FIs), and billers. One rule adds a new data security procedure when a merchant/FI/biller keeps its customers’ deposit account information in electronic format. Another rule mandates an account verification step when making an ACH debit payment. We summarize these new rules below.

 

New Security Procedure on Storing Customer Deposit Account Information 

 

  • Action Required: Encrypt customer’s deposit account information
  • Parties Affected: Non-Financial Institution Originators, Third-Party Service Providers (TPSPs), and Third-Party Senders (TPSs)
  • Deadline: June 30, 2021 (Phase I); June 30, 2022 (Phase II)
  • Grace Period: One year from deadline, as long as the non-compliant entity can show it is working in good faith to come into compliance.

 

Nacha data security rules require a customer’s deposit account information to be “rendered unreadable” when stored electronically. In other words, the account information must be encrypted.

This rule was recently amended to explicitly require Non-FI Originators, Third-Party Service Providers, and Third-Party Senders to encrypt the deposit account information. Previously, some of these entities encrypted the account information as a part of their standard data security procedure, but others did not.

There are two phases in implementing this rule:

  • Phase I - Applies to those who process over 6 million transactions annually, based on 2020 transaction records.
  • Phase II - Applies to those who process over 2 million transactions annually, based on 2021 transaction records.

 

New Account Validation Step for WEB ACH Transfers

 

  • Action Required: Validate a customer’s account by using one of three approved methods when the account number is first used or first changed.
  • Parties Affected: Any merchant or biller who uses WEB ACH debit transactions
  • Deadline: March 19, 2021
  • Grace Period: One year from deadline, as long as the non-compliant entity can show it is working in good faith to come into compliance.

  

Currently, any entity that originates an ACH debit transaction over the web must use a “commercially reasonable fraudulent transaction detection system” to screen for fraud. However, Nacha does not require any specific method as long as the account is verified in the end.

This new account validation rule mandates that the account must be validated in one of three ways, whenever the account number is first used or first changed. The approved validation methods are:

  • An ACH prenotification (prenote). This is a notice of $0 that is sent to the new account that will be receiving the funds. There is a 6-day lag time between sending the prenotification and sending the actual amount.
  • ACH micro-transaction verification. This method requires a small amount (usually a few cents) to be sent to the account to be verified. The account holder verifies the amount by contacting the sender and giving the correct amount that was sent to the new account. This method is faster than prenotes but requires the account holder to act, which the account holder might not do.
  • Commercially available validation service. These validation services use pools of data, validation of online banking credentials, or a combination of both to validate account information. Some validation services can also provide prenote or micro-transaction services.

 

Trustly Can Help with Compliance to the New ACH Rules

Trustly is a Nacha Preferred Partner for online banking and account verification services with a special focus on ACH payments. As such, we can help encrypt a customer’s deposit account information. We can also provide merchants and billers with any one of the approved account verification methods soon to be required by the new account validation procedures.

Please feel free to contact us at sales.us@trustly.com for more information on any of our services. We are here to help.
