On the surface, 2023 may seem like a pretty relaxed year ahead in terms of updates to the ACH Rules. However, in addition to the Rule change coming next month, there are a handful of previously passed Rules that are taking effect, have grace periods ending or will finally be enforced after the COVID-19 pandemic caused a delay.

Phase 2 of the Micro-Entries Rule

Beginning with the Rules change, Phase 2 of the Micro-Entries Rule (soon to be Subsection 2.7.5 of the ACH Rules) takes effect on March 17, 2023.  Phase 1 of the Rule, which took effect on September 16th, 2022, defined Micro-Entries officially as “ACH Credits less than $1 and any offsetting ACH Debits, used for the purpose of verifying a Receiver’s account” sent by ACH Originators. These are used to send unique offsetting entries that a Receiver can easily see on their account and report back to the Originator for validation. Phase 2, however, implements a new rule that states “an Originator of Micro-Entries must conduct commercially reasonable fraud detection on its use of Micro-Entries, including by monitoring the forward and return volumes of Micro-Entries.” Furthermore, the detection and reporting are intended to minimize the incidence of fraud schemes that make use of Micro-Entries, establish a baseline of activity and should be monitoring volumes instead of entry-to-entry reviews.

Third-Party Sender Roles and Responsibilities

As of September 30, 2022, Nacha has implemented revised rules relating to Third-Party Sender Roles and Responsibilities, which:

  • Address the existing practice of Nested Third-Party Senders,
  • Officially defines a Nested Third-Party Sender (“Third-Party Sender that has an agreement with another Third-Party Sender to act on behalf of an Originator but does not have a direct relationship with the ODFI”)
  • Updates requirements of Origination Agreements with Third-Party Senders regarding Nested Third-Party relationships (Subsection 2.2.2.2)
  • Establishes a “chain of agreements”
  • Requires that ODFIs update their existing Third-Party Sender registration to denote any Third-Party Senders who have Nested Third-Party Sender relationships
  • Adds clarity to who must perform an ACH Risk Assessment
    1. It’s important to note that Third-Party Senders, whether they are Nested or not, must complete their own Risk Assessment of their ACH activities and cannot rely on another participant to complete it for them. If a Third-Party Sender has a Nested Third-Party Sender relationship, they will need to complete the agreement seen in Subsection 2.2.2.2 and take on obligations like an ODFI for compliance with the agreement and with the ACH Rules.

Also, the six-month grace period for the following components of the Third-Party Sender rules expires March 31st, 2023:

  • ODFIs must update Third-Party Sender registrations on Nacha’s Risk Management Portal to denote whether or not a Third-Party Sender has a Nested Third-Party Sender relationship.
  • Completion of Risk Assessments of ACH Activities by Third-Party Senders

Phase 2 of the Supplemental ACH Data Security Rule

Finally, Nacha’s ACH Operations Bulletin #1-2022 presented the expiration of COVID Relief on several ACH Rules through October 1, 2022. The bulletin made mention of ending the non-enforcement grace period of Phase 2 of the Supplemental ACH Data Security rule (found on Section 1.6) through June 30, 2023, for Originators/Third-Party Senders with an ACH volume of two million or more transactions annually. For Originators/Third-Party Senders that have this volume, new data security requirements should be applied to render account information unreadable when stored.   Phase 1 was already implemented after 2019 for Originators/Third-Party Senders with an ACH volume of six million or more transactions annually while Phase 2 was originally going to be implemented on June 30, 2021.  However, the COVID-19 pandemic created a two-year delay in Phase 2’s implementation.   If you have an Originator/Third-Party Sender with a volume in excess of two million, let them know that by June 30, 2023, new data security ACH Rules will apply.

To learn more about what’s coming in the payments industry in 2023 and beyond, consider joining us virtually or in person for our one-day Payment Systems Update! Here you will learn what you need to know to prioritize your organization's plan of action and maintain compliance with the ever-changing rules and regulatory landscape. This year's update covers recent and upcoming ACH Rules changes, Third-Party Sender enhancements, updated Risk Management framework, Micro Entries, ISO 20022, faster payments adoption, the latest on FedNow℠ and RTP®, Regulation E investigation challenges, applying payments rules to fraud challenges, fraud mitigation best practices and more! Click here to learn more!

Republished with permission from EPCOR