The NACHA Operating Rules are the foundation for every ACH payment. By defining the roles and responsibilities of financial institutions and establishing clear guidelines for each Network participant, the Rules ensure that millions of payments occur smoothly and easily each day. These following are a brief summary of changes but are not a replacement for Rules, which are subject to change.
Click Here to view ACH Rules Resources for Corporates / NACHA
The Micro-Entry Rule defines and standardizes practice and formatting of Micro-Entries, which are used by some ACH Originators as a method of account validation.
March 18, 2022
Increasing the dollar limit has been a frequently asked for change by ACH end-users. Most recently, a summer 2020 survey of corporate ACH end-users resulted in recommendations for Same Day ACH:
The dollar limit increase in March 2020 had an immediate impact on the use of Same Day ACH
June 30, 2022
In response to requests from some covered parties in 2020 for additional time to come into compliance with the Rule requirements, Nacha extended each of the two effective dates by one year; Phase 1 of the Rule, which applies to ACH Originators and Third-Parties with more than 6 million ACH payments annually, became effective on June 30, 2021, and Phase 2 of the Rule, which applies to ACH Originators and Third-Parties with more than 2 million ACH payments annually, will be effective on June 30, 2022.
This effective date was affirmed in ACH Operations Bulletin #7-2020. Nacha will not enforce this rule for an additional period of one year from the effective date with respect to covered entities that are working in good faith toward compliance, but that require additional time to implement solutions. This applies to both phases of this rule. Nacha strongly encourages all such covered entities to work towards compliance as soon as possible.
SEPTEMBER 30, 2022
The overarching purpose of these Rules is to further clarify the roles and responsibilities of Third-Party Senders (TPS) in the ACH Network by; Addressing the existing practice of Nested Third-Party Sender relationships, and; Making explicit and clarifying the requirement that a TPS conduct a Risk Assessment. The two Rules will become effective September 30, 2022, with a 6-month grace period for certain aspects of each rule.
March 19, 2021
The effective date for an upcoming change in the Nacha Operating Rules is being extended by the Nacha Board of Directors. The WEB Debit Account Validation Rule now takes effect March 19, 2021, rather than Jan. 1, 2020. The rule was originally approved by Nacha members in November 2018. The Nacha Board of Directors approved the extension in effective date to allow for additional time, education and guidance to be provided to the industry.
Currently, ACH Originators of WEB debit entries are required to use a “commercially reasonable fraudulent transaction detection system” to screen WEB debits for fraud. This existing screening requirement will be supplemented to make it explicit that “account validation” is part of a “commercially reasonable fraudulent transaction detection system.” The supplemental requirement applies to the first use of an account number, or changes to the account number.
March 19, 2021
This new rule expands access to Same Day ACH by allowing Same Day ACH transactions to be submitted to the ACH Network for an additional two hours every business day. The new Same Day ACH processing window will go into effect on March 19, 2021.
Creates a third Same Day ACH processing window that expands Same Day ACH availability by 2 hours
April 1, 2021
The rule re-purposes an existing, little-used return reason code (R11) that will be used when a receiving customer claims that there was an error with an otherwise authorized payment. Previously, return reason code R10 was used a catch-all for various types of underlying unauthorized return reasons, including some for which a valid authorization exists, such as a debit on the wrong date or for the wrong amount. In these types of cases, a return of the debit still should be made, but the Originator and its customer (the Receiver) might both benefit from a correction of the error rather than the termination of the origination authorization. The use of a distinct return reason code (R11) enables a return that conveys this new meaning of “error” rather than “no authorization.”
Effective date: Phase 1 – April 1, 2020; effective date Phase 2 – April 1, 2021.
Effective Dates
The rule becomes effective in two phases. On April 1, 2020, the re-purposed return code became effective, and financial institutions will use it for its new purpose. Other provisions in the rules that apply to unauthorized returns became effective at this time with respect to R11s – i.e., Unauthorized Entry Return Rate and its relationship to ODFI Return Rate Reporting obligations.
On April 1, 2021, the re-purposed R11 return code becomes covered by the existing Unauthorized Entry Fee. This part of the rule will be implemented by the ACH Operators, and as with the current fee, is billed/credited on their monthly statements of charges.
As noted in ACH Operations Bulletin #4-2020, RDFIs that are not ready to use R11 as of April 1, 2020 should continue to use R10. RDFIs should implement R11 as soon as possible.
june 30, 2021
REVERSALS
This Rule explicitly address improper uses of reversals. It expands the permissible reasons for a reversal to include a “wrong date” error – 1) the reversal of a debit Entry that was for a date earlier than intended by the Originator, or 2) a credit Entry that was for a date later than intended by the Originator.
The Rule establishes formatting requirements for reversals, beyond the current standardized use of the Company Entry Description field (“REVERSAL”):
The Company ID, SEC Code, and Amount fields of the reversal must be identical to the original entry
The contents of other fields may be modified only to the extent necessary to facilitate proper processing of the reversal
This is the same approach as the formatting requirements for Reinitiated Entries
In addition, the rules explicitly permit an RDFI to return an improper Reversal:
R11 for consumer accounts, 60-day return timeframe upon receiving a consumer claim
R17 for non-consumer accounts, 2-day return timeframe
An RDFI will be permitted to use R17 to return an improper Reversal that it identifies on its own (i.e., not based on a customer contact), 2-day return timeframe
ENFORCEMENT
This Rule defines an Egregious Violation as:
A willful or reckless action, and
Involves at least 500 Entries, or involves multiple Entries in the aggregate amount of at least $500K.
The Rule also allows the ACH Rules Enforcement Panel to determine whether a violation is egregious, and to classify an Egregious Violation as a Class 2 or 3 Rules Violation.
The sanction for a Class 3 violation can be up to $500,000 per occurrence and a directive to the ODFI to suspend the Originator or Third-Party Sender
In addition, the Rule expressly authorizes Nacha to report Class 3 Rules violations to the ACH Operators and industry regulators.
june 30, 2021
LIMITATION ON WARRANTY CLAIMS
This rule limits the length of time in which an RDFI is permitted to make a claim against the ODFI’s authorization warranty.
For an entry to a non-consumer account, the time limit is one year from the settlement date of the entry (analogous to one-year rule in UCC §4-406 that applies to checks and items charged to bank accounts).
For an entry to a consumer account, the limit covers two time periods:
The first ninety-five (95) calendar days from the settlement date of the first unauthorized entry to the consumer’s account will always be covered (i.e., the first 95 days).
If outside the first 95 days, then two years from the settlement date of the entry (i.e., the last two years).
june 30, 2021
SUPPLEMENTING DATA SECURITY REQUIREMENTS (PHASE 1)
In response to requests from some covered parties during 2020 for additional time to come into compliance with the Rule requirements, Nacha extended each of the two effective dates by one year; Phase 1 of the Rule, which applies to ACH Originators and Third-Parties with more than 6 million ACH payments annually, became effective on June 30, 2021, and Phase 2 of the Rule, which applies to ACH Originators and Third-Parties with more than 2 million ACH payments annually, will become effective on June 30, 2022.
This effective date was was affirmed in ACH Operations Bulletin #7-2020. Nacha will not enforce this rule for an additional period of one year from the effective date with respect to covered entities that are working in good faith toward compliance, but that require additional time to implement solutions. This applies to both phases of this rule. Nacha strongly encourages all such covered entities to work towards compliance as soon as possible.
September 17, 2021
Standing Authorization
This rule will define a “Standing Authorization”
A Standing Authorization will be defined as an advance authorization by a consumer of future debits at various intervals
Under a Standing Authorization, future debits may be initiated by the consumer through some further action, as distinct from recurring entries which require no further action and occur at regular intervals
In addition to defining a Standing Authorization, other aspects of the rule include:
A Standing Authorization may be obtained in writing or orally (Oral Authorizations)
Individual payments initiated based on the Standing Authorization will be defined as Subsequent Entries
Individual Subsequent Entries may be initiated in any manner identified in the Standing Authorization
This rule also will allow Originators some flexibility in the use of SEC codes for individual Subsequent Entries
Allows an Originator to use the TEL or WEB codes for Subsequent Entries when initiated by either a telephone call or via the Internet/wireless network, respectively, regardless of how the Standing Authorization was obtained
In such cases, the Originator will not need to meet the authorization requirements of TEL or WEB, but will need to meet the risk management and security requirements associated with those codes
Oral Authorization
This rule will define and allow “Oral Authorization” as a valid authorization method for consumer debits distinct from a telephone call
Currently, only the TEL transaction type has requirements and addresses risks specific to an oral authorization; but it is specific to a telephone call
Many newer methods and channels make use of verbal interactions and voice-related technologies
Other Authorization Proposals
In conjunction with the other authorization rules (Standing Authorizations and Oral Authorizations), this Rule includes other modifications and re-organizations of the general authorization rules for purposes of clarity, flexibility and consistency
Clarity
Re-organizes the general authorization rules to better incorporate Standing Authorizations, Oral Authorizations, and other changes described below
Defines “Recurring Entry” to complement the existing definition of Single Entry and the proposed new definition of Subsequent Entry, and align with terms in Regulation E
Flexibility
Explicitly states that authorization of an ACH payment by any method allowed by law/regulation
Only consumer debit authorizations require a writing that is signed or similarly authenticated
Consistency
Applies the standards of “readily identifiable” and “clear and readily understandable terms” to all authorizations
For all consumer debit authorizations, applies the minimum data element standards that are currently stated only in the TEL rules (i.e., what will be in a consumer authorization)
Alternative to Proof of Authorization
This Rule will allow an ODFI to agree to accept the return of an entry as an alternative to providing proof of authorization
Example – An RDFI requests proof of authorization for a PPD debit; the ODFI will have the option within 10 banking days to either provide proof or agree to accept a return. If the ODFI chooses to accept the return, the RDFI will have 10 banking days to make that return
In situations in which the ODFI has accepted, or agreed to accept, a return in lieu of providing proof of authorization, but the RDFI still needs such proof, the RDFI will still retain the ability to obtain it from the ODFI. The ODFI must provide proof within 10 banking days of the RDFI’s subsequent request
Example – After an ODFI and RDFI agree on the return of a debit, the RDFI needs to obtain the proof of authorization as part of litigation
Written Statement of Unauthorized Debit via Electronic or Oral Methods
This Rule clarifies and makes explicit that an RDFI may obtain a consumer’s Written Statement of Unauthorized Debit (WSUD) electronically or orally
The same formats/methods permissible for obtaining a consumer debit authorization are permissible for obtaining a consumer’s statement of unauthorized debit
Although these formats/methods for obtaining a WSUD are not prohibited by the current Rules, there is confusion in the marketplace today; an explicit reference that they are permissible will increase the industry’s consideration of them
An additional clarification will be made that a consumer is permitted to sign a WSUD with an Electronic Signature
March 20, 2020
This new rule increases the Same Day ACH per-transaction dollar limit to $100,000 and will become effective on March 20, 2020.
Increases the per-transaction dollar limit for Same Day ACH transactions to $100,000
Currently, Same Day ACH transactions are limited to $25,000 per transaction
While the current limit covers approximately 98% of ACH transactions, there are many use cases for which a higher dollar limit will better enable end users to utilize Same Day ACH. For example, a higher transaction limit would better enable:
B2B payments, in which only approximately 89% of transactions are currently eligible
Claim payments, which are often for larger dollar amounts and are time sensitive in nature
Reversals for a larger pool of transactions, including all Same Day ACH transactions
April 1, 2020
This rule better differentiates among types of unauthorized return reasons for consumer debits. This differentiation will give ODFIs and their Originators clearer and better information when a customer claims that an error occurred with an authorized payment, as opposed to when a customer claims there was no authorization for a payment. ODFIs and their Originators should be able to react differently to claims of errors, and potentially could avoid taking more significant action with respect to such claims.
The rule re-purposes an existing, little-used return reason code (R11) that will be used when a receiving customer claims that there was an error with an otherwise authorized payment. Currently, return reason code R10 is used a catch-all for various types of underlying unauthorized return reasons, including some for which a valid authorization exists, such as a debit on the wrong date or for the wrong amount. In these types of cases, a return of the debit still should be made, but the Originator and its customer (the Receiver) might both benefit from a correction of the error rather than the termination of the origination authorization. The use of a distinct return reason code (R11) enables a return that conveys this new meaning of “error” rather than “no authorization.”
Effective date: Phase 1 – April 1, 2020; effective date Phase 2 – April 1, 2021
June 30, 2020
This change to the Nacha Operating Rules will enhance quality and improve risk management within the ACH Network by supplementing the existing account information security requirements for large-volume Originators and Third-Parties. This change will be implemented in two phases.
The existing ACH Security Framework including its data protection requirements will be supplemented to explicitly require large, non-FI Originators, Third-Party Service Providers (TPSPs) and Third-Party Senders (TPSs) to protect deposit account information by rendering it unreadable when it is stored electronically.
Implementation begins with the largest Originators and TPSPs (including TPSs) and initially applies to those with ACH volume of 6 million transactions or greater annually. A second phase applies to those with ACH volume of 2 million transactions or greater annually.
July 1, 2020
REQUEST FOR COMMENT - RESPONSES DUE BY FRIDAY, AUGUST 23, 2019
Nacha is issuing this Request for Comment to obtain industry feedback on a proposal to create an industry resource for financial institutions to be able to more easily connect with other financial institutions about ACH operations, exceptions and risk management.
All ACH financial institutions would register contact information for ACH operations and risk/fraud
The contact information would be available for other registered ACH participating financial institutions, Payments Associations, and Nacha
For use in ACH-related system outages, erroneous payments, duplicates, reversals, fraudulent payments, etc., or potentially other uses within scope (e.g., proper contact for letters of indemnity)
Use of the information would be limited to these purposes
Registration information would be required to be updated within 45 days after any change, and verified on an annual basis
Nacha would provide this registry resource as a tool for inter-FI communication for issues relating to ACH operations and fraud/risk management
The registry would be accessed via the existing Risk Management Portal
Authorized users would use the secure Portal to access registered contact information
There would not be a charge to FIs to register or use the contact information
Risk Management Portal security
The Portal is a hosted solution built with security and business continuity in mind, including physical security, encryption, user authorization and authentication processes, and auditing to verify satisfaction of privacy and security requirements
Data is encrypted while in transit to Nacha and remains encrypted while it is at rest
Compliance of the underlying cloud platform with key industry standards is certified by the cloud service provider
January 1, 2019
This rule changes the structure of the audit requirement within the Rules, but does not change the requirement to conduct a Rules compliance audit annually.
This rule change modifies the Rules to provide financial institutions and third-party service providers with greater flexibility in conducting annual Rules compliance audits. The rule does not change the requirement to conduct a Rules compliance audit annually, but rather changes the structure of the audit requirement within the Rules by consolidating requirements for the annual Rules compliance audit into one section and removing redundant material.
January 1, 2019
These ballots amend the Rules to address a variety of minor topics. Minor changes to the Rules have little-to-no impact on ACH participants and no significant processing or financial impact.
ACH Operator Edits
This change aligns the Rules with current ACH Operator file editing practices.
Clarification on TEL Authorization Requirement
This change makes clear that the general rules governing the form of authorization for all consumer entries apply to TEL entries. This rule also incorporates a reference to consumer account within the general rules for TEL entries.
Clarification of RDFI Obligation to Return Credit Entry Declined by Receiver
This change clarifies the specific conditions under which an RDFI is excused from its obligation to return a credit entry. It also modifies the language to refer to an entry being “declined” (rather than “refused”) by the Receiver.
Editorial Clarification on Reinitiation of Return Entries
This editorial change clarifies the existing intent that reinitiation is limited to 2 times.
Editorial Clarification on RDFI Liability Upon Receipt of a Written Demand for Payment
This editorial clarification makes clear that an RDFI may return a Written Demand for Payment only if it was not properly originated by the ODFI.
June 21, 2019
This change to the Nacha Operating Rules will enhance quality and improve risk management within the ACH Network by allowing RDFIs to indicate within a return that the original transaction was questionable or part of anomalous activity.
RDFIs may but are not required to use return reason code R17 to indicate that the RDFI believes the entry was initiated under questionable circumstances. RDFIs electing to use R17 for this purpose will use the description “QUESTIONABLE” in the Addenda Information field of the return. An R17 in conjunction with this description enables these returns to be differentiated from returns for routine account number errors.
September 20, 2019
This Rule increases the speed of funds availability for certain Same Day ACH and next-day ACH credits.
Establishes additional funds availability standards for ACH credits
Funds from Same Day ACH credits processed in the existing, first processing window will be made available by 1:30 p.m. in the RDFI's local time
Funds from non-Same Day ACH credits will be available by 9:00 a.m. RDFI's local time on the Settlement Date, if the credits were available to the RDFI by 5:00 p.m. local time on the previous day (i.e., apply the existing “PPD rule” to all ACH credits)
September 2017: Same Day ACH Debits
The National Automated Clearing House Association (NACHA), the organization that governs the ACH network, will implement a rule change that allows the initiation of Same Day ACH debit payments of $25,000 or less, with funds available to the receiver by the end of the receiving financial institution’s processing day. Same Day ACH will be available for debits starting September 15, 2017. All ACH transaction types are eligible, except for International ACH Transactions (IATs).
NACHA’S Same Day ACH rollout began in September 2016 with the introduction of Same Day ACH for credit entries. Starting in 2018, receiving financial institutions must make Same Day ACH transactions funds available to the receiver by 5:00 pm local time
September 2017: Third Party Sender Registry
The Third Party Sender registry is being created to improve the overall quality of the ACH Network and promote appropriate due diligence among Originating Depository Financial Institutions (ODFIs) processing for Third-Party Senders (TPS).
The new rule will require all ODFIs to register their TPS customers with NACHA, providing the following information regarding each TPS for which the ODFI provides ACH services.
After the initial registration, NACHA may request supplemental information about a TPS regarding any potential risk event. A risk event is defined as “cases in which NACHA believes that a TPS in the ACH network poses an escalated risk of (i) financial loss to one or more Participating (Depository Financial Institutions) DFIs, Receivers or Originators, (ii) violation of the (NACHA) Rules or Applicable Law, or (iii) excessive returns.”
For additional information regarding these rule changes, or to request a copy or access to the latest ACH Rules from PNC, please contact your Treasury Management representative.
October 2016: Unauthorized Entry Fee
To improve the overall quality of the ACH Network by reducing returns, NACHA is implementing a rule that applies to ACH debit transactions that are returned as “unauthorized” by the Receiver.
The rule introduces a fee of $4.50, assessed to the originating financial institution, for each ACH debit transaction that is returned as unauthorized. The fee will be passed to the receiving financial institution to compensate them for expenses related to servicing and returning the transaction for their customer. The rule applies to the following return reason codes:
The fees for unauthorized debit returns as of October 3, 2016 would be applied to debits originated as early as August 1, 2016. NACHA will evaluate the fee amount every three years.
Please Note: The fee is not applicable to International ACH Transactions (IATs).
September 2016: Same Day ACH
The rule will enable the option to initiate same day ACH payments through new ACH Network functionality. This option is in addition to the existing ACH network processing capabilities. The rule will be implemented over three phases with Phase 1 beginning on September 23, 2016.
Phase 1 will support ACH credits only. All transaction types are eligible (except International ACH Transactions (IATs)) up to $25,000 per transaction. All receiving financial institutions must be able to receive same day ACH payments and make funds available to the receiver by the end of the receiving financial institution’s processing day in Phase 1.
There is an additional fee to originate Same Day ACH entries and no additional fee to receive Same Day ACH entries.
September 2015: Return Rate Changes
1. Current monthly unauthorized debit return rate threshold reduced from 1% to 5%. Your total number of ACH debit returns with Unauthorized Return Reason Codes should not exceed 0.5% of your total ACH debits originated. Should you exceed the stated threshold, we may contact you to inquire on the reason for the high return rate. The following Return Reason Codes are considered unauthorized reason codes:
R05 - Unauthorized Debit to Consumer Account Using Corporate SEC Code
R07 - Authorization Revoked by Customer
R10 - Customer Advises Not Authorized
R29 - Corporate Customer Advises Not Authorized
R51 - Item is Ineligible
2. Established monthly ACH debit administrative return rate threshold of 3%. Your total number of ACH debit returns with Administrative Return Reason Codes should not exceed 3% of your total ACH debits originated. Should you exceed the stated threshold, we may contact you to inquire on the reason for the high return rate.
The following Return Reason Codes are considered Administrative Return Reason Codes:
R02 - Account Closed
R03 - No Acct/Unable to Locate Acct
R04 - Invalid Account Number
3. Established monthly overall ACH debit return rate threshold of 15%. Your total number of ACH debit returns for all Return Reason Codes should not exceed 15% of your total ACH debits originated. Should you exceed the stated threshold, we may contact you to inquire on the reason for the high return rate. All ACH debit returns regardless of Return Reason Code for all Standard Entry Class codes except RCK (Re-presented Check Entries) are considered for this calculation.
4. Re-initiation of ACH debits required to contain "Retry Pymt" in the Company Entry Eescription field. If ACH debits that are returned unpaid with R01 – Insufficient Funds or R09 – Uncollected Funds Return Reason Codes and are subsequently re-presented for payment, the description “RETRY PYMT” is required to be included in the Company Entry Description field. If you currently originate debit re-presented files, you are required to update the Company Entry Description prior to submitting. Not updating the Company Entry Description may result in the RDFI returning the transaction with an R10 - Customer Advises Unauthorized, Improper, or Ineligible Return Reason Code. If you have selected PNC’s “ACH Auto Debit Re-presentment” service feature, no action is required from you. PNC will automatically change your Company Entry Description to include “RETRY PYMT.”
March 2015: Removal of Notification of Change and Rule Changes Related to Dishonored Returns
1. Removal of Notification of Change - CO4 Change Code. Previously, Receiving Depository Financial Institutions (RDFIs) would send a Notification of Change – C04 to request a correction to the Receiver’s name on future ACH transactions. This sometimes created challenges for Originators, ODFIs and RDFIs. An example was when the Biller (Originator) could not make the requested name change due to contractual or other reasons while the Original Depository Financial Institution faced NACHA violations for not updating the name. To eliminate this risk the C04 code will be removed as a valid change code.
Impact to ODFIs / Originators
If you are an ACH Originator and the Receiver’s name on the ACH transaction and Receiver’s name at the RDFI do not match, rely on contracts and records to properly identify the name of the Receiver being credited or debited, without relying on a Notification of Change (NOC) from the RDFI
Impact to RDFIs
When the RDFI discovers a name mismatch, choose one of the following courses of action:
Originators and ODFIs can use the new R62 (Return of Erroneous Debit or Reversing Debit) only in the following situations:
If you are an ACH Originator, you can request that your ODFI dishonor a return in order to correct and resolve an erroneous or unintended credit to a Receiver.
In addition, ensure that R62 is only used when the associated credit entry (the Reversal or the erroneous credit) was not also returned by the RDFI.
RDFI’s can use the new Contested Dishonor R77 (Non-Acceptance of R62 Dishonored Return) if either of the following situations exist.
January 2015: Return Fee Entry Formatting Clarification
Consumers that received an electronic Return Entry fee posted to their account often times could not link the return fee to an authorized transaction at a merchant. The NACHA rule change clarifies that the Individual Name field in the PPD Return Entry Fee transaction is used to link the fee to the original authorized ARC, BOC, or POP transaction that was returned unpaid. The Individual ID field could contain the Receiver’s name, reference number, identification number or code of the merchant to identify the customer. This change should have no impact on ACH participants as it recognizes current best practice regarding the formatting of fees for check conversion entries.
