Treasury Management ACH News
September 2022

Effective September 16, 2022: Micro-Entries (Phase 1)

This Rule will define and standardize practices and formatting of Micro-Entries, which are used by some ACH Originators as a method of account validation.

This Rule will:

  • Define “Micro-Entries” as ACH credits of less than $1.00 and any offsetting ACH debits, used for the purpose of verifying a Receiver’s account;
  • Standardize the Company Entry Description and Company Name requirements for Micro-Entries;
  • Establish other Micro-Entry origination practices;
  • Apply risk management requirements to the origination of Micro-Entries.

Phase 1 of this Rule will be implemented on September 16, 2022. During this phase, the term Micro-Entry will be defined, and Originators will be required to use the standard Company Entry Description and follow other origination practices.

This Rule will standardize formatting for Micro-Entries. In the Company Entry Description field, the Rule will require the use of “ACCTVERIFY”.

Phase 2 of this Rule will be implemented on March 17, 2023. During this phase, Originators of Micro-Entries will be required to use commercially reasonable fraud detection, including the monitoring of Micro-Entry forward and return volumes.

This Rule does not require:

  • Originators to use Micro-Entries as a method of account validation;
  • Originators that are using credit Micro-Entries to use offsetting debit Micro-Entries;
  • ODFIs to actively monitor or inspect Originators’ files or Micro-Entries for compliance with the origination requirements.

The overarching purpose of these two Rules is to further clarify the roles and responsibilities of Third-Party Senders (TPS) in the ACH Network by addressing the existing practice of Nested Third-Party Sender relationships, and making explicit and clarifying the requirement that a TPS conduct a Risk Assessment.

Both rule amendments will become effective on a single effective date of September 30, 2022.

Changes to ACH Origination Agreements would be effective on a going-forward basis (i.e. applicable to agreements entered into on or after the effective date).

ODFIs will notify TPS of new Rules, even if not required to “re-paper” existing agreements, to ensure knowledge of and compliance with these Rules.

A six-month grace period, to March 31, 2023, will be provided for:

  • ODFIs to update TPS registrations to denote whether or not a TPS has Nested TPS;
  • TPS that have not conducted a Risk Assessment to do so.

A TPS need not wait for passage of this rule, or its effective date, to conduct a Risk Assessment.

Third-Party Senders and Risk Assessments

  • Makes explicit that a Third-Party Sender, whether Nested or not, must complete a Risk Assessment of its ACH activities;
  • Clarifies that a Third-Party Sender cannot rely on a Rules Compliance Audit or a Risk Assessment completed by another TPS in a chain; it must conduct its own.

Authorizations

Originators must obtain the Receiver’s authorization for entries and ensure that copies of the authorizations are provided to the Receiver in accordance with the Nacha Rules.

 

Prenotifications

If a Prenotification results in a Return or Notification of Change, the Originator must research the problem and make the correction prior to transmitting the live entry.

 

Notification of Change

Upon receipt of a Notification of Change, requested changes must be made within six banking days or prior to the initiation of the next entry, whichever is later.

 

Re-initiation of Entries 

Originators must ensure that Entries Returned for the following reasons are not reinitiated unless a subsequent Authorization has been obtained from the Receiver.

  • R07 – Authorization Revoked by Customer
  • R08 – Payment Stopped
  • R10 – Customer Advises Not Authorized
  • R29 – Corporate Customer Advises Not Authorized

 

Reversing Files or Entries

Originators are to take steps to ensure that all files are originated correctly. On occasion the Originator may need to create a Reversing File or Entry. Reversing Files or Entries are limited to:

  • Duplicate Files or Entries
  • Erroneous Files or Entries (incorrect information within the file or entry, for example an incorrect account number, routing number, dollar amount, or date).

 

Additionally:

  • The Originator must make a reasonable attempt to notify the Receiver of the Reversing Entry no later than the settlement date for a credit PPD Entry.
  • Reversing entries must be transmitted within five banking days following the settlement date of the erroneous file.

Business Email Compromise

With business email compromise, business emails are either compromised or impersonated. They are then used to order or request the transfer of funds via ACH. The fraudster will often gain access to an employee’s email and monitor the account for contacts, information, and patterns. They then use the compromised email account to send erroneous payment instructions to a fraudulent account at another financial institution.

 

Protect Your Company by implementing internal controls.

  • Educate and train employees to recognize, question, and authenticate any changes in ACH and Wire payment instructions.
  • Fraudsters like to pressure employees to act quickly. This is a red flag.
  • Advise employees to check the sender’s email address to verify the email came from their client. The fraudulent email address is often very similar to the original customer’s email address.
  • Verbally authenticate any changes by making a telephone call to a known telephone number for the customer or employee. Do not use a telephone number provided in the email.
  • Initiate payments using dual controls.
  • Never share passwords, usernames or authentication credentials with anyone.
  • Avoid free web-based email accounts for business purposes. Use a company domain for business emails.
  • Do not use the email reply option when authenticating emails for payment. Call or use the forward email option and type in a known email address for the customer or employee.

 

Vendor Impersonation

Vendor impersonation can occur when a business, agency or organization receives a request that appears to come from a valid vendor asking to update payment information. Such a request can come from a fraudster mimicking the vendor.

  • These attacks can come via email, phone calls, faxes, or letters.
  • Again, educate and train employees to recognize, question, and authenticate any changes in ACH and Wire payment instructions.
  • Advise employees to check the sender’s email address to verify the email came from the vendor. The fraudulent email address is often very similar to the original vendor’s email address.
  • Verbally authenticate any changes by making a telephone call to a known telephone number for the customer or employee. Do not use a telephone number provided in the email.
  • Review vendors frequently.
  • Only make vendor payment forms available via secure methods.
  • Require that changes made to payment information be confirmed by a method such as verification codes for existing vendors.
  • Have payment changes reviewed by administrators.
  • Do not use the email reply option when authenticating emails for payment. Call or use the forward email option and type in the known email address for the vendor.
  • Do not ignore calls from your financial institution questioning the legitimacy of a payment.

 

Payroll Impersonation

Fraudsters target employees by sending them phishing emails. These emails often impersonate the human resources or payroll department and may have a link that directs the employee to confirm their payroll information. They may also supply the employee with a direct deposit form. The email will claim the employee must update or confirm banking information. The fraudsters then use the employee’s credentials to change payment information to a fraudulent bank account.

Employers should:

  • Alert employees to watch for phishing attacks and suspicious malware links.
  • Advise employees to check the sender’s email address to verify the email came from their actual employer. The fraudulent email address is often very similar to the actual employer’s.
  • Authenticate any request to change payment information using previously known contact information.
  • Set up employee alerts on self-service platforms so that unusual activity can be caught.