• Ruth Harpool, AAP, APRP, CTP

ACH Part Two: Supplementing Fraud Detection Standards for Web Debits

Suppose your business accepts consumer bank account information through the WEB or over the internet, and that information is used to deduct money from a consumers’ bank account. In that case, you need to be aware of an ACH rule that became effective on March 19, 2021.

Per the 2021 Nacha Operating Rules, “An Originator of a debit WEB Entry must establish and implement a commercially reasonable fraudulent transaction detection system to screen the debit WEB Entry.” On March 19, the Supplementing Fraud Detection Standards for WEB Debits rule, commonly referred to as the WEB Debit Account Validation Rule, expanded that language to state that “Such a fraudulent transaction detection system must, at a minimum, validate the account to be debited for the first use of such account number, and for any subsequent change(s) to the account number.” Nacha Operating Rules Article Two Subsection

(Head begins to spin, eyes begin to droop) Um…can you say that again sans the italics and chapter/verse references?

On a go forward basis, your business must conduct the account validation when you are first provided with an account number or any time the consumer changes their account number with you. This validation must occur prior to the initiation of a debit (withdrawal) to a consumer account. In this context, validating the consumer’s account means that you need to confirm that the bank account is open and accepts ACH entries. It does NOT mean that you need to confirm there is enough money in the account, and it does NOT require validation of account ownership. Remember, this rule only applies to consumer debits.

Going forward simply means ‘at some point in the future.’ That is to say, you do NOT need to go back in time to stored records for customers who have allowed you to debit their bank accounts in the past and validate those accounts. However, if existing customers change their bank account information with you at any time in the future, then this rule applies, and account validation is required. It will always apply to new customers, and the first time they give you an account number.

The easiest way to determine when the rule applies is to ask yourself these three questions:

1. Did I receive this banking information over the internet?

2. Does it belong to a consumer?

3. Is this the first time I have seen it?

If all three of the answers are yes, your next action should determine how you are going to comply with the rule.

I encourage you to reach out to your financial institution or third-party ACH service providers for more information about validation methods. I recommend you also take a few minutes and check out this Nacha resource too.

If you are unsure as to what questions to ask your financial institution, rely on a trusted partner like CampusGuard to help you. Please feel free to reach out to me directly at rharpool@campusguard.com.