Understanding ACH Payments
Automated Clearing House (ACH)
Simple and Safe Best Practices
You should have a basic knowledge of Nacha Operating Rules & Guidelines even if you use a third-party payment processing system to process ACH. It’s your responsibility to know the ACH Rules and make sure your business is compliant. Keep up with the Rules changes on the Nacha website.
Best Practices for ACH
Nacha rules require that unauthorized or improper corporate ACH debits posted to your account be returned no later than the opening of business on the second banking day following the settlement date of the original entry. In practice that leaves roughly one banking day after posting to spot the debit and ask the bank to return it. If an unauthorized debit has not been returned within two days of posting, recovering the funds becomes much more difficult.
Nacha rules require ACH origination customers to make the changes requested in a Notification of Change (NOC) from the Receiving Depository Financial Institution (RDFI) within six (6) banking days of receiving the NOC or before the next entry to that account is generated, whichever is later. Common changes include corrections to transaction codes, account numbers, or routing numbers.
- A returned ACH entry may not be re-initiated unless (1) the entry was returned for insufficient or uncollected funds; (2) the entry was returned for a stopped payment and the account holder has authorized re-initiation; or (3) the Originating Depository Financial Institution (ODFI, here SouthState Bank) has taken corrective action to remedy the reason for the return.
- An Originator may re-initiate a returned debit entry up to two times within 180 days of the Settlement Date of the original entry. Re-initiated entries must be sent in a separate batch and carry the same Company Name, Company ID, and Amount as the original entry.
- Re-initiated entries must contain “RETRY PYMT” in the Company Entry Description Field.
Whenever possible, divide responsibilities among several employees. To prevent unauthorized ACH payments, split the payments process so that one employee creates or uploads the ACH batch and a different employee approves it. To prevent unauthorized or inappropriate system access, also keep user administration separate from payment approval: the user who can add or delete users should not be able to approve, delete, or edit batches.
Train employees to be alert for things that do not look right, such as the Treasury Navigator® color scheme or layout changing, egregious misspellings on the website or in email notifications, "system down" warnings, and so on. Another red flag is being unable to log into Treasury Navigator® despite multiple attempts with known-good credentials. This may indicate that the credentials have been compromised, or that the account is already logged in from another computer.
Do not allow employees to use social networking sites on the same computers used for the business' online banking. Common social media attacks include likejacking, where attackers overlay fake "like" buttons to trick users into clicking controls that install malware and post updates to the user's newsfeed to spread the attack, and fake offerings or apps that invite users to join a fake group or subscription in exchange for incentives, then steal credentials or harvest other personal data.
Rules and Updates Every ACH Originator Should Know
- The authorization should clearly state the account number and routing number (e.g., from a copy of the account holder's check) and the account type (demand deposit or savings).
- The consumer must date and either sign or similarly authenticate debit authorizations.
- Authorizations should be reviewed to make sure they meet the requirements of the Nacha Operating Rules.
Originators can expect the return of consumer entries that were not properly authorized.
- An unauthorized debit entry is one for which (1) the authorization requirements of the Nacha Operating Rules were not followed, or the authorization is invalid under applicable legal requirements; (2) the entry was initiated in an amount different from that authorized by the Receiver; or (3) the entry was initiated for settlement earlier than authorized by the Receiver.
In general, consumer debit entries must be returned by the RDFI in such time and manner that the return is made available to the ODFI no later than the opening of business on the banking day following the sixtieth (60th) calendar day following the settlement date of the original entry. This return deadline also applies to the return of debit entries for which the consumer Receiver had previously revoked their authorization.
As with consumer entries, the business Receiver (Company) must authorize all ACH credits and debits to its account.
- The Receiver of CCD (Corporate Credit or Debit), CTX (Corporate Trade Exchange), and IAT (International ACH Transaction) entries to a corporate account must have an agreement with the Originator under which the Receiver agrees to be bound by the Nacha Operating Rules.
- The agreement covering credits and/or debits to the corporate customer's account should make clear to the corporate customer what each credit or debit represents.
Unlike consumer entries, the non-consumer Receiver of a CCD, CTX or IAT entry must in general return unauthorized entries no later than the opening of business on the second (2nd) banking day following the settlement date, which requires prompt daily review of account activity to detect any unauthorized entries.
For recurring debits whose amount varies, the Rules require the Originator to notify the account holder/Receiver of the new amount at least ten (10) calendar days before the scheduled transfer date. If an Originator changes the date on which it debits the account holder/Receiver, it must notify the account holder/Receiver in writing of the new date at least seven (7) calendar days before the first entry affected by the change is scheduled to be debited to the Receiver's account.
The signed or similarly authenticated authorization must be retained by the Originator for a period of two years following the termination or revocation of the authorization.
- In the case of a paper authorization that has been signed by the consumer, the Originator must retain either the original or a copy of the signed authorization.
- This authorization may be obtained in an electronic format that (1) accurately reflects the information in the record, and (2) is capable of being accurately reproduced for later reference.
At the request of its ODFI, the Originator must provide the original, a copy, or another accurate Record of the Receiver's authorization to the ODFI for its own use or for the use of an RDFI requesting the information. The Originator must provide it in such time and manner that the ODFI can deliver the authorization to a requesting RDFI within ten (10) banking days of the RDFI's initial request.
The Originator is required to ensure there is clear identification of the source of an ACH transaction. Specifically, the Rules require the Originator to populate the Company Name Field with the name by which it is known to and readily recognized by the Receiver of the entry. As this company name appears on the account holder’s statement, it should be easily recognized by the account holder/receiver of the debit/credit.
Origination of the IAT standard entry class code is not permitted by SouthState Bank. Certain ACH payments that were once classified as domestic transactions are now classified as international payments (IAT transactions). An ACH transaction may be classified as an international payment (IAT transaction) if your company (1) is a subsidiary of a multi-national corporation; (2) has foreign subsidiaries; (3) buys from or sells to organizations or individuals outside the territorial jurisdiction of the United States; or (4) sends payroll, pension or benefit payments via the ACH Network to individuals whose permanent resident addresses are outside the territorial jurisdiction of the United States.
Corporations are required to comply with OFAC obligations, and the penalties for ignoring those obligations can be both criminal and civil and include both jail time and fines ranging from $10,000 to $10,000,000 per occurrence. If these fines are levied against the financial institution, they may be passed back to the corporate originator depending on the specifics of the case and the details of their contract with the financial institution. The fines are levied by the U.S. government and funds collected are the property of the government, not the financial institution. Additional information on OFAC obligations and fines can be found at the following link: https://www.treas.gov/offces/enforcement/ofac/.
Prenotifications (prenotes) are zero-dollar entries sent to validate that the account exists at the RDFI. Originators may send a prenote, but the Rules do not require one. If an Originator sends a prenote, it must wait three (3) banking days after the prenote's Settlement Date before initiating the live-dollar entry.
An Originator may reverse an erroneous or duplicate file, or an item within the file, within five (5) banking days after the Settlement Date of the original file. The word "REVERSAL" must be placed in the Company Entry Description field of the Company/Batch Header record, and if the file is reversing an erroneous file, the Originator must initiate a correcting file together with the reversing file. The Originator should notify the account holder(s)/Receiver(s) of the reversing entry and the reason for it no later than the Settlement Date of the reversing entry.
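The timing and field rules above (the two-banking-day corporate and sixty-calendar-day consumer return windows, the re-initiation limits and "RETRY PYMT" tag, and the five-banking-day reversal window with its "REVERSAL" tag) are constraints an origination system can enforce before a batch is released, rather than leaving them to staff memory. The Python below is an added example, not code from SouthState Bank, Nacha or any ACH library: `Batch` is a simplified stand-in for the Company/Batch Header fields the rules touch, and its field names, the `CORPORATE_SEC`/`CONSUMER_SEC` sets, the weekend-and-holiday banking-day model and the sample batches are this example's own assumptions. The return reason codes R01, R09 and R08 are the standard codes for insufficient funds, uncollected funds and stopped payment.

```python
"""Pre-release checks for the Nacha timing and field rules described above.
Added example, not SouthState Bank's or Nacha's code: Batch is a simplified
stand-in for the Company/Batch Header fields these rules touch, and its field
names, the SEC-code sets and the sample data are this example's assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import FrozenSet, List, Optional

RETRY_WITHOUT_CONSENT = {"R01", "R09"}   # insufficient / uncollected funds
STOP_PAYMENT = "R08"                     # retry only with Receiver authorization
MAX_RETRIES, RETRY_WINDOW_DAYS = 2, 180  # calendar days after the original Settlement Date
REVERSAL_WINDOW = 5                      # banking days after the original Settlement Date
CORPORATE_SEC = {"CCD", "CTX", "IAT"}    # unauthorized return: 2 banking days
CONSUMER_SEC = {"PPD"}                   # unauthorized return: 60 calendar days


@dataclass(frozen=True)
class Batch:
    batch_number: int
    company_name: str
    company_id: str
    entry_description: str  # Company Entry Description field
    amount_cents: int
    settlement_date: date


def add_banking_days(start: date, n: int, holidays: FrozenSet[date] = frozenset()) -> date:
    """Date n banking days (Mon-Fri, minus the supplied holidays) after start."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5 and d not in holidays:
            n -= 1
    return d


def unauthorized_return_deadline(sec: str, settlement: date,
                                 holidays: FrozenSet[date] = frozenset()) -> date:
    """Banking day at whose opening of business the return must already be
    available to the ODFI, so the RDFI has to transmit it before that day."""
    if sec in CORPORATE_SEC:
        return add_banking_days(settlement, 2, holidays)
    if sec in CONSUMER_SEC:
        return add_banking_days(settlement + timedelta(days=60), 1, holidays)
    raise ValueError(f"no return window modelled for SEC code {sec}")


def check_reinitiation(original: Batch, return_code: str, retries: List[Batch],
                       receiver_authorized_retry: bool = False,
                       odfi_corrected: bool = False) -> List[str]:
    """Rule violations for retrying a returned debit; [] means it may be released."""
    p = []
    if not (return_code in RETRY_WITHOUT_CONSENT or odfi_corrected
            or (return_code == STOP_PAYMENT and receiver_authorized_retry)):
        p.append(f"return {return_code} is not eligible for re-initiation")
    if len(retries) > MAX_RETRIES:
        p.append(f"{len(retries)} retries exceeds the limit of {MAX_RETRIES}")
    deadline = original.settlement_date + timedelta(days=RETRY_WINDOW_DAYS)
    for r in retries:
        tag = f"batch {r.batch_number}"
        if r.settlement_date > deadline:
            p.append(f"{tag}: after the {RETRY_WINDOW_DAYS}-day window ({deadline})")
        if r.batch_number == original.batch_number:
            p.append(f"{tag}: retry must be sent in a separate batch")
        p += [f"{tag}: {f} differs from the original"
              for f in ("company_name", "company_id", "amount_cents")
              if getattr(r, f) != getattr(original, f)]
        if r.entry_description != "RETRY PYMT":
            p.append(f"{tag}: Company Entry Description must be 'RETRY PYMT'")
    return p


def check_reversal(original: Batch, reversing: Batch, erroneous: bool,
                   correcting: Optional[Batch] = None,
                   holidays: FrozenSet[date] = frozenset()) -> List[str]:
    """Rule violations for a reversing batch; [] means it may be released."""
    p = []
    if reversing.entry_description != "REVERSAL":
        p.append("Company Entry Description must be 'REVERSAL'")
    deadline = add_banking_days(original.settlement_date, REVERSAL_WINDOW, holidays)
    if reversing.settlement_date > deadline:
        p.append(f"settles after the {REVERSAL_WINDOW}-banking-day deadline ({deadline})")
    if erroneous and correcting is None:
        p.append("reversal of an erroneous file must be sent with a correcting file")
    return p


# Constructed sample batches; 2024-03-04 (a Monday) is the original Settlement Date.
ORIGINAL = Batch(1, "ACME WIDGETS", "1234567890", "PAYROLL", 150000, date(2024, 3, 4))
GOOD_RETRY = Batch(2, "ACME WIDGETS", "1234567890", "RETRY PYMT", 150000, date(2024, 3, 11))
BAD_RETRY = Batch(3, "ACME WIDGETS", "1234567890", "RETRY PAYMENT", 150001, date(2024, 9, 5))
REVERSAL_OK = Batch(4, "ACME WIDGETS", "1234567890", "REVERSAL", 150000, date(2024, 3, 8))
REVERSAL_LATE = Batch(5, "ACME WIDGETS", "1234567890", "REVERSAL", 150000, date(2024, 3, 12))

if __name__ == "__main__":
    print("corporate return by:", unauthorized_return_deadline("CCD", ORIGINAL.settlement_date))
    print("retry problems:", check_reinitiation(ORIGINAL, "R01", [GOOD_RETRY, GOOD_RETRY, BAD_RETRY]))
    print("reversal problems:", check_reversal(ORIGINAL, REVERSAL_LATE, erroneous=True))
```

The checks return a list of violations rather than raising on the first one, so an approver sees everything wrong with a batch at once; the holiday set is deliberately empty by default because bank holidays vary, and a real deployment would load the Federal Reserve holiday calendar into it.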
SouthState Bank permits Originators to send PPD (Prearranged Payment and Deposit) entries for consumer accounts and CCD (Corporate Credit or Debit), CCD+, and CTX (Corporate Trade Exchange) entries for corporate accounts. Any other standard entry class code requires approval from SouthState Bank before use.
A Receiver may place a stop payment at its RDFI that applies to all future entries from a single Originator, not just to one payment. Originators need to train internal staff to understand that multiple stop-payment returns may therefore arrive for the same Receiver. Those entries should not be re-initiated until the matter has been resolved.
A Third-Party Sender is a type of Third-Party Service Provider that acts as an intermediary between the bank and the Originators that are the Third-Party Sender's customers. The Rules require every Third-Party Sender to conduct a Rules compliance audit and a risk assessment of its ACH operations no later than December 31 of each year. Documentation supporting the completion of the audit must be (1) retained for six years from the date of the audit, and (2) provided to Nacha upon request. Because this is a Rule requirement, SouthState Bank requires a copy of the ACH audit and risk assessment each year. Approved Third-Party Senders should consult their agreement for additional requirements. This applies only to Third-Party Senders.
The originating customer is responsible for ensuring they (along with any third party service providers acting on their behalf) implement and maintain security policies, procedures, and systems related to the initiation, processing, and storage of entries and resulting protected information.
In addition, it is the responsibility of the customer to educate staff on how to protect the business’ online banking system, take reasonable steps to maintain the confidentiality and security of the security procedures and any passwords, codes, security devices, including but not limited to security tokens and secure browser sessions.
Security policies, procedures and systems must: (1) protect the confidentiality and integrity of protected information; (2) protect against anticipated threats or hazards to the security or integrity of protected information until its destruction; and (3) protect against unauthorized use of protected information that could result in substantial harm to the customer.
As an ODFI, SouthState Bank may establish additional risk management procedures, such as requiring an audit of an Originator's activity, closely monitoring the return volume of its Originators, and assessing the risk associated with the type of ACH activity each Originator performs. Originators need to understand why these risk management practices are necessary: (1) due diligence with respect to Originators and Third-Party Senders; (2) assessment of the nature of each Originator's or Third-Party Sender's ACH activity and the risks it presents; and (3) procedures to monitor each Originator's or Third-Party Sender's origination and return activity, and to enforce exposure limits and restrictions on the types of ACH transactions that may be originated.