Institutions that transfer money back and forth via ACH transactions are increasingly vulnerable to fraud, and colleges and universities are no exception. In response to more frequent and sophisticated phishing and other attacks, the National Automated Clearinghouse Association (NACHA) will implement two new fraud-prevention policies in 2020. Those deadlines will be here before you know it, so here’s a quick summary of the new rules and their respective compliance options:
Supplementing Fraud Detection Standards for WEB Debits – Effective March 19, 2021
While organizations are already required to use fraud detection when conducting commercial ACH transactions, this new rule will supplement existing efforts by making account validation explicitly required. Existing account validation methods include:
- ACH Validation Test (Prenote) – This method uses a test transaction for zero dollars to validate the account. It takes a few days to complete, and although it verifies the account and routing number, it doesn’t verify the account holder.
- Micro Deposits – Similar to prenotes, micro deposits — sometimes as little as a penny — take a few days to complete. This method requires action to be taken by the payer (i.e. students) to verify the amount deposited into their bank account.
- Account Validation Service – This real-time method leverages a cooperative database that is maintained and updated by major financial institutions. Validation includes both account and routing number, with no delay or added student interaction.
Both prenotes and micro deposits are manual processes, and response time is delayed for both.
Unlike the first two methods, an Account Validation Service is automated and occurs in real time at the point of payment, so accounts are validated immediately. Less friction for students, fewer returns for your office — this is the spirit of the new NACHA rules.
Supplementing Data Security Requirements – Phase-in Begins June 30, 2020
This two-phase rule will supplement data protection requirements by requiring bank account numbers used in the initiation of ACH transactions to be rendered unreadable when stored electronically. In simple terms, account numbers must be encrypted or tokenized when stored.
- Larger originators and third parties with ACH volume greater than six million will be required to have their encryption (or tokenization) in place by June 30, 2020. Smaller entities with ACH volume greater than two million must have encryption in place by June 30, 2021.
- Both encryption and tokenization meet this rule’s requirements; Tokenization vs. Encryption: Learn (the) Differences Between Both compares them using helpful charts and illustrations.
When it comes to higher ed fraud prevention, the best defense is a good offense that also provides a better student experience. By working with your Third Party Sender — also known as an ACH Originator or ACH Merchant Services Provider — now to implement Account Validation Service and end-to-end encryption or tokenization, you’ll be compliant in advance of NACHA’s rule updates. You’ll also have a competitive advantage when it comes to meeting student expectations for real-time campuswide commerce that’s frictionless and secure.
Adam McDonald is the President of TouchNet. Adam has spent his entire career in the software industry and draws from that experience to steer TouchNet's product and process innovation and ensure consistently exceptional customer experience. Prior to becoming president in mid-2018, Adam served as TouchNet’s Vice President and General Manager. Before joining TouchNet, Adam held a number of leadership positions at RSA, including Vice President and Global Service Leader. Prior to his tenure at RSA, Adam worked at Archer Technologies and MicroStrategy in leadership roles. Adam is a graduate of Dartmouth College, where he earned his bachelor’s degree in history.