3 minute read

Get to Know the New Nacha Anti-Fraud Rules

1/5/2021 8:30 PM

Institutions that transfer money back and forth via ACH transactions are increasingly vulnerable to fraud, and colleges and universities are no exception. In response to more frequent and sophisticated phishing and other attacks, the National Automated Clearinghouse Association (Nacha) will implement two new fraud-prevention policies in 2022. Those deadlines will be here before you know it, so here’s a quick summary of the new rules and their respective compliance options:

Supplementing Fraud Detection Standards for WEB Debits

Enforcement begins March 19, 2022

While organizations are already required to use fraud detection when conducting commercial ACH transactions, this new rule will supplement existing efforts by making account validation explicitly required. Existing account validation methods include:

  • ACH Validation Test (Prenote) – This method uses a test transaction for zero dollars to validate the account. It takes a few days to complete, and although it verifies the account and routing number, it doesn’t verify the account holder.
  • Micro Deposits – Similar to prenotes, micro deposits — sometimes as little as a penny — take a few days to complete. This method requires action to be taken by the payer (i.e. students) to verify the amount deposited into their bank account.
  • Account Validation Service – This real-time method leverages a cooperative database that is maintained and updated by major financial institutions. Validation includes both account and routing number, with no delay or added student interaction.

Both prenotes and micro deposits are manual processes, and response time is delayed for both.

Unlike the first two methods, an Account Validation Service is automated and occurs in real time at the point of payment, so accounts are validated immediately. Less friction for students, fewer returns for your office — this is the spirit of the new Nacha rules.

Supplementing Data Security Requirements

Phased enforcement begins June 30, 2022

This two-phase rule will supplement data protection requirements by requiring bank account numbers used in the initiation of ACH transactions to be rendered unreadable when stored electronically. In simple terms, account numbers must be encrypted or tokenized when stored.

  • Larger originators and third parties with ACH volume greater than six million transactions are required to have their encryption (or tokenization) in place by June 30, 2021; enforcement begins June 30, 2022. Smaller entities with ACH volume greater than two million transactions must have encryption in place by June 30, 2022; enforcement begins June 30, 2023.
  • Both encryption and tokenization meet this rule’s requirements; Tokenization vs. Encryption: Learn (the) Differences Between Both compares them using helpful charts and illustrations.

When it comes to higher ed fraud prevention, the best defense is a good offense that also provides a better student experience. By working with your Third Party Sender — also known as an ACH Originator or ACH Merchant Services Provider — now to implement Account Validation Service and end-to-end encryption or tokenization, you’ll be compliant in advance of Nacha’s rule updates. You’ll also have a competitive advantage when it comes to meeting student expectations for real-time campuswide commerce that’s frictionless and secure.