In 2020, Nacha released several new rules that will go into effect this year. Two of the new standards will affect the policies and procedures of colleges and universities using Automated Clearing House (ACH) to accept payments and issue funds.
To ensure compliance, higher ed institutions are encouraged to communicate these changes internally and work with the payment associations in their region as well as their financial services providers, transactional service providers, and vendors on how these standards impact their institutions' ACH processing.
Here is a rundown of the new Nacha ACH standards:
Beginning on March 19, 2021, higher ed institutions using consumer checking accounts for debit transactions will be required to verify the account before it can be used for web payments. The new rule enhances the existing requirement for the use of a “commercially reasonable fraudulent transaction detection system” when screening web debits for fraud, by making it explicit that “account validation” is a part of this requirement. This new standard goes into effect next year, but Nacha has announced they will not enforce this rule for an additional period of one year from the effective date with respect to covered entities working in good faith toward compliance. All institutions will want to have a compliance plan in place by March 19, 2022.
Advice: Some businesses verify ACH accounts by sending pre-notifications ($0 transactions), micro-deposits, or via an account validation partner. It is important to ensure your campus has one of these solutions in place by March 2022.
Beginning on June 30, 2021, Nacha will require schools to secure debit and credit financial data at rest — or data that is in storage or not currently in use. The new update will expand the existing rule that mandates securing data in transit through encryption, hashing, or other means to include data at rest.
The first phase goes into effect on June 30, 2021. This rule affects parties that send six million or more ACH transactions per year.
Advice: Higher ed institutions should review all platforms they process ACH transactions through to determine if they fit into the first phase. Campus leaders must ensure their partners and vendors are aware of and following the new mandate during their contract reviews to keep all data safe.
The second phase goes into effect on June 30, 2022. This rule affects parties that send two million or more ACH transactions per year, and therefore most higher education institutions will need to comply with this standard.
Advice: Schools are highly encouraged to secure their financial data even if they send fewer than 2 million ACH payments per year. Securing financial data costs far less than a data breach.
Complying with Nacha updates
Institutions that accept payments outside of TouchNet need to audit all departments making ACH transactions to ensure they’re aware of specific dates and capable of meeting new standards to remain compliant.
Colleges and universities also are encouraged to educate staff on their roles in processing payments. Annual PCI compliance reviews are opportune times to train staff on new ACH requirements such as handling form failures for ACH validation solutions.
Schools that use TouchNet Transaction Services already have access to secure, integrated, Nacha-compliant ACH validation and encryption. In line with the new standard for supplementing fraud detection standards for WEB debits, TouchNet will release U.Commerce 8.0 in March 2021. This update will offer an integrated ACH Validation solution whether institutions’ ACH files originate through their own Originating Depository Financial Institution (ODFI) or through our Transaction Services ACH solution.
Manager, Payment Programs
Martha Wilson, TouchNet's Manager, Payment Programs, joined the team in 2014. Martha, who is Internal Security Assessor (ISA) and PCI Professional (PCIP) certified, focuses on security, compliance, and processing initiatives. In her role, Martha works with our Global, TSYS, Heartland, and industry partners to implement secure payment solutions. Through these collaborations, she advocates on behalf of our higher education merchants with regulating bodies for the payment industry, such as the Payment Card Industry Security Standards Council (PCI SSC) and various card brands.