Credit Union Connection

Nacha Is Spreading ACH Fraud Responsibility Around

Nacha’s latest rule to fight ACH fraud will become effective in October. Is your credit union prepared?

The rule changes “are part of a larger Risk Management package intended to reduce the incidence of successful fraud attempts and improve the recovery of funds after frauds have occurred.”

Historically, the Originating Depository Financial Institution (ODFI) has been considered more likely to be in a position to identify a fraudulent transaction. Now, however, Nacha will shift some of that responsibility to the Receiving Depository Financial Institutions (RDFIs). The new rule will take effect Oct. 1, 2024.

“All participants in the ACH Network have a part to play in reducing the incidence of fraud and recovering when fraud has occurred,” Jane Larimer, Nacha President/CEO, commented. “I applaud Nacha’s members for taking this important step of self-governance.”

The FBI’s Internet Crime Complaint Center’s 2023 annual report recorded 21,489 Business Email Compromise (BEC) complaints in 2023, accounting for $2.9 billion in reported losses. BEC is an example of fraud that results in payments being “pushed” from a payer’s account to a fraudster’s account, or credit-push fraud, Nacha explained. It is the second most costly cybercrime, per the FBI.

What Does Nacha’s New Rule Require?

“Among the most important changes are amendments to return codes to clarify that they can be used to return fraudulent transactions as well as the codes that can be used by ODFIs to request the return of funds,” veteran credit union attorney Henry Meier wrote in an analysis. “Although these and other changes don’t take effect until October, NACHA does expect institutions to review and update their policies and procedures.”

Among the details of the amendments, the rule:

· Codifies Expanded Use of Return Reason Code R17, which is permitted but not required,

· Expands Use of ODFI Request for Return/R06,

· Creates Additional Funds Availability Exceptions,

· Amends Timing of Written Statement of Unauthorized Debits and

· Requires the RDFI to Return Unauthorized Debits Promptly.

Fraud Red Flag Example

One example of an ACH red flag would be multiple payroll payments from different companies into one account. Payroll impersonation has been a growing concern in which employees are tricked into entering their account info to get direct deposit. Instead, the funds are rerouted to a fraudster’s account. In this case, the account coding preauthorized payment and deposit (PPD) could be correct, but the volume of activity would be suspicious.
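The red flag described above can be expressed as a simple monitoring check. The following is an added example, not code from the original article or from Nacha: it counts distinct originating companies sending PPD payroll credits to one receiving account inside a sliding time window. The tuple layout, the "PAYROLL" description match, the 14-day window and the threshold of two employers are assumptions, and the sample entries are constructed.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample: received entries already parsed from ACH batch/entry records.
# Tuple layout (this example's own): settlement date, SEC code, transaction code,
# originator company ID, company entry description, receiving account, cents.
ENTRIES = [
    (date(2024, 10, 1), "PPD", "22", "CO-AAA", "PAYROLL", "ACCT-1", 185000),
    (date(2024, 10, 2), "PPD", "22", "CO-BBB", "PAYROLL", "ACCT-1", 212500),
    (date(2024, 10, 4), "PPD", "22", "CO-CCC", "PAYROLL", "ACCT-1", 199900),
    (date(2024, 10, 1), "PPD", "22", "CO-AAA", "PAYROLL", "ACCT-2", 150000),
    (date(2024, 10, 3), "PPD", "32", "CO-DDD", "PAYROLL", "ACCT-2", 90000),   # two jobs
    (date(2024, 7, 1), "PPD", "22", "CO-AAA", "PAYROLL", "ACCT-3", 150000),
    (date(2024, 8, 15), "PPD", "22", "CO-BBB", "PAYROLL", "ACCT-3", 150000),
    (date(2024, 10, 1), "PPD", "22", "CO-CCC", "PAYROLL", "ACCT-3", 150000),  # job changes
    (date(2024, 10, 2), "PPD", "27", "CO-EEE", "GYM DUES", "ACCT-2", 4500),   # debit
]

CREDIT_TRAN_CODES = {"22", "32"}  # checking credit, savings credit


def flag_multi_employer_accounts(entries, window_days=14, max_employers=2):
    """Map each account that received PPD payroll credits from more than
    max_employers distinct companies within window_days to those companies."""
    by_account = defaultdict(list)
    for settled, sec, tran, company, desc, account, _cents in entries:
        # The SEC code alone looks normal here; only the volume stands out.
        if sec == "PPD" and tran in CREDIT_TRAN_CODES and "PAYROLL" in desc.upper():
            by_account[account].append((settled, company))

    window = timedelta(days=window_days)
    flagged = defaultdict(set)
    for account, hits in by_account.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Slide the window start forward until it spans at most window_days.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            employers = {company for _, company in hits[start:end + 1]}
            if len(employers) > max_employers:
                flagged[account] |= employers
    return {account: sorted(companies) for account, companies in flagged.items()}


if __name__ == "__main__":
    for account, companies in flag_multi_employer_accounts(ENTRIES).items():
        print(f"review {account}: payroll credits from {', '.join(companies)}")
```

A member with two jobs, or one who changed employers over several months, stays below the threshold, which is the kind of tuning needed to limit false detections on legitimate activity.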

Impact of the Updates to Nacha’s Rule

According to Nacha, the new rule will clarify the use and meaning of the R17 return reason code. RDFIs would have a code to use, while ODFIs could potentially receive funds back in “questionable situations” with a clear reason for return. The rule will also enhance the ODFI’s ability to prevent future fraudulent transactions.

Credit unions and others that send and receive ACH transactions will not have to do much heavy lifting, but some training and procedural changes will be necessary. RDFIs should also be aware of the possibility of false positives, in which legitimate transactions are flagged as fraudulent.

Overall, the updates should increase opportunities to recover funds that would have been lost to scams. There will be more to come, however, as phases 2 and 3 of Nacha’s new rules roll out in 2026.

LaCorp is here to help protect your credit union. More information about our ACH services is just a click away!