CUNA Regulatory Comment Call


June 5, 2000

PILOT TO PAY FOR INTERNET GOODS
WITH ACH DEBITS

(MAJOR RULE)

EXECUTIVE SUMMARY

NACHA proposes to amend the NACHA Operating Rules to allow for consumers to pay for goods and services sold on the internet with an automated clearing house (ACH) debit from their accounts. NACHA proposes implementing an interim rule from September 15, 2000 through March 15, 2001, and a final rule on March 16, 2001.

This Request for Comment contains the recommendation that the NACHA Operating Rules be amended to:

  • expand the current definition of the Prearranged Authorized Payment and Deposit Entry (PPD) format to uniquely identify internet-initiated debit entries until a new Standard Entry Class (SEC) Code, WEB, can be implemented;
  • define new requirements for a one-time payment for web goods and recurring payments;
  • require Originators (merchants originating the transactions) to employ commercially reasonable fraudulent transaction detection systems in order to both authenticate the purchaser and to minimize the risk of fraud related to internet-initiated payments;
  • require originating depository financial institutions (ODFIs) to establish specific credit and exposure limits for Originators that take into consideration the unique risks of internet-originated ACH payments;
  • require Originators to use commercially reasonable procedures to verify that routing numbers and account number structures are valid;
  • establish minimum security requirements for the capture, storage, and transfer of payment-related information; and
  • ensure minimum security procedures and policies of Originators are met by requiring the Originator to be certified by a nationally recognized certification program (such as WebTrust, SysTrust, or their equivalent) that the Originator’s Internet sessions and data capture and storage procedures and technology meet or exceed an established minimum level of security.

Comments are due to NACHA by July 10, 2000. Please submit your comments to CUNA by June 30, 2000. Please feel free to fax your responses to CUNA at 202-371-8240; e-mail them to Associate General Counsel Mary Dunn at mdunn@cuna.com or to Assistant General Counsel Michelle Profit at mprofit@cuna.com or mail them to Mary or Michelle in c/o CUNA’s Regulatory Advocacy Department, 805 15th Street, NW, Suite 300, Washington, DC 20005.

NACHA has prepared its own survey that includes the questions at the end of this comment call. Press here for a complete copy of that survey (Note: PDF file). Surveys and comments may be sent directly to NACHA, to the attention of Debbie Barr, AAP, Assistant Director of Network Services, NACHA, 13665 Dulles Technology Drive, Suite 300, Herndon, VA 20171, fax: (703) 787-0996, e-mail: dbarr@nacha.org. Please forward a copy of this survey to CUNA as well.

RULE

This request for comment contains the recommendation that the NACHA Operating Rules be modified to include an interim rule that will be effective September 15, 2000 through March 15, 2001 and a final rule that will be effective on March 16, 2001.

Interim Rule: Using the PPD Format to Uniquely Identify Internet-Initiated ACH Payments

Under the proposed interim rule, the definition of the Prearranged Payment and Deposit Entry (PPD) format would allow internet-initiated entries to be identified by financial institutions until the new Standard Entry Class Code in the final rule becomes effective. Under the interim rule, which has been designed so that Receiving depository financial institutions (RDFIs) are not required to make any software changes, internet-initiated entries will be identified through the inclusion of the word "INTERNET" in the Company Entry Description Field of the Company/Batch Header Record. RDFIs will also be able to identify whether the internet-initiated ACH debit is a recurring payment or single-entry payment by an indicator in the Discretionary Data Field of the PPD Entry Detail Record. The indicator would be "S" for single entry payment and "R" for recurring payment. Under the interim and final rules, the Company Name Field would identify the originator of the internet-initiated debit entry and would be placed on the consumer’s bank statement.
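The interim-rule markers described above can be read straight out of a batch, as this added example shows (it is not NACHA's or CUNA's code). The field offsets assume the standard 94-character NACHA record layout, which this page does not give; the sample records and the helper names are constructed for illustration, and the ABA check-digit test is included as one routine check on a routing number.

```python
# Added example: offsets assume the standard 94-character NACHA layout
# (the page names the fields but gives no positions). Sample data is constructed.
WEIGHTS = (3, 7, 1, 3, 7, 1, 3, 7, 1)
KINDS = {"S": "single", "R": "recurring"}

def routing_ok(rtn):
    """ABA check-digit test: weighted digit sum must be a multiple of 10."""
    return (len(rtn) == 9 and rtn.isdigit()
            and sum(int(d) * w for d, w in zip(rtn, WEIGHTS)) % 10 == 0)

def classify(lines):
    """Return one dict per Entry Detail Record, tagged per the interim rule."""
    out, internet, company = [], False, ""
    for raw in lines:
        rec = raw.rstrip("\r\n").ljust(94)
        if rec[0] == "5":                      # Company/Batch Header Record
            company = rec[4:20].strip()        # Company Name
            sec, desc = rec[50:53], rec[53:63].strip().upper()
            internet = sec == "PPD" and desc == "INTERNET"
        elif rec[0] == "6":                    # Entry Detail Record
            rtn = rec[3:12]                    # RDFI identification + check digit
            kind = KINDS.get(rec[76:78].strip().upper()) if internet else None
            problems = []
            if not routing_ok(rtn):
                problems.append("routing check digit")
            if internet and kind is None:
                problems.append("missing S/R indicator")
            out.append({"company": company, "internet": internet, "kind": kind,
                        "debit": rec[1:3] in ("27", "37"),
                        "cents": int(rec[29:39]), "problems": problems})
    return out

def _header(name, desc):   # constructed sample batch header
    return ("5225" + name.ljust(16) + " " * 20 + "1234567890" + "PPD"
            + desc.ljust(10) + " " * 6 + "000915" + "   " + "1"
            + "12345678" + "0000001")

def _entry(rtn, cents, disc, seq):   # constructed sample checking debit
    return ("627" + rtn + "000111222".ljust(17) + str(cents).zfill(10)
            + "CUST0001".ljust(15) + "JANE MEMBER".ljust(22) + disc.ljust(2)
            + "0" + "12345678" + str(seq).zfill(7))

SAMPLE = [
    _header("EXAMPLE SHOP", "INTERNET"),
    _entry("123456780", 4999, "S", 1),
    _entry("123456780", 1500, "R", 2),
    _entry("123456789", 2500, "", 3),      # bad check digit, no indicator
    _header("UTILITY CO", "PAYMENT"),
    _entry("123456780", 8000, "", 4),      # ordinary PPD debit
]

if __name__ == "__main__":
    for row in classify(SAMPLE):
        print(row)
```

An internet-flagged entry that lacks the S/R indicator is reported rather than silently treated as an ordinary PPD debit, since the rule's return and stop-payment handling depends on that distinction.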

Final Rule: A New Standard Entry Class (SEC) Code – Internet-Initiated Entries (WEB)

Under the proposed final rule, a new SEC code (WEB) would supersede the use of the PPD format for internet-initiated ACH payments. In the final rule, a distinct field within the Entry Detail Record (the Payment Type Code) will be used to identify whether this is a single entry or recurring Internet-initiated PPD entry. This unique Standard Entry Class Code will enable RDFIs to readily identify these types of entries.

Legal Framework

The laws and regulations that apply to internet-initiated debit entries are the NACHA Operating Rules, the Electronic Funds Transfer Act, and Regulation E.

Return of an Internet-Initiated Debit Entry

In general, the NACHA Operating Rules require that an RDFI transmit a return for an internet-initiated entry to the RDFI’s ACH Operator by its deposit deadline for the return entry to be made available to the ODFI no later than the opening of business on the second banking day following the settlement date of the original entry.

In certain instances, the consumer may claim that he did not authorize the Originator to transmit an internet-initiated debit entry or that the consumer revoked the authorization prior to the debit posting to the account. In that case, the RDFI will have a longer deadline for returns. The RDFI must transmit a return to its ACH Operator by the deposit deadline for the return entry to be made available to the ODFI no later than the opening of business on the banking day following the sixtieth calendar day following the settlement date of the original entry. In circumstances in which an entry was not authorized or the authorization for recurring entries was revoked, the consumer will be required to sign an affidavit in order for the RDFI to recredit the consumer’s account and return the entry. Any subsequent dispute regarding an unpaid debt must be addressed directly between the merchant and the consumer.

Returns Not Allowed for Authorization Revoked on Single-Entry Debits

Under the final rule establishing the new WEB Standard Entry Class Code, single-entry internet-initiated debit entries may not be returned by the consumer’s financial institution using Return Reason Code R07 – Authorization Revoked By Consumer. Therefore, the Originator is not required to include within the authorization language for a single-entry internet-initiated entry the method by which the consumer may revoke his authorization for such a transaction. The rationale for not allowing returns for this reason is that these transactions are one-time payments that are authorized at the time goods or services are purchased. The consumer does, however, retain the right to place a stop payment on a single-entry internet-initiated debit, or he could request the return of any unauthorized entry using Return Reason Code R10. The consumer may also seek a refund directly with the merchant. The interim rule does not require the Originator to include revocation language in the authorization, but the credit union/merchant should realize that until the final rule is implemented, the consumer could still use Return Reason Code R07.

Stop Payment of an Internet-Initiated Debit Entry

Under the PPD interim rule, and for recurring payments under the final rule establishing the new WEB SEC Code, the stop payment provisions for internet-initiated payments will be the same as current NACHA Operating Rules provisions (i.e., the stop payment order must be placed at least three days prior to the scheduled date of the transfer). For single-entry internet-initiated entries under the new WEB SEC Code, however, the NACHA Operating Rules are different. They require a consumer to place a stop payment order in such a time and in such a manner that the RDFI has a reasonable opportunity to act upon the stop payment order prior to acting on the debit entry. This variation is consistent with the stop payment requirements currently in place for re-presented check entries, point-of-purchase entries, and PPD Accounts Receivable Truncated Check Debit Entries.

ODFI

In addition to the general warranties that cover ODFI transmission of all ACH entries, ODFIs must be aware that they will assume the following additional warranties related to internet-initiated debit entries:

  • Each Originator that an ODFI transmits internet-initiated debit entries for has implemented a commercially reasonable fraudulent transaction detection system to screen the entry.
  • The ODFI has established specific procedures to monitor the credit-worthiness of each Originator on an ongoing basis for internet-initiated debit entries, and further has established specific exposure limits for internet-initiated debit entries.
  • Each of its Originators has verified that the routing numbers and account number structures for its entries are valid.
  • Each of its Originators has established a secure Internet session with each consumer that uses at least 128-bit encryption technology during the entry, transmission and receipt of financial information.
  • Each of its Originators has obtained certification by a nationally recognized certification program that the Originator’s internet sessions and data capture and storage procedures and technology meet or exceed an established minimum level of security.

These warranties expose them to additional liabilities. ODFIs must ensure that they are aware of such warranties and resultant liabilities, and they should be sure such issues are addressed within their ODFI/Originator agreements.

RDFI

The proposed interim rule requires no software changes by RDFIs, but allows them to identify both single entry and recurring internet-initiated ACH debit transactions to consumer accounts. RDFIs should be aware that, as with all ACH entries, internet-initiated debit entries may be returned for any valid reason, with the following exception: for the new WEB SEC Code, they will not be able to utilize Return Reason Code R07 for single-entry internet-initiated entries. For unauthorized internet-initiated debit entries to consumer accounts, the RDFI may transmit the return entry so that it is made available to the ODFI no later than the opening of business on the banking day following the sixtieth calendar day following the Settlement Date of the original entry. For such return entries, the RDFI must have the Receiver’s affidavit that the entry was not authorized. RDFIs will need to ensure that their operations and customer service departments understand how these entries were initiated in order to be prepared to respond to customer service inquiries related to these transactions.

Member

Members should be aware that by providing their authorization over the Internet, along with their bank information (routing and account number), they have authorized the initiation of an ACH debit to their accounts for the purposes of purchasing goods or services. Members should be aware that they need to be in a secure session prior to entering financial information over the Internet for purposes of purchasing goods or services. Members should understand that information relating to the transaction (i.e., merchant name, amount of transaction, etc.) would be provided to them on their monthly share draft statements to assist in reconciling their accounts. Information pertaining to such entries will be located in the electronic payments section of the bank statement. For the final rule implementing a new SEC Code, members should be aware that they may not return a single entry transaction on the basis that the authorization was revoked. Members do retain the right to place a stop payment order on such an entry or to be recredited for such a transaction if it is unauthorized.

NACHA states that this pilot would benefit RDFIs in the following manner:

  • Requiring the verification of routing numbers and account number structures may reduce the volume of exception processing that RDFIs are likely to experience with Internet-initiated ACH debit entries.
  • A new SEC Code will allow RDFIs to provide better customer service because they will be able to identify Internet-initiated payments.
  • Enhanced security requirements should reduce the number of returns related to fraud.
  • Requiring Originators to use commercially reasonable fraudulent transaction detection systems should reduce the number of returns due to unauthorized payments.

QUESTIONS ABOUT THE PROPOSAL:

  • Are you an RDFI or an ODFI?
  • Do Internet-initiated payments pose additional risk to your institution as compared to other ACH payments?
  • ____Yes ____No
    If not, why not?
    If yes, what risks are you most concerned about?
  • Does your institution agree that there is a need to uniquely identify Internet-initiated ACH payments so that specific rules provisions and warranty issues related to Internet risk management issues may address these transactions?
  • ____Yes ____No
    Why or why not?
  • Does your institution agree that a new Standard Entry Class Code is the most appropriate method to identify Internet-initiated payments?
  • ____Yes ____No
    Why or why not?
  • If your institution does not agree that a new Standard Entry Class Code is the most appropriate method to identify Internet-initiated entries, what options does your institution suggest to identify these payments?
  • Does your institution agree with the recommendation for an interim rule using the PPD format and a final rule using a new Standard Entry Class Code for this application?
  • ___ Yes ___ No
    Why or why not?
  • Does your institution agree with the recommendation that single-entry Internet-initiated entries, in the proposed final rule, can not be returned using Return Reason Code R07 (Authorization Revoked by Consumer)?
  • ___ Yes ___ No
    Why or why not?
  • Does your organization agree that, in order to better serve consumers, the final rule should include the modification to require the RDFI to act on a stop payment order for single-entry Internet-initiated transactions that is placed with the financial institution when the financial institution has been given a reasonable time to act on the stop payment order instead of the three days notice?
  • ____ Yes ___ No
  • Does your institution agree that ODFIs should warrant that Originators of Internet-initiated entries have used commercially reasonable procedures to verify that routing numbers are valid for ACH transactions?
  • ____Yes ____No
    Why or why not?
  • What tools could Originators use to verify such data?
  • What other methods could Originators use to verify such data?
  • Does your institution agree that ODFIs should warrant that Originators of Internet-initiated entries have used commercially reasonable procedures to verify that account number structures are valid for ACH transactions?
  • ____Yes ____No
    Why or why not?
  • What tools could Originators use to verify such data?
  • What other methods could Originators use to verify such data?
  • Does your institution anticipate that requiring the Originator to verify the validity of routing numbers and account number structures will reduce the number of administrative returns you process?
  • ____Yes ____No
  • Does your institution agree that ODFIs should warrant that each Originator of Internet-initiated entries has implemented and utilizes a commercially reasonable fraudulent transaction detection system?
  • ____Yes ____No
    Why or why not?
  • Does your institution agree that ODFIs should warrant that each Originator of Internet-initiated entries has established a secure Internet session with a minimum of 128-bit encryption for each consumer (Receiver) before transmitting any financial information?
  • ____Yes ____No
    Why or why not?
  • Does your institution agree that ODFIs should warrant that each Originator of Internet-initiated entries has been certified by a nationally recognized certification program that its Internet sessions and data capture/storage procedures and technology meet or exceed an established minimum level of security?
  • ____Yes ____No
    Why or why not?
  • Please identify any nationally recognized certification programs that your organization is aware of:
  • The interim rule will not require RDFI software changes. The final rule with the new SEC Code will require your institution to make changes to its software. Will the required software changes be:
  • ____Very extensive ____Moderately extensive
    ____Somewhat extensive ____Not extensive
  • Will the required software changes be:
  • ____Very costly ____Moderately costly
    ____Somewhat costly ____Not costly
  • Does this Request For Comment adequately address the impact of this change on your organization?
  • ____Yes ____No
    If no, specify why not?
    All Participants
  • Does your organization agree with the proposal contained within this Request For Comment?
  • ____Yes ____No
    Why or why not?
    If no, what specific changes would cause your organization to be in favor of this proposal?

    A.

    B.

    C.

    D.

  • Do you agree with the recommended implementation date for the Interim Rule using the PPD format of September 15, 2000 through March 15, 2001?
  • ____Yes ____No
    Why or why not?
    If no, what implementation date do you believe is more appropriate? _________
  • Do you agree with the recommended implementation date for the new SEC Code of March 16, 2001?
  • ____Yes ____No
    Why or why not?
  • If no, what implementation date do you believe is more appropriate?
  • September 2000
    September 2001
    Other, please specify:
  • Please identify any other specific issues that you may have concerning this proposed rule amendment: (attach additional pages if needed)

Name:_______________________________________________

Title:______________________________________________

Organization:_______________________________________

Street Address:_____________________________________

City/State/Zip:_____________________________________

Phone:_______________________ Fax:_________________

E-mail:__________________

Eric Richard • General Counsel • (202) 508-6742 • erichard@cuna.com
Mary Mitchell Dunn • SVP & Associate General Counsel • (202) 508-6736 • mdunn@cuna.com
Jeffrey Bloch • Assistant General Counsel • (202) 508-6732 • jbloch@cuna.com
Catherine Orr • Senior Regulatory Counsel • (202) 508-6743 • corr@cuna.com