NACHA is a US organization closely linked to the Federal Reserve. It governs the ACH network, and, more recently, the FedNow instant payment system. NACHA rules were created in 2021 and became enforceable the following year. Their goal: prevent fraud in ACH payments. Keep reading to learn the required guidelines your business must follow to remain compliant!
What are the NACHA rules?
NACHA operating rules are here to protect your organization, its customers, and its suppliers against possible fraud. They ensure:
- All financial data will be safely handled.
- ACH transactions will reach their intended beneficiary smoothly.
That’s on top of ensuring you’ve received authorization from your customer for processing their funds.
All ACH network participants must comply with those guidelines, regardless of their POS entries (BOC, ARC, POP entries, etc.). Here is a summary of the NACHA requirements for originators of ACH transactions:
Secure sensitive data
As a business dealing with ACH payments, you’re handling a lot of personal data, such as:
- Routing numbers of financial institutions (specifically RDFIs),
- Social Security numbers,
- Bank account information,
- Fiscal numbers,
All this sensitive information must be dealt with appropriately when processing transactions but also when dealing with returns (which come with their error code).
NACHA sets clear rules for data management: sensitive data must be stored and transferred securely, in a form that no outside party can read.
That means using encrypted emails or secured web forms, for example. This NACHA rule also covers any paper documents you hold. Your physical files must be securely stored, and access must be limited to relevant employees.
In other words, NACHA wants you to keep all private information under lock and key.
Set up security protocols
But safe storage isn’t enough! As a payment originator, you also need written rules to ensure everyone is on the same page regarding data governance and payment protection.
These written rules serve as an ACH compliance manual for your employees and as operating guidelines for your providers.
Your security protocols can include:
- A clear process from payment intake to data storage,
- Who has access to which information, when, and from where,
- A requirement to use multi-factor authentication and strong passwords,
- Measures like the segregation of duties so no one person has total unrestricted access.
Think of it as your ultimate security policy that can be given during onboarding. It can also be used as a base for ongoing security training.
Remember that if you use a third-party app to handle your payments (like Trustpair), you must ensure it complies with those rules as well (we do!).
Protect your organization against fraud
It is your responsibility to ensure you are protected against fraud. NACHA rules stipulate that originators must do what is deemed “commercially reasonable” to prevent fraud from happening in their organization.
While that is a vague statement, you will be judged on results. If fraud happens, an inquiry might follow to see whether sufficient efforts were made to prevent it. If not, your company could receive hefty fines (on top of fraud losses).
The best way to protect your organization is by using fraud prevention software like Trustpair as a third-party sender that’s 100% secure and compliant.
Our software works with AI and uses pattern recognition to spot any fraudulent attempt. We can identify something suspicious before any fraud has happened. Unauthorized transactions are spotted and blocked before they’re sent.
Our unique algorithm works internationally, so it’s ideal for companies with business overseas.
Validate Routing Numbers
NACHA rules say that you have to validate your third parties’ routing numbers. Routing numbers are the numbers used to identify your financial institution (banks, credit unions, etc.) during an ACH transfer.
Receiving Depository Financial Institutions (or RDFIs) are financial institutions working with the Federal Reserve or Clearing House to receive entries. Those ACH payments are classified as either:
- Debit entries or credit entries.
- Consumer or corporate entries.
The RDFI check is the first step in ensuring the payment reaches the right receiver. It’s necessary whether you send payments directly or use third-party senders. Trustpair helps you check your RDFIs (and more) in a few seconds.
Verify your recipient’s identity
According to the NACHA operating rules, you must validate your recipient’s account before sending them any payments through their RDFI.
Concretely, it means checking the credentials your recipient gave you, namely that:
- Their bank account numbers are valid,
- Their name is correct,
- Both sets of information match.
Three-way matching ensures that your recipient (a vendor or a supplier) is who they say they are. It is a key element in fighting against money laundering, terrorism funding, and fraud of all sorts.
This applies whether someone pays through your website or app, by email, phone, POP, etc. You have several ways to be compliant with the NACHA validation rule: using micro-entry deposits, pre-notifications, or instant notifications.
The latter means using software services like Trustpair, which gives you real-time feedback. It’s the most effective and safe way to do it.
How Trustpair helps you increase compliance with NACHA rules
ACH rules ask you to do account validation:
- When onboarding a new receiver to your payment file,
- When their financial information changes.
While the former can be done as part of your onboarding process, the latter is harder to comply with.
Someone can forget to do it in the hustle and bustle of day-to-day tasks. Even worse: no one might realize that there has been a change in your beneficiary’s credentials.
Fraudsters have developed several techniques that allow them to swap legitimate bank account information for their own without anyone being the wiser. It is sometimes days or months before fraud is detected, and it’s too late by then to do anything but take the operating loss.
They might have an employee as an accomplice, hack into your supplier’s email account, or even get a team member to approve it by impersonating your CEO.
Our software checks your third party’s credentials before any funds are sent, meaning you always know who you’re sending payments to. An ACH debit will only be made to your account once the recipient has been cleared and checked. This also contributes to lower return (or bouncing) payment rates.
We use three-way matching so there is never any doubt about the validity or the identity of your receiver’s bank account. We have access to otherwise hard-to-reach information (including overseas) making it easy to pay your international suppliers safely.
Because our software works in real-time, you also don’t waste time going back and forth: our solution increases collaboration with your team members and suppliers. It gathers all the info you need in one secure location.
That means you also have total visibility and traceability over the ACH account validation process in case of an audit. Using Trustpair means you are 100% compliant and secure against fraud.
- NACHA rules are here to protect your business, vendors, and customers from fraud. You must follow them to guarantee compliance, or risk hefty fines.
- Using anti-fraud software streamlines your account validation process and increases your payments’ safety. Trustpair helps you be 100% compliant and safe.