On the surface, 2023 may seem like a pretty relaxed year ahead in terms of updates to the ACH Rules. However, in addition to the Rule change coming next month, there are a handful of previously passed Rules that are taking effect, have grace periods ending or will finally be enforced after the COVID-19 pandemic caused a delay.
Phase 2 of the Micro-Entries Rule
Beginning with the Rules change, Phase 2 of the Micro-Entries Rule (soon to be Subsection 2.7.5 of the ACH Rules) takes effect on March 17, 2023. Phase 1 of the Rule, which took effect on September 16th, 2022, defined Micro-Entries officially as “ACH Credits less than $1 and any offsetting ACH Debits, used for the purpose of verifying a Receiver’s account” sent by ACH Originators. These are used to send unique offsetting entries that a Receiver can easily see on their account and report back to the Originator for validation. Phase 2, however, implements a new rule that states “an Originator of Micro-Entries must conduct commercially reasonable fraud detection on its use of Micro-Entries, including by monitoring the forward and return volumes of Micro-Entries.” Furthermore, the detection and reporting are intended to minimize the incidence of fraud schemes that make use of Micro-Entries, establish a baseline of activity and should be monitoring volumes instead of entry-to-entry reviews.
Third-Party Sender Roles and Responsibilities
As of September 30, 2022, Nacha has implemented revised rules relating to Third-Party Sender Roles and Responsibilities, which:
Also, the six-month grace period for the following components of the Third-Party Sender rules expires March 31st, 2023:
Phase 2 of the Supplemental ACH Data Security Rule
Finally, Nacha’s ACH Operations Bulletin #1-2022 presented the expiration of COVID Relief on several ACH Rules through October 1, 2022. The bulletin made mention of ending the non-enforcement grace period of Phase 2 of the Supplemental ACH Data Security rule (found on Section 1.6) through June 30, 2023, for Originators/Third-Party Senders with an ACH volume of two million or more transactions annually. For Originators/Third-Party Senders that have this volume, new data security requirements should be applied to render account information unreadable when stored. Phase 1 was already implemented after 2019 for Originators/Third-Party Senders with an ACH volume of six million or more transactions annually while Phase 2 was originally going to be implemented on June 30, 2021. However, the COVID-19 pandemic created a two-year delay in Phase 2’s implementation. If you have an Originator/Third-Party Sender with a volume in excess of two million, let them know that by June 30, 2023, new data security ACH Rules will apply.
To learn more about what’s coming in the payments industry in 2023 and beyond, consider joining us virtually or in person for our one-day Payment Systems Update! Here you will learn what you need to know to prioritize your organization's plan of action and maintain compliance with the ever-changing rules and regulatory landscape. This year's update covers recent and upcoming ACH Rules changes, Third-Party Sender enhancements, updated Risk Management framework, Micro Entries, ISO 20022, faster payments adoption, the latest on FedNow℠ and RTP®, Regulation E investigation challenges, applying payments rules to fraud challenges, fraud mitigation best practices and more! Click here to learn more!
Republished with permission from EPCOR