Stephen Kenneally Vice President Center for Regulatory Compliance Phone: 202-663-5147 E-mail: skenneal@aba.com January 13, 2014 Maribel Bondoc Manager, Network Rules NACHA, The Electronic Payments Association 13450 Sunrise Value Drive Herndon, VA 20171 Re: Request for Comment and for Information: Improving ACH Network Risk and Enforcement Topics Dear Ms. Bondoc: The American Bankers Association (ABA) 1 respectfully submits its comments to NACHA, The Electronic Payments Association, on the Request for Comment and Information on Improving ACH Network Risk and Enforcement Topics (RFC) published on November 11, 2013. ABA appreciates NACHA s efforts to improve the quality of the ACH Network by bringing increased attention on the problems posed by Entries initiated by Originating Financial Depository Institutions (ODFIs) that are returned because they are unauthorized or contain inaccurate or incomplete information. This RFC is being considered in conjunction with another NACHA proposal published on the same date that is also intended to reduce the number of exceptions, Improving ACH Network Quality by Reducing Exceptions. 2 The value of the ACH Network is based upon transactions flowing efficiently from the Originator to the ODFI to the Receiving Depository Financial Institution (RDFI) to the Receiver, and ultimately funds flowing efficiently from purchaser to merchant or service provider. 3 Successful ACH transactions are entirely automated and have a very low unit cost. Disruption of this flow by returns harms all stakeholders in the Network. ABA agrees that the Network should promote practices that reinforce automated efficiency and apportion responsibilities for users whose processing of ACH transactions undermine the system s efficiency and reliability. The Network is the backbone of electronic payments for a diverse range of customers and providers in our economy; but that diversity encompasses varied economic circumstances and transactions that display different payment capabilities and characteristics. Consequently, ABA believes that 1 The American Bankers Association represents banks of all sizes and charters and is the voice fo r the nation s $14 trillion banking industry and its 2 million employees. ABA s extensive resources enhance the success of the nation s banks and strengthen America s economy and communities. Learn more at www.aba.com. 2 https://www.nacha.org/page/request-commentquality#overlay-context=page/request-comment 3 ABA recognizes the P2P transactions are also processed through the Network, but the predominant flow is P2B and B2B. In any case, the importance of maintaining automated efficiency applies across type.
changes to Network rules need to reflect its mission of providing efficient payments under varied business realities while at the same time supporting necessary latitude for legitimate business diversity. The Proposals The RFC contains six proposed changes intended to improve the quality of the ACH network by reducing the number of returned Entries through improving the origination practices of Originators and ODFIs. The six proposed changes to achieve this goal are: 1. Reduce the existing return rate threshold for unauthorized debit Entries from 1.0% to 0.5%; 2. Establish a new category for return rate thresholds in the Rules for account data quality returns set at 3.0%; 3. Establish a new category for return rate thresholds in the Rules for total debit returns set at 15%; 4. Clarify the limitations on the reinitiation of Returned Entries; and 5. Clarify the applicability of certain risk management rules to Third-Party Senders. 6. Expand NACHA s authority to initiate enforcement proceedings for potential violations related to unauthorized Entries. Summary of ABA Comments 1. ABA supports reducing the return rate threshold for unauthorized debit Entries to 0.5%; 2. ABA supports establishing an account data quality return rate threshold at 3.0%, with certain modifications; 3. ABA opposes establishing a new category for overall debit returns; 4. ABA supports clarifying the limitations on the reinitiation of Returned Entries; 5. ABA supports clarifying the applicability of certain risk management rules to Third-Party Senders; and 6. ABA opposes expanding NACHA s authority to initiate enforcement actions related to unauthorized Entries. Unauthorized Debit Threshold The ACH Network has long understood the importance of keeping unauthorized transactions as low as possible. After all, the Network s legitimacy is predicated on delivering payments in connection with authorized exchanges. The significance of setting tolerances for unauthorized transactions lies in the obligations that are triggered when the thresholds are exceeded thereby creating appropriate incentives to avoid the disruptions attributable to such transactions. In 2011, NACHA originally proposed lowering the unauthorized debit threshold rate to 0.5% but did not move forward to implement the change. ABA endorsed NACHA s intent and supported 2
the lowering of the rate at that time. 4 The evidence throughout the interim period illustrates a steady average of returns from unauthorized transactions at.03%. By re-setting the threshold trigger to.5% from 1.0%, NACHA s proposal recognizes both the consistency of current experience and the need for appropriate latitude before triggering the remedial obligations. The threshold is calculated on Entries initiated by an Originator or Third-Party Sender for a two month basis. If the threshold is exceeded, the ODFI must respond to NACHA and act to lower that rate within 30 days and keep it below the threshold for 180 days or be subject to a NACHA Class 2 Rules Violation. A pending Class 2 Rules Violation provides incentive to the ODFI to work with the offending customer to improve their return rates. ABA supports the proposed change to lower the unauthorized debit threshold return rate to 0.5% and concurs with the proposed effective date of March 20, 2015. Account Data Quality Threshold NACHA proposes to decrease the number of returns made due to account data quality issues by establishing a new threshold to be set at 3.0%, more than 10 times higher than the actual rate identified by NACHA s research of 0.28%. The threshold would be calculated using returns designated with Return Reason Codes R03 (No Account/Unable to Locate Account), R04 (Invalid Account Number) and/or R20 (Non Transaction Account). Remedial obligations for triggering the threshold are the same as in the unauthorized debit threshold. ABA concurs that improving the quality of data transmitted by ODFIs can benefit the entire ACH Network. However, the ODFIs and Originators should only be held responsible for what they can control. Reducing keystroke typos is one type of matter, verifying that the account number provided by the consumer corresponds to an eligible transaction account is much more difficult to correct. By including R20 returns, ODFIs would be held accountable for returns that are the result of customers providing valid bank account and routing information that is invalid for this type of transaction an account against which transactions are prohibited or limited. ABA does not recommend that R20 returns be included in the Account Data Quality Threshold calculation ABA supports the proposed change to establish an Account Data Quality Threshold return rate of 3.0% with the modification that R20 returns are not part of the calculation. ABA concurs with the proposed effective date of March 20, 2015. Total Debit Return Threshold NACHA indicates that Originators can impose significant costs to the ACH Network when return rates are high, even when the returns are not caused by the lack of authorization or poor data quality. Specifically, NACHA alleges that returns for insufficient funds (NSF) significantly 4 ABA Comment Letter, June 24, 2011, http://www.aba.com/compliance/regulatory/documents/74d6e23589bf46e38d7dd2f73c23843fclna CHA RiskMan agementfinal6242011.pdf 3
increase costs to RDFIs and raise questions about the quality of the origination practices when Entries are returned because of insufficient funds. For this reason, the NACHA proposal would establish a total return threshold of 15.0% that would encompass all return reason codes. ABA has concerns about this proposed rule change for two reasons. First, the claim that RDFIs incur significant costs associated with ACH Entries returned due to insufficient funds is not substantiated in the proposal. Returns related to insufficient funds are processed by RDFIs automatically. When an account balance is too low to offset an incoming debit Entry, the transaction is returned and assigned the designated Return Reason Code. This is an automated process and does not require expensive manual intervention by an RDFI s staff. Second, although the proposal acknowledges that some industries provide services to lower income customers who may have lower balances and therefore higher incidences of insufficient funds, it still would penalize that portion of the population if they exceeded the 15% threshold. The value of the ACH Network is derived from the word automated. In fact, the full name of the Network is the Automated Clearing House Network. Automation has resulted in the ability to process millions of ACH Entries each day at a low cost, even automated returns. NACHA s companion proposal refers to an industry proposal of a small number of financial institutions to break down the costs associated with returns related to unauthorized transactions, account data quality, and Notifications of Change (NOCs). It does not provide any detail on costs associated with returns related to insufficient funds. It is not clear that RDFIs are subjected to significant costs imposed by returns related to insufficient funds. And, if RDFIs do incur significant fees they are able to recoup those costs through customer fees. In the proposal, NACHA acknowledges that some Originators provide services to lower income customers who have lower bank balances resulting in higher returns for insufficient funds than other industries. The proposal also notes that the average debit return rate for all debit Entries was 1.5%. But the average experience with respect to insufficient funds returns can hide a multitude of legitimate business model variations. The proposal does not provide any detail on the average return rate for debit Entries for Originators that provide services to low income customers. Some of the services being provided include auto insurance, auto repair loans, dental services, and furniture purchases. In addition, numerous merchants characterized as high-risk, but nonetheless engaged in legitimate and often state licensed or regulated businesses may also incur relatively high NSF returns as a common experience. Financial institutions have indicated that a 15% total return threshold would negatively affect Originators providing these services causing them to cut back on providing these services to customers or migrating to alternate payment forms such as remotely created checks. Finally, in order for an Entry to be returned for insufficient funds, Originators and ODFIs must already have obtained accurate account information and proper authorization. By doing so, they are demonstrating a level of sound ACH practice that includes both administrative rigor and authorization process controls which ABA agrees are to be held accountable to the specific 4
thresholds previously discussed. The total return proposal does not excuse lax practices in these fundamental ACH requirements. We should recall that the purpose of these proposals is to apportion responsibility for undermining Network efficiency and reliability. However, in the case of NSF returns, neither the ODFI, nor the RDFI have apparent culpability for the incidence of such returns or any obviously available means to manage the return experience. Among an array of reasons for NSF returns, the ACH Network itself is disadvantaged in relation to more real-time systems that enable transactors that have initiated an ACH payment to impair their funds availability mid-payment, by conducting a subsequent near real-time transaction before the ACH transaction clears. In the absence of more study and analysis that addresses the different circumstances and legitimate reasons for the range of NSF experience in ACH transactions as well as the options for controlling its frequency, ABA does not support the current proposal to establish a single blanket Total Debit Return Threshold. Clarification of Reinitiation Limitations Entries that have been returned for certain reasons may be resubmitted under limited circumstances as permitted by the NACHA rules within 180 days of the settlement date of the original Entry. For example, an ACH debit returned due to insufficient funds may be reinitiated twice more, an Entry that had been returned due to a stop payment order can be reinitiated if a separate authorization is received. Other previously returned Entries can be reinitiated after being corrected for errors. NACHA believes that some Originators ignore these requirements and attempt to reinitiate transactions by making reinitiations appear to be new Entries by changing the content in various data fields. NACHA issued ACH Operations Bulletin #3-2013 in July 2013 to clarify that various types of Entries are attempts to evade the reinitiation limitations and are prohibited. NACHA also proposes two technical changes associated with incorporating the ACH Operations Bulletin clarifications into the rule. The first would be to require ODFIs to populate the Company Entry Description Field with the word REDEPOSIT for all reinitiated Entries to notify the Receiver that the Entry relates to a previously returned Entry. This proposal is problematic because the term REDEPOSIT in inaccurate and will be confusing to the Receiver. A debit to a customer s account that has been returned previously and is then represented is not a REDEPOSIT in the eyes of most customers. If it is a reinitiated debit then REINITIATE would be a more accurate term. Another option to consider would be to establish a new transaction code to facilitate easier tracking of these Entries. This option was not discussed in the proposal and should be reconsidered during a public comment process before being balloted by NACHA. The second technical change proposed would require that Return Reason Code R10 (Customer Advises Not Authorized) be used to return Entries that violate the Reinitiation Rule. This proposal is acceptable when the return is made because the Entry is not authorized. Further, the 5
proposal asks whether the Written Statement of Unauthorized Debit (WSUD) should be completed by the Receiver on the reinitiated Entry if they already filed one associated with the original entry. It is important to note that these are two separate Entries. If the Receiver identifies an Entry that is not authorized, the RDFI should obtain a separate WSUD. ABA s membership also noted that requiring WSUDs in each instance would simplify training frontline personnel and establishing the consistent practice of collecting the statement each and every time. Another factor to consider is that using the R10 code may not be appropriate for all violations of the Reinitiation Rule. If an Entry is reinitiated for the first time 180 days after settlement of the original entry it is in violation of the Reinitiation Rule, but it is not unauthorized. Similarly if the entry was initiated three times within 180 days it would violate the rule but not because it was unauthorized. The R10 code contains specific requirements related to the WSUD and to the return rate thresholds that will be set at 0.5% under this proposed rule so its use should be restricted only to transactions that truly fall into that category. In summary, ABA supports the proposal to incorporate the clarifications contained in ACH Operations Bulletin #3-2013 into the rules. ABA concurs with the proposed effective date of March 20, 2015. ABA opposes requiring the term REDEPOSIT to be included in the Company Entry Description Field because it will cause confusion. ABA supports the use of Return Reason Code R10 for returning reinitiated Entries only when the Entries are identified as unauthorized. Reinitiated Entries that are returned for other reasons, such as being outside the 180 day limit, should be grouped into a more accurate Return Reason Code and not into R10. ABA concurs with the proposed effective date of March 20, 2015 to properly apply Return Reason Code R10. ABA supports the requirement that Written Statements of Unauthorized Debit be collected by the RDFI upon each occasion a transaction is identified as such by a customer and the return is properly classified belonging in the R10 category. ABA concurs with the proposed effective date of March 20, 2015. Risk Management Rules Applicable to Third-Party Senders The current ACH Network Rules require ODFIs to monitor their Originators and Third-Party Senders through establishing, implementing, reviewing, and enforcing exposure limits. If a Third-Party Sender performs functions normally performed by an ODFI with regard to an Originator, then the Third-Party Sender should conduct the monitoring. Unfortunately, NACHA believes that some Third-Party Senders may not be meeting these expectations. 6
NACHA proposes to update the ACH Network Rules to put a direct obligation on Third-Party Senders to conduct these risk mitigation practices and conduct audits to prove they were conducted. Further, the proposed rule would allow NACHA to request the Third-Party Sender audits from the ODFI. ABA supports these proposed changes to improve risk mitigation associated with Third-Party Senders. ABA concurs with the proposed effective date of September 19, 2014. Expansion of NACHA s Authority to initiate enforcement actions Under the current ACH Network Rules found in Section 10.2.2 of Appendix Ten, NACHA has the authority to initiate a return rate enforcement action under three circumstances: 1. If an ODFI fails to provide upon NACHA s request complete and accurate information regarding return rate reporting in a timely manner; 2. The ODFI substantiates that an Originator or Third-Party Sender has exceeded the return rate thresholds and fails to reduce the return rate within 30 days; or 3. The ODFI substantiates that an Originator or Third-Party Sender that is subject to monitoring because it has exceeded return rate thresholds in the past, is failing to reduce the return rate thresholds over the 180 period. A Participating Depository Financial Institution can also initiate an enforcement action if it makes a specific request. NACHA would expand the ability to initiate an enforcement proceeding based on the origination of unauthorized entries. The proposed language to be added to Part 10.4.1 National System of Fines, Initiation of a Rules Enforcement Proceeding is vague: A Rules enforcement proceeding may also be initiated and conducted by the National Association in Response to. or (3) the National Association s reasonable belief that an ODFI, Third-Party Sender or Originator has originated Entries without proper authorization in accordance with these Rules. The National Association may initiate any such rules enforcement proceedings on the basis of, and utilize in connection with any such proceeding, any information available to the National Association, including information received from Participating DFIs and Operators. ABA believes that the current rules are adequate, and more importantly, well defined. There are three specific scenarios where NACHA can initiate an enforcement proceeding. Beyond that, an enforcement proceeding can be started if a Participating DFI files a complaint. Those are all good and valid reasons. The proposed rule change is vague and subject to interpretation. How does one assess NACHA s level of belief when it comes to unauthorized transactions? We don t know because it is not defined and we are not soothsayers. 7
The proposed rule is so vague that it will make all ODFIs, Originators, and Third-party Senders subject to an enforcement proceeding. It is a violation of ACH Network Rules to initiate any ACH Entry without authorization. Another section of this proposed ACH Network Rule Change would lower the threshold for unauthorized debit Entries to 0.5%. Any rate higher than 0.5% would require corrective action be taken by the ODFI and imposing Class 2 Rule violations. ABA supports this proposal, but it is in conflict with this latest rule change. The newly proposed language would allow formal enforcement proceedings to begin without NACHA knowing, or having reasonable belief that the rates of return for unauthorized transactions are excessive, only that Entries without proper authorization were initiated at all. This improperly divorces the tolerance threshold from the enforcement trigger. Consider an ODFI that originates 10,000 Entries for an Originator during a 60 day period. If there were more than 50 unauthorized returns it would be in violation of the 0.5% threshold proposed in this rule. If the Originator had a real return rate of 0.03%, the industry average cited in the proposal, there would be 3 unauthorized returns. The Originator would be safe from institution reforms based on the return rate but still subject to an enforcement proceeding under the proposal. A reasonable person reviewing NACHA s proposal would have a reasonable belief that every Originator following industry standards would have a statistical probability of generating three unauthorized returns from every 10,000 Entries. Therefore, every Originator and ODFI would be subject to a NACHA enforcement proceeding even if it had a reasonable expectation of generating one unauthorized return. ABA strongly opposes this proposal to increase NACHA s ability to initiate enforcement proceedings without cause. Request for Information on Incomplete Payroll Transactions NACHA is seeking input on the possibility of narrowly expanding the existing Incomplete Transaction Rule to cover payroll processing. Currently, the Rule only covers consumer accounts when a third party debits the consumer account in order to make a corresponding payment to another party that is the ultimate recipient of the funds. Under the rule, if the consumer account is debited, but the third party goes bankrupt before passing the payment to the ultimate recipient, the consumer is able to request that the RDFI recredit the consumer s account. This does not apply to non-consumers. NACHA asks if they should consider expanding the rule to cover payroll processing scenarios where the third party debits a commercial account to fund payroll for its employees, but the third party goes bankrupt before the wages are paid. ABA does not support considering this proposal because it would increase obligations on ODFIs; legal action can be pursued outside the ACH Network; and there is no demonstration that this is a problem that needs to be solved. 8
ABA appreciates the opportunity to comment on NACHA s Improving Network Risk and Enforcement Topics Request for Comment. If you have any questions about these comments, please contact the undersigned at (202) 663-5147. Sincerely, Stephen K. Kenneally Vice President Center for Regulatory Compliance 9