180 likes | 301 Views
LEADERSHIP + INNOVATION 2013 OLA Conference |October 16-17 |San Diego. Get Educated on the NACHA Rules Marsha Jones, AAP, NCP, Director, TPPPA Lin Fellerman , President and CEO, Secure Payment Systems. Agenda. ODFI Warranties and Responsibilities Third-Party Senders
E N D
LEADERSHIP + INNOVATION2013 OLA Conference |October 16-17 |San Diego Get Educated on the NACHA Rules Marsha Jones, AAP, NCP, Director, TPPPA Lin Fellerman, President and CEO, Secure Payment Systems
Agenda • ODFI Warranties and Responsibilities • Third-Party Senders • Originator Responsibilities • New Rules in 2013 • Data Passing • ODFI Return Rate Reporting • Incomplete Transactions • ACH Security Framework
ODFI General Rule – ARTICLE TWO SECTION 2.1 • An ODFI is responsible for all Entries originated through the ODFI, whether by an Originator or through a Third-Party Sender. • An ODFI is responsible for its Originators’ and Third-Party Senders’ compliance with the rules.
ODFI Warranties – ARTICLE TWO SECTION 2.4 • Entry is properly authorized and has not been revoked • Entry complies with all the Rules including proper use of SEC Codes • Contains correct information • Transmitted on the correct date • For the authorized amount • Transmitted securely
ODFI Indemnity for Breach of Warranty • Indemnifies all RDFIs from and against any and all claims, demands, losses, liabilities, and expenses including attorney fees and costs as the result of directly or indirectly from breach of warranty. • Includes any damages that result due to NSF caused by unauthorized entry. • Includes damages an RDFI would be liable for under Regulation E as a result of the entry being presented
ODFI and Third-Party SenderPrerequisites to Origination – ARTICLE TWO SECTION 2.2 • Perform Due Diligence on each Originator • Assess the nature of ACH activity and the risk it represents • Reassess at least annually • Establish, implement and review exposure limits • Establish and implement procedures to monitor origination and return activity • Enter into agreements meeting minimum NACHA standard • Bound by rules • Adhere to laws • Right to audit for compliance and terminate or suspend Originator
Authorization Requirements – ARTICLE TWO SECTION 2.3 • Consumer CREDIT authorizations do not have to be in writing • Consumer DEBIT authorizations must: • Readily identifiable as authorization • Clear and readily understandable terms including: • Amount and timing of debits • Satisfies applicable legal requirements • If not, not considered authorized (Larimer Letter) • Provide means to revoke authorization
Notice of Variable Debits to Consumer Accounts – ARTICLE TWO SUBSECTION 2.3.2.6 • Change in Amount • Must send written notification of change in amount at least 10 calendar days prior to the date of the scheduled payment • No notice required if consumer chooses option in Authorization to receive notice only if amount falls outside of a specific range • Change in Date • Must send written notification of change in date at least 7 calendar days prior to the date of the next payment • Does not include variations to dates due to holidays, Saturday or Sunday
Retention and Provision of Authorizations – ARTICLE TWO SUBSECTION 2.3.2.5 • Must retain for two years from the termination or revocation of the authorization • ODFI must provide to RDFI within ten banking days of written request • Originator must provide in such a time and manner to enable ODFI to comply with their timeframe • TPPP considerations • NOTE: ODFI or TPPP have right to request at any time to ensure compliance • Right to audit compliance with rules in agreements
Third-Party SenderThird Party Payment Processors • Company that processes payments for merchants through its bank • Bank has no direct relationship with merchants • Know as Third-Party Sender under ACH Rules • Know more broadly as Third Party Payment Processor • No direct relationship with the Receiver of the payment
TPPP Flow Bank (ODFI) Agreement TPPP has no Authorization with the Receiver Bank has no Agreement with the Merchant (Originator) TPPP Agreement Agreement Agreement Merchant (Originator) Merchant (Originator) Merchant (Originator) Authorization Authorization Authorization Receiver Receiver Receiver Receiver Receiver Receiver
Third-Party Sender Obligations – ARTICLE TWO SECTION 2.15 • Must provide ODFI with any information ODFI reasonably deems necessary to identify the Originator within 2 banking days of request. • Warrants to ODFI that Originator agrees to follow the ACH rules and indemnifies ODFI for all claims, losses, damages, etc. due to Originators failure to comply. • Assumes warranties for any functions they do on behalf of the bank. • ODFI is ultimately responsible for TPS • Jointly responsible with Originator for retention and delivery of required records, documentation, data or copies of documents.
Originator Responsibilities • Use of proper Standard Entry Class (SEC) Code • Including IAT • Proper authorizations • Including retention and delivery • Prenotes • Must wait 6 banking days prior to live entry • Must process Notification of Changes • Within 6 banking days or prior to next payment whichever is later
Reinitiation of Returns – ARTICLE TWO SUBSECTION 2.12.4 • NSF (R01) and UCF (R09) • Only two times • Within 180 days • Returned Stop Payment (R08) • Payment was reauthorized • Originator has taken corrective action to correct return • New Authorizations (R07) (R10) etc. • Correction of Routing/Account Information (R03)(R04)
New Rules • Data Passing Rule – March 15, 2013 • Prohibits sharing of customer information for the purposes of initiation debit entries not covered by the original authorization • ODFI Return Rate Reporting – March 15, 2013 • Reduces the timeframe for reducing the return rate below the threshold from 60 days to 30 days • Failure to do so will result in rules enforcement proceedings • Incomplete Transactions • Consumers can be re-credited for payments they did not receive credit for using (R10)
New Rules – Supplement #2-2012 • ACH Security Framework – September 20, 2013 • Protects Consumer Non-Public information including banking data • Requires TPPPs and Originators to perform assessments on security of data • Whole cycle – Initiation, Processing, Storage through destruction • Any form – paper, digital, recordings, voice, etc. • Establish and implement policies, procedures and systems to address security
Rules Enforcement – APPENDIX TEN • Class 1: (1st = $1,000, 2nd = $2,500, 3rd = $5,000) • Recurrence of previous violation within one-year • Class 2: ($100,000 per month until resolved) • Non-response or not intending to comply with Rules Violation Notice, • Failure to comply with Return Rate Reporting • Failure of ODFI or TPPP to provide proof of audit • NACHA considers violation causes excessive harm to network • Fourth or subsequent recurrence of same violation • Class 3: ($500,000 per month until resolved) • Class 2 continues 3 consecutive months • Enforcement Panel can require suspension of the Originator
Questions? Marsha Jones, AAP, NCP Director Third Party Payments Processor Association (TPPPA) mjones@tpppa.org