NACHA Proposes New Rules To Fight On-Line Account Takeovers
Last winter NACHA (“The Electronic Payments Association”) announced its intention to address the developing risks posed by on-line non-consumer account takeover attacks. Good as its word, NACHA has now issued two Rules changes, one for its “Sound Practices Rule” and the other for its “Available Exception Rule.” These amendments could not be more timely, given the latest FBI, FS-ISAC and IC3 press release announcing a new wave of cyber-attacks originating out of China (“unauthorized wire transfer to Chinese economic and trade companies located near the Russian border”), dated April 26, 2010.
The first proposed amendments are to the Sound Practices Rules, and impose new obligations upon financial institutions. ODFIs and Third-Party Senders are to provide their Originators, on an annual basis, with “current industry sound practices to prevent unauthorized [sic: fraudulent] credit entries from being initiated from non-consumer accounting.” See, Rules, Subsections 2.11.1 and 2.14.6. A good argument can be made that this new notification and record-keeping burden imposed upon financial institutions is recommended, if not necessary. Many suspect that the much anticipated new FFIEC Guidance will require a like burden. Helpfully, NACHA has already published “Sound Business Practices for Companies to Mitigate Corporate Account Takeover,” which closely serves the purpose of a model for such new annual disclosure. Note to community bankers: Take note of NACHA’s suggested guidance respecting “dual control” for your SMB customers.
The second proposed amendment is to the Availability Exception Rule, and will apply to RDFIs. A favorable aspect of our ACH system is its faster clearing versus the Reg CC payment structure. Under this NACHA amendment, an RDFI is permitted to delay settlement under the standard Rules-specified time limits when either an ODFI or the RDFI itself “reasonably suspects” a fraudulent credit/debit Entry. It remains to be seen what type of reasonable suspicion will justify the safe harbor. Those of us who practice in this area know that with the attractiveness of ACH’s early settlement benefits comes a corresponding abbreviated response time in the event of transactional uncertainty, a task which itself is complicated by the general, if well-intentioned, reluctance of financial institutions to share account-holder financial information, even when fraud is strongly suspected by a counter-party. One can never know with the required immediacy if an account holder is wittingly or unwittingly serving as a money-mule. Thus, while the grant of additional time for investigation is appropriate, this amendment might have been further improved if NACHA had also included some protective measure or mandate for the ODFI and RDFI, in a manner that fully exploits the opening suggested in Reg P, Section 216.15’s language, “to protect against or prevent actual or potential fraud, unauthorized transactions, claims or other liability.”
Responses to NACHA’s proposed amendments are due by June 10, 2011. The Sound Practices Rule changes are to become effective September 16, 2011, and apply as a requirement to ODFIs and Third-Party Senders in calendar year 2012. The Availability Exception Rule will become effective 30 days after approval by the NACHA voting members.
Attorney Spotlight
William T. Repasky practices with the Litigation Department at Frost Brown Todd. He focuses on lending and commercial services; banking litigation and financial institutions.

