a man wearing a hat and a coat looking at a phone a man wearing a hat and a coat looking at a phone

Understanding Nacha's New Web Debit Account Validation Rule

Apr  27 
Staff Writer   

Leverage Nacha Compliance Mandates to Also Reduce Fraud Risk

As commerce and transactions increasingly shift online, the need for additional regulatory guardrails grows. A 2022 rule from Nacha requires that account verification now be part of antifraud efforts and initiatives.

Nacha's Web Debit Account Validation Rule went into effect March 19, 2021 and became enforceable on March 19, 2022,  which means Nacha can impose fines/penalties for non-compliance. 

Nacha requires ACH originators of web debit entries use a "commercially reasonable fraudulent transaction detection system" to screen web debits for fraud. The new rule supplements that screening requirement, making it explicit that "account validation" be part of that detection system. Nacha's supplemental requirement applies to the first use of an account number or changes to the account number.

Breaking Down the New Rule

Nacha defines web debit as one that has occurred over the internet or any other unsecured network.  The rule applies to any organization of any size in any industry.

Nacha's phrase "commercially reasonable" is associated with an organization's specific set of facts and circumstances. The organization using the ACH network should determine what is commercially reasonable to them when choosing solutions to comply with the rule.

Technology can help financial institutions and businesses comply with Nacha's new mandate. 

Nacha and the Faster Payments Council developed the rule in 2018 to:

  • Help prevent fraud on the ACH network
  • Protect financial institutions from posting fraudulent, incorrect or unauthorized payments
  • Make payments safer and more secure, enhance payments quality and improve risk management within the ACH network
  • Meet consumer demand for fast, frictionless payments

The rule was included as part of the "Faster Payments Playbook," created by the Faster Payments Council.

The rule was also created because of the growth in annual ACH volumes, total dollar values and increasing fraud attempts and activity. 

Compliance Methods

Several methods are available to comply with the new rule. They can be used in isolation or in combination, depending on the risk tolerance of the organization.

  • Manual – The organization obtains a voided check from the consumer and uses it to verify the account and routing number with the consumer's financial institution
  • ACH Prenote – The organization uses the consumer's account and routing number to send a zero-dollar transaction to the consumer's financial institution; by accepting the transaction, the organization can determine the account is open and is valid
  • Micro/Trial Deposits – In this two-step process, the organization uses the consumer's routing and account number to make two small deposits into the consumer's account.  The consumer then confirms the deposit amounts with the organization
  • Database – The organization uses the consumer's name, account number, routing number and other details about the consumer and cross references them against a third-party database to confirm account status and ownership
  • Financial Institution Credentials – Consumers select and authenticate with their financial institution through the organization's digital channels to verify they can access the account

There are several pros and cons with each validation method, which is why many organizations use more than one. Using a combination of methods helps ensure the organization can provide consumers with a smooth experience while also providing higher levels of fraud prevention.

As a best practice, the database, financial institution credentials and micro/trial deposits verification methods could be used in that order as part of a waterfall methodology.

Here's how it would work: If the organization has the user's name, account and routing number, start with the database approach because it is instant and does not require user interaction. If the financial institution is not included in the database or the database response to the query is inconclusive, then waterfall down to the financial institution credentials method of verification.

By implementing stronger controls and solutions for ACH web debits, organizations can lower their ACH fraud risk for credits and debits while increasing the volume of ACH transactions.    

That method provides a decision in real time but requires more interaction because the end user does not have to provide financial institution credentials. The financial institution coverage in this method is very high because nearly all banks and credit unions are covered. The method provides the highest level of fraud prevention because it allows an organization to access additional data about the user's account.   

If that method fails, use trial deposits as the last option. That takes more time to complete and requires user interaction, but virtually all financial institutions are covered.

Other factors to consider when choosing account validation methods are:

  • Fraud – How important is mitigating payment fraud risk?
  • Additional Data and Other Use Cases – Is there enough information about the user, such as account balances and transactions?
  • Speed – How fast does the account need to be verified to process transactions?
  • Abandonment – Is there concern about users abandoning the verification process and opting to use payment mechanisms other than ACH?
  • User Experience – How important is a frictionless experience?
  • Coverage – What level of financial institution coverage is needed?

Stronger Controls and Solutions

By implementing stronger controls and solutions for ACH web debits, organizations can lower their ACH fraud risk for credits and debits while increasing the volume of ACH transactions.   

Technology can help financial institutions and businesses comply with Nacha's new mandate. Compliance, verification and risk protection can be automated, and additional account details, such as balances and transactions, can be automatically retrieved.

Think about what option works and consider use case, cost and account validation needs. Now may be the time to go beyond basic compliance to add additional fraud risk mitigation.