Digital Transactions Authoritative, insightful and timely information for payments professionals
By John Stewart
@DTPaymentNews
As the automated clearing house network gets set to start a process that will over time speed up credit and debit transactions to same-day settlement, the ACH’s governing body on Monday took an important step toward controlling the risk posed by certain non-bank players that stand between merchants and the network.
Starting Sept. 29. 2017, the new rule announced Monday will require originating banks—the institutions that submit transactions for merchants and other businesses—to register so-called third party senders with NACHA, the Herndon, Va.-based organization that manages the ACH. Third-party senders form agreements with originating banks to transmit transactions to them on behalf of merchants.
Registration will require the name, city, and state of the sender, the routing number used for ACH transactions, and the company names used by the sender, according to NACHA. In cases involving losses to participating banks, rules violations, or excessive return rates, the originating institutions will be required to add more information, much of it having to do with how to contact the sender’s principals. “One benefit of a registry is that it will enable a reliable count of the number of third-party senders active in the ACH network at any point in time,” Janet O. Estep, president and chief executive at NACHA, tells Digital Transactions News.
NACHA will also use the information to see where third-party senders use multiple originating banks and check on cases where a sender terminated by one bank is used by one more other institutions, according to information from NACHA.
NACHA officials clearly see such risk-management methods aligning with expected growth in transactions, especially as same-day processing kicks in starting Sept. 23 with ACH credits. “Third-Party Sender Registration builds upon other recent rules that enable the ongoing growth of the ACH Network while implementing appropriate risk-management monitoring,” said Estep in a press release about the registration requirement.
Third-party senders differ from other non-bank service providers in the ACH chain in that they not only process for businesses and organizations but also maintain their own contractual agreements with originating banks. Examples of such senders are non-bank bill-payment companies and processors for online merchants, such as PayPal Holdings Inc. These senders are nothing new, “but their roles have evolved over time as the ACH network itself has evolved,” Estep says.
Experts say NACHA’s action to start collecting basic information about such senders is well within reason. “NACHA has an appropriate level of concern for payers who allow their accounts to be debited in order to pay bills and make online purchases,” Nancy Atkinson, a senior analyst at Aite Group LLC who follows the ACH, tells Digital Transactions News in an email message. “NACHA rules ensure that initiators receive payors’ authorization to debit their bank accounts, and that the meaning of the authorization is unambiguous. Risks include fraud, money laundering, and customer-privacy breaches.”
She adds regulatory pressure has been building on NACHA, as well. “Both the Federal Financial Institutions Examination Council (FFIEC) and the Office of the Comptroller of the Currency (OCC) have applied pressure to financial institutions and to NACHA regarding the risk introduced by the increasing prevalence of third parties in payments processing, which are generally considered to be high-risk companies, especially since they have no direct relationship with the payers’ banks,” she notes.
Such concern has led to similar registration requirements in other forms of electronic payment. Visa Inc., for example, has for years maintained a similar rule for banks that use independent sales organizations, the non-bank third parties that recruit merchants for card processing.
Still, September 2017 may strike some observers as a long way off for such an important rule to take effect. Atkinson agrees the date may not be soon enough, but says banks have a lot to do to get ready. “Financial institutions need to address rule requirements from both technological and policy perspective. Some banks have many third-party senders as clients and will need to educate those clients regarding the changes and collect the data they need. Third-party senders may need to make systems changes to capture the information they must provide to their banks. So, all in all, September 29, 2017 seems reasonable.”
Originating institutions will have until March 1, 2018, to comply with the rule before NACHA begins enforcing it. Enforcment after that could include sanctions and fines. The rule began as a proposal issued a year ago for comment. The proposal drew more than 90 responses, NACHA says.
