Digital Transactions Authoritative, insightful and timely information for payments professionals
As the automated clearing house network gets set to start a process that will over time speed up all ACH credit and debit transactions to same-day settlement, the ACH’s governing body late this summer took an important step toward controlling the risk posed by certain non-bank players that stand between merchants and the network.
Starting Sept. 29, 2017, the new rule will require originating banks—the institutions that submit transactions for merchants and other businesses—to register so-called third-party senders with NACHA, the Herndon, Va.-based organization that manages the ACH.
Third-party senders form agreements with originating banks to transmit transactions to them on behalf of merchants.
Registration will require the name, city, and state of the sender, the routing number used for ACH transactions, and the company names used by the sender, according to NACHA.
In cases involving losses to participating banks, rules violations, or excessive return rates, the originating institutions will be required to add more information, much of it having to do with how to contact the sender’s principals.
NACHA will also use the information to see where third-party senders use multiple originating banks and check on cases where a sender terminated by one bank is used by one or more other institutions, according to information from NACHA.
NACHA officials clearly see such risk-management methods aligning with expected growth in transactions, especially with the start last month of same-day processing. “Third-Party Sender Registration builds upon other recent rules that enable the ongoing growth of the ACH Network while implementing appropriate risk-management monitoring,” said Janet O. Estep, president and chief executive at NACHA, in a press release about the registration requirement.
Third-party senders differ from other non-bank service providers in the ACH chain in that they not only process for businesses and organizations but also maintain their own contractual agreements with originating banks. Examples of such senders are non-bank bill-payment companies and processors for online merchants, such as PayPal Holdings Inc.
Experts say NACHA’s action to start collecting basic information about such senders is well within reason.
“NACHA has an appropriate level of concern for payors who allow their accounts to be debited in order to pay bills and make online purchases,” says Nancy Atkinson, a senior analyst at Aite Group LLC who follows the ACH. “NACHA rules ensure that initiators receive payors’ authorization to debit their bank accounts, and that the meaning of the authorization is unambiguous. Risks include fraud, money laundering, and customer-privacy breaches.”
She adds regulatory pressure has been building on NACHA, as well. “Both the Federal Financial Institutions Examination Council (FFIEC) and the Office of the Comptroller of the Currency (OCC) have applied pressure to financial institutions and to NACHA regarding the risk introduced by the increasing prevalence of third parties in payments processing, which are generally considered to be high-risk companies, especially since they have no direct relationship with the payors’ banks,” she notes.
Such concern has led to similar registration requirements in other forms of electronic payment. Visa Inc., for example, has for years maintained a similar rule for banks that use independent sales organizations, the non-bank third parties that recruit merchants for card processing.
Still, September 2017 may strike some observers as a long way off for such an important rule to take effect. Atkinson agrees the date may not be soon enough for some, but says banks have a lot to do to get ready.
“Financial institutions need to address rule requirements from both technological and policy perspective,” she notes. “Some banks have many third-party senders as clients and will need to educate those clients regarding the changes and collect the data they need. Third-party senders may need to make systems changes to capture the information they must provide to their banks. So, all in all, September 29, 2017 seems reasonable.”
Originating institutions will have until March 1, 2018, to comply with the rule before NACHA begins enforcing it. Enforcement after that could include sanctions and fines.
—John Stewart
