Is your business compliant?
What's a Nacha?
Nacha was originally NACHA, an acronym for National Automated Clearing House Association. Though the acronym is no longer in official use (they go by ‘Nacha’ instead), it shows where the organization came from and the role they fill in the ACH ecosystem.
Back in the early 1970s, regional banking associations across the US joined forces to standardize processes around the development of “automated” clearing house solutions—the digital replacements for physical clearinghouses where paper checks were once exchanged. By 1974, the American Bankers Association had centralized all of those regional groups under a national sub-division that they named NACHA.
An independent organization since 1985, Nacha is effectively a non-profit consortium tasked with:
Translating federal legislation and executive rules into clear guidance for member banks and ACH network participants
Enforcing those rules for all 10,000+ member banks and network participants
Driving development and adoption of the ACH system
Acting as a trade organization (e.g., education, advocacy, roundtables, etc.)
Online ACH volume is growing fast
The volume of online ACH payments is quite large and growing fast. ACH has long been a staple for larger, more regular payments—such as Direct Deposit wages and Direct Payment of utility bills—but its prevalence in other, smaller transactions is on the rise.
Much of this growth has come from internet-initiated ACH transactions, also referred to as WEB debits. There are many types of ACH transfers that happen online—mainly payments for bills such as mortgages, credit cards, and utilities, but also some high-ticket retail goods.
As transaction volumes rise, Nacha, the organization that governs the ACH system, has decided to implement a new rule, known as the Web Debit Account Validation Rule, that affects those who accept internet-initiated ACH payments. This rule adds on to the existing screening requirements that account validation (checking that account information is accurate and eligible for ACH transfers) should be included as part of a reasonable fraudulent detection system. It’s the goal is to ensure the continued quality and security of the ACH network.
In this handy guide, we’ll answer the most pressing questions surrounding this topic, provide insight on how to best meet the new rule, and how to use this change as an opportunity for growth:
What is Nacha’s 2021 rule change, exactly?
Nacha’s 2021 rule change is specific to WEB debits (internet-initiated transactions) and increases the standards for detecting fraud. Specifically, ACH originators of WEB debits now must use a “commercially reasonable fraudulent detection system” that includes “account validation” for the first time use of an account number or for any change to previous account numbers. Previously, account validation had not been part of the fraud requirement, but this rule changes that.
Businesses that use ACH to debit consumer accounts via online/ mobile requests must validate that new accounts are legitimate, open, and able to receive an ACH transfer before their first use.
At a minimum, businesses that use ACH to debit consumer accounts via online/ mobile requests must validate that new accounts are legitimate, open, and able to receive an ACH transfer before their first use. Nacha does not recommend any specific method for validating account information, but there are several ways to achieve this, including microdeposits, manual validation, database verification, and instant verification via API—all of which we’ll cover in more detail later on.
Originally the rule was going to take effect on January 1, 2020, but was pushed back to March 19, 2021, in order to give more time for guidance and education. The rule only applies to new accounts; already established accounts do not need to be re-validated. Additionally, originators are only required to validate the account information, not ownership.
Why did they change the rules?
This rule change is actually part of a larger, ongoing effort to address fraud attempts and data quality. It aims to do so by ensuring accounts are valid and by eliminating data entry errors related to account numbers, bringing to the forefront a requirement that has been in the Nacha guidelines for many years.
ACH fraud is relatively rare. In fact, it has the lowest fraud rate by value among all payment types, at 0.08 basis points ($0.08 of fraud per $10,000 in payments), according to a Federal Reserve study that measured fraud rates from 2012-2015. By comparison, ATM and card payments fraud increased from 7.99 to 10.80 basis points during the same time period.
However, the proliferation of ACH in fast-growing services—such as digital wallets and neobanks—underscores the industry’s need to use commercially reasonable practices to ensure the continued safety of the ACH Network. These internet-initiated transactions (which grew by 15% in 2020) can potentially give fraudsters the opportunity to use stolen information to load funds and pay for goods and services. This is why now, more than ever, account validation is a necessary and reasonable requirement to help prevent fraud.
Are your payments compliant?
With the new rule in effect, the way that many businesses had accepted ACH payments in the past will no longer be possible. This includes businesses that simply ask customers to manually enter their account and routing numbers, but don’t validate those accounts.
Without the minimum step of making sure that the account is valid, open, and able to receive an ACH transfer, a business will not be in compliance with the new rule. However, businesses should keep in mind that the new rule does not affect existing customers that pay by ACH. It is only for new accounts or for those that have changed their bank account information via an online/mobile means.
There are several options for businesses to validate new accounts, and some are more efficient than others.
How do you effectively validate accounts?
The five approaches to validating accounts:
Manual validation
Microdeposits
Pre-notes
Data API like Straddle Bank Account Wallets
Open-banking APIs
Under the new rule, there are five different approaches to validating accounts. These different approaches have a wide range in terms of speed, accuracy, and user experience.
Don’t give customers a reason to leave your application and never come back
We’re listing legacy solutions like items 1-3 above because it’s our job to be thorough... but no modern web application should impose the friction or time-wasting involved in legacy verification solutions
Manual validation requires obtaining a customer’s voided check to manually validate account and routing information. Businesses can also directly contact their customer’s bank to validate this information. This method takes up to six days and is the most labor-intensive and high-friction way to validate accounts.
Microdeposits involve two steps. After a customer provides their account and routing numbers, businesses make one or two very small deposits (typically less than $0.05) into a customer’s account. Then, the customer confirms the exact amount deposited to validate their account. This can take from a few hours up to 2-3 days, which creates some friction that can lead customers to potentially drop off and fail to validate their accounts.
Pre-notes (pre-notification transactions) are essentially the same as microdeposits, but they don’t require the customer to confirm the amount deposited. Instead of sending a microdeposit, the business sends a $0 ACH transaction to validate the account information. This process takes 2-3 days, but customers can’t initiate payments using pre-notes during this time.
Straddle's no-friction "Wallets" automatically verifies account status for ~90% and ownership for 80+% of domestic consumer accounts without requiring end-user interaction.
Open-banking APIs such as Straddle Bridge, MX or Plaid use application program interfaces (APIs) and secure bank connections to retrieve account and routing numbers directly from the accounts being validated. Using this method, users select their financial institutions from a list, enter their username and password, and are quickly connected—often in just a few seconds. This is the only verification method that uses a bank account username and password, rather than account and routing numbers, which is typically much easier to remember. The APIs used to instantly verify accounts can also retrieve other useful information such as account balances, identity verification, and transaction history.
Comparison of Account Validation Methods
Straddle Wallet | Seconds | What experience? | Yes | Excellent | Yes 2 | No | Not needed | Moderate |
Open Banking | Seconds | Very good | Yes | Very Good | Yes | Yes 🎉 | Required | High |
Micro-Deposits | 2-3 Days | 😂 | Control of account only | No | Yes | No | Required | Moderate |
ACH Pre-note | 2-3 Days | 😂 | No | No | Yes | No | Not needed | Low |
Manual | Who knows | 😂 | No | No | No | No | Required | High |
The choice is clear, right?
Not so fast. While the table above seems to lean towards a passive API solution like Straddle’s account intelligence, we don’t want to give you the wrong idea. The ancillary data account data - think real-time balance, income, and transaction history - provided by connectivity platforms like MX is so powerful that we recommend all businesses and applications implement a credential-based solution. Their data scope is second-to-none because the end-user explicitly opts-in to share that information as part of the connection process. Sure, sometimes certain banks don’t play nice, but that’s no reason to skimp here.
If for whatever reason, credential-based authentication isn’t in the cards right now. We’ve got you covered with Account Intelligence. We’ve also seen great success when adding the frictionless Straddle solution as a fallback for when your connectivity provider cannot connect to a user's bank.
Use a credential-based authentication method wherever possible. If a customer’s bank of out-of-network Straddle will automatically attempt to verify status and ownership using just routing and account number.
The future of online A2A payments
In 2020, there was tremendous growth in the volume of internet-initiated ACH transfers, as well as ACH transfers overall. Nacha’s new rule may require many businesses to implement changes to their onboarding flows, but those changes represent an opportunity for growth. With the uptick in ACH use, businesses that use this rule change as a chance to implement better customer onboarding and payments experiences should expect to see more paying customers.
From faster onboarding to enhanced fraud mitigation, meeting Nacha’s 2021 rule with instant verification provides an opportunity for businesses to improve their customer experience in a myriad of ways. This is not just a call for compliance, but a chance to improve the bottom line with better conversion rates and more funded accounts.
With instant verification, onboarding customers to ACH will be more reliable, safe, and faster than ever—all while going above and beyond to meet the requirements for Nacha’s new account validation rule.
As always, please reach out to the outstanding Straddle compliance team for questions, guidance, or just a good time.