Re: Request for Comment on the Rules Proposals Regarding ACH Risk Management Topics
Maribel Bondoc
Manager, Network Rules
Nacha, The Electronic Payment Association
13450 Sunrise Valley Drive
Herndon, VA 20171
Thank you for the opportunity to submit feedback on the Request for Comment (RFC) on Rules Proposals Regarding ACH Risk Management Topics issued on May 2, 2023. The American Bankers Association appreciates Nacha’s efforts to protect the ACH Network and its efforts to seek feedback from industry participants on the matter. We are pleased to provide our comments on the nine proposed rule changes.
The ABA recognizes the fraud threat to Financial Institutions (FIs) and their customers increasingly includes credit transactions as well as debits. The proposed Rules changes are intended to address this threat and increase the recovery rate of funds with the ACH Network.
1. Expand the existing requirement for commercially reasonable fraud detection to other parties in the ACH Network.
It makes sense to expand the requirements beyond Originating Depository Financial Institutions (ODFIs) and Receiving Depository Financial Institutions (RDFIs), but it is important to note that this will be a huge change to all the parties to a transaction. Non-Consumer Originators, Third-Party Service Providers (TPSPs), and Third-Party Senders (TPSs). It will also increase the scope of work for the FIs that are responsible for Nacha Rules compliance. The lack of detail regarding the new requirements and associated FI oversight makes it difficult to endorse the proposal as drafted. The effective date will be a significant challenge for FIs since most of the 2024 information technology planning and budgeting is complete or will be complete before any final rule is announced.
Some members expressed concern regarding the term "commercially reasonable" because of its ambiguity and the possibility of different participants opting into different standards of fraud mitigation.
Recommendation: ABA recommends that this proposal be enacted incrementally starting with the Originators followed by the TPSs finally the TPSPs. Due to the timing of this proposal and the lack of clarity in the requirements the effective date for the first wave of changes should be September 2026 with the TPSs and TPSPs becoming compliant in 2027 and 2028, respectively.
Download the letter to read the full text.