Unauthorized ACH Transactions: RDFI and ODFI Responsibilities

By: Liz Cone, AAP, APRP, Manager, Audit Services

Anyone who has reviewed Appendix Four of the Nacha Operating Rules & Guidelines can see the ACH Rules have multiple options for a financial institution to return an unauthorized ACH Entry. It can sometimes be tricky to determine which Return Reason Code is appropriate. Let’s face it – not all unauthorized ACH situations are black and white. What actions should RDFIs take when a Receiver notifies staff of an unauthorized ACH? What obligations do ODFIs have when receiving a Return that is indicated unauthorized? Let’s talk about it.

RDFI Obligations

As an RDFI, one of the more important things that should be in place is an up-to-date Written Statement of Unauthorized Debit (WSUD) form. Article Three, Subsection 3.12.4, Form of Written Statement of Unauthorized Debit details the minimum information that must be included on the WSUD.

Because the Standard Entry Class (SEC) code of an Entry can determine the action taken by the RDFI as well as the Return Reason Code that is transmitted with the Return, staff responsible for obtaining the signed WSUD from the Receiver should be trained to identify the different elements of the Entry, as well as the characteristics of the account to which the unauthorized debit posted, so that the WSUD is completed properly.

Once the WSUD is completed and signed by the Receiver, staff should process the Return as soon as possible. Staff responsible for processing the Return should review the WSUD for proper completion, ensuring that the date of debit is correct, the reason selected is appropriate for the SEC code, the form is signed and dated by the Receiver, the printed name of the Receiver is populated, and the party debiting the account is indicated and correct. Once the information is verified, the Entry should be Returned and recredit provided to the Receiver. As a best practice, a second staff member should review the Return and the recredit.

The ACH Rules require prompt recredit, but “prompt” is not defined within the Rules. Regulation E does define prompt as within 24 hours of determining that an error has occurred or within 10 banking days, whichever is sooner. If the WSUD is being processed within 60 calendar days of the Settlement Date of the unauthorized Entry, the determination that an error occurred is simply receiving the signed WSUD from the Receiver. No additional investigation is required; therefore, recredit should be provided to the Receiver within 24 hours of the Receiver signing the WSUD.

RDFIs should ensure the original or reproducible copy of the completed WSUD is retained for at least one year from the Settlement Date of the Extended Return Entry. Should an ODFI request a copy of a completed WSUD, the RDFI must provide that copy to the ODFI within 10 banking days of receiving the request, provided the request is received by the RDFI within one year of the Settlement Date of the Extended Return Entry.

Common Return Reason Code Misuse – What’s the Correct Return Reason Code?

The following is a list of Return Reason Codes associated with unauthorized ACH debits that are often misused and the correct circumstances for each.

  • R05 should be used when a consumer Receiver notifies the RDFI of an unauthorized debit using a non-consumer SEC code (CCD or CTX).
  • R07 should be used when a Receiver notifies you that a debit has posted to their account and the Receiver had previously revoked the authorization for the Originator to debit their account.
    • It is common for an RDFI to be unsure whether to obtain a WSUD and process the Return as R07 or place a stop payment on the account and process the Return as R08. Determining the best option is as simple as verifying whether the debit has posted to the account. If the Entry has already been debited from the account, a WSUD should be completed, and the Entry returned as R07.
  • R10 should be used for consumer SEC codes to a consumer account.
  • R11 should be used when there is a relationship between the Originator and the Receiver and there is an authorization in place, but the debit Entry is not in accordance with the terms of the authorization (i.e., the debit is for an amount different than the Receiver authorized, or the Entry was debited from the account of the Receiver prior to the date the Receiver authorized).
  • R29 is reserved for a non-consumer SEC code to a non-consumer account.
    • This Return Reason Code has other stipulations. For instance, these Returns must be processed by the RDFI for the Return Entry to be made available to the ODFI no later than the opening of business on the second banking day following the Settlement Date of the original Entry. This is sometimes referred to as the 24-hour rule.

ODFI Obligations

Now that we’ve covered how to handle unauthorized ACH Entries from a receiving standpoint, let’s discuss how an ODFI should handle incoming Returns identified as unauthorized. Nacha closely monitors the origination of unauthorized ACH Entries. In recent years, fees have been implemented to encourage clean Entries in the ACH Network. That fee is charged per unauthorized Entry to the ODFI and is often passed on to the Originator.

Nacha has also established Return Rate thresholds, which are broken down into three categories: Unauthorized Returns, Administrative Returns and Overall Returns. ODFIs that have Originators processing ACH debit Entries should monitor incoming Returns for each Originator, and calculate and monitor the Return Rates to ensure their Originators are not exceeding the established thresholds, which limit Unauthorized Returns to no more than 0.5% for each Originator. Should an Originator approach or exceed the threshold, the ODFI has an obligation to remediate the Originator to lower the Return Rate to acceptable levels. This remediation may include suspension of origination access or even termination of the relationship altogether. As a best practice and a risk management control, Return Rates should be reported to the ODFI’s Board of Directors on a periodic basis.

Another thing to consider is the ACH Origination Agreement, which should contain language regarding the Originator or Third-Party Sender’s obligations regarding incoming Returns. The ODFI should also consider language within the agreement that allows the ODFI to pass the Unauthorized Entry Fee on to the Originator or Third-Party Sender in the event of a received Unauthorized ACH Return.

Because the ODFI is responsible for its Originators’ and Third-Party Senders’ compliance with the Rules, the ODFI should provide education and training to its Originators and Third-Party Senders regarding authorizations, retention of the authorization, their requirement to provide a copy of the authorization when requested, as well as the Return Rates and the actions that could be taken should the Originator or Third-Party Sender exceed the Return Rate.