Hey, RDFIs! The WEB Debit Account Number Validation Rule Affects You, Too!

Amy Donaghue

By: Jennifer Kline, AAP, APRP, NCP, Director, Audit Services

For several years now, the ACH Network has been touting on about ODFI’s and Originator’s responsibilities for Supplementing Fraud Detection Standards for WEB Debit entries. But finally the WEB Debit Account Validation Rule became effective on March 19, 2021. Now, before you get all glossy-eyed, thinking that this Rule mostly impacts Originators and origination-related processes for ODFIs, know that this Rule change also impacts RDFIs as well.

It is true that the requirements of the new Rule put the onus on ODFIs and Corporate Origination Clients (Originators and Third-Party Senders) to ensure commercially reasonable fraudulent detection systems are in place for any newly acquired WEB debit authorizations. Since the Supplementing Fraud Detection Standard for WEB Debits was introduced in 2018, Originators, Third-Parties and software companies have been busy creating new software, updating ACH systems, and changing WEB Entry controls, as well as creating new procedures for tracking, monitoring and reporting WEB Debits. However, all of these changes also impact processes and expectations for RDFIs to help keep the ACH network safe.

Daily processing for RDFIs includes the verification of Prenotes and many RDFIs rely on an automated process where the core system validates and then accepts or rejects a Prenotification with no manual assistance. These automated processes are great, especially when there is no dollar value or balancing to worry about. So with the implementation of account number validation for WEB Debit rule, RDFIs should review their current procedures and automated processes to ensure compliance with the Rules and help with fraud detections standards for their clients.

RDFIs should consider:

  • Whether modifications to their current process(es) for verifying Prenotes and micro-entries are necessary
  • Reviewing auto-Return features of the core processing system for both Prenotes and micro-entries
    • Automated coding of Return Entries for no account (R03) or invalid account number (R04)
    • Returning all rejected micro-entries, both debit and credit micro-entries that net out to zero
  • Actively using Same Day ACH processing windows for Returning rejected Prenotes for a quicker turnaround of invalid account numbers
  • Using BSA/AML monitoring tools on micro-entries to find irregularities, such as:
    • Large volume of micro-entries from one Originator
    • Credit-only micro-entries from Originators, with no off-setting debit micro-entries
    • Multiple micro-entries to multiple account numbers for possible phishing, as fraudsters may be searching for new account number routines
  • Using the ACH Contact Database to call the ODFI to notify them of a potential scam to stop fraudsters as soon as possible

Enforcement of the Supplementing Fraud Detection Standard for WEB Debits will have an additional period of one year from March 19, 2021, for audit compliance and Rules violations.

Although at first glance it looks like this Rule only matters to Originators and ODFIs, this Rule is intended to help prevent fraud on the ACH Network and protect RDFIs from posting fraudulent or incorrect unauthorized payments. By taking proactive steps regarding the receipt of ACH Entries, RDFIs are playing their part to fight against fraud.

Not sure where to start when it comes to managing risk related to fraud and WEB debit entries? Want a fresh set of eyes when it comes to your required annual ACH Audit? We can help! Reach out to us at advisoryservices@epcor.org for a free no-obligation quote for our Operational Process Review or our Policy and Procedure Review services!