Nacha Operating Rules Updates

Nacha Operating Rules Updates

NBT Bank takes great pride in keeping our clients informed and educated on the ever changing payments landscape. The following information provides a high level overview of the current Nacha rule changes, as well as a link to the Nacha Operating Rules & Guidelines.

As stated within the ACH Originator Agreement, signed between you (Originator) and NBT Bank N.A. (Originating Depository Financial Institution, ODFI), each company that originates ACH entries through NBT Bank must comply with the Nacha Operating Rules & Guidelines (Rules).

  • The National Automated Clearing House Association (Nacha) is the rule-making body that governs the ACH network and therefore all participants of the ACH network must comply with these Rules.
  • As an Originator, you are required to understand the existing Rules and any upcoming Rule changes. It is recommended you purchase a copy of the updated Nacha Operating Rules & Guidelines on an annual basis.

Disclaimer: This webpage is not intended to be a replacement or substitution for the Rules. It is not intended to provide any warranties or legal advice and is provided for educational purposes only.

2025 Summary

Expanded Use of ODFI Request for Return/R06

Phase 2 - Effective April 1, 2025

  • This rule expands the permissible uses of the Request for Return of an originated ACH transaction, allowing an Originating Depository Financial Institution (ODFI) to request a return from the Receiving Depository Financial Institution (RDFI) for any reason.
  • This rule will also require the RDFI to respond to the ODFI for all requests received.
    • Whether the RDFI honors the ODFI’s request to return the Entry, the RDFI must advise the ODFI of its decision or the status of the request within ten (10) banking days of receipt of the ODFI’s request.
  • Please see Nacha.org for additional information about Expanded Use of ODFI Request for Return/R06.

2026 Summary

Fraud Monitoring by Originators, TPSPs and ODFIs

Phase 1 - Effective March 20, 2026

  • This rule amendment will require all ODFIs, and each non-Consumer Originator, Third-Party Service Provider, and Third-Party Sender with annual ACH origination volume of 6 million or greater in 2023, to establish and implement risk-based processes and procedures reasonably intended to identify ACH Entries initiated due to fraud.
    • The organization’s processes and procedures must be reviewed at least annually.
    • Implementation of fraud-detection processes and procedures will be required for organizations not currently performing fraud monitoring.
  • Please see Nacha.org for additional information about Fraud Monitoring by Originators, TPSPs and ODFIs–Phase 1.

Phase 2 - Effective June 22, 2026

  • This rule amendment will require all ODFIs, and each non-Consumer Originator, Third-Party Service Provider, and Third-Party Sender, regardless of ACH origination volume, to establish and implement risk-based processes and procedures reasonably intended to identify ACH Entries initiated due to fraud.
    • The organization’s processes and procedures must be reviewed at least annually.
    • Implementation of fraud-detection processes and procedures will be required for all ACH organizations that are not currently performing fraud monitoring.
  • Please see Nacha.org for additional information about Fraud Monitoring by Originators, TPSPs and ODFIs–Phase 2.

Company Entry Description

Phase 1 - Effective March 20, 2026

  • This rule amendment will require the standardized use of two newly defined Company Entry Descriptions on specific ACH transactions: PAYROLL and PURCHASE.
  • PAYROLL – For all PPD Credits for payment of wages, salaries, and similar types of compensation, the Company Entry Description field must contain the description PAYROLL.
  • PURCHASE – For all e-commerce purchases, the Company Entry Description field must contain the description PURCHASE.
    • An e-commerce purchase is defined as a debit Entry authorized by a consumer Receiver for the online purchase of goods, including recurring purchases first authorized online. An e-commerce purchase must use the WEB debit SEC Code, except as permitted by the rule on Standing Authorization to use the PPD or TEL debit SEC Codes.
  • Please see Nacha.org for additional information about Company Entry Description.

RDFI ACH Credit Monitoring

Phase 1 - Effective March 20, 2026

  • This rule amendment will require RDFIs with an annual ACH receipt volume of 10 million or greater in 2023 to establish and implement risk-based processes and procedures designed to identify credit Entries initiated due to fraud.
  • Please see Nacha.org for additional information about RDFI ACH Credit Monitoring–Phase 1.

Phase 2 - Effective June 22, 2026

  • This rule will require all RDFIs regardless of ACH receipt volume, to establish and implement risk-based processes and procedures designed to identify credit Entries initiated due to fraud.
  • Please see Nacha.org for additional information about RDFI ACH Credit Monitoring – Phase 2.

Summary of Rules Implemented in Prior Years

2024 Summary

General Rule for WEB Entries (Article Two, Subsection 2.5.17.1)

Effective June 21, 2024

  • All consumer-to-consumer credits must be originated using the WEB SEC Code, “regardless of whether the authorization is communicated via the Internet or Wireless Network.
  • This minor rule change re-worded the WEB general rule to make clear that WEB must be used for ALL consumer-to-consumer credits, regardless of how the consumer communicates the payment instruction to the ODFI or P2P service provider.
  • Please see Nacha.org for additional information about General Rule for WEB Entries.

Definition of Originator (Article Eight, Section 8.71)

Effective June 21, 2024

  • Current rules define an Originator only by its relationship with the ODFI - "a Person that has authorized an ODFI (directly or through a Third-Party Sender) to Transmit an entry to the Receiver’s account at the RDFI."
  • This minor rule change expanded the definition of an ‘Originator’ to identify the party authorized by the Receiver to credit or debit the Receiver’s account at the RDFI.
  • Please see Nacha.org for additional information about Definition of Originator.

ODFI and Originator Action on Notification of Change (Article Two, Section 2.12.1)

Effective June 21, 2024

  • This minor rule change gave Originators discretion to make NOC changes for any Single (One-Time) Entry, regardless of SEC Code.
    • SEC Codes that, by definition, are one-time entries include ARC, BOC, POP, RCK, single-entry WEB, single-entry TEL, XCK.
  • Please see Nacha.org for additional information on ODFI and Originator Action on Notification of Change.

Security Requirements (Article One, Section 1.6)

Effective June 21, 2024

  • Requires each Originator, Third-Party Service Provider, and Third-Party Sender to protect DFI account numbers by rendering them unreadable when stored electronically.
  • This requirement is threshold-based and begins to apply to non-covered entities once those participants’ annual ACH origination or transmission volume exceeds 2 million entries for the first time.
    • The rules include a grace period for newly covered parties to address implementation issues (they must comply by June 30 of the year after triggering the 2 million entry threshold)
  • Revised the wording of this section to separate compliance obligations for parties already covered by the rule from those meeting the threshold for the first time.
  • Please see Nacha.org for additional information on Security Requirements.

General Rule for Prenotifications (Article Two, Subsection 2.6.1) & Definition of Prenotification Entry (Article Eight, Section 8.81)

Effective June 21, 2024

  • Aligned the prenote rules with industry practice by removing language that limits prenote use only prior to the first credit or debit entry.
  • Originators will be allowed to re-validate that certain accounts are open and can accept ACH entries, even after live entries have previously been transmitted.
    • Ex: re-validation of inactive or dormant accounts before renewed ACH activity.
  • Please see Nacha.org for additional information on General Rule for Prenotifications.

Codify Use of Return Reason Code R17

Effective October 1, 2024

  • This rule explicitly allowed an RDFI to use R17 to return an entry it believes is fraudulent.
    • Such use is optional, not required, and at the discretion of the RDFI.
    • It still requires the return to include the descriptor ‘QUESTIONABLE’ in the addenda record when used for this purpose.
  • This new Rule also included reference to a newly defined term, ‘False Pretenses’ to mean:
    • the inducement of payment by a Person misrepresenting (a) that Person’s identity, (b) that Person’s association with or authority to act on behalf of another person, or (c) the ownership of an account to be credited.
  • Please see Nacha.org for additional information about Codify Use of Return Reason Code R17.

Expanded Use of ODFI Request for Return/R06

Effective October 1, 2024

  • This rule expanded the permissible uses of the Request for Return to allow an ODFI to request a return from the RDFI for any reason.
    • The ODFI must still indemnify the RDFI for compliance with the request
    • Compliance by the RDFI will remain optional and does not need to be honored.
  • Please see Nacha.org for additional information about Expanded Use of ODFI Request for Return/R06.

Additional Funds Availability Exceptions

Effective October 1, 2024

  • This rule gave RDFIs an additional exemption from the funds availability requirements to include credit entries that the RDFI suspects originated under false pretenses.
    • The rule is not intended to otherwise alter the RDFI’s obligation to promptly make funds available as required by the Rules.
  • The Nacha Rules already provided RDFIs with an exemption from funds availability requirements if the RDFI reasonably suspects the credit entry was unauthorized.
  • This new Rule also included reference to a newly defined term, ‘False Pretenses,’ meaning:
    • the inducement of payment by a Person misrepresenting (a) that Person’s identity, (b) that Person’s association with or authority to act on behalf of another person, or (c) the ownership of an account to be credited.
  • Please see Nacha.org for additional information about Additional Funds Availability Exceptions.

Timing of Written Statement of Unauthorized Debit (WSUD)

Effective October 1, 2024

  • This rule allowed a WSUD to be signed and dated by the Receiver on or after the date the Entry is presented to the Receiver, even if the debit had not yet been posted to the account.
    • The current Rules require that the WSUD be dated on or after the Settlement Date of the Entry.
    • This amendment does not otherwise change the requirement for an RDFI to obtain a WSUD from the consumer.
  • Please see Nacha.org for additional information about Timing of Written Statement of Unauthorized Debit (WSUD).

RDFI Must Promptly Return Unauthorized Debit

Effective October 1, 2024

  • This amendment required that when returning a consumer debit as unauthorized in the extended return time, the RDFI must do so by the opening of the sixth Banking Day following the completion of its review of the consumer’s signed WSUD.
  • Please see Nacha.org for additional information about RDFI Must Promptly Return Unauthorized Debit.

2023 Summary

Micro-Entries

Phase 2 – Effective March 17, 2023

  • Originators must conduct commercially reasonable fraud detection on its use of Micro-Entries.
    • This includes monitoring forward and return Micro-Entry volumes.
  • Please see Nacha.org for additional information about Micro-Entries.

Third-Party Sender Roles and Responsibilities

Effective September 30, 2022 - Enforced March 31, 2023

  • This Rule addressed the existing practice of Nested Third-Party Sender (TPS) relationships.
    • Defined a Nested Third-Party Sender as a TPS that has an agreement with another TPS to act on behalf of an Originator, that does not have a direct agreement with the ODFI.
    • Updated the requirements of Origination Agreements for a Nested TPS relationship and established the “chain of agreements” and responsibilities in a Nested TPS arrangement.
  • This Rule also explicitly stated that a TPS is required to conduct a Risk Assessment and implement a risk management program.
    • Each TPS must conduct its own Risk Assessment. The obligation to perform the Risk Assessment, as well as the required Rules Compliance audit, cannot be passed onto another party.
    • This rule amendment did not define a specific methodology or list of topics for a TPS Risk Assessment.
  • Please see Nacha.org for additional information about Third-Party Sender Roles and Responsibilities.

Supplementing Data Security Requirements

Effective June 30, 2022 - Enforced June 30, 2023

  • Phase 2 of this Rule stated that those Originators and Third-Party Senders with annual ACH volumes larger than 2 million transactions must protect deposit account information by rendering it unreadable when stored electronically.
    • The Rules are neutral as to the methods/technologies that may be used for compliance.
  • Please see Nacha.org for additional information about Supplementing Data Security Requirements.