Nacha’s new Fraud Monitoring Rule (the “New Rule”) requires risk- and role-based fraud monitoring. It explicitly applies to banks (ODFIs) as well as their non-consumer customers that submit ACH Entries on behalf of themselves or third parties.
Nacha has created a list of vendors that provide “fraud monitoring” services pertinent to the New Rule. Many provide some form of transaction monitoring and/or behavior monitoring services. The question has been raised: Is it sufficient to rely on transaction or behavior monitoring to demonstrate compliance with the New Rule? This blog addresses that question.
As a preliminary matter, let’s establish that compliance requires records, and more particularly records that meet the Federal Rules of Evidence – i.e., they would stand up in a Federal court of law to establish that an event occurred. That means that risk management without records that meet that standard would not protect the bank in the event of a compliance enforcement action.
The New Rule itself explicitly raises the possibility of an enforcement action. It states that it is enforceable by Nacha pursuant to its Rules Enforcement powers contained in Article 9 of the Operating Rules. That Article in turn states that Nacha may bring an enforcement action against an ODFI for its or its customers’ compliance, typically based on excessive Return Rates or RDFI complaints. Nacha may also bring action against an ODFI for failure to comply with annual compliance audit requirements, or to attest to proof of its Third-Party Sender’s audit. Finally, the Rules make clear (in the Article 2 General Rule) that the ODFI is responsible for its Originators’ and Third-Party Senders’ compliance.
As discussed above, the New Rule requires role-based compliance: more specifically, it states that the covered entity (the ODFI, Originator, TPS or TPSP) “must establish and implement risk-based processes and procedures, relevant to the role it plays in the authorization or Transmission of Entries[.]” (Emphasis added for clarity.) As a party largely engaged in the Transmission of Entries, the ODFI may reasonably conclude that implementing a well-regarded transaction-monitoring service could help it demonstrate compliance with the New Rule, as it applies to its own operations. Indeed, the inclusion of various transaction-monitoring services in Nacha’s list of vendors supports that conclusion. Adding a behavior-monitoring tool, which reviews other factors relating to the submission of an Entry to the ODFI and analyzes them for patterns indicative of fraud, could also be seen as relevant to the bank’s demonstration of compliance with the New Rule, for the same reason.
What about a Third-Party Sender? Presumably, a high-volume TPS that relies on third parties for origination (compliance with the Article 2 requirements) could also point to use of a transaction and/or behavior monitoring service to show compliance, as its role is similarly in the transmission of Entries.
But what about a party whose role involves the authorization of Entries? Authorization is covered in Article 2 of the Operating Rules, and as an uncapitalized term in the New Rule it could be read to mean compliance with any of the origination requirements pertinent to fraud prevention. Just as one example, a party that originates a consumer debit authorized orally by telephone is required to verify the consumer’s identity. In the New Rule FAQs, Nacha also emphasizes another procedure specific to the Originator role:
Originators may be best placed to implement procedures to protect against account takeover or other vectors for initiating unauthorized transactions. Such procedures could include change controls regarding payment information and instructions for vendor and payroll payments.
Clearly, Nacha expects Originators involved in corporate credits or certain recurring consumer credits (direct deposit) to show that they’ve implemented procedures to verify the validity of instructions they receive to change the payment information for those transactions, in order to staunch a very common vector for fraud that (presumably) often evades transaction monitoring.
Neither of the above examples involves transaction monitoring. And, to underline this point, Nacha states in the FAQs that screening of “every ACH entry individually” is not required under the New Rule – i.e., the Rule means something different.
Taken together, these factors mean that compliance with the new Fraud Monitoring Rule, on the one side, and transaction or behavior monitoring, on the other, are not the same. In some cases, as it relates to a party’s role or risk, records that evidence transaction or behavior monitoring can support compliance with the New Rule. In other cases, and particularly in the case of the Originator, they would not suffice.
