Have you thoroughly considered the risks of external account-to-account transfers, specifically consumer debit origination? Almost every week ePayResources fields a call from a member ODFI that has been asked to provide proof of authorization (PoA) for a debit entry they allowed a consumer accountholder to send to another institution. Often the ODFI’s accountholder debited someone else’s account for a large sum, and now the accountholder and the funds are gone.
The ODFI tells us that their accountholder filled out an online banking agreement and used micro-entries or some other account verification product. The problem is that account validation and transaction authorization are not the same thing.
An authorization to debit a consumer account must contain certain elements specified by the Nacha Operating Rules and be signed or similarly authenticated by the Receiver. These specific elements include:
- identification of the transaction as a single, recurring, or subsequent entry
- the date and amount of the transaction
- the account number being debited; and
- instructions on how to revoke authorization.
The complete list of what must be included in the authorization can be found in Subsection 2.3.2.2 on page OR8 of the 2024 Nacha Operating Rules and Guidelines. When requested, an ODFI must provide to the RDFI an authorization that complies with the Nacha Rules and that is signed by the RDFI’s accountholder (the Receiver).
Let’s look at an example: Bob has an account at Acme Bank (the ODFI). He wants to debit his account at The Other Bank (the RDFI) to move the funds to Acme Bank. He completes all of Acme Bank’s required documentation, and Acme Bank uses a service to verify that the other account number is for a valid and open account. Once the process is complete, Bob initiates a debit to The Other Bank.
Perhaps Bob mistypes or perhaps he acts with fraudulent intent when he initiates a debit to an account owned by Mary at The Other Bank. Days, weeks, months, or potentially years later, Acme Bank receives a request from The Other Bank for the proof of authorization for Bob’s transaction. Acme Bank must give The Other Bank a PoA that contains all the required elements and has been signed by an authorized signer on the account being debited. If Acme Bank cannot provide a PoA signed by Mary, then the transaction is unauthorized.
Personally, I have yet to talk to an ODFI that has received such a debit authorization from their consumer Originator. Without a valid PoA the ODFI must take the transaction back. Since the Originator is a consumer, whether the ODFI can charge the debit back to the consumer’s account will depend on what is stated in the account or online banking agreement.
As you considered this scenario, you were likely wondering what Standard Entry Class (SEC) Code was used. The SEC Code provides information about the transaction’s Originator, Receiver, and type of authorization. For instance, a debit PPD entry has a non-consumer Originator and a consumer Receiver. The authorization is communicated in writing and signed or similarly authenticated by the Receiver.
So, what SEC Code indicates that a debit entry has a consumer Originator? The simple answer is that there is not one. There are two SEC Codes for consumer Originators. Credit WEB is a consumer-to-consumer credit push, more commonly referred to as a P2P transaction. Consumer-Initiated Entry (CIE) entry is used for a consumer credit push to a non-consumer such as their electric company. None of the current twenty-three Standard Entry Class (SEC) Codes accommodate a consumer debit Originator initiating an entry to a consumer or non-consumer Receiver.
Financial institutions allowing consumers to debit accounts at other institutions need to consider the risk in such action, for they are acting outside of the current rules structure. Whether an institution is already allowing external transfers (aka A2A transactions) or is considering it, reading Appendix O: Managing the Risks to Consumer-to-Other Consumer Debits – ACH Operations Bulleting #4-2017 found in the Nacha Operating Rules and Guidelines should be included in their due diligence process. This bulletin provides important guidance from Nacha on the practice of allowing consumer debit origination.
If you have any questions about account-to-account transfers and your potential liability, please call ePayResources’ Payments Answerline at 800-475-0585, Option 1.