Penny transactions, smoke testing, micro-entries, small value testing, and penny drop testing are a few of the names applied to the type of transaction used to test the validity of a bank account by depositing a small amount of money.
The Nacha Operating Rules (ACH rules) define the term Micro-Entry to mean,
A credit or debit Entry used by an Originator for the purpose of verifying a Receiver’s account or an individual’s access to an account.
As account validation goes, the Micro-Entry process works! Challenges emerge when an ACH participant believes that account validation equals authorization.
Specific to ACH transactions, every debit entry must be properly authorized by the Originator and the Receiver. Just because a person can complete the Micro-Entry validation process does not make that person a Receiver.
The ACH rules state that Receiver means “all Persons whose signatures are required to withdraw funds from an account for purposes of the warranty provisions of Subsection 2.4.1 (General ODFI Warranties)” [Section 8.84, 2023 Nacha Operating Rules]. In other words, only a natural person or organization (i.e., Person) that is legally able to act on the account can be a Receiver for purposes of fulfilling the authorization with the Originator.
Another tool for account validation through ACH is a Prenotification Entry (Prenote). A Prenote is a zero-dollar entry that validates an account number is accurate. However, like a Micro-Entry, a Prenote cannot validate who owns the account.
Also, an Originator of a debit entry must first obtain an authorization (permission) before the Originator may use the account number for any purpose other than a credit or a non-monetary entry. In other words, without first obtaining a debit authorization, there cannot be an account number to which a Micro-Entry, Prenote, or other transaction may be sent. An Originator should develop practices and procedures to validate account ownership to the extent possible before any transaction is initiated.
There are numerous third-party tools one may purchase that can reveal account ownership for a subset of U.S. accounts. Organizations like Early Warning, Giact, MicroBilt, Plaid, and Vericheck are only a few examples of companies that specialize in account validation. Participating with one of these companies means participating in a give-to-get database. You securely share your account data to get account data from other participants in the database. Currently there is no unilateral tool to validate a Receiver because not every financial institution in the U.S. participates in the same shared database, or at all.
Bad actors impersonate the legitimate owners of accounts, i.e., Receivers. Bad actors are quite crafty sometimes, employing identity theft, synthetic identity theft, and other tricks of the financial fraud trade. A signature on an authorization does not make a person a Receiver. Successfully completing the account validation process using Micro-Entries does not prove account ownership either.
Originators (including ODFIs who are also Originators) should bake into their applicable procedures and risk assessment(s) the unfortunate truths that 1) account validation does not equal account ownership and 2) there is not currently a tool that can validate ownership for all accounts in the U.S.
If you would like to discuss Account Validation or other payments questions, please call our Payments Answerline™ at 800-475-0585, Option 1.