Two people are discussing business over a laptop in a conference room.

Treasury Management ACH News

October 2023

As a company that originates ACH transactions, it is required for you, as an Originator, to understand and abide by the Nacha ACH Rules. On occasion, Nacha will add a new Rule or amend current Rules. This ACH Newsletter provides notice and details regarding upcoming Rules and changes. Review our Nacha ACH Rules Update section for updates. A copy of the Nacha Operating Rules and Guidelines can be purchased at nacha.org.

There are several ways you can understand your responsibilities as an ACH Originator. Our Originator Obligations section highlights and reviews rules and guidelines. 

What is ACH Fraud, and how do you protect your company? In our Stay Up to Date on Fraud, Security, and Risk section we walk you through current trends in fraud and what your company can do to mitigate risk.

The TBK Bank Treasury Management ACH Newsletter is published bi-annually in the first and third quarters and is emailed to all ACH Users of Commercial and Small Business Center. It is also available in the Commercial and Small Business Resource Center.

No news is good news! There are no upcoming ACH Rules updates for the second half of 2023. Previous Rule changes are available at nacha.org. Click on FIND AN ACH RULE, then scroll through previous Rule changes.

Review of ACH Returns and Reinitiated Entries

An ACH return is an ACH transaction (debit or credit) the Receiving Depository Financial Institution (RDFI) cannot post to the Receiver’s account. The table below lists the most common Return Reason Codes for commercial clients. The table includes descriptions, comments, and whether the return can be reinitiated.

As an Originator you are responsible for knowing about Return Reason Codes and establishing procedures for handling returns. Originators should also have an alternative form of collection depending on the reason for the debit return or until the return can be researched and resolved.

Table of Return Codes

CODE Description Comments Reinitiating a Returned Entry
R01 Insufficient Funds Receivers balance is not sufficient to cover amount of debit Entry. Originator may reinitiate within 180 days of the original Entry’s Settlement date.
R02 Account Closed Previously active account has been closed by RDFI or Receiver. Stop future Entries and obtain a new authorization with a different account number from the Receiver.
R03 No Account or Unable to Locate Account Account number does not correspond to the individual identified in the Entry or the account number is not an existing account with the RDFI. Originator must stop future Entries until the Receivers account number/structure is corrected.
R04 Invalid Account Number Structure The account number structure is not valid. Stop future Entries and correct account/or correct account structure to create a new Entry.
R05 Unauthorized Debit to a Consumer Account Using a Corporate SEC Code The CCD or CTX debit Entry was transmitted to a consumer account and was not authorized by the receiver. The Originator must immediately stop initiation of future Entries.
R06 Return Per ODFI’s Request The ODFI has requested the RDFI return an erroneous Entry or a credit Entry originated without the authorization of the Originator. Originator has accepted the return.
R07 Authorization Revoked by Consumer Customer. The RDFI’s customer revoked the Authorization previously provided to the Originator. Stop future Entries until a new Authorization is obtained from the Receiver.
R08 Payment Stopped The Receiver has placed a Stop Payment on the debit Entry. A Stop Payment can be for one Entry or all future Entries. The Originator may only reinitiate once they contact the Receiver for a reason for the Stop Payment and obtain a new Authorization from the Receiver.
R09 Uncollected Funds A sufficient ledger balance exists to satisfy the dollar value of the transaction, but the available balance is below the dollar value of the debit Entry. The Originator may reinitiate within 180 days of the original Entry’s settlement date.
R10 Customer Advised Originator is Not Known to the Receiver and/or Originator is Not Authorized to Debit Receiver’s Account The Receiver has notified the RDFI that the Receiver does not know the identity, has no relationship with, or has not authorized the Originator to debit the account. The Originator must immediately stop initiation of future Entries.
R11 Customer Advised Entry Not in Accordance with the Terms of the Authorization The Originator and Receiver have a relationship, and an Authorization to debit exists. However, there is an error or defect in the payment. The Entry does not conform to the terms of that Authorization, such as the amount being different than authorized, settlement being earlier than allowed, or an incomplete transaction. When an Originator corrects the Entry within the terms of the original Authorization, the Entry can be reinitiated without obtaining a new Authorization. Reinitiating the Entry must be completed within 60 days of the R11 settlement date, and the Company Entry Description must be “RETRY PYMT.”
R12 Account Sold to Another DFI The financial institution received an Entry to an account sold to another financial institution. Immediately stop initiation and contact Receiver for a correct Routing number to create a new Entry.
R13 Invalid ACH Routing Number Not a valid ACH routing number. Immediately stop initiation and contact Receiver for a correct Routing number to create a new Entry.
R16 Account Frozen/Entry Returned per OFAC Instruction Access to the receiving account is restricted by the RDFI, legal action, or OFAC has instructed the RDFI to return the Entry. The Originator must immediately stop initiation of future Entries.
R17 File Record Edit Criteria/Entry with Invalid Account Number Initiated Under Questionable Circumstances/Return of an Improperly Initiated Reversal Fields in the Entry cannot be processed by the RDFI; the Entry contains an invalid account number and is believed by the RDFI to have been initiated under questionable circumstances; or either the RDFI or Receiver has identified a Reversing Entry as one that was improperly initiated by the Originator or ODFI. Identify and correct errors prior to reinitiating.
R20 Non-Transaction Account ACH Entry is to a non-transaction account (an account to which transactions are prohibited or limited). Originator must immediately stop initiation of future Entries.
R23 Credit Entry Refused by Receiver Any credit Entry refused by the Receiver may be returned by the RDFI. The Originator must obtain a new Authorization prior to reinitiating the Entry.
R24 Duplicate Entry The RDFI has received what appears to be a duplicate Entry. The trace number, date, dollar amount, and other data match another transaction. The Originator must accept the return when an Entry is duplicated.
R29

 

Corporate Customer Advised Not Authorized The RDFI has been notified by the Receiver (non-consumer) that an Entry has not been authorized by the Receiver. Stop future Entries until a new Authorization is obtained from the Receiver.
R51 Item related to  RCK Payment RCK Entry has been presented for payment. TBK Treasury Management does not allow RCK payments.

 

Originator Obligations for Return Rate Thresholds

Originating Depository Financial Institutions (ODFIs) are required to monitor and evaluate Originators based on their risk and the Return Risk Thresholds established by Nacha. The Return Risk Thresholds are broken out into three categories:

  1. An Unauthorized Return Ratio for debit entries must be below 0.5% over a 60-day/two calendar month period. The ratio is calculated by the number of debits returned divided by the number of debits originated for the preceding 60-day/two calendar month period. An Unauthorized ratio of 0.5% or higher is a Nacha Rule violation, which can result in a loss of ACH Origination for your company and may include fines imposed by Nacha.

Immediately discontinue processing Entries to an account number upon receiving an unauthorized return for an account. Reach out to your customer and try to resolve the issue. Resolution can be in the form of your customer providing a new bank account number or removing a block on debit transactions received from your ACH Company ID. A new Authorization is required to begin processing Entries to that customer again. Unauthorized Return Codes:

  • R05 – Unauthorized Debit to Consumer Account Using Corporate SEC Code
  • R07 – Authorization Revoked by Customer
  • R10 – Customer Advises Unauthorized
  • R11 – Customer Advises Entry Not in Accordance with the Terms of the Authorization
  • R29 – Corporate Customer Advises Not Authorized
  • R51 – Notice not Provided/Signature not Authentic/Item Altered/Ineligible for Conversion
  1. Administrative or account data debit returns must be below 3.0% over a 60-day / two calendar month period.

These returns are easier to fix with your customer; they also are good candidates for reinitiating. Working with your customer to collect new account information or to update the routing/account number on file is the best way to resolve these errors.

Administrative Return Codes:

  • R02 – Account Closed
  • R03 – No Account/Unable to Locate Account
  • R04 – Invalid Account Number Structure
  1. A 15.0% Overall return rate applies to all debit Entries returned for any reason over a 60-day/two calendar month period, including Unauthorized and Administrative returns. Some debit returns are unavoidable; however, excessive returns can indicate problematic origination practices by the Originating Company.

3.0% Administrative and 15.0% Overall returns are not automatically considered Nacha Rules violations. Instead, a return rate above the respective level is a reason for the ODFI and Nacha to review the Originator’s activity and determine if a reduction in the return ratio is required.

Reinitiating an Entry

There are explicit ACH Rules regarding reinitiating an Entry after its return. All reinitiated Entries must be the same amount, pay the same obligation as the original Entry, and must contain RETRY PYMT in the Company Entry Description. The Originators should consider the likelihood of return on the reinitiated Entry and how it will affect an Originator’s Return Ratio.

Entries reinitiated on Administrative returns have a lower chance of being returned. In comparison, Entries reinitiated on Unauthorized returns have a higher chance of return. Returns on reinitiated Entries affect the Originator’s Return Ratio. Nacha advises Originators to consider this and be confident in the Receiver’s explanation before attempting to reinitiate an Unauthorized return. For guidelines on reinitiating a returned Entry refer to the Table of Return Codes above.

Originators’ Obligation for Providing a Company Entry Description.

The Company Entry Description is a mandatory field in the ACH file’s Batch Header Record. The field holds up to 10 characters and establishes the purpose of the Entry to the Receiver.

Examples of common Company Entry Descriptions for ACH are Payment, Payroll, Purchase, Billing, Salary, and Transfer. Certain Entries require specific descriptions, such as RETRY PYMT for reinitiated return Entries and REVERSAL for reversing Entries.

Originators often confuse the Company Entry Description with the Company Discretionary Data Field. The Company Discretionary Data Filed is also located in the Batch Header Record and holds up to 20 characters. Originators use this field for information significant to themselves, or the ODFI can use it to describe special handling. The field is not mandatory.

Originator Obligations for a Notification of Change

Occasionally, an RDFI may accept and correct an Entry instead of creating an Administrative return. In this instance, the RDFI will send a Notification of Change (NOC) to notify the Originator of an Entry containing invalid or erroneous information.

Originators are responsible for responding to a NOC by investigating incorrect data and making corrections within 6 banking days or before initiating another Entry to the Receiver’s account. They must not originate additional Entries to the Receiver until the corrections are made.

Common NOC Change Codes:

Code Description Comments
C01 Incorrect Account Number The account number needs to be corrected or formatted correctly.
C02 Incorrect Routing Number Routing number is incorrect or has been changed by the RDFI.
C03 Incorrect Account Number and Incorrect Routing Number The account and routing number need to be corrected or formatted correctly.
C05 Incorrect Transaction Code The account number contained in the Entry has a Transaction code for a different type of account. A checking account may be coded as a savings account or a savings account coded as a checking account.
C06 Incorrect Account Number and Incorrect Transaction Code The account number and Transaction Code need to be corrected, and attempting to post to the wrong account and type.

Vendor Spoofing Scam – An employee receives an email or phone call from a trusted vendor requesting a change in payment instructions. The employee transfers the funds to the fraudster’s bank account without due diligence or validation to confirm the request. Usually, these ACH and Wire requests closely mimic legitimate requests you’d typically receive from that supplier.

Business email compromise (BEC) and phishing scams – BEC scams are a type of phishing scam. It begins with a criminal sending a phishing email that seems to be from someone the employee knows. The employee clicks on a link requesting banking information or other sensitive data, and the fraudster gains access to the email account. The fraudster will monitor that email account to determine who initiates payments or who requests them.

CEO or Executive Spoofing Scam – The scammer poses as your company’s CEO or an Executive within the company and requests a transfer request via email. The email will look very similar to other company emails. However, the request comes from a hacked email account or an account created to appear legitimate.

Best Practices to Protect Your Company

  • Implement verification policies to check any changes to existing invoices, banking info, and contact information.
  • Require live confirmation for fund transfer requests and verify by calling an authorized contact.
  • Implement an approved contact list for vendors, and never use a telephone number listed in an email to confirm payment information.
  • Create strict internal controls around payments initiated by emails or other less secure messaging systems.
  • Require signatures from senior management for payments over a specified amount.
  • Use strict user authentication and tracking to access the network and payment initiations.
  • Use dual control for payments.

What do all of these scams have in common? Generally, the fraudster creates a sense of urgency and attempts to rush the employee into making a quick decision to send the payment before the employee can verify the request by phone or in person.

If you are a target of a scam, take immediate action. Refer to your company’s procedures and immediately contact your Bank Officer or TBK Treasury Management Support.

Treasury Management Support:
Email: tm@tbkbank.com
Phone: 844-824-2265
Available Monday – Friday: 8 a.m. – 6 p.m. CT (excluding Federal holidays)