SUPPLEMENTARY INFORMATION:

1. Background

Title 31 CFR part 210 (part 210) governs the use of the ACH Network by Federal agencies. The ACH Network is a nationwide electronic fund transfer system that provides for the interbank clearing of electronic credit and debit transactions and for the exchange of payment-related information among participating financial institutions.

The ACH Network facilitates payment transactions between several types of participants, including the:

• Originator: An organization or individual that agrees to initiate an ACH entry according to an arrangement with a Receiver.
• Originating Depository Financial Institution (ODFI): An institution that receives the payment instruction from the Originator and forwards the ACH entry to the ACH Operator.
• ACH Operator: A central clearing facility that receives entries from ODFIs, distributes the entries to appropriate Receiving Depository Financial Institutions, and performs settlement functions for the financial institutions.
• Receiving Depository Financial Institution (RDFI): An institution that receives entries from the ACH Operator and posts them to the accounts of its depositors (Receivers).
• Receiver: An organization or consumer that has authorized an Originator to initiate an ACH entry to the Receiver's account with the RDFI.
• Third-Party Service Provider: An entity other than the Originator, ODFI, or RDFI that performs any functions on behalf of the Originator, ODFI, or RDFI in connection with processing ACH entries. These functions may include, for example, creating ACH files on behalf of an Originator or ODFI, or acting as a sending point or receiving point on behalf of an ODFI or RDFI.

Rights and obligations among participants in the ACH Network are governed by Nacha's Operating Rules & Guidelines. There is an industry consensus that the Operating Rules & Guidelines provide a uniform set of standards for ACH transactions and that these standards enable efficient transaction processing.

Part 210 incorporates the Operating Rules & Guidelines by reference, with certain exceptions. From time to time, the Fiscal Service amends part 210 to address changes that Nacha periodically makes to the Operating Rules & Guidelines or to revise the regulation as otherwise appropriate. Given their coverage across the payment system and to promote consistent application to all ACH Network participants, the federal government generally adopts changes to the Operating Rules & Guidelines unless the changes address enforcement and compliance of the Operating Rules & Guidelines, would adversely impact government operations, or are irrelevant to Federal agency participation in the ACH Network.

Currently, part 210 incorporates the 2021 Operating Rules & Guidelines, including Supplement #1-2021, subject to certain exceptions. Nacha has adopted several changes since the publication of the 2021 Operating Rules & Guidelines, including Supplement #1-2021, as reflected in the 2024 Operating Rules & Guidelines and supplements thereto.^[1] We are proposing to incorporate all of these changes in part 210.

We are requesting public comment on all the proposed amendments to part 210, including with respect to changes that would be incorporated by reference.

2. Summary of Proposed Rule Changes

Since the publication of the 2021 Operating Rules & Guidelines, including Supplement #1-2021, Nacha has published three versions of the Operating Rules & Guidelines: the 2022 Operating Rules & Guidelines, the 2023 Operating Rules & Guidelines, and the 2024 Operating Rules & Guidelines, including Supplement #1-2024. Below, we outline the major changes that were included in these updates.

(a) 2022 Operating Rules & Guidelines Changes

The 2022 Operating Rules & Guidelines implemented several changes to the Operating Rules & Guidelines, some of which Nacha had previously adopted with a delayed implementation date and were addressed in a prior Fiscal Service rulemaking.^[2] The 2022 Operating Rules & Guidelines also clarified the rules regarding third-party senders in the ACH Network.

Nacha first defined “nested” third-party senders and addressed the roles and responsibilities applicable to ODFIs working with them. Nacha defined a Nested Third-Party Sender (Nested TPS) as a Third-Party Sender (TPS) that has an agreement with another TPS to act on behalf of an Originator and does not have a direct agreement with the ODFI. Nacha requires ODFIs' origination agreements with TPSs to address Nested TPSs, and to update their TPS obligations and warranties to cover Nested TPSs.

Moreover, ODFIs must identify all TPSs that have Nested TPS relationships in Nacha's Risk Management Portal and must provide Nacha with the Nested TPS relationships for any of their TPSs upon request. The 2022 Operating Rules & Guidelines provides timeframes for compliance and establishes requirements for updating information that has changed.

Additionally, the Third-Party Senders and Risk Assessments rule requires that a TPS, whether or not it is a Nested TPS, conduct a Risk Assessment. Under that rule, a TPS must implement, or have implemented, a risk management program based on its risk assessment. The rule states that the obligation for the TPS to perform a risk assessment, as with the required rules compliance audit, cannot be passed on to another party. Each TPS must conduct or have conducted its own risk assessment.

The Fiscal Service proposes to adopt these rule changes, in order to maintain consistency with other ACH Network participants and facilitate uniform processing of transactions.

(b) 2023 Operating Rules & Guidelines Changes

The 2023 Operating Rules & Guidelines implement several additional changes beyond those in the 2022 Operating Rules & Guidelines, some of which were previously adopted by Fiscal Service.^[3] Additional changes include, but are not limited to, implementing parts of the TPS rule discussed above and adopting “Phase 1” of Nacha's Micro-Entry Rule.

Phase 1 of the Micro-Entry Rule defined “Micro-Entries” as a type of payment in the Operating Rules & Guidelines. “Micro-Entries” are ACH credits of less than $1, and any offsetting ACH debits, used for the purpose of verifying a Receiver's account. Originators of Micro-Entries must use a standard “Company Entry Description” and populate the “Company Entry Name” field with the same or similar name to be used in future entries. The rule also requires Originators using debit entry offsets to send the debit and corresponding credit Micro-Entries simultaneously for settlement at the same time, establishes certain limits on the amount of the Micro-Entries, and prohibits Micro-Entries that result in a net debit to the Receiver.

The Fiscal Service proposes to adopt these rule changes. Adoption of these changes will maintain consistency with other ACH Network participants and facilitate fraud-prevention strategies that may reduce the incidence of improper payments.

(c) 2024 Operating Rules & Guidelines Changes

The 2024 Operating Rules & Guidelines implement several additional changes, including “Phase 2” of Nacha's Micro-Entry Rule. Phase 2 of the Micro-Entry Rule built upon Phase 1 (discussed above) by requiring Originators of Micro-Entries to use commercially reasonable fraud-detection practices, including the monitoring of forward and return Micro-Entry volumes.

The Fiscal Service proposes to adopt these rule changes. Adoption of these changes will maintain consistency with other ACH Network participants and facilitate fraud-prevention strategies that may reduce the incidence of improper payments.

(d) 2024 Operating Rules & Guidelines, Supplement #1-2024 Changes

On April 12, 2024, Nacha published Supplement #1-2024 to the 2024 Nacha Operating Rules (Supplement #1-2024). Supplement #1-2024 included several updates to the Nacha Operating Rules ACH risk management requirements and made several other updates.

(i) Risk Management Requirements

The risk management topics covered in Supplement #1-2024 include clarifying and expanding the use of certain codes, formalizing a current practice regarding certain transactions that are suspected of origination under false pretenses, updating requirements for a “Written Statement of Unauthorized Debit,” specifying a timeframe for return of authorized debits, updating certain fraud-monitoring requirements, imposing ACH credit monitoring requirements on RDFIs, creating two new Company Entry Descriptions, and several other minor updates. Each is discussed below in turn.

(1) Use of Return Reason Code R17

The Operating Rules & Guidelines provide several codes to provide additional detail on an ACH transaction. Previously, the Operating Rules & Guidelines did not have a defined code to identify an ACH transaction, in its return, as fraudulent. Supplement #1-2024 will explicitly allow an RDFI to use Return Reason Code R17 to return an entry that it believes is fraudulent. Use of this code is optional, and the Fiscal Service has followed this procedure for several years. Nacha expects, and the Fiscal Service agrees, that this rule is expected to improve the recovery of funds originated due to fraud.

The Fiscal Service proposes to adopt these rule changes. Adoption of these changes will maintain consistency with other ACH Network participants and facilitate fraud-prevention strategies that may reduce the incidence of improper payments.

(2) Expanded Use of ODFI Request for Return—R06

Previously, under the Operating Rules & Guidelines, an ODFI could request that an RDFI return a defined “Erroneous Entry” or a credit entry that was originated without the authorization of the Originator using Return Reason Code R06. The RDFI may, but has not been obligated to, comply with the ODFI's request. ODFIs that wish to request the return of a potentially fraudulent entry have not had a clear means to do so, because the rules limited the use of R06 to specific situations.

Supplement #1-2024 expands the permissible uses of the Request for Return to allow an ODFI to request a return from the RDFI for any reason. This updated rule will not impact the Operating Rules & Guidelines' indemnification provisions. However, it requires the RDFI to respond to the ODFI, regardless of whether the RDFI complies with the ODFI's request to return the entry. The RDFI must advise the ODFI of its decision or the status of the request within 10 banking days of receipt of the ODFI's request.

Nacha indicates, and the Fiscal Service agrees, that this update is intended to improve the recovery of funds when fraud has occurred. The update also more accurately reflects how some ACH participants currently conduct their operations.

The Fiscal Service proposes to adopt these rule changes. Adoption of these changes will maintain consistency with other ACH Network participants and facilitate fraud-prevention strategies that may reduce the incidence of improper payments.

(3) Additional Funds Availability Exceptions

The Operating Rules & Guidelines have provided RDFIs with an exemption from funds availability requirements if the RDFI reasonably suspects the credit entry was unauthorized. Supplement #1-2024 provides RDFIs with an additional exemption from the funds availability requirements to include credit ACH entries that the RDFI suspects are originated under false pretenses. While RDFIs remain subject to Regulation CC's funds availability requirements, an RDFI can delay funds availability if its fraud-detection processes and procedures identify a flag.

Nacha asserts that this change will provide participants with an additional tool to manage potentially questionable or suspicious transactions that fall under the “authorized fraud” category, and provide RDFIs and ODFIs with additional time to communicate before funds availability is required.

The Fiscal Service proposes to adopt this rule change. Adoption of this change will maintain consistency with other ACH Network participants and may improve the potential for recovery of funds when fraud has occurred.

(4) Timing of Written Statement of Unauthorized Debit

Under the Operating Rules & Guidelines, when a consumer Receiver notifies an RDFI of an unauthorized debit, the RDFI must obtain a “Written Statement of Unauthorized Debit” (WSUD). Before Supplement #1-2024, the WSUD was required to be dated on or after the Settlement Date (as defined in the Operating Rules & Guidelines) of the unauthorized debit entry. However, through digital notifications and alerts, a consumer may be able to report an unauthorized debit prior to its posting to the account.

Supplement #1-2024 updates the WSUD rules to allow a consumer Receiver to sign and date a WSUD on or after the date on which the entry is presented to the Receiver, even if the debit has not yet posted to the account. The updated rule does not otherwise change the requirement for an RDFI to obtain a consumer's WSUD.

The Fiscal Service proposes to adopt this rule change. Adoption of this change will maintain consistency with other ACH Network participants and may improve the process and experience when debits are claimed to be unauthorized. Moreover, increasing the speed of returns can help participants manage risk and receive returns faster.

(6) Prompt RDFI Return of Unauthorized Debits

The Operating Rules & Guidelines previously stated that an RDFI must transmit an extended return entry for which it recredits a Receiver's account in such time that the entry can be made available to the ODFI no later than the opening of business on the banking day following the 60th calendar day following the settlement date of the original entry. However, the rules were silent as to the timeframe for the RDFI to return the entry after receiving a signed and dated WSUD.

Supplement #1-2024 updates the Operating Rules & Guidelines to require RDFIs to transmit these returns in such time that the entry can be made available to the ODFI no later than the opening of business on the sixth banking day following the completion of RDFI's review of the consumer's signed WSUD, and in such time that it is made available to the ODFI no later than the opening of business on the banking day following the 60th calendar day following the settlement date of the original entry.

The Fiscal Service proposes to adopt this rule change. Adoption of this change will maintain consistency with other ACH Network participants. Moreover, increasing the speed of returns can help participants manage risk and receive returns faster.

(7) Fraud Monitoring by Originators, Third-Party Service Providers/Third-Party Senders and ODFIs

The Operating Rules & Guidelines have required Originators to use a commercially reasonable fraudulent-transaction detection system to screen WEB debits and when using Micro-Entries. However, these requirements did not encompass any other transaction types, and have not applied to other types of debits or to any credits other than Micro-Entries.

Supplement #1-2024 will require each non-consumer Originator, ODFI, Third-Party Service Provider, and Third-Party Sender to establish and implement risk-based processes and procedures reasonably intended to identify ACH entries initiated due to fraud. Each of these parties will need to review at least annually their processes and procedures and make any appropriate updates to address evolving risks.

The Fiscal Service proposes to adopt this rule change. Adoption of this change will maintain consistency with other ACH Network participants and may further reduce the incidence of fraud or other improper payments or collections.

(8) ACH Credit Monitoring by RDFIs

The Operating Rules & Guidelines have required ODFIs, but not RDFIs, to perform debit transaction monitoring. These requirements are distinct from existing requirements to monitor suspicious transactions.^[4]

Supplement #1-2024 will require RDFIs to establish and implement risk-based processes and procedures reasonably intended to identify credit ACH entries initiated due to fraud. As with the other entities, RDFIs will need to review at least annually their processes and procedures and make any appropriate updates to address evolving risks.

The Fiscal Service proposes to adopt this rule change.^[5] Adoption of this change will maintain consistency with other ACH Network participants and may further reduce the incidence of fraud or other improper payments or collections.

(9) Standard Company Entry Descriptions—PAYROLL and PURCHASE

The Operating Rules & Guidelines contain standards to identify certain types of Company Entry Descriptions. This allows network participants to readily identify the type of ACH transaction. Supplement #1-2024 establishes two new Company Entry Descriptions, PAYROLL and PURCHASE. The PAYROLL description must be used for PPD ACH credits that are for the payment of wages, salaries, and other similar types of compensation. The PURCHASE description will be required for e-commerce purchases, which for the purpose of the Operating Rules & Guidelines will be defined as a debit entry authorized by a consumer Receiver for the online purchase of goods.

The new descriptions will enable identification of payroll and e-commerce transactions, which may assist in the identification and reduction of certain types of fraud, such as payroll redirections.

The Fiscal Service proposes to adopt this rule change. Adoption of this change will maintain consistency with other ACH Network participants and can help parties manage risk and improve ACH Network quality.

ii. Minor Updates to the Operating Rules & Guidelines

In addition, Nacha updated and clarified minor topics.^[6] These topics include:

• Revising the definition of a “WEB” entry and the general rules applying to such entries to clarify that this code must be used for all consumer-to-consumer credits, regardless of how the consumer communicates the payment instruction to the ODFI or the Person-to-Person service provider.
• Revising the definition of “Originator” to add a reference to the Originator's authority to credit or debit the Receiver's account. The change includes a notation to the definition that the rules do not always require a Receiver's authorization, such as with Reversing, Reclamation and Person-to-Person Entries.
• Revising the rules regarding Notifications of Change (NOCs) entries to provide Originators discretion on whether to make NOC changes for any single entry, regardless of SEC Code. Previously, the rules applied to single entries bearing certain SEC Codes (ARC, BOC, POP, RCK, TEL, WEB, and XCK), but were silent on single entries bearing other SEC Codes. This change aligned the Operating Rules & Guidelines with common practice, where Originators have treated NOCs for all one-time entries similarly.
• Revising the requirements regarding the protection of account numbers to clarify that once a covered party meets the volume threshold for protecting account numbers for the first time, this requirement remains in effect even if the covered party's future volume falls below the threshold.
• Aligning prenotification rules with current industry practice. The Operating Rules & Guidelines previously allowed Originators to transmit prenotification entries for account validation before initiation of the first credit or debit entry to the Receiver's account. The amendment removed language that limited prenote use to only prior to the first credit or debit entry.
• Replacing references to “subsequent entry” in the Operating Rules & Guidelines with synonymous terms (e.g., future, additional, another) to avoid any confusion with the new definition “Subsequent Entry” and remedy ambiguous references to the phrase “subsequent entry” that result from the other changes.

The Fiscal Service proposes to adopt these rule changes. These changes do not appear to make significant substantive changes. Therefore, adopting these changes will maintain consistency with other ACH Network participants, which can lead to more efficient operations.

(e) Entry of Federal Government Transactions Into the ACH Network

In addition to the above updates to the Operating Rules & Guidelines, the Fiscal Service proposes to eliminate a current exemption from the Operating Rules & Guidelines.

Currently, the definition of “Applicable ACH Rules” in part 210 exempts the federal government from “[t]he requirement in Appendix Three that the Effective Entry Date of a credit entry be no more than two Banking Days following the date of processing by the Originating ACH Operator.” ^[7]

This exemption has been used to allow the federal government to transmit ACH transactions outside of the Operating Rules & Guidelines' window. This has facilitated federal government disbursement operations.

However, Treasury believes that this exemption no longer provides material benefits to the government or the public. Removing this restriction would place the federal government on equal footing with industry, with regard to the timing of initiating ACH entries. It may also facilitate Treasury's cash management operations. Accordingly, the Fiscal Service proposes to eliminate current section 210.2(d)(4).

3. Section-by-Section Analysis

§ 210.2(a)

In order to incorporate in part 210 the Operating Rules & Guidelines changes as described above, we propose to replace references to the 2021 Operating Rules & Guidelines, including Supplement #1-2021, with references to the 2024 Operating Rules & Guidelines, as updated through Supplement #1-2024. In particular, we are proposing to amend the definition of “ACH Rules” at § 210.2(a) by replacing the reference to the “2021 Operating Rules and Guidelines, including Supplement #1-2021” with a reference to the ACH Rules as published in the 2024 Nacha Operating Rules & Guidelines, as updated through Supplement #1-2024.

§ 210.2(d)

We are proposing to remove paragraphs (d)(4) and (d)(8) from current section 210.2(d). The reasons for removing paragraph (d)(4) are described in section 2(e) above. The Fiscal Service proposes to remove paragraph (d)(8) because that paragraph ceased to be effective, by its terms, on March 19, 2022.

§§ 210.0 and 210.3(b)

To conform with current Office of the Federal Register structure and format requirements for incorporation by reference (IBR), we are proposing to remove the centralized IBR content currently in § 210.3(b) (reserving paragraph (b)) and add it as a new stand-alone section, § 210.0. We are also proposing to amend the IBR content in new § 210.0 by replacing the references to the 2021 Operating Rules & Guidelines and Supplement #1-2021 with references to Nacha's 2024 Operating Rules & Guidelines, including Supplement #1-2024.

4. Incorporation by Reference

In this proposal, the Fiscal Service is proposing to incorporate by reference the 2024 Operating Rules & Guidelines, including Supplement #1-2024, as amended through April 12, 2024. The Office of the Federal Register regulations require that agencies discuss in the preamble of a proposed rule ways that the materials the agency proposes to incorporate by reference are reasonably available to interested parties or how it worked to make those materials reasonably available to interested parties. In addition, the preamble of the proposed rule must summarize the material. 1 CFR 51.5(a). In accordance with those regulations, the discussion in sections 1 and 2 of this SUPPLEMENTARY INFORMATION describes the Nacha Operating Rules and summarizes the changes to them since the 2021 Operating Rules & Guidelines, including Supplement #1-2021, were incorporated by reference into part 210. Financial institutions utilizing the ACH Network are bound by the Operating Rules & Guidelines and have access to them in the course of their everyday business. The Operating Rules & Guidelines (including the supplements) are available as a bound book or in online form from Nacha—The Electronic Payments Association at: 2550 Wasser Terrace, Suite 400, Herndon, Virginia 20171; phone: 703-561-1100; email: info@nacha.org.

5. Procedural Analysis

Request for Comment on Plain Language

Executive Order 12866 requires each agency in the Executive branch to write regulations that are simple and easy to understand. We invite comment on how to make the proposed rule clearer. For example, you may wish to discuss: (1) whether we have organized the material to suit your needs; (2) whether the requirements of the rule are clear; or (3) whether there is something else we could do to make the rule easier to understand.

Regulatory Planning and Review

The proposed rule does not meet the criteria for a “significant regulatory action” as defined in Executive Order 12866, as amended. Therefore, the regulatory review procedures contained therein do not apply.

Regulatory Flexibility Act Analysis

It is hereby certified that the proposed rule will not have a significant economic impact on a substantial number of small entities. The proposed rule imposes on the federal Government a number of changes that Nacha has already adopted and imposed on private-sector entities that use the ACH Network. The proposed rule does not impose any additional burdens, costs, or impacts on any private-sector entities, including any small entities. Accordingly, a regulatory flexibility analysis under the Regulatory Flexibility Act (5 U.S.C. 601 et seq.) is not required.

Unfunded Mandates Act of 1995

Section 202 of the Unfunded Mandates Reform Act of 1995, 2 U.S.C. 1532 (Unfunded Mandates Act), requires that an agency prepare a budgetary impact statement before promulgating any rule likely to result in a Federal mandate that may result in the expenditure by state, local, and Tribal governments, in the aggregate, or by the private sector, of $100 million or more in any one year. If a budgetary impact statement is required, section 205 of the Unfunded Mandates Act also requires the agency to identify and consider a reasonable number of regulatory alternatives before promulgating the rule. We have determined that the proposed rule will not result in expenditures by state, local, and Tribal governments, in the aggregate, or by the private sector, of $100 million or more in any one year. Accordingly, we have not prepared a budgetary impact statement or specifically addressed any regulatory alternatives.

For the reasons set out above, the Fiscal Service proposes to amend 31 CFR part 210 as follows:

1. The authority citation for part 210 continues to read as follows:

Authority: 5 U.S.C. 5525; 12 U.S.C. 391; 31 U.S.C. 321, 3301, 3302, 3321, 3332, 3335, and 3720.

2. Add § 210.0 to read as follows:

3. In § 210.2:

a. Revise paragraph (a);

b. Remove paragraphs (d)(4) and (d)(8); and

c. Redesignate paragraphs (d)(5) through (7) as paragraphs (d)(4) through (6).

The revisions read as follows:

4. In § 210.3, remove and reserve paragraph (b).