2015 ACH Rule Changes for Greater Milwaukee APA Presented by PAR/WACHA-The Premier Payments Resource Luann Kohlmann, AAP, NCP Vice President 262-345-1245 or 800-453-1843 www.wacha.org info@wacha.org .

Disclaimer WACHA, through its Direct Membership in NACHA, is a specially recognized and licensed provider of ACH education, publications and support. Regional Payments Associations are directly engaged in the NACHA rulemaking process and Accredited ACH Professional (AAP) program. NACHA owns the copyright for the NACHA Operating Rules & Guidelines. The Accredited ACH Professional (AAP) is a service mark of NACHA. This material is derived from collaborative work product developed by NACHA ─ The Electronic Payments Association and its member Regional Payments Associations, and is not intended to provide any warranties or legal advice, and is intended for educational purposes only. This material is not intended to provide any warranties or legal advice, and is intended for educational purposes only. This document could include technical inaccuracies or typographical errors and individual users are responsible for verifying any information contained herein. No part of this material may be used without the prior written permission of WACHA/PAR © PAR/WACHA All rights reserved As always, we start with our disclaimer which states that this presentation is for educational purposes only and does not provide any warranties or legal advice.

WACHA The Premier Payments Resource Wisconsin Automated Clearing House Association Not for Profit Trade Association Membership Driven (FIs and Corporations) Specialize in training and education for electronic payments 14 similar associations in US Help Desk Compliance arm called Payments Advisory Resource (PAR) Covers Audit and Compliance For membership info contact us at info@wacha.org or go to our website.

Level Setting How many of you use Direct Deposit? Do you mandate Direct Deposit? How many of you use ACH for Payroll Taxes? How many companies use Direct Payment for bill payments? Promote 1-2 times per year. Promote financial goals by putting $$ into savings Save over 3 days per years by not going to the bank

Direct Deposit http://www.electronicpayments.org Typically, it costs more to process a paper check than a Direct Deposit transaction. Usually between $2.87-$3.15 per payments Find out how much you could save using the Direct Deposit Calculator

ACH Transaction Flow ORIGINATOR RECEIVER ODFI ACH RDFI OPERATOR 2/25/2019 ORIGINATOR RECEIVER ODFI ACH OPERATOR Here is the basic flow of an ACH entry. The Receiver and the Originator establish a relationship through an authorization. The Originator creates an ACH entry and forwards it to the Originating Depository Financial Institution (ODFI), who they have an agreement with. The ODFI sends the transactions to the ACH Operator who sorts the entries by routing & transit number and sends them on to the Receiving Depository Financial Institution (RDFI) who posts the transactions to the Receiver’s account. The RDFI gives the account holder a periodic statement where he sees the ACH entry posted. Whether the entry is a debit or a credit, the ACH transaction flows in the same direction. RDFI Copyright WACHA; All Rights Reserved

Prearranged Payment and Deposit (PPD) 2/25/2019 Prearranged Payment and Deposit (PPD) Consumer entry Debit or Credit Single or Recurring Most commonly used for Direct Deposit or Direct Payment We will start out our study of SEC codes with the one most commonly used, Prearranged Payment and Deposit or PPD entry. A PPD can be used for both credit and debit entries to consumer accounts. They can be single or recurring entries, and are most commonly used for direct deposit or direct payments. Copyright WACHA; All Rights Reserved

Corporate Credit or Debit (CCD) 2/25/2019 Corporate Credit or Debit (CCD) Used when Originator & Receiver are both companies Debit or Credit Single or Recurring A Corporate Credit or Debit or CCD entry is used when the Originator and the Receiver are both companies. A CCD can be either a debit or credit entry and can be a single or recurring entry. An example of a CCD debit entry is, ABC Bank buys the Originating Depository Financial Institution training module from WACHA and pays them via the ACH system. Copyright WACHA; All Rights Reserved

Corporate Trade Exchange (CTX) 2/25/2019 Corporate Trade Exchange (CTX) Used when Originator & Receiver are both companies Debit or Credit Single or Recurring 9999 Addenda records An entry very similar to a CCD entry is the Corporate Trade Exchange or CTX entry. The only difference between a CCD and a CTX entry is that a CTX entry can contain many more addenda records which will be explained on the next slide. Copyright WACHA; All Rights Reserved

Addenda Records Extra information about the entry 2/25/2019 Addenda Records Extra information about the entry CTX may contain 9,999 addenda records Upon request from the Receiver, payment related info from Addenda records must be provided by the open of business on the second banking day following settlement An Addenda Record is extra information about the payment which travels with the entry. An example of an addenda record would be invoice information which the receiver would need to post the entry correctly to his accounts receivables or a government entry for a representative payee, where the addenda record contains the name of the beneficiary who may not be on the account, such as a minor. A PPD and a CCD entry can have one addenda record but a CTX entry can have up to 9,999. That is, 9,999 lines of information about the entry. Upon the request of the Receiver, the RDFI must provide all payment related information contained within the addenda records transmitted with CCD, CIE and CTX entries. The RDFI must supply this information by the opening of business on the second banking following settlement of the entry. It is therefore very important to know where to find addenda information in case it would be requested. Copyright WACHA; All Rights Reserved

Authorizations Give a copy Reversal clause DFI request for proof Retention 2 years after final payroll settlement date

Did you know? You can reclaim benefits received after death (Reclamation) Can get extra information about entries you receive (Addenda records) You can send payroll outside of the US (IAT)

2014 Rule Changes

ACH Security Framework Effective September 20, 2013 for 2014 Audit Creates a Security Framework aimed at protecting the security and integrity of certain ACH data throughout its lifecycle The Security Framework establishes minimum data security obligations for ACH Network participants to protect ACH data within their purview Protected Information is defined as: – “the non-public personal information, including financial information, of a natural person used to create, or contained within, an Entry and any related Addenda Record”

ACH Security Framework Require non-consumer Originators, Participating DFIs, Third-Party Service Providers and Third-Party Senders to establish, implement and, as appropriate, update security policies, procedures, and systems related to the initiation, processing and storage of Entries Require each Participating DFI, Third-Party Service Provider, and Third-Party Sender to verify, as part of its annual ACH Rules Compliance Audit, that it has established, implemented, and updated the data security policies, procedures, and systems required by the Rule Require an ODFI to use a commercially reasonable method to establish the identity of each non-consumer Originator or Third-Party Sender with which the ODFI enters into an Origination Agreement SECTION 1.6 Security Requirements Each non-consumer Originator, Participating DFI, and Third-Party Service Provider must establish, implement, and update, as appropriate, policies, procedures, and systems with respect to the initiation, processing, and storage of Entries that are designed to: (a) protect the confidentiality and integrity of Protected Information until its destruction; (b) protect against anticipated threats or hazards to the security or integrity of Protected Information until its destruction; and (c) protect against unauthorized use of Protected Information that could result in substantial harm to a natural person. Such policies, procedures, and systems must include controls, that comply with applicable regulatory guidelines, on access to all systems used by such non-consumer Originator, Participating DFI, or Third-Party Service Provider to initiate, process, and store Entries.

ACH Security Framework-FAQ’s As an ODFI does my FI have to modify our Origination Agreements to address the Framework? As an ODFI, does my FI have to audit my Originator’s compliance with this rule? Is it possible that my we already meets the requirements of this rule? Yes. Your institution needs to asses whether it is in compliance with these responsibilities. Due to current regulatory requirements, it is likely that your institution is already in compliance with this Framework. ODFI’s should evaluate their agreements for this rule in the same manner as they evaluate any other rules changes that affect origination obligations. This is a business decision of the ODFI. The Rules do not establish specific oversight requirements for ODFI’s attempting to monitor and enforce the compliance with these provisions by their Originators, Third-Party Senders and other Third Party Service Providers. Instead, as with all other provisions of the Rules, there is a requirement that ODFI’s perform due diligence with respect to their Originators and Third-Party Senders that is sufficient to form a reasonable belief that the Originator or Third-Party Sender has the capacity to perform its obligations in conformance with the Rules. Such due diligence should be risk-based since the threats to the security of confidential ACH information vary depending on the circumstances under which such information may be gathered and used. For example, the risks posed by a small business Originator that uses ACH principally to initiate ACH credits for its internal direct deposit of payroll are very different from the risks posed by an Originator that is an internet-based bill payment services provider handling payments for thousands of individuals. These risks may also shift over time with changing patterns of fraud and ACH usage. Similarly, although there is no requirement in the Rules that an ODFI audit their Originators’ compliance with the Rules, the Rules provide ODFI’s with the express right to perform such an audit if warranted. Thus, the Rules leave to each ODFI the flexibility to determine the best approach to oversight of the parties for which it provides access to the ACH network. While this rule applies directly to the protection of Consumer information, an ACH participant may choose to cover business information as well. Many financial institutions already have established business practices that address the security of all customer information in a consistent manner.

Prenotification Timing Requirements Effective September 19, 2014 Reduce current six banking-day waiting period for initiating “live Entries” Allows an Originator to initiate Entries to the Receiver’s account as soon as the third Banking Day following the settlement date of the Prenotification Entry, provided that the ODFI has not received a return or Notification of Change related to the Prenotification Concern: the lack of a defined communication method and time frame between ODFI and Originator to indicate “all clear” as the primary barrier to adoption

2015 Rule Changes January 1, 2015 March 20, 2015 September 18, 2015

Reversals In case of error a “Reversal” file or entry can be sent Reversal is not guaranteed! NACHA is working on an initiative to tie the reversal to the original entry

Dishonored/Contested Reversal Issue Effective March 20, 2015 Provides an Originator/ODFI with an additional mechanism to resolve situations in which the use of the reversal process has resulted in an unintended credit to the Receiver Establishes the right of an ODFI to dishonor the Return Entry of either debit by using a new Return Reason Code R62, provided that the associated credit Entry was not also returned by the RDFI This was passed last year but didn’t go into effect until 2015 because of programming change requirements An unintended credit to the Receiver may be caused by either of the following conditions: A debit Erroneous Entry and a subsequent credit Reversing Entry are both transmitted to the Receiver’s account. The erroneous debit is returned, but the reversing credit is posted and made available to the Receiver. – A credit Erroneous Entry and a subsequent debit Reversing Entry are both transmitted to the Receiver’s account. The erroneous credit is posted and made available to the Receiver, but the reversing debit is returned.

Dishonored/Contested Reversal Issue • Also establishes the right of an RDFI to contest this type of dishonored Return, using new Return Reason Code R77, if either of the following conditions exists: – the RDFI returned both the Erroneous Entry and the related Reversal; or – the RDFI is unable to recover the funds from the Receiver

Unauthorized Return Rate Thresholds Effective Date: September 18, 2015 Reduce the existing Return Rate threshold for unauthorized debits from 1.0% to 0.5% R05, R07, R10, R29 & R51 Establishes a preliminary inquiry process to evaluate and research outlier cases in which an Originator’s administrative returns exceed 3% return rate level R02, R03, R04 Establishes a preliminary inquiry process to evaluate and research outlier cases in which an Originator’s overall returns exceed 15% return rate level excludes RCK Why?? Demonstrate effective self-regulation via private-sector rulemaking Deter governmental rulemaking that might impact and impose costs on RDFIs and the ACH Network Respond to abuses of the ACH Network Keep ACH value proposition in balance for RDFIs Address major RDFI pain points Reduce exceptions Reduce and partially compensate for costs caused by exceptions Virtually no additional work required by RDFIs Improve ACH Network Quality Establish economic incentives for all ODFIs and Originators to improve quality Provide partial cost-recovery to RDFIs for exception handling Each proposal should be seen as part of a process of continuous improvement There is no single solution for risk and quality Bullet 1: .05% is still 16% higher than the average return rate…….does not change the rules enforcement process and will trigger a rules violation if not handled properly by the ODFI…..make sure you change the tools you use to monitor your return activity. Bullet 2: 3% is well above the average by 9% Bullet 3: the average overall return rate is 1.42% so this is meant to catch problematic origination practices RCK –because it is a re-presentment of check that was returned in the first place, it makes establishing a valid return rate impractical. A return rate above the stated return rate level would not automatically be considered a Rules violation resulting in enforcement – Rather, a return rate above the level can be considered a starting point for a review of the Originator’s or Third-Party Sender’s origination activity to determine if a reduction is warranted The rate will be figured much as they have in the past depending the number of entries on a daily or monthly basis. They are not looking at 2 entries originated and one being returned= 50% return rate….

Unauthorized Entry Fee Effective for returns with a settlement date of October 3, 2016 (ODFIs could be assessed fees for returns related to forward entries originated as early as August 2, 2016 ) Define and establish a methodology for a fee paid by the ODFI to the RDFI for returns for unauthorized debits (R05, R07, R10, R29, R51) Fee amount will be less than RDFIs’ weighted average cost to handle unauthorized entries, while not unduly impacting use of the ACH Network Fee not yet determined Best currently available data supports a fee in the range of $3.50 - $5.50 per return Additional data on RDFI cost will continue to be gathered to validate fee amount Re-evaluate every three years Fees will be collected and distributed by the ACH Operators via monthly statements NACHA is not a beneficiary of the fees; the entire fee will be passed to the RDFI IAT Excluded The Rule is intended to improve quality by providing an incentive for every ODFI and their Originators to minimize unauthorized transactions ODFI agrees to pay Quality Fees to the RDFI: Incentives would be paid by the ODFI and passed through to the RDFI to help offset the cost for exception processing and customer service Effective Date: This Rule will become effective beginning with applicable return entries that have a Settlement Date of October 3, 2016 (a Monday, and the first banking day of the quarter). • ODFIs in particular should note that fees applied to return entries as of October 3, 2016 could relate to forward entries initiated as early as August 1, 2016 ---60 day right of return Discuss only if asked: RDFI would only have to account for 1 credit on a monthly basis ODFI Line item on on Fed Statement—not broke down

Re-initiation Effective September 18, 2015 Define and establish standards for reinitiated entries Require reinitiated entries to have same Company Name, Company ID and Amount as original entry Content in other fields can be modified only to the extent necessary to correct an error or facilitate processing of an Entry. Standard use of Company Entry Description “RETRY PYMT” Identify practices that constitute improper re-initiation Give ACH Rules Enforcement Panel authority to determine whether a practice was improper re-initiation Improper reinitiated Entries can be returned as Unauthorized (R10) 4th bullet: Clarifies that a debit Entry in a series of preauthorized recurring debit Entries will not be treated as a reinitiated Entry, even if a subsequent debit Entry follows a returned debit Entry, as long as the subsequent Entry is not contingent upon whether an earlier debit Entry in the series has been returned • States that a debit Entry will not be considered a reinitiation if the Originator obtains a new authorization for the debit Entry after the receipt of the Return. The timing requirement is important, however, since Originators will not be permitted to obtain advance approval to debit an account in a manner that would otherwise violate the Reinitiation Rule

What does the future hold?

Same Day ACH Phased Implementation Concept 1 2 3 ACH Credits and Debits AM & PM Transmissions Mid-day & 5 PM ET Settlement Faster Funds Availability ACH Credits and Debits AM & PM Transmissions 5 PM ET Settlement ACH Credits AM & PM Transmissions 5 PM ET Settlement “A phased implementation enables us to introduce new capabilities more quickly, and then continue to build over time, creating value for all participants at each step along the way.” NACHA Rules initiative to enable a premium ACH processing and settlement window Faster and more flexible settlement ACH Network-wide solution All endpoints participating Same-day processing and settlement, not “real-time” As currently outlined, a first implementation phase would provide a foundation to better enable same-day ACH credits to support important use cases such as payroll, person-to-person (P2P) payments and expedited billpay. A second phase would introduce same-day ACH debits and enable a wide variety of consumer bill payment use cases like utility, mortgage, loan and credit card payments. A third phase would improve the service level across the ACH Network and reduce counter-party risk by adding a second same-day settlement and accelerating funds availability. Builds functionality over time, adding value to end-users with each step

QUESTIONS Please fill out your Evaluations

Resources PAR/WACHA- The Premier Payments Resource HELP DESK Phone: 262-345-1245 Toll Free: 800-453-1843 Fax: 262-345-1246 info@wacha.org