New NACHA Requirements for WEB Debit Entries
In November 2018, Nacha (formerly known as the National Clearing House Association) amended its rules concerning fraud prevention requirements for electronically authorized debits to consumer deposit accounts. Such automated clearing house (“ACH”) payments are given the standard entry class (SEC) code “WEB” and are known under the Nacha Operating Rules as “WEB Debit Entries.”
Prior to adoption of the WEB Debit Rule, the Nacha Operating Rules required Originators of WEB Debit Entries (i.e., the payees who initiate such payments with the consumer’s authorization) to establish and implement commercially reasonable (A) fraudulent transaction detection systems to screen WEB Debit Entries; (B) methods of authentication to verify the identity of the Receiver (the depositor of the consumer deposit account that will be debited) of a WEB Debit Entry; and (C) procedures to verify that the routing number used in the WEB Debit Entry is valid.
The WEB Debit Rule amended this rule to explicitly identify account validation as a required part of an Originator’s “commercially reasonable fraudulent transaction detection system.” While the Nacha Operating Rules do not define “validate,” additional guidance posted to Nacha’s website clarifies the meaning of “validate”:
At a minimum, the Originator must use a commercially reasonable means to determine that the account number to be used for the WEB debit is for a valid account—that is, that the account to be used is a legitimate, open account to which ACH entries may be posted at the [consumer’s bank].
The rule change does not require Originators to validate that the consumer who authorizes the payment is the owner or an authorized user of the account.
The WEB Debit FAQs provide the following examples of methods one could use to satisfy the validation requirement:
- ACH micro-transaction verification—This validation process typically involves two steps: The payee makes a small deposit into the consumer’s account, and the consumer confirms the amount deposited.
- Prenotification Entry—Prenotification entries are non-monetary ACH entries. The payee sends a prenotification entry through the ACH network to verify that the account is valid. If the account is not valid or is not set up to receive WEB Debit ACH entries, the consumer’s bank will respond with that information.
- Commercially available account validation database service—This validation method compares the account and routing number information provided by the consumer to a database of previously validated accounts.
- Account validation APIs—This validation method uses an application program interface (“API”) and a secure digital connection to the consumer’s bank to retrieve the account and routing numbers from the consumer’s online banking interface.
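The sketch below is an added illustration, not Nacha's or any vendor's code. It shows how an Originator's system might gate the first use of a new account number on the micro-transaction method, after a routing number check using the standard ABA check-digit formula. The class and method names, the 1 to 99 cent range, the three-attempt lockout and the sample numbers are all assumptions, and the ACH credit itself is not shown.

```python
import hmac
import secrets

MAX_ATTEMPTS = 3  # assumption: the lockout threshold is the Originator's policy choice


def routing_number_valid(rtn: str) -> bool:
    """ABA check digit: the 3-7-1 weighted digit sum must be divisible by 10."""
    if len(rtn) != 9 or not rtn.isdigit():
        return False
    weights = (3, 7, 1) * 3
    return sum(int(d) * w for d, w in zip(rtn, weights)) % 10 == 0


class MicroDepositValidator:
    """Hypothetical per-account state for first-use validation of WEB debits."""

    def __init__(self):
        self._pending = {}       # (routing, account) -> [amount_cents, failed_attempts]
        self._validated = set()  # accounts that passed validation

    def start(self, rtn: str, account: str) -> int:
        """Step 1: pick the amount the payee will deposit into the account."""
        if not routing_number_valid(rtn):
            raise ValueError("routing number fails the ABA check digit")
        amount = secrets.randbelow(99) + 1  # 1..99 cents, from a CSPRNG
        self._pending[(rtn, account)] = [amount, 0]
        return amount  # passed to the ACH credit origination step (not shown)

    def confirm(self, rtn: str, account: str, claimed_cents: int) -> bool:
        """Step 2: the consumer reports the amount; guesses are rate-limited."""
        entry = self._pending.get((rtn, account))
        if entry is None or entry[1] >= MAX_ATTEMPTS:
            return False  # nothing pending, or locked out after repeated misses
        if hmac.compare_digest(str(entry[0]), str(claimed_cents)):
            del self._pending[(rtn, account)]
            self._validated.add((rtn, account))
            return True
        entry[1] += 1
        return False

    def may_originate_web_debit(self, rtn: str, account: str) -> bool:
        """Gate: allow a WEB debit only for an account that has been validated."""
        return (rtn, account) in self._validated
```

The attempt limit matters because a single deposit under one dollar has at most 99 possible values, so unlimited guessing would defeat the confirmation step.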
The account validation rule was originally scheduled to become effective on January 1, 2020, but Nacha postponed the effective date until March 19, 2021. The WEB Debit FAQs state that “[a]s of the effective date, originating WEB debit entries with first use of new account numbers would not be in compliance with the Rule if the fraudulent transaction detection system does not include an account validation component.” However, Nacha issued additional guidance which states that due to the impact of COVID-19 on organizations’ staffing and resources, “Nacha will not enforce this rule for an additional year from the effective date with respect to covered entities that are working in good faith toward compliance, but that require additional time to implement solutions.”
CFPB Consent Orders and Enforcement Actions
In March 2021, the CFPB filed a complaint in the U.S. District Court for the Northern District of Illinois against BrightSpeed Solutions, Inc. and its former CEO Kevin Howard. The complaint alleged that BrightSpeed acted as a third-party payment processor for certain “high-risk” telemarketing businesses, and processed remotely created checks for such businesses. The FTC’s Telemarketing Sales Rule prohibits telemarketers from creating remotely created payment orders, including remotely created checks, and prohibits any person from providing substantial assistance or support to any telemarketer when that person “knows or consciously avoids knowing” that the telemarketer is engaged in any act or practice that violates that prohibition. The complaint alleged that BrightSpeed and Howard violated the Telemarketing Sales Rule and, by doing so, committed unfair acts and practices in violation of section 1031 of the Consumer Financial Protection Act (“CFPA”). While the defendants negotiated a settlement in principle with the CFPB in June 2021, they could not raise the funds necessary to implement it, so the matter remains pending as of this writing.
Omni Financial of Nevada
In December 2020, Omni Financial of Nevada, Inc. entered into an administrative consent order with the CFPB regarding installment loan repayment practices. The CFPB found that Omni violated the Military Lending Act by requiring repayment of loans to members of the military by military allotment. The CFPB also found that Omni violated the Electronic Fund Transfer Act’s (“EFTA”) prohibition against requiring that consumers preauthorize electronic fund transfers as a condition of receiving credit. The CFPB further found that the violations of the EFTA constituted violations of the CFPA. The consent order required Omni to pay a $2.175 million civil money penalty and imposed injunctive relief to stop ongoing violations and prevent future violations.
Discover Bank, The Student Loan Corporation, and Discover Products, Inc.
On December 22, 2020, Discover Bank, The Student Loan Corporation, and Discover Products, Inc. entered into an administrative consent order with the CFPB concerning student loan servicing practices. Among many other violations of law not addressed here, the CFPB found that the respondents withdrew automatic payments on student loans without proper authorization by withdrawing higher amounts than specified in billing statements, not providing advance notice to consumers of the amount to be withdrawn, and withdrawing the same payments twice. In addition, the CFPB found that the respondents cancelled or failed to withdraw automatic payments without notice to consumers. The CFPB found these practices to be unfair acts and practices in violation of the CFPA and violations of the EFTA and Regulation E. The CFPB also found that the EFTA violations constituted a violation of section 1036(a)(1)(A) of the CFPA.
The consent order requires the respondents to pay at least $10 million in consumer redress and a $25 million civil money penalty and contains requirements to prevent future violations.
Envios de Valores La Nacional
On December 21, 2020, Envios de Valores La Nacional Corp. (“La Nacional”) entered into an administrative consent order with the CFPB. The CFPB found that La Nacional violated the EFTA and the CFPB’s Remittance Transfer Rule by failing to properly honor cancellation requests, failing to develop and maintain required policies and procedures for error resolution, failing to investigate and make error determinations, failing to provide consumers with written reports of its investigation findings, failing to refund certain fees and taxes, failing to treat international bill pay services as remittance transfers, failing to disclose the appropriate currency on prepayment disclosures and receipts, failing to use the term “transfer fees” or a substantially similar term in certain disclosures, and issuing receipts that failed to disclose the date on which remittance transfers would be available for pick-up.
The consent order requires La Nacional to adopt a compliance plan to ensure that its remittance transfer acts and practices comply with all applicable federal consumer financial laws and the consent order. The order also requires La Nacional to pay a civil money penalty of $750,000.
FTC Consent Orders and Enforcement Actions
As discussed in a previous Annual Survey, the FTC filed suit against LendingClub Corporation in April 2018 for, among other things, initiating unauthorized ACH payments. In July 2021, LendingClub entered into a consent order with the FTC to resolve all matters in the action. Under the consent order, LendingClub has agreed to pay $18 million as equitable monetary relief.