The New NACHA Rules and Regulation E:
 How Will They Affect Your ISO Business?

by Bill Wade

The Independent Sales Organization (ISO) is vital to the success of e-commerce. Merchants and Financial Institutions both look to the ISO to explore and tame the new technologies and services that shape the new global economy. E-commerce presents the ISO with many new electronic payment selling opportunities - the virtual terminal, the payment gateway, increased fraud prevention services, electronic checks, electronic benefits transfer (EBT) and automated clearinghouse (ACH) fund transfers, just to name a few. These opportunities also may present some confusion or inconsistency of standards and service quality. To mitigate the chaos, the operating rules and business practices for electronic payments and the ACH Network are developed, managed and disseminated by the National Automated Clearinghouse Association (NACHA).

Effective March 16, 2001, NACHA released new rules surrounding the creation of the WEB entry code that will affect ISOs currently selling (or looking to sell) e-commerce products and services. While ISOs should familiarize themselves with the complete index of NACHA guidelines, this article focuses on the capabilities required by Internet solutions (i.e. virtual terminal, payment gateway) that provide e-commerce services (i.e. virtual checks, ACH transfers) in conjunction with the Federal Reserve and ACH Network. The mandatory compliance date is January 1, 2002.

What is a WEB Entry?

The Internet Initiated Entry code (WEB) applies to transactions where authorization is acquired via the Internet. Three factors make WEB entry transactions unique; an increased level of anonymity, an open network platform and high volume/velocity rates. WEB entries are subject to the NACHA Operating Rules, the Electronic Fund Transfer Act (EFTA) and Regulation E.

Who Are the Players?

Probably the most confusing aspect of the regulations is identifying the entities involved in the ACH Web transaction process and their responsibilities. Figure 1 depicts the flow of the Web entry and the subsequent return flow of funds. Once the terms originator, ODFI (originating depository financial institution), RDFI (receiving depository financial institution) and receiver are replaced with terms familiar to the ISO, it becomes easy to understand.

What About the ISO?

Although the originator, in this case the merchant (using a website or virtual terminal), is ultimately responsible for the transactions initiated, the ISO must ensure that the EFT product he/she is selling enables the merchant to fulfill his/ her obligations under NACHA, EFTA and Reg. E. Otherwise the ISO won't sell many accounts once the word is out that their solution gets merchants into trouble with the Federal Reserve. ISOs must also manage and update the contract documentation between merchants and the merchant underwriting bank to include WEB transaction rules. Listed below are the major areas affected by the new rules.

Multiple Payment Types. Both one-time (single-entry) payments and recurring payments can be designated as WEB entries. In order to manage risk most effectively, the EFT solution should monitor and track one-time and recurring transactions separately.

Security Requirements. WEB transactions must be transmitted using 128 bit (at minimum) SSL encryption technology and a secure encrypted session must begin when the consumer enters their financial information and continues through the transmission of data to the originator. Including a timeout feature for each Internet session can enhance security.

Authorization Procedure. The ACH authorization must 1) be signed or similarly authenticated by the consumer (see "The Most Difficult New Rule"), 2) be easily identifiable as an ACH debit authorization, 3) clearly state its terms and 4) (for recurring payments only) provide the consumer with a method to revoke their authorization (at least 3 days before scheduled settlement). It is also a good idea to prompt the consumer to print and retain a copy of the authorization.

Risk Management. Fraud detection systems must be used for all transactions and must:

   Authenticate the identity of the receiver (consumer),
   Minimize the potential for fraudulent transactions and
   Verify the validity of routing numbers (using an internal or external database, manual intervention or automated system).

Legal Status. WEB transactions can only be authorized by the consumer - never by a third-party service provider on behalf of the consumer.

Merchant Shipping Bonus. Unlike credit cards, merchants can delay the shipment of goods until after the settlement date of a web entry, thereby preventing potential losses.

Annual Audit. Each originator must complete a yearly audit (by December 31, 2001) to ensure that consumers' financial information is protected. The audit must evaluate physical security, personnel access and controls and network security.

Obviously, the ISO solution that allows merchants to fulfill these obligations easily and completely will enjoy the most successful sales penetration.

Can ACH Debits be Returned?

Of primary interest to the ISO is the WEB entry return process (the equivalent of chargebacks in the credit card world). ISOs should monitor the web entry return rate for each merchant processing WEB transactions.

For one-time WEB entries, consumers are allowed to stop payment at their financial institution. While the consumer cannot revoke a one-time authorization, he retains the right to:
   Request that his bank (RDFI) stop payment
   Request that his bank (RDFI) return an unauthorized WEB entry
   Ask the merchant to return an unauthorized WEB entry
   Request that his bank (RDFI) revoke the authorization of a recurring transaction
   Claim a WEB transaction is unauthorized within a 60-day window (from the settlement date of the original WEB entry). The consumer must submit a signed affidavit to their bank (RDFI) to claim an unauthorized WEB entry.

To stop payment on recurring WEB entries, the consumer must stop the payment at least three days prior to the scheduled settlement date.

What are the Effects of Non-Compliance?

Although the level of ISO risk and liability due to fraudulent transactions is dependent upon the relationship with their sponsoring bank, all ISOs can benefit from employing a secure and reliable payment gateway and virtual terminal system for authorizing and managing payment transactions over the Internet. Look for products designed to protect the acquirer (as well as the merchant) through extensive fraud and risk prevention. In addition to monetary losses through fraud, the ISO selling products not compliant with the new rules may:

   Be terminated by their sponsoring bank,
   Face fines of up to $1000 for rules violations and
   Lose merchant business to competitors.

The Most Difficult New Rule

By January 1, 2002, electronic payment systems for non-recurring Web transactions must be able to authenticate the consumer. This is not an easy task. Network 1 has invested tremendous product development resources to ensure compliance to this federal regulation. Authenticating a consumer requires obtaining unique information known only by the consumer (such as social security number, date of birth or mother's maiden name) and verifying that information against a national database (such as Equifax, TRW or TeleCheck).

Further reading: Understanding Internet-Initiated ACH Debits from NACHA at

Bill Wade, President and CEO, early identified the potential of alternate payment processes and created the Electronic Funds Transfer (EFT) family of payment processing products: EFTBankcard, EFTSecure, EFTVirtualCheck, EFTWebStore, EFTCash and EFTCheque. You may contact Bill at 703. 848.2980.

back to articles