CUNA Regulatory Comment Call


March 14, 2003

Proposed Warranties for Third-Party Service Providers
(NOT A MAJOR RULE)

EXECUTIVE SUMMARY

NACHA-The Electronic Payments Association has issued a request for comments to make third-party service providers and their Originators (entities that originate automated clearing house payments, usually merchants) more accountable under NACHA Operating Rules. Comments on the proposal are due by April 1, 2003. A NACHA working group proposes that the requirements regarding the use of these “Third–Party Service Providers” be expanded in the following way:

Please feel free to fax your responses to CUNA at 202-638-7052; e-mail them to Associate General Counsel Mary Dunn at mdunn@cuna.com and to Assistant General Counsel Michelle Profit at mprofit@cuna.com; or mail them to Mary and Michelle in c/o CUNA’s Regulatory Advocacy Department, 601 Pennsylvania Avenue, NW, South Building, Suite 600, Washington, D.C. 20004-2601. You may also click here for a copy of NACHA’s request for comments at http://www.nacha.org/ACH_Rules/ach_rules.htm

NACHA asks that credit unions complete a survey to provide comments on this rule change. If you would like to respond directly to NACHA and copy CUNA you may do so by using their survey form at http://www.nacha.org/ACH_Rules/ach_rules.htm

Comments sent directly to NACHA should be sent to William Colbert, Network Services Manager, NACHA, 13665 Dulles Technology Drive, Suite #300, Herndon, VA 20171, fax: (703) 787-0996 or email: wcolbert@nacha.org, no later than Tuesday, April 1, 2003. Please provide CUNA a copy by sending your comments to Michelle Profit at mprofit@cuna.com.

BACKGROUND

These rules are meant to address situations in which the Originator does not have a direct agreement with the ODFI. Traditionally, the Originator has an agreement with the ODFI that sends the automated clearing house (ACH) item to an ACH Operator that sends it to another Operator, that in turn sends it to the receiving depository financial institution (RDFI) that gives it to the consumer. However, it has become a common practice that some Originators do not have agreements directly with the ODFI. Instead, a Third -arty Service Provider serves as the connection between the Originator and the ODFI. . As such, the Third-Party Service Provider also has an agreement with an Originator to deliver the Originator’s entries to the ODFI; however, there is no direct agreement between the ODFI and the Originator. The figure below illustrates the case, where there may be no agreement between the ODFI and the Originator because there is a third-party intermediary.

Although both electronic and paper-based payment systems rely extensively on the use of Third-Party Service Providers to process transactions, the statutory laws and agreements that implement these systems, including the NACHA Operating Rules, place responsibility for these transactions on the ODFIs and Originators.

The scenario where the Originator and ODFI do not have an agreement that binds the Originator to the NACHA Operating Rules (Rules) is inconsistent with the current requirements of the Rules. This arrangement may expose the ODFI to additional credit risk, since these entries settle through an account of a Third-Party Service Provider and the ODFI may not have a direct claim against the Originator for the amount of entries.

The NACHA Rules Work Group considered two options to address the use of Third–Party Service Providers with respect to ACH processing. The first option was to actively enforce current rules, which require that an agreement be entered into between an ODFI and the Originator. The second option, which is the basis of the current proposal is to amend the Rules to require either (1) a contractual agreement between each Originator and the ODFI under which the Originator agrees to be bound by the NACHA Operating Rules, or (2) a contractual agreement between each Originator and each Third-Party Service Provider acting as a Third-Party Sender under which both parties agree to be bound by the NACHA Operating Rules. The term “Third-Party Sender” will be defined within the Rules to identify an entity that is not the Originator but that has authorized an ODFI or another Third-Party Sender to transmit credit or debit entries on behalf of the Originator. These changes also imply the need for a contractual agreement between the ODFI and any Third-Party Service Provider with which the ODFI has a direct relationship.

In order to accomplish that result, the following changes to the NACHA Operating Rules will be made. The term “Third-Party Sender” will be defined to identify an entity that is not the Originator but that has authorized an ODFI or another Third-Party Sender to transmit credit or debit entries on behalf of the Originator. Third-Party Service Providers, in the role of Third-Party Senders, will be specifically bound to the NACHA Operating Rules, as follows:

  1. When an Originator does not have a contractual relationship with an ODFI but instead utilizes the services of a Third-Party Sender to authorize entries on the Originator’s behalf, the Originator and Third-Party Sender must enter into a contractual agreement under which the Originator and each Third-Party Sender agree to be bound by the NACHA Operating Rules.
  2. Each Third-Party Sender will be subject to the requirements of the NACHA Operating Rules, which specifically address the obligations, responsibilities, and liabilities of Third-Party Senders.
  3. Each Third-Party Sender will be obligated to retain records of all entries for six years from the date the entry was transmitted. The Third-Party Sender must be able to provide copies of such information on request.
  4. An ODFI must (1) establish an exposure limit for each Third-Party Sender from which it receives entries, (2) implement procedures to review that exposure limit periodically, (3) implement procedures to monitor entries initiated by that Third-Party Sender, relative to its exposure limit, across multiple settlement dates, and (4) implement procedures to monitor the payments system risk associated with certain entries.
  5. An ODFI’s warranties regarding revocation of authorization will be expanded. They will require ODFIs to warrant that, when a Third-Party Sender is involved in the processing of an ACH entry, the agreement between and Originator and the Third-Party Sender has not been terminated. Also, the ODFI will warrant that with regard to Third-Party Senders that the Third-Party Sender has no knowledge of the revocation of the Receiver’s authorization or of the termination of the arrangement between the RDFI and the Receiver concerning the entry.
  6. The ODFI’s warranties with respect to exposure limits for WEB entries will be expanded. They will require ODFIs to warrant that Third-Party Senders utilize commercially reasonable methods to establish the identity of Originators and establish procedures to continually monitor the creditworthiness of any Originator or Third-Party Sender from which it receives WEB entries. In addition, they will require ODFIs to warrant that Third-Party Senders establish exposure limits for each Originator or Third-Party Sender from whom it receives WEB entries and implement procedures to review exposure limits for Web entries period. Finally, ODFI will warrant that Third- Party Senders implement procedures to monitor entries initiated by Originators or Third-Party Senders relative to their exposure limits across multiple settlement dates.
  7. Originators and Third-Party Senders that utilize the services of Third-Party Senders to authorize an ODFI to transmit entries on behalf of an Originator will be required to guarantee payment to the ODFI for any credit entries originated and for any debit entries returned by the RDFI.
  8. Third-Party Senders transmitting entries to an ODFI must provide the ODFI with information to identify each Originator for which it processes. The information provided must meet the standards for customer identification as defined by Section 326 of the USA Patriot Act and must, at a minimum, include the Originator’s name, address, contact person, telephone number and taxpayer identification number.
  9. Each Third-Party Sender authorizing an ODFI to transmit credit or debit entries will assume the following specific warranties with respect to those entries: (1) the Originator has agreed to be bound by the NACHA Operating Rules and has satisfied all obligations of an Originator under the Rules. If the Originator fails to do so, the Third-Party Sender that authorizes the entries indemnifies any other Third-Party Sender, ODFI, RDFI, ACH Operator, and Association from any and all loss or liability, (2) each Third-Party Sender assumes all responsibilities, warranties, and liabilities of the ODFI with certain exceptions.
  10. The definition of “Originator” will be clarified to identify it as an entity that is distinctly different from a “Third-Party Sender.”
  11. Third-Party Senders will be obligated to perform an annual audit of ACH rules compliance.

QUESTIONS REGARDING THE PROPOSAL

  1. Does your credit union agree with the proposal that would expand the Originator authorization and agreement rules provision to require a contractual agreement between the Originator and Third-Party Sender that binds them to the NACHA Operating Rules when the Originator does not have a contractual relationship with the ODFI? Why or why not?












  2. Does your credit union agree with the expansion of the ODFI warranties to address entries initiated by Third-Party Sender?












    The expanded warranties will require the ODFI to establish exposure limits for each Third-Party Sender from which it directly receives entries; review those exposure limits periodically, and monitor entries initiated by that Third-Party Sender relative to its exposure limits across multiple settlement dates.












  3. Should the ODFI be required to establish such exposure limits for both the Third-Party Sender and the ultimate Originator?












    Furthermore, the ODFI will be required to warrant that the agreement between the Originator and Third-Party Sender has not been terminated, and that neither the Originator or Third-Party Sender has knowledge of the revocation of the Receiver’s authorization or of the termination of the arrangement between the RDFI and the Receiver concerning the entry. Does your credit union agree with the expansion of these warranties?












    In addition the ODFI will have to make certain warranties for Third-Party Senders with regard to WEB transactions. Specifically, they will warrant that, in the case of WEB entries, the Third-Party Sender has (1) utilized a commercially reasonable method to establish the identity of the Originator, (2) established procedures to monitor the credit worthiness of the Originator or any Third-Party Sender from which it receives entries, (3) established an exposure limit for the Originator or any such Third-Party Sender, (4) implemented procedures to review that exposure limit periodically, and (5) implemented procedures to monitor entries initiated by the Originator or any such Third-Party Sender relative to its exposure limit across multiple settlement dates. Does your credit union agree with the expansion of these warranties?












  4. Does your credit union agree with the proposed requirement that both the Originator and the Third-Party Sender guarantee payment to the ODFI for any credit entries orignated and any debit entries returned by the RDFI?












  5. Does your credit union believe that a Third-Party Sender having a direct relationship with an ODFI should be required to enter into a contractual agreement with that ODFI that binds the Third-Party Sender to the NACHA Operating Rules?












  6. Does your credit union agree that each Third-Party Sender that transmits entries to an ODFI must provide the ODFI with information to identify each Originator for which it transmits entries to the ODFI?












    At a minimum, the information provided to the ODFI about the Originator must include the Originator’s name, address, contact person, telephone number and taxpayer identification number. Do you agree with these pieces of information?












  7. The Third-Party Service provider, in its role as Third-Party Sender, takes on various obligations and responsibilities of an ODFI with respect to ACH processing. Does your credit union agree with the requirement that the Third-Party Sender should perform an annual audit of ACH compliance?












  8. Would this proposal be beneficial, detrimental or neutral for your credit union? Please explain.












  9. As general research, which is not part of this Request for Comment, NACHA requests information on the following. Direct access to the ACH Operator occurs when an ODFI gives a Third Party Service Provider or a company permission to transmit entries directly to the ACH Operator using the ODFI’s routing number. According to NACHA, direct access to the ACH Operator by Third-Party Service Providers has the potential to increase risk to the ACH network when ODFIs are not actively involved in monitoring and limiting transactions originated and settled using the ODFI’s routing number. Does your credit union believe that strict risk controls should be established to minimize risk related to direct access? Please specify specific practices and controls that could be employed to minimize risk exposure related to direct access:












  10. It has been proposed that a process be established to audit Third-Party Service Providers to certify that such third parties are compliant with the NACHA Operating Rules. Although not proposed in the Request for Comment, would your institution be supportive of a certification program for Third-Party Service Providers?












    Please submit your address and phone number.












Eric Richard • General Counsel • (202) 508-6742 • erichard@cuna.com
Mary Mitchell Dunn • SVP & Associate General Counsel • (202) 508-6736 • mdunn@cuna.com
Jeffrey Bloch • Assistant General Counsel • (202) 508-6732 • jbloch@cuna.com
Catherine Orr • Senior Regulatory Counsel • (202) 508-6743 • corr@cuna.com