
Wrestling Payments
Wrestling Payments is a podcast for professionals working at banks, credit unions, and FinTechs who are responsible for managing ACH and payment operations. In each episode, members of NEACH guide conversations to help professionals examine the challenges of modernizing payment operations. Ultimately, the stories uncovered through guest interviews and solo episodes will highlight industry trends and identify how organizations can build their payment operations for the future.
Nacha Smackdown Series - Part 2 Unauthorized Cage Match
EPISODE SUMMARY:
QUESTIONS ALWAYS WELCOME. jcasali@neach.org
In this episode of Wrestling Payments, host Joseph Casali continues his three-part NACHA SmackDown series, taking listeners inside the high-stakes world of ACH rules violations. Through compelling real-world cases, Joseph reveals the consequences when financial institutions fail to follow proper authorization procedures.
The episode examines Steward Bank's repeated failures to provide valid authorization proof, resulting in escalating fines from warnings to $7,500. Joseph also explores O'Leary Bank's improper SEC code use, demonstrating critical compliance errors that payment professionals must avoid.
"These are really places to learn how the rules apply," Joseph explains. "Look what happened here. This went wrong, and they got fined for it. It's a really good way to learn how the rules work."
While emphasizing that NACHA's enforcement process doesn't recover funds for affected parties, Joseph provides valuable insights for operations managers and directors responsible for ACH compliance.
KEY INSIGHTS:
The Enforcement Process Protects the Network, Not Individual Cases
NACHA's enforcement process exists to uphold system integrity, not recover funds for affected parties. The process identifies rule-breakers and imposes fines to discourage future violations, but consumers must look elsewhere for recovery. Understanding this distinction is crucial for banking professionals managing payment operations—rules enforcement serves as a deterrent while arbitration offers a path for financial recovery. This separation of powers helps maintain ACH Network quality while giving institutions multiple ways to address unauthorized transactions.
Authorization Type Must Match the SEC Code
SEC codes must align with the authorization type obtained from customers—a critical compliance point for operations managers. Converting a check into a WEB debit constitutes an automatic rules violation because the authorization types differ fundamentally. Payment professionals must understand that each SEC code requires its distinct authorization format. This knowledge helps institutions avoid costly violations while ensuring proper payment processing across different channels.
Progressive Enforcement Drives Compliance
NACHA's enforcement panel uses progressively increasing penalties to encourage compliance, starting with warnings before moving to monetary fines. For payment professionals, this highlights the importance of addressing issues immediately rather than ignoring them.
The panel's willingness to impose recurring monthly fines for persistent violators underscores NACHA's commitment to maintaining network integrity.
Proper Documentation Prevents Costly Violations
Under NACHA rules, the obligation to provide valid proof of authorization within 10 banking days is non-negotiable. Financial institutions must maintain organized, accessible records and ensure staff understand how to respond properly to authorization requests.
Both cases highlight the importance of having knowledgeable staff (ideally AAP-certified) who can identify proper authorization formats and requirements. Operations managers should implement procedures ensuring authorization documentation matches receiver information exactly, as mismatches invalidate the proof and trigger violations.
NEACH - Wrestling Payments - SMACKDOWN SERIES - EPISODE 2: "UNAUTHORIZED ENTRY CAGE MATCH"
Season 3. Episode 11
Joseph Casali: [00:00:00] Stewart Bank denied the rule violation stating that the proof of authorization was provided in a timely manner and that they had reached out to McCarthy Bank directly to resolve the issue.
That's okay. All right, great. What happened next? NACHA staff contacted Stewart Bank to notify the bank that the denial of the violation was not accepted by NACHA. The name on the proof of authorization did not match that of the receiver, which deems the proof of authorization invalid.
Welcome to Wrestling [00:01:00] Payments. I continue with our three-part NACHA SmackDown rules violations in the ring episodes. Hoping to give you some insights into what happens when folks break the rules, when participants in the ACH Network break the rules and face the consequences. You like that?
That was good. Trying something new. We're doing a little bit of a mashup between wrestling and payments, and we're talking about what I really started this podcast to talk about the rules. What issues in the rules, what happens when things go wrong. This is, this episode is heated, so let's talk about what's going on.
First note. This is the NACHA Rules enforcement process. This process punishes, if you will, fines potentially the bad guys [00:02:00] in the ACH Network. It fines them, it doesn't get your money back. It doesn't. Doesn't stop them necessarily from doing it. They would be silly to do it, as you'll see from our first case, but it doesn't get the money back.
So there are other things you should do outside the network to get your money back. First in the network is arbitration. You can present cases to arbitration. The cases in this book available to and we, the book is the NACHA National System of Fines, ACH Rules Enforcement Case Studies. It's available to members, via the login, we're gonna make this available to everyone. You can see all the cases in here. There are arbitration cases, and the arbitration cases are decided by one, multiple, depending on the circumstances, arbitrators, and they can order a payment from one party to the other. And I say one party to the other [00:03:00] because RDFIs are equal opportunity for being fined if they do something wrong. So don't think we're picking on ODFIs in these stories, but the first story is fantastic. I gasped as I read it. So I will try to put on my wrestling hat again and talk about this case. And I'm I may be sure that some of you have actually had this experience.
So let's see if you're in ac, if you're in ACH operations. I'm pretty sure you've felt this pain. So let's see what happened. Okay. Stewart Bank failed to provide proof of authorization. Okay. One of the, one of the things an RDFI can do is to ask for proof of authorization as one of the steps in determining whether a receiver truly authorized or the entry is unauthorized, and part of the obligations is an ODFI must provide copy of the authorization within 10 days of written notice. Great. So [00:04:00] Cutler Bank was notified by one of its customers of an unauthorized TEL debit transaction from Stewart Bank.
Okay. Cutler Bank's the RDFI, Stewart Bank's the ODFI. Cutler Bank was unable to return the transactions, R10, because it was outside the extended return timeframe. If you know, a TEL entry is a consumer entry, they do get 60 days to return that entry. But in this case, the customer didn't check their statement or whatever the case may be.
They called them after the 60th date. So now we're looking at a breach of warranty. And in order to prove that you need to prove the entry was in fact unauthorized. First step in that is reaching out for a copy of the authorization. So Cutler Bank said, Hey, can we get a copy of the authorization?
Oh. Here's where the, here's where the match turns. Several requests for proof of authorization or permission to return, both the, both, you can do one or the other, were faxed and emailed without response [00:05:00] back from Stewart Bank. Fax and email are writing, so it was sent in writing for permission to send the entry back. After not receiving any response back from Stewart Bank, Cutler Bank filed a rules violation. Good move. Good move, Cutler Bank, like it. I encourage folks in the same situation to do the same thing again. It will not get your money back, but it will get their attention when NACHA's calling you on the phone and saying, we'd like to talk about something. It gets your attention.
So the process gives the party the ability to respond and they can respond, yes, I did it, or no, I didn't. So in this case, Stewart Bank denied the rule violation stating that the institution never received the fax and the person that received the email request had been out on vacation, had not set out an out of office, never really saw the entry come in, the email come in.
The dog ate it, all of those things. [00:06:00] Maybe most of those things were in the response. So they denied it. They said, hey, we're done. We didn't get it. NACHA staff reached out to Stewart Bank. They notified them that the denial of the violation was not accepted. So you can deny it.
NACHA determined, we're not accepting that denial. Documentation from the RDFI proved that some of the faxes had indeed been received by Stewart Bank. As this was, oh, then we, here, we got, getting off with a light touch, a little bit of a light touch. As it was the first instance of the infraction by Stewart Bank, the financial institution received a warning letter and was not subject to a fine.
Alas, they were subject to fixing the problem. NACHA requires them, how are you gonna fix this problem in the next it's 90 or 180 days so it doesn't happen again. But there was no financial [00:07:00] fine. And you may think that the story is over, but it's not. They kicked out at the end. Lo and behold, Stewart Bank received an additional notice of possible rule violation related to providing proof of authorization upon a request.
Oh, recurrence. Recurrence is not something you want to do in the rules enforcement process, so this means the same violation. NACHA received the report that they were doing the same thing to someone else, or the same receiver, but in this case, McCarthy Bank was notified by one of its customers of an unauthorized WEB debit. McCarthy Bank faxed and emailed several requests for proof of authorization or permission to return the entry to Stewart Bank. A copy of a Written Statement of Unauthorized Debit was [00:08:00] provided to Stewart Bank to show that the receiver's name did not match the individual's name on the transaction. I kinda imagine it was in the same beyond 60 days, because otherwise they could have just returned it. After Stewart Bank failed to respond to the request, McCarthy Bank sent in another request stating that the rule violation would be submitted if the response was not provided.
Yeah, that's nice. That's very polite. You don't wanna rat them out. But there's no reason you can't do both things. The rules violation, if it's not a rules violation, they won't get fined. They did nothing wrong. If it is a rules violation, you're helping out the network by saying, stop this ODFI from doing bad things.
Okay? So they sent the, the, oh, letter and the next day, Stewart Bank responded, providing the proof of authorization. McCarthy [00:09:00] Bank notifies Stewart Bank that the name on the proof of authorization did not match that of the receiver and requested permission to return the entry at this time.
McCarthy Bank submitted the rules violation. Good for you, McCarthy Bank for failing to provide a valid proof of authorization. Stewart Bank denied the rule violation stating that the proof of authorization was provided in a timely manner and that they had reached out to McCarthy Bank directly to resolve the issue.
That's okay. All right, great. What happened next? NACHA staff contacted Stewart Bank to notify the bank that the denial of the violation was not accepted by NACHA. The name on the proof of authorization did not match that of the receiver, which deems the proof of authorization invalid. As a class one recurrence, right?
So now we're in the recurrences of a previous infraction. [00:10:00] The financial institution was subject to a fine between $0 and $1,000. So what happened? What happened next? The ACH rules enforcement panel, again, a panel decides these things not just staff. There's not someone in the back office saying, oh, fine them. Don't fine them.
Don't find them. This is a group of folks representing and constituting a panel that talk about the issues, debate them, determine what should happen next. And in this case, they issued a fine of $1,000.
Do you wanna know what happened next? The problems continued. So this is just in the notes of the case, but the problems continued. The Steward Bank and its originators did not provide RDFIs with valid proofs of authorization or proofs of authorization in a timely manner. And what did we call that? We call that a recurrence.
So just as [00:11:00] a little lesson for a Class one rules violation. That was the first initial one. The first recurrence is a thousand dollars fine, which they received. They received a second recurrence, which was $2,500. They received a third recurrence, which was $5,000. That's all the plates in the Class one rules violation.
The fourth recurrence is a class two violation, and in this case, they had, they have as the latest update. The most recent violation involving the infraction resulted in an ACH rules enforcement panel imposing a fine of $7,500. It's pretty evident here that Stewart Bank isn't taking a lot of actions to resolve this issue.
I can tell you from past precedents that the fines will continue to go up. They could even continue and become [00:12:00] recurring fines. So every month they NACHA could issue a fine that says you are paying us a hundred thousand dollars a month. Because you are failing to fix this problem. I can tell you if they don't fix this problem they're probably headed that way.
I look forward to the next version of the book to see if this case continues. Okay. Let's go on to our second match. Just want to note the title of this episode is When Rogue Originators Enter the Ring Without Permission. So this case is an interesting one too. It's definitely a head shaker.
Let's get into the, let's get into it. Okay. So what happened here? O'Leary Bank processed an unauthorized WEB transaction. So O O'Leary Bank seems to be our ODFI. Nope. Hold on. Let's read the case and see what, [00:13:00] who becomes who. A customer of Rohan Bank. Oh, yes. So O'Leary is gonna be the ODFI. Customer of Rohan Bank instructed the bank to place a stop payment on a check written to a custom, to Custom Bats LLC, a customer of O'Leary Bank. Okay. So we're starting off in the check world. Interesting. Okay. The contract between Rohan Bank's customer and Custom Bats LLC included notice that the check may be collected electronically via the ACH network, right?
That's, there's check conversions, normal, that could happen as long as notice was provided. Great. The amount of the check was debited from the receiver's account as a WEB debit without a check number and included a different company name, which caused the item to be paid. Okay. You can imagine that.
So let's back up for a second. Stop payment. We put a stop payment on Custom Bats LLC because we wrote a check to them. It was check number x, and we don't want it to be paid. We don't want it to be paid, even if it's converted. [00:14:00] The rules around check conversion are, you can convert it to an ARC, a BOC. Not a POP, right? Because after the fact, you can't convert a POP, maybe even an RCK if that's, if it traveled through the check network first. It is never, ever a WEB, a check cannot be converted into a WEB. It was from a different company name. Lots of things there. It's, the authorization doesn't carry over to a different company.
It, none of this is good right now. Let's see what happens next. Okay. Upon contacting the payee of the check, the receiver was told that all checks were processed by a third party. That's wonderful, but did they tell them that? I don't think they did. Custom Bats LLC indicated to the receiver that the funds would be credited back to their account.
Oh great. Alright. We made a mistake, bad on us. We're gonna fix it. [00:15:00] After not receiving the refund, return funds, the receiver contacted Rohan Bank to complete a Written Statement of Unauthorized Debit and have the transaction returned as unauthorized. Valid. A WEB is a consumer SEC code, consumer has an extended timeframe to return that entry.
Great. Rohan Bank returned the transaction as R10, customer advises originator is not known to the receiver. Very valid. They don't know who that company was. It was never mentioned anywhere that a third party was gonna be collecting payments and there was no authorization in a form of a WEB authorization.
There. There's so much wrong with this right now. Okay. Rohan Bank filed a rules violation, good, against O'Leary Bank, related to the unauthorized transaction. I said good a second ago. I don't know. I don't know if that's fair to O'Leary. Let's see what O'Leary says, because they may, sometimes originators are creative on their own and it may be unknown to O'Leary Bank, but there is that due [00:16:00] diligence that O'Leary Bank is supposed to know how the Custom Bats is processing.
Okay, we'll go back to the good, good on Rohan Bank. Okay, O'Leary. Oh, here's what, they got the notice of possible rules violation from NACHA. O'Leary Bank denied the rules violation, and provided a copy of the Custom Bats LLC agreement, along with a copy of the receiver's check.
That's wonderful. But we can tell that O'Leary Bank does not have an AAP on staff. NACHA refuted O'Leary Bank's denial of the violation because the agreement contained authorization for a check conversion. Not a WEB authorization, not a website. It's, that's basics. You cannot turn a check into a WEB.
It did not contain authorization for a WEB transaction. Oh, that's what I just said. Yeah. Okay. What did the panel find? Let's see. Oh, more, more little slaps on the wrists. Okay. As this was the first instance of its infraction by O'Leary Bank, the financial institution received a warning letter and was [00:17:00] not subject to the fine.
I would advise that, I can't advise because we don't provide legal advice, but O'Leary Bank needs an AAP on staff. They, they just simply responding to NACHA's case saying, oh, no. Here they had authorizations to send ARCs when the entry was actually a WEB is just not knowing the rules and how they work.
Interesting case, this is a critical issue in the ACH authorizations. There are lots of issues that, that involve the fact that it wasn't authorized. The, we get calls all the time where a CCD payment for a credit card bill comes into a consumer account. Or a WEB debit comes into a corporate account with a person's name on it for, again, for a credit card payment.
Not valid, not they're not, the authorization for that is not [00:18:00] valid. And these cases, the timeframe went a little long. You can within the first 60 days, send the entry back as R10 unauthorized, or did not know who the originator was in this case after that. And you could send it back and you, that could be the end of the story.
You could also say, yeah, we just wanna, cross our Ts is we wanna see what the authorization looked like. And the rule says when an ODFI gets that they either have to provide the copy of the authorization or give permission to send the entry back. It doesn't matter the receiver, the RDFI can still ask again for a copy of the authorization and they have to provide the authorization.
So it's matter of due diligence, understanding your originators have to keep valid copies of authorizations available so that you can get it back to the RDFI in 10 banking days. Really important. Lots of consumer protection in the ACH, lots of consumer protection if you [00:19:00] use consumer SEC code. So that check conversion, which can be consumer, but when that turned into a WEB, that entry didn't exist. There was unauthorized just by the format of authorization. Not saying whether they owed the money, didn't owe the money, that goes on outside the network, right? If these folks didn't want to pay for a kitchen because they were unhappy with the workmanship, fine, that's fine.
But that's not an ACH issue. That doesn't get resolved in the ACH, doesn't get resolved by NACHA. Following the rules gets resolved by NACHA. That's it for this episode. Hopefully you'll turn in, tune in for part three of the episode. That's a, it's a sort of a tiny episode, but these are the, these are really places to learn how the rules apply. If you're an AAP candidate,
You should listen to these just because you're applying the rules. It's not just, let me read the rule. Oh, the authorization for a web is the words that [00:20:00] appear on the screen and the way we authenticated them and how they work together to be an author, it's, Hey, look. Look what happened here. This went wrong, and they got fined for it.
It's a really good way to learn how the rules work. So please tune in for the last episode and let me know how you liked them. If you didn't like 'em, we'll never do 'em again if you liked them. I can do these all day.