Wrestling Payments

Nacha Smackdown Series - Part 3 Technical Foul Throwdown

NEACH Season 3 Episode 12



QUESTIONS ALWAYS WELCOME. jcasali@neach.org

EPISODE SUMMARY

In this third installment of the NACHA "Smackdown" Rules Violations in the Ring series, Wrestling Payments host Joseph Casali dives into NACHA's enforcement process, examining real rules violation cases and their consequences. The episode unpacks three enforcement cases involving micro-entries to invalid accounts, entries to invalid accounts, and failure to perform annual ACH compliance audits.

Joe walks listeners through each case, detailing how financial institutions responded to violations and the resulting penalties. The podcast highlights how even seemingly minor infractions can lead to significant fines. "These are the easy things," Joe explains when discussing a $5,000 fine for missing an annual audit requirement.

The episode serves as a practical guide to understanding NACHA's enforcement process, demonstrating how financial institutions can learn from others' mistakes to improve their own compliance practices and avoid costly penalties.


KEY INSIGHTS

Compliance Mistakes Cost More Than Just Money
NACHA enforcement isn't just about penalties—it reveals operational vulnerabilities that impact multiple stakeholders. When financial institutions fail to maintain proper controls, they face monetary fines, reputational damage, increased scrutiny, and potential customer impacts. The actual cost extends beyond the immediate financial penalty, including operational adjustments, staff time, and preventative system investments. Organizations should view compliance as a strategic business function rather than a checkbox exercise, especially when scaling operations.


Fraud Prevention Requires Evolution, Not Just Detection
Effective fraud management demands a dynamic approach that evolves alongside emerging threats. When patterns of suspicious activity emerge, institutions must rapidly implement countermeasures and be willing to adjust their business models when necessary. The most successful organizations build layered defense systems that can adapt to changing fraud tactics. This requires cross-departmental collaboration, regular testing, and the courage to disable vulnerable services when controls prove insufficient—even if it temporarily impacts revenue streams.


Regulatory Compliance Cannot Rely on Good Intentions
The financial services industry operates within a complex web of overlapping regulatory frameworks that require deliberate, proactive management. Intending to comply or being unaware of requirements does not protect from enforcement actions. Every organization must establish systematic approaches to tracking, implementing, and verifying compliance activities on an ongoing basis. Leadership must prioritize creating a culture where regulatory obligations receive continual attention rather than periodic focus during examinations or audits.


Siloed Compliance Creates Dangerous Blind Spots
Financial institutions face requirements from multiple regulatory bodies with overlapping but distinct compliance demands. Treating these requirements as separate, unrelated obligations creates dangerous gaps where violations can occur despite passing specific examinations. Effective compliance programs require an integrated view of all regulatory obligations to identify interconnections and prevent requirements from falling through organizational cracks. Organizations must comprehensively map regulatory responsibilities with clear ownership and accountability across all departments that touch payment operations.



NEACH - Wrestling Payments - TECHNICAL FOUL THROWDOWN

SEASON 3 EPISODE 12

Joseph Casali: [00:00:00] The only folks that can complain of a possible rules violation are the ODFI, the RDFI and NACHA. One of the things that NACHA does is randomly they go out to ODFI and RDFI and say, Hey, can I get a copy of your audit? And it's not really a copy of your audit, it's proof that you completed your audit.

So during NACHA's quarterly ACH Rules compliance audit outreach, Thurmond Bank was requested to provide proof of the bank's annual ACH compliance audit. Thurmond Bank responded to this request and indicated that it had not performed an ACH Rules Compliance Audit for two consecutive years.

Joseph Casali: [00:01:00] Hi, welcome to Wrestling Payments. My name is Joe Casali. I'm your host. Welcome to the third installment of our NACHA Smackdown: Rules Violations in the Ring. We're gonna talk about rules violations and what to do when they have them. If you don't realize, Wrestling Payments, we try to smash together. It was fun, it's cute.

Let's make it Wrestling Payments, 'cause I love wrestling, professional wrestling, and I love payments. So we smashed them together and I have a little, trying to make this one like an in-ring experience, but I stumbled across a rules violation by mistake. I was searching for Able Payroll and it actually just found the first "able" in the book, and we're going over the NACHA [00:02:00] System of Fines, Rules Enforcement Case Studies document available to NEACH members. Please contact customer service to see if you're a member and can get access to that. But I stumbled across the case, but I thought it was really great. So here for the first case in this episode is a bonus issue.

So this one is commercially reasonable fraud detection of micro entries. That's what this one is. It caught my attention. I thought it was a great case, and then I realized, oh, that's not the one I'm supposed to be doing, but let's cover it anyway. So here's the claim. The claim is BWGR initiated an excessive number of micro entries to invalid accounts, wah, wah.

So micro entries, if you're familiar with those, are little under-a-dollar entries to try to verify the account number of the receiver. RDFI Creed Savings and Loan received over 2,700 invalid micro entry transactions to three accounts from [00:03:00] ODFI B-E-W-G-R Bank and its originator, HN Haven, hn, H-A-V-E-R-N Billing.

Okay, Creed Savings had been receiving thousands of fraudulent, invalid transactions that contained the entry description "Account Verify." That is the valid label for micro entry. The transactions were returned as R03, no account/unable to locate, or R04, invalid account number structure.

After unsuccessfully addressing the issue directly with the ODFI and its originator, a rule violation was filed. Okay? So this is bad, right? This is just, if you're in the ACH you learn the rules. You try to follow the rules. You hear things like this and you go, what would, and, where's the harm here?

You may be saying to yourself, oh, they returned them. There's no harm. Do you know how much time it took to return 2,700 entries? Not okay. There's a [00:04:00] cost to that. Okay. This is why I was interested in this case because you can be part of a rules violation where you get to respond to, you deny it, or you accept that you've violated the rules, and what are you gonna do to try to fix it?

So in this case, BWGR Bank acknowledged the violation and stated that several attempts had been made to resolve the underlying issue. Wow. Wait. You did something about it and here's what they did. So remember we're talking about micro entries. If these guys were working with their originator to say, Hey, let's try this.

Let's try this. Let's fix this, let's fix this. Here's the list of things that they tried with their originator. Maintain a comprehensive set of risk controls during onboarding process. Implement limits on the bank add and usage at various levels. Who can do that? Who can add a new entry to prove an [00:05:00] account? Who can do that?

Block email domains commonly exploited by fraudsters. Implement daily monitoring to assist in identifying and deactivating fraudulent accounts that bypass controls. Implement robust internal monitoring systems specifically designed for anomaly detection related to high velocity (right? They're all going into the same account) micro entries. Create a dedicated team to investigate and ascertain the nature and extent of the anomalies detected. Block routing numbers being targeted by fraudsters. Deploy two major risk controls, which significantly reduce the number of fraudulent bank additions from the double digits to single digits.

So they were seeing progress. Internally set up scanner and deactivate threats daily. Worked on developing a long-term solution, which is a model-driven payment instrument validation service.

This would dynamically enable the ODFI to control these types of risks. And finally, [00:06:00] they disabled micro entries. Implemented a new commercial account verification system to verify bank account details. That was a lot. This ODFI was really trying. This customer must have been valuable to them, but they were really trying.

So here's all I did. I throw myself on the mercy of the court. And remember, the court isn't a person at NACHA. It is a rules enforcement panel, and the panel looked at it and the ACH Rules Enforcement determined the ODFI had committed a Class Two rules violation due to the excessive harm caused to the RDFI. Again, I said that earlier, I did not read that.

I said that earlier. This was a lot of work. There were people going through these entries every day to return them. It doesn't matter that they were 25 cents or 35 cents. The review process, the returning process all takes time, effort, and money. And did they face a fine [00:07:00] or did they get their hand slapped?

A fine of $5,000 was imposed against the ODFI. So they can add paying fines to NACHA to their list of things they try to do to fix this problem. And I stumbled across that by mistake because I was looking for ABLE Payroll and ABLE was one part of the title of this one. But it was so interesting I had to read it.

Alright, let's get back to Wrestling Payments. What's the fun stuff? Oh, this one's a tough one. This one's a tough one. You're not really gonna like this one. It's just sad, but you're not gonna like this one. It's a good one, but you're not gonna like it. Alright, so let's talk about it.

We're gonna talk about the case of entries to invalid accounts. Here's the claim. The claim that Kinley Bank received a notice of possible rules violation related to its originator Able Payroll Processing for initiating an entry to an invalid account at the RDFI. [00:08:00] Invalid account sending entries.

They're bad entries. If that happens more than once, it's a possible rules violation, you get one. There is a statement out there, I forget who told me. But even one entry to an invalid account is a potential for a rules violation. So you have to do due diligence on the account numbers before you send these transactions. And again, at the end of the story, you're gonna say, oh, no. And again, it's a real story. This really happened. Okay. Background. After consulting with Able Payroll Processing, Kinley Bank acknowledged the rules violation and stated that it had resolved the issue.

Okay. We resolved it. We acknowledge it. We did it. We're gonna throw ourselves on the mercy of the court, and we did it. NACHA received additional reports of violations from the RDFIs related to the same rule infraction and escalated the issue with Kinley Bank via [00:09:00] notice of possible rule violation.

So they got a rules violation. Kinley Bank said, yep, we did it. And then they got more rules violations from other RDFIs with the same problem. Knowing the rate at which RDFIs file rules violations, which is slim to none, it must have been a really bad problem for multiple RDFIs to respond to the same issue.

So discussions with Kinley Bank revealed that Able Payroll Processing had substantially increased their client base. Good news, right? Resulting in a significant growth in its origination volume. Good. Good for the payroll processor. Great job. The RA bank reported that a systemic issue occurred when Able Payroll Processing's system couldn't handle the increased volume, triggering (this is what happened with their systems) incompatible routing and account information. [00:10:00] Simply said, all the records that said, here's where we go for the funding. He it. I know it's the funding. They were going for the funding.

So the debits to the corporate accounts for funding of payrolls. The database slipped. So imagine that, line one of the database has the routing number of the first to be debited. It got it slipped and it was using the third, the fourth, the fifth, whatever account number. So the account numbers and routing numbers weren't real.

They were all mixed up. So that went to the panel. They were growing. There was a lot of activity, updated database, all that going on. The ACH Rules Enforcement Panel reviewed the issue and determined that regardless of the internal systems issues, the originator and its ODFI are still responsible for the accuracy of the account information.

Fines. As the violation submission had [00:11:00] escalated to Class Two status, the financial institution was subject to a fine between zero and a hundred thousand per month until the issue was resolved. So for the folks who are just tuning in, and we didn't talk about the classes, a Class One rules violation is a rule violation that says, one, don't do it again. We're not gonna fine you this time, but don't do it again. A recurrence would be a thousand dollars. A second recurrence would be $2,500. A third recurrence would be $5,000. So they had already gone through all of those fines already. And then now we're sitting in the Class Two space of a rules violation.

Because it happened again, the rules enforcement panel decided to impose a one-time fee, a fine of $20,000. That's a big fine, right? This is a part of the growing pains. And I can tell you if the rules enforcement complaints still came in, they would be facing [00:12:00] that next month too. So all of this is important to understanding what business your customer's in and what they're doing.

In our final case, our final match of the series talks about the Audit Dodge. Okay. This is failure to perform ACH rules compliance audit. We're gonna be talking about Thurman Bank failed to perform the annual ACH compliance audit, dur. Okay? So this is the, if I haven't covered this in the series at all.

The only folks that can complain of a possible rules violation are the ODFI, the RDFI and NACHA. One of the things that NACHA does is randomly they go out to ODFI and RDFI and say, Hey, can I get a copy of your audit? And it's not really a copy of your audit, it's proof that you completed your audit.

So during NACHA's quarterly ACH [00:13:00] Rules compliance audit outreach, Thurmond Bank was requested to provide proof of the bank's annual ACH compliance audit. Thurmond Bank responded to this request and indicated that it had not performed an ACH Rules Compliance Audit for two consecutive years.

Again, as I mentioned in the last episode, there is not an AAP on staff here. That is a bad thing. It's a bad thing because of my next line I'm gonna read. Failure to perform an annual audit constitutes a Class Two violation of the NACHA Operating Rules. You don't get to go through, oh, you didn't do an audit. Great. Do it next time. We're gonna slap you on the wrist. They go right to Class Two, zero to a hundred thousand dollars fine until the problem is fixed. So Thurman Bank was sent a notice of possible rules... possible fine related to the violation. Thurman Bank acknowledged the [00:14:00] violation and stated it had lost sight of the audit requirement.

The bank had been written up during its annual audit for the lack of ACH compliance audit. Oh, no. So their regulator had said they hadn't done an ACH audit? Not okay. The bank had scheduled the ACH audit with its payment association and would maintain the required annual schedule. Wow. An annual audit is a pretty easy thing. You just schedule it, it gets done. Typically, it's done by an outside party. Typically it's done by the same, if you're doing your audit with your association, you're probably doing that every year. This guy, these guys, staff change, people change, new system of core conversion, whatever would the case.

They lost sight of their audit. That is a Class Two. Not only did they lose sight, they showed up on the random quarterly review by NACHA. So that was it. So what did the panel decide? The ACH Rules Enforcement Panel determined the financial institution had [00:15:00] committed a Class Two rules violation. If you remember that rules violation, it can be anywhere from a zero to a hundred thousand per month until the problem is fixed. The ACH Rules Enforcement Panel decided to impose a fine of $5,000. These are the easy things. I think I have one more case. I do have one more case.

So that was an easy $5,000 not to face by just completing your ACH annual audit every year. Let's find the last case, which is really another really easy thing to do. But let's find it. Hold on. I'm gonna search.

Okay, that's good. Let's search for that. Oh, why didn't I find it? Let's try it again. Nope. But, did I spell it right? Lemme pause this.

[00:16:00] Alrighty. We found the cases, and this is a two-for. So this is a loaded episode. It has an extra case. It has two cases in one. Let's talk about the case. In the ring, we have a failure to register third party sender status. If you're not familiar, if you have a third party sender, you must register them with NACHA.

It's an easy process. NACHA has built a database. It's a really functional and good database. Gives you the ability to report third parties and nested third parties. So let's talk about case number one. And remember, this is a double feature. So Corner Bank received a notice of possible rule violation, a Class Two rules violation for failing to register their third party sender status with NACHA, which was to be completed by March 1st, 2018. This is the primary registration that said, I have them. I don't have them. They didn't do anything. So background. I think they didn't do anything. Let's see what the background says. Conner Bank denied the [00:17:00] violation stating it had fulfilled its obligation to NACHA when it registered its direct access participation in 2010.

Notice the words were direct access and not third party sender. They both did include registration, but that's where it stops. Staff reached out to Connor Bank to explain that the registration performed in 2010 was strictly related to the financial institution's direct access status and did not address whether or not the financial institution had any third party sender relations.

If you're unaware, direct access is a relatively risky but manageable thing. It is the idea that you're an ODFI. ODFIs usually are in the position to send files to the Fed or the clearinghouse to originate ACH transactions. In some cases, they've given that ability to a third party, to originate their [00:18:00] own entries.

So you've got a situation where the third party's sending entries that the financial institution may not know about. That could be a problem. So NACHA was aware of that in 2010, or before there was a movement to register third party direct access. So we could identify how big is the problem.

Put in some controls that say, Hey, you're gonna know what they're doing. Gotta do your due diligence, gotta report to us if they're doing stuff that you don't know, on a quarterly basis. But that is not third party sender registration. There were two different things, and NACHA explained that. Staff also explained that the reference to third party sender was only in relationship to whether the direct access participant was a third party sender. If the financial institution indicated it did not have direct access participants, that did not identify to NACHA if it had third party senders. So [00:19:00] in this case, say they had a third party sender in 2010 and they didn't have direct access, they said to NACHA, Nope, we don't have any direct access participants. That didn't indicate whether they had a third party or not. NACHA has no idea. Didn't know. A problem. Definitely a confusion. Let's see what the panel concluded. NACHA refuted Connor Bank's denial because it had not performed the required registration by March 1st, 2018.

Easy peasy. They didn't do it. The ACH Rules Enforcement Panel determined as no other financial institution or consumer was impacted by this rules violation, and the overall goal is compliance with the rule, the fine amount should reflect that. So what was the fine? Again, reminder to everyone that Class Two rules violation, the financial institution could be subject between zero and a hundred thousand dollars per month until the issue is resolved. [00:20:00]

They were issued... a one-time fine of $500 was imposed against Conor Bank. So I imagine my next episode or my next case is gonna be similar. Let's see. Yes. Very similar. In fact, it has the same title, Failure to Register Third Party Sender Status. Okay, the claim of a different institution.

This is a different case. So starting right at the top again, Bettis Bank received a notice of possible rules violation citing a Class Two rule violation for failing to register its third party sender status with NACHA, which was supposed to be completed on March 1st, 2018. Great. Background. Okay, so Bettis Bank denied the violation. So another organization that denied the violation. Why did they deny the violation? And I can tell you, if I recall correctly, it's a positive acknowledgement. It's we have 'em or we don't have them. It's not, we didn't respond. So let's see. [00:21:00] It was unaware of the registration rule.

And the March 18th, A March 1st, 2018 deadline. Oh, if you didn't know about the rule, that must not apply. Sorry. Sarcasm. In addition to yearly audits, the financial institution had just gone through an FTC examination where there was no discovery of being out of compliance for this rule.

The financial institution receives NACHA rules and guidelines training, and does not recall this particular rule being a topic on the training agenda. Ooh, not much more to this case. So what did the panel conclude? NACHA refuted Bettis Bank's denial because it had not performed the required registration by March 1st, 2018. The ACH Rules Enforcement Panel determined as no other financial institution, oh, this sounds familiar, as no other financial institution or consumer was impacted by the rules violation, and the overall goal is compliance with the rule, the fine amount should reflect that. As a Class Two rule violation, the financial institution was subject to [00:22:00] a fine between zero and a hundred thousand per month until the issue was resolved.

Once again, a $500 fine was issued to Bettis Bank for not filing their rules violation or their third party sender registration. This is kind of a couple of important notes here. We'll call it, let's call it outside interference. Was there any outside interference? No. FDIC did their audit for their stuff.

They may or may not have caught an ACH rules violation. The ACH is a thing unto itself. FDIC is a thing unto itself. You have to be compliant with all of it. OCC, FFIEC, all of it. You have to be compliant with. It's hard. I understand. That's hard. The rules are getting more complex.

The environment is getting more complex. There's more bad guys, there's more vectors, but all of these individual rule bases have their own compliance requirements. Stating that [00:23:00] the FDIC didn't tell us is probably not the best defense against this fine. Telling them that you've had NACHA training, but you didn't hear this one, probably not the best defense. I think that it's, we send our members a rule book every year. If we didn't send our members a rule book every year, I would say we should send our members a rule book every year. The rules change to a great degree or a little degree every year. The onus is on the participant to be compliant with the rules.

So in this case, it was, again, it was a, a. I don't want to, I guess I'll just call it a good deed. NACHA was trying to improve the network so they didn't, these fines were really a little more than a slap on the wrist, but not, not a class two full fledged, what you could expect from a 30, 40, 50, a hundred thousand dollars fine.

So it was enough to say, Hey, [00:24:00] get your registration done. Keep it up to date. Really important topics. I hope you enjoyed this style of delivery. If you did, let me know. Send an email. We can do more. This book is gigantic. There are cases, we've talked about rules violation in this series. We didn't talk about arbitration.

So there's a whole other part of this book that we could talk about. And it's 150 plus pages, so there's a lot of cases in there. Sometimes, you can learn better by applying the rules. So rather than someone sitting up and saying, Hey, you gotta do this and you gotta do this, and this is part of the rule, and you gotta have authentication and authorization, saying what happened when that went wrong is sometimes a better trainer than anything else. And as an added bonus, if you do respond, there is a whole series of ODFI return [00:25:00] rate reporting case studies. I haven't read 'em, I don't know what they are. So if you are an ODFI and you'd like to know, hey, what happens if the return rates are a little screwy, not that we have 'em.

We don't have, our return rates are perfect, but for someone else, what does that look like? Just a conversation between us to see what that looks like. Thank you for joining me. Your subscriptions, likes sharing. All appreciated, thank you and, I'll see you the next time. 
