Biller, Police Thyself: NACHA’s New Rule For Telephone-Initiated Recurring Payments
The National Automated Clearing House Association (“NACHA”) recently amended its Operating Rules to allow merchants and creditors (“Originators”) to obtain oral authorization from a consumer over the telephone for recurring automated clearing house (“ACH”) payments, provided the oral authorization complies with federal regulations for preauthorized electronic transfers. The revised rule could benefit billers generating regular recurring payments, such as utilities and insurance companies, by reducing their cost of obtaining authorization for multiple transactions and allowing billers to enroll customers faster than they currently do with online or written authorizations. It could also decrease risk in the overall payment system by reducing billers’ reliance on a high-risk alternative such as a Remotely Created Check, which has been long favored for recurring transactions since it does not require the consumer’s signature for authorization.
The catch? Methods of obtaining oral authorization for recurring debits are vulnerable to fraud if Originators are less than vigilant. Moreover, there appears to be some confusion in the market today regarding the steps Originators need to take to obtain oral authorizations that are simultaneously compliant with NACHA Operating Rules and existing federal regulations. As a result, the potential for abuse or error is high, and if recent history is any indication, incorrect implementation of the rule could place a costly burden on system participants.
Rules for Telephone-Initiated Recurring Payments
There are several bodies that develop rules that directly impact the use of recurring payments – the Federal Reserve Board (“FRB”), NACHA, and the card associations. Regulation E, which is set by the FRB and carries out the purposes of the Electronic Fund Transfer (“EFT”) Act, is the primary regulation; both NACHA and the card associations have guidelines that are consistent with this regulation.
Per Regulation E, preauthorized electronic fund transfers from a consumer’s account must be authorized “only by a writing that is signed or similarly authenticated by the consumer.” Regulation E considers the requirement for a written authorization to be satisfied if the Originator obtains the consumer’s electronic signature in compliance with the E-SIGN Act1 and provides the consumer a copy of the terms of authorization either electronically or in paper form. The original FRB commentary on Regulation E held that an oral authorization from the consumer or a tape recording of a telephone conversation in which the consumer agrees to preauthorized debits did not constitute a written authorization for recurring debits from the consumer’s account. However, this restriction was removed from the FRB’s commentary in 2006, paving the way for NACHA to amend its own rules to permit Originators to use the ACH network for recurring payments based on an oral authorization. In essence, starting September 16, 2011, NACHA has expanded the scope of its Standard Entry Class code for telephone-initiated ACH consumer debit, known as TEL (Telephone Initiated Entry), to include recurring transactions so that Originators can initiate recurring debit entries to a consumer’s account by obtaining the consumer’s authorization orally over the telephone.
To ensure that recurring TEL Entries are compliant with Regulation E, NACHA has the following guidelines for Originators:
- Obtain an oral authorization from the consumer that is (1) readily identifiable as an authorization of recurring ACH debits to the consumer’s account, (2) states the terms2 of the recurring debit clearly and in understandable terms, (3) evidences the consumer’s identity, and (4) evidences the consumer’s full consent to the transaction.
- Record the consumer’s oral authorization and provide the consumer either a recording of the oral authorization or a written copy of the full authorization (including its date and terms) before the first payment from the consumer’s account using the authorization.
- Provide “simple and easily accessible” cancellation procedure.
- Retain a copy of the recording or written notice for two years following the termination or revocation of the authorization.
Given that neither an oral communication nor a recording of an oral communication by itself qualifies as an “electronic record” under the E-SIGN Act, this still leaves open the question of whether Originators obtaining oral authorizations have to do something more (e.g., create a digital signature through the use of key presses on the telephone) to obtain a compliant electronic signature. If taped oral authorizations are used as the only basis for preauthorizing recurring debits, the potential for abuse or error appears high and could create new opportunities for fraudsters. NACHA has not yet opined on this matter. When contacted, NACHA officials advised that companies wishing to obtain oral authorization for recurring payments should seek legal counsel on obtaining a compliant electronic signature.
The Industry Experience
In January 2012, four months after NACHA implemented its new rules for telephone-initiated recurring payments, First Annapolis conducted a market survey to gauge how billers are responding to the rules. Based on this survey and anecdotal evidence, industry adoption of oral authorization for recurring payments appears nascent, and among companies that do initiate recurring payment arrangements over the phone, compliance with NACHA/Reg E rules for oral authorization appears low. The common points of weakness are:
- Not requiring the consumer to provide expressed consent to the terms of the recurring debit orally or via a written authorization form, an electronic signature, or via a Voice Response Unit. Although conversations with consumers regarding the set up of recurring payments are recorded, as are all other customer service calls, such a recording alone would likely not qualify as an electronic signature under the E-SIGN Act.
- Not disclosing the terms of the recurring debit clearly and in understandable terms.
- Not providing consumer with either a written or electronic copy of the authorization prior to the start of the first of the recurring payments.
- Not briefing consumers about cancellation procedures at the time of setting up recurring payments.
Potential for Abuse and Error
As the survey shows, companies originating TEL-based recurring debits today are relying on less than complete authorization from the consumer to initiate recurring payment arrangements. To see how potentially fraught with risk that is, we need look no further than NACHA’s own experience with unauthorized TEL entries in the early 2000’s.
In 2001, when NACHA implemented the TEL application to facilitate one-time debit entries, it experienced very high return3 rates for TEL compared to other types of ACH debits. In particular, there was a high incidence of returns due to “unauthorized” TEL transactions (i.e., cases where a consumer’s account was debited but the consumer asserts that he did not authorize the transaction) and Non-Sufficient Funds (“NSF”) TEL transactions. For instance, in 2002, nearly one percent4 of TEL transactions were unauthorized, which is more than three times the return rate for traditional pre-authorized ACH debits (“PPD”) initiated based on a standing written authorization from the consumer.
On examination5, NACHA observed a strong correlation between high unauthorized return rates and merchants/Originators that were engaged in fraudulent or deceptive marketing practices and were abusing the TEL application by skirting the rules of authorization. The Federal Trade Commission (“FTC”) also discovered substantial evidence of fraudulent merchants that had “gamed” the system with tape recordings manipulated to indicate the consumer’s authorization to a payment. For instance, some such merchants were found to have billed consumers using taped portions of telemarketing calls containing the consumer’s assent to something other than the payment. In some other cases, the tape recordings contained ambiguous consumer comments that were manipulated to create an impression that the consumer had authorized the payment. In addition, a significant portion of NSF returns was also linked to fraudulent activity. These cases came to light when account holders were charged an NSF fee for an ACH debit returned due to non-sufficient or uncollected funds in the account even though the entry itself did not appear on the consumer’s statement. It was determined that debits returned for NSF reasons were actually unauthorized.
These events highlight the potential for abuse inherent in relying solely on tape recordings to evidence consumer authorization for recurrent debits. They also underline the importance for Originators to ensure that merchants obtain valid authorization for all recurrent debits that are orally authorized by the consumer.
Indeed, although unauthorized transaction rates for TEL have declined since 2002, thanks to concerted industry efforts, unauthorized return rate for TEL in 3Q2011 was still nearly three times the rate for traditional preauthorized (“PPD”) debit entries, indicating that TEL is still a hotbed for fraudsters taking advantage of vulnerable customers. As can be seen from Figure 1, total return rates (comprised of returns due to unauthorized, NSF, and administrative reasons) for TEL entries are twice as high as that for PPD entries (authorization via document signed by individual) and nearly four times as high as that for WEB entries (authorization via the Internet) even though TEL volumes are only 12% and 14% of total PPD and WEB volumes.
Figure 1: Return Volume by Key NACHA SEC Codes, 3Q 2011
Note: TEL : Telephone-Initiated Entry; WEB: Internet-Initiated Entry; PPD: Prearranged Payment and Deposit Entry; POP: Point-of-Purchase Entry; ARC: Accounts Receivable Entry; CCD: Cash Concentration or Disbursement.
Source: various NACHA documents and FTC commentaries.
As noted above, weaknesses and errors in obtaining proper oral authorization for recurring debits could lead to a high volume of unauthorized returns and create opportunities for fraudulent exploitation of system vulnerabilities. In such a situation, both financial institutions and consumers stand to lose.
- ACH returns are costly (between $12 and $17 per item)6 for the payor’s bank (the bank receiving unauthorized or fraudulent ACH debits to the consumer account), as they have to bear the cost of the return process, including the cost of obtaining a written statement from the account holder victimized by the unauthorized transaction.
- Unauthorized returns also put a strain on Originator-customer relationships.
- Unauthorized debits put customers at risk of having their accounts depleted or overdrawn, threatening their ability to pay bills and damaging their credit.
- Since liability for unauthorized electronic fund transfers is contingent upon the timing of the consumer’s claim, a consumer may be liable for up to $50, $500, or an unlimited amount depending on when the unauthorized EFT occurs. To complicate matters, the confusion about what constitutes a compliant electronic signature in oral authorization could make it difficult for consumers to invoke protection under the unauthorized transfer rules and error resolution rules of the EFT Act.
In summary, Originators wishing to take advantage of NACHA’s new rules for telephone-initiated recurring ACH debits must ensure they understand and implement all the steps necessary to obtain their consumer’s oral authorization in a manner compliant with Regulation E, the E-SIGN Act, and NACHA operating rules.
1 The Electronic Signatures in Global and National Commerce (E-SIGN) Act provides for legal equivalence of electronic records and signatures with their physical counterparts.
2 To satisfy these requirements, the recorded authorization must include certain information including a telephone number for consumer inquiries that is answered during normal business hours, the date of the oral authorization, the account to be debited, and the amount, timing, and frequency of transfers.
3 A “return” item is returned to the originating bank because the originating bank warrants that all transactions it originates into the network are authorized. The key reasons for returns are (a) “unauthorized” entries where a consumer has notified his bank that the transaction was not authorized, (b) NSF or returns due to non-sufficient funds in the consumer’s account, and (c) administrative error which usually means the information with respect to the consumer’s account has been incorrectly entered or changed.
4 Source: NACHA for all ACH return statistics.
5 Source: Various NACHA documents and FTC commentaries.
6 Source: NACHA.
For additional information or assistance with recurring payment authorization compliance, please contact Raymond Carter, Principal specializing in Commercial Risk, firstname.lastname@example.org; or Chandita Kotoky, Consultant specializing in Commercial Risk, email@example.com
To read the rest of this article, please subscribe to