Does your business originate ACH Files? If so, it’s important to stay informed about the Nacha Operating Rules & Guidelines, which are updated annually by the National Automated Clearinghouse Association (Nacha). These rules govern all ACH payments and outline specific requirements for the secure storage, access, and transmission of sensitive customer data.

Even if you use a third-party provider to process ACH transactions, you’re still responsible for understanding and complying with Nacha’s Rules. Make it a priority to stay current with any updates by regularly visiting the Nacha website.

Safe & Simple Best Practices for ACH

Monitor accounts daily to catch unauthorized activity

Under Nacha rules, unauthorized or improper corporate ACH debits must be returned no later than the start of business on the second banking day after the transaction’s settlement date—essentially giving you one business day to return the debit. Failing to return it within this timeframe significantly reduces the chances of recovering the funds.

Fix ACH returns quickly

  • A returned ACH entry may not be reinitiated unless (1) the entry has been returned for insufficient or uncollected funds; (2) the entry has been returned for stopped payment and re-initiation has been authorized by the Account Holder, or (3) the Originating Depository Financial Institution (Farmers & Merchants Bank) has taken corrective action to remedy the reason for the return.
  • An originator may re-initiate a debit entry within 180 days up to two times. Those entries must be sent in a separate batch and contain identical content in the Company Name, Company ID, and Amount field.
  • Re-initiated entries must contain “RETRY PYMT” in the Company Entry Description Field.
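
The three re-initiation rules above can be enforced as a pre-submission check in the system that builds ACH batches. The following Python sketch is an added example, not code from FMB or Nacha; the `Entry` type, the function name and the reason labels are hypothetical, and it assumes the 180 days are counted from the original entry's settlement date.

```python
from dataclasses import dataclass
from datetime import date

# Labels for the return reasons named in the rule (this example's own names).
NSF_OR_UNCOLLECTED = "nsf_or_uncollected"
STOP_PAYMENT = "stop_payment"

@dataclass(frozen=True)
class Entry:
    company_name: str
    company_id: str
    amount_cents: int
    entry_description: str   # Company Entry Description field
    settlement_date: date

def reinitiation_problems(original, retry, return_reason, prior_retries,
                          holder_reauthorized=False, odfi_corrected=False):
    """Return the rule violations for a retry; an empty list means it may be sent."""
    problems = []
    eligible = (
        return_reason == NSF_OR_UNCOLLECTED
        or (return_reason == STOP_PAYMENT and holder_reauthorized)
        or odfi_corrected
    )
    if not eligible:
        problems.append("return reason does not permit re-initiation")
    if prior_retries >= 2:
        problems.append("entry has already been re-initiated two times")
    # Assumption: the window runs from the original settlement date.
    if (retry.settlement_date - original.settlement_date).days > 180:
        problems.append("retry falls outside the 180-day window")
    for field in ("company_name", "company_id", "amount_cents"):
        if getattr(retry, field) != getattr(original, field):
            problems.append(f"{field} differs from the original entry")
    if retry.entry_description.strip() != "RETRY PYMT":
        problems.append('Company Entry Description is not "RETRY PYMT"')
    return problems

# Constructed sample entries (not real account or company data).
ORIGINAL = Entry("ACME SUPPLY", "1234567890", 125000, "INVOICE", date(2025, 3, 3))
GOOD_RETRY = Entry("ACME SUPPLY", "1234567890", 125000, "RETRY PYMT", date(2025, 3, 17))
# Amount changed, description left unchanged, and sent 212 days later.
BAD_RETRY = Entry("ACME SUPPLY", "1234567890", 127500, "INVOICE", date(2025, 10, 1))

if __name__ == "__main__":
    print(reinitiation_problems(ORIGINAL, GOOD_RETRY, NSF_OR_UNCOLLECTED, 0))
    for problem in reinitiation_problems(ORIGINAL, BAD_RETRY, STOP_PAYMENT, 2):
        print("-", problem)
```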

Notification of Change Entry

Nacha rules require ACH originators to update information requested by the Receiving Depository Financial Institution (RDFI) within six banking days of receiving a Notification of Change (NOC), or by the next time the transaction is initiated—whichever occurs later. These updates often involve corrections to transaction codes, account numbers, or routing numbers.

Red Flag Activity

Implement procedures that alert to “red flag” activity. Train employees to stay alert for anything unusual or suspicious. This could include changes in the appearance of FMB’s Business Online Banking, such as unexpected layout or color scheme differences, obvious spelling errors on the website or in email notifications, or unexpected “system down” messages.

Another potential warning sign is being unable to log in to FMB’s Business Online Banking after multiple attempts using known credentials. This may suggest that login information has been compromised or that the account is already active on another device.

Dual Control

When feasible, responsibilities should be divided among multiple employees. To help prevent unauthorized ACH transactions, separate the payment process so that one employee creates or uploads ACH batches, while another is responsible for reviewing and approving them. Additionally, to minimize the risk of unauthorized system access, ensure that the user who manages account permissions—such as adding or removing users—does not have the ability to approve, delete, or modify ACH batches.

Have a security policy for company systems

Avoid allowing employees to access social networking sites on the same computers used for your business’s online banking activities. Social media platforms are common targets for cyberattacks, including tactics like likejacking—where fake “like” buttons trick users into downloading malware or automatically posting malicious content to spread the attack. Other threats include fake apps or group invitations that offer incentives but are actually designed to steal login credentials or collect personal information.

Rules & Updates for Originating ACH

Authorization Requirements for Corporate Entries

Similar to consumer transactions, all ACH credits and debits to a business account must be authorized by the business Receiver (Company).

  • For transactions using CCD (Corporate Credit or Debit), CTX (Corporate Trade Exchange), or IAT (International ACH Transactions) codes, the business Receiver must enter into a formal agreement with the Originator. This agreement should explicitly state that the Receiver agrees to comply with the Nacha Operating Rules.
  • The agreement should also clearly outline the purpose and details of the credit or debit entries, ensuring the corporate customer fully understands the nature of the transactions.

Unlike consumer entries, non-consumer Receivers of CCD, CTX, or IAT transactions are generally required to return unauthorized entries no later than the start of business on the second banking day after the settlement date. This necessitates prompt and diligent review of all transactions to identify any unauthorized activity in a timely manner.

Authorization Requirements for Consumer Entries

Originators are required to obtain proper authorization for both consumer credit and debit entries, ensuring that the terms are clearly presented and easily understood by the account holder (Receiver).

  • The authorization should include specific details such as the account number, routing number (often provided via a copy of the account holder’s check), and the type of account (e.g., checking or savings).
  • For debit entries, the consumer must date the authorization and either sign it or provide an equivalent form of authentication.
  • It’s important to periodically review all authorizations to confirm they comply with the requirements outlined in the Nacha Operating Rules.

Originators should be prepared for the return of consumer entries that lack proper authorization.

A debit entry is considered unauthorized if:

  1. The authorization was not obtained in compliance with Nacha Operating Rules or is otherwise invalid under applicable laws;

  2. The transaction amount differs from what the Receiver authorized; or

  3. The transaction was initiated for settlement earlier than the date authorized by the Receiver.

Generally, consumer debit entries must be returned by the Receiving Depository Financial Institution (RDFI) in a way that ensures the return is available to the Originating Depository Financial Institution (ODFI) no later than the start of business on the banking day following the 60th calendar day after the original entry’s settlement date. This same deadline applies to debit entries where the consumer Receiver has revoked their authorization.

Notice of Change for Recurring Debits

For recurring debit transactions where the amount varies, Nacha Rules require the Originator to notify the account holder (Receiver) at least ten (10) calendar days prior to the scheduled debit date.

If there is a change to the date the debit will occur, the Originator must provide written notice to the Receiver at least seven (7) calendar days before the first transaction reflecting the new date is scheduled to post to the Receiver’s account.

Document Retention for Authorizations

Originators are required to retain a signed or similarly authenticated authorization for two years after it has been terminated or revoked by the Receiver.

If the authorization was obtained in paper form with a physical signature, the Originator must keep either the original document or a copy. Electronic authorizations are acceptable as long as they (1) accurately represent the content of the original record and (2) can be reliably reproduced for future reference.

Upon request by its ODFI, the Originator must provide the original, a copy, or another accurate version of the Receiver’s authorization for use by the ODFI or a requesting RDFI. This information must be provided in a timely manner, allowing the ODFI to deliver it to the RDFI within ten (10) banking days of the RDFI’s initial request.

Company Name Identification

The Originator must clearly identify the source of an ACH transaction. According to Nacha Rules, the Company Name field must contain the name the Originator is commonly known by and easily recognized by the Receiver. Since this name will appear on the account holder’s bank statement, it should be familiar and clearly identifiable to the Receiver to avoid confusion or disputes regarding the transaction.

International ACH Transactions

FMB does not allow the origination of ACH transactions using the IAT (International ACH Transaction) standard entry class code. Transactions that were previously considered domestic may now be classified as international (IAT) under certain circumstances. An ACH payment may be categorized as an IAT if your business:

  1. Operates as a subsidiary of a multinational corporation,

  2. Has foreign subsidiaries,

  3. Engages in buying or selling with parties outside the United States, or

  4. Sends payroll, pension, or benefit payments through the ACH Network to individuals with permanent addresses outside the U.S.

Laws Regarding OFAC

Corporations are legally obligated to comply with OFAC (Office of Foreign Assets Control) regulations. Failure to do so can result in both civil and criminal penalties, including imprisonment and fines ranging from $10,000 to $10 million per violation. In cases where penalties are imposed on the financial institution, those costs may be transferred to the corporate Originator, depending on the terms outlined in their agreement with the institution.

These fines are issued by the U.S. government, and any collected funds become government property—not that of the financial institution. For more information on OFAC requirements and associated penalties, visit: https://www.treas.gov/offces/enforcement/ofac/.

Prenotifications

Prenotifications are zero-dollar ACH entries used to verify the validity of an account at the Receiving Depository Financial Institution (RDFI). While Originators are permitted to send prenotes, they are not required to do so under Nacha Rules. However, if a prenotification is sent, the Originator must wait at least three (3) banking days before initiating any live dollar transactions to that account.

Reversing an ACH File or Entry

An Originator may initiate a reversal for an erroneous or duplicate file—or for a specific item within a file—within five banking days of the original file’s Settlement Date. The term “REVERSAL” must be included in the Company Batch Header Record. If the reversal is correcting an erroneous file, a corresponding correcting file must be submitted alongside the reversal.

Additionally, the Originator is responsible for notifying the account holder(s)/Receiver(s) of the reversal and the reason for it no later than the Settlement Date of the reversing entry.

Standard Entry Class Codes

FMB allows Originators to use the PPD (Prearranged Payments and Deposits) standard entry class code for transactions posting to consumer accounts, and CCD (Corporate Credits and Debits) for transactions posting to business accounts. Use of any other standard entry class codes must receive prior approval from FMB.

Stop Payment Made by Consumer

This impacts Originators because a stop payment placed by the RDFI may block all future transactions from the same Originator related to that specific payment. It’s important for Originators to train internal staff to recognize that multiple stop payments may be returned in such cases. These entries should not be reinitiated until the issue has been properly addressed and resolved.

Data Security

The originating customer is responsible for ensuring that they establish and maintain appropriate security policies, procedures, and systems for the initiation, processing, and storage of ACH entries and any associated protected information.

Customers are also accountable for training their staff on how to safeguard the organization’s online banking systems. This includes taking reasonable measures to maintain the confidentiality and security of all security protocols—such as passwords, authentication codes, security devices (e.g., tokens), and secure browser sessions.

Security measures must be designed to:

  1. Safeguard the confidentiality and integrity of protected information,

  2. Prevent anticipated threats or risks to the security and integrity of that information until it is properly disposed of, and

  3. Prevent unauthorized access or use of the information that could cause significant harm to the customer.

Risk Management & Assessment Requirements

As an ODFI, FMB may implement additional risk management measures, such as requiring audits of Originator activity, closely monitoring return volumes, and evaluating the level of risk associated with each Originator’s ACH transactions.

It is essential for Originators to recognize the importance of these risk management practices, which include:

  1. Conducting thorough due diligence on Originators,

  2. Evaluating the nature and risk level of the ACH activity conducted by the Originator, and

  3. Establishing procedures to track origination and return activity, enforce exposure limits, and apply restrictions on the types of ACH transactions that may be initiated.

FAQs

How much is the ACH Return fee?

Please refer to your fee schedule.

What is a Notification of Change (NOC)?

A Notification of Change (NOC) is sent when the receiving bank informs the originating bank that some information in the ACH entry is incorrect. Although the transaction is posted to the recipient’s account, the details need to be updated to ensure future ACH transactions are properly processed.

How much is a Notification of Change (NOC) fee?

Please refer to your fee schedule.

What happens if an ACH payment is returned?

When an ACH return is received, your account will be issued a chargeback or credit return entry.

Can a business dispute a returned ACH payment?

You may dispute an ACH return if it was a duplicate, sent to the wrong account, contained incorrect information, was processed outside the expected time frames, or resulted in an unintended credit to the receiver due to a reversal.

Why is a timely review of NOC and ACH Returns important?

Ensuring the accuracy of information when sending ACH batches or files is essential. Inaccurate details can lead to misdirected transactions and dependence on the receiving bank to correct errors. These transactions are often time-sensitive and important to the recipient, such as payroll deposits. Additionally, Nacha rules require that corrections be made within six banking days of receiving a Notification of Change or an ACH return. Failure to comply may result in penalties for the originating bank.

How can I reduce returns?

Reduce the likelihood of an ACH return by verifying that all input information is accurate, including the recipient’s bank routing number. The Federal Reserve offers a tool to confirm whether a routing number is valid for ACH processing: FRFS – Search for Fed ACH Participant RDFIs (frbservices.org).

Business Email Compromise

What is a Business Email Compromise?

Business Email Compromise (BEC) is a type of phishing scam where fraudsters attempt to hack, spoof, or impersonate legitimate business email addresses. Often, they make subtle changes—such as altering a single letter or number in the email address—to make their messages appear authentic. A spoofed email often comes from a public email domain rather than the sender’s own domain.

Example:
Legitimate Email: [email protected]
Spoofed Email: [email protected]

These scammers may target employees to steal login credentials or trick them into sending fraudulent wire transfers. They might also impersonate trusted third parties, such as vendors, to request unauthorized payments or sensitive information.

In some cases, scammers pose as the business itself, sending fake emails to customers in an effort to collect payment details or personal data.
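
The two spoofing patterns described above (a domain one character away from the real one, and a public webmail domain in place of the sender's own) can be screened for before a payment request is acted on. This Python sketch is an added example, not part of FMB's guidance; the vendor domain is constructed, the function names are hypothetical, and the domain lists would come from your own vendor records.

```python
from email.utils import parseaddr

TRUSTED_DOMAINS = {"acme-supply.example"}                    # constructed vendor domain
PUBLIC_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com"}   # free webmail providers

def edit_distance(a, b):
    """Levenshtein distance computed with a single rolling row."""
    row = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        prev, row[0] = row[0], i
        for j, cb in enumerate(b, 1):
            # prev holds the diagonal cell from the previous row.
            prev, row[j] = row[j], min(row[j] + 1, row[j - 1] + 1, prev + (ca != cb))
    return row[len(b)]

def classify_sender(from_header):
    """Classify a From header as trusted, lookalike, public_domain, unknown or invalid."""
    _, addr = parseaddr(from_header)          # drops the display name
    local, _, domain = addr.rpartition("@")
    domain = domain.lower().rstrip(".")
    if not local or not domain:
        return "invalid"
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    if domain in PUBLIC_DOMAINS:
        return "public_domain"
    # One inserted, deleted or substituted character from a known domain.
    if any(edit_distance(domain, t) == 1 for t in TRUSTED_DOMAINS):
        return "lookalike"
    return "unknown"

# Constructed From headers for illustration.
SAMPLES = [
    '"Acme Billing" <ap@acme-supply.example>',
    "Acme Billing <ap@acme-supp1y.example>",
    "Acme Billing <acme.supply.ap@gmail.com>",
    "Acme Billing <ap@unrelated.example>",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(f"{classify_sender(header):14} {header}")
```

A "trusted" result only means the domain matches; a compromised mailbox at the real domain still passes, so changed payment instructions need the out-of-band verification described on this page.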

How do I tell if it’s a BEC Scam?

BEC scams can be hard to detect, but there are several warning signs to watch for. Common indicators include:

  • Messages that are brief, urgent, and encourage you to bypass standard procedures or policies
  • Unusual requests from executives, vendors, or partners that seem out of the ordinary
  • Requests for sensitive information, such as employee, payroll, or company data
  • Emails containing spelling errors or poor grammar
  • Unexpected email attachments
  • Emails sent outside of typical business hours, such as evenings, weekends, or holidays

How do I protect myself from BEC?

As with any type of fraud, it’s crucial to verify information before sharing sensitive details or sending payments. Always review emails carefully to confirm they’re from a trusted source.

If something seems suspicious, avoid clicking on links or opening attachments.

When you receive new payment instructions from a regular payee, always verify the changes directly with that person or company—preferably in person or by calling a known phone number you’ve used before.

What steps do I take in the event of fraud or loss from BEC?

If you fall victim to a BEC scam and sensitive information is compromised, take the following steps immediately:

  • Report the incident to FMB’s Business Banking Team
  • Call us at 920-361-1454, option 9, so we can take immediate action to protect your FMB accounts
  • Update passwords for your email and financial accounts
  • Carefully review account statements for any unauthorized or suspicious activity
  • Contact your local police department to file a report

Need help?

If you need help with an ACH payment or have a question about a process, contact our Business Banking Team at 920-361-1454 option 9 or [email protected] during business hours.