National Automated Clearing House Association (NACHA)

Rules Awareness Information

Each UTA Merchant Customer ("UTA Merchant") originating ACH entries through United TranzActions must comply with the NACHA Operating Rules ("Rules") as stated within the ACH agreement between United TranzActions and the UTA Merchant. The National Automated Clearing House Association (NACHA) is the rule making body governing the ACH network and therefore all participants of the ACH network must comply with these Rules. To ensure that United TranzActions communicates effectively, we have provided links below to the specific, UTA Merchant requirements as stated within the Rules.

Annually, it is recommended that you purchase a copy of the updated NACHA Operating Rules & Guidelines by visiting http://www.nacha.org. You may also obtain free limited access to the basic NACHA Operating Rules in read-only format by visiting http://www.achrulesonline.org.

As you may be aware, NACHA updates these Rules with changes, additions and deletions on an annual basis. United TranzActions will ensure that, annually, we communicate these changes to ensure that our companies are educated and can make any necessary changes to their daily process as a result of these changes.

It is important that you, as UTA Merchant utilizing the ACH network to process debit(s) and credit(s), make appropriate changes to your internal processes as necessary to accommodate any Rules changes that may be applicable to you. For a detailed and complete list of proposed rules and amendments and rule changes, visit https://www.nacha.org/rcntAmndmts. If you have any questions regarding the impact of these Rules, please do not hesitate to contact your United TranzActions' Relationship Manager.

Your Responsibilities as an Originator

Consumer Debit Authorizations

• For consumers, an authorization to debit an account must be in writing or "similarly authenticated."
• The most common SEC code for consumer debits is PPD.

Corporate Authorizations

• For companies, there must be a record of an agreement between the two parties.
• The most common SEC codes for corporate transactions are CCD or CTX, depending upon addenda origination. It is used for debits and credits.

Changing Date or Amounts of Debits

• ACH Rules require you to notify your debtors of any changes in date or amount debited under the following circumstances:
• Seven (7) calendar days' notice for a change of date (consumer and corporate).
• Ten (10) calendar days' notice for a change in amount (consumer only).
• Sending the notice via U.S. Mail is acceptable.

Pre-notifications (Pre-notes)

• Pre-notes are zero-dollar entries that precede the first live entry. The purpose of a pre note is to verify account information.
• Pre-notes are optional for you to send. However, if sent, pre note rules must be followed and a pre-note must precede the first live entry by at least three (3) banking days.
• The Receiving Bank is not required to validate the name of the payee on the prenote, although many do; they are only required to check the account number.

Notice of Change (NOC)

• NOC is created by the Receiver's financial institution to notify the originator (via the Bank) that:
• Previously valid information in an ACH entry (Direct Deposit/Direct Payment) is now outdated, and needs to be changed
• Information in an ACH entry (Direct Deposit/Direct Payment) is erroneous, and needs to be corrected.
• UTA will notify you of any NOCs received on your behalf.
• ACH Rules require the originator to make changes or corrections within three (3) banking days of receiving the information from the Bank or before another entry is sent.
• The Receiving Bank warrants that the Information they provide to you is correct.
• The Bank may pass along any fines received based upon your non-compliance.
• The Originator has the option of responding to NOCs for Single Entry (non-recurring) payments. This applies to the following SEC Codes only: ARC, BOC, POP, POS, RCK and XCK entries, as well as, TEL and WEB entries bearing a single entry indicator ("S" or "blank" for TEL and "S" for WEB).

Notification of Change (NOC) Codes (most common)

Returns

• Returns must be processed by the Receiving Bank within 24 hours of settlement. Returns that are unauthorized beyond the 24 hours are the company's liability and any disputes may have to be settled outside of the banking network. Review your account activity daily.
• An exception to the 24-hour rule is consumer unauthorized returns, which may be returned within 60 days of posting.
• The use of consumer (PPD) or corporate (CCD) entry codes determines the applicable ACH return rules.
• If the Receiving Bank receives a dispute claiming a debit was unauthorized, the Receiving Bank must get a signed Written Statement of Unauthorized Debit from the account holder. You may obtain a copy of that statement by requesting a copy through the Bank.
• You may re-initiate a debit entry up to two times if (1) the entry has been returned for insufficient or uncollected funds (Return Reason Code R01 and R09), (2) the entry has been returned for stopped payment and re-initiation has been authorized by the Account Holder, or (3) the Bank has taken corrective action to remedy the reason for the return.
• A "Stop Payment" return may be re-initiated only if you receive approval from the payee to re-send the item.
• It is a violation of NACHA Rules to re-initiate the debit entry if a return is received for any other reason.
• Disagreements regarding authorization should be handled OUTSIDE of the ACH Network
• Originators must maintain a return rate below .5% for entries returned as unauthorized.
• Originators can have no more that 3% of your total debit entries returned due to administrative or account data errors.
• Originators can have no more than 15% of your total debit entries returned for any return reason.

Return Entry Codes (most common)

Reversals

• If a reversing entry must be made, please consult the ACH Manager User Guide or contact Customer Service for instructions.
• Reversals may only be made for the following three conditions:
• wrong dollar amount
• wrong account number
• duplicate transaction
• When initiating a reversal, the reversing entry must be for the full amount, must be sent within five (5) banking days of original entry and must be sent within 24 hours of discovering the error.
• The Receiving Bank is under no obligation to post the reversing debit if it overdraws the payee's account or if the payee's account is closed.
• A payee must be notified if a reversing entry debits his or her account. However, a payee does not need to authorize the reversing debit.
• The word "REVERSAL" must be placed in the Company Batch Header Field and if the file is reversing an erroneous file, then a correcting file must be initiated with the reversing file

OFAC (Office of Foreign Asset Control)

• You are required to check payees against OFAC compliance checklists.
• OFAC lists countries, groups and individuals with which U.S. Companies are not permitted to send or receive funds.
• The Bank must protect itself by informing every client that it is against the law to send debit or credit entries to OFAC-blocked entities.
• You may check the OFAC SDN list at: http://sdnsearch.ofac.treas.gov

What is an ACH Application (SEC) Code?

ACH applications are payment types used by Originators, such as your company, to identify ACH debit and/or credit entries transmitted to a corporate or consumer account at the RDFI. Each ACH application is identified and recognized by a specific Standard Entry Class (SEC) code, which appears in the ACH record format. The SEC code also identifies the specific record layout that will be used to carry the payment and payment-related information

Standard Entry Class (SEC) Codes (most common)

What are the Fraud Risks for ACH?

ACH Origination fraud is a challenge for Financial Institutions and ACH Originators like your company. In one origination system hacking scheme, perpetrators hack into the originator's (your company) computer system using compromised User IDs and passwords and originate ACH credits to "mule" accounts created for the express purpose of committing fraud. Those accounts are then emptied and abandoned. The true originator's account (your account) is debited for the invalid origination file. The credits are usually irretrievable by the time the fraud is discovered. The originator's credentials may have been compromised by an insider within the organization or stolen through key loggers or Trojan Horse programs on the compromised computer.

Due to the risk of this type of fraud, it is essential that all computer equipment used by your company to operate UTA's ACH Origination program is regularly updated and patched for security vulnerabilities (including the use of and updating of firewall, virus protection, anti-malware protection, anti-spam protection.) You may also want to consider having one computer in your office which is not used to browse the internet or read e-mail to be your sole source of access to the UTA ACH Origination program. Limiting access to the computer which is used to house and transmit ACH data may help avoid the accidental downloading of harmful programs/viruses that could potentially compromise your transactions.

The appropriate steps should be taken within your company to ensure that all User ID's, Passwords, Authentication Methods and any other applicable security procedures issued to your employees are protected and kept confidential. All staff should be aware of the need for proper user security, password controls and separation of duties.

As ACH Origination is a higher risk commercial banking function, we suggest that your company perform your own internal risk assessment and controls evaluation periodically to be sure you are considering all available security options.

For additional information on protecting your business from Internet fraud, please visit the U.S. Chamber of Commerce website and view the free link to the "Internet Security Essentials for Business" handbook (https://www.uschamber.com/issue-brief/internet-security-essentials-business-20).

What happens if a Security Breach occurs?

Immediately contact the bank if you suspect an ACH data breach. As an ACH Originator, you are required to immediately report the breach to UTA who must report it to NACHA.

Why are Proof of Authorization forms so important?

When an accountholder questions the legitimacy of an ACH debit on their account, prior to their bank charging the item back to the originating party, the bank will request a Proof of Authorization Form from the ACH originator. It's during this process that the originator has a chance to win the dispute, that is, so long as they're able to produce a valid Proof of Authorization Form that complies with all applicable ACH rules and regulations.

What information do you need to include?

Proof of Authorization forms can be collected in paper or electronic form and (at minimum) should:

• Give permission to the ACH originator to debit/credit the recipient's account.
• Include the dollar amount (or range of amounts) to be debited (or credited). Depending on your circumstances, you may also wish to include language that permits you to correct (or reverse) any accidental over/under payments.
• Provide a time for when the transactions should be expected. Ex. Monthly, Weekly, Per Invoice, etc.
• State the terms for the POA to be revoked-verbally or in writing-and the timeframe needed for the originator to act on the notice of revocation.
• Signature (or electronic signature) of the accountholder that the ACH is being sent to.

How long do you need to retain POA forms?

ACH originators should keep POA forms for two years after the date of the last transaction. It's up to the company whether they retain the form in paper or scanned/electronic format, but regardless, it's helpful to develop a retention system whereby you can easily produce all relevant supporting documentation.

Additional Laws, Rules, and Regulations for ACH Agreements

1) Required annual UCC4A Disclosure

Uniform Commercial Code Article 4A (UCC 4A) Uniform Commercial Code (UCC) is a series of state laws that govern commercial transactions. Article 4A of the UCC governs corporate ACH transactions that are referred to as "corporate wholesale credit entries." RDFIs may identify these transactions by Standard Entry Class Codes CCD or CTX. UCC 4A also addresses the commercially reasonable security procedures’ that must in place for ACH Origination to occur.

UCC 4A Disclosure Requirements Funds Availability The financial institution may make payment provisional on "wholesale credits" until receipt of final settlement from the Federal Reserve Bank. Wholesale credits (i.e., CCD and CTX entries) generally represent larger dollar values and increased risk. If the RDFI chooses to make payment provisional until final settlement, then notification of the provisional nature of the payment must be provided by means of a "Provisional Payment Disclosure." If the financial institution does not receive final settlement for an entry posted to the Receiver's account, then it is entitled to a refund from the Receiver.

Provisional Payment Disclosure "Credit given by [us] to [you] with respect to an Automated Clearing House credit entry is provisional until [we] receive final settlement for such entry through a Federal Reserve Bank. If [we] do not receive such final settlement, [you] are hereby notified and agree that [we] are entitled to a refund of the amount credited to [you] in connection with such entry, and party making payment to [you] via such entry (i.e., the Originator of the entry) shall not be deemed to have paid [you] the amount of such entry"

Notice Disclosure Requirement. It is the RDFI's responsibility to notify Receivers of wholesale credits before midnight of its next funds transfer business day following the Settlement Date of the entry. If the financial institution fails to give such notice, it is obligated to compensate the Receiver for any interest losses incurred as a result of the failure. RDFIs are excused from providing next day notice as long as a disclosure is provided to customers/members that notification will not be given.

Choice of Law Disclosure We may accept on your behalf payments to your account which have been transmitted through one or more Automated Clearing Houses (ACH) and which are not subject to the Electronic Fund Transfer Act and your rights and obligations with respect to such payments shall be construed in accordance with and governed by the laws of the state of Pennsylvania as provided by the operating rules of the National Automated Clearing House Association, which are applicable to ACH transactions involving your account.

2) Regulation E

For Merchant's obligations with respect to consumer alleged errors, click on below link.

https://www.federalreserve.gov/supervisionreg/regecg.htm