A consumer customer recently discovered that one of their monthly bills was being automatically paid out of a business customer’s account for over a year. The billing company is at fault, as the ACH entries they generated used the wrong account number. The business customer found out about the unauthorized payments from the billing company and is now threatening to sue us. How should we handle this situation? The business customer is asking for more information about the consumer customer.

Your bank may have a claim against the originating depository financial institution (ODFI) that transmitted entries with an incorrect account number — but we recommend consulting with bank counsel before pursuing those claims, particularly because the business customer is threatening litigation. As to the business customer whose account was mistakenly debited, we recommend reviewing your account agreement for any error resolution requirements and complying with those contractual requirements. We do not recommend providing any information about your other customer to the business customer.

The Nacha Rules require ODFIs to make several warranties when transmitting entries for payment, including a warranty that the entry contains the correct account number for the receiver and a warranty that the entry was properly authorized by both the originator and the receiver. In this case, it appears that the ODFI violated at least two of its warranties, since it did not provide the correct account number in the ACH entries, and because it does not appear that the billing company had your business customer’s authorization to originate entries for purposes of paying your consumer customer’s bill. Consequently, you may have a claim against the ODFI that originated the ACH entries for breach of its warranties — subject to the time limits for bringing warranty claims, as outlined in the Nacha Rules (reproduced in our resources below).

As to your responsibilities to your business customer, your bank should comply with any contractual responsibilities for unauthorized ACH payments as outlined in your account agreement with that customer. While Regulation E does not apply to business customers, if your account agreement contains Regulation E disclosures or similar provisions limiting liability for unauthorized electronic fund transfers and other error resolution procedures, you are contractually obligated to comply with those provisions.

We do not recommend providing your business customer with information about your consumer customer unless you are compelled to do so by a lawful subpoena or court order. Regulation P’s privacy requirements generally prohibit disclosing any nonpublic personal information about a consumer to a nonaffiliated third party. Similarly, the Illinois Banking Act states that a bank may not disclose any financial records relating to a bank customer unless the customer has authorized disclosure or the bank receives a lawful subpoena, summons, warrant, citation to discover assets, or court order (among other exceptions).

For resources related to our guidance, please see:

  • Nacha Rules, Subsection 3.1.2 (“RDFI May Rely Solely on Account Numbers for Posting of Entries. An RDFI may rely solely on the account number contained in an Entry for the purpose of posting the Entry to a Receiver’s account, regardless of whether the name of the Receiver in the Entry matches the name associated with the account number in the Entry.”)
  • Nacha Rules, Section 2.4.1 (“General ODFI Warranties. An ODFI Transmitting an Entry warrants the following to each RDFI and ACH Operator in connection with such Entry at the time of the Entry’s Transmission by or on behalf of the ODFI, unless another effective time frame is provided in this Subsection 2.4.1. . .

    2.4.1.1. The Entry Is Authorized by the Originator and Receiver. (a) The Entry has been properly authorized by the Originator and the Receiver in accordance with these Rules. . . .

    2.4.1.4 The Entry Contains Required Information. The Entry contains the Receiver’s correct account number and all other information necessary to enable the RDFI to comply with the requirements of Subsection 3.1.5 (RDFI Obligation to Provide Information about Entries), except for information within the purview of the RDFI’s relationship with the Receiver. All information Transmitted with the Entry is related to the payment represented by the Entry.”)

  • Nacha Rules, Section 1.15 (“Limitation of Claims Based on Unauthorized Entries. Except as provided in this Section 1.15, an RDFI shall not initiate a lawsuit, claim, action, or proceeding against an ODFI for a violation, breach of warranty, or indemnity under the Rules with respect to an allegation that an Entry was unauthorized if it has been (a) more than two years after the Settlement date of an Entry to a Consumer Account, or (b) more than one year after the Settlement Date of an Entry to a Non-Consumer Account. . . .”)
  • Nacha Operating Guidelines, Chapter 6, Warranties and Indemnifications, OG 31 (“In the Nacha Operating Rules, an ODFI assumes responsibility for a number of warranties and indemnifications made to other ACH Network participants. The warranty language in the Rules limits the length of time an RDFI is permitted to make a claim against the ODFI’s authorization warranty.

    For an entry to a non-consumer account, an RDFI may make a claim for one year from the Settlement Date of the entry. This time frame is analogous to the one-year rule in UCC 4-406 that applies to checks and items charged to bank accounts. . . .”)

  • Nacha, Limitation on Warranty Claims FAQs (“How will the upcoming changes impact the warranties under the Nacha Operating Rules? Currently, the warranty language in the Rules is broad and does not limit itself to the time frame for automated returns. As a result, the ODFI’s potential liability under the Rules is limited only by the statute of limitations for breach of contract claims under the applicable state law. As of June 30, 2021, the Rules will expressly limit the time in which an RDFI may make a claim against the ODFI’s authorization warranty.”)
  • Regulation E, 12 CFR 1005.3(a) (“This part applies to any electronic fund transfer that authorizes a financial institution to debit or credit a consumer’s account. . . .”)
  • Regulation P, 12 CFR 1016.10(a)(1) (“Except as otherwise authorized in this part, you may not, directly or through any affiliate, disclose any nonpublic personal information about a consumer to a nonaffiliated third party unless: . . .”)
  • Regulation P, 12 CFR 1016.3(q)(2)(i)(C) (“Personally identifiable financial information includes: . . . The fact that an individual is or has been one of your customers or has obtained a financial product or service from you. . . .”)
  • Illinois Banking Act, 205 ILCS 5/48.1(c) (“Except as otherwise provided by this Act, a bank may not disclose to any person, except to the customer or his duly authorized agent, any financial records or financial information obtained from financial records relating to that customer of that bank unless:

    (1) the customer has authorized disclosure to the person;

    (2) the financial records are disclosed in response to a lawful subpoena, summons, warrant, citation to discover assets, or court order which meets the requirements of subsection (d) of this Section; or

    (3) the bank is attempting to collect an obligation owed to the bank and the bank complies with the provisions of Section 2I of the Consumer Fraud and Deceptive Business Practices Act.”)

  • Illinois Banking Act, 205 ILCS 5/48.1(a) (“For the purpose of this Section, the term ‘financial records’ means any original, any copy, or any summary of:

    (1) a document granting signature authority over a deposit or account;

    (2) a statement, ledger card or other record on any deposit or account, which shows each transaction in or with respect to that account;

    (3) a check, draft or money order drawn on a bank or issued and payable by a bank; or

    (4) any other item containing information pertaining to any relationship established in the ordinary course of a bank’s business between a bank and its customer, including financial statements or other financial information provided by the customer.”)