Stay up-to-date with Payments Insider, published twice a year by EPCOR (Electronic Payments Core of Knowledge). This newsletter contains valuable information specific to ACH Originators as well as all business customers. Click the Newsletter button below to read the most recent edition of Inside Origination. To register for your own subscription to this newsletter and other communications by EPCOR, visit epcor.org.
ACH fraud can occur when a payment transaction is initiated or altered in an attempt to misdirect or misappropriate funds by any party to the transaction. An ACH fraud trend we are seeing more frequently is the use of a spoofed email account used by a hacker to misdirect funds for their benefit. An example of this would be in someone within your business received an email request from what appears to be a legitimate source to change another employees direct deposit account information. Please review the “Social Engineering Red Flags” guide below so that you and your employees can be better prepared to review requests by email that could potentially be fraudulent.
The EPCOR Corporate User webpage serves as a valuable resource for businesses utilizing payment channels in the industry. It offers educational courses and resources aimed at ensuring compliance with the numerous rules and regulations in the payments sector. The page includes ACH originator education information, resources, tools for purchase, and frequently asked questions to assist businesses in navigating the complexities of the payments industry.
The EPCOR Third-Party Sender User webpage is a comprehensive resource for organizations participating in the ACH Network. It offers information, tools, and educational courses to help with ACH compliance, including ACH Rules obligations, audits, risk assessments, and consulting services. Find compliance resources, third-party sender education, tools, and FAQs here.
Many companies keep sensitive personal information about customers or employees in their files or on their network. Having a sound security plan in place to collect only what you need, keep it safe, and dispose of it securely can help you meet your legal obligations to protect that sensitive data. Click the Small Business Payments Toolkit button below for security tips and other payments related information.
Click on the Quick Reference Cards button to access information regarding ACH transactions including Return and Notification of Change Reason Codes.
Frequently Asked Questions
- Reversals - What do I do if I realize that there is a mistake in a batch I just initiated? How about if I find a mistake on a batch that I initiated before today?
- Look at the Status of the batch. If it shows as Initiated, you can Un-Initiate the batch and make the changes before initiating the batch again.
- If the Status shows as Processed or Ready with a recent Processed Date, the transactions have left our system and been sent on to the receiving banks. In this case, there are steps that we can take to attempt to fix the error.
- Look at the Process Date. You can send a Reversal batch as long as it is done within 5 banking days of the Process Date.
- Create a batch with the Entry Description as REVERSAL in all caps which is opposite of the incorrect one that was sent. For example, if the incorrect batch was a payroll batch, the reversing batch will have the same amounts but will be all debits instead of all credits.
- Create/Upload the correct batch and initiate the reversal and corrected batches.
- Returns and Re-Entries - You have an entry returned to you, now what?
- Look at the Return Reason on the notice that you received from us. If it is returned for Insufficient Funds (R01), Stop Payment (R08), Account Closed (R02), No Account/Unable to Locate Account (R03), or Invalid Account Number (R04), you may be able to retry the entry, but with certain stipulations.
- If the item was returned as Insufficient Funds (R01), you can retry the entry two additional times with no additional information.
- If the item was returned for any other reason, you will need to collect the correct information from the receiver before you can resend the entry. For example, a new authorization for a Stop Payment (R08) or correct account information for R02, R03, and R04.
- Create and initiate a new batch for just the items that you need to retry. For debit entries, the Entry Description for the batch will read as RETRY PYMT.
- NOC's - What is a Notification of Change (COR) and what do I have to do with it?
- A Notification of Change is a notice that you receive stating that the entry listed contained information which needs to be changed before the entry is sent again. The receiving bank does post the entry, and often provides the correct information on the notice. You do not have to obtain additional information from the receiver before making the changes.
- Limits - Why do I have to have limits and what if I need to go over them?
- The Rules state that we have to have exposure limits to protect you, as well as, to reduce our risk. When setting the limits, we try to make sure that the limits are high enough that you are able to conduct your business while balancing need to make sure that your money is secure if you are compromised. We do review the limits annually or if we find that you are exceeding the limits on a regular basis. If you find that you do need to exceed the limit, we can raise the limits on a temporary basis without any additional paperwork. When raising the limit permanently, we will have a new form for you to sign.
- Reviews - Why do I have to complete this review form that is sent to me?
- Part of our responsibility as your ACH processor is to insure that you are sending the ACH transactions in compliance with the Rules. We do this by sending a review form for you to complete each year. We do need this completed and returned as quickly as possible.
- Security - Why do I keep hearing about security?
- The Rules state that you have the responsibility of keeping the information used to create ACH entries (Protected Information) safe even if the information is not currently being used. Even further, the Rules specify certain processes that you must do to ensure that the information stays safe. You have the responsibility to have and keep updated policies, procedures and systems which:
- Protect the confidentiality of the Protected Information until destruction
- Protect against anticipated threats or hazards to the security of the Protected Information until destruction
- Protect against unauthorized use of Protected Information that could result in substantial harm to a natural person
- These policies, procedures, and systems must include controls which make sure that the information is secure during all parts of the ACH process including making sure that any Protected Information sent by email is sent in a secure fashion. Unencrypted email is not considered secure. Click on the EPCOR Security Framework Overview button for more information.