With the expansion of online commerce has come the need to obtain remote electronic payment authorizations from consumers. These authorizations include both one-time payments and ongoing or recurring payments for goods, services and financing arrangements.

In addition to paying by credit or debit card, consumers may authorize businesses to automatically take single and recurring electronic payments from the consumer's deposit account using Automated Clearing House (ACH) transactions. These are often referred to in the financial services industry as "ACH debit transactions." Businesses often prefer this method of payment because of lower transaction fees and processing costs.

Consumer authorizations may be obtained in writing, electronically or over the telephone, but must comply with both federal regulation, especially under the Electronic Fund Transfer Act1 and its implementing regulation (Regulation E)2 and the Operating Rules of the National Automated Clearing House Association (NACHA Rules).3 Application of these rules and regulations to an electronic environment can be somewhat complicated, making it easy to overlook or misinterpret some of the specifics – and the consequences of non-compliance can be significant.

Prior to passage of the federal Electronic Signatures in Global and National Commerce Act (ESIGN) it was not clear whether, and under what circumstances, it was possible to obtain authorization for recurring debit transactions electronically. Even after the passage of ESIGN, which enables electronic authorization of both single and recurring ACH debit transactions over the Internet and by telephone, there has been continued confusion over the specific requirements for obtaining and preserving a record of the authorization – especially when obtaining a telephone authorization. Authorizations for single payments are not as heavily regulated, but still must comply with the requirements of the NACHA Rules.

The requirements for either single or recurring ACH payment authorizations can be broken down into roughly four categories:

  • Obtaining the authorization
  • Terms of the authorization
  • Confirming the authorization and
  • Maintaining records of the authorization.

Key requirements that businesses often fail to meet in an electronic environment include:

  • Obtaining a signed authorization that meets the requirements of federal law
  • Including all the required information in the authorization
  • Including a sufficient description of the timing and amount of the authorized payment(s)
  • Including additional terms in the authorization that protect the business
  • Providing the consumer with a copy of the authorization, when required
  • Keeping a recording of telephone authorizations, when required and
  • Properly retaining a record of the authorization.

Another area creating a trap for the unwary relates to the requirements for ongoing notice to consumers of recurring debits that vary in amount. Both the authorization to deliver electronic notice, and the delivery process itself, requires compliance with ESIGN's consumer consent process and procedures for managing transmission of the notice to the consumer.

Failure to comply with the requirements of EFTA, Regulation E and the NACHA Rules may lead to (i) enforcement actions against the business by regulators (including the BCFP, which has authority to take action against any business engaged in non-compliant consumer ACH transactions); (ii) termination of the company's ACH processing agreements by banks and vendors; (iii) individual and class actions under federal law claiming statutory damages and attorney fees; and (iv) additional expense and time when managing or assigning authorizations.

We regularly work with clients to assess and mitigate risk on non-compliance with these payment requirements and aid in regulatory examination preparedness.