Electronic Fund Transfer Act, Regulation E, Nacha Operating Rules, & E-Sign Act Policy & Procedure

EFTA, REG E & NACHA OPERATING RULES & E-SIGN ACT POLICY & PROCEDURES

BACKGROUND

ELECTRONIC FUND TRANSFER ACT AND REGULATION E

The Electronic Fund Transfer Act (“EFTA”) and its implementing regulation, Regulation E (“Reg E”), impose requirements if a person within the statute’s scope of coverage obtains electronic funds transfers from consumers.

Terms defined in section § 1005.2 of the EFTA:

  • Account means a demand deposit (checking), savings, or other consumer asset account (other than an occasional or incidental credit balance in a credit plan) held directly or indirectly by a financial institution and established primarily for personal, family, or household purposes.

  • Consumer means a natural person.

  • Electronic fund transfer (“EFT”) means any transfer of funds that is initiated through an electronic terminal, telephone, computer, or magnetic tape for the purpose of ordering, instructing, or authorizing a financial institution to debit or credit a consumer's account. The term includes, but is not limited to:

    • Point-of-sale transfers;

    • Automated teller machine transfers;

    • Direct deposits or withdrawals of funds;

    • Transfers initiated by telephone; and

    • Transfers resulting from debit card transactions, whether or not initiated through an electronic terminal.

  • Person means a natural person or an organization, including a corporation, government agency, estate, trust, partnership, proprietorship, cooperative, or association.

  • Preauthorized electronic fund transfer means an electronic fund transfer authorized in advance to recur at substantially regular intervals.

Section § 1005.3(b) addresses the collection of returned item fees via electronic fund transfer, which permits the person initiating an EFT to collect a fee for the return of an EFT or a check that is unpaid, if the person collecting the fee provides notice to the consumer stating that the person may electronically collect the fee if their payment is returned unpaid, the dollar amount of the fee is disclosed, and the consumer goes forward with the underlying transaction.

Section § 1005.4(a) addresses general disclosure requirements, which requires disclosures to be clear and readily understandable, in writing, and in a form the consumer may keep. The disclosures may be provided to the consumer in electronic form, as long as the means to obtain the consumer’s consent conforms with the Electronic Signatures in Global and National Commerce Act (“E-Sign Act”).

Section § 1005.10 addresses preauthorized electronic fund transfers, which states that preauthorized electronic fund transfers from a consumer's account may be authorized only by a writing signed or similarly authenticated by the consumer and the person that obtains the authorization shall provide a copy to the consumer. Persons are also required to provide the consumer written notice of the amount and date of the transfer at least ten (10) days before the scheduled date of transfer if they vary in amount from the previous transfer under the same authorization or from the preauthorized amount.

Section § 1005.13(b) addresses record retention, which states that any person subject to the EFTA shall retain evidence of compliance with the requirements imposed by the EFTA and this part for a period of not less than two (2) years from the date disclosures are required to be made or action is required to be taken.

NATIONAL AUTOMATED CLEARING HOUSE ASSOCIATION OPERATING RULES

In addition to the requirements that a person must follow related to EFTs under the EFTA and Reg E, Originators of ACH payments must also follow the Operating Rules established by the National Automated Clearing House Association (“Nacha”). Nacha governs the ACH Network and the Operating Rules provide users with the legal framework for the ACH Network.

Terms defined in the Operating Rules:

  • An ACH is an electronic funds transfer made between banks and credit unions across what is called the Automated Clearing House network.

  • The Automated Clearing House network is an electronic fund transfer system that facilitates payments in the U.S.

  • An Automated Clearing House Operator is a central clearing facility that receives entries from ODFIs, distributes the entries to appropriate RDFIs, and performs the settlement functions for financial institutions.

  • The Originator is the entity that agrees to initiate ACH entries into the payment system according to an arrangement with a Receiver.

  • The Originating Depository Financial Institution (“ODFI”) is the institution that receives the payment instructions from Originators and forwards the entries to the ACH Operator.

  • The Receiving Depository Financial Institution (“RDFI”) is the Depository Financial Institution that receives ACH entries from the ACH Operator and posts them to the accounts of its depositors.

  • A Receiver is a consumer or an organization that has authorized an Originator to initiate an ACH entry to the Receiver’s account with the RDFI.

  • A Single WEB Entry is a credit or debit initiated by an Originator based on the Receiver’s authorization for a one-time transfer of funds to or from the Receiver’s account, where the authorization is provided to the non-consumer Originator via the Internet or a Wireless Network. Example: A Single-Entry WEB transaction would be initiated if a consumer purchases a book online.

  • A Recurring WEB Entry is an entry that has been set up to occur at regular intervals without any additional intervention by the Receiver, where the authorization is provided to the non-consumer Originator via the Internet or a Wireless Network. Example: A monthly debit to the Receiver’s account for a mortgage payment.

  • A Third-Party Service Provider is an entity other than the Originator, ODFI, or RDFI that performs any functions on behalf of the Originator, ODFI, or RDFI with respect to the processing of ACH entries. A function of ACH processing can include, but is not limited to, the creation of ACH files on behalf of an Originator or ODFI or acting as a Sending Point or Receiving Point on behalf of an ODFI or RDFI, respectively.

Subsection 2.3.2.2 addresses debit entries to consumer accounts, which states that an Originator of a debit entry to a consumer’s account must obtain a written authorization that is signed or similarly authenticated by the consumer. The written authorization must include the following minimum information:

  • Language clearly stating whether the authorization obtained from the Receiver is for a single entry, recurring entries, or one or more subsequent entries initiated under the terms of a standing authorization;

  • The amount of the entry or entries, or a reference to the method of determining the amount of the entry(ies);

  • The timing of the entries, including the start date, number of entries, and frequency of the entries;

  • The Receiver’s name or identity;

  • The account to be debited (this should include whether the account is a demand deposit account or a savings account);

  • The date of the Receiver’s authorization; and

  • Language that instructs the Receiver how to revoke the authorization directly with the Originator. This must include the time and manner in which the Receiver must communicate the revocation to the Originator. For a single entry authorized in advance, the right of the Receiver to revoke authorization must provide the Originator a reasonable opportunity to act on the revocation instruction prior to initiating the entry.

Subsection 2.3.2.3 addresses electronic authorizations, which states that the writing and signature requirements of Subsection 2.3.2.2 may be satisfied by compliance with the E-Sign Act.

Subsection 2.3.2.6 addresses providing copies of receiver authorization, which states that an Originator must provide each Receiver with an electronic or hard copy of the authorization for all debit entries to be initiated to a Consumer Account. The copy may be provided to the consumer via mail, internet/online network, in person or any other method allowable under applicable legal requirements. When provided via the Internet/on-line network alternative, the Originator must be able to provide the consumer with a hard copy of a debit authorization if requested to do so.

Subsection 2.3.2.7 addresses retention and provision of the record of authorization, which states that an Originator must retain a copy of each written authorization of a Receiver for a period of two (2) years from the termination or revocation of the authorization.

Subsection 2.5.17.3 addresses annual audit requirements for debit WEB Entries, which states that an Originator of a debit WEB Entry must conduct, or have conducted on its behalf, annual audits to ensure that the financial information it obtains from Receivers is protected by security practices and procedures that include, at a minimum, adequate levels of: (a) physical security to protect against theft, tampering, or damage; (b) personnel and access controls to protect against unauthorized access and use; and (c) network security to ensure secure capture, storage, and distribution.

Subsection 2.5.17.4 addresses the use of fraud detection systems, which states that an Originator of a debit WEB Entry must establish and implement a commercially reasonable fraudulent transaction detection system to screen the debit WEB Entry. Such a fraudulent transaction detection system must, at a minimum, validate the account to be debited for the first use of such account number, and for any subsequent change(s) to the account number.

ELECTRONIC SIGNATURES IN GLOBAL AND NATIONAL COMMERCE ACT

The Electronic Signatures in Global and National Commerce Act (“E-Sign Act”), signed into law on June 30, 2000, provides a general rule of validity for electronic records and signatures for transactions in or affecting interstate or foreign commerce. The E-Sign Act allows the use of electronic records to satisfy any statute, regulation, or rule of law requiring that such information be provided in writing, if the consumer has affirmatively consented to such use and has not withdrawn such consent.

Terms defined in the E-Sign Act:

  • The term consumer means an individual who obtains, through a transaction, products or services which are used primarily for personal, family, or household purposes, and also means the legal representative of such an individual.

  • The term electronic record means a contract or other record created, generated, sent, communicated, received, or stored by electronic means.

  • The term electronic signature means an electronic sound, symbol, or process, attached to or logically associated with a contract or other record and executed or adopted by a person with the intent to sign the record.

Section 101(c)(1)(B) addresses Prior Consent, Notice of Availability of Paper Records, which states that financial institutions must provide consumers with a clear and conspicuous statement informing the consumer:

  • of any right or option to have the record provided or made available on paper or in a non-electronic form, and the right to withdraw consent, including any conditions, consequences, and fees in the event of such withdrawal;

  • whether the consent applies only to the particular transaction that triggered the disclosure or to identified categories of records that may be provided during the course of the parties’ relationship;

  • of the procedures the consumer must use to withdraw consent and to update information needed to contact the consumer electronically; and

  • how the consumer may nonetheless request a paper copy of a record and whether any fee will be charged for that copy.

Section 101(c)(1)(D) addresses Hardware and Software Requirements; Notice of Changes, which states that a consumer must be provided with a statement of the hardware and software requirements for access to and retention of electronic records in a manner that reasonably demonstrates the consumer can access information in the electronic form that will be used to provide the information that is the subject of the consent.

Section 101(d) addresses Record Retention, which states that a financial institution must maintain electronic records that accurately reflect the information contained in applicable contracts, notices or disclosures and that they remain accessible to all persons who are legally entitled to access for the period required by law in a form that is capable of being accurately reproduced for later reference.

PURPOSE

This Policy has been created to define the framework and authorization requirements for accepting single and preauthorized EFTs through Kredit’s consumer portal.

POLICY

It is the policy of Kredit Financial Inc. (“Kredit”) to comply with the requirements set forth in the EFTA, Reg E, Nacha’s Operating Rules, and the E-Sign Act.

SCOPE

This Policy applies to all electronic fund transfer payments accepted and processed through Kredit’s consumer portal.

ROLES AND RESPONSIBILITIES

Kredit’s Chief Compliance Officer (“CCO”) is responsible for ensuring this Policy contains the most current requirements to comply with the EFTA, Reg E, Nacha’s Operating Rules, and the E-Sign Act and for developing controls that ensure the requirements are being followed. The CCO is also responsible for reviewing this Policy on an annual basis.

Kredit’s Chief Executive Officer (“CEO”) is responsible for notifying the CCO of any changes related to the Procedures set forth in this Policy.

PROCEDURES

Kredit accepts both single and preauthorized EFTs directly from consumers via the Kredit Platform (“the Platform”); convenience fees related to the processing of these transactions are not passed on to consumers. Preauthorized EFTs can be established for a period of up to thirty-six (36) months depending on a Kredit member’s criteria; however, the Platform does not permit payments that vary in amount.

Consumers who enter a preauthorized EFT arrangement in the Platform must review and acknowledge Kredit’s Online and Mobile E-Sign Disclosure and Consent Agreement. Upon acknowledging the terms of this Agreement, the consumer is provided with a Recurring EFT Authorization Form (“the Form”), specific to their payment type (i.e., ACH or debit card), electronically via a third-party provider. The Form auto-captures the payment terms that the consumer has entered into the Platform and also provides the consumer with various disclosures and terms related to the payment authorization. Consumers cannot proceed in the Platform and recurring payments will not be processed unless the consumer electronically signs the Form. A copy of the executed Form is sent to the consumer for their records and a copy is retained by Kredit for a period of two (2) years from the date of the authorization (see Kredit Record Retention & Destruction Policy for additional details).

In the event a consumer’s payment is returned, the fee is not passed on to the consumer.

Kredit also permits businesses with whom it has a contractual arrangement to utilize the Platform to set up single ACH, debit card, and credit card payments, as well as recurring credit card payments for consumers towards their debt. These businesses are contractually responsible for providing the disclosures required under the EFTA, Nacha’s Operating Rules, and the E-Sign Act.

Kredit utilizes third-party service providers to process consumer payments via the Platform; these providers utilize fraudulent transaction detection systems to screen debit WEB Entries.

COMMUNICATION

This Policy shall be communicated to all affected employees via email and maintained in the Policies folder, sub-folder Regulatory Policies, on Google Drive for reference purposes.

CONTROLS

On a monthly basis, the CCO shall review a random sample of preauthorized EFTs to ensure that the consumer has consented to Kredit’s Online and Mobile E-Sign Disclosure and Consent Agreement, the consumer has signed the Recurring EFT Payment Authorization, and that a copy of the Recurring EFT Payment Authorization Form was provided to the consumer.

VIOLATIONS

Failure to follow the above-stated procedures will result in a violation of the Electronic Fund Transfer Act, its implementing regulation, Regulation E, Nacha’s Operating Rules, and the E-Sign Act.

CHANGE SUMMARY

Purpose: Internal Policy

Category: Regulatory

Policy Name: EFTA, Reg E & Nacha

| Event | Event Date | Event By | Date Reviewed | Reviewed By | Version |
|---|---|---|---|---|---|
| Creation | 05/18/2022 | Colene McNinch, CCO | 06/01/2022 | Dave Hanrahan, CEO | 1.0 |
| Implementation | 06/01/2022 | Colene McNinch, CCO | | | |
| Revision – removal of ref to Nuvei, add E-Sign | 02/27/2023 | Colene McNinch, CCO | 02/28/2023 | Dave Hanrahan, CEO | 1.1 |
| Revision – added debit card pmt type | 07/24/2023 | Colene McNinch, CCO | 07/25/2023 | Dave Hanrahan, CEO | 1.2 |
| Revision – updated controls | 10/23/2023 | Colene McNinch, CCO | 10/23/2023 | Kenny Lai, CTO | 1.3 |
