IAT Modifications - 2012 Request for Comment Executive Summary and Rules Description REQUEST FOR COMMENT RESPONSES DUE BY MONDAY, SEPTEMBER 24, 2012 NACHA requests comment on three proposed amendments to the NACHA Operating Rules related to IAT (International ACH Transaction) Entries. These amendments would modify the IAT technical specifications in response to feedback provided to NACHA based on the industry s experience in processing IAT Entries over the last several years, and narrow an ODFI warranty for Outbound IAT Entries. These proposed changes would eliminate ambiguities and provide clarification to the rules governing IAT Entries, resulting in clearer definition and more consistent use of the IAT formats. Comments are due by September 24, 2012. NACHA STAFF CONTACTS Return comments to: Questions: Maribel Bondoc, Manager, Network Rules Fax (703) 787-0996 E-mail: mbondoc@nacha.org Cari Conahan, AAP, Senior Director, Network Rules E-mail: cconahan@nacha.org Priscilla Holland, AAP, CCM, Senior Director, Network Rules E-mail: pholland@nacha.org PART I: PROPOSAL BRIEF This proposal ( Rule ) would modify the warranties and technical requirements of the International ACH Transaction (IAT) Entry. Specifically, this Rule would: (1) narrow the scope of the ODFI warranty for Outbound IAT Entries; (2) clarify the manner in which countries must be identified within an IAT Entry, eliminating the potential for ambiguity in identifying countries to or from which IAT entries are directed; and (3) standardize a process to enable the identification of the ultimate beneficiary in certain international payment models that utilize the IAT Entry.
Executive Summary and Rules Description, Page 2 The changes proposed by this Rule would remove a perceived barrier to the origination of international payments and facilitate more accurate screening and compliance with OFAC sanctions policies by ACH Participants. PART II: BACKGROUND AND JUSTIFICATION FOR THE PROPOSAL In September 2009, the rules governing IAT became effective, requiring ODFIs and Gateways to identify all international payment transactions transmitted via the ACH Network as International ACH Transactions using the IAT Standard Entry Class Code. This application was designed to carry specific data elements defined within the Bank Secrecy Act s (BSA) Travel Rule 1 so that all parties to the transaction have the information necessary to comply with U.S. law (which includes the programs administered by the Office of Foreign Assets Control (OFAC)). Since implementation of the IAT rules in 2009, a number of topics have been identified by industry participants as requiring additional clarification and refinement to ensure accurate and efficient processing of international payments moving over the ACH Network. In 2011, NACHA s Voting Membership approved a number of amendments to clarify and enhance various aspects of the IAT rules. While the changes proposed by this Request for Comment represent a continuation of earlier rule making efforts to fine-tune the IAT application, these modifications are also necessary to resolve risk concerns related to the ability to properly identify additional parties to an international payment transaction. Of special concern to the industry is the fact that the ultimate beneficiary of a funds transfer is not visible in at least one payment model. This lack of transparency exposes ACH participants to the risk of doing business with a blocked party in violation of OFAC sanctions policies. These proposed changes are necessary to mitigate such risk in the ACH Network and follow changes made by SWIFT to provide visibility to parties to the transaction in the MT 202 COV message. These changes ensure all parties can be reviewed for regulatory compliance. PART III: REQUEST FOR COMMENT - ELEMENTS OF THE PROPOSAL AND RULES FRAMEWORK 1. Identification of Country Names Within IAT Entries This amendment would clarify that any country named within certain fields of an IAT Entry must be identified using that country s ISO Country Code, as defined by the International Organization for Standardization. Currently, the descriptions of the Originator Country and Postal Code field and the Receiver Country and Postal Code field in the third and the seventh addenda records, respectively, are ambiguous with respect to the formatting of the country name. Neither the field name nor the field description clearly states whether the country name must be spelled out, an abbreviation
Executive Summary and Rules Description, Page 3 used, written in English, or the ISO Country Code included. Since each of these fields allows for up to 35 characters to be included, there is adequate room for many countries to be spelled out; however, doing so makes running interdiction software more difficult than if ISO codes are used. The Rules Group discussed the ramifications of retaining the field descriptions as currently written versus changing them to require the use of an ISO Country Code. The Group determined that the potential for errors, both in populating the fields and in screening for OFAC compliance, could be substantially reduced by the use of standardized codes and recommended modifying the descriptions for both the Originator and Receiver country and postal code fields to specify that countries named within these fields must be denoted by their respective ISO Country Codes. Impact on Rules Framework: This amendment would revise Appendix Three, Part 3.2 (Glossary of ACH Record Format Data Elements) to explicitly require the use of an ISO Country Code to represent the country identified within the Originator Country and Postal Code field, and the Receiver Country and Postal Code field in the third and the seventh addenda records, respectively. 2. Identification of Additional Parties to an International Payment Transaction This Rule would establish a new Gateway obligation to identify, within an Inbound IAT Entry, the ultimate beneficiary of the funds transfer when the proceeds from the Inbound IAT Debit are for further credit to an ultimate beneficiary that is not the Originator of the IAT Entry. This Rule would also revise the description of the Payment Related Information Field as it relates to the IAT Remittance Addenda Record to establish specific formatting requirements for inclusion of the ultimate beneficiary s name, street address, city, state/province, postal code, and ISO Country Code. 2 The IAT application was developed on the basis of a two-party payment model where funds are transferred directly from the payor to the beneficiary. In support of that payment model, the IAT format was designed to convey the name, address, and banking information of both the payor and beneficiary of the funds (as well as any foreign correspondent banks involved in the settlement of the payment transaction). In most cases, these formatting requirements are sufficient to identify all parties to the payment transaction. However, the industry has recently identified a split transaction payment model that involves three parties to the payment transaction. To support this payment model, a change to the IAT rules is necessary to identify key information on all parties to the payment transaction and eliminate the potential risk to ACH participants of doing business with a blocked party. Unlike the more traditional Inbound IAT debit, in which the ultimate payor and ultimate beneficiary are identified as parties to the transaction (i.e., Receiver and Originator, respectively), in this model, the Originator of the Inbound IAT debit is not the ultimate beneficiary of the funds transfer. Rather, the Originator is a service provider, collecting funds from a U.S. Receiver for further credit to the ultimate beneficiary. Two separate transactions are created and settled to complete the funds transfer one between the Originator of the IAT debit (the independent service provider) and the party from which funds are being transferred (the Receiver of the Inbound IAT 2 The identification of the ultimate beneficiary takes priority in any case where a for further credit to Inbound IAT debit Entry also contains other payment related information.
Executive Summary and Rules Description, Page 4 Debit), and one between the Originator (the independent service provider) and the ultimate beneficiary of the funds transfer. In this model, only half of the payment transaction (the domestic debit from the service provider) is visible within the payment record. Because the ultimate beneficiary is not identified, ACH participants are exposed to the potential risk of doing business with a blocked party. The sample scenarios below illustrate the three-party ( for further credit to ) IAT model. Inbound IAT Debit for Further Credit to an Ultimate Beneficiary that is not the Originator: A U.S. resident uses a bank in a foreign country to send funds to a beneficiary in that (or another) country. Under this model, the bank in the foreign country transmits an Inbound IAT debit to the U.S. resident s account to fund the foreign credit to the ultimate beneficiary. The foreign bank, which is an intermediate beneficiary of the funds to be further credited to the ultimate beneficiary, is identified as the Originator of the IAT debit; however, the ultimate beneficiary of the funds is not identified anywhere within the Entry. Example A Mexican Bank provides a service allowing individuals in the U.S. to send funds easily and economically to relatives and other persons living in Mexico. Mr. Garcia, who lives in El Paso, Texas, uses the service to send money to his mother, Maria Garcia, who lives in Mexico City. Mr. Garcia logs onto Mexican Bank s website and instructs it to make a payment to Maria at her bank in Mexico City. Mr. Garcia provides Mexican Bank with Maria s name, physical address, and banking information for the funds transfer. He also provides Mexican Bank with his own banking information (i.e., the routing number and his account number from which funds will be debited at Southwest Bank) and his address in El Paso. Mexican Bank originates a SWIFT payment instruction to its U.S. correspondent bank, Trust Bank, in New York, requesting it to originate an ACH debit to Mr. Garcia at Southwest Bank and to credit Mexican Bank s correspondent account at Trust Bank with the amount of the funds. Trust Bank initiates the ACH transaction, as requested, and credits Mexican Bank s correspondent account. Mexican Bank subsequently does a book entry transfer to move the funds to Mexico for further credit to Maria. Although both Originator (Mexican Bank) and Receiver (Mr. Garcia) are identified as part of the IAT transaction, the ultimate beneficiary of the funds transfer (Maria Garcia) is not visible to the U.S. RDFI and cannot be screened for OFAC compliance. In this case, the RDFI is not able to determine if its customer is doing business with a blocked party in violation of OFAC sanctions policies and is potentially exposed to significant risk.
Executive Summary and Rules Description, Page 5 Example A Example B A U.S. resident wants to use a Canadian Bank s payment service to send funds to a beneficiary in Cuba. The Canadian Bank could potentially originate an Inbound IAT debit (in which it identifies itself as the Originator of the payment) to the U.S. Receiver s (resident s) account to fund the underlying payment transaction. The Canadian Bank, which can legally do business with Cuba, could subsequently send a separate credit payment to the ultimate beneficiary in Cuba on behalf of the U.S. resident. In this payment model, although both Originator and Receiver of the IAT Entry would be identified as part of the transaction, the ultimate beneficiary of the funds transfer would not be visible to the U.S. RDFI and could not be screened for OFAC compliance. In this case, the RDFI would not be able to determine whether its customer is doing business with a blocked party in violation of OFAC sanctions policies and could be exposed to significant risk.
Executive Summary and Rules Description, Page 6 Example B This Rule would reduce the RDFI s current risk of doing business with a blocked party by ensuring that the ultimate beneficiary in an international for further credit to arrangement is identified within an IAT Entry. These changes would add clarity to the Rules and facilitate more accurate screening and compliance with OFAC sanctions policies by ACH Participants involved with this payments model. Impact on Rules Framework: This amendment would expand Article Five (Rights and Responsibilities of Gateways for IAT Entries) to include a new subsection 5.1.3 (Gateway Obligations for Inbound IAT Debits for Further Credit to Foreign Receivers). This subsection would establish a new Gateway obligation to include the name, street address, city, state/province, postal code, and ISO country code of the ultimate beneficiary of the funds when the Inbound IAT Debit involves a for further credit to arrangement. This amendment would also revise Appendix Three, subpart 3.2.2 (Glossary of Data Elements) to explicitly require the use of the Payment Related Information field of the IAT Entry to identify the ultimate beneficiary of a payment transaction when the IAT debit is part of a for further credit to arrangement. 3. ODFI Warranties Compliance with Foreign Payment System Rules This Rule would revise the current ODFI warranty of compliance with foreign payment system rules (for Outbound IAT Entries), narrowing its scope to focus only on authorization of the Entry when such authorization is required by the laws or payment system rules of the receiving country. The narrower warranty would also limit the scope of the ODFI s indemnity for breach of warranty.
Executive Summary and Rules Description, Page 7 Currently under the Rules, the ODFI s warranty for Outbound IAT Entries is broad and requires the ODFI to warrant that it is in compliance with all laws and payment system rules of the foreign (receiving) country. In practice, however, it appears from information provided by financial institutions that the breadth of this existing warranty is a barrier for many ODFIs to originate Outbound IATs. Given the industry s investment in enabling the IAT, and given other impending regulatory requirements regarding international remittances, NACHA is interested in lowering other barriers to the use of the IAT. The modification of this warranty and addition of express language regarding allocation of risk is expected to eliminate such a barrier. Because a narrower warranty would lessen the protection to the Gateway, this amendment would also specifically allocate to the Originator of an Outbound IAT credit the risk that foreign law or payment system rules prohibit the foreign Receiver from receiving a credit, or the Originator of an Outbound IAT debit from receiving the proceeds of a debit (e.g., through some foreign analog to the U.S. OFAC requirements). As between the ODFI and the Gateway, the risk would fall to the ODFI, but as between the ODFI and the Originator, the risk would be allocated to the Originator. The amendment would also permit the ODFI and Gateway, or ODFI and Originator to re-allocate risk between themselves. Impact on Rules Framework: This amendment would revise the title and coverage of Article Two, subsection 2.5.8.4(b) (Additional ODFI Warranties for Outbound IAT Entries Compliance with Foreign Payment System Rules), narrowing this subsection s scope to apply only to authorization requirements. The amendment would also add a new subsection 2.5.8.7 (Assumption of Risk) to address the allocation of risk between Gateway, ODFI, and Originator for Outbound IAT Entries. PART IV: IMPACT OF THE PROPOSED RULE COSTS & BENEFITS Benefits and Costs of the Proposed Rule Benefits The changes proposed by this Rule would reduce ACH participants risk of doing business with blocked parties in violation of OFAC sanctions policies by ensuring that all parties to the payment transaction (including the ultimate beneficiary of the funds) and the countries to/from which such funds are transmitted are clearly identified. The efficiency of the OFAC screening process should also be positively impacted by establishing a single standard for identifying countries involved in the payment transaction. Clear identification of the countries in the third and seventh addenda records through the use of ISO Country Codes should improve the efficiency of the interdiction software, and reduce false positives due to country identification. Changes specific to the ODFI s warranty of compliance with foreign laws are expected to reduce barriers to entry into the IAT marketplace, ultimately helping to improve the adoption of IAT processing.
Executive Summary and Rules Description, Page 8 Costs ACH participants may incur costs related to software modifications needed to adopt the proposed changes, as well as costs related to educating staff and customers on properly identifying parties and places connected to the funds transfer. NACHA anticipates that the cost of adding the information on the ultimate beneficiary (when the beneficiary is not the Originator) should be minimal. By contrast, the cost of not including the information on the ultimate beneficiary and having a financial institution receive an OFAC sanction and penalty for doing business with a blocked party can be monetarily significant, in addition to having a negative impact to the reputation of the financial institution and the ACH Network. No programming costs are expected with the proposed change to the ODFI warranty on Outbound IAT Entries. PART V: EFFECTIVE DATES An effective date of March 15, 2013 is recommended for the following proposal: ODFI Warranties Compliance with Foreign Payment System Rules The narrowing of the ODFI warranty with respect to Outbound IAT Entries should have no operational impact on ACH participants. The reduction in the scope of the warranty and new statement regarding allocation of risk are expected to remove perceived barriers to entry into the international payments arena. It is important to keep in mind, however, the need for Gateways, ODFIs, and Originators to work closely together to ensure that all participants have a sound understanding of international payments processing and any potential risks that such activity entails. An effective date of March 21, 2014 is recommended for the following proposals: Identification of Country Names within IAT Entries NACHA does not anticipate that this proposed change would have any direct impact on ACH formats or systems, although some ACH participants might choose to make coding changes to their software to enable drop-down menus from which an Originator may choose the appropriate ISO country code. Software modifications may be needed to OFAC interdiction software to ensure that only ISO codes are used to identify countries within ACH transactions. Although mandatory compliance with this change would not be required until March 21, 2014, Originators/ODFIs are encouraged to adopt this change as soon as practical to minimize the potential for violations of OFAC sanctions policies. Identification of Additional Parties to an International Payment Transaction ACH software may require modification in order to include the ultimate Receiver s information in the proper format within the Payment Related Information Field of an Inbound IAT debit Entry. Although mandatory compliance with this change would not be required until March 21,
Executive Summary and Rules Description, Page 9 2014, Originators/ODFIs are encouraged to adopt this change as soon as practical to minimize the potential for violations of OFAC sanctions policies. PART VI: TECHNICAL SUMMARY The following changes to the technical language within the Rules are included in this proposal: Identification of Country Names within IAT Entries Appendix Three (ACH Record Format Specifications), Subpart 3.2.2 (Glossary of Data Elements) Originator Country and Postal Code revises the field description to require use of the ISO Country Code when identifying the country component of the Originator s address. Receiver Country and Postal Code revises the field description to require use of the ISO Country Code when identifying the country component of the Receiver s address. Identification of Additional Parties to an International Payment Transaction Article Five (Rights and Responsibilities of Gateways for IAT Entries) adds a new subsection 5.1.3 (Gateway Obligations for Inbound IAT Debits for Further Credit to Foreign Receivers) requires Gateways to populate the Payment Related Information field with the name and address of the ultimate foreign Receiver when the payment is part of a for further credit to model. Appendix Three (ACH Record Format Specifications), Subpart 3.2.2 (Glossary of Data Elements) Payment Related Information revises the field description to require the ultimate foreign Receiver/beneficiary to be identified within this field when the payment is part of a for further credit to model. ODFI Warranties Compliance with Foreign Payment System Rules Article Two (Rights And Responsibilities of ODFIs, Their Originators, and Third-Party Senders) narrows the scope of subsection 2.5.8.4(b) (Additional ODFI Warranties for Outbound IAT Entries Compliance with Foreign Payment System Rules) to address compliance with foreign laws and payment system rules regarding authorization only. Article Two (Rights And Responsibilities of ODFIs, Their Originators, and Third-Party Senders) adds a new subsection 2.5.8.7 addressing the assumption of risk for Outbound IAT Entries.