ACH Best Practices

 

Simple and Safe Best Practices

Originators should be aware of the Operating Rules & Guidelines issued annually by the
National Automated Clearinghouse Association (Nacha). The Nacha Operating Rules &
Guidelines oversee every ACH payment and provide exact guidelines for securely storing,
accessing and transmitting sensitive customer information.


Basic knowledge of Nacha Operating Rules & Guidelines is required, even if you use a third-
party payment processing system to process ACH. It's your responsibility to know the ACH
Rules and make sure your business is compliant. Keep up with the Rules changes on
the Nacha website.


ACH Best Practices


Monitor and reconcile accounts daily to detect unauthorized activity


Nacha rules require that unauthorized or improper corporate ACH debits posted to your
account be returned no later than the opening of business on the second banking day following
the settlement date of the original entry (i.e., one day to return an ACH debit). If an unauthorized
debit is not returned by two days after posting, it will be much more difficult to recover lost funds.


Act quickly upon receiving an NOC (Notification of Change) entry


Nacha rules require ACH origination customers to change the information that the
Receiving Depository Financial Institution (RDFI) has requested be changed within six (6)
banking days of receipt of the NOC or the next time the transaction is generated, whichever is
later. Common changes include updates to transaction codes, account numbers, and/or routing
numbers.


Correct ACH returns promptly, using the proper process if the entry is reinitiated

  • A returned ACH entry may not be reinitiated unless (1) the entry was returned for insufficient or uncollected funds; (2) the entry was returned for stopped payment and the reinitiation has been authorized by the account holder; or (3) the Originating Depository Financial Institution (First Bank Texas) has taken corrective action to remedy the reason for the return.

  • An Originator may reinitiate a debit entry up to two times within 180 days. Those entries must be submitted in a separate batch and contain identical content in the Company Name, Company ID, and $ Amount fields.

  • Re-initiated entries must contain “RETRY PYMT” in the Company Entry Description
    Field.


Initiate ACH entries under dual control


Whenever possible, divide responsibilities among multiple employees. To prevent unauthorized
ACH payments, separate out the payments process where one employee will create/upload the
ACH batch and another employee is responsible for approving batches. To prevent
unauthorized or inappropriate system access, separate the payments approval process where
one user can add or delete users but does not have the ability to approve, delete, or edit
batches.


Implement procedures that alert on "red flag" activity

Train employees to be alert for website layout changes, invoice layout changes, egregious
misspellings on a website or email notifications, "system down" warnings, etc.

Implement a security policy for company systems

Do not allow employees to use social networking sites on the same computer systems as the
business' online banking system. Common social media attacks include likejacking, where
attackers use fake “like” buttons to trick users into clicking website buttons that install malware
and post updates on a user’s newsfeed to spread the attack; or, fake offerings/apps to join a
fake group or subscription with incentives that are used to steal credentials or harvest other
personal data.

Rules and updates every ACH Originator should know

Authorization requirements for consumer entries

The Originator must obtain authorization for both consumer credit and debit entries and should
ensure that the authorization is clear and readily understandable by the account holder/receiver.

  • The authorization should clearly state account number and routing number (i.e. a copy of
    the account holder’s check), and account type (demand deposit, savings).
  • The consumer must date and sign or similarly authenticate debit authorizations.
  • A review of authorizations should be performed to make sure they meet the requirements
    of the Nacha Operating Rules.
  • First Bank Texas will provide authorization forms upon request.

Originators can expect consumer entries that are not properly authorized to be returned.

  • An unauthorized debit entry is an entry in which (1) the authorization requirements have
    not been followed in accordance with the Nacha Operating Rules or the authorization is
    invalid under applicable legal requirements; (2) a transaction was initiated in an amount
    different than that authorized by the Receiver; (3) a transaction was initiated for
    settlement earlier than authorized by the Receiver.

In general, consumer debit entries must be returned by the RDFI in such time and manner that
the return is made available to the ODFI no later than the opening of business on the banking
day following the sixtieth (60) calendar day following the settlement date of the original entry.
This return deadline also applies to the return of debit entries for which the consumer Receiver
had previously revoked his authorization.

Authorization requirements for corporate entries

As with consumer entries, the business Receiver (Company) must authorize all ACH credits and
debits to its account.

  • The Receiver of CCD (Corporate Credit and Debit), CTX (Corporate Trade Exchange)
    entries, and IAT (International ACH Transactions to a corporate customer account) must
    enter into an agreement with the Originator to which the Receiver has agreed to be
    bound by the Nacha Operating Rules.
  • This agreement for credits and/or debits to the corporate customer account should be
    clear to the corporate customer as to what the credit/debit represents.

Unlike consumer entries, in general, the non-consumer receiver of a CCD, CTX or IAT entry
must return entries no later than the opening of business on the second (2) banking day
following the settlement date, which requires prompt review of transactions to detect any
unauthorized entries.

Notice of change for recurring debits

For recurring debits, when the debit amount varies, the Rules require the Originator to notify the
account holder/receiver within ten (10) calendar days before the scheduled transfer date. If an
Originator changes the date on which it debits the account holder/receiver, it must notify the
account holder/Receiver in writing of the new date of the entry at least seven (7) calendar days
before the first entry to be affected by the change is scheduled to be debited to the Receiver’s
account.

Document retention for authorizations

The signed or similarly authenticated authorization must be retained by the Originator for a
period of two years following the termination or revocation of the authorization.

  • In the case of a paper authorization that has been signed by the consumer, the
    Originator must retain either the original or a copy of the signed authorization.
  • This authorization may be obtained in an electronic format that (1) accurately reflects the
    information in the record, and (2) is capable of being accurately reproduced for later
    reference.

At the request of its ODFI, the Originator must provide the original, copy or other accurate Record of
the Receiver’s authorization to the ODFI for its use or for the use of an RDFI requesting the
information. The Originator must provide it in such time and manner as to enable the ODFI to
deliver the authorization to a requesting RDFI within ten (10) banking days of the RDFI’s initial
request.

Company name identification

The Originator is required to ensure there is clear identification of the source of an ACH
transaction. Specifically, the Rules require the Originator to populate the Company Name Field
with the name by which it is known to and readily recognized by the Receiver of the entry. As
this company name appears on the account holder’s statement, it should be easily recognized
by the account holder/receiver of the debit/credit.

International ACH Transactions (IAT)

Origination of the IAT standard entry class code is not permitted by First Bank Texas. Certain
ACH payments that were classified as domestic transactions may be classified as international
payments, or IAT transactions today. The ACH transaction may be classified as an international
payment (IAT transaction) if your company (1) is a subsidiary of a multi-national corporation; (2)
has foreign subsidiaries; (3) buys or sells to organizations or individuals outside of the territorial
jurisdiction of the United States; or (4) sends payroll, pension or benefit payments via the ACH
Network to individuals that have permanent resident addresses outside the territorial jurisdiction
of the United States.

Laws regarding the Office of Foreign Assets Control (OFAC)

Corporations are required to comply with OFAC obligations, and the penalties for ignoring those
obligations can be both criminal and civil and include both jail time and fines ranging from
$10,000 to $10,000,000 per occurrence. If these fines are levied against the financial institution,
they may be passed back to the corporate originator depending on the specifics of the case and
the details of their contract with the financial institution. The fines are levied by the U.S.
government and funds collected are the property of the government, not the financial institution.
Additional information on OFAC obligations and fines can be found at the following
link: https://www.treas.gov/offces/enforcement/ofac/.

Prenotifications

Prenotifications are zero-dollar entries generated to validate the account held at the RDFI.
Originators may originate a prenote; however, this is not required under the Rules. If the
Originator initiates a prenotification, it must wait three (3) banking days prior to initiating the live
dollar amount.

Reversing an ACH file or entry

An Originator may reverse an erroneous or duplicate file, or an item within the file, within 5
banking days after the Settlement Date of the original file. The word "REVERSAL" must be
placed in the Company Batch Header Field and, if the file is reversing an erroneous file, the
Originator must initiate a correcting file with the reversing file. The Originator should notify the
account holder(s)/receiver(s) of the reversing entry and the reason for the reversing entry no later
than the Settlement Date of the reversing entry.

Standard Entry Class (SEC) codes

First Bank Texas permits Originators to send PPD (Prearranged Payments and Deposits) for
entries posting to consumer accounts and CCD (Corporate Credits and Debits), CCD+, and
CTX (Corporate Trade Exchange) for entries posting to corporate accounts. Any other types of
standard entry class codes require approval from First Bank Texas prior to their use.

Stop payments placed by the consumer

This affects Originators as a stop payment may be placed on the RDFI’s system for all future
transactions relating to the one Originator for the payment. Originators need to train internal
staff to ensure they understand that there may be multiple stop payments returned. These
should not be reinitiated until resolved.

Third-Party Sender roles and responsibilities

A Third-Party Sender is a type of Third-Party Service Provider that acts as an intermediary
between the bank and the entity's (Third-Party Sender's) customers. The Rules require that all
Third-Party Senders conduct a Rules compliance audit and a risk assessment of their ACH
operation and its compliance with the Rules no later than December 31 of each year. Documentation
supporting the completion of an audit must be (1) retained for a period of six years from the date
of the audit, and (2) provided to Nacha upon request. As this is a Rule requirement, First Bank
Texas requires a copy of the ACH audit and Risk Assessment each year. Approved Third-Party
Senders should reference their agreement for the additional requirements. This applies only to
Third-Party Senders.

Data security

The originating customer is responsible for ensuring they (along with any third party service
providers acting on their behalf) implement and maintain security policies, procedures, and
systems related to the initiation, processing, and storage of entries and resulting protected
information.

In addition, it is the responsibility of the customer to educate staff on how to protect the
business’ online banking system and to take reasonable steps to maintain the confidentiality and
security of the security procedures and any passwords, codes, and security devices, including but
not limited to multifactor authentication, out of band authentication, and secure browser
sessions.

Security policies, procedures and systems must: (1) Protect the confidentiality and integrity of the
protected information, (2) Protect against anticipated threats or hazards to the security or
integrity of protected information until its destruction and (3) Protect against unauthorized use of
protected information that could result in substantial harm to the customer.

Risk management and assessment requirements

First Bank Texas, as an ODFI, may establish additional risk management procedures such as
requiring that an audit of its Originators' activity be performed, closely monitoring the return volume
of its Originators, and assessing the risk associated with the type of ACH activity performed by
each Originator. Originators need to understand the necessity of risk management practices
regarding the following: (1) the performance of due diligence with respect to Originators and
Third-Party Senders; (2) the assessment of the nature of the Originator’s or Third-Party
Sender’s ACH activity and the risks it presents; and (3) the establishment of procedures to
monitor an Originator’s or a Third-Party Sender’s origination and return activity, and to enforce
exposure limits and restrictions on the types of ACH transactions that may be originated.

Frequently asked questions

What happens if an ACH payment is returned?

When an ACH return is received, your account will receive a chargeback or creditback return
entry and you will be notified of the return, along with information on how to view the return
details.

How much are the fees for ACH returns and Notifications of Change (NOC)?

Fees may vary; please refer to your fee schedule.

Can a business dispute a returned ACH payment?

Dispute an ACH return if it was a duplicate, it was misrouted, information was inaccurate, the
return didn’t occur within the expected time frames, or an unintended credit to the receiver was
the result of the reversal.

What is a notification of change (NOC)?

A notification of change (NOC) occurs when the bank receiving the ACH entry notifies the bank
sending the ACH entry that some portion of the information is incorrect. With NOCs, the ACH
transaction posted to the recipient's account, but the information within the ACH entry needs to
be corrected to ensure future transactions will be received and processed.

Why is timely review of notifications of change and ACH returns important?

Accuracy of information when sending ACH batches or files is always important. Otherwise,
there’s a risk of misdirecting ACH transaction(s) and relying on another bank to make proper
corrections. These transactions are often critical to the recipient, such as a payroll deposit. In
addition, Nacha rules require changes be made within six (6) banking days after receipt of a
notification of change or an ACH return. If this is not complied with, penalties may be assessed
against the originating bank.

What are ways to reduce returns?

Decrease the odds of an ACH Return by verifying that the input is correct (including the recipient’s
bank routing number). The Federal Reserve has a tool to verify the routing number is correct for
ACH processing: FRFS: Search for FedACH Participant RDFIs (frbservices.org)

Business Email Compromise (BEC)

What is Business Email Compromise?

Business Email Compromise is a type of phishing scam in which fraudsters try to hack, spoof or
impersonate business email addresses. They may change one letter or number in a familiar
email address to make their scam appear legitimate.
Example: bill.smith@ABCBuilders.com – bill.smith@ABCBuildrs.com
Scammers may send emails to employees in an attempt to gain credentials or convince
someone to send a fraudulent wire. They may also send an email that appears to be from a
known third party such as a vendor.
Scammers have also been known to send an email to customers, posing as the legitimate
business, in an attempt to obtain their payment information or other sensitive information.

How to recognize a Business Email Compromise scam?

BEC scams are often difficult to detect, but there are some red flags to watch for.
Common signs of BEC messages include:

  • The message is brief, urgent, and presses you to bypass normal policies and
    procedures;
  • The request appears to be from an executive, vendor or other partner that is outside of the
    norm;
  • A request for confidential employee, payroll or company information;
  • Emails that have misspelled words or incorrect grammar;
  • Unexpected attachments sent by email;
  • Emails sent after business hours or on weekends, holidays, or other nonstandard
    business days.

Carefully review the sender's email address to make sure it is legitimate. Since they can be just
one character off, spoofed email addresses can be easy to miss.

How to protect against Business Email Compromise?

  • Verify by phone before you send funds. ALWAYS call the vendor, business partner, or
    colleague directly to verify the payment information. Use previously known numbers you
    know are correct — even across different time zones — and not the numbers provided in
    an email or text request. Never initiate any changes based only on email or
    text communication.
  • Be cautious of new payment information. Beware of email requests instructing a
    routine wire payment to be sent to a new account.
  • Match your payment to a legitimate invoice before paying. Quite frequently,
    fraudsters tend to pose as a trusted vendor requesting payment. Prior to sending
    payments, ensure the payment requested matches a legitimate invoice.
  • Verify before clicking on a link or opening an attachment in an email or text. It may
    appear to be from someone you know, but it may be a fraudster phishing for your
    password, business bank account, or other sensitive information. Extra caution: The link
    may contain malware.
  • Double-check the email address. Fraudsters are tricky and can create email
    addresses that look very similar to the legitimate account. They often find naming
    conventions for a company’s email accounts on its website and use those to fool you —
    inspect closely!
  • Do not respond to email as verification. Don't reply to the requester by email. The
    fraudster either controls the spoof email account or has gotten access to the valid email
    account and can write back, making it look legitimate.
  • Beware of a sense of urgency. Usually fraudsters will indicate that the funds need to
    be wired right away. These requests often ask that the client be contacted only through
    email instead of other channels.
  • Know and trust who you are working with. Before doing business with a new
    company, search the company's name online with the term "scam" or "complaint." Read
    what others are saying about the company. Only purchase merchandise from reputable
    dealers or establishments.
  • Be wary of using free, web-based email accounts for your business, which are
    more susceptible to being hacked. Make sure at least two-factor authentication
    is available.
  • Be careful when posting information to social media and company websites, as
    fraudsters may use this information to deploy new tactics.
  • Keep the processing of your financial activities limited to as few machines as
    possible and limit the other activities such as web surfing on those machines, as well.
  • Consider financial security procedures that include a two-factor authentication
    process or dual control for electronic funds transfers.
  • Create intrusion detection system rules that flag emails with extensions that are
    similar to company email but not exactly the same (for example, .co instead of .com). If
    possible, register all Internet domains that are slightly different from the actual
    company domain.
  • Know the habits of your customers, including the reason, detail, and amount of
    payments. Beware of any significant changes.
  • Consider frequent and regular patching of your business systems.
  • Use a quality next-gen antivirus solution — one that watches for behavior anomalies
    and not just signatures.

Steps to take in case of fraud or loss due to BEC

If fraud or loss does happen as a result of responding to a BEC email with sensitive information,
there are a few steps to take:

  • Report it to your organization's IT/cybersecurity team.
  • Call us at (817) 598-4900 so that we can take the necessary precautions to secure your
    First Bank Texas accounts.
  • Change the passwords for email and financial accounts.
  • Review account statements for any suspicious activity.
  • Contact the police and file a report.
  • File an Internet Crime Report (IC3 Report) https://www.ic3.gov/

NACHA Rules Change

Commercial ACH Authorization

Direct Deposit Authorization Form

Debit Authorization


First Bank Texas is committed to serving your ACH originator needs. For questions about ACH rules, resources or issues, contact the ACH department.

Phone: 817-598-4900

Email: FBTACHProcessing@go2fbt.com

Address:
First Bank Texas
Attn: ACH Department
220 Palo Pinto
Weatherford, TX 76086


First Bank Texas is your local community bank offering a variety of 24/7 banking solutions for individuals and businesses, including savings and checking accounts, individual retirement accounts (IRAs), VA loans, mortgages, commercial loans, agricultural loans, working capital loans, real estate loans and much more. Bank online, with our mobile app, or visit one of our convenient locations in North Texas, in the Greater Abilene, West Fort Worth and Grapevine areas.


© 2025 First Bank Texas. | Built by Primitive.