Banner Bank ACH Originator Guide

The requirements to retain proof of authorization for TEL entries differ slightly between single entry debit and recurring debits. For telephone (oral) authorizations for debit entries to consumer accounts the following rules apply: • Single-entry: You must send a written notice to the Receiver prior to the settlement of entry or audio recording and retain for two (2) years from the debit settlement date • Recurring: You must send a copy of the authorization to the Receiver and retain authorization and audio recording for two (2) years from the termination or revocation of the authorization The written notice can be provided to the Receiver in the form of an email. If mailing the written notice, the date that the notice is postmarked (i.e. put in the mail) is considered the notice date. In addition, Regulation E requires Originators to do the following: • Retain evidence that a copy of the authorization was provided to the consumer • Provide notice to the Receivers if changing the recurring amount (10-day notice in advance) or provide authorization for an amount range • Provide notice to the Receiver if recurring debit date changes seven days before the new debit date. • Stop future entries when notified by the Receiver that the entry was unauthorized, or the authorization was revoked. WEB Entries WEB is used as the SEC code for consumer debits authorized via a website or mobile application. These also include authorized debits through a voice-activated assistance device like a smart speaker. WEB debits can be one-time, single entries, or recurring entries. The authorization must be in writing, signed or similarly authenticated, and show evidence of the consumer’s agreement. 1. Conduct an annual audit to verify financial information is protected using security practices and procedures that address the following: a. Physical security b. Personnel and access controls c. Network security 2. Implement a commercially reasonable fraudulent detection system. These processes must include a process to verify the account number used for WEB debit entries prior to the first use of the account number. Account verification processes may include micro entry (see below for further details) or online account verification through a vendor. Fraudulent detection systems may also include a process to review entries for anomalous activity or other red flags of potential fraud. An Originator that transmits WEB debit entries warrants that it has established processes to:

9