Compliance: Credit unions’ scam-related SBA economic injury disaster loan questions answered


In the New York Credit Union Association’s continuing efforts to assist credit unions, Association staff has been providing answers to a range of compliance questions from member credit unions amid the pandemic and economic crisis.

Sarah Hodgens, the Association’s director of compliance, compiled a list of recent, recurring questions regarding scams related to SBA’s economic injury disaster loans that credit unions have been contacting the Association’s compliance department about, as well as the corresponding answers.

Q: How are the EIDL ACH payments presented?

A: Credit unions have reported members receiving ACH deposits representing SBA disaster relief payments to inactive or non-business accounts. The payments are labeled “SBAD TREAS 310,” which commonly denotes SBA EIDL, and may have the company ID of 9101036151.

Q: Is the credit union liable for fraudulent EIDL ACH payments?

A: Under NACHA Operating Rules, the credit union is not liable for funds resulting from fraudulent ACH credit entries if the funds are no longer available in the member’s account. NACHA rules provide the originating depository financial institution warrants to the receiving depository financial institution that the entry is correct and properly authorized. If the RDFI posts a fraudulent credit to the account number in the entry, and the funds are withdrawn, the RDFI is not liable for the funds.

Q: Can the credit union return partial funds back to the SBA?

A: The credit union cannot return partial funds. The NACHA Operating Rules require return entries to contain the same dollar value as the original entry. A partial return of funds must be handled outside the ACH network (e.g., with a wire transfer or official check), or with a new credit entry agreed to by both institutions.

If the deposit was credited to an account that matched the account number in the ACH entry, the credit union did not violate NACHA guidelines for accepting the deposit. The credit union should be cautious if sending back funds that have posted to a members account without a request to do so from the ODFI, as the credit union is essentially making the determination of a member’s eligibility to the funds they received, and may be taking on an unnecessary role and liability in the transaction.

Q: If a member received a possible fraudulent EIDL payment, should the credit union file a suspicious activity report?         

A: Yes, a SAR should be filed. The Financial Crimes Enforcement Network recently issued an advisory that states:

“SAR reporting, in conjunction with effective implementation of due diligence requirements by financial institutions, is crucial to identifying and stopping financial crimes, including those related to the COVID-19 pandemic.”

Q: Can the credit union return an ACH credit that is believed to be fraudulent before it has posted to the member’s account?

A: Yes, an ACH credit that is believed to be fraudulent can be returned before it has posted. If the credit union returns an ACH credit that it believes is fraudulent, use Return Reason Code R23 (credit entry refused by receiver) or R03 for a name mismatch or R17 for an invalid account number initiated under questionable circumstances. The use of R17 requires “Questionable” to be inserted in the first 12 positions of the addenda record.

Q: How can suspected EIDL fraud be reported?

A: This type of fraud can be reported to the SBA using the SBA complaint form or by calling the SBA’s Office of Inspector General hotline at (800) 767-0385.



Leave a Reply