ACH Service Terms

PayPal offers services that allow merchants to originate Automated Clearing House (“ACH”) credit and debit entries to a bank account (the “ACH Service”) and Merchant desires to use such services. Such entries are sent by PayPal, acting as a Third-Party Sender, to the Originating Depository Financial Institution (the "ODFI"), which it forwards through the ACH system to the Receiving Depository Financial Institution (the "RDFI"), who debits or credits the bank account of Merchant’s Customer (the "Receiver"). Merchant agrees that its use of the ACH Service is subject to the terms herein ("ACH Service Terms") and the applicable provisions of the Payment Services Agreement (the “Agreement”). Merchant accepts and agrees to comply with all such terms. Capitalized words and phrases used and not otherwise defined in these ACH Service Terms have the same meaning as given to them in the Agreement or in the operating rules and guidelines of the National Automated Clearing House Association (administrator of the ACH network - “Nacha”), as amended from time to time (the "Nacha Rules", available on Nacha’s website). Merchant shall not originate entries on behalf of any third-party. In case Merchant intends to act as a Nested Third-Party Sender, it must enter into a separate agreement with PayPal before it originates any entries.

Merchant agrees that the ACH Service shall be deemed part of (and included in) the definition of Braintree Payment Services under the Agreement. ACH Service transactions shall be deemed part of (and included in) the definition of Transaction under the Agreement.

Merchant will pay PayPal the fees and charges as agreed in writing, as well as other amounts owed, pursuant to these terms and the Agreement. Such other amounts shall include, without limitation, any amounts charged to PayPal and/or Merchant by Nacha in connection with Merchant’s use of the Braintree Payment Services. All fees and other amounts due pursuant to these terms shall be subject to the terms and conditions applicable to fees generally in the Agreement, including, without limitation, those set forth in Section 2 of the Agreement. Any amounts owed to PayPal under these terms may be deducted from any Payout to Merchant or debited from Merchant’s Bank Account.

Merchant agrees to (i) undertake the responsibilities of an Originator under the Nacha Rules and to comply with and be bound by such rules and other applicable laws and regulations related to use of the ACH network (as may be amended); and (ii) not originate entries that violate these ACH Service Terms, laws of the United States and/or the Nacha Rules.

Merchant authorizes PayPal and the ODFI to originate entries on Merchant’s behalf to Receivers’ accounts in accordance with the Nacha Rules.

Merchant shall operate and use the ACH Service in accordance with the Transaction limits set by PayPal and/or the ODFI in accordance with the Nacha Rules. PayPal can modify the applicable Transaction limits upon reasonable notice.

Merchant is solely responsible for obtaining any authorization required by the Nacha Rules, including authorization from each person shown as the Receiver on an entry for the crediting or debiting of the Receiver’s account (e.g. to debit its Customers’ bank accounts for ACH payments), and agrees that it shall obtain such authorization in each instance (“ACH Authorization”). PayPal shall not be liable for any debit or other failure (or any related costs) arising from Merchant’s acts and omissions for failure to obtain any ACH Authorization. Merchant shall maintain data sufficient to reconstruct the transaction authorization and maintain such authorization in accordance with all applicable laws, rules and regulations. Merchant agrees PayPal is permitted to document and store ACH Authorization, including timestamp, Merchant logo and applicable ACH credentials. Merchant shall provide PayPal with evidence of ACH Authorization upon request.

Debit Web Entries. To the extent that Merchant originates Debit WEB entries, it must:

1. establish and implement a commercially reasonable (i) fraudulent transaction detection system to screen entries (which must, at a minimum, validate the account to be debited prior to the first use of any account number, and for any subsequent changes to the account number), and (ii) method of authentication to verify the identity of the Receiver of a debit entry and that the routing number is valid; and
2. conduct, or have conducted on its behalf, annual audits to ensure that the financial information it obtains from Receivers is protected by security practices and procedures that include, at a minimum, adequate levels of: (i) physical security to protect against theft, tampering, or damage; (ii) personnel and access controls to protect against unauthorized access and use; and (iii) network security to ensure secure capture, storage, and distribution (“Merchant’s Annual Audit”).

Account Validation. PayPal may offer Merchant the ability to validate Receiver’s bank account information (including, but not limited to, account number, routing number, and/or account holder name) in connection with the ACH Service. To the extent that Merchant uses any account validation method offered by PayPal, it must comply with the additional obligations set forth in the ACH Services Addendum (in addition to the ones in Sections 6.01, 6.03 and 6.08 of the Agreement).

PayPal shall not be liable for any failure (or any related costs) arising from Merchant’s acts and omissions for failure to comply with this Section 8.

1. UCC 4A Notice. In relation to credit entries subject to Article 4A of the Uniform Commercial Code, Merchant acknowledges that: (i) the entry may be transmitted through the ACH; (ii) the rights and obligations of the Merchant concerning the entry are governed by and construed in accordance with the laws of the State of Delaware; (iii) any credit given by the RDFI to the Receiver for the entry is provisional until the RDFI has received final settlement (through a Federal Reserve Bank or otherwise has received payment as provided for in Section 4A-403(a) of Article 4A); and (iv) if the RDFI does not receive such payment for the provisional entry, the RDFI is entitled to a refund from the Receiver in the amount of the credit to the Receiver’s account, and the Merchant (acting as Originator) will not be considered to have paid the amount of the credit entry to the Receiver. Merchant agrees that it shall be responsible for all refunds, and PayPal shall have the right to be reimbursed by Merchant for any and all such refunds or other amounts that are charged to PayPal in connection with the ACH Service. PayPal can deduct such amounts from any Payout to Merchant.
2. Payment to ODFI. Merchant agrees to pay the ODFI for any ACH credit entries or returned ACH debit entries if PayPal fails to pay the ODFI for such entries.
3. Cancellation or Amendment. Merchant shall not have the right to cancel or amend an ACH transaction entry after its receipt by PayPal, except as permitted or required by the Nacha Rules.
4. Inconsistency of Name and Number. If an entry describes a financial institution or the Receiver of an entry inconsistently by name and account or other identifying number, the account or other identifying number can be relied upon and the name disregarded.
5. Satisfaction of Customer Debt. In the event that a Transaction is reversed, Merchant acknowledges that, as between Merchant and its Customer, the Customer's debt to Merchant is satisfied when PayPal receives funds from the ODFI in payment of that debt, subject only to a reversal of such payment.

Merchant shall comply with any request made by PayPal, the ODFI, their personnel, auditors and/or representatives for the following: (i) access to Merchant’s facilities, data and records relating to the initiation of entries for the purpose of performing audits or on-site visits to verify Merchant’s compliance with these ACH Service Terms and the Nacha Rules; and/or (ii) copies of Merchant’s Annual Audit reports/results. Merchant shall provide, and shall cause its subcontractors to provide, the access and assistance that may be required by PayPal, the ODFI, their personnel, auditors and/or representatives, including, but not limited to, copies of any data, records, authorizations, audit reports/results, if requested, as well as any other information reasonably requested relating to entries originated by the Merchant.

Merchant represents and warrants to PayPal, as an Originator of entries under the Nacha Rules, that: (a) no entry delivered to PayPal or the ODFI, if accepted by the ODFI, will cause PayPal or the ODFI to be in violation of any regulation or sanction administered by the federal or state government or otherwise causes PayPal or the ODFI to be in violation of federal or state law or the Nacha Rules; and (b) it makes the same warranties to PayPal that PayPal, as Third-Party Sender, makes under the Nacha Rules to any ODFI when PayPal transmits an entry.

Merchant shall indemnify, defend and hold PayPal, the ODFI, any third-party and their employees, officers, directors and agents, harmless from and against any and all claims, demands, losses, liabilities or expenses (including attorneys’ fees and costs) resulting directly or indirectly from or arising out of (a) Merchant’s breach of the Nacha Rules or of these ACH Service Terms; (b) Merchant's acts and/or omissions; and (c) compliance by PayPal, the ODFI and the RDFI with any request for a cancellation, stop payment, reversal or recall of any entry originated by Merchant. PayPal shall have no responsibility for any delay by any ODFI, ACH Operator or RDFI in processing any entry PayPal transmits to the ODFI or failure to process or credit or debit any such entry.

In addition to the term and termination rights in the Agreement, PayPal or the ODFI may terminate or suspend Merchant’s use of the ACH Service for violation of any Nacha Rules, including, without limitation, acceptable limits for ACH returns. Notwithstanding anything to the contrary in these terms or the Agreement, PayPal is not required to include ACH data in any forwarding or portability services offered under the Agreement.

These ACH Service Terms, together with the ACH Services Addendum, are hereby incorporated into and made a part of the Agreement. To the extent that these ACH Service Terms conflict with the terms of the Agreement, these terms shall control with respect to the ACH Service and to the extent of such conflict. Except as amended and/or supplemented by these terms, all terms and provisions of the Agreement shall continue and remain in full force and effect and shall be binding upon the parties.

This ACH Services Addendum (this “Addendum”) forms part of the ACH Service Terms and is incorporated by reference therein. In the event there is any conflict between the terms of this Addendum and the ACH Service Terms, the terms of this Addendum will control. Capitalized terms used but not defined in this Addendum have the meaning set out in the ACH Service Terms.

ADDITIONAL TERMS APPLICABLE TO THE ACCOUNT VALIDATION METHODS OFFERED BY PAYPAL

1. PayPal may offer to you the ability to validate bank account information (including, but not limited to, account number, routing number, and/or account holder name) in connection with the ACH Services (“Account Validation”). In that case, PayPal may share personal, financial, and/or transaction data (“Data”) related to your customers (and, in the case of Platforms, customers of its sellers or billers) with PayPal’s third-party service providers which may include data consortium providers (“Data Consortium Providers”) and open banking vendors (“Open Banking Providers” and, together with Data Consortium Providers, "Account Validation Providers”), and such providers may collect certain customer Data from third-party information sources where customers hold bank accounts (“Data Sources”) and share it with PayPal. You agree to use the Account Validation methods offered by PayPal in compliance with this Addendum, the Agreement, the Nacha Rules, applicable laws and regulations.

1.1. If you select an Account Validation method offered through a Data Consortium Provider that is subject to the Fair Credit Reporting Act ("FCRA") or analogous applicable law, you instruct PayPal to act as agent for the purpose of obtaining any requested consumer report on your behalf and performing the requested validation. You agree to: (a) obtain the express written consent of the consumer before requesting any consumer report; (b) retain evidence of such consumer consent; and (c) if the information in a consumer report serves as a basis for declining a transaction or account validation request, provide notice of adverse action to the consumer.

1.2 If you select an Account Validation method offered through Open Banking Providers, you must not use any Data obtained from it for any purpose that would reasonably be expected to implicate the FCRA.

2. To the extent that you obtain access to Data or to any system or technology in connection with the Account Validation methods offered by PayPal, you must, except to the extent prohibited by applicable legal, regulatory or law enforcement requirements:
1. follow a written privacy policy describing how you use, collect, store, handle and share Data. Your customers (and, in the case of Platforms, customers of its sellers or billers) must be able to access your privacy policy and you must clearly and conspicuously reference or display such policy (including, at a minimum, via a link on your website and within your mobile application, if applicable);
2. when applicable, obtain customer consent for you to use, collect, store, handle and share customer Data in accordance with your privacy policy;
3. obtain customer consent to Account Validation Providers’ terms and conditions presented to customer;
4. if any customer submits a request to delete its Data, promptly: (i) delete using an industry standard method that ensures the deletion is permanent and information unrecoverable (“Securely Delete”), subject to any legal or regulatory requirements to maintain copies, and (ii) notify PayPal;
5. develop, maintain and implement a comprehensive written information security program that includes, without limitation: (a) technical, physical, and administrative/organizational safeguards designed to ensure the security, integrity and confidentiality of Data and protect it against any anticipated threats, hazards or Security Issue (as defined below); and (b) regular testing or otherwise monitoring of the effectiveness of your information safeguards;
6. use commercially reasonable efforts to prevent a Security Issue and Securely Delete all Data that may be at risk from a Security Issue upon PayPal’s request;
7. promptly inform PayPal if any competent authority, regulator or public authority requests disclosure of, or information about, the Data that is processed in connection with any Account Validation methods and cooperate with PayPal as reasonably necessary to comply with any direction or ruling made by such authorities;
8. obtain PayPal’s approval prior to the publication or communication of any filings, communications, notices, press releases or reports related to any Security Issue that expressly mentions PayPal or Account Validation Providers; and
9. only use, store, host, or process Data within the United States of America, however, you may allow read-only access to such data subject to confidentiality and security requirements.

For purposes if this Addendum, “Security Issue” means any: (i) unauthorized or unlawful access, transmission, corruption, deletion, or use of any Data; (ii) unauthorized access to systems storing, processing, or providing access to the same; (iii) your material failure to comply with its information security requirements under this Addendum; or (iv) any reasonably suspected case of, or flaw in, your policies, procedures, or systems reasonably likely to give rise to an incident as described above.

3. You shall not (a) attempt to gain unauthorized access to the Account Validation methods offered by PayPal or related systems or networks; (b) access and/or engage in any use of the Account Validation methods in a manner that abuses or materially disrupts PayPal’s or Account Validation Providers’ networks, security systems, and/or websites; (c) interfere with or disrupt the integrity or performance of Account Validation methods or third-party data contained therein; (d) access or use the Account Validation methods for fraudulent or unlawful purposes or otherwise in violation of the Nacha Rules or court orders; (e) access or use the Account Validation for purposes of competitive analysis, the development, provision or use of a competing software service or product; (f) retain, save or otherwise maintain any user credentials or other information that could be used to access customer’s Data (except for customers saving their own user credentials); (g) use any “screen scraping” process(es) to obtain customer Data directly or indirectly from any of the Data Sources from which PayPal or Account Validation Providers obtain customer Data on behalf of customer through the use of registration data (and not APIs or data feeds provided by or on behalf of PayPal or Account Validation Providers as part of the Account Validation); (h) in connection with cross-border transfer, export or re-export the Account Validation methods and/or any related system or technology; (i) use or disclose Data for any purpose that is not expressly permitted under this Addendum or by an explicit consent given by the customer (if applicable); and (j) sell, resell, license, transfer, or otherwise disclose Data to any other party, unless required by the Nacha Rules and or applicable laws or regulations.
4. If you become aware of any actual or threatened Security Issue or violation of its obligations under this Addendum, you must: (i) notify PayPal of any such actual or threatened Security Issue or violation and the corrective action taken or to be taken, within 48 hours of its discovery; and (ii) remediate or implement a plan to remediate the issue and mitigate its effects (including, where applicable, by discontinuing and preventing any unauthorized access to the Account Validation method) within the period determined by PayPal and communicated to you in writing. PayPal may report any Security Issue, investigations and/or remediation efforts to Account Validation Providers.
5. PayPal may immediately suspend your access to PayPal’s Account Validation and related Data, systems and/or technology, in whole or in part if PayPal reasonably believes that you violated any of your obligations under this Addendum or becomes aware of a Security Issue. In such cases, PayPal will use commercially reasonable efforts to give prior notice of any suspension but may immediately suspend access without prior notice if appropriate under the circumstances to protect customers, PayPal or Account Validation Providers from harm. PayPal may notify an Account Validation Provider of any condition permitting suspension (and related circumstances) if the condition relates to Data obtained from such Account Validation Provider (including the nature of such condition, whether access has been suspended, and the status of your efforts to cure the condition).
6. NEITHER PAYPAL NOR ANY ACCOUNT VALIDATION PROVIDER MAKE ANY WARRANTIES TO YOU OF ANY KIND (WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE). PAYPAL, ACCOUNT VALIDATION PROVIDERS AND RELATED PARTIES WILL HAVE NO LIABILITY WHATSOEVER TO YOU RELATING TO (i) ACCESSING OR USING DATA; (ii) FOR ANY EXPENSES, LOSSES, OR DAMAGES RELATING TO YOUR ACCESS OR USE OF DATA, FOR ANY LOST PROFITS OR OTHER SPECIAL, CONSEQUENTIAL, INCIDENTAL OR INDIRECT DAMAGES. THE LIMITATIONS IN THIS SECTION WILL APPLY TO THE FULLEST EXTENT PERMITTED UNDER APPLICABLE LAW NOTWITHSTANDING ANY FAILURE OF ESSENTIAL PURPOSE OF ANY LIMITED REMEDY AND REGARDLESS OF THE FORM OF ACTION UNDER WHICH RECOVERY FOR ANY LOSS, DAMAGE, OR EXPENSE IS SOUGHT (INCLUDING NEGLIGENCE).
7. During the term of this Addendum, and for six (6) years thereafter (or a longer period if required under applicable law or regulation), you must keep documentation/records related to your use of the Account Validation methods and provide PayPal with access to such documentation/records upon request. PayPal may, by itself or through a third-party, audit your policies, procedures, books and records, data, systems, and activities to verify your compliance with this Addendum, including, but not limited to, the examination of your policies and/or procedures: (i) for ensuring the security and integrity of your systems for accessing, storing, and using Data; and (ii) in connection with FCRA related requirements, where applicable. You represent and warrant that the documents, information, responses, and materials that you provide to PayPal are true and accurate in all material respects. You agree that PayPal may provide such information to Account Validation Providers and/or Data Sources.
8. If you are a Platform, you must, prior to providing any Data or access to any Account Validation system or technology to your customers (e.g. sellers or billers on your platform), enter into a written agreement with each of them which contains terms that are substantially similar with the terms of this Addendum.
9. If any inconsistency exists between this Addendum and any applicable law or regulation (including rules implementing Section 1033 of the Consumer Financial Protection Act of 2010), then the terms of the applicable law and/or regulation shall control.