The Payments InstituteJuly 21-24, 2019 • Emory University, Atlanta GA

ACH Audit and Risk Assessment

Mary Gilmeister AAP, NCPPresidentPAR/WACHA-The Premier Payments Resourcemgilmeister@wacha.org

Disclaimer

• WACHA, through its Direct Membership in NACHA, is a specially recognized and licensedprovider of ACH education, publications and support. • Regional Payments Associations are directly engaged in the NACHA rulemaking processand Accredited ACH Professional (AAP) program. • NACHA owns the copyright for the NACHA Operating Rules & Guidelines. • The Accredited ACH Professional (AAP) is a service mark of NACHA.• This material is derived from collaborative work product developed by NACHA ─ TheElectronic Payments Association and its member Regional Payments Associations, and isnot intended to provide any warranties or legal advice, and is intended for educationalpurposes only.• This material is not intended to provide any warranties or legal advice, and is intended for educational purposes only. • This document could include technical inaccuracies or typographicalerrors and individual users are responsible for verifying any information contained herein.• No part of this material may be used without the prior written permission of WACHA/PAR

© 2018 PAR/WACHA All rights reserved

2

AGENDA

ACH Audit• Who & Why

• Receiving Depository Financial Institution (RDFI)

• Originating Depository Financial Institution (ODFI)

• Third Party Senders

• Third Party Processors

Risk Assessment

3

Why Do We Need To Do the ACH Audit and Risk Assessment?

• Manage Risk and Minimize Loss

• Enhance ACH Quality and Customer Satisfaction

• Improve Operational Efficiencies and Lower Processing Costs

• Avoid Fines

4

ACH Audit

• All Financial Institutions and their Third Party Senders and Third-Party Service Providers are required to do an ACH Audit by December 31 of each year.

ACH Transaction Flow/Participants

ACH Transaction Flow

with Third Parties

RECEIVERORIGINATOR ODFI

ACH

OPERATOR

RDFI

Third Party

Processor/Receiving Point

Third Party

Processor/Sending Point

Third Party Service

Provider/Sender

• Failure of a Participating DFI to provide proof of completion of an audit may be considered a Class 2 Rules Violation

• NACHA does ask for documentation of proof of audit

Required by the ACH Rules

• Rule Change: Appendix Eight of ACH Rules is no longer part of the Rules as of 1/1/2019 per Supplement 2-2018 ORxli

– Provided the requirements and minimum specifications for an audit of compliance with the ACH Rules

– Required annual audits by FIs and Third-party Service Providers, found in 1.2.2.1

– Operations Bulletin #1-2019

Rule Compliance - Audit Requirements

• The former ACH Rules Compliance Audit provisions as located in Appendix Eight specified only specific areas or Rules to verify compliance.

– Some areas of the audit may not have applied to the FI

– Some riskier areas may have needed more attention

– There are other aspects of law or regulations that should also be evaluated beyond the ACH Rules Compliance

– The objective is to audit for all Rules Compliance, not specific rules

Justification

• Manage risk and minimize loss

• Enhance ACH quality and customer satisfaction

• Improve operational efficiencies and lower processing costs

• Avoid fines

• Requirement of the NACHA Rules

Why Do We Need To Do the ACH Audit?

• Return Reason Codes

– Consumer

– Non-consumer

• NACHA Operating Rules

• 31 Code of Federal Regulations 210

• Regulation E

• Regulation CC

• Uniform Commercial Code 4A

• Office of Foreign Assets Control (OFAC)

• FFIEC Examination Handbook Retail Payment Systems

You Need to Know

• Auditing Methods– Interview personnel

– Sampling

• Random

– May wish to cluster transactions by common characteristics before selecting samples so that you are certain to address all audit requirements.

– Testing

• Follow Transactions

• Follow Procedures

What method should we use?

• Account Disclosures

• ACH Policies– Receipt

– Origination Risk

– OFAC

• Written Procedures Manual

– Do these procedures accurately reflect your policies

• Organizational chart of chain of command for ACH department

• Number of employees involved in processing ACH

– Dual Control

• Core Processing system/Internal software updates

• Balancing reports and statements daily including General Ledger

• Rules Violations

• Mergers or Acquisitions

ACH Audit Checklist

• ACH Operator, FED or EPN?

• Operator Advice

• How do you Receive Files?

• Third-party processor

• How do you process returns?

• Staff training

– AAPs, APRPs

• Physical access controls and passwords, security levels

• Contingency/Disaster Recovery Plan

ACH Audit Checklist

• How many Originators

• What origination delivery system

• How many versions of your ACH agreements do you have?

• Do you originate your own loan payments via ACH?

• Do you originate external ACH fund transfers for the following?

– Loan Payments

– Business to Business transfers

– Consumer to Consumer transfers

– Consumer to Business transfers

• Bill payment or person-to-person (P2P)transfers? (e.g., Pop money) Are you the ODFI for these transactions?

• Do you have exposure limits and reviewed how frequently?

ACH Origination Audit Checklist

• External ACH transfers through your online banking system?

• How do you authenticate users on your online banking site?

• Do you open new accounts via the internet? Do you fund these accounts with ACH debits?

– If so do you have a limit set for these transfers and what is the dollar amount?

ACH Origination Audit Checklist

• ACH Rules Reference 1.4.1 and 1.4.2

– Records of Entries

• Retention Method (paper, optical, disk..)

• Sampling for each of past 6 years

• Can Be Reproduced

• ACH Rules Reference 1.4.3

– Electronic Records

• Accurately Reflect the Information Contained in the Record

• Can Be Reproduced

All Participating DFIs

• ACH Rules Reference 1.2.2

– Verify that an audit was completed in the previous year

– Verify that issues raised during the previous audit were corrected

– Audit reviewed by board of directors?

Audit Verification

• ACH Rules Reference 1.6

– Participating DFI and originators/third party senders have established, implemented and updated security policies, procedures and systems

• Are you performing due diligence to ensure the security procedures are being conducted and how?

ACH Data Security

• ACH Rules Reference 1.7

– Commercially Reasonable level Encryption for all entries received over the internet

– Procedures in place to:• Detect a Data Breach

• Report a Data Breach applicable parties

– Personal Information including:– Name & Social Security Number

– Account Number & Routing Number

– Do you share data regarding entries, returns, or any accountholder data via email?

Data Security

• ACH Rules Reference 1.13

– Has the financial institution paid all annual fees and per-entry fees?• Automatically happens if you are sending/receiving through the FED

• Schedule of fees at the end of the Operating Rules

– This section is not applicable if you send all of your ACH entries to the ACH Operator

• N7 Form

NACHA Fees

• ACH Rules Reference 1.2.4

– Financial Institutions are required to assess the risk of their ACH activities and implement a risk management program based on the assessment• Has it been reviewed by board?

• How often do you re-assess?

• Have the identified risks been addressed?

ACH Risk Assessment

• How do you identify International ACH Transaction (IAT) entries upon receipt?

• Are all the fields within each IAT entry and all corresponding addenda records verified for OFAC Compliance?

• Are all fields with each IAT return entry and all corresponding addenda records verified for OFAC compliance?

• Do you have procedures to follow if you have a match?

• Do you post prior to srubing

International ACH Transactions (IATs)

• ACH Rules Reference 3.5

– Validate account number in prenote:• Accept

• Return or

• Initiate a Notification of Change on a timely basis

– We do not recommend NOCs for prenotifications

Prenotifications

• ACH Rule Reference 3.9.1

– Verify that NOC entries are transmitted within two banking days of the settlement date of the original entry to which the NOC relates

• with the exception of NOCs due to merger or acquisition

– Dual Control?

Notification of Change

• ACH Rules Reference 3.1.1, 3.8.2

– Verify all entries accepted as required

– Entries not required to be accepted:• XCK

– Do GL and loan entries post automatically?

Acceptance of Entries

• ACH Rule reference 3.3.1.1, 3.3.1.2, and 3.3.2

– PPD credit entries made available to the RDFI by 5:00 p.m. the banking day prior to settlement date, are available to the Receiver for withdrawal no later than the opening of business on the settlement date

– Same Day Credits

• After September 20, 2019, will you post same day entries within the time frames described within the Nacha’s Operating Rules?

– Debit entries are not posted prior to the settlement date

Credit Availability & Debit Timing

Processing Window/Schedule

RDFI receipt time Current funds availability requirement1

Revised funds availability requirement1

First same-day window

12:00 noon ET 5:00 p.m. local time 1:30 p.m. RDFI local time

Second same-day window

4:00 p.m. ET 5:00 p.m. local time 5:00 p.m. RDFI local time

New, third same-day window

5:30 p.m. ET N/A End of RDFI’s processing day2

Non-Same Day ACH credits

If received prior to 5:00 p.m. local time

- Opening of business for PPD- End of settlement date for non-PPD

9:00 a.m. RDFI local time for all SEC Codes

Overview

• ACH Rule reference 3.1.5.1

– Verify that the RDFI sends or makes available as part of the account statement for consumer customers information from transactions as dictated by the ACH Rules and Regulation E

Account Statement Content

• Send or make available to each account holder a monthly statement with the following:– Posting Date of Entry

– Dollar Amount of Entry

– Company Name, Individual name for WEB credits

– Company Entry Description

– Terminal ID, Location, City, State(POP and POS and MTE & SHR)

– Check Serial Number for ARC,BOC, POP, RCK & XCK

Account Statement Contents

• ACH Rules Reference 3.8.

– Verify that returned entries (including debit entries to a corporate account returned as unauthorized) are received by the RDFI’s ACH Operator by its deposit deadline for the return entry to be made available to the ODFI no later than the opening of business on the second banking day following the Settlement Date of the original entry

Timely Returns(Excluding RCK)

• Rules Reference 3.8.3.5, Appendix Four

– Verify that permissible return entries (i.e., the late return of unauthorized debit entries to non-Consumer Accounts) are transmitted with the permission of the ODFI and utilize the appropriate Return Reason Code

• Rules Reference 3.8.5; Appendix Four

– Verify that dishonored return entries received by the RDFI are handled appropriately, and that contested dishonored return entries and corrected returns are initiated in a timely manner. Verify that the RDFI utilizes Return Reason Codes and Contested Dishonored Return Reason Codes that accurately describe the reason for the return

Timely Returns, con’t.(Excluding RCK)

• Where are exceptions found?

• Does staff understand Dishonored Returns and Contested Dishonored Returns?

• Is staff aware of return timeframes for all return reason codes?

• What method is used for returns?

• Return with ODFI permission– R31

Timely Returns Test

• ACH Rules Reference 3.8.3.3

– Review internal procedures to ensure that the return of an RCK debit entry is transmitted to the RDFI’s ACH Operator by midnight of the second banking day following the banking day of receipt of the presentment notice

Represented Check Entries - RCK

• Transmit an adjustment entry, so the entry is made available to the ODFI by the 60th calendar day, if:– notice of RCK policy was not provided – R51

– item to which the entry relates is ineligible – R51

– signatures are not authentic or authorized – R51

– item to which RCK relates has been altered – R51

– Both items presented for payment – R53

• Verify that a Written Statement of Unauthorized Debit has been received for entries returned R51 and R53

Re-presented checks - continued

• ACH Rules Reference 3.8.3.2, 3.8.4

– Credit entries that can not post or be made available to the receiver are returned by opening of business on the second banking day following the Settlement Date

– If a receiver declines a credit• Opening of business 2nd day following request date

– Do not put into a suspense account to research

Return of Credit Entries

• ACH Rules Reference 3.7.1.1, 3.7.1.2, and 3.7.2

– Verify that the Stop Payment Orders are acted upon appropriately• Recurring Payment

– Stop Instructions 3 banking days prior to debit

• Single payment or Non-consumer payment

– RDFI needs Reasonable time to act on Stop order

– Stop one payment or all future payments based on consumers intent (Reg E)• Stop payments is not to be used for error resolution.

– Timeliness of returns-2 day

– Training, procedures & Forms

Stop Payments

• ACH Rules Reference 3.11.2.2, 3.13.1, and Appendix Four for extended returns

– Stop Payment on source document related to ARC, BOC or RCK entry• R38 & R52

• RDFI transmitting adjustment entry in a Timely manner—60 calendar days from settlement

Stop Payments con’t

• ACH Rule 3.11.1, 3.12.5, 3.12.7, 3.13.1, and Appendix Four

– Review records and procedures to ensure that signed Written Statement of Unauthorized Debit (WSUD) forms are obtained from consumers before returning entries for Return Reason Codes R05, R07, R10, R37, R51 and R53

– Returned in appropriate time frames

– Made available to ODFI upon request

– Is your financial institution following Regulation E?

Written Statement of Unauthorized Debit

R10

Consumer Claims the Entry Is Unauthorized, Ineligible or Incomplete

This code can be used for Improperly Reinitiated Debit Entries

Consumer Return Codes Requiring WSUD

• R51

– Improper RCK Entry

• R53

– Item That Relates to the RCK Has Also Been Presented for Payment

• R05

– CCD entry to a consumer account

• R07

– Cannot Be Used for RCK, ARC, BOC, POP

• R37

– Source Document for ARC or POP Has Paid

Consumer Return Codes Requiring WSUD

• Written Documentation

• To Be Used for Contested Consumer Transactions That

– Were Never Authorized or Not As Authorized

– Revoked or Cancelled

– Incomplete

– Invalid ARC, BOC, POP or RCK Transactions

– CCD transaction posted to a Consumer account

• Retention

– Must Be Able to Provide Copy to ODFI for 1 Year

– Reg E states two year retention for Error Resolution supporting documentation

Written Statement of Unauthorized Debit Procedures

Receiver’s printed name and signatureReceiver’s account numberAmount of entryParty debiting the account as identified to the Receiver or the name

of the intended payeePosting date of the entryReason for returnSignature dateReceiver assertion that the Written Statement is true and correctReceiver assertion that the Receiver is an authorized signer or has

authority to act on the account

Written Statement of Unauthorized Debit Requirments

Regulation E provides rules that protect consumers in regards to “errors” in electronic transactions.

If a consumer claims that an error has occurred, the financial institution is required to:Take ACTION by:

INVESTIGATING the error

Providing a RESOLUTION to the consumer and,

COMMUNICATING the resolution to the consumer

Error Resolution

Must be received no later than 60 days after the institution sends the periodic statement on which the alleged error is first reflected

Must identify the consumer’s name and account number

Must indicate why the consumer believes an error exists

Type, date, and amount of the error

Notice of Error from Consumer 1005.11(b)

If the consumer notifies the financial institution within 2 business days after learning of the loss or theft of the access device, his or her liability shall not exceed the lesser of:

$50 or

The amount of unauthorized transfers that occurred before notice

Consumer Liability for Unauthorized Transfers

If the consumer gives notice between the 3rd & 60th day, the liability shall not exceed the lesser of:

$500 or

The sum of $50 or the unauthorized transaction within 2 business days (whichever is less), plus the amount of unauthorized transfers from day 3 through notice to the financial institution

Consumer Liability for Unauthorized Transfers

Writing PIN on Piece of Paper Attached to the Card

Failure to Protect Card

Agreement of the Consumer cannot limit Liability

The $50.00 and $500.00 limitation do not apply if the unauthorized transfer is made without an access device

Consumer Negligence Cannot Be Used to Impose Greater Loss

If consumer gives notice beyond 60 days, consumer’s liability will not exceed the amount of the unauthorized transfer that occur after the close of 60 days and before the notice and that would not have occurred had timely notice been given

This is the consumer liability!

FI is still liable for unauthorized EFTs within the first 60 days

Timeliness of Error NoticeReg. E 1005.6.3

Notice is given when a consumer takes steps “reasonably necessary” to provide the pertinent information

Notice may be in person, by phone, or in writing

Written notice is given when the consumer mails the notice or delivers it for transmission

•Whether or not “a particular employee or agent of the institution actually receives the information.”

Notice

If the consumer’s delay in providing notice was due to extenuating circumstances (e.g. vacations and hospitals)

Institution shall extend notice periods by a reasonable amount

Notice Extensions

A financial institution may require the consumer to give written confirmation of an error within 10 business days of an oral notice.

Must inform the consumer of this requirement and provide address where written notice is to be sent

Notice of Error from Consumer

General Returns

Available to the ODFI on the morning of the second banking day following the settlement date of the original entry

CCD & CTX

“2 day” return time frame with exceptions

Improper or Unauthorized Returns

60 days from settlement date

ACH Return Timeframes

ACH items may be returned 60 days from settlement date• Could possibly return beyond the 60 days by

contacting the ODFI

Obtain a Written Statement of Unauthorized Debit (WSUD)

RDFI must be prompt in crediting the account of the receiver

NACHA Rules

Error Resolution procedures

Consumer must notify the FI within 60 days of the transmission date of the statement containing alleged error

Provisional credit becomes final after investigation concludes that an error occurred

Regulation E

Consumers Right to Re-credit

The rights of the Receiver under the NACH A

Operating Rules are in addition to any rights

under Regulation E

ODFI warranty does not run out after the return time frames for unauthorized items

Requesting a copy of the authorization from the ODFI may be the investigation

– Don’t have the authorization = Warranty Breach

– Produce the authorization= take back credit after notifying the consumer

NACHA Rules and Regulation E

Regulation E deals with the banking relationship between the RDFI and the Receiver when dealing with unauthorized entries

Regulation E does not provide a mechanism for the RDFI to recoup the provisional credit

There is no conflict between the NACHA return time frame and Regulation E ..they do not do the same thing

NACHA Rules and Regulation E

Resolution process for each error should be logged

ACH Unauthorized/Improper returns should be logged

Written Statement of Unauthorized Debit (WSUD)

Notice of Final Credit for those transactions requiring a WSUD

Error Resolution Log

58

RDFI Audit of Federal Government Payments

Compliance with requirements as outlined in 31 CFR Part 210 and the Green Book

https://www.fiscal.treasury.gov/reference-guidance/green-book/

• Written procedures for steps to be taken upon learning of death of customer/member?

– DNE Processing

– Constructive knowledge

– All benefit payment/all accounts

– Front line staff

• Verify appropriate use of R14 (Death of Rep Payee) and R15 (Death of Beneficiary or Account Holder)

• Have branch and operations employees been trained on the Green Book

• Are you aware of recent updates?

Federal Government Payments

59

Reclamations

• A procedure used by the Federal government to recover benefit payments

• Specific payments subject to Reclamation (page 5-4)

• Must be sent within 120 days after the agency learns of death

• An RDFI is not liable for any post-death payments made more than six years prior to the date of the notice of reclamation

• Posting to Closed accounts

• ENR—Use Godirect.org

• Non Receipt request or Tele-Trace

• Closing an account receiving Federal Government Benefit Payments

• Garnishments– Able to identify Federal Government Payments that are protected

Government Payments

61

Originating DepositoryFinancial Institution (ODFI)

orThird Party Service Provider

orThird Party Senders

62

The ODFI has complete responsibility forentries containing its Routing Number within the Trace

Number that are transmitted into the ACH system

Originating DepositoryFinancial Institution (ODFI)

63

• ACH Rule Reference 2.2.1.1, 2.2.2.2, and 2.5.8.3

– Has an agreement been executed with each company and financial institution for whom the financial institution originates binding them to US law and the ACH Rules?

– Verify compliance with OFAC-enforced sanctions

– Third Party Senders

– Direct Senders

• Document procedures that allow the financial institution to approve every party for whom the processor sends files directly to the ACH Operator

Binding Agreements

64

• Three additional issues are required to be addressed in ACH Originator and Third Party Sender Agreements.

– The right of the ODFI to terminate or suspend the Originator

– The ability to audit the originator

– Any restrictions on the types of transactions allowed

Binding Agreements

65

• ACH Rule reference 2.2.3

• Review internal procedures to determine that exposure limits are established for each Originator

• Exposure limits should be reviewed periodically

• Entries initiated by Originators are to be monitored relative to the exposure limits across multiple settlement dates

• The restrictions on types of SEC code of originated entries need to be enforced

• Procedures for monitoring and what happens if established limits are exceeded

ODFI Exposure Limits

66

• ACH Rule reference 2.12.1, 2.12.5.1, 2.12.5.3 and Appendix Four

– Verify that the ODFI accepts return items

• Notify the originator or TPS

• Re-initiation of R01/R09

– Verify that dishonored returns are transmitted with 5 banking days of the settlement date of the return entry

– What procedures do you have to ensure this is done correctly?

– Are you or your originators correctly Reinitiating entries?

Return Items

67

• Define and establish standards for reinitiated entries

• Require reinitiated entries to have same Company Name, Company ID and Amount as original entry

– Content in other fields can be modified only to the extent necessary to correct an error or facilitate processing of an Entry.

• Standard use of Company Entry Description “RETRY PYMT”

• Identify practices that constitute improper re-initiation

• Give ACH Rules Enforcement Panel authority to determine whether a practice was improper re-initiation

• Improper reinitiated Entries can be returned as Unauthorized (R10)

Re-initiation

68

• ACH Rules Reference 2.11.1, 2.11.2

– Review internal procedures to ensure that information relating to NOCs and Corrected NOCs is provided to Originator within two banking days of settlement of the NOC or Corrected NOC

• What method is used to deliver NOC information?

– What process is in place to ensure that changes are made by the Originators?

Notifications of Change

69

• ACH Rules Reference 2.3.2.5, 2.5.18.6, 2.3.3.3

– What procedures are in place to request a copy of an authorization from an Originator?

– If requested by the RDFI, how do you ensure it is presented within the 10 banking days?

– For CCD, CTX Originators, can you provide the name and contact information within 10 banking days

Request for Authorization

70

• Provides a means for the RDFI to obtain a copy of an authorization or Originator contact information for a CCD or CTX entry

• Provides the Receiver “more concrete evidence” for disputing an entry if no authorization can be provided

• Requires the ODFI (upon receipt of RDFI’s written request) to provide the RDFI with either:– An accurate record of the Receiver’s authorization, or

– The Originator’s contact information• Originator’s name and phone

• Originator’s name and email address

• ODFI must provide within ten banking days without charge

• Requires the Originator to provide such information to the ODFI upon the ODFI’s request

• Audit ODFI

Proof of Authorization for Non-Consumer Debits

71

• ACH Rule reference 2.12.6

– Review internal procedures to ensure that, when agreed to by the ODFI, Permissible Return Entries are accepted

– R31 – Permissible Return• ODFI agrees to accept

– Notify receiving ACH staff

– Process

• Cannot dishonor

Permissible Returns

72

• Rule reference 2.3.3.2

– Verify Compliance with UCC 4A

• Customer Agreements

– Disclosure to Originators of CCD or CTX Entries

• Commercially Reasonable Security Procedures

• Are you the FI creating ACH files on the behalf of your originators? Do you have reasonable procedures to prevent errors?

UCC4A Compliance for Origination

73

• Utilize commonly accepted commercial practices among commonly situated Originators that conduct similar types of transactions– Verify commercially reasonable security measures are taken regarding

the delivery of payment data

– Verify the following disclosures have been provided to the Originator

• Security disclosure

• Provisional payment disclosure

• Choice of law disclosure

• RDFI reliance of account number only for posting

What Is Commercially Reasonable?

74

• ACH Rules Reference 2.2.1

– ODFI has utilized a commercially reasonable method to verify the identity of each Originator or Third-Party Sender that enters into an Origination Agreement with the ODFI

– When an ODFI has a relationship with a Third-Party Sender rather than with an Originator directly, also verify that the Third-Party Sender has utilized a commercially reasonable method to establish the identity of each Originator that enters into an Origination Agreement with the Third-Party Sender

Identity Verification

75

• ACH Rules Reference 2.8 and 2.9

– Verify that reversing entries and files are done in accordance with the requirements of the rules

Reversing File

76

• Provides an Originator/ODFI with an additional mechanism to resolve situations in which the use of the reversal process has resulted in an unintended credit to the Receiver

• Establishes the right of an ODFI to dishonor the Return Entry of either debit by using Return Reason Code R62, provided that the associated credit Entry was not also returned by the RDFI

Dishonored/Contested Reversal Issue

77

• Also establishes the right of an RDFI to contest this type of dishonored Return, using Return Reason Code R77, if either of the following conditions exists:

– the RDFI returned both the Erroneous Entry and the related Reversal; or

– the RDFI is unable to recover the funds from the Receiver

Dishonored/Contested Reversal Issue

78

• ACH Rules Reference 2.17.2

– Verify the ODFI has reported information on each originator or TPS if you have been requested by the national association

– .5% Unauthorized Return Rate

– Are you tracking returns?

ODFI Reporting Requirements

79

• The Return Rate threshold for unauthorized debits is 0.5%

– R05, R07, R10, R29 & R51

• Establishes a preliminary inquiry process to evaluate and research outlier cases in which an Originator’s administrative returns exceed 3% return rate level

– R02, R03, R04

• Establishes a preliminary inquiry process to evaluate and research outlier cases in which an Originator’s overall returns exceed 15% return rate level

– excludes RCK

Unauthorized Return Rate Thresholds

80

• ACH Rules Reference 2.17.1

– Verify that the ODFI has

– (1) registered its Direct Access status with the National Association

– (2) obtained the approval of its board of directors, committee of the board of directors, or its designee for each Direct Access Debit Participant

– (3) provided required statistical reporting for each Direct Access Debit Participant

– (4) notified the National Association of any change to the information previously provided with respect to any Direct Access Debit Participant

Direct Access Registration

81

• ACH Rules Reference 2.17.3

– Verify that the ODFI has • (1) stated to NACHA that it has no Third-Party Sender relationships

• (2) If it has, then register its Third-Party Senders with NACHA

• (3) Update the registration as necessary

Third-Party Sender Registration

82

• ACH Rules Reference Articles 2.1

– Ensure that Originators & TPS are kept informed of their obligations on a continuing basis• Document method of notifying Originators of changes to the ACH

Rules

• Do you audit your originators?

ODFI Requirements of Originator & Third Party Sender

83

• Verify that the ODFI has kept Originators and Third Party Senders informed of their responsibilities under these rules. (article Two, section 2.1)

• This section also applies to your financial institution for your own origination (e.g., loan payments and external account to account)

– Authorization requirements

– Prenotes

ODFI Requirements of Originators and Third Party Senders

• Explicitly apply certain risk management and Originator transaction monitoring

requirements to Third-Party Senders

• Require third-parties to provide proof of completion of a Rules compliance audit to its Participating DFI to fulfill request from NACHA

• Provide a list to the ODFI as stated in agreement

– When a new customer is added

– When requested

Third-Party Sender

• Authorization Requirements

– Originators are Obtaining Proper Authorization for ALL Entries• Authorizations MUST be in writing, signed by the customer, or

similarly authenticated

• 10 day rule for varying amount of debit

• 7 day rule for varying date of debit

• Retain for 2 years after last transaction

• Revocation language

• Copy of authorization to consumer

Originator Obligations

86

• Prenotifications– Prenotes are initiated three days prior to settlement date of first

live entry

– If returns relating to prenotifications received ensure that related entries are not initiated.

– Upon receipt of Notifications of Change, requested changes made prior to the initiation of the next entry

Originator Obligations

87

• Standard Entry Class Code• WEB Credit - P2P entry

• Company Name Field

– P2P Service Provider Name

• Company Identification

– P2P Service Provider ID Code

• Company Entry Description

– Identifies as Person to Person (P2P)

• Individual Identification Number

– Sender’s Name

Originator Obligations – WEB Credits

88

• TEL Obligations

– Verify for TEL entries the Originator is complying with:• Authorization requirements

• Verification of identity of receiver

• Verification of routing numbers

– Single vs Recurring• Single: Recording or Notice

• Recurring: Recording AND Notice

Originator Obligations

89

• WEB Obligations

– Outside originator vs FI doing WEB via internet banking system

– Authentication vs authorization

– Fraudulent detection

– Routing number validation

– Annual Audit

Originator Obligations

90

• Compile the information gathered in your audit working papers and funnel into the Audit Report

• You may want to also write up a summary of your findings for presentation to the board of directors

Write-up Audit Report

91

• You’re ready for your own AUDIT

• You have a good understanding of ACH Compliance

CONCLUSION

92

For you - compliance should be a snap!!

Top Five ACH Examination Findings

1) Lack of Senior Management & Board Oversight

2) Lack of Adequate MIS and Reporting

3) Lack of Monitoring

4) Inappropriate Approval Process (separation of duties)

5) Inadequate Limits or No Limits

93

Risk Assessment

94

Four Main Steps in the Risk Management Program

• Business Impact Analysis(BIA)

– Identification of potential impact of uncontrolled non-specific events on business functions and processes

• Risk Assessment

– Analysis of threats based upon business impact

– Prioritization of potential disruptions based on severity

95

Four Main Steps -continued• Risk Management

– Identification, assessment, and reduction of risk to an acceptable level

– Development, implementation, and maintenance of a written, enterprise-wide Risk Management Program

• Risk Monitoring and Testing

– Incorporate the BIA and Risk Assessment findings into the Risk Management Program

– Regular assessment and revision

96

Risk Assessment

Risk Assessment Objectives:

• Determine the inherent risks and risk factors within the bank’s ACH or retail payment activities

• Identify the key control practices to limit those risks

• Evaluate the effectiveness of those controls to mitigated the risks considering the likelihood and potential impact to its capital and earnings AND its regulatory compliance obligations

97

Risk Management and MitigationCommon Risk Management Issues:• Payments risk management not sufficient for scope

of activities (informal, decentralized, or missing)• Anxiety for income combined with passive oversight of third-party

sender or originator activity• Insufficient policies and expertise for the complexity of the

payment’s environment • Lack of adequate customer due diligence/underwriting for exposure

to credit or legal liability losses • Lack of effective oversight over third party senders• Limited FI board and senior management involvement• Insufficient risk monitoring and reporting • Inadequate NACHA Operating Rules, BSA/AML, or consumer

protection training

98

Risk Management and Mitigation

Risk Management Methods:

• Policies, standards, and risk limits

• Underwriting, due diligence, & oversight

• Contracts and agreements

• Transaction limits and controls

• Risk monitoring and reporting

• Audit and Control Testing

99

ACH Risk Management and Mitigation

Lower Risk and Lower Volume• Track daily, multi-day exposure limits• Track ACH volume and return trends and

compare to capital• Identify and track customer-specific

originations and returns (risk-based and/or volume-based threshold)

• Identify and track highest risk ACH originators

• ACH originator list with SEC code restrictions, limits, ACH line review date, and agreement date

• Track ACH over limits and exceptions• Track consumer use of internet payment

generation

Higher Risk and Higher Volume• All from lower risk plus:• ACH originations and returns by debits,

credits, SEC type, third-party sender, originator

• Track ACH reserve adequacy• High-risk ACH originator risk ranking

report• High-risk ACH , tracking returns by SEC

types and return code

100

Primary Risk Mitigation Tools – Consider frequency, audience, timeliness

Risk Management and Mitigation

Credit Risk can be mitigated by:• Thorough credit and financial analysis for originators, 3rd party vendors, &

3rd party senders• Ensure agreements are maintained & updated• Ensure policy includes a list of prohibited and high risk originators and SEC

codes w/ approval process• Establish risk-based debit and credit limits w/ exception approval

requirements• Effective customer activity monitoring and reporting• Establish appropriate pre-funding and reserve requirements

101

Management and Mitigation

Mitigate Compliance and Legal Risk by:• Implementing comprehensive BSA/AML, KYC, GLBA, and OFAC

screening policies and procedures• Conducting due diligence for unfair and deceptive practices by

originators and third party senders (e.g., FTC Telemarketer Rule)• Conducting adequate monitoring of 3rd parties to ensure

effectiveness of due diligence and monitoring processes• Performing required audits and independent reviews• Ensuring that all origination agreements and third party contracts

contain regulatory and compliance language• Ensuring proper monitoring and exceptions reporting• Ensuring that employees have the proper training

102

Risk Management and Mitigation

Risk Management and Mitigation

Mitigate Liquidity Risk by:• Monitoring volumes and trends

– Identifying peaks in usage– Tracking volatility in payments activity– Assessing impact on funding

• Use of prefunding and reserves to limit additional funding requirements

• Using expiration dates for higher limits for increased seasonal or temporary needs

• Identifying deposit concentrations from payment processing activity and assessing related volatility as a source of funds

103

Risk Management and Mitigation

Mitigate Reputational and Strategic Risks by:

• Conducting background checks on originators and third-party senders

• Expanding oversight of high-risk originators– NACHA Operating Rules

– Due diligence and risk management program

– Consumer complaints and litigation

– Regulatory actions

– Marketing and business practices

104

ACH related MIS should include:Portfolio-wide

– ACH origination volume compared to capital – ACH returns – ACH contract aging– Customer distribution by risk rating

Customer-specific– ACH origination volume trends– ACH return trends– Unauthorized Return types, volume, $, and % to total transaction Volume– Rules/contract violations– Times over limit– Changes in risk rating– Contract date

Note: If available, profitability analysis may be appropriate

105

106

Mitigate Operational Risks from Systems/Technology by:

• Establishing comprehensive vendor management program

• Establishing and monitoring effective service levels

• Ensuring daily monitoring and reporting of any issues

• Ensuring that employees have the proper training and expertise

• Ensuring appropriate access controls, authentication, separation of duties, and independent control reviews

• Ensuring consistent internal controls and processing procedures across multiple technology applications and platforms

• Ensuring adequate contingency plans and testing

• Performing adequate audits with NACHA Operating Rules as starting point

Risk Management and Mitigation

107

Mitigate Operational Risk from Fraud by:• Ensuring proper due diligence including background checks• Using fraud detection software to filter suspicious activity• Verification/validation of transmission• Anomalous transaction detection • Strict adherence to credit and other related policies• Ensuring that credit originators require pre-funding or more in-depth

financial analysis and underwriting• Ensuring appropriate limits are in place• Establishing adequate reserves for debit originators• Complying with NACHA and Operator rules/regulations• Requiring and enforcing updated agreements for all originators and third-

party senders• Monitoring activity and exceptions reports on a daily basis

Risk Management and Mitigation

NACHA Rule

Key Component of Rule AmendmentEffective June 18, 2010, the Rule requires all participating DFI’s to conduct a risk assessment of their ACH activities, and to implement risk management programsbased on the results of such assessments, in accordance with the requirements of their regulator(s)

108

Risk Assessment Rule

1) Assessing the nature of risk associated with ACH activity;

2) Performing appropriate know-your-customer due diligence;

3) Establishing controls for Originators, third-parties, and direct access to ACH Operator relationships; and

4) Having adequate management, information and reporting systems to monitor and mitigate risk

109

How Often?

• Have there been any changes in technology?

– Software, processors, new services

• Have there been change in the number of originators or types

• Have customer complaints increased

• Have there been any change in returns or charge offs?

• Have there been a change in personal?

110

FFIEC

• Made up of: (each may issue their own bulletins as well)– Federal Reserve– FDIC– OCC– NCUA– CFPB– State Regulators

• Issues guidance on key issues– Authentication in an Internet Banking Environment (and recently a supplement to that Guidance)– Risk Management of Remote Deposit Capture

• Issues and updates Handbooks on key topics such as:– IT (including ACH, check, RDC)– BSA (AML)– Business Continuity

111

Risk Management Overview - FFIEC

Financial institutions can mitigate many of the risks associated with electronic payments origination & processing:

Based on a comprehensive risk assessment of the financial institution’s electronic payments environment

Board and management oversight that establishes appropriate risk tolerances, effective reporting, employee training, and prudent vendor management practices

Leverage existing risk management processes– Involve risk management, compliance, and audit resources in the electronic payments risk

management effort

– Incorporate all payment products and services into a broader Payment Risk Management Program

112

Staff

• Is the FI’s board knowledgeable and capable of understanding the risks?

• Determine if the quality and levels of staffing are adequate

– Reports showing staffing levels, turnover, trends

– Level of skill

– Staffing levels for peak periods

– Adequacy and quality of staff resources

• AAP

113

Staff (cont.)

• There is adequate capacity for current and planned transaction volumes?

• Automated vs. manual processes

• Quality of controls

–Separation of duties

–Dual control

114

Policies

Policies should include:Goals and objectives of the program

Approved products and services

Prohibited Originators or Merchants

Third Party Senders

Exposure limits and Originator review

Contracts & Agreements

OFAC, PATRIOT Act, BSA/AML

115

Policies (cont.)

UCC4A provisions

Third Party Service Providers

Direct Access to the ACH Operator

File Delivery

Data Breach

ACH and Payment Product Audits

116

Review Originator Agreements

• Do the agreements adequately set forth the responsibilities of all parties?

• Do the agreements meet the requirements of the NACHA Operating Rules?

• Do the agreements mention funding arrangements, SEC codes allowed, Regulation CC, UCC 4A.

117

Third-Party Senders

• Non Contractual Relationship with Originators

• Need a specific contract to address risks

–Contract should include:ODFI approval of all originators

Exposure limits per originator

An exposure limit for the TPS

Method to identify each originator

• Third party sender audit required

118

Before Originating Same Day ACH: Some Risk Considerations

• Develop an overall strategy for offering Same Day ACH– Should Same Day be offered to all or select Originators?

• Not all customers may be suitable for same-day origination• Not all FI products may be suitable for same-day origination

– Determine how to identify those Originators or transaction types permitted to use Same Day ACH– Consider customer’s profile (i.e., business model) when offering Same Day ACH

• Current credit limits and risk rating• Prefunding and exposure • Authentication methods

• Review Files or have processes in place to determine compliance with Same Day eligibility rules– Ensure proper use of Effective Entry Date – Other indicators (Descriptive Date, Company Discretionary Data)– Transactions appropriate to the phase (Phase 1, Credits only)

•119

Vendor Management

• Assess management’s ability to manage outsourced relationships with technology service providers– Encrypt transactions while in route between service provider and

institution

– Contract provisions• Personnel, equipment

– Contingency planning

• Measurements specify what constitutes inadequate performance– Appropriate sanctions

• Reduction in fees etc.

120

Third-Party Service Provider Risks

• Is the vendor/service provider a strategic fit for your organization?

• Is the third-party financially stable?

• Does the system allow for scalability?

• Will you have online access to real-time reports?

• Can velocity limit parameters be established?

• Does the application provide process & system monitoring capabilities?

121

Information Security

• FIs should implement the appropriate physical and logical security controls

• Look at service providers and external networks

• Consider controls on:

– Origination, approval, transmission and storage of ACH and other payment product’s information

– Corporate Account Takeover

122

FFIEC Guidance: Internet Banking

• Risk Assessment – High Risk Transactions

• Customer Authentication for High‐Risk Transactions

• Layered Security ProgramsLayered security is characterized by the use of different controls at different points in a transaction process so that a weakness in one control is generally compensated for by the strength of a different control.

• Customer Awareness and Education

123

Mobile Financial Services (MFS)

Management should identify the risks associated with the types of MFS being offered as part of the institution’s strategic plan.

Operational Risk – identify risks how the device communicates with the POS or other terminals.SMS Technology Mobile -enabled websiteMobile ApplicationsMobile PaymentsCompliance RiskReputation Risk

124

Board of Directors and Cyber Security

Questions your Board of Directors should have answers to:

What is Management’s familiarity with cyber security and account takeover?

Has Management identified where and how there is risk of an attack?

Can your Management team articulate your institution’s account takeover risk and explain your procedures to mitigate, identify and respond to attacks?

125

Board of Directors

Questions your Board of Directors should have answers to:

Has Management assigned clear roles and responsibilities within this plan?

What are the communication plans in the event of an attack on your financial institution or business client?

Does Management have a handle on the cyber security of your third-party service providers?

126

Board of Directors

Board of Director Responsibilities:

Set or approve your financial institution’s risk tolerance and ensure Management targets your cyber security preparedness to align with that stated risk tolerance

Review, approve, and support your financial institution’s procedures to address risk management and control weaknesses

127

ODFI

• Exposure limits (both originator and TPS)

–Based on the originator’s credit rating

–Relative to all services i.e. (cross-channel)

–Written agreements with originators addressing exposure

–Consumer Internet Banking limits

– Increase in unauthorized triggers require re-evaluation

128

ODFI Reports

• Automated for returns (60-75 days)

–Unauthorized

– Invalid

–NSF and other

• Entries in excess of the exposure limit and approval

• Audits from Originators

129

Credit Risk• ODFI Exposure (Credit Entries)

– Period of time between the initiation of ACH credit file until the company funds the account

– Amount of risk based on total amount of the file • Up to 2 days

• ODFI Exposure (Debit Entries)

– Date funds available to Originator until debits can no longer be returned by RDFI’s• Up to 60 days from settlement for unauthorized• Can be 2 banking days for NSF/uncollected funds

– Amount of risk based on amount of individual or multiple returned ACH debits

130

ACH Funding

• Adequacy of funding before releasing the file to the Operator

• Prefunding

–Timing

–Blocks or separate account

131

RDFI

• Assess RDFI’s overdraft policies

– Customers/members

• Funds Availability

• RDFI established procedures to deal with consumers notifications regarding unauthorized or revocation

• Stop Payments

• Freeze accounts for blocked parties (OFAC)

132

ACH Accounting

• Balancing procedures

– General ledger

– ACH activity with pending file totals

– Separate accounts for returns, unposted

• Verifies the source of the files originated

• Separation of duties

• Customer profile change request

133

Business Continuity

• Ensure you have developed a plan to continue operations in case of a emergency

• Consider all risks

• Risk rate what is critical to operations

• TEST, TEST, TEST

• Look at third party vendors plans

134

Observations and the Future Risk assessments not well integrated into enterprise

risk assessment and management NACHA Operating Rules allow audits/assessments by

non-independent parties Risk assessments performed by staff with incomplete

understanding of industry/product risks “Generous” ratings for inherent risk and internal

controls Smaller firms challenged to provide separation of

duties Industry/products and risks continue to evolve rapidly

135

136

Conclusion

• As electronic payments volume, new products, and entry points continue to increase, financial institutions must have effective and comprehensive policies, procedures, and processes to identify, measure, and limit the risk to the bank and its customers.

• Financial institutions that process payments for third parties including payment processors and high risk merchants must implement enhanced risk management practices to protect against increased credit, compliance/legal, reputational, strategic, and operational risks.

Going Forward…

• Be aware of the Supplement to the Guidance on Authentication in an Internet Banking Environment and how it continues to evolve

• Watch for updates to the IT handbook

• Be sure your institution has done risk Assessments for ACH and RDC

• Use the material presented today to ensure you’ve covered all the appropriate topics in your Assessments

137

Risk Assessment• Examples of recent risk-management requirements and

guidance by regulators include:– OCC Bulletin 2006-39, Automated Clearing House Activities, September 1, 2006

(http://www.occ.treas.gov/ftp/bulletin/2006-29.pdf)

– FFIEC’s BSA/AML Examination Manual, 2007 edition (http://www.ffiec.gov/bsa_aml_infobase/documents/BSA_AML_Man_20 07.pdf (pages 199 through 205)

– OCC Bulletin 2008-12, Payment Processors, April 24, 2008 (http://www.occ.treas.gov/ftp/bulletin/2008-12.html)

– FDIC Financial Institution Letter 127-2008, Payment Processor Relationships, November 7, 2008 (http://www.fdic/gov/news/news/financial/2008/fil08127.html)

– FFIEC Guidance on Risk Management of Remote Deposit Capture, January 14, 2009 (http://www.ffiec.gov/pdf/pr011409_rde_guidance.pdf)

138

QUESTIONS

139

Resources

• WACHA- The Premier Payments Resource

• PAR- Payment Advisory Resource

HELP DESK

– Phone: 262-345-1245

– Toll Free: 800-453-1843

– Fax: 262-345-1246

– info@wacha.org

140