ACH Risk: Is It a Myth or Reality?
Mary Gilmeister, AAP, NCP
President
WACHA
Fred Laing, II, AAP, CCM, NCP
President
UMACHA
Disclaimer
• WACHA and UMACHA, through their Direct Membership in NACHA, are specially recognized and licensed providers of ACH education, publications and support.
• Regional Payments Associations are directly engaged in the NACHA rulemaking process and Accredited ACH Professional (AAP) program.
• NACHA owns the copyright for the NACHA Operating Rules & Guidelines.
• The Accredited ACH Professional (AAP) is a service mark of NACHA.
• This material is derived from collaborative work product developed by NACHA The Electronic Payments Association and its member Regional Payments Associations, and is not intended to provide any warranties or legal advice, and is intended for educational purposes only.
• This document could include technical inaccuracies or typographical errors and individual users are responsible for verifying any information contained herein.
• No part of this material may be used without the prior written permission of WACHA/PAR
© 2015 PAR/WACHA & UMACHA, All rights reserved
Agenda
Introduction
Types of Risk
Risk Management approaches for each type
High level approaches to protect your institution
Is ACH Risky??
Midway Airlines FAILS!
ICN, a long distance carrier, declares Chapter 7 two days after a debit file is generated
A hacker, working through a third party, sets up a bogus church account and steals over $100,000
A bank's customer sends a file for $456,000; it turns out the item was NOT generated by the customer but by a hacker
Types of Risk (FFIEC based)
Credit
Operational
Fraud
Systemic
Reputational
Third-Party
What is ACH Credit Risk?
• The risk that a party to a transaction will be unable to provide the necessary funds for settlement to occur
– Losses due to Credit Risk typically result from the failure or bankruptcy of a company
– ODFIs are responsible for controlling credit risk
• Develop and implement credit monitoring and control procedures
ACH Credit Risk – ODFI Exposure (for credit entries)
Period of time between the initiation of the ACH credit file until the company funds the account: up to 2 days
Amount of risk based on total amount of the file
Credit Risk – ACH Debits
ODFI Exposure: date funds are made available to the originator until debits can no longer be returned by RDFIs
– 2 Banking days (24 hrs)
– Up to 60 days from settlement: unauthorized debits could be returned, as the ODFI warrants authorization
Amount of risk based on amount of returned ACH debit
NOTE: Statute of Limitations – 7 years for most states where the ODFI would still be liable
ODFI Credit Monitoring
and Control Techniques
STEP 1 - Educate financial institution personnel
STEP 2 - Due diligence, including using existing credit ratings
STEP 3 - Establish exposure limits
– Maximum dollars per file/batch
– Maximum per entry (corporate entries)
– Maximum exposure across product lines
– Return percentages
STEP 4 - Establish procedures for “over limit” transactions (escalation)
STEP 5 - Provide ongoing maintenance (periodic review)
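As an added illustration of Steps 3 and 4 (example code, not from the slides), the sketch below checks an originator's file against per-entry, per-file and multi-day exposure limits and the 1% unauthorized return rate named later in the Originator/ODFI agreement, and returns the escalation reasons for an "over limit" file. The limit values, the cents-based amounts and the data layout are assumptions; the 60-day window and the 1% threshold are the figures the slides give.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
# Constants taken from the slides: consumer debits can be returned as unauthorized
# up to 60 days from settlement; the ODFI agreement flags a return rate above 1%.
RETURN_WINDOW_DAYS = 60
UNAUTH_RETURN_RATE_LIMIT = 0.01

@dataclass
class Limits:  # exposure limits for one originator; amounts in cents (assumed values)
    per_entry: int
    per_file: int
    open_exposure: int  # multi-day: debits still inside the return window

@dataclass
class Originator:
    limits: Limits
    settled_debits: dict = field(default_factory=dict)  # settlement date -> debit total
    debits_originated: int = 0
    unauthorized_returns: int = 0

def open_exposure(orig: Originator, as_of: date) -> int:
    """Debit dollars an RDFI could still return as unauthorized on `as_of`."""
    cutoff = as_of - timedelta(days=RETURN_WINDOW_DAYS)
    return sum(amt for day, amt in orig.settled_debits.items() if day > cutoff)

def unauthorized_return_rate(orig: Originator) -> float:
    """Unauthorized returns as a fraction of debit entries originated (0 if none)."""
    return orig.unauthorized_returns / orig.debits_originated if orig.debits_originated else 0.0

def check_file(orig: Originator, entries: list, settlement: date) -> list:
    """STEP 3/4: test a file of (amount_cents, is_debit) entries; non-empty = escalate."""
    reasons = []
    amounts = [amt for amt, _ in entries]
    new_debits = sum(amt for amt, is_debit in entries if is_debit)
    if any(a > orig.limits.per_entry for a in amounts):
        reasons.append("entry exceeds per-entry limit")
    if sum(amounts) > orig.limits.per_file:
        reasons.append("file total exceeds per-file limit")
    if open_exposure(orig, settlement) + new_debits > orig.limits.open_exposure:
        reasons.append("projected open exposure exceeds multi-day limit")
    if unauthorized_return_rate(orig) > UNAUTH_RETURN_RATE_LIMIT:
        reasons.append("unauthorized return rate above 1%")
    return reasons

def accept_file(orig: Originator, entries: list, settlement: date) -> None:
    """Book a file that passed the check so later files see its open exposure."""
    debits = [amt for amt, is_debit in entries if is_debit]
    orig.settled_debits[settlement] = orig.settled_debits.get(settlement, 0) + sum(debits)
    orig.debits_originated += len(debits)
```

A file that passes with an empty reason list is booked with accept_file; any non-empty list is the escalation trigger of Step 4, and the periodic review of Step 5 is where the limits themselves get revisited.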
What is Operational Risk?
In the ACH payment system, operating risk is the risk that the exchange of ACH transactions will not be completed accurately or on time because of an operational failure at some point in the exchange process.
Examples: PC failure, disasters, power outages
Operational Failure
An operational failure is any disruption in normal processing including:
Failure/unavailability of computer hardware or software,
Disruptions in telecommunications equipment
and/or
Inadvertent loss, alteration, or duplication of ACH data
Examples of Operating Risk
Hardware, software, telecommunications and power failure
Human error
– late returns
– timeliness of reconciliation
– aged items
– out of balance conditions
Staffing problems
– lack of training
– sick or vacationing staff
Operational Risk Controls
Reliable equipment, regular maintenance, adequate backup
Detection and correction of “bugs” in software
Diagnostic tools, backup modes of transmission
UPS systems, backup procedures in event of power failure
Good supervision, cross-training, audits
Disaster recovery plans
Controls against corruption of ACH data:
– File accountability and balancing
– Secure storage
– Limited access
– Backup copies
– Audit trails
What is Fraud Risk?
The risk that ACH data will be compromised through:
introduction of false transactions
alteration of valid transactions
alteration of data that controls the routing or settlement of valid ACH transactions
Causes of Fraud Risk
Fraudulent activities are usually the work of:
disgruntled or dishonest employees
outside parties (such as intruders or interlopers)
a combination of both, where two or more individuals are acting in collusion
Fraud can also be committed by an organization
Tools to Combat Fraud Risk
Sound personnel practices
Good physical security for computer, communications and ACH Operations areas
Effective data security
Rigorous control of all changes
Operational controls as used to reduce Operational risk
What is Reputational Risk?
Risk that actions or events that take place involving your institution will affect your reputation.
• Third Party Senders are a subset of Third Party Service Providers
• A Third Party Service Provider does NOT always act as a Third Party Sender
• A Third Party Sender is considered to be a Third Party Service Provider
• No contractual agreement between the ODFI and the Originator
[Diagrams: Third Party Service Provider and Third Party Sender models. Roles shown: Sending Point, Receiving Point, Third Party Sender, Third Party Service Provider, ODFI. Originators shown: ABC Company, Hardware Store, Payroll Company, Grocery, Bike shop, Church, Dry Cleaner, Day Care. Annotations: “No agreements with originators”; “Co/ODFI Agreements”.]
What is Systemic Risk?
The risk that the inability or unwillingness of one participant in a clearing and settlement network to settle its commitments will cause other network participants to be unable to settle their commitments
Such a chain of events could undermine confidence in the nation’s payments system; systemic risk is therefore of serious concern.
Higher Level Approaches to Managing Risk
ACH Origination Policy
Why do we need policies?
“..controls needed for an effective ACH risk management program include written policies...”
“…loan policies should include formal underwriting standards and an approval policy for ACH originators.”
With that Said…. The FFIEC Guidance Says to…
(Federal Financial Institution Examination Council - OCC, FDIC, OTS, NCUA & State Liaison Committee)
• Mitigate Fraud Risk through proper due diligence for all originators and strict adherence to ACH and credit policies
• Manage Credit Risk by establishing policies, procedures and limits that acknowledge the risks originators bring to an ACH operation
• Clear policies and procedures need to establish the proper control of these highly automated activities to manage the Operational Risk
ACH Origination Policy
Goals & Objectives in compliance with the Rules
Risk Management considerations
Products offered
Prohibited Originators
Third Party Senders
Agreements
Outlines steps taken to risk rate all originators and develop exposure limits to cover per file and multi-day exposure
Monitoring Exposure Limits/Over Limit Files
ACH Origination Policy, (Cont.)
• Timely review of Originators & Exposure Limits
• Return Monitoring
• Third Party Service Providers
• Direct Access Considerations
• File Delivery
• Data Breach
• OFAC & US Patriot Act
• UCC4A/Security Measures
• Contingency Plan
• ACH Audit & Risk Assessments
OFAC Policy
Guidelines for compliance with the requirements of OFAC.
Prohibited parties
Prohibited transactions
Training of employees in regards to OFAC compliance
Agreements
Originator/ODFI Agreement
Third-Party Sender Agreement
Third-Party Processor Agreement
Agreement with the ACH Operator
Originator/ODFI Agreements
Defines parameters of relationship between parties
Transmittal of Entries and Security Procedures
Company Representations, Warranties & Agreements
Financial Institution Obligations
Company’s account
Exposure Limits
Due Diligence
Cancellation, Amendment of Entries
Rejection of Entries
Provisional Credit Notice
Reversals
Originator/ODFI Agreements (Cont.)
Notice of Returned Entries & Notification of Change
Entries Returned as Unauthorized
Unauthorized Return Rate in Excess of 1%
Periodic Statements
Fees
Liability
Rules Enforcement
Inconsistency of Name and Account Number
Rules Compliance Review / Right to Audit
The right of the ODFI to terminate or suspend the Originator
The ability to audit the originator
Any restrictions on the types of transactions allowed
National ACH Rules Enforcement System
• If the Rules have been violated (allegedly)
• Report of possible Rules Violation filed with NACHA
• Follow up is done within specific timeframes
• Depending on that follow-up the violation may go to the Enforcement Panel for review and possible fine
• Class 1 – recurrence
• Class 2 – Eight reasons
• Class 3 – Rules violation continues
National System of Fines
Types of Violations (percentage of total):
NOCs – 76.24%
Invalid Accounts – 8.82%
Authorization – 8.07%
Returns – 5.13%
ARC – 1.04%
RCK – 0.29%
Prenotes – 0.17%
Reversals – 0.12%
ODFI Reporting – 0.06%
POP – 0.06%
ODFI Audit Requirements
Delivery of NOC information within 2 days
Request for authorization
Permissible Return entry acceptance
Compliance with UCC 4A (Disclosures/agreements)
Verify identity of originators that use an unsecured electronic network
Reversing files and entries follow the rules
BOC entry compliance
ODFI reporting to NACHA when requested
Direct Access registration
ODFI Audit Requirements
Ensure originators are informed and in compliance with:
(How do you keep educated on proper processing and Rule changes?)
Originator Audits
Third Party Audit requirements
Authorization requirements
Pre-note requirements
Usage of correct SEC codes
Usage of correct company name
Requirements for POP entries
– Proper Authorization/Notice/Receipt
Requirements for TEL entries
– Proper Authorization/Verification of identity/verification of Routing number
– Single vs Recurring
– Notices
ODFI Audit Requirements
Requirements for ARC entries
– Notice/storage
Requirements for RCK entries
Requirements for WEB entries
– Originators have fraudulent transaction detection systems in place
– Originators verify the identity of each receiver
– Evidence of assent (electronic signature)
– Each Routing and Transit number has been verified
– Originators will conduct an annual security audit
ACH Risk Assessment
The Rules require all participating DFIs to conduct a risk assessment of their ACH activities, and to implement risk management programs based on the results of such assessments, in accordance with the requirements of their regulator(s).
ACH Risk Assessment
1) Assess the nature of risk associated with ACH activity;
2) Perform appropriate know-your-customer due diligence;
3) Establish controls for Originators, third-parties, and direct access to ACH Operator relationships
4) Have adequate management, information and reporting systems to monitor and mitigate risk
QUESTIONS
Please fill out your Evaluations
Contact Info:
Mary Gilmeister, AAP, NCP
President
WACHA
Fred Laing, II, AAP, CCM, NCP
President
UMACHA