ACH Risk: Is It a Myth or Reality Mary Gilmeister, AAP, NCP President WACHA Fred Laing, II, AAP, CCM, NCP President UMACHA

Source: schd.ws/hosted_files/epcorpaymentsconferencefall2015/5b/10_Risk...


ACH Risk: Is It a Myth or Reality

Mary Gilmeister, AAP, NCP, President, WACHA

Fred Laing, II, AAP, CCM, NCP, President, UMACHA


Disclaimer

• WACHA and UMACHA, through their Direct Membership in NACHA, are specially recognized and licensed providers of ACH education, publications and support.

• Regional Payments Associations are directly engaged in the NACHA rulemaking process and Accredited ACH Professional (AAP) program.

• NACHA owns the copyright for the NACHA Operating Rules & Guidelines.

• The Accredited ACH Professional (AAP) is a service mark of NACHA.

• This material is derived from collaborative work product developed by NACHA - The Electronic Payments Association and its member Regional Payments Associations, and is not intended to provide any warranties or legal advice, and is intended for educational purposes only.

• This material is not intended to provide any warranties or legal advice, and is intended for educational purposes only.

• This document could include technical inaccuracies or typographical errors and individual users are responsible for verifying any information contained herein.

• No part of this material may be used without the prior written permission of WACHA/PAR

© 2015 PAR/WACHA & UMACHA, All rights reserved


Agenda

• Introduction

• Types of Risk

• Risk Management approaches for each type

• High level approaches to protect your institution


Is ACH Risky??

• Midway Airlines FAILS!

• ICN, a long distance carrier, declares Chapter 7 two days after a debit file is generated

• A hacker, working through a third party, sets up a bogus church account and steals over $100,000

• A bank's customer sends a file for $456,000; it turns out the item was NOT generated by the customer but by a hacker


What is ACH Credit Risk?

• The risk that a party to a transaction will be unable to provide the necessary funds for settlement to occur

  – Losses due to Credit Risk typically result from the failure or bankruptcy of a company

  – ODFIs are responsible for controlling credit risk

    • Develop and implement credit monitoring and control procedures


ACH Credit Risk

ODFI exposure (for credit entries)

• Period of time between the initiation of ACH credit file until the company funds the account

  – Up to 2 days

• Amount of risk based on total amount of the file


Credit Risk – ACH Debits

ODFI Exposure

• Date funds available to originator until debits can no longer be returned by RDFIs

• 2 Banking days (24 hrs)

• Up to 60 days from settlement

• Unauthorized could be returned as ODFI warrants authorization

• Amount of risk based on amount of returned ACH debit

NOTE: Statute of Limitations – 7 years for most states where the ODFI would still be liable


ODFI Credit Monitoring and Control Techniques

STEP 1 - Educate financial institution personnel

STEP 2 - Due diligence, including using existing credit ratings

STEP 3 - Establish exposure limits

  • Maximum dollars per file/batch

  • Maximum per entry (corporate entries)

  • Maximum exposure across product lines

  • Return percentages

STEP 4 - Establish procedures for “over limit” transactions (escalation)

STEP 5 - Provide ongoing maintenance (periodic review)


What is Operational Risk?

In the ACH payment system, operating risk is the risk that the exchange of ACH transactions will not be completed accurately or on time because of an operational failure at some point in the exchange process

Examples pictured: PC Failure, Disasters, Power Outages


Operational Failure

An operational failure is any disruption in normal processing including:

• Failure/Unavailability of Computer Hardware or Software,

• Disruptions in telecommunications equipment

and/or

• Advertent loss, alteration, or duplication of ACH data


Operational Risk Controls

Reliable equipment, regular maintenance, adequate backup

Detection and correction of “bugs” in software

Diagnostic tools, backup modes of transmissions

UPS systems, backup procedures in event of power failure

Good supervision, cross-training, audits

Disaster recovery plans

Corruption of ACH Data

File Accountability and Balancing

Secure Storage

Limited Access

Backup Copies

Audit Trails


What is Fraud Risk?

The risk that ACH data will be compromised through:

• introduction of false transactions

• alteration of valid transactions

• alteration of data that controls the routing or settlement of valid ACH transactions


Causes of Fraud Risk

Fraudulent activities are usually the work of:

• disgruntled or dishonest employees

• outside parties (such as intruders or interlopers)

• combination of both where two or more individuals are acting in collusion

Fraud can also be committed by an organization


Tools to Combat Fraud Risk

• Sound personnel practices

• Good physical security for computer, communications and ACH Operations areas

• Effective data security

• Rigorous control of all changes

• Operational controls as used to reduce Operational risk


• Third Party Senders are a subset of Third Party Service Providers

• Third Party Service Provider does NOT always act as a Third Party Sender

• A Third Party Sender is considered to be a Third Party Service Provider

• No contractual agreement between the ODFI and the Originator

Diagram labels: Third Party Service Providers; Third Party Sender; Sending Point; Receiving Point


Third Party Sender

Diagram labels: ODFI; ABC Company; Hardware Store; Payroll Company; Grocery; Bike shop; Church; Dry Cleaner; Day Care

No agreements with originators


Third Party Service Provider

Diagram labels: ODFI; Payroll Company; Grocery; Bike shop; Church; Dry Cleaner; Day Care

Co/ODFI Agreements


What is Systemic Risk?

The risk that the inability or unwillingness of one participant in a clearing and settlement network to settle its commitments will cause other network participants to be unable to settle their commitments.

Such a chain of events could undermine confidence in the nation’s payments system, and therefore systemic risk is of serious concern.


Higher Level Approaches to Managing Risk


ACH Origination Policy

Why do we need policies?

“...controls needed for an effective ACH risk management program include written policies...”

“...loan policies should include formal underwriting standards and an approval policy for ACH originators.”


With that Said... The FFIEC Guidance Says to...

(Federal Financial Institutions Examination Council - OCC, FDIC, OTS, NCUA & State Liaison Committee)

• Mitigate Fraud Risk through proper due diligence for all originators and strict adherence to ACH and credit policies

• Manage Credit Risk by establishing policies, procedures and limits that acknowledge the risks originators bring to an ACH operation

• Clear policies and procedures need to establish the proper control of these highly automated activities to manage the Operational Risk


ACH Origination Policy

Goals & Objectives in compliance with the Rules

Risk Management considerations

Products offered

Prohibited Originators

Third Party Senders

Agreements

Outlines steps taken to risk rate all originators and develop exposure limits to cover per file and multi-day exposure

Monitoring Exposure Limits/Over Limit Files


ACH Origination Policy, (Cont.)

• Timely review of Originators & Exposure Limits

• Return Monitoring

• Third Party Service Providers

• Direct Access Considerations

• File Delivery

• Data Breach

• OFAC & US Patriot Act

• UCC4A/Security Measures

• Contingency Plan

• ACH Audit & Risk Assessments


OFAC Policy

Guidelines for compliance with the requirements of OFAC.

Prohibited parties

Prohibited transactions

Training of employees in regards to OFAC compliance


Originator/ODFI Agreements

Defines parameters of relationship between parties

Transmittal of Entries and Security Procedures

Company Representations, Warranties & Agreements

Financial Institution Obligations

Company’s account

Exposure Limits

Due Diligence

Cancellation, Amendment of Entries

Rejection of Entries

Provisional Credit Notice

Reversals


Originator/ODFI Agreements (Cont.)

Notice of Returned Entries & Notification of Change

Entries Returned as Unauthorized

Unauthorized Return Rate in Excess of 1%

Periodic Statements

Fees

Liability

Rules Enforcement

Inconsistency of Name and Account Number

Rules Compliance Review-Right to Audit

The right of the ODFI to terminate or suspend the Originator

The ability to audit the originator

Any restrictions on the types of transactions allowed


National ACH Rules Enforcement System

• If the Rules have been violated (allegedly)

• Report of possible Rules Violation filed with NACHA

• Follow up is done within specific timeframes

• Depending on that follow-up the violation may go to the Enforcement Panel for review and possible fine

• Class 1 – recurrence

• Class 2 – Eight reasons

• Class 3 – Rules violation continues


National System of Fines

Types of Violations

• NOCs: 76.24%

• Invalid Accounts: 8.82%

• Authorization: 8.07%

• Returns: 5.13%

• ARC: 1.04%

• RCK: 0.29%

• Prenotes: 0.17%

• Reversals: 0.12%

• ODFI Reporting: 0.06%

• POP: 0.06%


ODFI Audit Requirements

Delivery of NOC information within 2 days

Request for authorization

Permissible Return entry acceptance

Compliance with UCC 4A (Disclosures/agreements)

Verify identity of originators that use an unsecured electronic network

Reversing files and entries follow the rules

BOC entry compliance

ODFI reporting to NACHA when requested

Direct Access registration


ODFI Audit Requirements

Ensure originators are informed and in compliance with:

How do you keep educated on proper processing and Rule changes?

Originator Audits

Third Party Audit requirements

Authorization requirements

Pre-note requirements

Usage of correct SEC codes

Usage of correct company name

Requirements for POP entries

Proper Authorization/Notice/Receipt

Requirements for TEL entries

Proper Authorization/Verification of identity/verification of Routing number

Single vs Recurring

Notices


ODFI Audit Requirements

Requirements for ARC entries

Notice/storage

Requirements for RCK entries

Requirements for WEB entries

Originators have fraudulent transaction detection systems in place

Originators verify the identity of each receiver

Evidence of assent (electronic signature)

Each Routing and Transit number has been verified

Originators will conduct an annual security audit


ACH Risk Assessment

The Rules require all participating DFIs to conduct a risk assessment of their ACH activities, and to implement risk management programs based on the results of such assessments, in accordance with the requirements of their regulator(s)


ACH Risk Assessment

1) Assess the nature of risk associated with ACH activity;

2) Perform appropriate know-your-customer due diligence;

3) Establish controls for Originators, third-parties, and direct access to ACH Operator relationships

4) Have adequate management, information and reporting systems to monitor and mitigate risk


QUESTIONS


Please fill out your Evaluations


Contact Info:

Mary Gilmeister, AAP, NCP

President

WACHA

[email protected]

Fred Laing, II, AAP, CCM, NCP

President

UMACHA

[email protected]