Agenda
- The ACH Network
- NACHA Risk Management Strategy
- Risk Management Rules & Initiatives
  - Network Enforcement Rule
  - Direct Access Registration Rule
  - ACH Security Framework
  - Corporate Account Takeover
  - ACH Benchmarking
  - Third Party Senders
  - Terminated Originator Database
- How Banks Approach ACH Credit Risk Exposure
The ACH Network
The ACH Network is a batch processing, store-and-forward system, governed by the NACHA Operating Rules.
ACH payments include:
- Direct Deposit of payroll, Social Security and other government benefits, and tax refunds
- Direct Payment of consumer bills such as mortgages, loans, utility bills, and insurance premiums
- Business-to-Business payments
- e-Checks
- e-Commerce payments
- Federal, state, and local payments
2010 Growth of Selected ACH Applications

| Application | Growth / Decline | Description of Application |
|---|---|---|
| ARC | -8.5% | Conversion of Checks to ACH in a Lockbox Environment |
| BOC | 12.9% | Conversion of Checks to ACH in a Back Office Environment |
| CCD | 3.4% | Corporate Credit or Debit – Primarily B2B Transactions |
| CIE | 15.6% | Customer Initiated Entries – ACH Credits initiated by Consumers for Bill Payments |
| CTX | 11.1% | Corporate Trade Exchange – Primarily B2B Transactions |
| POP | 6.8% | Point of Purchase – Conversion of Checks to ACH at the Point of Purchase |
| PPD | 3.1% | Pre-Authorized Consumer Payments such as Insurance & Health Club Dues |
| RCK | -28.2% | Conversion of Deposited Insufficient Funds Items from Check to ACH |
| TEL | | ACH Transaction Initiated by an Oral Authorization provided over the Telephone |
| WEB | 7.4% | ACH Transaction Initiated by an Authorization Provided via the Internet |
| Overall | | Overall ACH Network Growth |

(The slide gives no growth figure for TEL or for the overall Network.)
NACHA
- NACHA supports the growth of the ACH Network by managing its development, administration, and governance
- NACHA represents nearly 11,000 financial institutions through 17 regional payments associations and direct membership
- Through its industry councils and forums, NACHA brings together payments system stakeholder organizations to encourage the efficient utilization of the ACH Network, and to develop new ways to use the Network to benefit its diverse set of participants
NACHA
- NACHA occupies a unique role in the association world, serving as both an industry trade association and the administrator of the Automated Clearing House (ACH) Network
- In its role of ACH Network Administrator, NACHA is responsible for four key functional areas:
  - NACHA Operating Rules
  - Network Enforcement & Risk Management
  - Network Strategy & Outreach
  - Advanced Payment Solutions
Key NACHA Roles
Support for the industry, facilitating the balance of risk and innovation:
- Dialogue
- Education
- Advocacy
- Enforcement
- Rules Creation
- Risk
- Collaboration
- Innovation
NACHA – Enforcement & Risk Management
Network Enforcement & Risk Management:
- NACHA develops and implements a comprehensive, end-to-end risk management framework
- Collectively, the strategy addresses risk and quality in the ACH Network
- Areas of responsibility include:
  - Arbitration Board
  - National System of Fines
  - Risk Investigations & Services
  - Risk Management Advisory Group
  - Risk Management Support & Communications
Risk Management as a Strategic Priority – NACHA’s Risk Management Advisory Group
The RMAG currently consists of representation from:
- The 2 gateway operators (Federal Reserve and EPN)
- 15 financial institutions
- 6 Regional Payment Associations
Achievements include significant contributions to the NACHA rule making process and to Network education around the changing face of ACH payments risk.
- Advises the NACHA Board and works with staff to guide and implement the risk management strategy
- Plays a vital role in developing and providing a comprehensive approach to Network risk management
- Works with NACHA staff and key industry stakeholders to produce sound business practices and rules recommendations, and to share findings with payments professionals across payments channels
Risk / Quality Continuum
Risk and quality improvements cannot be accomplished through a single effort or one all-encompassing rule change. Each initiative is a complementary piece of the entire strategy.

[Figure: initiatives plotted on two axes, Risk Strength of Initiative (Low to High) and Quality Strength of Initiative (Low to High)]
- ACH Security Framework: Data Security; Authentication; Data Breach Policy
- Targeted Enforcement: Unauthorized Trigger; Reporting; Fines; Possible Suspension
- Operator/NACHA Tools: ODFI Understanding/New ODFI Training; FI Contact & Communications; Data Review
- Sound Business Practices: Corporate Account Takeover; Third-Party Risk; Direct Access Credit; Risk Management
- Assessment & Audit: Compliance Assessment Requirements; Regulatory Compliance; Enhanced ACH Audits
- Data Sharing: Originator Watch List; Terminated Originator Database; Direct Access Registration; Data Review
- ACH Benchmarking: FI to FI Peer Group; Industry Collaboration with ABA
- Quality Initiatives: Misuse of Codes; WSUD/Unauthorized; Adjustments
ACH Return Rates – Industry Return Rates, 2010 (ACH Network: 1.00% total, 0.64% NSF)

| | Total | NSF | Invalid | Unauthorized |
|---|---|---|---|---|
| ACH Network | 1.00% | 0.64% | 0.18% | 0.02% |
| Credits – All SEC’s | 0.20% | 0.00% | 0.12% | |
| Debits – All SEC’s | 1.56% | 1.07% | 0.23% | 0.03% |
| PPD Credits | 0.15% | | | |
| PPD Debits | 2.26% | 1.62% | 0.04% | |
| ARC | 0.31% | 0.10% | | |
| BOC | 1.45% | 1.03% | 0.21% | 0.01% |
| POP | 0.96% | 0.75% | | |
| RCK | 60.88% | 49.81% | 1.87% | 0.07% |
| TEL | 5.74% | 3.93% | 1.21% | 0.11% |
| WEB | 1.33% | 0.87% | 0.24% | |

(The slide left several cells blank. Values in incomplete rows are listed in the order the slide gives them, so the last value in such a row may belong to either the Invalid or the Unauthorized column.)
Risk Continues to be Well Managed – While New Threats Continue to Emerge

[Chart annotated with: Network Enforcement Rule; Company Name Rule; 2010 Decline – 10.9%]
Network Enforcement Rule – March 2008
Enhanced National System of Fines:
- Sets higher fine levels
- Establishes the authority for the ACH Rules Enforcement Panel to direct an ODFI to suspend an Originator/Third-Party Sender from originating
- Effective December 21, 2007
ODFI Reporting Requirements:
- Ensures ODFI’s Originators or Third-Party Senders do not exceed a return rate of 1% for unauthorized entries
- Requires ODFIs to reduce unauthorized return rates below the threshold
- Defines circumstances under which NACHA may initiate a rules enforcement proceeding related to unauthorized return rates above the threshold
Network Enforcement Rule Evaluation
Currently evaluating the effectiveness of the Network Enforcement Rule since implementation in 2008:
- The overall number of unauthorized returns is down
- The overall percentage of unauthorized returns is down
- Problematic rates are 0.50% - 0.99%
- Currently, the ODFI has 60 days after receipt of NACHA’s written request to reduce their Originator’s or Third-Party Sender’s return rate for unauthorized reasons to below 1% before being subject to the National System of Fines
- The current 1% threshold for debit entries returned as unauthorized is 33 times the 2010 unauthorized return rate for all ACH debits (0.03%)
- Experience has shown that the 60-day time period is ineffective for risk management purposes
- Some Originators generate a large volume of unauthorized returns, which is problematic in itself, yet never exceed the current threshold because the volume of transactions they originate is so high
Network Enforcement Rule Evaluation
- NACHA’s Rule Making Process recently issued a Request For Comment (RFC) which included a proposal to reduce the unauthorized return threshold from the existing rate of 1%, down to 0.75%, and then eventually to 0.50%
- The Request For Comment also included a proposal to modify the time period before fines are possible for the over-threshold activity by reducing the 60-day period
Network Enforcement Rule Evaluation
There is also an opportunity to enhance the effectiveness of the Rule by spotlighting “Invalid returns.” Invalid returns include:
- R03 – No Account / Unable to Locate Account
- R04 – Invalid Account
Often, there is a correlation between Originators who have high return rates for “unauthorized” transactions and high return rates for “invalid” transactions. For instance, returns for invalid account information may occur when an Originator is phishing for valid account numbers.
- The Request For Comment included a proposal for establishing a 1% threshold on invalid returns.
- RMAG, through a white paper, is developing sound business practices surrounding the issue of returns for invalid account information and educating on the potential correlation between “invalid” and “unauthorized” returns
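The threshold logic from the evaluation slides above, as an added example (not NACHA's code or a NACHA tool): it rates constructed per-Originator return counts against the current 1% unauthorized threshold, the proposed 0.75% and 0.50% steps, the proposed 1% invalid threshold, the 0.50%–0.99% "problematic" band, and the volume-masking gap the slides describe. The set of return reason codes counted as "unauthorized" and the `large_count` cut-off are assumptions made for this example.

```python
"""Return-rate monitor for the unauthorized and invalid thresholds above.

Added example, not NACHA code. Uses constructed per-Originator counts.
"""
from collections import namedtuple

# Thresholds stated on the slides, as fractions of debit entries originated.
UNAUTHORIZED_THRESHOLDS = {
    "current": 0.0100,          # 1% today
    "proposed_step1": 0.0075,   # RFC proposal: 0.75%
    "proposed_step2": 0.0050,   # RFC proposal: eventually 0.50%
}
INVALID_THRESHOLD = 0.0100      # RFC proposal: 1% for invalid returns
PROBLEMATIC_BAND = (0.0050, 0.0099)  # slide: rates of .50% - .99% are problematic

# Which reason codes count as "unauthorized" is an assumption for this example
# (R07 authorization revoked, R10 customer advises not authorized, R29 corporate
# customer advises not authorized). R03/R04 are the invalid codes from the slide.
UNAUTHORIZED_CODES = {"R07", "R10", "R29"}
INVALID_CODES = {"R03", "R04"}

Originator = namedtuple("Originator", "name originated returns")

# Constructed sample: debit entries originated and returns by reason code.
SAMPLE = [
    Originator("acme-gym", 20_000, {"R01": 300, "R10": 140, "R03": 20}),
    Originator("bigbox-web", 5_000_000, {"R01": 40_000, "R10": 9_000, "R07": 1_000, "R04": 3_000}),
    Originator("tele-sales", 4_000, {"R01": 200, "R10": 60, "R03": 30, "R04": 20}),
    Originator("payroll-co", 80_000, {"R01": 50, "R10": 4}),
]


def evaluate(records, large_count=5_000):
    """Rate each Originator against the thresholds and raise analyst flags.

    large_count is an assumed absolute number of unauthorized returns that is
    treated as problematic even when sheer origination volume keeps the rate
    under every threshold (the gap the slides describe).
    """
    report = {}
    for rec in records:
        unauth = sum(n for c, n in rec.returns.items() if c in UNAUTHORIZED_CODES)
        invalid = sum(n for c, n in rec.returns.items() if c in INVALID_CODES)
        u_rate = unauth / rec.originated
        i_rate = invalid / rec.originated
        over = [label for label, t in UNAUTHORIZED_THRESHOLDS.items() if u_rate > t]
        low, high = PROBLEMATIC_BAND
        report[rec.name] = {
            "unauthorized_rate": u_rate,
            "invalid_rate": i_rate,
            "unauthorized_over": over,                  # thresholds exceeded
            "problematic_band": low <= u_rate <= high,  # under 1% but still a concern
            "invalid_over": i_rate > INVALID_THRESHOLD,
            # many unauthorized returns hidden by volume: no threshold tripped
            "volume_masked": unauth >= large_count and not over,
        }
    return report


def needs_review(report):
    """Names of Originators with any flag set, for the ODFI's follow-up queue."""
    return sorted(
        name for name, r in report.items()
        if r["unauthorized_over"] or r["problematic_band"]
        or r["invalid_over"] or r["volume_masked"]
    )


if __name__ == "__main__":
    rep = evaluate(SAMPLE)
    for name in needs_review(rep):
        r = rep[name]
        flags = [k for k in ("unauthorized_over", "problematic_band",
                             "invalid_over", "volume_masked") if r[k]]
        print(f"{name}: unauthorized {r['unauthorized_rate']:.2%}, "
              f"invalid {r['invalid_rate']:.2%}, flags {flags}")
```

Note that "bigbox-web" trips no rate threshold at all despite 10,000 unauthorized returns, which is exactly the case the slides say the current rule misses.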
Direct Access Registration Rule
- The Direct Access Registration Rule requires all ODFIs to register their Direct Access Debit Participant status with NACHA
- Direct Access is defined as a situation in which an Originator, Third-Party Sender, or a Third-Party Service Provider transmits credit or debit entries directly to an ACH Operator (Fed or EPN) using an ODFI’s routing number and settlement account
- A Direct Access Debit Participant is an Originator, Third-Party Sender, or a Third-Party Service Provider with Direct Access for the origination of debit entries except: (i) a Third-Party Service Provider that transmits ACH files solely on behalf of an ODFI where that Third-Party Service Provider does not have a direct agreement with an Originator (and is not itself an Originator), or (ii) an ODFI that transmits files using another Participating DFI’s routing number and settlement account
- Ongoing monitoring of Direct Access Debit Participant registration
  - High-level, aggregate information
- Developing sound business practices
  - Direct Access Credit Participant relationships
  - Credit Risk
  - Know Your Customer
  - Monitoring
  - Rules Compliance
  - Regulatory Compliance
Direct Access Debit Participant Example
- This is just one example of a Direct Access Debit Participant relationship
- Direct Access can exist in many scenarios, but may not be required to be registered based on the exclusions to the definition

[Diagram: Originators -> Third-Party using ODFI RTN -> ACH Operator, with the ODFI alongside]
- It is incumbent on the ODFI to determine its Direct Access status and register accordingly
- The ODFI must define its specific relationship(s) with Third-Parties and Originators
ACH Security Framework Initiative
- RMAG has teamed with NACHA’s Internet Council to develop a proposal for an ACH Security Framework
- Consideration of FFIEC Guidance on Authentication in an Internet Banking Environment (2005; and supplement issued June 28, 2011)
- Framework will ensure that the ACH Network remains high-quality
- Framework will reflect the unique characteristics of the ACH Network
- The intent is to ensure basic data security obligations for Network participants to protect data in their purview
- Many, if not most, financial institutions and other ACH participants are likely to already have these practices in place
- Rules will codify these practices and ensure they exist Network-wide
- NACHA’s Rule Making Process recently issued a Request For Information (RFI) and is currently compiling industry responses
Corporate Account Takeover Initiative
- Corporate Account Takeover is a type of business identity theft in which a criminal entity steals a company’s valid online banking credentials
- Attacks are typically perpetrated quietly, by the introduction of malware through a simple or infected website
- For businesses that have low resistance to such methods of attack, the malware introduced onto their systems may remain undetected for weeks and even months
- By introducing layered security processes and procedures, technological and otherwise, and other tightened security efforts, financial institutions can help protect businesses from criminals seeking to drain accounts and steal confidential information
Corporate Account Takeover Initiative
Have introduced a Board Policy on the Importance of Sound Business Practices to Mitigate Corporate Account Takeover:
ODFIs should vigilantly and proactively protect against this type of fraud in various ways, including:
- Implementing systems designed to prevent and detect attempts to access a business’ banking credentials
- Keeping their customers informed about the importance of implementing their own systems and sound business practices to protect themselves
- Taking a risk-based approach tailored to their individual characteristics and their customers to avoid losses and liability for themselves and other ACH participants
- Periodically reviewing and updating customer guidance in response to developments in the methods used by cyber thieves to perpetrate Corporate Account Takeover

NACHA Board of Directors Policy Statement:
- ODFIs should take a risk-based approach tailored to their individual characteristics and their customers
- ODFIs should establish and implement mechanisms to prevent, detect, and mitigate risk
- ODFIs should work with their Originators and Third-Party Senders so that they are also taking a risk-based approach
- ODFIs should periodically review and update mechanisms and customer guidance

NACHA’s Risk Management Advisory Group:
- Diligently working on tools and sound business practices
- Education, cooperation, collaboration

The sound business practices mentioned in this presentation are not meant to be exclusive approaches nor are they meant to be mandatory requirements. No single security measure is likely to be effective in preventing or mitigating the risks associated with Corporate Account Takeover.
The Importance of Sound Business Practices for ODFIs
ODFIs should evaluate their risk profiles and appropriately enhance security processes and procedures to prevent and mitigate the risk of Corporate Account Takeover.
Sound Best Practices include:
- Minimum Security Procedures
- Dual Control for Payment File Initiation
- Out-of-Band Authentication and Alerts
- Enhancement of Account Security Offerings
- Exploration of Low-Tech Security Options
- Customer Education: Businesses; Third-Party Processors

Each financial institution should evaluate its risk profile with regard to Corporate Account Takeover, and develop and implement a security plan, including sound business practices.
Examples of sound business practices include:
- Requiring Originators and Third-Party Senders to incorporate minimum levels of security on their internal computer networks
- Recommending dual control for payment file initiation
- Using out-of-band authentication methods such as call-backs or faxed transmittals
- Encouraging the use of value-added services like positive pay, debit blocks and tokens to enhance account security
- Educating business clients on prevention, detection and reporting measures; encouraging daily review of accounts; and building cross-department event information sharing
Many financial institutions do use sound business practices, but it is important for all financial institutions to consider all sound business practices appropriate to the unique circumstances of their business and clientele.
The Importance of Sound Business Practices for Businesses
Businesses can help protect themselves with layered security processes and procedures and other tightened security efforts.
Sound Best Practices include:
- Computer Security
  - Staying informed and aware
  - Using layered system security
  - Dedicated computer for online banking
- Account Security
  - Dual control
  - Account reconcilement
  - Report suspicious activity

Each business should evaluate its risk profile with regard to Corporate Account Takeover. Businesses should consider sound business practices such as:
- Layered security processes and procedures, like:
  - Use of firewalls, security suites, anti-malware and anti-spyware
  - Dedicating one computer exclusively to online banking and cash management activity, and other security efforts such as not allowing the dedicated computer to be used in wi-fi hotspots like airports or Internet cafes, and disallowing workstations to be used for general web browsing
- Initiating files using dual control; for example, file creation by one employee and file approval and release by another employee on a different computer
- Educating all computer users of the business, and remembering this analogy: an unsecured computer is the same as not locking your house when you leave, and you have a significant chance of losing your valuables
Rules Proposals to Address Corporate Account Takeover
NACHA’s Rule Making Process recently issued a Request For Comment (RFC) and is currently compiling industry responses regarding the Availability Exception Rule.
Availability Exception Rule:
- Would provide an RDFI, which reasonably suspects that a credit entry is unauthorized, with an exception to the Rules provisions requiring the RDFI to make certain credit entries available
- The RDFI would promptly notify the ODFI if using this Rule
ACH Benchmarking Initiative
- RMAG has been providing input on ACH-related considerations in the American Bankers Association’s (ABA’s) Deposit Account Fraud Survey
- Currently working with the ABA to develop benchmarks on ACH “loss” data
- Have developed and piloted a peer group Financial Institution benchmarking study that addresses:
  - Emerging trends
  - Measures to detect, prevent and reduce risk
  - Types of fraud
  - Losses related to unauthorized returns and Corporate Account Takeover
- After the pilot, the ongoing Financial Institution peer group study will be made available broadly for financial institution participation
TPSP / Third Party Sender Initiative
What is a Third-Party Service Provider? What is a Third-Party Sender?

| Third-Party Service Provider | Third-Party Sender |
|---|---|
| Originates ACH transactions on behalf of an ODFI’s customer (Originator) | Originates ACH transactions on behalf of the Third-Party Sender’s own customers (Originators) |
| ACH Origination agreement exists between the ODFI and its customer (the Originator) | ACH agreement exists between the ODFI & the Third-Party Sender, not the Third-Party Sender’s customers (Originators) |
| ACH settlement / funding takes place in the ODFI’s customer’s account (Originator) | ACH settlement / funding takes place in the Third-Party Sender’s account at the ODFI |
| Returned items are charged to the customer’s account (Originator) | Returns are charged to the Third-Party Sender’s account |
| ACH processing exposure = the dollars of ACH transactions that the ODFI’s customer is originating through the TPSP in a given period | ACH processing exposure = the aggregate dollars of the many, many Originators whose funds are flowing into and out of the Third-Party Sender’s account at the ODFI |
TPSP / Third Party Sender Initiative – Examples

| Third-Party Service Providers | Third-Party Senders |
|---|---|
| CPA firm that processes payroll & Direct Deposit on behalf of its clients | Property Management Companies |
| ADP Payroll Solutions | Collection Agencies |
| Billing Service Providers | Payment engines for Internet Retailers |
Watch Who You Ride With
- ODFIs can be accountable for a Third-Party’s compliance with NACHA Operating Rules & regulatory requirements
- High-risk Originators:
  - Typically use Third-Party Senders
  - Operate under multiple DBAs
  - Use various techniques to mask return volume
  - Rely on multiple processors, ODFIs, & payment types
  - Increase ODFI liability exponentially beyond the fee income
ODFIs: You Must Ask These Questions
- Are you providing holistic risk management and oversight over your Third-Party Senders?
- Are you monitoring for transaction patterning?
- Can you monitor all activity behind the Third-Party?
- Does ODFI policy = Third-Party policy (e.g., any restrictions on origination)?
- How interdependent are the Third-Party’s customers?
- Are you being approached by Third-Parties out of your geography?
- Can you answer these questions consistently across all lines of business or silos?
Effectively Managing Third-Party Risk
Rules and regulatory compliance and sound business practices are paramount.
Sound Business Practices
Requirements of an ODFI (not just sound business practices, but required by the Risk Management & Assessments Rule, June 2010):
- Conduct due diligence on the Third-Party Sender and Originators
- Assess the nature of the activity and the risk it presents
- Establish procedures to monitor the TPS
- ODFI required to address its internally-developed restrictions on origination in the agreement
- The right to suspend or terminate any Originator processed by the TPS for breach of the NACHA Operating Rules
- Verify basic facts about the Third-Party Sender
- Ensure the ODFI’s agreement with the Third-Party Sender includes all necessary provisions
Sound Business Practices
Perform these procedures on a regular basis:
- Annual review of the TPS’ financial condition
- Take a risk-based monitoring approach
- Review the Originator list (their client list) provided by the TPS and properly evaluate it
- Perform open source research on company names and verify the types of businesses
- Exercise the right to audit the TPS and its Originators’ compliance with the agreement and the NACHA Operating Rules
Take a risk-based monitoring approach:
- Look for red flags like more than one Originator debiting the same consumer accounts
- Monitor return rates by SEC Code and by Return Reason Code
- Ask for copies of authorizations, phone recordings (if TEL-based), screen shots (if WEB-based) and any other customer communications as appropriate
- Investigate complaints and assess the validity of concerns or warnings made by other financial institutions or peer organizations
- Review SEC Code use and compare it to the agreement
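Three of the monitoring checks listed above (SEC Code use against the agreement, more than one Originator debiting the same consumer account, and returns broken down by SEC Code and Return Reason Code) as an added example; this is not NACHA's or any ODFI's code. The entries, account identifiers and the `AGREED_SEC_CODES` set are all constructed for the example, and every entry is treated as a debit.

```python
"""Third-Party Sender red-flag checks (added example, not NACHA code).

All entries are constructed debits originated through one Third-Party Sender;
the receiver account ids are fake.
"""
from collections import defaultdict, namedtuple

Entry = namedtuple("Entry", "originator sec_code receiver_account amount return_code")

# SEC codes the (assumed) ODFI agreement permits this Third-Party Sender to use.
AGREED_SEC_CODES = {"PPD", "WEB"}

ENTRIES = [
    Entry("rentco",   "PPD", "acct-1001", 900.00, None),
    Entry("rentco",   "PPD", "acct-1002", 900.00, "R01"),
    Entry("debtfix",  "WEB", "acct-1001",  45.00, "R10"),
    Entry("debtfix",  "WEB", "acct-1003",  45.00, None),
    Entry("debtfix",  "TEL", "acct-1004",  45.00, "R10"),   # TEL not in agreement
    Entry("shopfast", "WEB", "acct-1001",  20.00, "R04"),
    Entry("shopfast", "CCD", "acct-2001", 500.00, None),    # CCD not in agreement
]


def sec_codes_outside_agreement(entries, agreed=AGREED_SEC_CODES):
    """(originator, sec_code) pairs that the ODFI agreement does not cover."""
    return sorted({(e.originator, e.sec_code) for e in entries if e.sec_code not in agreed})


def shared_receiver_accounts(entries, min_originators=2):
    """Consumer accounts debited by more than one Originator behind the TPS."""
    seen = defaultdict(set)
    for e in entries:
        seen[e.receiver_account].add(e.originator)
    return {acct: sorted(origs) for acct, origs in seen.items()
            if len(origs) >= min_originators}


def return_breakdown(entries):
    """Per SEC code: entries originated, returns by reason code, overall return rate."""
    stats = defaultdict(lambda: {"originated": 0, "returns": defaultdict(int)})
    for e in entries:
        s = stats[e.sec_code]
        s["originated"] += 1
        if e.return_code:
            s["returns"][e.return_code] += 1
    return {
        sec: {
            "originated": s["originated"],
            "returns": dict(s["returns"]),
            "return_rate": sum(s["returns"].values()) / s["originated"],
        }
        for sec, s in stats.items()
    }


if __name__ == "__main__":
    print("SEC codes outside agreement:", sec_codes_outside_agreement(ENTRIES))
    print("accounts debited by multiple Originators:", shared_receiver_accounts(ENTRIES))
    for sec, s in sorted(return_breakdown(ENTRIES).items()):
        print(f"{sec}: {s['originated']} originated, returns {s['returns']}, "
              f"rate {s['return_rate']:.1%}")
```

In practice the breakdown is computed over a full period's volume per Originator; the tiny sample here only shows the shape of the output.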
Terminated Originator Database Initiative
- The Terminated Originator Database (TOD) went live on March 1, 2011 and is available for ODFIs to sign up, contribute and query
- The TOD is a risk management tool for ODFIs to share information with other ODFIs about Originators and/or Third-Party Senders that have been terminated for cause
- The TOD is not a list of Originators prohibited or disapproved by NACHA
- ODFIs can utilize this tool as one component of their due diligence processes for underwriting and continued monitoring of Originators and Third-Party Senders
- The process of contributing to and querying the Database is similar to processes used by other electronic payment networks that gain value from consolidated information
- The value of the Database is dependent on ODFIs of all sizes and types contributing data. The more ODFIs that contribute data, the more powerful this risk management tool will be for all ODFIs
A Bank’s Risk Exposure
Why does my bank ask me for my company’s financial statements to originate ACH transactions?
- The exposure associated with ACH transactions is equivalent to granting an unsecured short-term loan for that period
NACHA strongly encourages banks to:
- Establish credit exposure limits for both ACH Debits & Credits for each customer
- Underwrite the risks associated with the exposure limits that have been established
- Factor ACH credit risk in as part of the customer’s overall credit exposure profile
A Bank’s Risk Exposure – ACH Credits
- The Bank incurs exposure to credit risk for the period of time between initiation of an ACH credit file from its customer, until the company funds the account
- ACH rules do not allow the bank to call back / reverse ACH credits for failure of the company to fund its account at the Bank

File Transmission Date:
- ACH Credit file is transmitted from Company A to Bank A
- Bank A processes the file and delivers transactions to the ACH Operator
Settlement Date:
- Bank A’s account is charged by the Federal Reserve
- Entries are effective on the next banking day
- Company A declares bankruptcy
- Bank A has an unsecured claim against Company A for the entire amount of the ACH credit file
A Bank’s Risk Exposure – ACH Debits

File Transmission Date:
- ACH Debit file is transmitted from Company A to Bank A
Settlement Date:
- Bank A’s account is credited by the Federal Reserve
- Entries are effective on the next banking day
- Company A declares bankruptcy

The Bank’s risk is on the small percentage of ACH Debit items that are returned after bankruptcy. The Receiving bank can return items back to the Originating bank within the following timeframes:
- Traditional Returns: 2 Days from Effective Date
- Unauthorized Returns: 60 Days from Effective Date
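The two timelines above turned into an exposure snapshot for one Originator, as an added example (not NACHA's or any bank's code): an unfunded credit file counts in full as an unsecured claim, a debit file counts in full while the 2-day return window is open and again while only the 60-day unauthorized window is open, and the totals are compared with per-customer limits. The files, the limits, the `as_of` date and the assumption that banking days skip only weekends (no holiday calendar) are all constructed for the example.

```python
"""ACH exposure snapshot for one Originator (added example, not NACHA code).

Constructed files and limits; banking days skip Saturday/Sunday only, which
is an assumption made to keep the example self-contained.
"""
from datetime import date, timedelta

TRADITIONAL_RETURN_BANKING_DAYS = 2   # slide: 2 days from effective date
UNAUTHORIZED_RETURN_DAYS = 60         # slide: 60 days from effective date
AS_OF = date(2011, 6, 15)             # constructed "today" (a Wednesday)


def add_banking_days(d, n):
    """Advance d by n banking days, skipping weekends (holidays ignored)."""
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:
            n -= 1
    return d


# Constructed files for "Company A". Credits carry a `funded` flag because the
# bank cannot reverse a delivered credit file if the company never funds it.
FILES = [
    {"kind": "credit", "amount": 250_000.0, "transmitted": date(2011, 6, 14),
     "effective": date(2011, 6, 15), "funded": False},
    {"kind": "credit", "amount": 100_000.0, "transmitted": date(2011, 6, 10),
     "effective": date(2011, 6, 13), "funded": True},
    {"kind": "debit", "amount": 40_000.0, "transmitted": date(2011, 6, 13),
     "effective": date(2011, 6, 14)},
    {"kind": "debit", "amount": 30_000.0, "transmitted": date(2011, 4, 29),
     "effective": date(2011, 5, 2)},
    {"kind": "debit", "amount": 10_000.0, "transmitted": date(2011, 2, 28),
     "effective": date(2011, 3, 1)},
]
LIMITS = {"credit": 200_000.0, "debit": 100_000.0}  # assumed underwriting limits


def exposure(files, as_of, limits=LIMITS):
    """Dollar amounts the bank is exposed to on as_of, per the slide timelines."""
    credit_unfunded = 0.0     # unsecured claim until the company funds the file
    debit_traditional = 0.0   # any return reason is still possible
    debit_unauthorized = 0.0  # only unauthorized returns are still possible
    for f in files:
        if f["transmitted"] > as_of:
            continue
        if f["kind"] == "credit":
            if not f["funded"]:
                credit_unfunded += f["amount"]
            continue
        if as_of < f["effective"]:
            continue  # debit not yet effective, so nothing is returnable yet
        trad_end = add_banking_days(f["effective"], TRADITIONAL_RETURN_BANKING_DAYS)
        unauth_end = f["effective"] + timedelta(days=UNAUTHORIZED_RETURN_DAYS)
        if as_of <= trad_end:
            debit_traditional += f["amount"]
        elif as_of <= unauth_end:
            debit_unauthorized += f["amount"]
    return {
        "credit_unfunded": credit_unfunded,
        "debit_traditional_window": debit_traditional,
        "debit_unauthorized_window": debit_unauthorized,
        "credit_limit_breached": credit_unfunded > limits["credit"],
        "debit_limit_breached": debit_traditional + debit_unauthorized > limits["debit"],
    }


if __name__ == "__main__":
    print(exposure(FILES, AS_OF))
```

The debit figures are upper bounds (the whole file while a window is open); a bank would scale them by its observed return rates for that customer when sizing the limit.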