
NACHA’s Risk Management Strategy Update


1 NACHA’s Risk Management Strategy Update
NAFP Treasury Management Conference, September 15, 2011
Barry Gideon, Vice President, Treasury Services

2 Agenda
- The ACH Network
- NACHA Risk Management Strategy
- Risk Management Rules & Initiatives:
  - Network Enforcement Rule
  - Direct Access Registration Rule
  - ACH Security Framework
  - Corporate Account Takeover
  - ACH Benchmarking
  - Third Party Senders
  - Terminated Originator Database
- How Banks Approach ACH Credit Risk Exposure

3 The ACH Network
The ACH Network is a batch processing, store-and-forward system, governed by the NACHA Operating Rules. ACH payments include:
- Direct Deposit of payroll, Social Security and other government benefits, and tax refunds
- Direct Payment of consumer bills such as mortgages, loans, utility bills, and insurance premiums
- Business-to-Business payments
- e-Checks
- e-Commerce payments
- Federal, state, and local payments

4 ACH Network Volume (billions)

5 2010 Growth of Selected ACH Applications
Growth / decline in 2010 by application (SEC code); values missing from the transcript are marked "(missing)":

  SEC      Growth    Description of Application
  ARC       -8.5%    Conversion of Checks to ACH in a Lockbox Environment
  BOC       12.9%    Conversion of Checks to ACH in a Back Office Environment
  CCD        3.4%    Corporate Credit or Debit – Primarily B2B Transactions
  CIE       15.6%    Customer Initiated Entries – ACH Credits initiated by Consumers for Bill Payments
  CTX       11.1%    Corporate Trade Exchange – Primarily B2B Transactions
  POP        6.8%    Point of Purchase – Conversion of Checks to ACH at the Point of Purchase
  PPD        3.1%    Pre-Authorized Consumer Payments such as Insurance & Health Club Dues
  RCK      -28.2%    Conversion of Deposited Insufficient Funds Items from Check to ACH
  TEL    (missing)   ACH Transaction Initiated by Oral Authorization provided over the Telephone
  WEB        7.4%    ACH Transaction Initiated by an Authorization Provided via the Internet
  Overall (missing)  Overall ACH Network Growth

6 ACH Volume and Value by SEC Code - 2010

7 NACHA
- NACHA supports the growth of the ACH Network by managing its development, administration, and governance
- NACHA represents nearly 11,000 financial institutions through 17 regional payments associations and direct membership
- Through its industry councils and forums, NACHA brings together payments system stakeholder organizations to encourage the efficient utilization of the ACH Network, and to develop new ways to use the Network to benefit its diverse set of participants

8 NACHA
NACHA occupies a unique role in the association world, serving as both an industry trade association and the administrator of the Automated Clearing House (ACH) Network. In its role as ACH Network Administrator, NACHA is responsible for four key functional areas:
- NACHA Operating Rules
- Network Enforcement & Risk Management
- Network Strategy & Outreach
- Advanced Payment Solutions

9 Key NACHA Roles
Support for the industry, facilitating the balance of risk and innovation: dialogue, education, advocacy, enforcement, rules creation, risk, collaboration, innovation.

10 NACHA – Enforcement & Risk Management
NACHA develops and implements a comprehensive, end-to-end risk management framework. Collectively, the strategy addresses risk and quality in the ACH Network. Areas of responsibility include:
- Arbitration Board
- National System of Fines
- Risk Investigations & Services
- Risk Management Advisory Group
- Risk Management Support & Communications

11 Risk Management as a Strategic Priority
NACHA's Risk Management Advisory Group (RMAG) currently consists of representation from:
- The 2 ACH Operators (Federal Reserve and EPN)
- 15 financial institutions
- 6 Regional Payments Associations
The RMAG:
- Has made significant contributions to the NACHA rule-making process and to Network education around the changing face of ACH payments risk
- Advises the NACHA Board and works with staff to guide and implement the risk management strategy
- Plays a vital role in developing and providing a comprehensive approach to Network risk management
- Works with NACHA staff and key industry stakeholders to produce sound business practices and rules recommendations, and to share findings with payments professionals across payments channels

12 Risk / Quality Continuum
Risk and quality improvements cannot be accomplished through a single effort or one all-encompassing rule change. Each initiative is a complementary piece of the entire strategy.

(Chart: initiatives plotted by strength of initiative, from Low to High, on a Risk axis and a Quality axis. Groupings shown:)
- ACH Security Framework: Data Security; Authentication; Data Breach Policy
- Targeted Enforcement: Unauthorized Trigger; Reporting; Fines; Possible Suspension
- Operator/NACHA Tools: ODFI Understanding / New ODFI Training; FI Contact & Communications; Data Review
- Sound Business Practices: Corporate Account Takeover; Third-Party Risk; Direct Access; Credit Risk Management
- Assessment & Audit: Compliance Assessment Requirements; Regulatory Compliance; Enhanced ACH Audits
- Data Sharing: Originator Watch List; Terminated Originator Database; Direct Access Registration; Data Review
- ACH Benchmarking: FI to FI Peer Group; Industry Collaboration with ABA
- Quality Initiatives: Misuse of Codes; WSUD/Unauthorized Adjustments

13 ACH Return Rates – Industry Return Rates, 2010
Share of entries returned, by category and return reason. Cells missing from the transcript are left blank; in rows with fewer than four values the figures are listed in the order they were extracted.

  Category                 Total      NSF     Invalid   Unauthorized
  ACH Network              1.00%    0.64%     0.18%      0.02%
  Credits – All SECs       0.20%    0.00%     0.12%
  Debits – All SECs        1.56%    1.07%     0.23%      0.03%
  PPD Credits              0.15%
  PPD Debits               2.26%    1.62%     0.04%
  ARC                      0.31%    0.10%
  BOC                      1.45%    1.03%     0.21%      0.01%
  POP                      0.96%    0.75%
  RCK                     60.88%   49.81%     1.87%      0.07%
  TEL                      5.74%    3.93%     1.21%      0.11%
  WEB                      1.33%    0.87%     0.24%

14 Risk Continues to be Well Managed – While New Threats Continue to Emerge
(Chart: unauthorized returns over time, annotated with the Network Enforcement Rule and the Company Name Rule; 2010 decline of 10.9%)

15 Network Enforcement Rule
Enhanced National System of Fines (effective March 2008):
- Sets higher fine levels
- Establishes the authority for the ACH Rules Enforcement Panel to direct an ODFI to suspend an Originator / Third-Party Sender from originating
ODFI Reporting Requirements (effective December 21, 2007):
- Ensures an ODFI's Originators or Third-Party Senders do not exceed a return rate of 1% for unauthorized entries
- Requires ODFIs to reduce unauthorized return rates below the threshold
- Defines the circumstances under which NACHA may initiate a rules enforcement proceeding related to unauthorized return rates above the threshold

16 Network Enforcement Rule Evaluation
Currently evaluating the effectiveness of the Network Enforcement Rule since its implementation in 2008:
- The overall number of unauthorized returns is down
- The overall percentage of unauthorized returns is down
- Problematic rates are 0.50% - 0.99%, i.e., just below the threshold
- Currently, the ODFI has 60 days after receipt of NACHA's written request to reduce its Originator's or Third-Party Sender's return rate for unauthorized reasons to below 1% before becoming subject to the National System of Fines
- The current 1% threshold for debit entries returned as unauthorized is 33 times the 2010 unauthorized return rate for all ACH debits (0.03%)
- Experience has shown that the 60-day period is ineffective for risk management purposes
- Some Originators generate a large absolute volume of unauthorized returns, which represents problematic transactions, yet never exceed the threshold because of the high volume of transactions they originate

17 Network Enforcement Rule Evaluation
- NACHA's Rule Making Process recently issued a Request For Comment (RFC) that included a proposal to reduce the unauthorized return threshold from the existing 1%, first to 0.75% and eventually to 0.50%
- The Request For Comment also included a proposal to shorten the 60-day period before fines become possible for over-threshold activity

18 Network Enforcement Rule Evaluation
There is also an opportunity to enhance the effectiveness of the Rule by spotlighting "invalid" returns. Invalid returns include:
- R03 – No Account / Unable to Locate Account
- R04 – Invalid Account Number
Often there is a correlation between Originators with high return rates for "unauthorized" transactions and high return rates for "invalid" ones. For instance, returns for invalid account information can occur because an Originator is "phishing" for valid account numbers: submitting guessed or harvested numbers and keeping the ones that are not returned as invalid, after which unauthorized returns follow on the live accounts.
The Request For Comment included a proposal to establish a 1% threshold on returns for invalid account information.
RMAG, through a white paper, is developing sound business practices around returns for invalid account information and educating on the potential correlation between "invalid" and "unauthorized" returns.

19 Direct Access Registration Rule
- The Direct Access Registration Rule requires all ODFIs to register their Direct Access Debit Participant status with NACHA
- Direct Access is defined as a situation in which an Originator, Third-Party Sender, or Third-Party Service Provider transmits credit or debit entries directly to an ACH Operator (Fed or EPN) using an ODFI's routing number and settlement account
- A Direct Access Debit Participant is an Originator, Third-Party Sender, or Third-Party Service Provider with Direct Access for the origination of debit entries, except: (i) a Third-Party Service Provider that transmits ACH files solely on behalf of an ODFI, where that Third-Party Service Provider does not have a direct agreement with an Originator (and is not itself an Originator), or (ii) an ODFI that transmits files using another Participating DFI's routing number and settlement account
- Ongoing monitoring of Direct Access Debit Participant registration (high-level, aggregate information)
- Developing sound business practices for Direct Access Credit Participant relationships: credit risk, Know Your Customer, monitoring, Rules compliance, regulatory compliance

20 Direct Access Debit Participant Example
This is just one example of a Direct Access Debit Participant relationship. Direct Access can exist in many scenarios, but may not be required to be registered based on the exclusions to the definition.
(Diagram: Originators -> Third-Party using the ODFI's RTN -> ACH Operator, with the ODFI alongside the Third-Party)
It is incumbent on the ODFI to determine its Direct Access status and register accordingly. The ODFI must define its specific relationship(s) with Third-Parties and Originators.

21 ACH Security Framework Initiative
- RMAG has teamed with NACHA's Internet Council to develop a proposal for an ACH Security Framework
- Takes into consideration the FFIEC Guidance on Authentication in an Internet Banking Environment (2005, and the supplement issued June 28, 2011)
- The Framework will ensure that the ACH Network remains high-quality and will reflect the unique characteristics of the ACH Network
- The intent is to establish basic data security obligations for Network participants to protect the data in their purview
- Many, if not most, financial institutions and other ACH participants are likely to already have these practices in place; Rules will codify these practices and ensure they exist Network-wide
- NACHA's Rule Making Process recently issued a Request For Information (RFI) and is currently compiling industry responses

22 Corporate Account Takeover Initiative
- Corporate Account Takeover is a type of business identity theft in which a criminal entity steals a company's valid online banking credentials
- Attacks are typically perpetrated quietly, by introducing malware onto the business's computers (for example from an infected website)
- For businesses with low resistance to such methods of attack, the malware introduced onto their systems may remain undetected for weeks or even months
- By introducing layered security processes and procedures, technological and otherwise, and other tightened security efforts, financial institutions can help protect businesses from criminals seeking to drain accounts and steal confidential information

23 Corporate Account Takeover Initiative
NACHA has introduced a Board Policy on the Importance of Sound Business Practices to Mitigate Corporate Account Takeover. ODFIs should vigilantly and proactively protect against this type of fraud in various ways, including:
- Implementing systems designed to prevent and detect attempts to access a business' banking credentials
- Keeping their customers informed about the importance of implementing their own systems and sound business practices to protect themselves
- Taking a risk-based approach tailored to their individual characteristics and their customers, to avoid losses and liability for themselves and other ACH participants
- Periodically reviewing and updating customer guidance in response to developments in the methods used by cyber thieves to perpetrate Corporate Account Takeover

NACHA Board of Directors Policy Statement:
- ODFIs should take a risk-based approach tailored to their individual characteristics and their customers
- ODFIs should establish and implement mechanisms to prevent, detect, and mitigate risk
- ODFIs should work with their Originators and Third-Party Senders so that they are also taking a risk-based approach
- ODFIs should periodically review and update mechanisms and customer guidance

NACHA's Risk Management Advisory Group is diligently working on tools and sound business practices: education, cooperation, collaboration.

The sound business practices mentioned in this presentation are not meant to be exclusive approaches nor are they meant to be mandatory requirements. No single security measure is likely to be effective in preventing or mitigating the risks associated with Corporate Account Takeover.

24 The Importance of Sound Business Practices for ODFIs
ODFIs should evaluate their risk profiles and appropriately enhance security processes and procedures to prevent and mitigate the risk of Corporate Account Takeover. Sound business practices include:
- Minimum security procedures
- Dual control for payment file initiation
- Out-of-band authentication and alerts
- Enhancement of account security offerings
- Exploration of low-tech security options
- Customer education (businesses and Third-Party Processors)

Each financial institution should evaluate its risk profile with regard to Corporate Account Takeover, and develop and implement a security plan that includes sound business practices. Examples:
- Requiring Originators and Third-Party Senders to incorporate minimum levels of security on their internal computer networks
- Recommending dual control for payment file initiation
- Using out-of-band authentication methods such as call-backs or faxed transmittals
- Encouraging the use of value-added services like positive pay, debit blocks and tokens to enhance account security
- Educating business clients on prevention, detection and reporting measures; encouraging daily review of accounts; and building cross-department sharing of event information

Many financial institutions already use sound business practices, but it is important for all financial institutions to consider all sound business practices appropriate to the unique circumstances of their business and clientele. The sound business practices mentioned in this presentation are not meant to be exclusive approaches nor are they meant to be mandatory requirements. No single security measure is likely to be effective in preventing or mitigating the risks associated with Corporate Account Takeover.

25 The Importance of Sound Business Practices for Businesses
Businesses can help protect themselves with layered security processes and procedures and other tightened security efforts. Sound business practices include:
- Computer security: staying informed and aware; using layered system security; a dedicated computer for online banking
- Account security: dual control; account reconcilement; reporting suspicious activity

Each business should evaluate its risk profile with regard to Corporate Account Takeover and consider sound business practices such as:
- Layered security processes and procedures, like firewalls, security suites, anti-malware and anti-spyware
- Dedicating one computer exclusively to online banking and cash management activity, and other measures such as not using the dedicated computer in wi-fi hotspots like airports or Internet cafes, and disallowing general web browsing on that workstation
- Initiating files under dual control, for example file creation by one employee and file approval and release by another employee on a different computer
- Educating all of the business's computer users. An analogy: an unsecured computer is the same as not locking your house when you leave; you have a significant chance of losing your valuables.

The sound business practices mentioned in this presentation are not meant to be exclusive approaches nor are they meant to be mandatory requirements. No single security measure is likely to be effective in preventing or mitigating the risks associated with Corporate Account Takeover.

26 Rules Proposals to Address Corporate Account Takeover
NACHA's Rule Making Process recently issued a Request For Comment (RFC) regarding an Availability Exception Rule and is currently compiling industry responses.
Availability Exception Rule:
- Would provide an RDFI that reasonably suspects a credit entry is unauthorized with an exception to the Rules provisions requiring the RDFI to make certain credit entries available
- The RDFI would promptly notify the ODFI when using this exception

27 ACH Benchmarking Initiative
- RMAG has been providing input on ACH-related considerations in the American Bankers Association's (ABA's) Deposit Account Fraud Survey
- Currently working with the ABA to develop benchmarks on ACH "loss" data
- Have developed and piloted a peer-group financial institution benchmarking study that addresses: emerging trends; measures to detect, prevent and reduce risk; types of fraud; losses related to unauthorized returns and Corporate Account Takeover
- After the pilot, the ongoing financial institution peer-group study will be made available broadly for financial institution participation

28 TPSP / Third Party Sender Initiative
What is a Third-Party Service Provider? A Third-Party Sender?

Third-Party Service Provider (TPSP):
- Originates ACH transactions on behalf of an ODFI's customer (the Originator)
- The ACH origination agreement exists between the ODFI and its customer (the Originator)
- ACH settlement / funding takes place in the ODFI's customer's (Originator's) account
- Returned items are charged to the customer's (Originator's) account
- ACH processing exposure = the dollars of ACH transactions that the ODFI's customer originates through the TPSP in a given period

Third-Party Sender (TPS):
- Originates ACH transactions on behalf of the Third-Party Sender's own customers (Originators)
- The ACH agreement exists between the ODFI and the Third-Party Sender, not the Third-Party Sender's customers (Originators)
- ACH settlement / funding takes place in the Third-Party Sender's account at the ODFI
- Returns are charged to the Third-Party Sender's account
- ACH processing exposure = the aggregate dollars of the many Originators whose funds flow into and out of the Third-Party Sender's account at the ODFI

29 TPSP / Third Party Sender Initiative
Examples:
- Third-Party Service Providers: a CPA firm that processes payroll and Direct Deposit on behalf of its clients; ADP Payroll Solutions; billing service providers
- Third-Party Senders: property management companies; collection agencies; payment engines for Internet retailers

30 Watch Who You Ride With
ODFIs can be held accountable for a Third-Party's compliance with the NACHA Operating Rules and regulatory requirements. High-risk Originators:
- Typically use Third-Party Senders
- Operate under multiple DBAs
- Use various techniques to mask return volume
- Rely on multiple processors, ODFIs and payment types
- Increase ODFI liability far beyond the fee income

31 ODFIs: You Must Ask These Questions
- Are you providing holistic risk management and oversight over your Third-Party Senders?
- Are you monitoring for transaction patterning?
- Can you monitor all activity behind the Third-Party?
- Does ODFI policy equal Third-Party policy (e.g., any restrictions on origination)?
- How interdependent are the Third-Party's customers?
- Are you being approached by Third-Parties from outside your geography?
- Can you answer these questions consistently across all lines of business or silos?

32 Effectively Managing Third-Party Risk
Rules and regulatory compliance and sound business practices are paramount

33 Sound Business Practices
Requirements of an ODFI (not just sound business practices, but required by the Risk Management & Assessments Rule, June 2010):
- Conduct due diligence on the Third-Party Sender and its Originators
- Assess the nature of the activity and the risk it presents
- Establish procedures to monitor the TPS
- Address the ODFI's internally developed restrictions on origination in the agreement
- Retain the right to suspend or terminate any Originator processed by the TPS for breach of the NACHA Operating Rules
- Verify basic facts about the Third-Party Sender
- Ensure the ODFI's agreement with the Third-Party Sender includes all necessary provisions
The sound business practices mentioned in this presentation are not meant to be exclusive approaches nor are they meant to be mandatory requirements.

34 Sound Business Practices
Perform these procedures on a regular basis, taking a risk-based monitoring approach:
- Annual review of the TPS' financial condition
- Review the Originator list (their client list) provided by the TPS and properly evaluate it
- Perform open-source research on company names and verify the types of businesses
- Exercise the right to audit the TPS and its Originators' compliance with the agreement and the NACHA Operating Rules
- Look for red flags like more than one Originator debiting the same consumer accounts
- Monitor return rates by SEC Code and by Return Reason Code
- Ask for copies of authorizations, phone recordings (if TEL-based), screen shots (if WEB-based) and any other customer communications as appropriate
- Investigate complaints and assess the validity of concerns or warnings made by other financial institutions or peer organizations
- Review SEC Code use and compare it to the agreement
The sound business practices mentioned in this presentation are not meant to be exclusive approaches nor are they meant to be mandatory requirements.

35 Terminated Originator Database Initiative
- The Terminated Originator Database (TOD) went live on March 1, 2011 and is available for ODFIs to sign up, contribute and query
- The TOD is a risk management tool for ODFIs to share information with other ODFIs about Originators and/or Third-Party Senders that have been terminated for cause
- The TOD is not a list of Originators prohibited or disapproved by NACHA
- ODFIs can use this tool as one component of their due diligence processes for underwriting and continued monitoring of Originators and Third-Party Senders
- The process of contributing to and querying the Database is similar to processes used by other electronic payment networks that gain value from consolidated information
- The value of the Database depends on ODFIs of all sizes and types contributing data: the more ODFIs that contribute, the more powerful this risk management tool will be for all ODFIs


37 A Bank's Risk Exposure
Why does my bank ask me for my company's financial statements to originate ACH transactions? The exposure associated with ACH transactions is equivalent to granting an unsecured short-term loan for that period. NACHA strongly encourages banks to:
- Establish credit exposure limits for both ACH debits and credits for each customer
- Underwrite the risks associated with the exposure limits that have been established
- Factor ACH credit risk into the customer's overall credit exposure profile

38 A Bank's Risk Exposure – ACH Credits
The Bank incurs exposure to credit risk for the period between initiation of an ACH credit file by its customer and the point at which the company funds the account. ACH rules do not allow the bank to call back / reverse ACH credits for failure of the company to fund its account at the Bank.
Timeline:
- File Transmission Date: the ACH credit file is transmitted from Company A to Bank A; Bank A processes the file and delivers the transactions to the ACH Operator
- Settlement Date: Bank A's account is charged by the Federal Reserve; entries are effective on the next banking day
- Company A declares bankruptcy: Bank A has an unsecured claim against Company A for the entire amount of the ACH credit file

39 A Bank's Risk Exposure – ACH Debits
Timeline:
- File Transmission Date: the ACH debit file is transmitted from Company A to Bank A
- Settlement Date: Bank A's account is credited by the Federal Reserve; entries are effective on the next banking day
- Company A declares bankruptcy: the Bank's risk is on the small percentage of ACH debit items that are returned after the bankruptcy
The Receiving bank can return items to the Originating bank within the following timeframes:
- Traditional returns: 2 banking days from the effective (settlement) date
- Unauthorized returns: 60 calendar days from the effective (settlement) date

