
BCAC –ACH Risk Management


1 BCAC – ACH Risk Management
Sean Carter, AAP, NEACH & NEACH Payments Group

2 NEACH, as a Direct Member of NACHA, is a specially recognized and licensed provider of ACH education, publications and support. Regional Payments Associations are directly engaged in the NACHA rulemaking process and the Accredited ACH Professional (AAP) program. This material is not intended to provide any warranties or legal advice, and is intended for educational purposes only. NACHA owns the copyright for the NACHA Operating Rules & Guidelines. Any unauthorized use or access is expressly prohibited.
As a Regional Payment Association and Direct Member of NACHA, NEACH is specifically recognized as a licensed provider of ACH Education. The material is for educational purposes only and is not intended to provide any warranties or legal advice. Please refer to legal counsel for legal advice. NACHA owns the copyright to the NACHA Operating Rules.

3 Agenda
ACH Overview and Flow
Participant Roles and Responsibilities
Inherent Risks of Processing ACH Transactions
Areas of Risk for RDFIs and mitigation techniques
Areas of Risk for ODFIs and mitigation techniques
Risk Assessments & Audits

4 What is ACH? Automated Clearing House
“Processing and delivery system that provides for the distribution and settlement of electronic debits and credits among financial institutions”
Batch-oriented, store-and-forward processing system
Safe, secure, electronic network for consumer, business, and government payments
Used by more than 11,000 participating FIs and millions of businesses and consumers

5 Unique ACH Network Attributes
Unlike other payment systems, the ACH Network supports all of the following:
Credit transactions that “push” value
Debit transactions that “pull” value
Ubiquity to receive payments from and make payments to virtually all checking and savings accounts in the U.S.
Both payments and robust payment information
Native electronic transactions and check conversion transactions
Zero-dollar transactions (for interbank messaging)
Consumer transactions and Business transactions (both B2B and internal transactions)
Government transactions
Domestic and international transactions
Recurring and one-time transactions

6 Facts about the ACH Network
Over 17.5 billion transactions in 2013 (does not include on-us)
Payments valued at more than $38 trillion in 2013
Up almost 5% over 2012

7 Foundation of the NACHA Operating Rules is Contract Law
Originating Depository Financial Institutions (ODFIs) and Receiving Depository Financial Institutions (RDFIs) are bound collectively to each other by the Rules, as a multilateral agreement
The Rules assign ODFIs and RDFIs distinct roles, responsibilities, and liabilities for ACH transactions that they originate and receive, which flow via warranties and indemnification to all other DFIs and ACH Operators in the ACH Network
The NACHA Operating Rules require ODFIs and RDFIs to execute agreements with Originators and third parties, as applicable, that bind them to the Rules
The Rules require Originators to have a relationship with Receivers (agreement or authorization)
For more information attend Recent Developments in Electronic Payments Law on Monday at 11:15

8 Legal Framework for ACH Transactions
Federal Reserve Operating Circular 4: ACH Participation of Federal Reserve Banks
Code of Federal Regulations (CFR) Title 31 Part 210: U.S. Federal Government ACH Payments
Regulation D: Depository Financial Institution Reserve Requirements / Defines Transaction Account
Regulation CC: Funds Availability & Check Collection
Office of Foreign Assets Control (OFAC): Financial Interdiction
Corporate Debit Payments: no overarching payment laws/regulations; NACHA Operating Rules
Consumer Credit & Debit EFT Payments: Regulation E; NACHA Operating Rules
Corporate Credit Payments: Uniform Commercial Code (UCC) Article 4A; NACHA Operating Rules
Must comply with all applicable Federal laws and regulations, for example: OFAC; reserves on deposits (Regulation D); Electronic Fund Transfer Act and Regulation E (consumer protection regulation)
Must comply with all applicable State laws, for example: collections laws; UCC 4A as adopted in each state
The NACHA Operating Rules are a contract, and state contract laws apply (contract law, not Federal or State law)

9 Contractual Hierarchy
Diagram, top to bottom (the same levels appear on both the origination and the receiving side):
ACH Operators
Financial Institutions (ODFIs & RDFIs)
Third-Party Processors
Originators
Receivers (Consumer or Business)

10 Who are the Participants?
Originator
Originating Depository Financial Institution (ODFI)
ACH Operator
Receiving Depository Financial Institution (RDFI)
Receiver

11 Who are the Participants?
Originator: party which initiates the ACH transaction
Can be a company or a government agency
Must have Authorization from the Receiver
Examples: utility company initiating payments, employer initiating Direct Deposit of an employee’s wages

12 Potential ACH Originators
Possible Uses of ACH (Originator: uses)
Property Management Company: Collection of Monthly Condo Association Dues
School District, College or University: Payroll and Collection of Tuition Payments
Charitable Organization: Scheduled Pledge Donations
Cable Company, Newspaper: Subscriber Billings
Church: Member Tithes and Donations
Insurance Company: Collection of Policyholder Premiums
Fitness Club, Health Club or Spa: Dues and Service Fee Collections
Retail Store, Doctor’s or Dentist’s Office, Credit Card Company: Conversion of Check Payments Received, Electronically Re-Presenting Checks Returned as NSF
Municipality: Utility Bill Collections
Financial Institution: Loan Payments, Stockholder Dividends, Safe Deposit Box Billing, Transfers
Manufacturing Company, Corporation (General): Direct Deposit of Payroll, Pension Payments, Account Transfers, Tax Payments, Expense Account Reimbursements, Vendor Payments
© 2012 EastPay. All Rights Reserved

13 Who are the Participants?
ODFI: the Financial Institution which originates the ACH transaction after receiving payment instructions from an Originator
Warrants that each transaction is correct and authorized
There must be an agreement between the ODFI and the Originator that, at a minimum, binds the Originator to the Rules
ODFI must also act as an RDFI

14 Who are the Participants?
ACH Operator: central clearing facility for the Financial Institutions
ACH Operator agrees to adhere to the Rules
There are 2 ACH Operators: Federal Reserve; Electronic Payments Network (EPN)
Both can be involved in a transaction
Handles the settlement of the transactions based on the effective date and the date/time the item was received

15 Who are the Participants?
RDFI: the Financial Institution which receives an ACH transaction for posting to the Receiver’s account
RDFI has the ability to return entries but must do so within the proper timeframes and adhere to other requirements
Does not have to act as an ODFI

16 Who are the Participants?
Receiver: party which receives the ACH transaction
Has authorized the Originator to initiate the ACH entry (except for a Destroyed Check entry)
May be a company, individual or government agency

17 Pop Quiz! My corporate account-holder sends weekly files to me to originate Direct Deposit of payroll for their employees. Who am I?
A. Originator
B. ODFI
C. ACH Operator
D. RDFI

18 ACH Credit Payment: Entry and Funds Flow
Authorization

19 ACH Debit Payment: Entry and Funds Flow
Authorization

20 Direct Deposit via ACH The deposit of funds for payroll, T&E, government benefits, tax and other refunds, and annuities and interest payments.

21 Direct Payment via ACH: the use of funds for making a payment.
Individuals or organizations can send or receive a Direct Payment. May be an ACH credit or debit.

22 Pop Quiz!! If a company is paying its employees payroll by ACH, is it sending credits or debits to the employee’s accounts?

23 General ACH Rules
Application of Rules
Compliance with Rules
Records (retention, provision upon request, may be electronic)
Effect of Illegality, Audits, Rules Enforcement, Risk Assessment, Compensation, and Arbitration
Excused Delay
Secure Transmission of ACH Information

24 The Role of the ODFI

25 Origination of Entries
ODFI is responsible for entries and rules compliance
Must have Originator Agreement with Originator
Must perform risk management: assess & monitor nature of ACH activity, establish & enforce exposure limits
Must ensure Originator has proper authorization from Receiver
ODFI warranties (general and specific to SEC Code)

26 General ODFI Warranties
Each entry is properly authorized (not revoked, not terminated by law, correct amount)
Each entry is timely
Complies with other requirements of the Rules, including proper SEC Code
Transmits required information
ODFI warranties do not apply to goods or services
Article Two, Section 2.5 addresses warranties specific to each application

27 Origination of Entries
Prenotes: non-monetary entry sent prior to the first live entry to notify the RDFI that the Originator intends to send ACH to the Receiver’s account; Originator must wait 6 banking days after the prenote before sending a live dollar entry (effective September 2014 the wait time will reduce to 3 banking days)
Reversals (files and entries): erroneous entry (duplicate, wrong Receiver, wrong amount, specific conditions related to payroll payments); must be sent within 5 days of the erroneous file/entry

28 Origination of Entries
Re-initiation: Originator or ODFI may reinitiate a returned entry if:
  Returned for NSF/uncollected funds
  Returned for stop payment and reinitiation was authorized by Receiver
  Corrective action taken to remedy reason for return
Reinitiation must occur within 180 days from settlement date of original entry
Must be formatted as RETRYPYMT as of 09/18
All information must remain the same, including company ID and dollar amount
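An added illustration, not from the presentation, of the reinitiation conditions above as a pre-send check an ODFI could run before accepting a retry. The Entry type, its field names and the sample values are assumptions; R08 (payment stopped), R09 (uncollected funds) and the unauthorized codes R05/R07/R10/R29 come from the NACHA return reason code list, and only R01 and R10 are named elsewhere on these slides.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# NACHA return reason codes: R01 insufficient funds, R09 uncollected funds,
# R08 payment stopped; R05/R07/R10/R29 are the unauthorized-return codes.
NSF_OR_UNCOLLECTED = {"R01", "R09"}
STOP_PAYMENT = {"R08"}
UNAUTHORIZED = {"R05", "R07", "R10", "R29"}  # never eligible for reinitiation
# Company Entry Description required on a reinitiated entry. The slide renders it
# as RETRYPYMT; the Rules' field value is "RETRY PYMT".
RETRY_DESCRIPTION = "RETRY PYMT"
MAX_REINITIATION_DAYS = 180


@dataclass
class Entry:
    """Assumed minimal view of an ACH entry (field names are not from the slide)."""
    company_id: str
    amount_cents: int
    receiver_account: str
    entry_description: str
    settlement_date: date
    return_code: Optional[str] = None  # reason code if the entry was returned


def reinitiation_issues(original, retry, receiver_authorized=False, corrected=False):
    """List every reinitiation condition the retry violates; empty means permitted."""
    issues = []
    code = original.return_code
    if code is None:
        issues.append("original entry was not returned")
    elif code in UNAUTHORIZED:
        issues.append(f"{code}: unauthorized returns may not be reinitiated")
    elif code in NSF_OR_UNCOLLECTED:
        pass  # NSF / uncollected funds: eligible without further conditions
    elif code in STOP_PAYMENT and not receiver_authorized:
        issues.append(f"{code}: Receiver must authorize the reinitiation")
    elif code not in STOP_PAYMENT and not corrected:
        issues.append(f"{code}: corrective action must remedy the reason for return")

    # Timing: within 180 days of the settlement date of the original entry.
    elapsed = (retry.settlement_date - original.settlement_date).days
    if elapsed > MAX_REINITIATION_DAYS:
        issues.append(f"{elapsed} days since original settlement exceeds 180")
    # Formatting: RETRY PYMT description, and all other information unchanged.
    if retry.entry_description != RETRY_DESCRIPTION:
        issues.append(f"entry description must be {RETRY_DESCRIPTION!r}")
    for name in ("company_id", "amount_cents", "receiver_account"):
        if getattr(retry, name) != getattr(original, name):
            issues.append(f"{name} changed from the original entry")
    return issues


def reinitiation_allowed(original, retry, **conditions):
    """True only when no Rule condition is violated."""
    return not reinitiation_issues(original, retry, **conditions)
```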

29 Impact of Same Day
Identification and Formatting
Credit Policy
Agreements
Prefunding Models

30 The Role of the Originator

31 Obligations of Originators
Authorization must: be readily identifiable; have clear and readily understandable terms; provide that the Receiver may revoke only by notifying the Originator in the manner specified
Debit entries to consumer accounts: notice of change in amount; notice of change in scheduled date; copy of debit authorization

32 Obligations of Originators
Record of authorization: Originator must retain the original or a copy of the authorization for a defined period of time
Upon RDFI request, Originator must provide a copy of the authorization to the ODFI so that the ODFI can provide it to the RDFI within 10 banking days
Some SEC Codes have specific requirements for Originators

33 The Role of the RDFI

34 General Rights & Responsibilities of RDFIs
RDFI must accept entries
May rely solely on account numbers to post
May rely on Standard Entry Class Codes
May request copies of authorizations
Must provide entry information as defined for various types of entries
Does not have to notify Receiver of receipt of entry

35 General Rights & Responsibilities of RDFIs
Must make funds available by the defined time and may not debit prior to the settlement date
Must verify prenotes and respond if appropriate
Must honor stop payment orders provided by Receivers
May return entries in a timely manner (but may not return based solely on type of entry)

36 Returns
Returns: timing requirements; unposted credits; ODFI request; re-initiation; Return Reason Codes (e.g., R01, R02, R10)
Dishonor, Contested Dishonor, Correction: restrictions; Return Reason Codes (e.g., R68, R73)

37 Return Time Frames
Administrative (normal) return time frame: the return entry must be received by the RDFI’s ACH Operator by its deposit deadline for the return to be made available to the ODFI no later than opening of business on the second banking day following the settlement date of the original entry
Consumer (extended) return: “…no later than opening of business on the banking day following the 60th calendar day following settlement date…”; used mainly for unauthorized consumer debit entries

38 Return Flow
Original Item: ODFI sends entry to RDFI
Return (either administrative or extended timeframe): RDFI returns original entry to ODFI
Dishonored Return (within 5 banking days of settlement of the Return): ODFI dishonors return to RDFI
Contested Dishonored Return (within 2 banking days of settlement of the Dishonor): RDFI contests the Dishonored Return
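An added example, not from the presentation, that turns the return time frames (slide 37) and the return/dishonor/contest flow above into deadline calculations an RDFI or ODFI could use to check timeliness. The holiday set is two real 2014 Federal Reserve holidays rather than the full schedule, the function names are mine, and R05/R07 are added to the slide's R10 as the other codes that take the 60-day consumer window.

```python
from datetime import date, timedelta

# Constructed holiday calendar for the example: Labor Day and Columbus Day 2014.
# A production check would load the full Federal Reserve holiday schedule.
HOLIDAYS = {date(2014, 9, 1), date(2014, 10, 13)}

# Return reason codes that use the consumer (extended) window. R10 is on the
# slides; R05 and R07 are the other unauthorized-consumer-debit codes.
EXTENDED_WINDOW_CODES = {"R05", "R07", "R10"}


def is_banking_day(d):
    """A weekday that is not a holiday."""
    return d.weekday() < 5 and d not in HOLIDAYS


def add_banking_days(d, n):
    """The date that is n banking days after d (n >= 1)."""
    while n > 0:
        d += timedelta(days=1)
        if is_banking_day(d):
            n -= 1
    return d


def administrative_return_deadline(settlement):
    """Opening of business on the second banking day following settlement."""
    return add_banking_days(settlement, 2)


def extended_return_deadline(settlement):
    """Opening of business on the banking day following the 60th calendar day."""
    day_60 = settlement + timedelta(days=60)
    return add_banking_days(day_60, 1)


def return_deadline(code, settlement):
    """Choose the window from the return reason code."""
    if code in EXTENDED_WINDOW_CODES:
        return extended_return_deadline(settlement)
    return administrative_return_deadline(settlement)


def return_is_timely(code, settlement, available_to_odfi):
    """True if the return is available to the ODFI by opening of business on the deadline."""
    return available_to_odfi <= return_deadline(code, settlement)


def dishonor_deadline(return_settlement):
    """ODFI may dishonor within 5 banking days of settlement of the return."""
    return add_banking_days(return_settlement, 5)


def contest_deadline(dishonor_settlement):
    """RDFI may contest within 2 banking days of settlement of the dishonor."""
    return add_banking_days(dishonor_settlement, 2)
```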

39 Same Day Impact
Pick up additional files
Availability
Exceptions

40 Pop Quiz!!! A RDFI can return an ACH debit whenever it wants.
True or False?

41 Types of Risk
Credit: occurs when a party to a transaction cannot provide the necessary funds, as contracted, in order for settlement to occur
Operational: occurs when a transaction is altered or delayed due to an unintentional error
Fraud: occurs when a payment transaction is initiated or altered in an attempt to misdirect or misappropriate funds by any party to the transaction or by outside intruders
Compliance: occurs when a party to a transaction fails to comply, either knowingly or inadvertently, with the NACHA Operating Rules, applicable regulations, and U.S. federal and state law

42 Types of Risk
Systemic Risk: occurs when a payment system participant cannot settle its obligation, causing other participants to be unable to settle theirs
Third-Party Risk: the risk that the party entrusted by the FI to perform a function of ACH processing does not meet the expectations of the FI

43 What is an ACH Risk Assessment?
It is NOT: a security assessment; an audit; a one-time effort
It IS: required to be conducted; how the FI complies with the expectations of its regulators; part of the ACH Audit

44 The Rule: Subsection 1.2.4 Risk Assessments
A Participating DFI must:
conduct, or have conducted, an assessment of the risks of its ACH activities;
implement, or have implemented, a risk management program on the basis of such an assessment; and
comply with the requirements of its regulator(s) with respect to such assessment and risk management program.

45 The Rule, in a Nutshell
Must have an assessment of risks from ACH activities
Must have a risk management program based on the assessment
Must ensure the assessment and risk management program comply with the DFI's regulator requirements

46 The Rule
Reflect ACH industry best practices
Send a strong message to the industry on the importance of risk management
Ensure that all ODFIs perform know-your-customer due diligence
Establish procedures, systems and controls to manage the risks of their Originators' and Third-Party Senders' ACH activities

47 NACHA Risk Assessment Framework
Examples of recent risk management requirements and guidance by regulators include:
OCC Bulletin , Automated Clearing House Activities
OCC Bulletin , Payment Processors Risk Management Guidance
FFIEC’s BSA/AML Examination Manual, 2010 edition (pages 224 through 233 are specific to ACH; however ACH is referenced in numerous locations throughout this manual)
FFIEC Guidance on Risk Management of Remote Deposit Capture
FFIEC Retail Payments System
FFIEC Supplement to Authentication in an Internet Banking Environment
FDIC Financial Institution Letter , Payment Processor Relationships
FDIC Financial Institution Letter , Managing Third Party Risk
FDIC Financial Institution Letter , Payment Processor Relationship

48 Components
Systems and controls: policies and procedures; board reporting; audit scope
Credit management: credit risk; underwriting standards; risk selection; originator management; exception processing; government payment processing; funds availability

49 Components (cont.)
Compliance: ACH Rules; BSA/AML; OFAC; Reg D, E, CC, GG; UCC 4A
Third parties: service level agreements; contracts; management

50 Components (cont.)
Direct Access: volume; agreements
Operational and transactional process: RDFI; ODFI
IT: technology controls; data protection; business continuity

51 Components (cont.)
Identify:
Threats: consistent between institutions; vary over time
Vulnerabilities: unique to each institution; not always manageable
Controls: preventative; procedural; technical; detective

52 Assessment Deliverables
Measure: control effectiveness; residual risk
Prioritize: remediate or accept
Documentation of the process

53 Risk Management Program

54 Risk Management Program, OCC 2006-39
Establish an ACH Risk Management Program: clear objectives; well-developed business strategy; clear risk parameters
Board and Management role: Board sets the overall business strategy and risk limits; Management establishes the management system
Ongoing process: evaluate activities vs. risk parameters; confirm policies, procedures, & controls are effective; covers the FI and its TPSP

55 Risk Management Program: Board Reporting
The Board or a Committee should receive periodic reports, including:
Metrics and trend analyses on ACH volume, returns, operational losses, and transaction types, with explanations for variances from prior reports
Metrics and trend analyses related to the composition of the bank's portfolio of originators and, as applicable, third-party senders
Capital adequacy relative to the volume of ACH activity and the level of risk associated with originators
The percentage of the deposit base that is linked to ACH origination activity
A summary of return rates by originator and, as applicable, third-party senders
Unauthorized returns that exceed board-established thresholds
Notices of potential and actual rules violations and fines by NACHA
Financial reports on profitability of the ACH function as a cost center
Risk management reports, including a comparison of actual performance to approved risk parameters
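An added example, not from the presentation, of the monitoring behind two of the board-report items above (return rates by Originator against board-established thresholds) together with the exposure-limit enforcement from slide 25. The Originator and Entry types, the threshold values, the exposure approximation (unreturned debits still inside the 60-day consumer window) and the sample entries are all constructed assumptions; the unauthorized codes R05/R07/R29 are added beside the slides' R10 from the NACHA return reason code list.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Unauthorized return reason codes counted toward the unauthorized-return rate.
UNAUTHORIZED_CODES = {"R05", "R07", "R10", "R29"}
EXTENDED_RETURN_DAYS = 60  # consumer unauthorized returns can still arrive this long


@dataclass
class Originator:
    company_id: str
    exposure_limit_cents: int       # board-approved exposure limit (constructed)
    unauthorized_rate_limit: float  # board-established thresholds (constructed)
    overall_rate_limit: float


@dataclass
class Entry:
    company_id: str
    amount_cents: int
    settlement_date: date
    return_code: Optional[str] = None  # set once the entry has been returned


def originator_metrics(entries, start, end):
    """Counts, return rates and exposure per Originator for debits settling in [start, end]."""
    stats = defaultdict(lambda: {"entries": 0, "returns": 0, "unauthorized": 0, "exposure": 0})
    for e in entries:
        if not start <= e.settlement_date <= end:
            continue
        s = stats[e.company_id]
        s["entries"] += 1
        if e.return_code is None:
            # Unreturned and still inside the 60-day window: money that could come back.
            if e.settlement_date > end - timedelta(days=EXTENDED_RETURN_DAYS):
                s["exposure"] += e.amount_cents
        else:
            s["returns"] += 1
            if e.return_code in UNAUTHORIZED_CODES:
                s["unauthorized"] += 1
    for s in stats.values():
        s["return_rate"] = s["returns"] / s["entries"]
        s["unauthorized_rate"] = s["unauthorized"] / s["entries"]
    return dict(stats)


def board_exceptions(originators, entries, start, end):
    """(company_id, metric, observed, limit) for every board threshold that is exceeded."""
    metrics = originator_metrics(entries, start, end)
    found = []
    for o in originators:
        s = metrics.get(o.company_id)
        if s is None:
            continue
        checks = [("unauthorized_rate", s["unauthorized_rate"], o.unauthorized_rate_limit),
                  ("return_rate", s["return_rate"], o.overall_rate_limit),
                  ("exposure", s["exposure"], o.exposure_limit_cents)]
        found.extend((o.company_id, m, v, lim) for m, v, lim in checks if v > lim)
    return found


def sample_entries():
    """Constructed one-month sample: ACME01 is clean, SHADY02 draws unauthorized returns."""
    entries = []
    for i in range(100):
        code = "R01" if i < 2 else None
        entries.append(Entry("ACME01", 5000, date(2014, 9, 1) + timedelta(days=i % 20), code))
    for i in range(40):
        code = "R10" if i < 3 else "R01" if i < 5 else None
        entries.append(Entry("SHADY02", 20000, date(2014, 9, 1) + timedelta(days=i % 20), code))
    return entries


ORIGINATORS = [Originator("ACME01", 1_000_000, 0.005, 0.15),
               Originator("SHADY02", 500_000, 0.005, 0.15)]
```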

56 Risk Management Program: Audit
Common issues: inadequate audit coverage; inexperienced audit staff; lack of appropriate auditor training
Audit scope should consider: growth in transaction volume; new products and services; new ACH systems; underwriting policies and customer due diligence (CDD) policies and practices; customers' online access to the ACH network
Ensure periodic audits of third-party service providers
The NACHA Rules Compliance Audit is not a substitute for a comprehensive, risk-based audit

57 Risk Assessment Findings
What Auditors and Examiners are finding (continued):
Out-of-band authentication is not used
IAT entry screening is happening, but some institutions are unclear what happens if an entry is a suspect transaction
Inadequate knowledge of the ACH Rules by the audit and compliance departments

58 Risk Assessment Findings
The ACH Policy does not adequately define objectives
The role of ACH in the overall strategic plan is not defined
Including ACH in BSA/AML monitoring
Failure to have adequate controls in place to prevent Corporate Account Takeover, or account takeover for Account-to-Account consumer transactions
Inadequate Vendor Management controls

59 General Audit Requirements
Who is required to complete the ACH Audit?
Participating Depository Financial Institutions (DFIs)
Third-Party Service Providers and/or Third-Party Senders that provide ACH services to DFIs

60 General Audit Requirements
Who can perform the Audit? The audit is performed under the direction of:
Audit Committee
Audit Manager
Senior Level Officer
External auditor of the DFI or Third-Party Service Provider

61 Non-Rule Related Best Practices
NACHA ACH Audit Update 2009 Compliance Symposium
A Participating DFI may wish to audit other aspects of its ACH Operations in conjunction with its annual rules compliance audit:
OFAC Compliance
ACH Business Continuity Plans
ACH Risk Management Policies
Compliance with 31 C.F.R. Part 210 and Green Book Compliance
Copyright UMACHA, All Rights Reserved

62 General Audit Requirements
Compliance with Appendix Eight, OR 203
Identifies Rules that should be reviewed
Direct impact on quality of ACH Services
Satisfaction of DFIs and Receivers

63 General Audit Requirements
Conduct annually by December 31st
Retain proof for 6 years from the date of the audit
Provide to NACHA upon request (NACHA is requesting proof now)

64 Audit Requirements for all DFIs
Areas of examination:
Record Retention
Electronic Records
Proof of Audit completion
Data Security
Payment of NACHA fees
Risk Assessment completion
Security Policies and Procedures

65 8.3: 12 Rules tested for RDFI
Prenote Verification
Proper Use of NOCs
Acceptance of entries
Funds availability
Statement Requirements
Proper handling of returns
RCK returns
Credit Returns
Stop payments
WSUDs
UCC 4A
Addenda Reporting

66 Most Commonly Found Areas of Non-Compliance for RDFIs
NACHA ACH Audit Update 2009 Compliance Symposium
Not completing an ACH Audit
NOC and/or Return Records not retained in full detail for six years
Prenotes not being looked at or responded to
WEB Credits not posted correctly on statements
WSUD vs. Stop Payments

67 Audit Requirements for ODFIs
All ODFIs and Third-Party Service Providers are required to complete the audit
ODFI warrants completion of the audit by both of these participants
Conduct the audit to determine compliance with the rules regarding origination of ACH entries

68 Appendix Eight, 8.4: 14 Rules tested for compliance
A. Agreements with Originators and TPS
B. Sending Point Agreements
C. Exposure Limits
D. Acceptance of Return Entries
E. NOC Processing
F. Copies of Authorizations
G. Permissible returns

69 Appendix Eight, 8.4 (cont.)
H. UCC 4A
I. Identity of Originators
J. Reversing Entries
K. BOC entries
L. NACHA Reporting
M. Direct Access Registration
N. Keeping Originators informed of the Rules

70 Most Commonly Found Areas of Non-Compliance for ODFIs
Origination Agreements missing the recently added requirements
NOCs
Unable to locate Sending Point agreement
Untimely Reversals

71 Questions
Sean Carter, AAP, SVP, Payments Strategies & Advisor

