The Payments Institute, July 21-24, 2019 • Emory University, Atlanta GA
ACH Audit and Risk Assessment
Mary Gilmeister, AAP, NCP, President, PAR/WACHA - The Premier Payments [email protected]
Disclaimer
• WACHA, through its Direct Membership in NACHA, is a specially recognized and licensed provider of ACH education, publications and support.
• Regional Payments Associations are directly engaged in the NACHA rulemaking process and Accredited ACH Professional (AAP) program.
• NACHA owns the copyright for the NACHA Operating Rules & Guidelines.
• The Accredited ACH Professional (AAP) is a service mark of NACHA.
• This material is derived from collaborative work product developed by NACHA ─ The Electronic Payments Association and its member Regional Payments Associations.
• This material is not intended to provide any warranties or legal advice, and is intended for educational purposes only.
• This document could include technical inaccuracies or typographical errors and individual users are responsible for verifying any information contained herein.
• No part of this material may be used without the prior written permission of WACHA/PAR
© 2018 PAR/WACHA All rights reserved
AGENDA
ACH Audit
• Who & Why
• Receiving Depository Financial Institution (RDFI)
• Originating Depository Financial Institution (ODFI)
• Third Party Senders
• Third Party Processors
Risk Assessment
Why Do We Need To Do the ACH Audit and Risk Assessment?
• Manage Risk and Minimize Loss
• Enhance ACH Quality and Customer Satisfaction
• Improve Operational Efficiencies and Lower Processing Costs
• Avoid Fines
ACH Audit
• All Financial Institutions and their Third Party Senders and Third-Party Service Providers are required to do an ACH Audit by December 31 of each year.
ACH Transaction Flow/Participants
[Diagram: ACH Transaction Flow with Third Parties. Participants shown: Originator, Third Party Service Provider/Sender, Third Party Processor/Sending Point, ODFI, ACH Operator, RDFI, Third Party Processor/Receiving Point, Receiver]
• Failure of a Participating DFI to provide proof of completion of an audit may be considered a Class 2 Rules Violation
• NACHA does ask for documentation of proof of audit
Required by the ACH Rules
• Rule Change: Appendix Eight of the ACH Rules is no longer part of the Rules as of 1/1/2019 per Supplement 2-2018 (OR xli)
– Provided the requirements and minimum specifications for an audit of compliance with the ACH Rules
– Required annual audits by FIs and Third-party Service Providers, found in 1.2.2.1
– Operations Bulletin #1-2019
Rule Compliance - Audit Requirements
• The former ACH Rules Compliance Audit provisions in Appendix Eight specified only particular areas or Rules for which compliance was to be verified.
– Some areas of the audit may not have applied to the FI
– Some riskier areas may have needed more attention
– There are other aspects of law or regulations that should also be evaluated beyond the ACH Rules Compliance
– The objective is to audit for all Rules Compliance, not specific rules
Justification
• Manage risk and minimize loss
• Enhance ACH quality and customer satisfaction
• Improve operational efficiencies and lower processing costs
• Avoid fines
• Requirement of the NACHA Rules
Why Do We Need To Do the ACH Audit?
• Return Reason Codes
– Consumer
– Non-consumer
• NACHA Operating Rules
• 31 Code of Federal Regulations 210
• Regulation E
• Regulation CC
• Uniform Commercial Code 4A
• Office of Foreign Assets Control (OFAC)
• FFIEC Examination Handbook Retail Payment Systems
You Need to Know
• Auditing Methods
– Interview personnel
– Sampling
• Random
– May wish to cluster transactions by common characteristics before selecting samples so that you are certain to address all audit requirements.
– Testing
• Follow Transactions
• Follow Procedures
What method should we use?
• Account Disclosures
• ACH Policies
– Receipt
– Origination Risk
– OFAC
• Written Procedures Manual
– Do these procedures accurately reflect your policies?
• Organizational chart of chain of command for ACH department
• Number of employees involved in processing ACH
– Dual Control
• Core Processing system/Internal software updates
• Balancing reports and statements daily including General Ledger
• Rules Violations
• Mergers or Acquisitions
ACH Audit Checklist
• ACH Operator, FED or EPN?
• Operator Advice
• How do you Receive Files?
• Third-party processor
• How do you process returns?
• Staff training
– AAPs, APRPs
• Physical access controls and passwords, security levels
• Contingency/Disaster Recovery Plan
ACH Audit Checklist
• How many Originators
• What origination delivery system
• How many versions of your ACH agreements do you have?
• Do you originate your own loan payments via ACH?
• Do you originate external ACH fund transfers for the following?
– Loan Payments
– Business to Business transfers
– Consumer to Consumer transfers
– Consumer to Business transfers
• Bill payment or person-to-person (P2P) transfers (e.g., Popmoney)? Are you the ODFI for these transactions?
• Do you have exposure limits, and how frequently are they reviewed?
ACH Origination Audit Checklist
• External ACH transfers through your online banking system?
• How do you authenticate users on your online banking site?
• Do you open new accounts via the internet? Do you fund these accounts with ACH debits?
– If so, do you have a limit set for these transfers, and what is the dollar amount?
ACH Origination Audit Checklist
• ACH Rules Reference 1.4.1 and 1.4.2
– Records of Entries
• Retention Method (paper, optical, disk, etc.)
• Sampling for each of past 6 years
• Can Be Reproduced
• ACH Rules Reference 1.4.3
– Electronic Records
• Accurately Reflect the Information Contained in the Record
• Can Be Reproduced
All Participating DFIs
• ACH Rules Reference 1.2.2
– Verify that an audit was completed in the previous year
– Verify that issues raised during the previous audit were corrected
– Audit reviewed by board of directors?
Audit Verification
• ACH Rules Reference 1.6
– Participating DFI and originators/third party senders have established, implemented and updated security policies, procedures and systems
• Are you performing due diligence to ensure the security procedures are being conducted and how?
ACH Data Security
• ACH Rules Reference 1.7
– Commercially reasonable level of encryption for all entries received over the internet
– Procedures in place to:
• Detect a Data Breach
• Report a Data Breach to applicable parties
– Personal Information including:
– Name & Social Security Number
– Account Number & Routing Number
– Do you share data regarding entries, returns, or any accountholder data via email?
Data Security
• ACH Rules Reference 1.13
– Has the financial institution paid all annual fees and per-entry fees?
• Automatically happens if you are sending/receiving through the FED
• Schedule of fees at the end of the Operating Rules
– This section is not applicable if you send all of your ACH entries to the ACH Operator
• N7 Form
NACHA Fees
• ACH Rules Reference 1.2.4
– Financial Institutions are required to assess the risk of their ACH activities and implement a risk management program based on the assessment
• Has it been reviewed by the board?
• How often do you re-assess?
• Have the identified risks been addressed?
ACH Risk Assessment
• How do you identify International ACH Transaction (IAT) entries upon receipt?
• Are all the fields within each IAT entry and all corresponding addenda records verified for OFAC Compliance?
• Are all fields with each IAT return entry and all corresponding addenda records verified for OFAC compliance?
• Do you have procedures to follow if you have a match?
• Do you post prior to scrubbing?
International ACH Transactions (IATs)
• ACH Rules Reference 3.5
– Validate account number in prenote:
• Accept
• Return or
• Initiate a Notification of Change on a timely basis
– We do not recommend NOCs for prenotifications
Prenotifications
• ACH Rule Reference 3.9.1
– Verify that NOC entries are transmitted within two banking days of the settlement date of the original entry to which the NOC relates
• with the exception of NOCs due to merger or acquisition
– Dual Control?
Notification of Change
• ACH Rules Reference 3.1.1, 3.8.2
– Verify all entries accepted as required
– Entries not required to be accepted:
• XCK
– Do GL and loan entries post automatically?
Acceptance of Entries
• ACH Rule reference 3.3.1.1, 3.3.1.2, and 3.3.2
– PPD credit entries made available to the RDFI by 5:00 p.m. the banking day prior to settlement date, are available to the Receiver for withdrawal no later than the opening of business on the settlement date
– Same Day Credits
• After September 20, 2019, will you post same day entries within the time frames described in the Nacha Operating Rules?
– Debit entries are not posted prior to the settlement date
Credit Availability & Debit Timing
Processing Window/Schedule | RDFI receipt time | Current funds availability requirement [1] | Revised funds availability requirement [1]
First same-day window | 12:00 noon ET | 5:00 p.m. local time | 1:30 p.m. RDFI local time
Second same-day window | 4:00 p.m. ET | 5:00 p.m. local time | 5:00 p.m. RDFI local time
New, third same-day window | 5:30 p.m. ET | N/A | End of RDFI’s processing day [2]
Non-Same Day ACH credits | If received prior to 5:00 p.m. local time | Opening of business for PPD; end of settlement date for non-PPD | 9:00 a.m. RDFI local time for all SEC Codes
Overview
• ACH Rule reference 3.1.5.1
– Verify that the RDFI sends or makes available as part of the account statement for consumer customers information from transactions as dictated by the ACH Rules and Regulation E
Account Statement Content
• Send or make available to each account holder a monthly statement with the following:
– Posting Date of Entry
– Dollar Amount of Entry
– Company Name, Individual name for WEB credits
– Company Entry Description
– Terminal ID, Location, City, State (POP, POS, MTE & SHR)
– Check Serial Number for ARC, BOC, POP, RCK & XCK
Account Statement Contents
• ACH Rules Reference 3.8
– Verify that returned entries (including debit entries to a corporate account returned as unauthorized) are received by the RDFI’s ACH Operator by its deposit deadline for the return entry to be made available to the ODFI no later than the opening of business on the second banking day following the Settlement Date of the original entry
Timely Returns (Excluding RCK)
• Rules Reference 3.8.3.5, Appendix Four
– Verify that permissible return entries (i.e., the late return of unauthorized debit entries to non-Consumer Accounts) are transmitted with the permission of the ODFI and utilize the appropriate Return Reason Code
• Rules Reference 3.8.5; Appendix Four
– Verify that dishonored return entries received by the RDFI are handled appropriately, and that contested dishonored return entries and corrected returns are initiated in a timely manner. Verify that the RDFI utilizes Return Reason Codes and Contested Dishonored Return Reason Codes that accurately describe the reason for the return
Timely Returns, cont. (Excluding RCK)
• Where are exceptions found?
• Does staff understand Dishonored Returns and Contested Dishonored Returns?
• Is staff aware of return timeframes for all return reason codes?
• What method is used for returns?
• Return with ODFI permission
– R31
Timely Returns Test
• ACH Rules Reference 3.8.3.3
– Review internal procedures to ensure that the return of an RCK debit entry is transmitted to the RDFI’s ACH Operator by midnight of the second banking day following the banking day of receipt of the presentment notice
Represented Check Entries - RCK
• Transmit an adjustment entry, so the entry is made available to the ODFI by the 60th calendar day, if:
– notice of RCK policy was not provided – R51
– item to which the entry relates is ineligible – R51
– signatures are not authentic or authorized – R51
– item to which RCK relates has been altered – R51
– Both items presented for payment – R53
• Verify that a Written Statement of Unauthorized Debit has been received for entries returned R51 and R53
Re-presented checks - continued
• ACH Rules Reference 3.8.3.2, 3.8.4
– Credit entries that cannot post or be made available to the receiver are returned by opening of business on the second banking day following the Settlement Date
– If a receiver declines a credit:
• Opening of business on the 2nd day following the request date
– Do not put into a suspense account to research
Return of Credit Entries
• ACH Rules Reference 3.7.1.1, 3.7.1.2, and 3.7.2
– Verify that the Stop Payment Orders are acted upon appropriately
• Recurring Payment
– Stop instructions 3 banking days prior to debit
• Single payment or Non-consumer payment
– RDFI needs reasonable time to act on stop order
– Stop one payment or all future payments based on the consumer’s intent (Reg E)
• Stop payment is not to be used for error resolution.
– Timeliness of returns (2-day window)
– Training, procedures & Forms
Stop Payments
• ACH Rules Reference 3.11.2.2, 3.13.1, and Appendix Four for extended returns
– Stop Payment on source document related to ARC, BOC or RCK entry
• R38 & R52
• RDFI transmitting adjustment entry in a timely manner: 60 calendar days from settlement
Stop Payments, cont.
• ACH Rule 3.11.1, 3.12.5, 3.12.7, 3.13.1, and Appendix Four
– Review records and procedures to ensure that signed Written Statement of Unauthorized Debit (WSUD) forms are obtained from consumers before returning entries for Return Reason Codes R05, R07, R10, R37, R51 and R53
– Returned in appropriate time frames
– Made available to ODFI upon request
– Is your financial institution following Regulation E?
Written Statement of Unauthorized Debit
• R10
– Consumer Claims the Entry Is Unauthorized, Ineligible or Incomplete
– This code can be used for Improperly Reinitiated Debit Entries
Consumer Return Codes Requiring WSUD
• R51
– Improper RCK Entry
• R53
– Item That Relates to the RCK Has Also Been Presented for Payment
• R05
– CCD entry to a consumer account
• R07
– Cannot Be Used for RCK, ARC, BOC, POP
• R37
– Source Document for ARC or POP Has Paid
Consumer Return Codes Requiring WSUD
• Written Documentation
• To Be Used for Contested Consumer Transactions That
– Were Never Authorized or Not As Authorized
– Revoked or Cancelled
– Incomplete
– Invalid ARC, BOC, POP or RCK Transactions
– CCD transaction posted to a Consumer account
• Retention
– Must Be Able to Provide Copy to ODFI for 1 Year
– Reg E states two year retention for Error Resolution supporting documentation
Written Statement of Unauthorized Debit Procedures
• Receiver’s printed name and signature
• Receiver’s account number
• Amount of entry
• Party debiting the account as identified to the Receiver, or the name of the intended payee
• Posting date of the entry
• Reason for return
• Signature date
• Receiver assertion that the Written Statement is true and correct
• Receiver assertion that the Receiver is an authorized signer or has authority to act on the account
Written Statement of Unauthorized Debit Requirements
Regulation E provides rules that protect consumers in regards to “errors” in electronic transactions.
If a consumer claims that an error has occurred, the financial institution is required to take ACTION by:
INVESTIGATING the error
Providing a RESOLUTION to the consumer and,
COMMUNICATING the resolution to the consumer
Error Resolution
Must be received no later than 60 days after the institution sends the periodic statement on which the alleged error is first reflected
Must identify the consumer’s name and account number
Must indicate why the consumer believes an error exists
Type, date, and amount of the error
Notice of Error from Consumer 1005.11(b)
If the consumer notifies the financial institution within 2 business days after learning of the loss or theft of the access device, his or her liability shall not exceed the lesser of:
$50 or
The amount of unauthorized transfers that occurred before notice
Consumer Liability for Unauthorized Transfers
If the consumer gives notice between the 3rd & 60th day, the liability shall not exceed the lesser of:
$500 or
The sum of $50 or the unauthorized transaction within 2 business days (whichever is less), plus the amount of unauthorized transfers from day 3 through notice to the financial institution
Consumer Liability for Unauthorized Transfers
Consumer Negligence Cannot Be Used to Impose Greater Loss, for example:
• Writing the PIN on a piece of paper attached to the card
• Failure to protect the card
Agreement of the Consumer cannot limit Liability
The $50.00 and $500.00 limitations do not apply if the unauthorized transfer is made without an access device
If the consumer gives notice beyond 60 days, the consumer’s liability will not exceed the amount of the unauthorized transfers that occur after the close of the 60 days and before the notice, and that would not have occurred had timely notice been given
This is the consumer liability!
FI is still liable for unauthorized EFTs within the first 60 days
Timeliness of Error Notice (Reg. E 1005.6.3)
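The liability tiers above can be checked mechanically when reviewing error-resolution files. The Python below is an added worked example, not material from the presentation or from PAR/WACHA; it encodes the tiers as the slides state them. Assumptions made for the example: `day` counts days since the consumer learned of the loss or theft (day 0 is that day, days 0 to 2 stand for the 2-business-day window, and business and calendar days are not otherwise distinguished), only transfers dated before the notice day count, a transfer made without an access device carries no consumer liability inside the 60-day window, and the `preventable` flag stands in for the institution's finding that a post-60-day transfer would not have occurred had timely notice been given. `over_charged` is the audit check itself: did the institution hold the consumer to more than the tiers allow?

```python
from dataclasses import dataclass
from typing import Iterable


@dataclass
class UnauthorizedTransfer:
    day: int                  # days after the consumer learned of the loss/theft (assumption: day 0 = that day)
    amount: float             # dollars
    preventable: bool = True  # would not have occurred had timely notice been given (used only after day 60)


TIER1_CAP = 50.0    # notice within 2 business days
TIER2_CAP = 500.0   # notice between the 3rd and 60th day
TIMELY_WINDOW = 60  # days


def consumer_liability(notice_day: int, transfers: Iterable[UnauthorizedTransfer],
                       access_device: bool = True) -> float:
    """Maximum the consumer can be held liable for, following the tiers on the slides.
    Only transfers dated before the notice day are counted (assumption)."""
    before_notice = [t for t in transfers if t.day < notice_day]

    if notice_day > TIMELY_WINDOW:
        # Beyond 60 days: liability is limited to transfers after the close of the 60 days
        # and before notice that timely notice would have prevented; the FI keeps the
        # loss on everything inside the first 60 days.
        return float(sum(t.amount for t in before_notice
                         if t.day > TIMELY_WINDOW and t.preventable))

    if not access_device:
        # The $50/$500 tiers do not apply without an access device; this example treats
        # the consumer as not liable inside the 60-day window in that case (assumption).
        return 0.0

    first_window = sum(t.amount for t in before_notice if t.day <= 2)
    if notice_day <= 2:
        # Within 2 business days: the lesser of $50 or the transfers before notice
        return min(TIER1_CAP, first_window)

    # Day 3 to day 60: the lesser of $50 or the first-two-day transfers, plus transfers
    # from day 3 through notice, capped at $500.
    later = sum(t.amount for t in before_notice if 3 <= t.day <= TIMELY_WINDOW)
    return min(TIER2_CAP, min(TIER1_CAP, first_window) + later)


def over_charged(charged: float, notice_day: int, transfers, access_device: bool = True) -> bool:
    """Audit check: did the institution hold the consumer to more than the tiers allow?"""
    return charged > consumer_liability(notice_day, transfers, access_device)


if __name__ == "__main__":
    # Constructed scenario: $200 taken on day 1, $400 on day 5, consumer gives notice on day 10
    sample = [UnauthorizedTransfer(1, 200.0), UnauthorizedTransfer(5, 400.0)]
    print(consumer_liability(10, sample))        # 450.0
    print(over_charged(600.0, 10, sample))       # True
```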
Notice is given when a consumer takes steps “reasonably necessary” to provide the pertinent information
Notice may be in person, by phone, or in writing
Written notice is given when the consumer mails the notice or delivers it for transmission
• Whether or not “a particular employee or agent of the institution actually receives the information.”
Notice
If the consumer’s delay in providing notice was due to extenuating circumstances (e.g. vacations and hospitals)
Institution shall extend notice periods by a reasonable amount
Notice Extensions
A financial institution may require the consumer to give written confirmation of an error within 10 business days of an oral notice.
Must inform the consumer of this requirement and provide address where written notice is to be sent
Notice of Error from Consumer
• General Returns: available to the ODFI on the morning of the second banking day following the settlement date of the original entry
• CCD & CTX: “2 day” return time frame, with exceptions
• Improper or Unauthorized Returns: 60 days from settlement date
ACH Return Timeframes
ACH items may be returned 60 days from settlement date
• Could possibly return beyond the 60 days by contacting the ODFI
Obtain a Written Statement of Unauthorized Debit (WSUD)
RDFI must be prompt in crediting the account of the receiver
NACHA Rules
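The Timely Returns Test, the Written Statement of Unauthorized Debit requirements and the return timeframes above are what a sampling audit tests transaction by transaction. The Python below is an added example, not part of the presentation or of any NACHA or PAR/WACHA tooling: it walks a constructed set of return records and logs the exceptions an auditor would note (late returns, returns that need a WSUD but lack one or have an incomplete one, and an R31 without the ODFI's documented agreement). Assumptions: `available_to_odfi` is the date the return became available to the ODFI; the 60-calendar-day window applies to the WSUD codes plus R38 and R52 (both from the stop-payment slides); every other code gets the second-banking-day deadline computed from a Monday-to-Friday calendar plus whatever holidays the caller lists; and R31 has no fixed deadline because its timing is whatever the ODFI agreed to. Trace numbers, dates and the WSUD field names are made up for the example.

```python
from datetime import date, timedelta

# Return Reason Codes that require a signed Written Statement of Unauthorized Debit (slide list)
WSUD_CODES = {"R05", "R07", "R10", "R37", "R51", "R53"}
# Codes the slides tie to the extended 60-calendar-day window: the WSUD codes plus the
# ARC/BOC/RCK stop-payment codes R38 and R52. Everything else gets the 2-banking-day window.
EXTENDED_WINDOW_CODES = WSUD_CODES | {"R38", "R52"}
# Permissible return (R31): a late return the ODFI has agreed to accept, so no fixed deadline here
ODFI_PERMISSION_CODES = {"R31"}

# WSUD content required by the slide, as record keys for this example (names are assumptions)
WSUD_REQUIRED_FIELDS = (
    "receiver_printed_name", "receiver_signature", "receiver_account_number", "entry_amount",
    "debiting_party_or_payee", "posting_date", "reason_for_return", "signature_date",
    "assertion_true_and_correct", "assertion_authorized_signer",
)


def add_banking_days(start: date, n: int, holidays=frozenset()) -> date:
    """Walk forward n banking days (Mon-Fri, skipping any listed holidays) from start."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5 and d not in holidays:
            n -= 1
    return d


def return_deadline(code: str, settlement_date: date, holidays=frozenset()):
    """Latest date the return may be made available to the ODFI; None when the deadline is
    whatever the ODFI agreed to (R31)."""
    if code in ODFI_PERMISSION_CODES:
        return None
    if code in EXTENDED_WINDOW_CODES:
        return settlement_date + timedelta(days=60)
    return add_banking_days(settlement_date, 2, holidays)


def audit_return(ret: dict, holidays=frozenset()) -> list:
    """Exceptions an auditor would log for one return record (empty list = clean)."""
    findings = []
    code = ret["code"]
    deadline = return_deadline(code, ret["settlement_date"], holidays)
    if deadline is not None and ret["available_to_odfi"] > deadline:
        findings.append(f"late {code}: available {ret['available_to_odfi']}, deadline {deadline}")
    if code in WSUD_CODES:
        wsud = ret.get("wsud")
        if wsud is None:
            findings.append(f"{code} returned without a WSUD on file")
        else:
            missing = [f for f in WSUD_REQUIRED_FIELDS if not wsud.get(f)]
            if missing:
                findings.append(f"{code} WSUD incomplete: missing " + ", ".join(missing))
    if code in ODFI_PERMISSION_CODES and not ret.get("odfi_permission"):
        findings.append("R31 transmitted without documented ODFI permission")
    return findings


def audit_all(returns, holidays=frozenset()) -> dict:
    """{trace: findings} for every return that has at least one exception."""
    report = {}
    for r in returns:
        found = audit_return(r, holidays)
        if found:
            report[r["trace"]] = found
    return report


def full_wsud(**overrides):
    """A complete WSUD record (True = field present), with selected fields overridden."""
    w = {f: True for f in WSUD_REQUIRED_FIELDS}
    w.update(overrides)
    return w


# Constructed sample returns (trace ids and dates are made up for the example)
SAMPLE_RETURNS = [
    # settled Fri 2019-07-19, available Tue 2019-07-23: on time
    {"trace": "A1", "code": "R01", "settlement_date": date(2019, 7, 19), "available_to_odfi": date(2019, 7, 23)},
    # one day late
    {"trace": "A2", "code": "R03", "settlement_date": date(2019, 7, 19), "available_to_odfi": date(2019, 7, 24)},
    # consumer unauthorized, inside 60 days, but the WSUD on file is not dated
    {"trace": "A3", "code": "R10", "settlement_date": date(2019, 6, 3), "available_to_odfi": date(2019, 7, 15),
     "wsud": full_wsud(signature_date=False)},
    # improper RCK return with no WSUD at all, past the 60th calendar day
    {"trace": "A4", "code": "R51", "settlement_date": date(2019, 4, 1), "available_to_odfi": date(2019, 6, 5)},
    # permissible return, but nobody recorded the ODFI's agreement
    {"trace": "A5", "code": "R31", "settlement_date": date(2019, 7, 1), "available_to_odfi": date(2019, 7, 10),
     "odfi_permission": False},
]

if __name__ == "__main__":
    for trace, findings in audit_all(SAMPLE_RETURNS).items():
        print(trace, findings)
```

Pass the institution's holiday calendar as `holidays` so the two-banking-day deadline skips them; the sample above runs against weekends only.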
Error Resolution procedures
Consumer must notify the FI within 60 days of the transmission date of the statement containing alleged error
Provisional credit becomes final after investigation concludes that an error occurred
Regulation E
Consumers Right to Re-credit
The rights of the Receiver under the NACHA Operating Rules are in addition to any rights under Regulation E
ODFI warranty does not run out after the return time frames for unauthorized items
Requesting a copy of the authorization from the ODFI may be the investigation
– Don’t have the authorization = Warranty Breach
– Produce the authorization = take back credit after notifying the consumer
NACHA Rules and Regulation E
Regulation E deals with the banking relationship between the RDFI and the Receiver when dealing with unauthorized entries
Regulation E does not provide a mechanism for the RDFI to recoup the provisional credit
There is no conflict between the NACHA return time frame and Regulation E; they do not do the same thing
NACHA Rules and Regulation E
Resolution process for each error should be logged
ACH Unauthorized/Improper returns should be logged
Written Statement of Unauthorized Debit (WSUD)
Notice of Final Credit for those transactions requiring a WSUD
Error Resolution Log
RDFI Audit of Federal Government Payments
Compliance with requirements as outlined in 31 CFR Part 210 and the Green Book
https://www.fiscal.treasury.gov/reference-guidance/green-book/
• Written procedures for steps to be taken upon learning of death of customer/member?
– DNE Processing
– Constructive knowledge
– All benefit payment/all accounts
– Front line staff
• Verify appropriate use of R14 (Death of Rep Payee) and R15 (Death of Beneficiary or Account Holder)
• Have branch and operations employees been trained on the Green Book?
• Are you aware of recent updates?
Federal Government Payments
Reclamations
• A procedure used by the Federal government to recover benefit payments
• Specific payments subject to Reclamation (page 5-4)
• Must be sent within 120 days after the agency learns of death
• An RDFI is not liable for any post-death payments made more than six years prior to the date of the notice of reclamation
• Posting to Closed accounts
• ENR—Use Godirect.org
• Non Receipt request or Tele-Trace
• Closing an account receiving Federal Government Benefit Payments
• Garnishments
– Able to identify Federal Government Payments that are protected
Government Payments
Originating Depository Financial Institution (ODFI)
or Third Party Service Provider
or Third Party Senders
The ODFI has complete responsibility for entries containing its Routing Number within the Trace Number that are transmitted into the ACH system
Originating Depository Financial Institution (ODFI)
• ACH Rule Reference 2.2.1.1, 2.2.2.2, and 2.5.8.3
– Has an agreement been executed with each company and financial institution for whom the financial institution originates binding them to US law and the ACH Rules?
– Verify compliance with OFAC-enforced sanctions
– Third Party Senders
– Direct Senders
• Document procedures that allow the financial institution to approve every party for whom the processor sends files directly to the ACH Operator
Binding Agreements
• Three additional issues are required to be addressed in ACH Originator and Third Party Sender Agreements.
– The right of the ODFI to terminate or suspend the Originator
– The ability to audit the originator
– Any restrictions on the types of transactions allowed
Binding Agreements
• ACH Rule reference 2.2.3
• Review internal procedures to determine that exposure limits are established for each Originator
• Exposure limits should be reviewed periodically
• Entries initiated by Originators are to be monitored relative to the exposure limits across multiple settlement dates
• The restrictions on types of SEC code of originated entries need to be enforced
• Procedures for monitoring and what happens if established limits are exceeded
ODFI Exposure Limits
• ACH Rule reference 2.12.1, 2.12.5.1, 2.12.5.3 and Appendix Four
– Verify that the ODFI accepts return items
• Notify the originator or TPS
• Re-initiation of R01/R09
– Verify that dishonored returns are transmitted within 5 banking days of the settlement date of the return entry
– What procedures do you have to ensure this is done correctly?
– Are you or your originators correctly Reinitiating entries?
Return Items
• Define and establish standards for reinitiated entries
• Require reinitiated entries to have same Company Name, Company ID and Amount as original entry
– Content in other fields can be modified only to the extent necessary to correct an error or facilitate processing of an Entry.
• Standard use of Company Entry Description “RETRY PYMT”
• Identify practices that constitute improper re-initiation
• Give ACH Rules Enforcement Panel authority to determine whether a practice was improper re-initiation
• Improper reinitiated Entries can be returned as Unauthorized (R10)
Re-initiation
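One way to test re-initiated entries against the standards listed above, as an added Python example that is not part of the presentation: it compares a retry with the entry it re-initiates, reports breaches on the three fields that must match and on the RETRY PYMT description, and separately lists any other changed fields for manual review, since the Rules allow those changes only to the extent needed to correct an error or facilitate processing. The sample records, the field names and the use of R01/R09 as the returns eligible for re-initiation (from the Return Items slide) are assumptions of the example; amounts are in cents.

```python
RETRY_DESCRIPTION = "RETRY PYMT"
REINITIABLE_RETURN_CODES = {"R01", "R09"}      # the Return Items slide pairs re-initiation with R01/R09
MUST_MATCH = ("company_name", "company_id", "amount")


def check_reinitiation(original: dict, original_return_code: str, retry: dict) -> dict:
    """Compare a retry entry with the entry it re-initiates.

    'violations' are breaches of the points listed on the slide; 'review' lists every other
    field that changed, which the Rules permit only as far as needed to correct an error or
    facilitate processing, so an auditor looks at those by hand.
    """
    violations = []
    if original_return_code not in REINITIABLE_RETURN_CODES:
        violations.append(f"original entry was returned {original_return_code}, not R01/R09")
    for field in MUST_MATCH:
        if original.get(field) != retry.get(field):
            violations.append(f"{field} changed: {original.get(field)!r} -> {retry.get(field)!r}")
    desc = retry.get("company_entry_description")
    if desc != RETRY_DESCRIPTION:
        violations.append(f"company_entry_description is {desc!r}, expected {RETRY_DESCRIPTION!r}")
    review = [f for f in retry
              if f not in MUST_MATCH and f != "company_entry_description"
              and retry[f] != original.get(f)]
    return {"violations": violations, "review": review}


# Constructed sample records (amounts in cents, as in a raw entry detail record)
ORIGINAL = {
    "company_name": "ACME GYM", "company_id": "1234567890", "amount": 4500,
    "company_entry_description": "MEMBERSHIP", "effective_date": "190715",
    "individual_name": "J SMITH",
}
# proper retry: same name, ID and amount, RETRY PYMT description, new effective date
GOOD_RETRY = {**ORIGINAL, "company_entry_description": RETRY_DESCRIPTION, "effective_date": "190722"}
# improper retry: amount split down, description unchanged
BAD_RETRY = {**ORIGINAL, "amount": 2000, "effective_date": "190722"}


if __name__ == "__main__":
    print(check_reinitiation(ORIGINAL, "R01", GOOD_RETRY))
    print(check_reinitiation(ORIGINAL, "R10", BAD_RETRY))
```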
• ACH Rules Reference 2.11.1, 2.11.2
– Review internal procedures to ensure that information relating to NOCs and Corrected NOCs is provided to Originator within two banking days of settlement of the NOC or Corrected NOC
• What method is used to deliver NOC information?
– What process is in place to ensure that changes are made by the Originators?
Notifications of Change
• ACH Rules Reference 2.3.2.5, 2.5.18.6, 2.3.3.3
– What procedures are in place to request a copy of an authorization from an Originator?
– If requested by the RDFI, how do you ensure it is presented within the 10 banking days?
– For CCD, CTX Originators, can you provide the name and contact information within 10 banking days?
Request for Authorization
• Provides a means for the RDFI to obtain a copy of an authorization or Originator contact information for a CCD or CTX entry
• Provides the Receiver “more concrete evidence” for disputing an entry if no authorization can be provided
• Requires the ODFI (upon receipt of RDFI’s written request) to provide the RDFI with either:
– An accurate record of the Receiver’s authorization, or
– The Originator’s contact information
• Originator’s name and phone
• Originator’s name and email address
• ODFI must provide within ten banking days without charge
• Requires the Originator to provide such information to the ODFI upon the ODFI’s request
• Audit ODFI
Proof of Authorization for Non-Consumer Debits
• ACH Rule reference 2.12.6
– Review internal procedures to ensure that, when agreed to by the ODFI, Permissible Return Entries are accepted
– R31 – Permissible Return
• ODFI agrees to accept
– Notify receiving ACH staff
– Process
• Cannot dishonor
Permissible Returns
• Rule reference 2.3.3.2
– Verify Compliance with UCC 4A
• Customer Agreements
– Disclosure to Originators of CCD or CTX Entries
• Commercially Reasonable Security Procedures
• Are you the FI creating ACH files on the behalf of your originators? Do you have reasonable procedures to prevent errors?
UCC4A Compliance for Origination
• Utilize commonly accepted commercial practices among commonly situated Originators that conduct similar types of transactions
– Verify commercially reasonable security measures are taken regarding the delivery of payment data
– Verify the following disclosures have been provided to the Originator
• Security disclosure
• Provisional payment disclosure
• Choice of law disclosure
• RDFI reliance of account number only for posting
What Is Commercially Reasonable?
• ACH Rules Reference 2.2.1
– ODFI has utilized a commercially reasonable method to verify the identity of each Originator or Third-Party Sender that enters into an Origination Agreement with the ODFI
– When an ODFI has a relationship with a Third-Party Sender rather than with an Originator directly, also verify that the Third-Party Sender has utilized a commercially reasonable method to establish the identity of each Originator that enters into an Origination Agreement with the Third-Party Sender
Identity Verification
• ACH Rules Reference 2.8 and 2.9
– Verify that reversing entries and files are done in accordance with the requirements of the rules
Reversing File
• Provides an Originator/ODFI with an additional mechanism to resolve situations in which the use of the reversal process has resulted in an unintended credit to the Receiver
• Establishes the right of an ODFI to dishonor the Return Entry of either debit by using Return Reason Code R62, provided that the associated credit Entry was not also returned by the RDFI
Dishonored/Contested Reversal Issue
• Also establishes the right of an RDFI to contest this type of dishonored Return, using Return Reason Code R77, if either of the following conditions exists:
– the RDFI returned both the Erroneous Entry and the related Reversal; or
– the RDFI is unable to recover the funds from the Receiver
Dishonored/Contested Reversal Issue
• ACH Rules Reference 2.17.2
– Verify the ODFI has reported information on each Originator or TPS if requested by the National Association
– 0.5% Unauthorized Return Rate
– Are you tracking returns?
ODFI Reporting Requirements
• The Return Rate threshold for unauthorized debits is 0.5%
– R05, R07, R10, R29 & R51
• Establishes a preliminary inquiry process to evaluate and research outlier cases in which an Originator’s administrative returns exceed 3% return rate level
– R02, R03, R04
• Establishes a preliminary inquiry process to evaluate and research outlier cases in which an Originator’s overall returns exceed 15% return rate level
– excludes RCK
Unauthorized Return Rate Thresholds
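The three thresholds above can be computed directly from a window of originated debit entries, which is what "Are you tracking returns?" on the previous slide asks for. The Python below is an added example, not a NACHA or PAR/WACHA calculation: it tallies per-Originator rates from constructed sample entries and reports every Originator over a limit. Assumptions: the caller passes one reporting window of debit entries, every rate is returns divided by entries originated in that window, and RCK entries are left out of the overall rate as the slide notes. Originator names and counts are made up.

```python
from collections import defaultdict

# Return Reason Codes grouped as on the slides
UNAUTHORIZED_CODES = {"R05", "R07", "R10", "R29", "R51"}
ADMINISTRATIVE_CODES = {"R02", "R03", "R04"}

# Thresholds from the slides: 0.5% unauthorized, 3% administrative, 15% overall
THRESHOLDS = {"unauthorized": 0.005, "administrative": 0.03, "overall": 0.15}


def make_entries(originator, total, returns, sec_code="PPD"):
    """Construct `total` originated debit entries for one Originator; `returns` maps a
    return code to how many of those entries came back with it. Sample data only."""
    entries = [{"originator": originator, "sec_code": sec_code, "return_code": None}
               for _ in range(total)]
    i = 0
    for code, count in returns.items():
        for _ in range(count):
            entries[i]["return_code"] = code
            i += 1
    return entries


def return_rates(entries):
    """Per-Originator return rates. Assumptions: the caller passes the debit entries of
    one reporting window, and every rate is returns divided by entries originated in
    that window; RCK entries are left out of the overall rate, as the slide notes."""
    tally = defaultdict(lambda: {"entries": 0, "unauth": 0, "admin": 0,
                                 "non_rck": 0, "returned_non_rck": 0})
    for e in entries:
        t = tally[e["originator"]]
        code = e["return_code"]
        t["entries"] += 1
        if code in UNAUTHORIZED_CODES:
            t["unauth"] += 1
        if code in ADMINISTRATIVE_CODES:
            t["admin"] += 1
        if e["sec_code"] != "RCK":
            t["non_rck"] += 1
            if code is not None:
                t["returned_non_rck"] += 1
    return {
        orig: {
            "unauthorized": t["unauth"] / t["entries"],
            "administrative": t["admin"] / t["entries"],
            "overall": t["returned_non_rck"] / t["non_rck"] if t["non_rck"] else 0.0,
        }
        for orig, t in tally.items()
    }


def breaches(entries):
    """{originator: [threshold category, ...]} for every Originator over a limit."""
    report = {}
    for orig, rates in return_rates(entries).items():
        over = [cat for cat, limit in THRESHOLDS.items() if rates[cat] > limit]
        if over:
            report[orig] = over
    return report


# Constructed sample window: one Originator trips each threshold, one RCK Originator
# shows the exclusion, one is clean.
SAMPLE_ENTRIES = (
    make_entries("ACME PAYROLL", 1000, {"R10": 6, "R05": 2})          # 0.8% unauthorized
    + make_entries("GYM CLUB", 200, {"R02": 5, "R03": 2, "R01": 10})  # 3.5% administrative
    + make_entries("TIDY UTILITY", 400, {"R01": 50, "R09": 15})       # 16.25% overall
    + make_entries("CHECK CONV", 50, {"R01": 20}, sec_code="RCK")     # 40% of RCK, excluded
    + make_entries("BOOK SHOP", 300, {"R01": 3})                      # clean
)

if __name__ == "__main__":
    for orig, rates in return_rates(SAMPLE_ENTRIES).items():
        print(orig, {k: f"{v:.2%}" for k, v in rates.items()})
    print("over threshold:", breaches(SAMPLE_ENTRIES))
```

Feed it the entries of whatever window the ODFI's monitoring uses; the thresholds are the slide's, the window is the caller's.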
• ACH Rules Reference 2.17.1
– Verify that the ODFI has
– (1) registered its Direct Access status with the National Association
– (2) obtained the approval of its board of directors, committee of the board of directors, or its designee for each Direct Access Debit Participant
– (3) provided required statistical reporting for each Direct Access Debit Participant
– (4) notified the National Association of any change to the information previously provided with respect to any Direct Access Debit Participant
Direct Access Registration
• ACH Rules Reference 2.17.3
– Verify that the ODFI has
• (1) stated to NACHA that it has no Third-Party Sender relationships
• (2) If it has, then register its Third-Party Senders with NACHA
• (3) Update the registration as necessary
Third-Party Sender Registration
• ACH Rules Reference Article 2.1
– Ensure that Originators & TPS are kept informed of their obligations on a continuing basis
• Document method of notifying Originators of changes to the ACH Rules
• Do you audit your originators?
ODFI Requirements of Originator & Third Party Sender
• Verify that the ODFI has kept Originators and Third Party Senders informed of their responsibilities under these rules. (Article Two, Section 2.1)
• This section also applies to your financial institution for your own origination (e.g., loan payments and external account to account)
– Authorization requirements
– Prenotes
ODFI Requirements of Originators and Third Party Senders
• Explicitly apply certain risk management and Originator transaction monitoring requirements to Third-Party Senders
• Require third-parties to provide proof of completion of a Rules compliance audit to its Participating DFI to fulfill request from NACHA
• Provide a list to the ODFI as stated in agreement
– When a new customer is added
– When requested
Third-Party Sender
• Authorization Requirements
– Originators are Obtaining Proper Authorization for ALL Entries
• Authorizations MUST be in writing, signed by the customer, or similarly authenticated
• 10 day rule for varying amount of debit
• 7 day rule for varying date of debit
• Retain for 2 years after last transaction
• Revocation language
• Copy of authorization to consumer
Originator Obligations
• Prenotifications
– Prenotes are initiated three days prior to settlement date of first live entry
– If returns relating to prenotifications are received, ensure that related entries are not initiated.
– Upon receipt of Notifications of Change, requested changes made prior to the initiation of the next entry
Originator Obligations
• Standard Entry Class Code
• WEB Credit - P2P entry
• Company Name Field
– P2P Service Provider Name
• Company Identification
– P2P Service Provider ID Code
• Company Entry Description
– Identifies as Person to Person (P2P)
• Individual Identification Number
– Sender’s Name
Originator Obligations – WEB Credits
• TEL Obligations
– Verify for TEL entries the Originator is complying with:
• Authorization requirements
• Verification of identity of receiver
• Verification of routing numbers
– Single vs Recurring
• Single: Recording or Notice
• Recurring: Recording AND Notice
Originator Obligations
• WEB Obligations
– Outside originator vs FI doing WEB via internet banking system
– Authentication vs authorization
– Fraud detection
– Routing number validation
– Annual Audit
Originator Obligations
• Compile the information gathered in your audit working papers and funnel into the Audit Report
• You may want to also write up a summary of your findings for presentation to the board of directors
Write-up Audit Report
• You’re ready for your own AUDIT
• You have a good understanding of ACH Compliance
CONCLUSION
For you - compliance should be a snap!!
Top Five ACH Examination Findings
1) Lack of Senior Management & Board Oversight
2) Lack of Adequate MIS and Reporting
3) Lack of Monitoring
4) Inappropriate Approval Process (separation of duties)
5) Inadequate Limits or No Limits
93
Risk Assessment
94
Four Main Steps in the Risk Management Program
• Business Impact Analysis (BIA)
– Identification of potential impact of uncontrolled non-specific events on business functions and processes
• Risk Assessment
– Analysis of threats based upon business impact
– Prioritization of potential disruptions based on severity
95
Four Main Steps - continued
• Risk Management
– Identification, assessment, and reduction of risk to an acceptable level
– Development, implementation, and maintenance of a written, enterprise-wide Risk Management Program
• Risk Monitoring and Testing
– Incorporate the BIA and Risk Assessment findings into the Risk Management Program
– Regular assessment and revision
96
Risk Assessment
Risk Assessment Objectives:
• Determine the inherent risks and risk factors within the bank’s ACH or retail payment activities
• Identify the key control practices to limit those risks
• Evaluate the effectiveness of those controls to mitigate the risks, considering the likelihood and potential impact to its capital and earnings AND its regulatory compliance obligations
97
Risk Management and Mitigation
Common Risk Management Issues:
• Payments risk management not sufficient for scope of activities (informal, decentralized, or missing)
• Anxiety for income combined with passive oversight of third-party sender or originator activity
• Insufficient policies and expertise for the complexity of the payments environment
• Lack of adequate customer due diligence/underwriting for exposure to credit or legal liability losses
• Lack of effective oversight over third party senders
• Limited FI board and senior management involvement
• Insufficient risk monitoring and reporting
• Inadequate NACHA Operating Rules, BSA/AML, or consumer protection training
98
Risk Management and Mitigation
Risk Management Methods:
• Policies, standards, and risk limits
• Underwriting, due diligence, & oversight
• Contracts and agreements
• Transaction limits and controls
• Risk monitoring and reporting
• Audit and Control Testing
99
ACH Risk Management and Mitigation
Lower Risk and Lower Volume
• Track daily, multi-day exposure limits
• Track ACH volume and return trends and compare to capital
• Identify and track customer-specific originations and returns (risk-based and/or volume-based threshold)
• Identify and track highest risk ACH originators
• ACH originator list with SEC code restrictions, limits, ACH line review date, and agreement date
• Track ACH over limits and exceptions
• Track consumer use of internet payment generation
Higher Risk and Higher Volume
• All from lower risk plus:
• ACH originations and returns by debits, credits, SEC type, third-party sender, originator
• Track ACH reserve adequacy
• High-risk ACH originator risk ranking report
• High-risk ACH, tracking returns by SEC types and return code
100
Primary Risk Mitigation Tools – Consider frequency, audience, timeliness
Risk Management and Mitigation
Credit Risk can be mitigated by:
• Thorough credit and financial analysis for originators, 3rd party vendors, & 3rd party senders
• Ensure agreements are maintained & updated
• Ensure policy includes a list of prohibited and high risk originators and SEC codes w/ approval process
• Establish risk-based debit and credit limits w/ exception approval requirements
• Effective customer activity monitoring and reporting
• Establish appropriate pre-funding and reserve requirements
101
Management and Mitigation
Mitigate Compliance and Legal Risk by:
• Implementing comprehensive BSA/AML, KYC, GLBA, and OFAC screening policies and procedures
• Conducting due diligence for unfair and deceptive practices by originators and third party senders (e.g., FTC Telemarketer Rule)
• Conducting adequate monitoring of 3rd parties to ensure effectiveness of due diligence and monitoring processes
• Performing required audits and independent reviews
• Ensuring that all origination agreements and third party contracts contain regulatory and compliance language
• Ensuring proper monitoring and exceptions reporting
• Ensuring that employees have the proper training
102
Risk Management and Mitigation
Mitigate Liquidity Risk by:
• Monitoring volumes and trends
– Identifying peaks in usage
– Tracking volatility in payments activity
– Assessing impact on funding
• Use of prefunding and reserves to limit additional funding requirements
• Using expiration dates for higher limits for increased seasonal or temporary needs
• Identifying deposit concentrations from payment processing activity and assessing related volatility as a source of funds
103
Risk Management and Mitigation
Mitigate Reputational and Strategic Risks by:
• Conducting background checks on originators and third-party senders
• Expanding oversight of high-risk originators
– NACHA Operating Rules
– Due diligence and risk management program
– Consumer complaints and litigation
– Regulatory actions
– Marketing and business practices
104
ACH related MIS should include:
Portfolio-wide
– ACH origination volume compared to capital
– ACH returns
– ACH contract aging
– Customer distribution by risk rating
Customer-specific
– ACH origination volume trends
– ACH return trends
– Unauthorized Return types, volume, $, and % to total transaction volume
– Rules/contract violations
– Times over limit
– Changes in risk rating
– Contract date
Note: If available, profitability analysis may be appropriate
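The following Python script is an added example, not part of the presentation, that turns the monitoring items from the "Lower Risk / Higher Risk" slide and the MIS list above into a concrete report: daily totals checked against each Originator's exposure limit, and returns broken down by SEC code and return reason code with unauthorized, administrative and overall return percentages compared against policy thresholds. The entries, returns, limits and threshold values are constructed sample data; the return reason codes are Nacha codes, and the grouping into "unauthorized" and "administrative" is the one the return-rate MIS commonly uses.

```python
"""Added example: an ACH origination MIS report (volume vs. limits, returns by
SEC code and return reason code, return percentages, over-limit exceptions).
All entries, returns, limits and thresholds are constructed sample data."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

# Nacha return reason codes grouped the way the return-rate MIS reports them.
UNAUTHORIZED_CODES = {"R05", "R07", "R10", "R11", "R29"}
ADMINISTRATIVE_CODES = {"R02", "R03", "R04"}

# Policy thresholds as fractions of entries originated (assumption of the
# example; an FI sets these from its own policy).
THRESHOLDS = {"unauthorized": 0.005, "administrative": 0.03, "overall": 0.15}


@dataclass(frozen=True)
class Entry:
    trace: str        # trace number of the forward entry
    originator: str   # company identification of the Originator
    sec: str          # Standard Entry Class code (PPD, WEB, TEL, CCD, ...)
    debit: bool       # True for a debit entry, False for a credit
    cents: int        # amount in cents (integer arithmetic for money)
    settlement: date


@dataclass(frozen=True)
class Return:
    trace: str        # trace number of the entry being returned
    code: str         # return reason code


# Constructed sample activity for two Originators over two settlement dates.
ENTRIES = [
    Entry("t1", "ACME", "WEB", True, 10_000, date(2019, 7, 22)),
    Entry("t2", "ACME", "WEB", True, 25_000, date(2019, 7, 22)),
    Entry("t3", "ACME", "WEB", True, 6_000, date(2019, 7, 22)),
    Entry("t4", "ACME", "WEB", True, 90_000, date(2019, 7, 23)),
    Entry("t5", "BETA", "PPD", True, 4_000, date(2019, 7, 22)),
    Entry("t6", "BETA", "PPD", True, 4_000, date(2019, 7, 22)),
    Entry("t7", "BETA", "PPD", True, 4_000, date(2019, 7, 22)),
    Entry("t8", "BETA", "PPD", True, 4_000, date(2019, 7, 22)),
    Entry("t9", "BETA", "CCD", False, 500_000, date(2019, 7, 22)),
]
RETURNS = [Return("t3", "R03"), Return("t5", "R10"), Return("t6", "R01")]
# Constructed daily exposure limits in cents per Originator: (debit, credit).
LIMITS = {"ACME": (50_000, 0), "BETA": (100_000, 1_000_000)}


def over_limit(entries, limits):
    """Daily totals per Originator and entry type that exceed the agreed limit."""
    totals = defaultdict(int)
    for e in entries:
        totals[(e.originator, e.settlement, e.debit)] += e.cents
    exceptions = []
    for (orig, day, debit), total in sorted(totals.items()):
        limit = limits[orig][0 if debit else 1]
        if total > limit:
            exceptions.append((orig, day, "debit" if debit else "credit", total, limit))
    return exceptions


def return_rates(entries, returns):
    """Per-Originator return MIS: counts, dollars and rates, broken down by SEC
    code and return reason code."""
    by_trace = {e.trace: e for e in entries}
    report = {}
    for e in entries:
        r = report.setdefault(e.originator, {
            "entries": 0, "cents": 0, "returned": 0, "returned_cents": 0,
            "unauthorized": 0, "administrative": 0,
            "by_sec": defaultdict(int), "by_code": defaultdict(int)})
        r["entries"] += 1
        r["cents"] += e.cents
    for ret in returns:
        e = by_trace[ret.trace]          # a return references the original trace
        r = report[e.originator]
        r["returned"] += 1
        r["returned_cents"] += e.cents
        r["by_sec"][e.sec] += 1
        r["by_code"][ret.code] += 1
        if ret.code in UNAUTHORIZED_CODES:
            r["unauthorized"] += 1
        elif ret.code in ADMINISTRATIVE_CODES:
            r["administrative"] += 1
    for r in report.values():
        n = r["entries"]
        r["rates"] = {k: r[k] / n for k in ("unauthorized", "administrative")}
        r["rates"]["overall"] = r["returned"] / n
        r["by_sec"], r["by_code"] = dict(r["by_sec"]), dict(r["by_code"])
    return report


def breaches(report, thresholds=THRESHOLDS):
    """Originators whose return rates exceed policy, for the exception report."""
    return [(orig, kind, r["rates"][kind])
            for orig, r in sorted(report.items())
            for kind, limit in thresholds.items()
            if r["rates"][kind] > limit]


if __name__ == "__main__":
    for x in over_limit(ENTRIES, LIMITS):
        print("OVER LIMIT", x)
    for b in breaches(return_rates(ENTRIES, RETURNS)):
        print("RETURN RATE", b)
```

On the sample data the script flags ACME's 07-23 debit total against its limit, ACME's administrative and overall return rates, and BETA's unauthorized and overall return rates; in practice the entry and return feeds would come from the ACH processing system rather than inline lists.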
105
106
Mitigate Operational Risks from Systems/Technology by:
• Establishing comprehensive vendor management program
• Establishing and monitoring effective service levels
• Ensuring daily monitoring and reporting of any issues
• Ensuring that employees have the proper training and expertise
• Ensuring appropriate access controls, authentication, separation of duties, and independent control reviews
• Ensuring consistent internal controls and processing procedures across multiple technology applications and platforms
• Ensuring adequate contingency plans and testing
• Performing adequate audits with NACHA Operating Rules as starting point
Risk Management and Mitigation
107
Mitigate Operational Risk from Fraud by:
• Ensuring proper due diligence including background checks
• Using fraud detection software to filter suspicious activity
• Verification/validation of transmission
• Anomalous transaction detection
• Strict adherence to credit and other related policies
• Ensuring that credit originators require pre-funding or more in-depth financial analysis and underwriting
• Ensuring appropriate limits are in place
• Establishing adequate reserves for debit originators
• Complying with NACHA and Operator rules/regulations
• Requiring and enforcing updated agreements for all originators and third-party senders
• Monitoring activity and exceptions reports on a daily basis
Risk Management and Mitigation
NACHA Rule
Key Component of Rule Amendment
Effective June 18, 2010, the Rule requires all participating DFIs to conduct a risk assessment of their ACH activities, and to implement risk management programs based on the results of such assessments, in accordance with the requirements of their regulator(s)
108
Risk Assessment Rule
1) Assessing the nature of risk associated with ACH activity;
2) Performing appropriate know-your-customer due diligence;
3) Establishing controls for Originators, third parties, and direct access to ACH Operator relationships; and
4) Having adequate management, information and reporting systems to monitor and mitigate risk
109
How Often?
• Have there been any changes in technology?
– Software, processors, new services
• Have there been changes in the number or types of originators?
• Have customer complaints increased?
• Have there been any changes in returns or charge-offs?
• Has there been a change in personnel?
110
FFIEC
• Made up of (each may issue their own bulletins as well):
– Federal Reserve
– FDIC
– OCC
– NCUA
– CFPB
– State Regulators
• Issues guidance on key issues
– Authentication in an Internet Banking Environment (and recently a supplement to that Guidance)
– Risk Management of Remote Deposit Capture
• Issues and updates Handbooks on key topics such as:
– IT (including ACH, check, RDC)
– BSA (AML)
– Business Continuity
111
Risk Management Overview - FFIEC
Financial institutions can mitigate many of the risks associated with electronic payments origination & processing:
• Based on a comprehensive risk assessment of the financial institution’s electronic payments environment
• Board and management oversight that establishes appropriate risk tolerances, effective reporting, employee training, and prudent vendor management practices
• Leverage existing risk management processes
– Involve risk management, compliance, and audit resources in the electronic payments risk management effort
– Incorporate all payment products and services into a broader Payment Risk Management Program
112
Staff
• Is the FI’s board knowledgeable and capable of understanding the risks?
• Determine if the quality and levels of staffing are adequate
– Reports showing staffing levels, turnover, trends
– Level of skill
– Staffing levels for peak periods
– Adequacy and quality of staff resources
• AAP
113
Staff (cont.)
• Is there adequate capacity for current and planned transaction volumes?
• Automated vs. manual processes
• Quality of controls
– Separation of duties
– Dual control
114
Policies
Policies should include:
Goals and objectives of the program
Approved products and services
Prohibited Originators or Merchants
Third Party Senders
Exposure limits and Originator review
Contracts & Agreements
OFAC, PATRIOT Act, BSA/AML
115
Policies (cont.)
UCC4A provisions
Third Party Service Providers
Direct Access to the ACH Operator
File Delivery
Data Breach
ACH and Payment Product Audits
116
Review Originator Agreements
• Do the agreements adequately set forth the responsibilities of all parties?
• Do the agreements meet the requirements of the NACHA Operating Rules?
• Do the agreements mention funding arrangements, SEC codes allowed, Regulation CC, and UCC 4A?
117
Third-Party Senders
• Non Contractual Relationship with Originators
• Need a specific contract to address risks
– Contract should include:
ODFI approval of all originators
Exposure limits per originator
An exposure limit for the TPS
Method to identify each originator
• Third party sender audit required
118
Before Originating Same Day ACH: Some Risk Considerations
• Develop an overall strategy for offering Same Day ACH
– Should Same Day be offered to all or select Originators?
• Not all customers may be suitable for same-day origination
• Not all FI products may be suitable for same-day origination
– Determine how to identify those Originators or transaction types permitted to use Same Day ACH
– Consider customer’s profile (i.e., business model) when offering Same Day ACH
• Current credit limits and risk rating
• Prefunding and exposure
• Authentication methods
• Review files or have processes in place to determine compliance with Same Day eligibility rules
– Ensure proper use of Effective Entry Date
– Other indicators (Descriptive Date, Company Discretionary Data)
– Transactions appropriate to the phase (Phase 1, Credits only)
119
Vendor Management
• Assess management’s ability to manage outsourced relationships with technology service providers
– Encrypt transactions while en route between service provider and institution
– Contract provisions
• Personnel, equipment
– Contingency planning
• Measurements specify what constitutes inadequate performance
– Appropriate sanctions
• Reduction in fees etc.
120
Third-Party Service Provider Risks
• Is the vendor/service provider a strategic fit for your organization?
• Is the third-party financially stable?
• Does the system allow for scalability?
• Will you have online access to real-time reports?
• Can velocity limit parameters be established?
• Does the application provide process & system monitoring capabilities?
121
Information Security
• FIs should implement the appropriate physical and logical security controls
• Look at service providers and external networks
• Consider controls on:
– Origination, approval, transmission and storage of ACH and other payment products’ information
– Corporate Account Takeover
122
FFIEC Guidance: Internet Banking
• Risk Assessment – High Risk Transactions
• Customer Authentication for High‐Risk Transactions
• Layered Security Programs
Layered security is characterized by the use of different controls at different points in a transaction process so that a weakness in one control is generally compensated for by the strength of a different control.
• Customer Awareness and Education
123
Mobile Financial Services (MFS)
Management should identify the risks associated with the types of MFS being offered as part of the institution’s strategic plan.
Operational Risk – identify risks in how the device communicates with the POS or other terminals:
– SMS Technology
– Mobile-enabled website
– Mobile Applications
– Mobile Payments
Compliance Risk
Reputation Risk
124
Board of Directors and Cyber Security
Questions your Board of Directors should have answers to:
What is Management’s familiarity with cyber security and account takeover?
Has Management identified where and how there is risk of an attack?
Can your Management team articulate your institution’s account takeover risk and explain your procedures to mitigate, identify and respond to attacks?
125
Board of Directors
Questions your Board of Directors should have answers to:
Has Management assigned clear roles and responsibilities within this plan?
What are the communication plans in the event of an attack on your financial institution or business client?
Does Management have a handle on the cyber security of your third-party service providers?
126
Board of Directors
Board of Director Responsibilities:
Set or approve your financial institution’s risk tolerance and ensure Management targets your cyber security preparedness to align with that stated risk tolerance
Review, approve, and support your financial institution’s procedures to address risk management and control weaknesses
127
ODFI
• Exposure limits (both originator and TPS)
– Based on the originator’s credit rating
– Relative to all services (i.e., cross-channel)
– Written agreements with originators addressing exposure
– Consumer Internet Banking limits
– An increase in unauthorized returns triggers re-evaluation
128
ODFI Reports
• Automated for returns (60-75 days)
– Unauthorized
– Invalid
– NSF and other
• Entries in excess of the exposure limit and approval
• Audits from Originators
129
Credit Risk
• ODFI Exposure (Credit Entries)
– Period of time between the initiation of the ACH credit file until the company funds the account
– Amount of risk based on total amount of the file
• Up to 2 days
• ODFI Exposure (Debit Entries)
– Date funds available to Originator until debits can no longer be returned by RDFIs
• Up to 60 days from settlement for unauthorized
• Can be 2 banking days for NSF/uncollected funds
– Amount of risk based on amount of individual or multiple returned ACH debits
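As an added illustration of the two exposure windows just described (not part of the original presentation), the following Python computes one Originator's open ODFI exposure on a given date: the credit files released but not yet funded by the company, plus the settled debits that RDFIs can still return. The files, entries, dates and the exposure limit are constructed sample data. Two assumptions of the example: CCD/CTX debits are treated as returnable only inside the 2-banking-day window, and bank holidays are ignored when counting banking days.

```python
"""Added example: open ODFI credit-risk exposure for one Originator (unfunded
credit files plus settled debits still inside a return window). All files,
entries, dates and the limit are constructed sample data."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

CONSUMER_SEC = {"PPD", "WEB", "TEL"}   # consumer debits: 60-day unauthorized window
UNAUTHORIZED_WINDOW_DAYS = 60           # calendar days from settlement
NSF_WINDOW_BANKING_DAYS = 2             # NSF/uncollected-funds return window
# Assumptions of the example: corporate (CCD/CTX) debits are returnable only
# inside the 2-banking-day window, and bank holidays are ignored.


@dataclass(frozen=True)
class CreditFile:
    originator: str
    cents: int              # total amount of the credit file, in cents
    initiated: date         # date the ODFI released the file to the Operator
    funded: Optional[date]  # date the company funded the account; None if not yet


@dataclass(frozen=True)
class DebitEntry:
    originator: str
    sec: str
    cents: int
    settlement: date


def add_banking_days(d, n):
    """Advance d by n banking days, skipping Saturday and Sunday."""
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:
            n -= 1
    return d


def credit_exposure(files, originator, as_of):
    """Credit files released on or before as_of that the company has not funded:
    the ODFI has paid out the entries but has not yet been paid."""
    return sum(f.cents for f in files
               if f.originator == originator and f.initiated <= as_of
               and (f.funded is None or f.funded > as_of))


def debit_exposure(entries, originator, as_of):
    """Settled debits still inside a return window on as_of. 'returnable' is the
    worst case (any window open); 'within_2_banking_days' is the subset where an
    NSF/uncollected-funds return is still possible."""
    returnable = nsf = 0
    for e in entries:
        if e.originator != originator or e.settlement > as_of:
            continue
        nsf_open = as_of <= add_banking_days(e.settlement, NSF_WINDOW_BANKING_DAYS)
        unauth_open = (e.sec in CONSUMER_SEC and
                       as_of <= e.settlement + timedelta(days=UNAUTHORIZED_WINDOW_DAYS))
        if nsf_open:
            nsf += e.cents
        if nsf_open or unauth_open:
            returnable += e.cents
    return {"returnable": returnable, "within_2_banking_days": nsf}


def exposure_report(files, entries, originator, as_of, limit):
    """Total open exposure compared against the Originator's exposure limit."""
    credit = credit_exposure(files, originator, as_of)
    debit = debit_exposure(entries, originator, as_of)
    total = credit + debit["returnable"]
    return {"credit": credit, "debit": debit, "total": total,
            "limit": limit, "over_limit": total > limit}


# Constructed sample data: position as of Wednesday 2019-07-24.
AS_OF = date(2019, 7, 24)
CREDIT_FILES = [
    CreditFile("ACME", 1_000_000, date(2019, 7, 23), None),             # not yet funded
    CreditFile("ACME", 500_000, date(2019, 7, 22), date(2019, 7, 23)),  # funded
    CreditFile("ACME", 200_000, date(2019, 7, 25), None),               # not yet released
]
DEBITS = [
    DebitEntry("ACME", "PPD", 20_000, date(2019, 6, 3)),    # 60-day window still open
    DebitEntry("ACME", "PPD", 30_000, date(2019, 5, 1)),    # 60-day window closed
    DebitEntry("ACME", "WEB", 15_000, date(2019, 7, 23)),   # both windows open
    DebitEntry("ACME", "CCD", 400_000, date(2019, 7, 19)),  # 2 banking days passed
    DebitEntry("ACME", "CCD", 250_000, date(2019, 7, 22)),  # 2nd banking day is as_of
]
LIMIT = 1_200_000  # constructed exposure limit in cents

if __name__ == "__main__":
    print(exposure_report(CREDIT_FILES, DEBITS, "ACME", AS_OF, LIMIT))
```

The worst-case figure is what the exposure limit should be compared against, since an unauthorized return on a consumer debit can arrive long after the NSF window has closed; the 2-banking-day subset is useful for the daily funding view.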
130
ACH Funding
• Adequacy of funding before releasing the file to the Operator
• Prefunding
– Timing
– Blocks or separate account
131
RDFI
• Assess RDFI’s overdraft policies
– Customers/members
• Funds Availability
• RDFI has established procedures to handle consumer notifications of unauthorized entries or revocation of authorization
• Stop Payments
• Freeze accounts for blocked parties (OFAC)
132
ACH Accounting
• Balancing procedures
– General ledger
– ACH activity with pending file totals
– Separate accounts for returns, unposted
• Verifies the source of the files originated
• Separation of duties
• Customer profile change request
133
Business Continuity
• Ensure you have developed a plan to continue operations in case of an emergency
• Consider all risks
• Risk rate what is critical to operations
• TEST, TEST, TEST
• Look at third party vendors’ plans
134
Observations and the Future
• Risk assessments not well integrated into enterprise risk assessment and management
• NACHA Operating Rules allow audits/assessments by non-independent parties
• Risk assessments performed by staff with incomplete understanding of industry/product risks
• “Generous” ratings for inherent risk and internal controls
• Smaller firms challenged to provide separation of duties
• Industry/products and risks continue to evolve rapidly
135
136
Conclusion
• As electronic payments volume, new products, and entry points continue to increase, financial institutions must have effective and comprehensive policies, procedures, and processes to identify, measure, and limit the risk to the bank and its customers.
• Financial institutions that process payments for third parties including payment processors and high risk merchants must implement enhanced risk management practices to protect against increased credit, compliance/legal, reputational, strategic, and operational risks.
Going Forward…
• Be aware of the Supplement to the Guidance on Authentication in an Internet Banking Environment and how it continues to evolve
• Watch for updates to the IT handbook
• Be sure your institution has done Risk Assessments for ACH and RDC
• Use the material presented today to ensure you’ve covered all the appropriate topics in your Assessments
137
Risk Assessment
• Examples of recent risk-management requirements and guidance by regulators include:
– OCC Bulletin 2006-39, Automated Clearing House Activities, September 1, 2006 (http://www.occ.treas.gov/ftp/bulletin/2006-29.pdf)
– FFIEC’s BSA/AML Examination Manual, 2007 edition (http://www.ffiec.gov/bsa_aml_infobase/documents/BSA_AML_Man_2007.pdf), pages 199 through 205
– OCC Bulletin 2008-12, Payment Processors, April 24, 2008 (http://www.occ.treas.gov/ftp/bulletin/2008-12.html)
– FDIC Financial Institution Letter 127-2008, Payment Processor Relationships, November 7, 2008 (http://www.fdic/gov/news/news/financial/2008/fil08127.html)
– FFIEC Guidance on Risk Management of Remote Deposit Capture, January 14, 2009 (http://www.ffiec.gov/pdf/pr011409_rde_guidance.pdf)
138
QUESTIONS
139
Resources
• WACHA- The Premier Payments Resource
• PAR- Payment Advisory Resource
HELP DESK
– Phone: 262-345-1245
– Toll Free: 800-453-1843
– Fax: 262-345-1246
140