andy barlow, aap, ncp executive vice president … barlow, aap, ncp executive vice president wacha....

Jen Wasmund, AAP, CTP, NCPVice President of Education & ComplianceUMACHA

Andy Barlow, AAP, NCPExecutive Vice PresidentWACHA

Disclaimer Regional Payments Associations, through their Direct Membership in

NACHA, are specially recognized and licensed providers of ACH education, publications and support. Regional Payments Associations are directly engaged in the NACHA rulemaking process and Accredited ACH Professional (AAP) program.

NACHA owns the copyright for the NACHA Operating Rules & Guidelines. The Accredited ACH Professional (AAP) is a service mark of NACHA.

This presentation and applicable materials are intended for general education purposes and nothing in this presentation should be considered to be legal, accounting or tax advice.

You should contact your own attorney, accountant or tax professional with any specific questions you might have related to this presentation that are of a legal, accounting or tax nature.

2

Agenda ACH Risk Management in General

What do we have to do? How do we get there?

Real-life scenarios Wrap-up Questions

3

General Overview

4

What Do We Have to Do? Determine your organization’s risk tolerance and appetite

5

Objectives

Business Strategy

Risk Parameters

• Board of Directors• Management

• Board of Directors• Results reported by

Management• Board of Directors• Management

• Develop effective internal controls

• Periodic reporting

How Do We Get There? Know what your organization’s pain points are

Financial loss or fines Exam exceptions Reputation damage

How likely is it you will incur this damage and how bad could it be? Evaluate the risk vs. reward payoff Build an ongoing management program to close gaps where the risk is too great for your FI’s

appetite

6

How Do We Get There? ACH Policy

Approved by the Board of Directors Framework of overall program

Procedures Daily operational guides Ensures employees are consistently operating within risk tolerances

Reporting Results requested by Board of Directors Anomalies, exceptions Any losses

7

Where does your organization fall?R

EWA

RD

RISK

8

How Each Organization Creates a Different Approach

9

10

Same Day ACH

I want it now!

Risk Assessments

Dirty Deeds

Exposure Limits

Know When to

Hold ThemThird-Party

Senders

Should they stay or

should they go?

Educating Originators

We Don’t Need No

Education?!

Real-Life Scenarios

Same Day ACH—I want it now! To offer Same Day ACH or not…that is the question What are you going to consider?

11

Same Day ACH: Risks and Controls

Credit risk Unbalanced files

Operational risk Effective Entry Date Faster or new processing windows

Strategic risk Reputational risk

Manual review Case-by-case, limited use Software or system controls Timing of release to ACH Operator

12

Risk Assessments—Dirty Deeds… The Rules are not prescriptive Without feedback from your primary regulator, what’s good enough for you and your financial

institution? How does the ACH Risk Assessment interact with other payments systems or products?

13

Risk Assessments: Risks and Controls Compliance/Legal risk

Failure to stay current with regulatory changes

Operational risk No review of processes to ensure accuracy Verifying staff are aware of current

procedures

Complete the risk assessment Ensure other audits and compliance

obligations are also met Proper tracking of feedback from regulatory

exams

14

Exposure Limits—know when to hold them.

How do you approach setting exposure limits? Who, what, where, when and how?

15

Exposure Limits: Risks and Controls Credit risk

Too high Insufficient due diligence Not reviewed frequently enough to detect

change in condition Fraud risk

More risk of Corporate Account Takeover? Operational risk

Entered accurately for monitoring

Appropriate policies ACH and/or credit

Procedures Schedules and consistent

documentation

16

Third-Party Senders—should they stay or should they go?

All or nothing? What about if you find out an existing Originator is also acting as a

Third-Party Sender? What else do I have to do under the Rules for Third-Party Sender

Registration next year?

17

Third-Party Senders: Risks and Controls

Compliance/Legal risk Know Your Customer’s Customers (KYCC)

Credit risk Reputational risk Strategic risk

Onboarding and due diligence procedures Credit review and Standard Entry Class

(SEC) code usage Strong agreements Debits vs. credits

18

Educating Originators—We don’t need no education?!

What is sufficient? How much information do you need to share with your Originators to keep them in compliance

with the Rules?

19

Educating Originators: Risks and Controls

Compliance/Legal risk Non-compliance with Rules or regulations

Fraud risk Operational risk

Standard training at onboarding Plan for ongoing training Monitoring for exceptions or those in need

of extra help

20

21

Where does your organization fall?R

EWA

RD

RISK

22

Thank you!

23

Resources

PAR/WACHA- The Premier Payments Resource HELP DESK

Phone: 262-345-1245 Toll Free: 800-453-1843 Fax: 262-345-1246 info@wacha.org