Jen Wasmund, AAP, CTP, NCP
Vice President of Education & Compliance
UMACHA

Andy Barlow, AAP, NCP
Executive Vice President
WACHA
Disclaimer
Regional Payments Associations, through their Direct Membership in NACHA, are specially recognized and licensed providers of ACH education, publications and support. Regional Payments Associations are directly engaged in the NACHA rulemaking process and Accredited ACH Professional (AAP) program.
NACHA owns the copyright for the NACHA Operating Rules & Guidelines. The Accredited ACH Professional (AAP) is a service mark of NACHA.
This presentation and applicable materials are intended for general education purposes and nothing in this presentation should be considered to be legal, accounting or tax advice.
You should contact your own attorney, accountant or tax professional with any specific questions you might have related to this presentation that are of a legal, accounting or tax nature.
Agenda
• ACH Risk Management in General
• What do we have to do?
• How do we get there?
• Real-life scenarios
• Wrap-up
• Questions
General Overview
What Do We Have to Do?
Determine your organization’s risk tolerance and appetite
Objectives
Business Strategy
Risk Parameters
• Board of Directors
• Management
• Board of Directors
• Results reported by Management
• Board of Directors
• Management
• Develop effective internal controls
• Periodic reporting
How Do We Get There?
• Know what your organization’s pain points are
  • Financial loss or fines
  • Exam exceptions
  • Reputation damage
• How likely is it you will incur this damage and how bad could it be?
• Evaluate the risk vs. reward payoff
• Build an ongoing management program to close gaps where the risk is too great for your FI’s appetite
How Do We Get There?
• ACH Policy
  • Approved by the Board of Directors
  • Framework of overall program
• Procedures
  • Daily operational guides
  • Ensures employees are consistently operating within risk tolerances
• Reporting
  • Results requested by Board of Directors
  • Anomalies, exceptions
  • Any losses
Where does your organization fall?
REWARD
RISK
How Each Organization Creates a Different Approach
Real-Life Scenarios
• Same Day ACH: I want it now!
• Risk Assessments: Dirty Deeds
• Exposure Limits: Know When to Hold Them
• Third-Party Senders: Should they stay or should they go?
• Educating Originators: We Don’t Need No Education?!
Same Day ACH—I want it now!
• To offer Same Day ACH or not…that is the question
• What are you going to consider?
Same Day ACH: Risks and Controls
Risks
• Credit risk
  • Unbalanced files
• Operational risk
  • Effective Entry Date
  • Faster or new processing windows
• Strategic risk
• Reputational risk
Controls
• Manual review
• Case-by-case, limited use
• Software or system controls
• Timing of release to ACH Operator
Risk Assessments—Dirty Deeds…
• The Rules are not prescriptive
• Without feedback from your primary regulator, what’s good enough for you and your financial institution?
• How does the ACH Risk Assessment interact with other payments systems or products?
Risk Assessments: Risks and Controls
Risks
• Compliance/Legal risk
  • Failure to stay current with regulatory changes
• Operational risk
  • No review of processes to ensure accuracy
  • Verifying staff are aware of current procedures
Controls
• Complete the risk assessment
• Ensure other audits and compliance obligations are also met
• Proper tracking of feedback from regulatory exams
Exposure Limits—know when to hold them.
• How do you approach setting exposure limits?
• Who, what, where, when and how?
Exposure Limits: Risks and Controls
Risks
• Credit risk
  • Too high
  • Insufficient due diligence
  • Not reviewed frequently enough to detect change in condition
• Fraud risk
  • More risk of Corporate Account Takeover?
• Operational risk
  • Entered accurately for monitoring
Controls
• Appropriate policies
• ACH and/or credit
• Procedures
• Schedules and consistent documentation
Third-Party Senders—should they stay or should they go?
• All or nothing?
• What about if you find out an existing Originator is also acting as a Third-Party Sender?
• What else do I have to do under the Rules for Third-Party Sender Registration next year?
Third-Party Senders: Risks and Controls
Risks
• Compliance/Legal risk
  • Know Your Customer’s Customers (KYCC)
• Credit risk
• Reputational risk
• Strategic risk
Controls
• Onboarding and due diligence procedures
• Credit review and Standard Entry Class (SEC) code usage
• Strong agreements
• Debits vs. credits
Educating Originators—We don’t need no education?!
• What is sufficient?
• How much information do you need to share with your Originators to keep them in compliance with the Rules?
Educating Originators: Risks and Controls
Risks
• Compliance/Legal risk
  • Non-compliance with Rules or regulations
• Fraud risk
• Operational risk
Controls
• Standard training at onboarding
• Plan for ongoing training
• Monitoring for exceptions or those in need of extra help
Where does your organization fall?
REWARD
RISK
Thank you!
Resources
PAR/WACHA - The Premier Payments Resource
HELP DESK
Phone: 262-345-1245
Toll Free: 800-453-1843
Fax: 262-345-1246
[email protected]