Currently the ACH Rules have limited requirements for ODFIs related to risk management practices. These Rules require ODFIs to establish, review, and monitor exposure limits for their Originators' ACH activity. On May 1, 2009, NACHA’s Voting Membership approved a Risk Management and Assessment Rule which becomes effective on June 18, 2010. This change will explicitly require, within the Rules, that all Participating Depository Financial Institutions (DFIs) implement additional risk management practices within the ACH Network.
The Risk Management and Assessment Rule is a component of NACHA’s Risk Management Strategy, the goal of which is to ensure high-quality ACH transactions and reduce risk for financial institutions, businesses and consumers. The strategy addresses risk throughout the life-cycle of ACH payments, covering:
This Rule addresses network entry requirements and ongoing requirements with respect to risk management and mitigation. It aligns the ACH Rules with risk-management requirements and guidance which has been issued by various regulators within the last three years. Examples include:
- OCC Bulletin 2006-39, Automated Clearing House Activities, September 1, 2006 (Click here)
-
FFIEC's BSA/AML Examination Manual, 2010 edition (
Click here)
-
-
FDIC Financial Institution Letter 127-2008, Payment Processor Relationships, November 7, 2008 (
Click here)
-
FFIEC Guidance on Risk Management of Remote Deposit Capture, January 14, 2009 (
Click here)
These regulators stress the importance of:
-
Assessing the nature of risks associated with ACH activity;
-
Performing appropriate know-your-customer due diligence;
-
Establishing controls for Originators, third-parties, and direct-access to ACH Operator relationships; and
-
Adequate management, information and reporting systems to monitor and mitigate risk.
The Rule will provide that ODFIs have the right to:
-
Terminate or suspend an Originator, or any Originator of a Third-Party Sender, for breach of the Rules; and
-
Audit an Originator’s, or Third-Party Sender’s and its Originators’, compliance with the agreement and the Rules.
The ODFI will be required to identify any restrictions on ACH origination activity and these should be clearly stated in agreements with Originators and/or Third-Party Senders. These new requirements will be appliced on a "going-forward" basis to agreements entered into or renewd on or after June 18, 2010. Many ODFI agreements require that the Originators and Third-Party Senders be bound by the ACH Rules. Therefore, the Rules applying to termination and audit provisions will become new Originator and Third-Party Sender obligations.
The Rule will also require ODFIs to perform more comprehensive risk management in addition to the current rules on exposure limits. Specifically, an ODFI would be required to perform sufficient due diligence to determine that an Originator or Third-Party Sender is able to perform its duties under the ACH Rules; assess the nature of the Originator's or Third-Party Sender's ACH activity and the risks it presents; and establish procedures to (1) monitor the Originator’s or Third-Party Sender’s origination and return activity, relative to its exposure limit, across multiple settlement dates; (2) enforce the exposure limit; and (3) enforce restrictions on the types of ACH transactions that may be originated.
These requirements reflect ACH industry best practices to ensure that all ODFIs perform appropriate know-your-customer due diligence and establish appropriate procedures, systems and controls to manage the risks of Originators’ or Third-Party Senders’ ACH activities.
Learn more at one of EastPay's upcoming "Breaking News" workshops! Click here for more information and to register.
For information on EastPay's Risk Management Services, including ACH Compliance Audits, Remote Deposit Capture Risk Review; ACH Risk Assessments, and Service Agreement Review, contact Pam Rodriguez, AAP, CIA, CISA, EastPay's Senior Vice President of Risk Management and Education, at 1-8000-681-4224 x305.