Pub. 4 2023 Issue 5

2022’S TOP THIRD‑PARTY SENDER AUDIT FINDINGS

BY MATTHEW WADE, AAP, APRP, CPA, EPCOR

Per the ACH Rules, just like participating financial institutions, Third-Party Senders (TPS) are required to conduct an annual ACH Compliance Audit. The EPCOR Audit team performs TPS audits each year, which often result in repeated findings and recommendations from one audit to the next. In this article, we will look at the audit issues we most often encountered throughout 2022 and the corresponding recommendations to assist TPSs in developing a strong ACH risk management program and promote ongoing ACH Rule compliance.

#1: Failure To Perform an ACH Audit

Easily, our number one audit finding is the failure of the TPS to perform an ACH Compliance Audit each of the past six years. As already stated, the ACH Rules require a TPS to have an ACH Compliance Audit conducted annually, and per Subsection 1.2.2.2, Proof of Completion of Audit, a TPS must retain proof of its annual audit for six years from completion of the audit. If the TPS was being audited for the first time in 2022 or had only begun its audit regimen a few years prior to 2022, the TPS was not able to exhibit proof of completion of prior audits for each of the past six years. EPCOR TPS audit reports for these TPSs gently remind the TPS to have the audit performed every year and to retain such documentation in accordance with Subsection 1.2.2.2.

#2 Failure To Conduct an ACH Risk Assessment

The second most frequent audit finding/recommendation was the failure of the TPS to conduct an ACH risk assessment. Even before Nacha added TPSs to the risk assessment requirement in Subsection 1.2.4, Risk Assessments, EPCOR auditors have advised TPSs to perform an ACH risk assessment as part of creating an overall ACH risk management program for their organization. With the formal amendment to the ACH Rules found in Supplement #3-2021, Nacha placed the explicit requirement for TPSs to conduct an ACH risk assessment and added the effective date of Sept. 30, 2022. During 2022, EPCOR noted that the majority of TPSs had not established an ACH risk assessment. The primary reason for this omission was a lack of awareness of the requirement (ODFIs, you should be educating your TPS clients). However, a failure to understand the purpose of the risk assessment and/or its role in the overall ACH risk management program for the organization was also noted.

#3 Failure To Establish an ACH Risk Management Program

Another frequent audit finding was the failure of the TPS to establish an ACH risk management program. This requirement also comes from Subsection 1.2.4 and goes hand-in-hand with the first two audit findings already discussed. Generally, an ACH risk management program is defined as a set of policies, procedures, limits, assessments, reviews (audits) and reporting protocols that govern the overall ACH activities of the TPS. While TPSs have a large degree of flexibility in the composition of their ACH risk management program, the general objectives of the program should include:

• Assessing the risks of the activity (risk assessment);
• Creating comprehensive know-your-customer (KYC) and onboarding due diligence (policies/procedures);
• Establishing controls over Originator and Nested TPS activity (limits);
• Setting up monitoring and reporting systems (reporting); and
• Providing for periodic audits.

Specifically, Subsection 2.2.3, ODFI Risk Management (which also applies to TPSs), requires the TPS to perform due diligence on each Originator (and Nested TPS) to assess the nature of the Originator or Nested TPS’s ACH activity, implement and enforce exposure limits for each Originator or Nested TPS, and monitor ACH Return activity. All these duties are to allow the TPS to determine that the Originator or Nested TPS has the capacity to perform its ACH Rules obligations.

#4 Failure To Maintain Proper Agreements

A fourth audit finding that is frequently noted is noncompliance with Subsection 2.2.2.2, ODFI Must Enter Origination Agreement with TPS of the ACH Rules. Specifically, it is 2.2.2.2(h) and (i) that are of paramount importance to the TPS. Letters (h) and (i) of Subsection 2.2.2.2 require the TPS to enter into ACH Origination Agreements with each Originator, or Nested TPS, respectively.

While audits almost always determine that TPSs have contractual agreements with the client Originators and/or Nested TPSs, what is often discovered is that the agreements fail to include the specific minimum ACH provisions found in Subsection 2.2.2.1(a-f) of the ACH Rules. Nacha provides some leniency on this Rule in that old agreements without the required minimum provisions are permitted to be carried forward. However, as agreements are revised or repapered, the TPS should ensure the agreement provisions detailed in Subsection 2.2.2.1 are properly included. Such flexibility

20 In Touch
