Pub. 2 2023 Issue 5

While TPSs have a large degree of flexibility in the composition of their ACH risk management program, the general objectives of the program should include:

1. Assessing the risks of the activity (risk assessment);
2. Creating comprehensive know-your-customer (KYC) and onboarding due diligence (policies/procedures);
3. Establishing controls over Originator and Nested TPS activity (limits);
4. Setting up monitoring and reporting systems (reporting); and
5. Providing for periodic audits.

Specifically, Subsection 2.2.3, ODFI Risk Management (which also applies to TPSs), requires the TPS to perform due diligence on each Originator (and Nested TPS) to assess the nature of the Originator or Nested TPS’s ACH activity, implement and enforce exposure limits for each Originator or Nested TPS, and monitor ACH Return activity. All these duties are to allow the TPS to determine that the Originator or Nested TPS has the capacity to perform its ACH Rules obligations.

#4 Failure To Maintain Proper Agreements

A fourth audit finding that is frequently noted is noncompliance with Subsection 2.2.2.2, ODFI Must Enter Origination Agreement with TPS, of the ACH Rules. Specifically, it is 2.2.2.2(h) and (i) that are of paramount importance to the TPS. Letters (h) and (i) of Subsection 2.2.2.2 require the TPS to enter into ACH Origination Agreements with each Originator or Nested TPS, respectively. While audits almost always determine that TPSs have contractual agreements with the client Originators and/or Nested TPSs, what is often discovered is that the agreements fail to include the specific minimum ACH provisions found in Subsection 2.2.2.1(a-f) of the ACH Rules.

Nacha provides some leniency on this Rule in that old agreements without the required minimum provisions are permitted to be carried forward. However, as agreements are revised or repapered, the TPS should ensure the agreement provisions detailed in Subsection 2.2.2.1 are properly included.
Such flexibility aside, it has been EPCOR’s audit recommendation for the TPS to add the required provisions as soon as possible. We often suggest creating an “ACH Addendum” that can be added to the existing agreements without a complete repapering project.

Notable Mention Findings

Other less frequently cited audit findings still worth noting for TPSs include:

• Failure to establish exposure limits;
• Failure to act on Notifications of Change (NOCs);
• Incorrect assignment of Standard Entry Class (SEC) Codes;
• Inadequate authorization language;
• Lack of monitoring of Originator Return Rates; and
• Best practice suggestions for the establishment of a formal ACH Management Policy and the establishment of procedures to acquire authorizations or other ACH-related documents from Originators and/or Nested TPSs.

If you work for an ODFI and are reading this article, I hope this has given you some insight into deficiencies some of your TPSs may have regarding ACH Rules compliance. It is highly recommended that you request confirmation of an annual ACH Compliance Audit from your TPS client and even go further to request the ACH audit report so you can supplement your due diligence process and see what compliance issues your TPS may be experiencing. The information presented may highlight some ACH compliance topics/issues that you aren’t aware your TPS needed to follow.

If you’re a TPS, I hope this article has been thought-provoking and opened your eyes to potential issues and areas to consider making changes to ensure you are compliant with the ACH Rules. Just remember your financial institution is your ally. If you feel like you need additional education or guidance from them, reach out and work together to come up with a solution that works for everyone.

Matthew travels throughout EPCOR’s footprint to conduct consulting, audit and risk assessment engagements related to ACH, Wire Transfer, Third-Party and other payments-related services.
As part of these services, Matthew provides recommendations related to compliance with ACH Rules, payments-related regulations and regulatory guidance. Matthew also provides education and shares best practices with financial institutions and Third-Party Senders to support their efforts towards maintaining compliance, improving operational processes and mitigating risk and fraud. Matthew graduated from the University of Kentucky in 1997 with a B.S. degree in Accounting and Management. Matthew has 23 years of professional experience, including 15 years in the financial services industry with a strong emphasis in audit, ACH and financial analysis.

NEBRASKA INDEPENDENT BANKER
