Www.neach.org © 2013 NEACH. All rights reserved. BCAC –ACH Risk Management Sean Carter, AAP NEACH...

www.neach.org© 2013 NEACH. All rights reserved.

BCAC –ACH Risk Management

Sean Carter, AAP

NEACH & NEACH Payments Group

NEACH, as a Direct Member of NACHA, is a specially recognized and licensed provider of ACH education, publications and support. Regional Payments Associations are directly engaged in the NACHA rulemaking process and the Accredited ACH Professional (AAP) program.

This material is not intended to provide any warranties or legal advice, and is intended for educational purposes only. NACHA owns the copyright for the NACHA Operating Rules & Guidelines. Any unauthorized use or access is expressly prohibited.

2

3www.neach.org © 2013 NEACH. All rights reserved. Proprietary and Confidential. For NEACH use only.

• ACH Overview and Flow• Participant Roles and Responsibilities• Inherent Risks of Processing ACH Transactions• Areas of Risk for RDFIs and mitigation techniques• Areas of Risk for ODFIs and mitigation techniques• Risk Assessments & Audits

Agenda


• Automated Clearing House– “Processing and delivery system that provides for the distribution and settlement of electronic debits

and credits among financial institutions”

• Batch-oriented, store-and-forward processing system• Safe, secure, electronic network for consumer, business, and government

payments• Used by more than 11,000 participating FIs and millions of business and

consumers

What is ACH?


• Unlike other payment systems, the ACH Network supports all of the following:– Credit transactions that “push” value

– Debit transactions that “pull” value

– Ubiquity to receive payments from and make payments to virtually all checking and savings accounts in the U.S.

– Both payments and robust payment information

– Native electronic transactions and check conversion transactions

– Zero-dollar transactions (for interbank messaging)

– Consumer transactions and Business transactions (both B2B and internal transactions)

– Government transactions

– Domestic and international transactions

– Recurring and one-time transactions

Unique ACH Network Attributes


• Over 17.5 billion transactions in 2013– Does not include on-us

• Payments valued at more than $38 trillion dollars in 2013– Up almost 5% over 2012

6

Facts about the ACH Network


– Originating Depository Financial Institutions (ODFIs) and Receiving Depository Financial Institutions (RDFIs) are bound collectively to each other by the Rules, as a multilateral agreement

– The Rules assign ODFIs and RDFIs distinct roles, responsibilities, and liabilities for ACH transactions that they originate and receive that flow via warranties and indemnification to all other DFIs and ACH Operators in the ACH Network

• The NACHA Operating Rules require ODFIs and RDFIs to execute agreements with Originators and third-parties, as applicable, that bind them to the Rules

– Rules require Originators to have a relationship with Receivers (agreement or authorization)

Foundation of the NACHA Operating Rules is Contract Law

For more information attend Recent Developments in Electronic Payments Law on Monday at 11:15

Regulation DDepository Financial Institution Reserve Requirements / Defines

Transaction Account

Regulation CCFunds Availability & Check Collection

Office of Foreign Assets Control (OFAC)

Financial Interdiction

Federal Reserve Operating Circular 4ACH Participation of Federal Reserve Banks

Code of Federal Regulations (CFR) Title 31 Part 210U.S. Federal Government ACH Payments

Legal Framework for ACH Transactions

NACHA Operating RulesRegulation E

Consumer Credit & Debit EFT Payments

Uniform Commercial Code (UCC) Article 4A

Corporate Credit Payments

Corporate Debit Payments No overarching payment laws/regulations

NACHA Operating Rules

Contractual Hierarchy

ACH Operators

FinancialInstitutions

(ODFIs & RDFIs)

Third-Party Processors

OriginatorsThird-Party Processors

OriginatorsReceivers

(Consumer or Business)

Receivers(Consumer or

Business)


• Originator• Originating Depository Financial Institution (ODFI)• ACH Operator• Receiving Depository Financial Institution (RDFI)• Receiver

10

Who are the Participants?


Originator• Party which initiates the ACH transaction• Can be a company, a government agency• Must have Authorization from the Receiver• Examples: utility company initiating payments, employer initiating Direct

Deposit of an employee’s wages


11

© 2012 EastPay. All Rights Reserved

12

Potential ACH Originators Possible Uses of ACHProperty Management Company Collection of Monthly Condo Association Dues

School District, College or University Payroll and Collection of Tuition Payments

Charitable Organization Scheduled Pledge Donations

Cable Company, Newspaper Subscriber Billings

Church Member Tithes and Donations

Insurance Company Collection of Policyholder Premiums

Fitness Club, Health Club or Spa Dues and Service Fee Collections

Retail Store, Doctor’s or Dentist’s Office, Credit Card Company

Conversion of Check Payments Received, Electronically Re-Presenting Checks Returned as NSF

Municipality Utility Bill Collections

Financial Institution Loan Payments, Stockholder Dividends, Safe Deposit Box Billing, Transfers

Manufacturing Company, Corporation (General)

Direct Deposit of Payroll, Pension Payments, Account Transfers, Tax Payments, Expense Account Reimbursements, Vendor Payments


ODFI • The Financial Institution which originates the ACH

transaction after receiving payment instructions from an Originator

• Warrants that each transaction is correct and authorized

• There must be an agreement between the ODFI and the Originator that, at a minimum, binds the Originator to the Rules

• ODFI must also act as an RDFI


13


ACH Operator• Central clearing facility for the Financial Institutions• ACH Operator agrees to adhere to the Rules• There are 2 ACH Operators

– Federal Reserve – Electronic Payments Network (EPN)

• Both can be involved in a transaction



RDFI• The Financial Institution which receives an ACH

transaction for posting to the Receiver’s account• RDFI has ability to return entries but must do so within

the proper timeframes and adhere to other requirements

• Does not have to act as an ODFI



Receiver• Party which receives the ACH transaction • Has authorized the Originator to initiate the ACH entry

– Except for a Destroyed Check entry

• May be a company, individual or government agency



My corporate account-holder sends weekly files to me to originate Direct Deposit of payroll for their employees.

Who am I?

A. Originator

B. ODFI

C. ACH Operator

D. RDFI

Pop Quiz!


ACH Credit Payment: Entry and Funds Flow

Authorization


ACH Debit Payment: Entry and Funds Flow

Authorization


• The deposit of funds for payroll, T&E, government benefits, tax and other refunds, and annuities and interest payments.

Direct Deposit via ACH


• The use of funds for making a payment. • Individuals or organizations can send or receive a Direct

Payment. • May be ACH credit or debit.

Direct Payment via ACH


If a company is paying its employees payroll by ACH, is it sending credits or debits to the employee’s accounts?

Pop Quiz!!


• Application of Rules• Compliance with Rules

– Effect of Illegality, Audits, Rules Enforcement, Risk Assessment, Compensation, and Arbitration

• Records– Retention, provision upon request, may be electronic

• Excused Delay• Secure Transmission of ACH Information

General ACH Rules


The Role of the ODFI


• ODFI is responsible for entries and rules compliance• Must have Originator Agreement with Originator • Must perform risk management

– Assess & monitor nature of ACH activity, establish & enforce exposure limits

• Must ensure Originator has proper authorization from Receiver

• ODFI warranties (general and specific to SEC Code)

Origination of Entries


• Each entry is properly authorized– not revoked, not terminated by law, correct amount

• Each entry is timely • Complies with other requirements of the Rules, including proper SEC Code• Transmits required information• ODFI warranties do not apply to goods or services• Article Two, Section 2.5 addresses warranties specific to each application

General ODFI Warranties


• Prenotes– Non-monetary entry sent prior to first live entry to notify RDFI that

Originator intends to send ACH to Receiver’s account– Originator must wait 6 banking days after prenote before sending

live dollar entry (effective September 2014 wait time will reduce to 3 banking days)

• Reversals (files and entries) – Erroneous entry

• Duplicate, wrong Receiver, wrong amount, specific conditions related to payroll payments

– Must be sent within 5 days of erroneous file/entry



• Re-initiation– Originator or ODFI may reinitiate returned entry if:

• Returned for NSF/uncollected funds• Returned for stop payment and reinitiation was authorized by Receiver• Corrective action taken to remedy reason for return

– Reinitiation must occur within 180 days from settlement date of original entry

• Must be formatted as RETRYPYMT as of 09/18– All information must remain the same including company ID and dollar amount



• Identification and Formatting• Credit Policy• Agreements• Prefunding Models

Impact of Same Day


The Role of the Originator


• Authorization must:– Be readily identifiable, have clear and readily understandable terms, provide that Receiver

may revoke only by notifying Originator in manner specified

• Debit entries to consumer accounts– Notice of change in amount– Notice of change in scheduled date– Copy of debit authorization

Obligations of Originators


• Record of authorization– Originator must retain original or copy of authorization for defined period of time– Upon RDFI request, Originator must provide to ODFI copy of authorization so that ODFI

can provide to RDFI within 10 banking days

• Some SEC Codes have specific requirements for Originators

Obligations of Originators


The Role of the RDFI


• RDFI must accept entries• May rely solely on account numbers to post• May rely on Standard Entry Class Codes• May request copies of authorizations• Must provide entry information as defined for various types of entries• Does not have to notify Receiver of receipt of entry

General Rights & Responsibilities of RDFIs


• Must make funds available by defined time and may not debit prior to settlement date

• Must verify prenotes and respond if appropriate• Must honor stop payments orders provided by Receivers• May return entries in a timely manner (but may not return based solely on type

of entry)

General Rights & Responsibilities of RDFIs


Returns◦ Restrictions◦ Timing requirements ◦ Unposted credits◦ ODFI request◦ Re-initiation◦ Return Reason Codes (e.g., R01, R02, R10)

Dishonor, Contested Dishonor, Correction◦ Timing requirements ◦ Return Reason Codes (e.g., R68, R73)

Returns


• Administrative (normal) return time frame – return entry must be received by RDFI’s ACH Operator by its deposit deadline for the return to be made available to the ODFI no later than opening of business on second banking day following settlement date of original entry”

• Consumer (extended) return – “…no later than opening of business on the banking day following the 60th calendar day following settlement date…” used mainly for unauthorized consumer debit entries

Return Time Frames

Return Flow


• Pick up additional files• Availability• Exceptions

Same Day Impact


Pop Quiz!!!

– A RDFI can return an ACH debit whenever it wants.

True or False?


• Credit - Occurs when a party to a transaction cannot provide the necessary funds, as contracted, in order for settlement to occur

• Operational- Occurs when a transaction is altered or delayed due to an unintentional error

• Fraud- Occurs when a payment transaction will be initiated or altered in an attempt to misdirect or misappropriate funds by any party to the transaction or outside intruders

• Compliance- Occurs when a party to a transaction fails to comply, either knowingly or inadvertently, with NACHA Operating Rules, applicable regulations, and U.S. and state law

Types of Risk


• Systemic Risk- Occurs when a payment system participant cannot settle its obligation causing other participants to be unable to settle theirs

• Third Party Risk- The risk that the party entrusted by the FI to perform a function of ACH processing does not meet the expectations of the FI

Types of Risk


• It is NOT:– A security assessment– An audit– A one time effort

• It Is:– Required to be conducted– Comply with the expectations of the FIs regulators– Part of the ACH Audit

What is an ACH Risk Assessment?


• SUBSECTION 1.2.4 Risk Assessments A Participating DFI must: – conduct, or have conducted, an assessment of the risks of its ACH activities; – implement, or have implemented, a risk management program on the basis of such an

assessment; and, – comply with the requirements of its regulator(s) with respect to such assessment and risk

management program.

The Rule


• Must have assessment of risks from ACH activities• Must have risk management program based on the assessment• Must ensure assessment and risk management program comply with DFIs

regulator requirements

The Rule – In a Nutshell


• Reflect ACH industry best practices• Send a strong message to the industry on the importance of risk management• Ensure that all ODFIs perform know-your-customer due diligence • Establish procedures, systems and controls to manage the risks of their

Originator’s and Third-Party Sender’s ACH activities

The Rule


• Examples of recent risk management requirements and guidance by regulators include:– OCC Bulletin 2006-39, Automated Clearing House Activities– OCC Bulletin 2008-12, Payment Processors Risk Management Guidance – FFIEC’s BSA/AML Examination Manual, 2010 edition (pages 224 through 233 are specific to ACH;

however ACH is referenced in numerous locations throughout this manual)– FFIEC Guidance on Risk Management of Remote Deposit Capture– FFIEC Retail Payments System – FFIEC Supplement to Authentication in an Internet Banking Environment– FDIC Financial Institution Letter 127-2008, Payment Processor Relationships– FDIC Financial Institution Letter 144-2008, Managing Third Party Risk– FDIC Financial Institution Letter 3-2012, Payment Processor Relationship

NACHA Risk Assessment Framework


• Systems and controls– Policies and procedures– Board reporting– Audit Scope

• Credit management– Credit risk– Underwriting standards– Risk selection– Originator management– Exception Processing– Government Payment Processing– Funds availability

Components


• Compliance– ACH Rules– BSA/AML– OFAC– Reg D, E, CC, GG– UCC4A

• Third parties– Service level agreements– Contracts– Management

Components (cont.)


• Direct Access– Volume– Agreements

• Operational and transactional process– RDFI– ODFI

• IT– Technology controls– Data protection– Business continuity

Components (cont.)


• Identify– Threats

• Consistent between institutions• Vary over time

– Vulnerabilities• Unique to each institution• Not always manageable

– Controls• Preventative• Procedural• Technical• Detective

Components (cont)


• Measure– Control effectiveness– Residual risk

• Prioritize• Remediate or accept• Documentation of the process

Assessment Deliverables

53

Risk Management Program


• Establish ACH Risk Management Program– Clear objectives– Well developed business strategy– Clear risk parameters

• Board and Management role– Board overall business strategy and risk limits– Management establish management system

• Ongoing Process– Evaluate activities v. risk parameter– Policies, procedures, & controls effective

Risk Management ProgramOCC 2006-39


• Board or Committee should receive period reports– Metrics & trend analyses on ACH volumes and more– Metrics & trend analyses of originators and any third-party senders;– Capital adequacy relative to the volume of ACH activity and level of risk associated with

originators;– The percentage of the deposit base linked to ACH origination;– A summary of return rates by originator and third-party senders; – Unauthorized returns that exceed board-established thresholds;– Notices of potential/actual rules violations from NACHA;– Financial reports on profitability of ACH function center; and– Risk management reports, including a comparison of actual performance to approved risk

parameters

Risk Management ProgramBoard Reporting


• Common issues:– inadequate audit coverage– inexperienced audit staff– lack of appropriate auditor training.

• Audit scope– growth in transaction volume– new products and services– new ACH systems– underwriting policies and customer due diligence (CDD) policies and practices– customers' online access to the ACH network.

• Ensure that periodic audits of third-party service providers• (NACHA) Rules Compliance Audit

– not a substitute for a comprehensive, risk-based audit

Risk Management ProgramAudit


• What Auditors and Examiners are finding (continued):– Out of band authentication is not used– IAT entry screening is happening but some institutions are unclear what happens if an

entry is a suspect transaction– Inadequate knowledge of ACH Rules by audit and compliance department

Risk Assessment Findings


• The ACH Policy does not adequately define objectives.• The role of ACH in the overall strategic plan is not defined.• Including ACH in BSA/AML monitoring.• Failure to have adequate controls in place to prevent Corporate Account

Takeover or account takeover for Account to Account Consumer transactions.• Inadequate Vendor Management controls

Risk Assessment Findings


• Who is required to complete the ACH Audit?– Participating Depository Financial Institutions (DFIs)– Third-Party Service Providers and/or Third Party Senders that provide ACH services to

DFIs

59

General Audit Requirements


• Who can perform the Audit?– Audit performed under the direction of:

• Audit Committee• Audit Manager• Senior Level Officer• External auditor of DFI or Third-Party Service Provider

60



• A Participating DFI may wish to audit other aspects of its’ ACH Operations in conjunction with its annual rules compliance audit– OFAC Compliance– ACH Business Continuity Plans– ACH Risk Management Policies– Compliance with 31 C.F.R. Part 210 and Green Book Compliance

61

Non-Rule Related Best Practices


• Compliance with Appendix Eight, OR 203• Identifies Rules that should be reviewed

– Direct impact on quality of ACH Services– Satisfaction of DFIs and Receivers

62



• Conduct annually by December 31st• Retain proof for 6 years from date of audit• Provide to NACHA upon request

– NACHA is requesting proof now

63



8.2 7 Areas of examination– Record Retention– Electronic Records– Proof of Audit completion– Data Security– Payment of NACHA fees– Risk Assessment completion– Security Policies and Procedure

64

Audit Requirements for all DFIs


• Prenote Verification• Proper Use of NOCs• Acceptance of entries• Funds availability• Statement Requirements• Proper handling of returns• RCK returns

• Credit Returns• Stop payments• WSUDs• UCC 4A• Addenda Reporting

8.3 – 12 Rules tested for RDFI

65


• Not Completing an ACH Audit• NOC and/or Return Records not retained in full detail for six years• Prenotes not being looked at or responded to• WEB Credits not posted correctly on statements• WSUD vs. Stop Payments

66

Most Commonly Found areas of Non-Compliance for RDFI’s


• All ODFIs and Third-Party Service Providers required to complete audit

• ODFI warrants completion of audit by both of these participants

• Conduct audit to determine compliance with rules regarding origination of ACH entries

67

Audit Requirements for ODFIs


14 Rules tested for compliance• A. Agreements with Originators and TPS• B. Sending Point Agreements• C. Exposure Limits• D. Acceptance of Return Entries• E. NOC Processing• F. Copies of Authorizations• G. Permissible returns

68

Appendix Eight, 8.4


• H. UCC 4A • I. Identity of Originators• J. Reversing Entries• K. BOC entries• L. NACHA Reporting• M. Direct Access Registration• N. Keeping Originators informed of the Rules

69

Appendix Eight, 8.4


• Origination Agreements missing the recently added requirements• NOC’s• Unable to location Sending Point agreement• Untimely Reversals

Most Commonly Found areas of Non-Compliance for ODFI’s

QUESTIONS

Sean Carter, AAP

SVP, Payments Strategies & Advisor

781-321-1011

[email protected]

Www.neach.org © 2013 NEACH. All rights reserved. BCAC –ACH Risk Management Sean Carter, AAP NEACH...

Documents

Transcript of Www.neach.org © 2013 NEACH. All rights reserved. BCAC –ACH Risk Management Sean Carter, AAP NEACH...