ACH Audit and Risk Assessment: Choose Your Own Adventure

Transcription

1 THE PAYMENTS INSTITUTE July 17-20, 12-15, Emory Conference Center Hotel, Emory University, Atlanta, Georgia ACH Audit and Risk Assessment: Choose Your Own Adventure Mary Gilmeister AAP, NCP President PAR/WACHA-The Premier Payments Resource

2 Disclaimer WACHA, through its Direct Membership in NACHA, is a specially recognized and licensed provider of ACH education, publications and support. Regional Payments Associations are directly engaged in the NACHA rulemaking process and Accredited ACH Professional (AAP) program. NACHA owns the copyright for the NACHA Operating Rules & Guidelines. The Accredited ACH Professional (AAP) is a service mark of NACHA. This material is derived from collaborative work product developed by NACHA The Electronic Payments Association and its member Regional Payments Associations, and is not intended to provide any warranties or legal advice, and is intended for educational purposes only. This material is not intended to provide any warranties or legal advice, and is intended for educational purposes only. This document could include technical inaccuracies or typographical errors and individual users are responsible for verifying any information contained herein. No part of this material may be used without the prior written permission of WACHA/PAR 2015 PAR/WACHA All rights reserved

3 AGENDA ACH Audit Who & Why All DFIs Receiving Depository Financial Institution (RDFI) Originating Depository Financial Institution (ODFI) Risk Assessment 3

4 Why Do We Need To Do the ACH Audit and Risk Assessment? Manage Risk and Minimize Loss Enhance ACH Quality and Customer Satisfaction Improve Operational Efficiencies and Lower Processing Costs Avoid Fines 4

5 What You Need to Know NACHA Operating Rules 31 Code of Federal Regulations 210 Regulation E Regulation CC Uniform Commercial Code 4A Office of Foreign Assets Control (OFAC) The Green Book FFIEC IT Examination Handbook 5

6 Who Must Do an Audit? Receiving Depository Financial Institution (RDFI) Originating Depository Financial Institution (ODFI) Third Party Service Provider Receiving Point Sending Point Any entity that performs a function of ACH Processing on behalf of a Participating DFI Correspondent Bank Corporate Credit Union Third Party Senders 6

7 Required by the ACH Rules Failure of a Participating DFI to provide proof of completed audit may be considered a Class 2 Rules Violation Must also be able to provide proof of audit for TPSP or its TPS NACHA has started to ask for documentation of proof of audit Audit documentation retained for 6 years 7

8 General Audit Requirements Section 8.1 Requires participants conduct an internal or external audit according to Appendix 8 requirements Audit of ACH operations is required Yearly by December 31 Retain documentation for six years 8

9 What method should we use? NACHA rules do not specify the method for completing the audit Some common auditing methods Interview personnel Sampling Random May wish to cluster transactions by common characteristics before selecting samples so that you are certain to address all audit requirements. Testing Follow transactions Follow procedures 9

10 Preparations: ACH Audit Checklist Audit period - most current x days ACH Policies Receipt Origination Risk BSA and OFAC Written procedures manual Organizational chart of chain of command for ACH department Number of employees involved in processing ACH Core Processing system/internal software updates ACH Operator FED or EPN? Operator Advice Risk Assessment Accountholder statements Accountholder disclosures Origination Agreements and Exposure limits Return activity tracking 10

11 ACH Audit Checklist Prior 6 years of audits How do you receive files? Third-party processor How do you process returns? How do you send origination files? Do you have any Direct-send relationships? Staff training Controls for physical access and passwords, security levels Account balancing Personnel policies OFAC controls NOCs Stop Payments and WSUDs DNEs and Reclamations Rules Violations in the past year Contingency/Disaster Recovery Plans 11

12 Audit Requirements for All DFIs, Third-Party Service Providers, and Third-Party Senders 12

13 Section 8.2.A ACH Rules Reference and Records of Entries Retention Method (paper, optical, disk..) Sampling for each of past 6 years Can Be Reproduced Section 8.2.B All Participating DFIs ACH Rules Reference Electronic Records Accurately Reflect the Information Contained in the Record 13

14 Audit Verification Section 8.2.C ACH Rules Reference Verify that an audit was completed in the previous year Verify that issues raised during the previous audit were corrected Audit reviewed by board of directors? 14

15 NACHA Fees Section 8.2.E ACH Rules Reference 1.12 The Financial Institution must file the N-7 form and pay associated Network Administration fees for sending Entries directly to a nonaffiliated Participating DFI. This section is not applicable if you send all of your ACH entries to the ACH Operator 15

16 ACH Risk Assessment Section 8.2.F ACH Rules Reference FIs are required to assess the risk of their ACH activities and implement a risk management program based on the assessment Has it been reviewed by board How often do you re-assess 16

17 ACH Data Security Section 8.2.G ACH Rules Reference 1.6 Participating DFI and originators/third party senders have established, implemented and updated security policies, procedures and systems 17

18 International ACH Transactions IATs ACH Rules Reference , , , , , , , and ODFIs and Gateway Operators must identify all international payment ACH transactions using the SEC code IAT. IATs must include specific data elements called the Travel Rule so that all parties have information necessary to comply with U.S. Law OFAC Compliance 18

19 Receiving Depository Financial Institution (RDFI) The RDFI is a legal receiver An entry is deemed to be received when it is made available to the RDFI or receiving point 19

20 Prenotifications Section 8.3.A ACH Rules Reference 3.5 Validate account number in prenotification entry: Accept Return or Initiate a Notification of Change on a timely basis We do not recommend NOCs for prenotification entries 20

21 Notification of Change Section 8.3.B ACH Rule Reference Verify that NOC entries are transmitted within two banking days of the settlement date of the original entry to which the NOC relates with the exception of NOCs due to merger or acquisition Dual Control? 21

22 Acceptance of Entries Section 8.3.C ACH Rules Reference 3.1.1, Verify all entries accepted as required Entries not required to be accepted: XCK Non-transaction account Do General Ledger and loan entries post automatically 22

23 Credit Availability & Debit Timing Section 8.3.D ACH Rule reference , , and Credit Entry received must be made available to Receiver no later than the day of settlement More specifically, PPD credit entries made available to the RDFI by 5:00 p.m. the banking day prior to settlement date, are available to the Receiver for withdrawal no later than the opening of business on the settlement date Debit entries are not posted prior to the settlement date Same Day ACH 23

24 Account Statement Content Section 8.3.E ACH Rule reference Verify that the RDFI sends or makes available as part of the account statement for consumer customers information from transactions as dictated by the ACH Rules and Regulation E 24

25 Timely Returns (Part 1)(Excluding RCK) Section 8.3.F ACH Rules Reference 3.8. Verify that return entries (including debit entries to a corporate account returned as unauthorized) are received by the RDFI s ACH Operator by its deposit deadline for the return entry to be made available to the ODFI no later than the opening of business on the second banking day following the Settlement Date of the original entry 25

26 Timely Returns (Part2&3)(Excluding RCK) Rules Reference , Appendix Four Verify that permissible return entries (i.e., the late return of unauthorized debit entries to non-consumer Accounts) are transmitted with the permission of the ODFI and utilize the appropriate Return Reason Code Rules Reference 3.8.5; Appendix Four Verify that dishonored return entries received by the RDFI are handled appropriately, and that contested dishonored return entries and corrected returns are initiated in a timely manner. Verify that the RDFI utilizes Return Reason Codes and Contested Dishonored Return Reason Codes that accurately describe the reason for the return 26

27 Represented Check Entries - RCK Section 8.3.G ACH Rules Reference Review internal procedures to ensure that the return of an RCK debit entry is transmitted to the RDFI s ACH Operator by midnight of the second banking day following the banking day of receipt of the presentment notice 27

28 Section 8.3.G continued Transmit an adjustment entry, so the entry is made available to the ODFI by the 60th calendar day, if: notice of RCK policy was not provided R51 item to which the entry relates is ineligible R51 signatures are not authentic or authorized R51 item to which RCK relates has been altered R51 Both items presented for payment R53 Verify that a Written Statement of Unauthorized Debit has been received for entries returned R51 and R53 28

29 Return of Credit Entries Section 8.3.H ACH Rules Reference , Credit entries that cannot posted or be made available to the Receiver are returned and made available to the ODFI no later than the opening of business on the second banking day following the Settlement Date If a Receiver refuses a credit it should be returned and made available to the ODFI by the opening of business 2 nd day following notification of refusal from the Receiver 29

30 Stop Payments Part 1 Section 8.3.I ACH Rules Reference , , and Verify that the RDFI honors stop payment orders appropriately Recurring payment Stop instructions 3 banking days prior to debit Single payment or Non-consumer payment RDFI needs reasonable time to act on stop 2 day return timeframe 30

31 Stop Payments Part 2 Section 8.3.I ACH Rules Reference , , and Appendix Four for extended returns Stop Payment on source document related to ARC, BOC or RCK entry Return Reason R38 Stop Payment on Source Document Return Reason R52 Stop Payment on Item Related to RCK Entry 31

32 Written Statement of Unauthorized Section 8.3.J Debit ACH Rule , , , , and Appendix Four Verify that signed Written Statement of Unauthorized Debit (WSUD) forms are obtained from consumers before returning entries for Return Reason Codes R05, R07, R10, R37, R51 and R53. Verify that the returns are conducted in the appropriate timeframes. Verify that the WSUD is available to the ODFI upon written request. 32

33 Consumer Return Codes Requiring WSUD R05 CCD entry to a Consumer Account R07 Cannot Be Used for RCK, ARC, BOC, POP R10 Consumer Claims the Entry Is Unauthorized, Ineligible or Incomplete Improperly Reinitiated Debit Entries R37 Source Document for ARC or POP Has Paid R51 Improper RCK Entry R53 Item That Relates to the RCK Has Also Been Presented for Payment 33

34 Uniform Commercial Code 4A Section 8.3.K ACH Rules Reference Ensure compliance with UCC Article 4A Disclosure to all account holders that could receive CCD or CTX credit entries With respect to ACH entries Provisional payments vs. final payment Notice requirements Choice of law (for interstate disputes) 34

35 Payment-Related Information Section 8.3.L ACH Rule Reference Review records and procedures to ensure that, when requested to do so by the Receiver, the RDFI is capable and does provide all payment-related information transmitted with CCD, CIE, CTX, and IAT entries to the Receiver by the opening of business on the second banking day following the settlement date of the entry 35

36 RDFI Audit of Federal Government Payments Compliance with requirements as outlined in 31 CFR 210 and the Green Book eenbook/greenbook_home.htm 36

37 Federal Government Payments Written procedures for steps to be taken upon learning of death of customer/member? DNE processing Constructive knowledge All benefit payment/all accounts Front line staff Verify appropriate use of R14 (Death of Rep Payee) and R15 (Death of Beneficiary or Account Holder) Have branch and operations employees been trained on the Green Book Are you aware of recent updates? 37

38 Reclamations A procedure used by the Federal government to recover benefit payments Specific payments subject to Reclamation (page 5-4) Must be sent within 120 days after the agency learns of death An RDFI is not liable for any post-death payments made more than six years prior to the date of the notice of reclamation 38

39 Government Payments Posting to Closed accounts ENR Use Godirect.org Non Receipt request or Tele-Trace Closing an account receiving Federal Government Benefit Payments Garnishments Able to identify Federal Government Payments that are protected 39

40 Originating Depository Financial Institution ODFI The ODFI is totally responsible for entries containing its Routing Number within the Trace Number that are transmitted into the ACH system 40

41 Binding Agreements Section 8.4.A ACH Rule Reference , , and Has an agreement been executed with each company and financial institution for whom the financial institution originates binding them to US law and the ACH Rules? Verify compliance with OFAC-enforced sanctions Third Party Senders Direct Senders Document procedures that allow the financial institution to approve every party for whom the 41

42 Binding Agreements Three issues are required to be addressed in ACH Originator and Third Party Sender Agreements signed or renewed after June 18, 2010 The right of the ODFI to terminate or suspend the Originator The ability to audit the originator Any restrictions on the types of transactions allowed 42

43 Sending Points Section 8.4.B ACH Rule reference Verify that, if applicable, agreements have been executed with all Sending Points transmitting transactions on behalf of the ODFI to the ACH Operator How are ACH rule changes communicated between ODFI and third-party service provider Request a verification they have completed ACH Audit 43

44 ODFI Exposure Limits Section 8.4.C ACH Rule reference Review internal procedures to determine that exposure limits are established for each Originator Exposure limits should be reviewed periodically Entries initiated by Originators are to be monitored relative to the exposure limits across multiple settlement dates The restrictions on types of SEC code of originated entries need to be enforced Procedures for monitoring and what happens if established limits are exceeded 44

45 Return Items Section 8.4.D ACH Rule reference , , and Appendix Four Verify that the ODFI accepts all Return Entries that comply with NACHA rules and that are transmitted by the RDFI within the time limits established by these rules. Dishonored Return Entries are transmitted within five Banking Days after the Settlement Date of the Return Entry. Contested Dishonored Return Entries are accepted as required. Verify that the ODFI is using Return Reason Codes in an appropriate manner. Verify proper Re-Initiation handling 45

46 Notifications of Change Section 8.4.E ACH Rules Reference , Verify that information relating to NOCs and Corrected NOCs is provided to Originator within two banking days of settlement of the NOC or Corrected NOC For CIE or WEB Entries, verify that NOC or Corrected NOC information is provided to any TPSP initiating Entries on behalf of the consumer originator Verify that refused NOCs are Transmitted within 15 days of receipt of and NOC or corrected NOC 46

47 Request for Authorization Section 8.4.F ACH Rules Reference , , Verify that the ODFI provides a copy of an authorization to the RDFI upon written request within 10 banking days of receipt of the request without charge For CCD, CTX, and IAT transactions to a Non- Consumer account, the ODFI must provide to an RDFI based on written request, an accurate record evidencing the Receiver s authorization or the Originator s contact information within 10 banking days 47

48 Permissible Returns Section 8.4.G ACH Rule reference Review internal procedures to ensure that, when agreed to by the ODFI, Permissible Return Entries are accepted R31 Permissible Return ODFI agrees to accept Notify receiving ACH staff Process Cannot dishonor 48

49 UCC4A Compliance for Origination Section 8.4.H Rule reference Verify Compliance with UCC 4A Customer Agreements Disclosure to Originators of CCD or CTX Entries Commercially Reasonable Security Procedures Are you the FI creating ACH files on the behalf of your originators? Do you have reasonable procedures to prevent errors? 49

50 Identity Verification Section 8.4.I ACH Rules Reference ODFI has utilized a commercially reasonable method to verify the identity of each Originator or Third-Party Sender that enters into an Origination Agreement with the ODFI When an ODFI has a relationship with a Third- Party Sender rather than with an Originator directly, also verify that the Third-Party Sender has utilized a commercially reasonable method to establish the identity of each Originator that 50 enters into an Origination Agreement with the

51 Reversing File Section 8.4.J ACH Rules Reference 2.8 and 2.9 Verify that reversing entries and files are done in accordance with the requirements of the rules 51

52 Back Office Conversion (BOC) Section 8.4.K ACH Rules Reference Identify those originators using BOC Document originator info Company name Address Telephone number Contact person Taxpayer ID Nature of business Must be provided to RDFI upon request 52

53 ODFI Reporting Requirements Section 8.4.L ACH Rules Reference Verify that if NACHA has requested in writing, Return Rate Information about an Originator, the ODFI has reported the information and in the time requirement 53

54 Direct Access Registration Section 8.4.M ACH Rules Reference Verify that the ODFI has (1) registered its Direct Access status with the National Association (2) obtained the approval of its board of directors, committee of the board of directors, or its designee for each Direct Access Debit Participant (3) provided required statistical reporting for each Direct Access Debit Participant (4) notified the National Association of any change to the information previously provided with respect to any Direct Access Debit Participant 54

55 ODFI Requirements of Originator & Third Party Sender Section 8.4.N ACH Rules Reference Articles 2.1 Ensure that Originators & TPS are kept informed of their obligations on a continuing basis Document method of notifying Originators of changes to the ACH Rules Do you audit your originators? 55

56 Third-Party Sender Explicitly apply certain risk management and Originator transaction monitoring requirements to Third-Party Senders Require third-parties to provide proof of completion of a Rules compliance audit to its Participating DFI to fulfill request from NACHA

57 Write-up Audit Report Compile the information gathered in your audit working papers and funnel into the Audit Report You may want to also write up a summary of you findings for presentation to the board of directors 57

58 Top Five ACH Examination Findings 1) Lack of Senior Management & Board Oversight 2) Lack of Adequate MIS and Reporting 3) Lack of Monitoring 4) Inappropriate Approval Process (separation of duties) 5) Inadequate Limits or No Limits

59 Risk Assessment 59

60 Risk Assessment Risk Assessment Objectives: Determine the inherent risks and risk factors within the bank s ACH or retail payment activities Identify the key control practices to limit those risks Evaluate the effectiveness of those controls to mitigated the risks considering the likelihood and potential impact to its capital and earnings AND its regulatory compliance obligations

61 Risk Management and Mitigation Common Risk Management Issues: Payments risk management not sufficient for scope of activities (informal, decentralized, or missing) Anxiety for income combined with passive oversight of third-party sender or originator activity Insufficient policies and expertise for the complexity of the payment s environment Lack of adequate customer due diligence/underwriting for exposure to credit or legal liability losses Lack of effective oversight over third party senders Limited FI board and senior management involvement Insufficient risk monitoring and reporting Inadequate NACHA Operating Rules, BSA/AML, or consumer protection training

62 Risk Management and Mitigation Risk Management Methods: Policies, standards, and risk limits Underwriting, due diligence, & oversight Contracts and agreements Transaction limits and controls Risk monitoring and reporting Audit and Control Testing

63 ACH Risk Management and Mitigation Primary Risk Mitigation Tools Consider frequency, audience, timeliness Lower Risk and Lower Volume Track daily, multi-day exposure limits Track ACH volume and return trends and compare to capital Identify and track customerspecific originations and returns (risk-based and/or volume-based threshold) Identify and track highest risk ACH originators ACH originator list with SEC code restrictions, limits, ACH line review date, and agreement date Track ACH over limits and exceptions Track consumer use of internet payment generation Higher Risk and Higher Volume All from lower risk plus: ACH originations and returns by debits, credits, SEC type, thirdparty sender, originator Track ACH reserve adequacy High-risk ACH originator risk ranking report High-risk ACH, tracking returns by SEC types and return code

64 Risk Management and Mitigation tion Credit Risk can be mitigated by: Thorough credit and financial analysis for originators, 3rd party vendors, & 3rd party senders Ensure agreements are maintained & updated Ensure policy includes a list of prohibited and high risk originators and SEC codes w/ approval process Establish risk-based debit and credit limits w/ exception approval requirements Effective customer activity monitoring and reporting Establish appropriate pre-funding and reserve requirements

65 Risk Management and Mitigation Mitigate Compliance and Legal Risk by: Implementing comprehensive BSA/AML, KYC, GLBA, and OFAC screening policies and procedures Conducting due diligence for unfair and deceptive practices by originators and third party senders (e.g., FTC Telemarketer Rule) Conducting adequate monitoring of 3rd parties to ensure effectiveness of due diligence and monitoring processes Performing required audits and independent reviews Ensuring that all origination agreements and third party contracts contain regulatory and compliance language Ensuring proper monitoring and exceptions reporting Ensuring that employees have the proper training

66 Risk Management and Mitigation Mitigate Liquidity Risk by: Monitoring volumes and trends Identifying peaks in usage Tracking volatility in payments activity Assessing impact on funding Use of prefunding and reserves to limit additional funding requirements Using expiration dates for higher limits for increased seasonal or temporary needs Identifying deposit concentrations from payment processing activity and assessing related volatility as a source of funds

67 Risk Management and Mitigation Mitigate Reputational and Strategic Risks by: Conducting background checks on originators and third-party senders Expanding oversight of high-risk originators NACHA Operating Rules Due diligence and risk management program Consumer complaints and litigation Regulatory actions Marketing and business practices

68 ACH related MIS should include: Portfolio-wide ACH origination volume compared to capital ACH returns ACH contract aging Customer distribution by risk rating Customer-specific ACH origination volume trends ACH return trends Unauthorized Return types, volume, $, and % to total transaction Volume Rules/contract violations Times over limit Changes in risk rating Contract date Note: If available, profitability analysis may be appropriate 68

69 ACH related MIS Lower Risk and Lower Volume Track daily, multi-day exposure limits Track ACH volume and return trends and compare to capital Identify and track customerspecific originations and returns (risk-based and/or volume-based threshold) Identify and track highest risk ACH originators ACH originator list with SEC code restrictions, limits, ACH line review date, and agreement date Track ACH over limits and exceptions Higher Risk and Higher Volume All from lower risk plus: ACH originations and returns by debits, credits, SEC type, third-party sender, originator Track ACH reserve adequacy High-risk ACH originator risk ranking report High-risk ACH, tracking returns by SEC types and return code 69

70 Risk Management and Mitigation Mitigate Operational Risks from Systems/Technology by: Establishing comprehensive vendor management program Establishing and monitoring effective service levels Ensuring daily monitoring and reporting of any issues Ensuring that employees have the proper training and expertise Ensuring appropriate access controls, authentication, separation of duties, and independent control reviews Ensuring consistent internal controls and processing procedures across multiple technology applications and platforms Ensuring adequate contingency plans and testing Performing adequate audits with NACHA Operating Rules as starting point

71 Risk Management and Mitigation Mitigate Operational Risk from Fraud by: Ensuring proper due diligence including background checks Using fraud detection software to filter suspicious activity Verification/validation of transmission Anomalous transaction detection Strict adherence to credit and other related policies Ensuring that credit originators require pre-funding or more in-depth financial analysis and underwriting Ensuring appropriate limits are in place Establishing adequate reserves for debit originators Complying with NACHA and Operator rules/regulations Requiring and enforcing updated agreements for all originators and third-party senders Monitoring activity and exceptions reports on a daily basis

72 Risk Management Program

73 Risk Management Program Planning Clearly defined objectives, well-developed business strategy, clear risk parameters, role w/in FI s strategic plan Risk Identification & Assessment Incorporate into existing risk management process, will vary by institution, & use of third-parties Mitigation & Controls Policies & procedures, clearly defined responsibilities, strong internal controls over transactions, risk-based audit program, well designed agreements Measuring & Monitoring Periodic reports allow board to determine activities remain w/in board established risk parameters

74 NACHA Rule Key Component of Rule Amendment Effective June 18, 2010, the Rule requires all participating DFI s to conduct a risk assessment of their ACH activities, and to implement risk management programs based on the results of such assessments, in accordance with the requirements of their regulator(s)

75 Risk Assessment Rule 1) Assessing the nature of risk associated with ACH activity; 2) Performing appropriate know-your-customer due diligence; 3) Establishing controls for Originators, thirdparties, and direct access to ACH Operator relationships; and 4) Having adequate management, information and reporting systems to monitor and mitigate risk

76 How Often? Have there been any changes in technology? Software, processors, new services Have there been change in the number of originators or types Have customer complaints increased Have there been any change in returns or charge offs? Have there been a change in personal? 76

77 FFIEC Made up of: (each may issue their own bulletins as well) Federal Reserve FDIC OCC NCUA CFPB State Regulators Issues guidance on key issues Authentication in an Internet Banking Environment (and recently a supplement to that Guidance) Risk Management of Remote Deposit Capture Issues and updates Handbooks on key topics such as: IT (including ACH, check, RDC) BSA (AML) Business Continuity

78 Risk Management Overview - FFIEC Financial institutions can mitigate many of the risks associated with electronic payments origination & processing: Based on a comprehensive risk assessment of the financial institution s electronic payments environment Board and management oversight that establishes appropriate risk tolerances, effective reporting, employee training, and prudent vendor management practices Leverage existing risk management processes Involve risk management, compliance, and audit resources in the electronic payments risk management effort Incorporate all payment products and services into a broader Payment Risk Management Program

79 Staff Is the FI s board knowledgeable and capable of understanding the risks? Determine if the quality and levels of staffing are adequate Reports showing staffing levels, turnover, trends Level of skill Staffing levels for peak periods Adequacy and quality of staff resources AAP

80 Staff (cont.) There is adequate capacity for current and planned transaction volumes? Automated vs. manual processes Quality of controls Separation of duties Dual control

81 Policies Policies should include: Goals and objectives of the program Approved products and services Prohibited Originators or Merchants Third Party Senders Exposure limits and Originator review Contracts & Agreements OFAC, PATRIOT Act, BSA/AML

82 Policies (cont.) UCC4A provisions Third Party Service Providers Direct Access to the ACH Operator File Delivery Data Breach ACH and Payment Product Audits

83 Review Originator Agreements Do the agreements adequately set forth the responsibilities of all parties? Do the agreements meet the requirements of the NACHA Operating Rules? Do the agreements mention funding arrangements, SEC codes allowed, Regulation CC, UCC 4A.

84 Third Party Sender ODFI ABC Company Hardware Store Payroll Company No agreements with originators Grocery Bike shop Church Dry Cleaner Day Care 84

85 ACH Transaction Flow Third Party RECEIVER ORIGINATOR Agreement Sender Payroll processor Third Party Sender Agreement ORIGINATOR s FI NO Agreement ODFI Third Party Sender s FI RDFI ACH OPERATOR

86 Third-Party Senders Non Contractual Relationship with Originators Need a specific contract to address risks Contract should include: ODFI approval of all originators Exposure limits per originator An exposure limit for the TPS Method to identify each originator Third party sender audit now required

87 Third-Party Senders Increased emphasis with regulators CIP for all parties involved Check for nested TPS New Rules implemented by NACHA effective 2015

88 Same Day ACH Origination of Same Day ACH Entries is optional Receipt of Same Day Entries is not optional All RDFIs must be prepared to pickup incoming ACH files from ACH Operator or Receiving Point and post Entries as required Next-day processing schedules will remain unchanged and will continue to be available for use 88

89 A Phased Approach to Same Day ACH To ease the industry s implementation effort, the new ACH Network functionality would be implemented across three implementation phases. Functionality Phase 1 Sept. 23, 2016 Transaction Eligibility ($25,000 limit; IAT not eligible) Phase 2 Sept. 15, 2017 Phase 3 March 16, 2018 Credits only Credits and debits Credits and debits New Same Day ACH Processing Deadlines 10:30 AM ET and 2:45 PM ET 10:30 AM ET and 2:45 PM ET 10:30 AM ET and 2:45 PM ET New Settlement Time(s) 1:00 PM ET and 5:00 PM ET 1:00 PM ET and 5:00 PM ET 1:00 PM ET and 5:00 PM ET ACH Credit Funds Availability End of RDFI s processing day End of RDFI s processing day 5:00 PM RDFI local time Times shown represent the approximate times for an ODFI s deadlines to transmit Same Day ACH transactions to an ACH Operator

90 Same Day ACH Risk Overview Same Day ACH and the faster movement of money can mitigate some risks and increase others The phased implementation of Same Day ACH is itself a risk mitigation tactic By limiting Phase 1 to credits, the industry has a year to adjust to the faster movement of funds before the introduction of same-day debits Allowing FIs and their account holders to adjust, before moving money out of accounts (debits) faster The $25,000 transaction limit (not batch or file limit) is a risk mitigation tool Controls the quantity of dollars that can move faster Controls the impact of receiving large dollar debits late in the business day 90

91 Before Originating Same Day ACH: Some Risk Considerations Develop an overall strategy for offering Same Day ACH Should Same Day be offered to all or select Originators? Not all customers may be suitable for same-day origination Not all FI products may be suitable for same-day origination Determine how to identify those Originators or transaction types permitted to use Same Day ACH Consider customer s profile (i.e., business model) when offering Same Day ACH Current credit limits and risk rating Prefunding and exposure Authentication methods Review Files or have processes in place to determine compliance with Same Day eligibility rules Ensure proper use of Effective Entry Date Other indicators (Descriptive Date, Company Discretionary Data) Transactions appropriate to the phase (Phase 1, Credits only) 91

92 Originator Risk Considerations ODFI should review policies for prefunding particularly in Phase 1 when debits will not be available for Same Day With $25,000 per Entry limit, off-set may not be eligible for Same Day Some Originators may attempt to split $25,000+ items into two or more Entries To mitigate their risk, ODFIs should monitor for this and educate Originators The ACH Rules Enforcement Panel will have final authority on any instances when it appears that an ODFI, Originator or Third- Party Sender is attempting to evade the limit To mitigate risk of an increase in unauthorized returns, ODFI should ensure Originators have clearly communicated use of same day debit Ensure customers understand the debit could take place same day 92

93 Vendor Management Assess management s ability to manage outsourced relationships with technology service providers Encrypt transactions while in route between service provider and institution Contract provisions Personnel, equipment Contingency planning Measurements specify what constitutes inadequate performance Appropriate sanctions Reduction in fees etc.

94 Third-Party Service Provider Risks Is the vendor/service provider a strategic fit for your organization? Is the third-party financially stable? Does the system allow for scalability? Will you have online access to real-time reports? Can velocity limit parameters be established? Does the application provide process & system monitoring capabilities?

95 Information Security FIs should implement the appropriate physical and logical security controls Look at service providers and external networks Consider controls on: Origination, approval, transmission and storage of ACH and other payment product s information Corporate Account Takeover

96 FFIEC Guidance: Internet Banking Risk Assessment High Risk Transactions Customer Authentication for High Risk Transactions Layered Security Programs Layered security is characterized by the use of different controls at different points in a transaction process so that a weakness in one control is generally compensated for by the strength of a different control. Customer Awareness and Education

97 Mobile Financial Services (MFS) Management should identify the risks associated with the types of MFS being offered as part of the institution s strategic plan. Operational Risk identify risks how the device communicates with the POS or other terminals. SMS Technology Mobile -enabled website Mobile Applications Mobile Payments Compliance Risk Reputation Risk 97

98 Board of Directors and Cyber Security Questions your Board of Directors should have answers to: What is Management s familiarity with cyber security and account takeover? Has Management identified where and how there is risk of an attack? Can your Management team articulate your institution s account takeover risk and explain your procedures to mitigate, identify and respond to attacks? 98

99 Board of Directors Questions your Board of Directors should have answers to: Has Management assigned clear roles and responsibilities within this plan? What are the communication plans in the event of an attack on your financial institution or business client? Does Management have a handle on the cyber security of your third-party service providers? 99

100 Board of Directors Board of Director Responsibilities: Set or approve your financial institution s risk tolerance and ensure Management targets your cyber security preparedness to align with that stated risk tolerance Review, approve, and support your financial institution s procedures to address risk management and control weaknesses 100

101 ODFI Exposure limits (both originator and TPS) Based on the originator s credit rating Relative to all services i.e. (cross-channel) Written agreements with originators addressing exposure Consumer Internet Banking limits Increase in unauthorized triggers require re-evaluation

102 ODFI Reports Automated for returns (60-75 days) Unauthorized Invalid NSF and other Entries in excess of the exposure limit and approval Audits from Originators

103 ODFI Exposure (Credit Entries) Period of time between the initiation of ACH credit file until the company funds the account Amount of risk based on total amount of the file Up to 2 days Credit Risk ODFI Exposure (Debit Entries) Date funds available to Originator until debits can no longer be returned by RDFI s Up to 60 days from settlement for unauthorized Can be 2 banking days for NSF/uncollected funds Amount of risk based on amount of individual or multiple returned ACH debits

104 ACH Funding Adequacy of funding before releasing the file to the Operator Prefunding Timing Blocks or separate account

105 RDFI Assess RDFI s overdraft policies Customers/members Funds Availability RDFI established procedures to deal with consumers notifications regarding unauthorized or revocation Stop Payments Freeze accounts for blocked parties (OFAC)

106 ACH Accounting Balancing procedures General ledger ACH activity with pending file totals Separate accounts for returns, unposted Verifies the source of the files originated Separation of duties Customer profile change request

107 Business Continuity Ensure you have developed a plan to continue operations in case of a emergency Consider all risks Risk rate what is critical to operations TEST, TEST, TEST Look at third party vendors plans 107

108 Observations and Conclusions

109 109 Sample Matrix

110 Observations and the Future Risk assessments not well integrated into enterprise risk assessment and management NACHA Operating Rules allow audits/assessments by non-independent parties Risk assessments performed by staff with incomplete understanding of industry/product risks Generous ratings for inherent risk and internal controls Smaller firms challenged to provide separation of duties Industry/products and risks continue to evolve rapidly

111 Conclusion As electronic payments volume, new products, and entry points continue to increase, financial institutions must have effective and comprehensive policies, procedures, and processes to identify, measure, and limit the risk to the bank and its customers. Financial institutions that process payments for third parties including payment processors and high risk merchants must implement enhanced risk management practices to protect against increased credit, compliance/legal, reputational, strategic, and operational risks.

112 Going Forward Be aware of the Supplement to the Guidance on Authentication in an Internet Banking Environment and how it continues to evolve Watch for updates to the IT handbook Be sure your institution has done risk Assessments for ACH and RDC Use the material presented today to ensure you ve covered all the appropriate topics in your Assessments

113 Risk Assessment Examples of recent risk-management requirements and guidance by regulators include: OCC Bulletin , Automated Clearing House Activities, September 1, 2006 ( FFIEC s BSA/AML Examination Manual, 2007 edition ( 07.pdf (pages 199 through 205) OCC Bulletin , Payment Processors, April 24, 2008 ( FDIC Financial Institution Letter , Payment Processor Relationships, November 7, 2008 ( FFIEC Guidance on Risk Management of Remote Deposit Capture, January 14, 2009 (

114 QUESTIONS 114

115 Resources WACHA- The Premier Payments Resource PAR- Payment Advisory Resource HELP DESK Phone: Toll Free: Fax: