Mitch Kenady, AAP Compliance Services Specialist
Dahlia Penland, AAP Compliance Services Specialist

Regional Payments Associations, through their Direct Membership in NACHA, are specially recognized and licensed providers of ACH education, publications and support. Regional Payments Associations are directly engaged in the NACHA rulemaking process and the Accredited ACH Professional (AAP) program. NACHA owns the copyright for the NACHA Operating Rules & Guidelines. The Accredited ACH Professional (AAP) is a service mark of NACHA.

DISCLAIMER: This presentation and applicable materials are intended for general education purposes, and nothing in this presentation should be considered to be legal, accounting or tax advice. You should contact your own attorney, accountant or tax professional with any specific questions you might have related to this presentation that are of a legal, accounting or tax nature.

UMACHA 2014; All rights reserved
Is your Financial Institution meeting all of the Appendix Eight requirements? Regular ACH Rules Compliance Audits and an ACH Risk Assessment of key processing areas will keep your program in Rock Star form!

Agenda
» Common ACH Rules Compliance Audit Findings
  Potential Risk
  Non-Compliant
  Recommendations
» Common ACH Risk Assessment Findings
  ACH Risk Areas Identified
  Recommendations
» Tips for Your ACH Program
  Third-Party Senders (TPS)
  ACH Origination Agreements
  Audit Schedule and Perspective
» Questions/Open

Appendix Eight (Rules Compliance Audit Requirements)
  Part 8.1 General Audit Requirements
  Part 8.2 All Participating DFI Requirements
  Part 8.3 Requirements for RDFIs
  Part 8.4 Requirements for ODFIs
  Best Practice Areas
General Audit Requirements
» Non-Compliant (NC)
  An annual audit has not been completed, either internally or by an external party
  Proof/documentation is not retained for six years to support an audit covering all Appendix Eight requirements applicable to the Financial Institution
» Recommendations (RC)
  Engage knowledgeable, independent staff or a third party to conduct the audit
  Secure all proof of audit completion, electronically or in hard copy, in a manner that is readily accessible

» Record Retention (NC)
  Detailed records not retained for the required six-year period
  Paper entries damaged, destroyed, or their location not identified
  Records not retained following a record retention system or core system change
  Only summary data is available, which is not sufficient to recreate entries
» Recommendations (RC)
  Periodically test the ability to pull historical entries
  Ensure the conversion process from the former system allows access to, or provides copies of, historical entries
  Understand the reports/information available in the new system
» Prenotification Entries (NC)
  Not reviewing Prenote reports
  Not responding to invalid entries timely, or at all
» Areas of Risk (AR)
  No procedures
  Dual control not in place
» Recommendations (RC)
  Written procedures for handling prenotifications
  Dual control and review

» Timely Returns (NC)
  Unauthorized corporate ACH entries (CCD & CTX) returned untimely
  Return reason: R10 vs. R29 (an unauthorized corporate entry is returned with R29, Corporate Customer Advises Not Authorized, within the two-banking-day window, not with the consumer code R10 and its 60-day window)
» Recommendations (RC)
  Written procedures for handling returns for both consumer and non-consumer entries
  Review of the Standard Entry Class (SEC) code prior to return
» Stop Payment (NC)
  ACH Stop Payment entry returned untimely
  No, or incomplete, Stop Payment form on file
  Non-consumer Stop Payment request is not signed within 14 calendar days
» Areas of Risk (AR)
  Forms not completed accurately
  Stop Payment not executed consistently with procedures and the Rules
  Stop Payment placed for only six months
» Recommendations (RC)
  Written procedures for stop payment requests which include:
  a) Paper checks (consumer and corporate)
  b) Single and recurring consumer ACH account requests
  c) Single and recurring non-consumer account requests
  Training is key
» Written Statement of Unauthorized Debit (WSUD) (NC)
  Unauthorized entries returned untimely
  Incorrect return reason code
  No WSUD, or an incomplete WSUD, on file
» Areas of Risk (AR)
  Forms not completed accurately
  WSUDs not executed consistently with procedures and the Rules
» Recommendations (RC)
  Written procedures for accepting and completing WSUDs which include:
  a) Differences between consumer and non-consumer entries
  b) Training on proper completion and use of the WSUD form and procedures
  c) Conversation with the customer
  Training is key
» Origination Agreement (NC)
  Agreement not signed by both parties
  No agreement on file
  No identification of approved or restricted Standard Entry Class (SEC) codes
» Recommendations (RC)
  Update agreements with the ACH Security Framework provisions:
  a) Each Participating DFI, Third-Party Service Provider, and Third-Party Sender must establish, implement, and update data security policies, procedures, and systems related to the initiation, processing and storage of Entries and the resulting Protected Information
  Execute Origination Agreements and retain them on file
  Add an attachment listing SEC code approvals and/or restrictions

» Exposure Limits (NC)
  Files transmitted to the ACH Operator exceed the limits contained in the Origination Agreement:
  a) Proper approval not received for over-limit files
  b) No exposure limit review
  c) Origination files created by the Financial Institution with no restrictions enforced on the file totals
  When applicable, multiple-day settlement is not monitored
» Areas of Risk (AR)
  Exposure limits are set too high or do not account for historical activity
  Periodic review of exposure limits not completed
» Recommendations (RC)
  Consider historical data and volume when establishing limits
  Develop procedures that set consistent guidelines for approving ACH files that do not meet the exposure criteria
  Ensure account relationship managers or loan officers are involved in decisions to mitigate risk
» Originator/Third-Party Sender Obligations (NC)
  Originator/TPS not advised of improper ACH activity or Rule changes
  Incorrect use of:
  a) SEC codes
  b) Company Name field
  c) Prenotification Entries
» Areas of Risk (AR)
  ACH Policy is not followed when establishing procedures to notify Originators of their Rules responsibilities
  ACH Rules not provided or made available
  Formatting of origination files (Company Name and SEC codes)
  Periodic reviews or audits not completed
» Recommendations (RC)
  On-site review/audit or self-assessment
  Open-house education sessions, newsletters, notices on the website
  Periodic, random reviews of origination files
  In-person training on the online origination service; provide User Guides
  Ready availability of, or access to, the current NACHA Corporate Rules
» OFAC (AR)
  No written procedures for screening International ACH Transaction (IAT) entries, including the action to take if an entry is determined to be a true hit
  Posting suspect or false-positive IAT entries (including memo-posting) before final review
  No written policy regarding receipt, return or origination of IAT entries
» Recommendations (RC)
  Develop and implement procedures for handling IAT entries (received and originated) which include suspending an IAT entry from being available to the account holder prior to final OFAC screening of suspect entries
  Incorporate receipt, return and origination of IAT entries into the BSA/AML/OFAC policy

» 31 CFR Part 210 (Federal Government Payments) (AR)
  No written procedures for handling Death Notification Entries (DNE) or Notices of Reclamation
  Failure to immediately return post-death Federal Government payments upon notice or constructive knowledge of death
  Misuse of return reason codes (R14, Representative Payee Deceased, vs. R15, Beneficiary or Account Holder Deceased)
» Recommendations (RC)
  Develop and implement procedures for processing DNEs and Reclamations which include: flagging the beneficiary account, reviewing all account relationships in which the beneficiary has ownership, notifying all appropriate staff, and immediately returning all post-death benefit payments with the appropriate return reason code
  Knowledge of, and access to, The Green Book: http://www.fms.treas.gov/greenbook
» File Delivery Methods (AR)
  No out-of-band authentication method, multifactor authentication system, or multilayered approach
  Dual control does not exist when processing or building ACH entries internally for a corporate Originator
» Recommendations (RC)
  Develop written procedures which include out-of-band authentication for file deliveries
  Ensure dual control over ACH origination entries created on behalf of your Originator

» In-House ACH Origination (AR)
  Transmitting B2B entries as consumer entries (PPD)
  No dual control on functions related to in-house origination entries
» Recommendations (RC)
  Develop and implement procedures which require dual control on setup, maintenance and deletion of in-house ACH entries
  Assign the appropriate SEC codes to all in-house ACH entries
A Participating DFI must:
  a) conduct, or have conducted, an assessment of the risks of its ACH activities;
  b) implement, or have implemented, a risk management program on the basis of such an assessment; and
  c) comply with the requirements of its regulator(s) with respect to such assessment and risk management program.
(NACHA Operating Rules & Guidelines 2014, Article 1, Subsection 1.2.4)

» ACH Risk Assessment
  Institutions have not yet conducted an ACH Risk Assessment:
  a) No full assessment of the ACH program covering both receiving and originating activity
  b) An enterprise-wide assessment may not incorporate all ACH processes
  c) Critical activity or changes in the ACH environment, services, or systems did not result in a new or reviewed assessment
» Recommendations (RC)
  The risk assessment should be based on the complexity of the environment and the requirements of your regulator
  Changes in the operating environment, emerging threats, or losses incurred may be reasons to re-assess your ACH risk
» Areas of Concern
  Incomplete or no risk assessment specific to the ACH program
  ACH procedures not in place or outdated
  a) Have any of your systems changed?
  b) Have you had any staff turnover?
  ACH audit not completed annually according to the Appendix Eight guidelines
  Board of Directors/Senior Management not informed through regular, periodic reporting
» Areas of Concern (cont.)
  Incomplete/non-compliant ACH agreements for Originators and Third-Party Senders
  Unreasonable or unenforced ACH exposure limits
  Information system controls regarding ACH information:
  a) Management, storage and destruction of non-public ACH information
  b) Network/workstation security at the Originator site
  c) Training and awareness of information security practices for staff and Senior Management/Board of Directors
  Cross-channel risk relative to ACH and overall credit exposure across an Originator's entire relationship (wire transfers, RDC, other payment products)
» Board/Senior Management Reports
  ACH volumes received and originated
  ACH Originator listing including such things as exposure limits, transaction types, average file amount, return and NOC volumes
  Revenues and expenses associated with the ACH program
  Variances from prior reports
» Regular review of agreements
  Updates as the Rules change (including attachments)
» Documented due diligence of Originators
» Policy and Procedures
  How to establish ACH exposure limits
  How to monitor and enforce limits

» Information System Controls
  Multifactor and multilayer controls within online banking
  Are Originators storing data securely in compliance with the ACH Security Framework Rule?
» Monitor Cross-Channel Risk
  Are you able to monitor customer activity across all access points?
» Complete the annual ACH audit
  Can proof of audit and supporting documentation be provided to NACHA?
  Are you reviewing this for TPSP and TPS relationships?

» Update ACH policies and procedures
  Have you changed paper storage methods to electronic? Do your policies and procedures reflect the change?
» Update the risk assessment as needed
  Changes in core processing systems
  New products: online banking origination, remote deposit capture
  Acquisitions/mergers
  Staff turnover and loss of key employees
» Ongoing education of staff and customers/members
  Webinars and in-person classes
  Review of rule changes
  Periodic emails containing the latest news and updates
Depending on your size and ACH strategic plan, your ACH program may be easily managed, or may require analyzing many areas to create a strong program. Be sure to consider all areas of your Financial Institution!
» Returns
» Origination
» Policies
» Third-Party Service Providers
» Exceptions
» Procedures
» Education
» Training
» Board Reporting
» Exposure
» Information Security
» OFAC Compliance

» Identify any Third-Party Senders
  ODFIs are responsible for all entries transmitted to the ACH Operator
  Periodically check the Company Name field of entries sent on behalf of Originators:
  a) Do you see just the Company Name of your Originator, OR is there a variety of Company Names?
  b) Multiple Company Names could mean entries are being sent for a Third-Party Sender
  If a Third-Party Sender relationship is discovered that you were not aware of, updates should be made to your KYC and CIP policy
  Third-Party Senders are required to complete an annual ACH audit
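The Company Name check above, together with the SEC-code restrictions and exposure limits from the Origination Agreement findings earlier in this deck, can be run mechanically over an outbound NACHA file. The following is an added example written for this page, not UMACHA's code or a tool the deck describes: it reads batch header ("5") and entry detail ("6") records using the standard 94-byte NACHA field positions, and flags one Company ID appearing under several Company Names (a possible unknown Third-Party Sender), batches using an SEC code not on the Originator's agreement attachment, and per-file credit or debit totals over the Originator's limit. The Originator profiles, limits and sample file are constructed for illustration, and applying one limit separately to credits and debits is an assumption, not a Rules requirement.

```python
"""Offline review of a NACHA-format ACH origination file (added example).

Inspects only batch header ("5") and entry detail ("6") records; a real
review would also reconcile the batch ("8") and file ("9") control totals.
"""
from collections import defaultdict

# Hypothetical agreement attachment per Originator, keyed by the 10-character
# Company Identification field of the batch header. Amounts are in cents. The
# limit is applied separately to total credits and total debits per file
# (an assumption for this example).
ORIGINATOR_PROFILE = {
    "1123456789": {"limit": 250_000_00, "sec": {"CCD", "CTX"}},   # B2B Originator
    "1987654321": {"limit": 50_000_00, "sec": {"PPD"}},           # consumer-debit Originator
}

DEBIT_CODES = {"27", "28", "37", "38"}    # checking/savings debit transaction codes
CREDIT_CODES = {"22", "23", "32", "33"}   # checking/savings credit transaction codes


def batch_header(company_name, company_id, sec, odfi="09100001", batch=1):
    """Build a 94-byte batch header: Company Name @5-20, Company ID @41-50, SEC @51-53."""
    rec = ("5" + "200" + f"{company_name:<16}" + " " * 20 + f"{company_id:<10}" + sec
           + f"{'PAYMENTS':<10}" + " " * 6 + "140915" + "   " + "1" + odfi + f"{batch:07d}")
    assert len(rec) == 94
    return rec


def entry_detail(tran_code, amount_cents, odfi="09100001", seq=1):
    """Build a 94-byte entry detail: transaction code @2-3, amount @30-39."""
    rec = ("6" + tran_code + "07100050" + "4" + f"{'123456789':<17}" + f"{amount_cents:010d}"
           + f"{'ID-001':<15}" + f"{'RECEIVER NAME':<22}" + "  " + "0" + odfi + f"{seq:07d}")
    assert len(rec) == 94
    return rec


# Constructed sample file: Originator 1123456789 sends its own CCD credits, then a
# PPD batch under a different Company Name; 1987654321 sends an in-limit PPD debit.
SAMPLE_FILE = [
    batch_header("ACME WIDGETS", "1123456789", "CCD", batch=1),
    entry_detail("22", 150_000_00, seq=1),
    entry_detail("22", 120_000_00, seq=2),
    batch_header("BOBS LAWN CARE", "1123456789", "PPD", batch=2),
    entry_detail("27", 500_00, seq=3),
    batch_header("HEALTH CLUB", "1987654321", "PPD", batch=3),
    entry_detail("27", 45_000_00, seq=4),
]


def audit_file(records, profiles):
    """Return a list of (finding, company_id, detail) tuples for one file."""
    findings = []
    names_by_company = defaultdict(set)
    totals = defaultdict(lambda: {"credit": 0, "debit": 0})
    current_id = None
    for rec in records:
        if len(rec) != 94:
            findings.append(("BAD_RECORD_LENGTH", current_id, len(rec)))
            continue
        if rec[0] == "5":
            name, current_id, sec = rec[4:20].rstrip(), rec[40:50].rstrip(), rec[50:53]
            names_by_company[current_id].add(name)
            profile = profiles.get(current_id)
            if profile is None:
                findings.append(("UNKNOWN_ORIGINATOR", current_id, name))
            elif sec not in profile["sec"]:
                findings.append(("SEC_NOT_APPROVED", current_id, sec))
        elif rec[0] == "6" and current_id is not None:
            code, amount = rec[1:3], int(rec[29:39])
            if code in DEBIT_CODES:
                totals[current_id]["debit"] += amount
            elif code in CREDIT_CODES:
                totals[current_id]["credit"] += amount
    for company_id, names in names_by_company.items():
        if len(names) > 1:   # one Company ID, several Company Names: who is really originating?
            findings.append(("MULTIPLE_COMPANY_NAMES", company_id, tuple(sorted(names))))
    for company_id, sides in totals.items():
        limit = profiles.get(company_id, {}).get("limit")
        for side, amount in sides.items():
            if limit is not None and amount > limit:
                findings.append(("OVER_LIMIT", company_id, (side, amount)))
    return findings


if __name__ == "__main__":
    for finding in audit_file(SAMPLE_FILE, ORIGINATOR_PROFILE):
        print(finding)
```

Run against the constructed file, this reports the PPD batch as an unapproved SEC code for 1123456789, the two Company Names under that one Company ID, and the credit total of $270,000.00 over the $250,000.00 limit; the HEALTH CLUB batch produces nothing. A MULTIPLE_COMPANY_NAMES finding is a prompt to ask the Originator who those other companies are and, if it is sending for others, to paper the Third-Party Sender relationship and update KYC/CIP, as the slide above recommends.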
[Diagram: Third-Party Sender relationship. Health Club (Originator) <-> Accounting Firm (Third-Party Sender): agreement between these parties, similar to the Co/ODFI agreement as outlined in Article Two. Accounting Firm <-> ODFI: Third-Party Sender Agreement (Co/ODFI Agreement). There is NO AGREEMENT (relationship) between the Originator and the ODFI.]
» ACH Originator / ODFI Agreement
  Periodic review of Origination Agreements to ensure they meet the Rule requirements and your Financial Institution's ACH policy
  Update File Delivery Methods - keep CURRENT
  Update Security Procedures - keep CURRENT
  Use ONE version of the ACH Origination Agreement

» Audit perspective
  Schedule your annual audit
  a) 12 months do not have to pass between audits
  b) Audits can be done in December one year and January the following year
  Make sure you give yourself as much time as you need to gather all necessary materials
» Choose UMACHA to perform one or more of your compliance needs
  ACH Audits
  ACH Risk Assessments
  Remote Deposit Capture (RDC) Risk Assessments
  Contact us today to receive a quote!

Publications
» ACH Audit Guide on CD: $75 Members / $150 Non-Members
» ACH Risk Assessment Guide on CD: $150 Members / $300 Non-Members
» RDC Risk Assessment Guide on CD: $150 Members / $300 Non-Members
» Rules Review Guide for Originators: $35 Members / $70 Non-Members
» ACH Procedures Manual (NEW!): $175 Members / $350 Non-Members
» ACH Procedures Manual Updates, 3-year subscription (NEW!): $150 Members / $300 Non-Members
Be sure to visit the UMACHA booth to see our publications and place an order!

Webinars
» ACH Audit Compliance Webinar (2-week series)
» ACH Risk Assessment Webinar (2-week series)
» Un-Complicating Your Third Party Relationships Webinar
» ACH Rule Changes for 2015 Webinar
» ACH Stop Payments vs. Unauthorized Transactions Webinar
» ACH Basics for the Non-ACH Person Webinar
Members $300.00 / Non-Members $550.00
Be sure to visit the UMACHA booth or our website www.umacha.org for details on upcoming dates for these webinars!