ACH operations pose a variety of risks including credit, liquidity, and operational. NACHA and the two national ACH operators (the Reserve Banks and EPN) have clear expectations that financial institutions will manage these risks, particularly when the institutions engage in riskier ACH activities. In recent years, the ACH operators have begun to offer a variety of risk management tools to help control ACH risks. Financial institutions should employ those tools that are commensurate with the risks taken.
The risk of fraud can be mitigated through proper due diligence for all originating customers and strict adherence to ACH and credit policies. Additional mitigation can be achieved by avoiding high risk businesses and customers. Limits should be appropriate for the risks of each customer and the use of pre-funding arrangements or reserves can be effective in controlling losses. Management should review monitoring reports offered by the ACH operators that can assist in early detection of unauthorized ACH transactions.
For ACH credit entries, a financial institution that serves as the ODFI incurs credit risk upon initiating the entries until its customer funds the account. The ODFI is responsible for settling payments originated using its routing number even if the transactions are outsourced to third-party service providers. The RDFI incurs credit risk when it grants funds availability to its customer prior to the final settlement of the credit entry. For ACH debit entries, the ODFI incurs credit risk from the time it grants funds availability to the originator (usually on the settlement day) until the ACH debit can no longer be returned by the RDFI. If the transaction is properly authorized, returns must be made no later than the second banking day following settlement. If not authorized properly, the financial institution exposure can be up to 60 days from when it sends a periodic statement to the consumer. An ODFI will normally charge back a returned ACH debit to the originator. However, the ODFI may suffer a loss if the originating account has insufficient funds, is closed, or is frozen because of bankruptcy or other legal action.
To manage its credit exposures, an ODFI should establish policies, procedures, and limits that acknowledge the risks certain businesses and customers bring to an ACH operation. Higher risk businesses include gambling and adult entertainment firms. The financial institution's policies should clearly state the types of businesses and customers that are acceptable and should treat all ACH customers as unsecured borrowers that are subject to the institution's standard credit review and approval process. An ODFI should conduct thorough due diligence of its originating customers, including understanding the nature of their businesses and financial condition. For certain customers, pre-funding or reserve arrangements may be necessary to control the risk. On an ongoing basis, an ODFI (and its service providers) should monitor the creditworthiness of its customers, and establish and periodically review ACH exposure limits for them. In addition, an ODFI should implement procedures to monitor ACH entries relative to the originator's exposure limit across multiple settlement dates. Breaches in limits should be reported to the appropriate levels of management. An ODFI should monitor and research frequently the returns, particularly unauthorized returns. The Federal Reserve and EPN can provide such reports to ODFIs.
An RDFI should establish prudent overdraft and funds availability policies and practices to mitigate its credit exposures. Credit risk, with respect to a debit entry, arises if the RDFI allows the debit to overdraw its customer's account. When a financial institution fails to comply with the NACHA rules, it exposes itself to contractual liability and fines. In addition, Regulation E applies to electronic fund transfers, including ACH transactions. The notice, authorization, error resolution, and timing requirements of Regulation E are of particular importance. Noncompliance with Regulation E exposes a financial institution to litigation and civil money penalties. Financial institutions should also monitor their compliance with applicable BSA and OFAC requirements concerning unusual transactions and transactions involving blocked parties.
Financial institutions should understand the impact that ACH transaction risk has on their liquidity. For example, an ODFI may not be able to settle (collect) an ACH debit, or an RDFI may not be able to settle an ACH credit because of fraud, service disruption, or the default of an ACH Network participant. This could impair the financial institution's ability to meet its obligations and result in losses. Financial institutions should consider the volume of their uncollected ACH transactions as part of their liquidity risk management practices. For certain customers, pre-funding arrangements may be used to reduce liquidity risk.
Given the highly automated nature of ACH activities, operational risks should be managed closely. Clear policies and procedures should establish the proper control environment. Exceptions and operational problems, including processing delays and customer complaints, should be monitored in a timely manner. Management and staff should be familiar with NACHA rules and the requirements of the Reserve Banks and EPN. Well conceived and tested contingency plans are vital given the time sensitive nature of ACH transactions. Higher expectations for BSA compliance require additional attention from management. Audits should be performed on a frequent basis by qualified auditors.
Third-Party ACH Processing