Third-Party ACH Processing
While a financial institution's responsibilities do not change with the use of a technology service provider for ACH processing, its risk exposure may increase as a result of the servicer's direct access to an ACH operator. A TSP may transmit ACH transactions directly to an ACH operator using the ODFI routing number. However, it is the ODFI that warrants the validity of each entry transmitted by the service provider, including the basic requirement that a receiver has authorized all entries. To reduce risk to all parties, the financial institution should establish controls over TSP operations, and the ODFI should maintain control over its settlement accounts. See the IT Handbook Outsourcing Technology Services Booklet.
Although the federal regulators do not enforce the NACHA rules, a financial institution subject to them should have appropriate risk-management and control processes to ensure compliance with these rules. For example, NACHA requires TSPs performing ACH processing functions on behalf of an ODFI or RDFI to conduct an annual compliance audit covering the requirements of their rules. The financial institution should review and assess all audits of its service provider's internal controls. NACHA rules also require the ODFI to have contractual agreements with third-party senders specifying that the third-party sender is in compliance with NACHA rules and applicable laws and regulations. NACHA rules further require the ODFI to have an agreement with a TSP that has direct access to an ACH operator. NACHA specifies that the agreement sets out the rights and responsibilities of all parties, including:
- A requirement that the third-party service provider obtain the prior approval of the ODFI before originating ACH transactions for originators under the ODFI routing number. ODFI approval of each originator should be contingent upon the creditworthiness of the originator and the execution of an originator and ODFI agreement.
- ODFI dollar limits for files that a TSP deposits with the ACH operator. The service provider should notify the ODFI of any file exceeding established dollar limits before depositing the file at the ACH operator so that the ODFI can either approve it as an exception or hold it until the next business day.
- A provision that restricts the TSP's ability to initiate corrections to files already transmitted to the ACH operator. The ODFI should restrict correction capability. If the TSP has the ability to make file corrections, the ODFI should authorize and approve any changes to the file totals before the ACH operator releases the file for processing. The ACH operator usually requires an authorization from the ODFI before processing a file. Failure to receive ODFI authorization will result in the ACH operator deleting the file, giving the ODFI control over its exposure from files originated or subsequently changed by a TSP.
- A requirement that a third-party sender who enters into an agreement with an ODFI establish the identity of each originator using commercially reasonable methods, warrant that the originators will assume their responsibilities under NACHA rules, and warrant that it will assume the liabilities of the ODFI (Automated Clearing House Rules: Article 2.1.1, Article 5.2, and Article 5.3). The lack of a direct relationship between the ODFI and the originator poses a risk to the ODFI. The ODFI should conduct proper due diligence, establish exposure limits, and employ other monitoring procedures to ensure that the business practices of the third-party sender and its merchant clients do not create an undue risk to the ODFI. The ODFI should be able to substantiate that the third-party sender has sufficient creditworthiness to back the warranties it makes relative to the risk, nature, and volume of ACH transactions; the underlying originators; and the exposure duration.
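As an added illustration of the file-level controls described in the bullets above (this is example code written for this page, not from the handbook or any NACHA reference implementation), the following Python models an ODFI release gate: it totals the entry detail records of a NACHA-format file, holds files that exceed the ODFI dollar limit unless the ODFI has approved an exception, and refuses to release a file whose totals no longer match what the ODFI authorized. Routing numbers, trace numbers and amounts are constructed placeholders.

```python
from typing import Iterable, Optional, Tuple

Totals = Tuple[int, int]  # (total debits, total credits) in cents

def is_debit(tran_code: str) -> bool:
    """NACHA transaction codes ending in 6-9 debit the receiver; 1-4 credit the receiver."""
    return tran_code[1] in "6789"

def file_totals(lines: Iterable[str]) -> Totals:
    """Sum the entry detail ('6') records of a 94-column NACHA-format file.
    Standard layout: transaction code in columns 2-3, amount (cents) in columns 30-39."""
    debits = credits = 0
    for line in lines:
        if len(line) != 94 or line[0] != "6":
            continue  # header, batch/file control and addenda records carry no entry amount
        amount = int(line[29:39])
        if is_debit(line[1:3]):
            debits += amount
        else:
            credits += amount
    return debits, credits

def release_decision(lines, limit_cents: int, odfi_approved: Optional[Totals],
                     exception_approved: bool = False) -> str:
    """Apply the ODFI's release controls before a TSP deposits the file with the operator.
    odfi_approved: the (debits, credits) totals the ODFI authorized, or None if none given."""
    totals = file_totals(lines)
    if odfi_approved is None:
        return "DELETE"       # no ODFI authorization: the operator deletes the file
    if totals != odfi_approved:
        return "REAUTHORIZE"  # totals changed after approval (a TSP correction): ODFI must re-approve
    if max(totals) > limit_cents and not exception_approved:
        return "HOLD"         # over the ODFI dollar limit: ODFI approves an exception or holds the file
    return "RELEASE"

def entry(tran_code: str, rdfi: str, account: str, cents: int, name: str, trace: str) -> str:
    """Build a constructed 94-column entry detail record (sample data, not a real transaction)."""
    rec = ("6" + tran_code + rdfi + account.ljust(17) + f"{cents:010d}"
           + "INV0001".ljust(15) + name.ljust(22) + "  " + "0" + trace)
    if len(rec) != 94:
        raise ValueError("entry detail record must be exactly 94 columns")
    return rec

# Constructed sample file: one $250,000.00 debit and one $12,500.00 credit (placeholder RDFI/trace).
SAMPLE_FILE = [
    entry("27", "012345678", "000111222", 25_000_000, "PAYROLL FUNDING LLC", "012345670000001"),
    entry("22", "012345678", "000333444", 1_250_000, "ACME SUPPLY INC", "012345670000002"),
]
```

In practice the ODFI-approved totals would be recorded at approval time and compared against the file as actually received by the operator, so a correction applied after sign-off cannot be released on the original authorization.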
NACHA also requires participating financial institutions to conduct annual audits of their ACH operations to assess compliance with NACHA rules. These audits can provide examiners with insights into the quality of ACH operations.
Risk Considerations for Business Banking EFT Payments
Financial institutions that offer corporate customers access to Web-based business banking applications to facilitate the direct origination of payments (e.g., ACH credits/debits, wire transfers, etc.) create special risk considerations for the financial institution and its corporate customers. These applications offer corporate customers an efficient way to conduct treasury management activities such as invoice payments and funds transfers. However, these features also increase the speed with which errors and fraud can expose businesses or the bank to loss, and the applications can be the target of malicious software designed to circumvent online authentication methods and obtain credentials that can be used to initiate fraudulent payments.
Ongoing education of corporate customers remains one of the best ways financial institutions can mitigate the risks associated with online business banking applications. This is especially the case for some small businesses and community-based corporate entities (e.g., churches, schools, etc.) where awareness of payments fraud techniques may be limited and the impact of a fraud can be significant. In addition to providing a secure environment for corporate payments (e.g., strong encryption, transaction risk profiling, etc.), financial institutions can help mitigate corporate payments risk by ensuring their corporate customers understand the importance of good business practices such as payment origination dual controls, daily account reconciliation, and other measures to protect the integrity of the corporate customers' computer systems (e.g., virus protection, operating system upgrades, etc.).