Rules Compliance

Risk Management and Assessment

Risk management is every financial institution’s responsibility. There are three key types of risk affecting ACH payment processing that you should be aware of:
  • Credit Risk: the risk that a party to a transaction cannot provide funds for settlement
  • Operational Risk: the risk of loss due to unintentional error
  • Fraud Risk: the risk that a transaction may be initiated or altered in an intentional effort to misdirect or misappropriate funds
The ACH Rules require all financial institutions to perform a risk assessment of their ACH activities and to implement risk management programs based on the assessment, in accordance with the requirements of their regulator(s).

ACH Credit Risk

While credit risk is generally associated with ACH origination activities, RDFIs are also exposed to credit risk when they:
  • Post a credit entry prior to the Settlement Date (making funds available to the Receiver before the RDFI has actually received them), or
  • Do not return a debit entry in a timely manner (once the return deadline passes, the RDFI may be unable to recover the funds)

Controlling Credit Risk

Credit risk is generally controlled by developing and implementing processing procedures, understanding compliance obligations, and ensuring that ACH operations staff are properly trained.

ACH Operational Risk

Operational risk is the risk of loss from unintentional errors, which may result from hardware/software failures or from clerical errors such as untimely returns or the incorrect use of return reason codes. Any disruption in ACH processing can jeopardize the accurate and timely processing of ACH entries.

Controlling ACH Operational Risk

The evaluation of ACH operational risk and the determination of procedures to control those risks should include participation of auditors and outside professionals to ensure objectivity. Operational risk may be managed through automated security methods, as well as controlled operational procedures, which include cross-training of staff, dual controls and a contingency plan.

ACH Fraud Risk

Fraud risk represents risk that a transaction may be initiated or altered in an intentional effort to misdirect or misappropriate funds. Risks related to fraud are affected by internal as well as external factors. Fraudulent activities may be the work of dishonest employees, third-party processing personnel, originating company personnel or other outside parties.

Controlling ACH Fraud Risk

While the controls for ACH operational and credit risk also help to deter fraud, additional controls should cover specific personnel practices and security.
The following practices and procedures contribute to fraud risk management:
  • Limit use of temporary employees
  • Screen potential full-time employees
  • Segregate duties
  • Change or rotate work assignments
  • Mandate physical and logical access controls (e.g., individual user credentials that are never shared, physical locks, etc.)

ACH Audit

Refer to the Operating Guidelines of the ACH Rules for detailed information on the ACH Audit.
All ACH participating financial institutions and Third-Party Service Providers must conduct an audit of ACH Rules compliance annually, by December 31, in accordance with the ACH Rules. This includes both ODFIs and RDFIs and their Third-Party Service Providers (Third-Party Sender, Sending/Receiving Point).
The audit may be performed externally or internally under the direction of an audit committee, audit manager or senior level officer of the participating Depository Financial Institution or the Third-Party Service Provider.

Data Security Requirements

The ACH Rules establish data security requirements for all ACH transactions, regardless of Standard Entry Class (SEC) code, transmitted or exchanged via an Unsecured Electronic Network (UEN). An example of a UEN is the Internet.
Any banking information, which includes but is not limited to an entry, entry data, a routing number, an account number, a PIN or other identification symbol, that is transmitted or exchanged via a UEN must be either:
  1. Encrypted, or
  2. Transmitted via a secure session (for example, a TLS-protected connection)
In either case, the encryption or secure session must use commercially reasonable security that complies with applicable regulatory requirements.
Third-Party Service Providers and Third-Party Senders (TPS) must also have policies, procedures and systems in place designed to protect banking information from being breached. Such policies, procedures and systems must ensure that banking information is secured throughout the ACH payment cycle, including the initiation, processing and storage of entries until their destruction.