ACH Risk Assessment Requirements

The ACH Risk Assessment
“Covering your Assets”
John M. Curtis, AAP/NCP
Vice President
Head of Education and Training
Western Payments Alliance
© 2008 Western Payments Alliance. All rights reserved. No reproduction or distribution in any manner without prior written consent.
About WesPay

Regional Payments Association providing:
- Education
- Risk Management and Audit Services
- Advocacy
- Support for:
  - Banks
  - Credit Unions
  - Corporates
  - Anyone using Electronic Payments
- Any AAP in the WesPay service territory is automatically a member, even if your employer is not a member.
- Have a Question? Call us! 415-433-1230
Food for Thought
- Every FI has a different vision and version
- No true guidance on what is to be included; it may vary by regulator
- Better to err toward diligence
- Goal: cover as many areas as possible and prod you to think of at least a few items to revisit on your Risk Assessment
The Rule
- Became effective June 18th, 2010
- The Rules require all Participating DFIs to conduct a risk assessment of their ACH activities, and to implement risk management programs based on the results of such assessments, in accordance with the requirements of their regulators [1]

[1] 2011 NACHA Operating Rules & Guidelines, p. OG 21
What not to do
- Taking the easy way out can lead to problems

Not-So-Cautious Savings and Distrust: ACH Risk Assessment
- Do you offer ACH Origination Services? Yes – It's Risky!
- Do you offer Credit Lines for ACH? Yes – It's Risky!
- Do you have ACH Third Party Senders? Yes – They're Risky!
A More Complete Approach
Greater Diligent Bank of Prudence: ACH Risk Assessment

Risk Category: Credit, Over Limit Files
Inherent Risk Grade: 4

Risk: Limits are set to protect the customer and the FI. Files exceeding limits could be fraud and expose the FI/customer to loss. Files exceeding limits may not be processed same day. Risks include:
- Fraudulent items
- Client may miss payroll

Procedures, Monitoring and Oversight Controls: The ACH system automatically suspends files and sends an email to ACH Operations personnel and the Credit Department. The Credit Department conducts a review of the customer credit line and considers available balances in cash accounts.

Residual Risk Grade: 2
Has your Business Changed?
- "I'm only an RDFI"
- Really? Consider:
  - Payroll
  - Bill Pay
  - P2P Transfers
  - Internal Book Transfers
  - Mortgage Payments
  - Auto Loan Direct Debit
Stakeholders
- Include everyone from the start:
  - ACH Operations
  - Audit
  - Credit
  - Compliance
  - Fraud / Investigations
  - Systems and Technology
  - Legal
  - Risk Management
  - Treasury Management
  - Customer Service
  - Implementation / Fulfillment
  - Product
  - Sales
Credit Risk
• Consider all Credit Departments
  – Small business
  – Large corporate
  – Others: Leasing, Agriculture, Church Lending
• Single unit or dedicated credit staff who understand ACH risk
• Document your exposure limit determination process
  – Unsecured lines of credit, prefunding, collateral
  – How do you effect settlement?
• Balanced files = Double Exposure (the offsetting debit to the Originator's account can be returned just like the credits it funds)
External Participants
• Originator
• ODFI
• ACH Operator
• RDFI
• Receiver
• Third Party Providers / Senders

• Have you identified these?
• Regulators are looking very closely at 3rd Party relationships
Policies and Procedures
- Easily accessible and in one place
  - Make life easy for yourself and regulators
  - Demonstrate you have knowledge and are serious
- Frequency of updates
- Are they followed? The evidence is in your audits
- Formal Risk Management Program for ACH
  - You can refer back to Policies and Procedures
  - Present to the Board of Directors

Category: Credit
Sub Category: Credit Risk Monitoring
Risk: Bank must conduct monitoring to ensure the customer remains creditworthy and has the ability to fund ACH Credits and Returned ACH Debits. Failure to do so may result in potential loss situations.
Procedures, Controls and Oversight: Credit Facilities greater than $100,000 must be re-underwritten and approved annually, or based on the loan review terms if different. Refer to Policy #001.C.ACH
Credit Risk
- Client credit health monitoring
  - Document periodic reviews: frequency, based on amount, risk rating
  - Client downgrading policy and procedures
  - Insolvency procedures (reversals are not allowed)
  - Expired/downgraded lines of credit or over-limit communication process
Credit Risk
• Internal Controls
  – Periodic variances in customer volumes/amounts
  – Approval process for over-limit files
  – After-hours approval process
  – Relationship manager notification and client communication
• External Controls
  – After-hours contacts for clients
Compliance Risk
- ACH Rules vs. other regulations
- Non-compliance = opportunities for loss
- Determine which regulations apply: whichever better protects the consumer
- Review all applicable regulations:
  - FDIC
  - OCC
  - FinCEN
  - FFIEC
  - Reg. E
  - BSA/AML
  - Basel II
  - Reg. GG
- Note: FFIEC Exam Guidelines are a good place to start
Compliance Risk
- OCC Bulletin 2005-35 / FFIEC Supplement
  - Corporate Account Takeover
  - Was: Multi-Factor Authentication; Now: Out of Band
- Identify and assess the risk associated with Internet-based products and services
- Measure and evaluate customer awareness efforts
  - Document customer education
- Adjust, as appropriate, the information security program with changes in technology
- Implement appropriate risk mitigation strategies
Compliance Risk
- Continuing education for all business lines
  - Document the information flow of education for new ACH Rules
  - Who informs each area of the organization?
  - What is the process?
  - Sign-off by Product, Operations and Sales obtained by Audit for all touch-points
- Customer education
  - Process / channel
High Risk Activities
• Document high risk clients
  – What are the qualifications?
  – High $/high volume
  – Visibility
  – Reputation risk
  – Gaming
  – Adult content
  – Payday lending

Who is High Risk?
• Clients that deviate from standard product offerings or design, standard legal documentation, or standard operational and/or servicing processes
• Educate Sales on the High Risk Policy, and document it!
High Risk Activities
• Monitor client business model and changes
  – KYC
  – Permit specific SEC codes; include this in the Originator Agreement
  – Velocity monitoring
  – Who polices IAT eligibility?
• Educate your clients, sales and operations teams
  – Do they understand when to send an IAT?
• Returns monitoring
  – Should be monitored across all payment delivery channels
Revenue Risk
 Putting your eggs in one basket
 Effect if largest client exits
 Billing
- Leakage
- Over-Billing
- Controls to ensure billing accuracy
Systems and Controls
What are your information protection policies within "Critical Areas?"
- Electronic device storage policy (smart phones, mp3 players, cameras)
- USB storage devices/download restrictions
- Physical security
- Protection/destruction of confidential paper documents
- Enforce rules for visitors/clients/senior managers; applies from top > down
- Standardize policies for your internal business partners both upstream/downstream from you
- Don't be the weakest link!
Systems and Controls
- Document exception processing SLAs, performance against them, and root causes
- Contingency options when a file is missed?
  - Consider scripting/training to present the client with appropriate options
- Invalid format policies
  - Repair and go, or suspend and notify?
  - Ensure access rights don't supersede policy
Information Technology Risk
- IT Risk Assessment
  - Scope must include all support functions, including stand-alone PCs or "home-grown" tools
- Establish access rights using security profiles and separation of duties, limited to the minimum required for business purposes
- Ensure developers understand your institution's policies and standards before they build
Information Technology Risk
 Documented change management process.
- Includes who/what/when/why/where of code installs
- Approvals from key stakeholders
 Contingency
- Regular hardware/software testing
- Business resumption plan (People)
 Working from home contingency plan?
Information Technology Risk
 Assess current technologies
 Reduce or eliminate manual processes
- Humans make mistakes
- Reduce waste and costs, enhance the customer experience
Direct Access Risk
- All ODFIs must register their status on www.nacha.org whether they have Direct Access clients or not
- Quarterly reporting of participant contact info, volumes and return rates is required if participating
- If unauthorized returns > 1%, additional information is required, including the date and proof of a recent audit according to Appendix 8 of the Rules
- Documented approval process by the board of directors or designee (Appendix 8 of the Rules)
- Bottom line: additional due diligence required!!
Direct Access Risk
- Agreement with client should include:
  - Establish dollar limits with the Operator and stipulate with the client that they are required to obtain the FI's approval BEFORE transmission of a file exceeding them to the ACH Operator
  - Limits to allowable SEC codes
  - Provisions for immediate termination
  - Right to audit
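Several slides describe the same automated control from different angles: the over-limit file that the ACH system suspends and routes to Operations and Credit, the SEC codes an Originator agreement permits, the "suspend and notify" invalid-format policy, and the 1% unauthorized return rate that triggers Direct Access reporting. The following Python is an added example written for this page, not WesPay's code or any vendor's ACH system. It parses the NACHA fixed-width 94-character batch header and entry detail records, applies a per-Originator exposure limit and SEC allow-list, and computes an unauthorized return rate. The Originator profiles, limits, company IDs and file contents are constructed for illustration; counting both credit and debit legs toward exposure is an assumed policy choice reflecting the "balanced files = double exposure" point above.

```python
"""Pre-transmission screening of an ACH origination file (added example).

Records follow the NACHA fixed-width 94-character layout: batch header
('5') carries Company Identification in positions 41-50 and the SEC code
in 51-53; entry detail ('6') carries the transaction code in 2-3 and the
amount, in cents, in 30-39. Everything else here is constructed.
"""
from dataclasses import dataclass, field

# Return reason codes counted as unauthorized for the Direct Access
# threshold (R05, R07, R10, R29, R51); the threshold is 1%.
UNAUTHORIZED_RETURN_CODES = {"R05", "R07", "R10", "R29", "R51"}
UNAUTHORIZED_RETURN_THRESHOLD = 0.01
RECORD_LEN = 94

# Constructed Originator profiles keyed by Company Identification: the
# exposure limit in cents and the SEC codes the Originator agreement permits.
ORIGINATORS = {
    "1123456789": {"name": "ACME PAYROLL", "limit_cents": 50_000_00, "sec": {"PPD", "CCD"}},
    "1987654321": {"name": "WEB RETAIL", "limit_cents": 10_000_00, "sec": {"WEB"}},
}


@dataclass
class ScreenResult:
    suspended: bool = False
    reasons: list = field(default_factory=list)
    exposure_cents: dict = field(default_factory=dict)   # company id -> cents


def screen_file(records: list[str]) -> ScreenResult:
    """Suspend-and-notify policy: any violation suspends the whole file."""
    res = ScreenResult()
    company = None
    for n, r in enumerate(records, 1):
        if len(r) != RECORD_LEN:                     # invalid format: suspend, do not repair
            res.reasons.append(f"record {n}: invalid length {len(r)} (expected {RECORD_LEN})")
            continue
        kind = r[0]
        if kind == "5":                              # batch header
            company, sec = r[40:50], r[50:53]
            prof = ORIGINATORS.get(company)
            if prof is None:
                res.reasons.append(f"record {n}: unknown Originator {company}")
            elif sec not in prof["sec"]:
                res.reasons.append(f"record {n}: SEC code {sec} not permitted for {prof['name']}")
        elif kind == "6" and company:                # entry detail; 1/8/9 records are ignored
            amt = int(r[29:39])
            # Assumed policy: credits the ODFI funds and debits that may be
            # returned both count toward the Originator's exposure.
            res.exposure_cents[company] = res.exposure_cents.get(company, 0) + amt
    for cid, cents in res.exposure_cents.items():
        prof = ORIGINATORS.get(cid)
        if prof and cents > prof["limit_cents"]:
            res.reasons.append(f"{prof['name']}: exposure ${cents / 100:,.2f} "
                               f"exceeds limit ${prof['limit_cents'] / 100:,.2f}")
    res.suspended = bool(res.reasons)
    return res


def unauthorized_return_rate(debits_originated: int, return_codes) -> float:
    """Share of originated debit entries that came back with an unauthorized code."""
    if debits_originated == 0:
        return 0.0
    unauth = sum(1 for c in return_codes if c in UNAUTHORIZED_RETURN_CODES)
    return unauth / debits_originated


# Constructed sample records; the helpers keep the fixed-width columns aligned.
def batch_header(company_id, name, sec, desc, batch_no):
    return ("5200" + name.ljust(16) + " " * 20 + company_id + sec + desc.ljust(10)
            + " " * 6 + "101015" + " " * 3 + "1" + "09100001" + f"{batch_no:07d}")


def entry(tx, amount_cents, name, seq):
    return ("6" + tx + "09100001" + "9" + "123456789".ljust(17) + f"{amount_cents:010d}"
            + f"EMP{seq:03d}".ljust(15) + name.ljust(22) + "  " + "0" + f"09100001{seq:07d}")


FILE_OK = [
    batch_header("1123456789", "ACME PAYROLL", "PPD", "PAYROLL", 1),
    entry("22", 150_000, "JANE DOE", 1),      # $1,500.00 checking credit
    entry("27", 25_000, "JOHN ROE", 2),       # $250.00 checking debit
]
FILE_BAD = [
    batch_header("1987654321", "WEB RETAIL", "TEL", "PURCHASE", 1),   # TEL not permitted
    entry("27", 1_200_000, "PAT SMITH", 1),                            # $12,000 > $10,000 limit
]

if __name__ == "__main__":
    for label, f in (("ok", FILE_OK), ("bad", FILE_BAD)):
        r = screen_file(f)
        print(label, "SUSPENDED" if r.suspended else "released", r.reasons)
    rate = unauthorized_return_rate(2000, ["R01"] * 40 + ["R10"] * 25)
    print(f"unauthorized return rate {rate:.2%}, reportable: {rate > UNAUTHORIZED_RETURN_THRESHOLD}")
```

A real system would feed the suspended file's reasons into the notification to ACH Operations and Credit rather than printing them, and would source the limits from the credit system so that a downgraded or expired line is reflected before the next file arrives.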
Going Forward…
- Engage your Info Security, Risk and Compliance teams in the early phases of the development process
- Build a governance process for reviewing the impact of new products and rules with end-to-end teams
- Share best practices/lessons learned to help make the ACH network more secure
References
- ACH Risk Assessment Workbook: contact your Regional Payments Association
- OCC Bulletin 2006-39: ACH Risk Activities, www.occ.treas.gov/ftp/bulletin/2006-39.pdf
- OCC Bulletin 2001-47: Third-Party Relationships: Risk Management Principles
- FFIEC BSA/AML Examination Manual, 2007, pages 199 through 205, www.ffiec.gov/bsa_aml_infobase/documents/BSA_AML_Man_2007.pdf
- OCC Bulletin 2008-12: Payment Processors, www.occ.treas.gov/ftp/bulletin/2008-12.html
- FDIC Financial Institution Letter FIL-127-2008: Payment Processor Relationships, www.fdic.gov/news/news/financial/2008/fil08127.html
- FDIC Financial Institution Letter FIL-44-2008: Guidance for Managing Third-Party Risk
- FFIEC Guidance on Risk Management of Remote Deposit Capture, www.ffiec.gov/pdf/pr011409_rdc_guidance.pdf
Thank You
Questions?