Automated Clearinghouse Risk Management Policy and Procedures

Note: We have included examples of issuances from the federal banking agencies on automated clearinghouse (ACH) activity risk management guidance (see Appendix A). You should refer to that guidance and details from the National Automated Clearing House Association (NACHA). Although the NACHA Operating Rules require depository financial institutions to conduct a risk assessment and implement a risk management program, they do not address the scope or timing of this requirement. Rather, they suggest you follow your federal regulator's requirements and implement a risk management program that reflects the nature and complexity of your products and services. Some of the due diligence and risk assessment procedures can also be found in our Automated Clearinghouse Policy and Procedures for Originating and Receiving Depository Financial Institutions (ODFIs and RDFIs). You should also consider existing risk assessment/management policies you may have in place, such as Information Security Standards, Remote Deposit Capture, and Business Continuity Programs. Based on your institution's practices and products, you should enhance or amend this sample accordingly. Furthermore, as an ACH network participant, you should refer to the NACHA website (http://www.nacha.org/c/riskTools.cfm) for additional education and risk management tools, including manuals and checklists specific to ACH risk management.

STATEMENT OF POLICY

It is the policy of [insert the name of your bank] to manage the risks associated with ACH transactions and daylight overdrafts. We will comply with risk management and assessment rules issued by NACHA and our federal regulator and interagency requirements for assessing risk of ACH activities. The [insert position name, i.e., senior loan officer] is the person responsible for managing these risks.
ACH risk includes but is not limited to:

• Credit risk
• Transaction risk
• Compliance risk

BORROWING AND NON-BORROWING ACH CUSTOMERS

The board of directors recognizes that both borrowing and non-borrowing customers will have needs for ACH services. When the customer is a borrowing customer, the customer's ACH needs will be a component considered during normal loan approval processing. When the customer is a non-borrower, the customer relationship will still be assigned to a commercial loan officer and the procedures outlined below will be followed. This will necessitate the establishment of a commercial credit file for the non-borrowing customer.

ACH TRANSACTION APPROVAL PROCEDURES

Following are general explanations of credit risk to the bank when originating ACH debit and credit transactions:

• Debit Transactions. Originating ACH debit transactions can result in exposure to our bank because debits may be returned by receiving banks. That is, ACH debit items can be returned to the bank in the same manner as checks returned for insufficient funds, closed accounts, and the like. When a customer that represents exposure risk due to ACH debit transactions is identified, that customer will be assigned to a commercial loan officer if he or she is not already assigned. The loan officer will discuss the risks with the customer, then prepare an analysis memo asking for an internal guidance line from the senior loan officer. When a customer's ACH activities represent both a debit risk and a credit risk, different internal guidance limits will be established for debit risk and credit risk, and both will be based on (1) coverage needed for the customer's normal business operating procedures, and (2) an analysis that shows that the risks to the bank are acceptable.

• Credit Transactions.
Originating ACH credit transactions can put the bank at risk because ACH transactions can be originated one or two days prior to their settlement dates (the settlement date is the day the bank must provide settlement to the ACH Operator). If settlement with the customer does not take place before the ACH transactions are sent to the ACH Operator, there is inter-day exposure to the bank in ACH credit transactions. Because of this credit risk, the senior loan officer will assign a commercial loan officer to each ACH customer. These loan officers will underwrite ACH customers and transactions in compliance with the risk management requirements of the NACHA Operating Rules using the following procedures:

• An ACH file limit will be established for each ACH application authorized for an ACH customer. These limits will be established through discussions with ACH customers and will be based on the maximum dollar amount of transactions likely to be outstanding during any settlement period.

• For each customer the loan officer will calculate a total ACH exposure. This exposure is the sum of the exposures for all of that customer's ACH activities. Exposure is based on the maximum dollar amount of transactions likely to be outstanding during any settlement period.

  Application                Exposure
  Direct Deposit Payroll     One times the daily file limit
  All other applications     Three times the daily file limit

• After the exposure has been quantified, the loan officer will evaluate the risk associated with this customer by considering such things as: (1) the character and reputation of the business, owner, or manager; (2) the type of business or organization involved; (3) the types of payments and/or deposits that will be involved, their funding and their timing; (4) whether the risk is debit, credit, or both; (5) the history of the customer's relationship with the bank; (6) appropriate credit reports (D&B, credit bureau, etc.); and (7) customer financial statements.
• After this analysis is complete, the loan officer will ask the senior loan officer for authority to routinely approve all ACH transactions up to specified limits. Requests for approvals will normally be in the form of a memo addressing the above topics and should be accompanied by copies of the firm's financial statements.

• The senior loan officer will establish a preapproved, uncommitted internal guidance ceiling for each ACH customer. Thereafter, it will be the responsibility of the assigned loan officer to administer the account.

• Some businesses will be seasonal and will require temporary increases in limits during peak season activities. This should be considered at the time of initial approval.

• The loan officer will conduct at least an annual review of exposure limits.

WHEN FILES EXCEED EXPOSURE LIMITS

From time to time ACH files will exceed the bank's exposure limits. When this happens, file processing will be suspended and will not proceed until approval has been obtained. The ACH processing department will start calling people on its approval list. When a person with sufficient approval authority is found, approval (or denial) can occur over the phone. This approval/denial should be immediately confirmed by an e-mail to the ACH processing department. At the department this e-mail will be printed and kept on file for 12 months.

APPLICABILITY OF LEGAL LENDING LIMITS

ACH limits should not be included in the customer's loan totals when calculating legal lending limits.

DAYLIGHT OVERDRAFT UNDERWRITING PROCEDURES

Daylight overdrafts are credits extended to customers when the amount of outgoing wire transfers in a given day exceeds the net ledger balance in a customer's demand deposit account (DDA) (the net ledger balance is the customer's ledger DDA balance less holds). Daylight overdrafts are the result of either timing differences or operational difficulties and are normally settled before the end of the day.
The following are underwriting procedures that must be followed to establish daylight overdraft internal guidance lines:

• Through discussions with wire transfer personnel, the senior loan officer will determine the names of bank customers who routinely wire transfer funds in amounts that create significant daylight overdraft exposure for the bank. Each of these customers will be assigned to a loan officer.

• This loan officer will conduct a credit review to determine creditworthiness and an upper limit of allowed bank exposure. The results of the review will be presented to the senior loan officer and will normally be accompanied by financial statements on the customer.

• For each customer the senior loan officer will establish a preapproved daylight overdraft internal guidance line that will be administered by the loan officer. The internal guidance line will expire after one year, and loan officer underwriting must precede internal guidance line renewal.

• Names of customers, loan officers, limits, and expiration dates will be given to wire transfer personnel. Wire transfers that conform to this listing will be routinely processed by wire transfer personnel. All other wire transfers must be approved by the responsible loan officer; otherwise the wire transfer cannot be initiated.

• As a general rule, the decision to grant customers permission to do daylight overdrafts will be based on the same underwriting standards used to grant loans, and approval authorities will be based on established loan authorities. By bank policy, daylight overdrafts are permitted only to borrowers graded "C" or better by the bank's loan grading system.

HIGHER RISK ACTIVITIES

There are originators that can present increased risk to our bank. If management chooses to accept certain higher risk businesses as originators of ACH transactions, then the board directs them to implement an increased level of monitoring and control over these originators' transactions.
Our internal control systems should have increased review of unauthorized returns (a return rate higher than 2 percent should be investigated and documented) and of variances from established parameters such as volume and correct use of codes. Furthermore, although an originator may not be considered high risk, it may use higher-risk transactions such as those initiated over the Internet, a wireless network, or by telephone. For those transactions we are required by the NACHA Operating Rules to have a commercially reasonable fraudulent transaction detection system to screen each entry. Some examples of originators that may engage in a business that is considered higher risk are:

• Online payment processors
• Credit repair services
• Mail and telephone order companies
• Online gambling
• Businesses located outside the United States
• Adult entertainment

There is one type of business that represents more than a normal amount of risk, referred to as a third-party sender. For example, a third-party sender could be a bank customer, such as a certified public accountant (CPA) firm, that specializes in doing payrolls for other businesses. If the CPA firm is doing 50 payrolls for 50 different businesses, there is a potential risk of a domino effect. That is, each of the 50 firms represents ACH credit risk, and each has to be analyzed for creditworthiness either by the bank or by the CPA firm. Under these circumstances it may be necessary that the CPA firm post a bond or collateralize a line of credit with a certificate of deposit or other marketable securities.
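The exposure table in the transaction approval procedures and the unauthorized-return threshold above both reduce to controls the ACH processing department can run mechanically as files are processed. The following is an added example, not part of this policy or any bank's or NACHA's software, of what such a screen might look like: it computes exposure per application using the policy's multipliers, sums each originator's debits and credits in a file against separate debit and credit internal guidance lines (suspending the file where a line is exceeded or no line is on record), and flags an unauthorized return rate above 2 percent. The originator names, guidance lines, and entries are constructed sample data; amounts are in cents.

```python
"""Added example: ACH exposure calculation, file-limit screening and
unauthorized-return-rate monitoring. Multipliers and the 2 percent threshold
come from the policy text; all originators, lines and entries are constructed."""
from collections import defaultdict
from dataclasses import dataclass

# Exposure multipliers from the policy's table (per settlement period).
EXPOSURE_MULTIPLIER = {"direct_deposit_payroll": 1, "other": 3}
UNAUTHORIZED_RETURN_THRESHOLD = 0.02  # policy: investigate above 2 percent


def exposure(application, daily_file_limit):
    """Exposure for one application = multiplier x daily file limit."""
    return EXPOSURE_MULTIPLIER[application] * daily_file_limit


def total_exposure(applications):
    """Total ACH exposure for a customer: the sum over all of its
    applications, given as (application, daily_file_limit) pairs."""
    return sum(exposure(app, limit) for app, limit in applications)


@dataclass(frozen=True)
class Entry:
    originator: str
    kind: str    # "debit" or "credit"
    amount: int  # cents


def screen_file(entries, guidance_lines):
    """Sum each originator's debits and credits in the file and compare them
    to that originator's separate debit and credit guidance lines.
    Returns the set of originators whose processing must be suspended
    pending approval (line exceeded, or no approved line on record)."""
    totals = defaultdict(lambda: {"debit": 0, "credit": 0})
    for e in entries:
        if e.kind not in ("debit", "credit"):
            raise ValueError(f"unknown entry kind {e.kind!r}")
        totals[e.originator][e.kind] += e.amount
    suspended = set()
    for originator, sums in totals.items():
        lines = guidance_lines.get(originator)
        if lines is None:  # no internal guidance line established: suspend
            suspended.add(originator)
            continue
        for kind in ("debit", "credit"):
            if sums[kind] > lines.get(kind, 0):
                suspended.add(originator)
    return suspended


def unauthorized_return_rate(unauthorized_returns, total_entries):
    """Unauthorized returns as a fraction of entries originated; 0 for an
    originator with no activity so the division cannot fail."""
    if total_entries == 0:
        return 0.0
    return unauthorized_returns / total_entries


def needs_investigation(unauthorized_returns, total_entries):
    """True when the policy's 2 percent threshold is exceeded."""
    rate = unauthorized_return_rate(unauthorized_returns, total_entries)
    return rate > UNAUTHORIZED_RETURN_THRESHOLD


# Constructed sample data (hypothetical originators and lines).
SAMPLE_LINES = {
    "Acme Payroll": {"debit": 0, "credit": 50_000_00},
    "Widget Co": {"debit": 20_000_00, "credit": 5_000_00},
}
SAMPLE_ENTRIES = [
    Entry("Acme Payroll", "credit", 30_000_00),
    Entry("Acme Payroll", "credit", 15_000_00),
    Entry("Widget Co", "debit", 21_000_00),   # exceeds the debit line
    Entry("Widget Co", "credit", 1_000_00),
    Entry("Unknown LLC", "credit", 100_00),   # no guidance line on file
]

if __name__ == "__main__":
    print("exposure, payroll $100,000 limit:", exposure("direct_deposit_payroll", 100_000))
    print("suspend pending approval:", sorted(screen_file(SAMPLE_ENTRIES, SAMPLE_LINES)))
    print("3 unauthorized of 100 needs investigation:", needs_investigation(3, 100))
```

The screen deliberately treats an originator with no recorded guidance line the same as one that exceeds its line, matching the policy that processing does not proceed until approval has been obtained; the approval itself remains the manual phone-and-e-mail procedure described under "When Files Exceed Exposure Limits".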
UNLAWFUL INTERNET GAMBLING

Non-Exempt ACH Participants

All participants in the ACH Network are exempt from the regulation's requirement to establish such written policies and procedures, except for:

• The Originating Depository Financial Institution ("ODFI") of a domestic ACH debit;
• The Receiving Depository Financial Institution ("RDFI") of a domestic ACH credit;
• The receiving gateway operator that receives instructions from a non-U.S. sender for an ACH debit; and
• Certain third party processors.

A non-exempt third party processor is:

• A service provider that has a direct relationship with the commercial customer to initiate a domestic ACH debit;
• A service provider that has a direct relationship with the commercial customer to receive the proceeds of a domestic ACH credit on behalf of the last depository institution to handle the ACH credit; and
• The first service provider in the U.S. to receive the debit instructions initiated by a foreign sender.

In all cases, the non-exempt participant is a commercial customer's financial institution or processor, and not an individual consumer's (gambler's) financial institution.

As a non-exempt participant, we will establish and implement written policies and procedures reasonably designed to identify and block or otherwise prevent or prohibit unlawful Internet gambling transactions. Below are the minimum procedures that the regulation suggests would constitute compliance. The board directs management to implement these procedures and any others that are necessary to ensure we are in compliance with the rule with respect to ACH transactions.

In general, we will implement the following procedures when accepting a commercial account for an ACH service:

We will make a determination regarding the risk the commercial customer presents of engaging in an Internet gambling business.
If we determine that the commercial customer presents a minimal risk of engaging in an Internet gambling business, we need not take any further action. However, we will continue to conduct ongoing due diligence from time to time.

If we cannot determine that the commercial customer presents a minimal risk of engaging in an Internet gambling business, we will obtain the following documentation:

• Certification from the commercial customer that it does not engage in an Internet gambling business; or
• If the commercial customer does engage in an Internet gambling business, each of the following:
  — Evidence of legal authority to engage in the Internet gambling business, such as:
    – A copy of the commercial customer's license that expressly authorizes the customer to engage in the Internet gambling business, issued by the appropriate state or tribal authority, or, if the commercial customer does not have such a license, a reasoned legal opinion that demonstrates that the commercial customer's Internet gambling business does not involve restricted transactions
    – A written commitment by the commercial customer to notify the participant of any changes in its legal authority to engage in its Internet gambling business

We may also accept a third-party certification that the commercial customer's systems for engaging in the Internet gambling business are reasonably designed to ensure that the commercial customer's Internet gambling business will remain within the licensed or otherwise lawful limits, including with respect to age and location verification.

We may rely on information gathered by the commercial relationship account officer when the account was first opened, if they followed similar account opening procedures to those listed here.
If we determine that the customer is using the ACH system for restricted transactions as described in the law, we will take steps to terminate both ACH debits and credits from the account and, if after a thorough investigation we determine the customer is engaging in unlawful Internet gambling transactions, then we will, in coordination with the commercial account relationship officer, take steps to close the account.

Our new account agreements will include language that states that our ACH customers may not engage in unlawful Internet gambling transactions using our system.

If we are a gateway operator and receive instructions to originate an ACH debit from a foreign sender, we may simply send a notification, such as that provided in Appendix B, once we have "actual knowledge," based on notice from a government entity, that we have received instructions for a restricted transaction.

DOCUMENTATION

All ACH customers must execute a standard ACH agreement before being permitted to originate ACH transactions. Copies of the agreement will be kept in the bank's credit files. This agreement must be approved by our legal department and will include the agreement requirements as outlined in the NACHA Operating Rules. We will follow our ACH origination policy for conducting due diligence for new originators.

The senior loan officer will document established ACH limits for each originator in a memo that will be sent to the ACH processing department. It will be the responsibility of the ACH processing department to implement the limits and to have procedures for monitoring the limits as ACH files are processed.

Loan officers will document their ACH internal guidance lines in accordance with the procedures outlined above. Copies of this documentation will be kept in the bank's credit files. This documentation will normally consist of a memo, approval initials written on the memo, and attached financial statements.
The board of directors approved and adopted this policy on ____________________.

APPENDIXES

Appendix A
List of Agency Guidance Regarding ACH Risk Assessment

You may wish to review the following examples given by NACHA:

• See FDIC FIL-127-2008, Payment Processor Relationships, November 7, 2008.
• See OCC Bulletin 2008-12, Payment Processors, April 24, 2008.
• See OCC Bulletin 2006-39, Automated Clearing House Activities, September 1, 2006.
• See FFIEC Bank Secrecy Act/Anti-Money Laundering Examination Manual 4/10, Automated Clearing House Transactions.
• See Interagency Statements, Risk Management of Remote Deposit Capture 1/09.

Appendix B
Sample Notification

[Date]

[Name of foreign sender or foreign banking office]
[Address]

Re: U.S. Unlawful Internet Gambling Enforcement Act Notice

Dear [Name of foreign counterparty]:

On [date], U.S. government officials informed us that your institution processed payments through our facilities for Internet gambling transactions restricted by U.S. law on [dates, recipients, and other relevant information if available].

We provide this notice to comply with U.S. Government regulations implementing the Unlawful Internet Gambling Enforcement Act of 2006 (Act), a U.S. federal law. Our policies and procedures established in accordance with those regulations provide that we will notify a foreign counterparty if we learn that the counterparty has processed payments through our facilities for Internet gambling transactions restricted by the Act. This notice ensures that you are aware that we have received information that your institution has processed payments for Internet gambling restricted by the Act.