Effective June 18, 2010, the NACHA Rules will include a requirement for all
financial institutions to conduct an ACH risk assessment, and implement risk
management programs based on the results of the assessment.
The Rules do not, however, address the scope or timing of these new
requirements; instead they state that these actions must be “in accordance with
the requirements of your regulator”. The Rules also focus most of their risk
management efforts on the potential risks of origination services offered to
separate business / institutional originators. Because most credit unions offer
few if any origination services to business members, your regulator may not
enforce any new specific requirement to conduct a separate ACH risk
Nevertheless, in order to comply with NACHA’s goal to improve risk management
in the ACH Network, we recommend that credit unions conduct periodic ACH risk
assessments and document your resulting risk management programs. Much of
the actual investigative activity needed for a risk assessment has probably
already been completed as part of your existing risk assessment and ACH
compliance auditing programs. Therefore you may be able to use existing
documentation to comply with this new ACH risk management requirement.
Suggested Risk Assessment Areas
For credit unions acting as RDFIs (Receiving Depository Financial Institution),
and as Originators of loan payment debits and consumer member funds transfer
entries, here are a few suggested areas for the risk assessment:
General Internet Access Security
Review internet access security measures such as firewalls, virus/spyware
protection, and IP address lockdown for users of ACH processing websites. The
review may already be included as part of your IT security audits.
User Security Settings
Review individual user security settings for access to ACH processing services.
Common security options include transaction dollar limits, restrictions on access
to software functions (user access only to functions needed), hours of access
limitations, and dual control / verification settings. This review may also be
included as part of your IT or Payment Systems security audits.
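The settings listed above (dollar limits, function restrictions, hours of access, dual control) are easiest to review when they are written down as explicit checks. The Python below is an added illustration, not code from the SunCorp guide or from any ACH processing platform; the settings model, the function names such as "release_file", the clerk profile and the dollar amounts are all constructed. It evaluates one request against a user's settings and reports every control the request would violate, so a reviewer can see which setting is doing the work in each case.

```python
"""Evaluate an ACH operator request against the user's security settings.

Added illustration, not code from the SunCorp guide or any ACH platform:
the settings model, function names and dollar amounts are constructed.
Real processing platforms expose comparable settings under their own names.
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class UserSettings:
    user_id: str
    allowed_functions: FrozenSet[str]  # least privilege: only the functions this role needs
    per_entry_limit: int               # dollar limit on a single entry or file
    daily_limit: int                   # dollar limit on everything released in one day
    access_start: time                 # permitted hours of access (local time)
    access_end: time
    dual_control_over: int             # amounts above this need a second, different approver


@dataclass(frozen=True)
class Request:
    user_id: str
    function: str                      # constructed names, e.g. "release_file"
    amount: int                        # dollars; 0 for read-only functions
    submitted_at: datetime
    approver_id: Optional[str] = None  # second user who verified the request, if any


def evaluate(settings: UserSettings, req: Request, spent_today: int) -> List[str]:
    """Return every control the request violates; an empty list means it is allowed.

    spent_today is the dollar total the user has already released today, so the
    daily limit is enforced cumulatively rather than per request.
    """
    problems: List[str] = []
    if req.function not in settings.allowed_functions:
        problems.append("function not permitted for this user")
    if not (settings.access_start <= req.submitted_at.time() <= settings.access_end):
        problems.append("outside permitted access hours")
    if req.amount > settings.per_entry_limit:
        problems.append("exceeds per-entry dollar limit")
    if spent_today + req.amount > settings.daily_limit:
        problems.append("exceeds daily dollar limit")
    if req.amount > settings.dual_control_over:
        if req.approver_id is None:
            problems.append("dual control required: no second approver")
        elif req.approver_id == req.user_id:
            problems.append("dual control required: approver must be a different user")
    return problems


# Constructed profile for a back-office clerk who releases member loan-payment files.
CLERK = UserSettings(
    user_id="ops_clerk",
    allowed_functions=frozenset({"release_file", "view_returns"}),
    per_entry_limit=25_000,
    daily_limit=100_000,
    access_start=time(8, 0),
    access_end=time(17, 0),
    dual_control_over=10_000,
)


def demo() -> dict:
    """Run a few constructed requests through the clerk's settings."""
    stamp = datetime(2010, 6, 21, 10, 30)       # a Monday morning, inside the access window
    after_hours = datetime(2010, 6, 21, 19, 15)  # same day, after the window closes
    cases = {
        "routine_release": Request("ops_clerk", "release_file", 5_000, stamp),
        "large_no_approver": Request("ops_clerk", "release_file", 15_000, stamp),
        "self_approved": Request("ops_clerk", "release_file", 15_000, stamp, approver_id="ops_clerk"),
        "admin_after_hours": Request("ops_clerk", "edit_user_limits", 0, after_hours),
        "over_limits": Request("ops_clerk", "release_file", 30_000, stamp, approver_id="supervisor"),
    }
    return {name: evaluate(CLERK, req, spent_today=80_000 if name == "over_limits" else 0)
            for name, req in cases.items()}


if __name__ == "__main__":
    for name, problems in demo().items():
        print(f"{name}: {'allowed' if not problems else '; '.join(problems)}")
```

Two points worth carrying into a real review: the daily limit only means something if it is applied to the running total for the day, not to each request in isolation, and dual control only means something if the platform refuses the submitter as their own approver.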
SunCorp – ACH Risk Assessment Guide 1
ACH Compliance Audit
Review the findings and recommendations from the latest annual ACH
compliance audit. The audit may reveal operational or procedural problem areas
that could lead to financial losses from missing return deadlines, incomplete or
missing agreements, or other areas of non-compliance.
ACH Policies and Procedures
Review board policies and operational procedures to discover possible
oversights or inconsistencies. Compare actual ACH operations with stated
policies and procedures. Procedures should include incoming file processing,
exception handling, and origination entry processing. These areas may have
been reviewed as part of your annual ACH compliance audit or an internal
Review processing of both return and NOC (Notification of Change) entries to
verify the use of correct return/NOC codes within the stated deadlines. Also
review the processing of disputed or unauthorized entries, and the correct usage
of the Written Statement of Unauthorized Debit form. Incorrect exception
handling can lead to potential financial losses, and is a common problem at many
credit unions with new or inexperienced ACH staff. Many of these issues are
reviewed as part of your annual ACH compliance audit.
General Ledger Account Reconcilement
Verify that ACH settlement and exception entry accounts are reconciled on a
frequent basis to ensure that potential fraudulent or erroneous entries are quickly
discovered. Delayed or missing reconcilements could cause financial losses if
deadlines have passed to rectify errors or fraudulent activity. Your regular
accounting or internal control audits have probably reviewed these areas already.
Money Laundering Activity
Review any ACH transaction reports for high-volume and high-dollar activity that
may be inconsistent with normal member behavior. Include both ACH receipt
and origination activity, and both ACH credit and debit entries. Excessive or
unusual activity may signify potential money laundering or other fraudulent
activities that could lead to financial losses by the credit union or your members.
These transactions may be reviewed already as part of your annual Bank
Secrecy Act (BSA) audit or other routine audits by your security/compliance staff.
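"Inconsistent with normal member behavior" is easiest to apply if each member's earlier months serve as that member's own baseline. The Python below is an added illustration, not code from the SunCorp guide or from any BSA monitoring product; the members, months, amounts and the review factors are constructed. It builds a monthly baseline per member, direction (receipt or origination) and entry kind (credit or debit), and flags the review month where the count or dollar volume is a multiple of the baseline, or where a member with no prior activity of that kind suddenly shows a large amount.

```python
"""Flag member ACH activity that departs from the member's own history.

Added illustration, not from the SunCorp guide or any BSA monitoring product:
the entries, months and review thresholds are constructed. A real review
would run over the ACH transaction reports the guide refers to.
"""
from collections import defaultdict
from statistics import mean
from typing import Dict, List, NamedTuple, Tuple


class Entry(NamedTuple):
    member: str
    month: str      # "YYYY-MM"; entries are grouped by calendar month
    direction: str  # "receipt" (credit union as RDFI) or "origination"
    kind: str       # "credit" or "debit"
    amount: float


Key = Tuple[str, str, str]  # (member, direction, kind)


def monthly_totals(entries: List[Entry]) -> Dict[Key, Dict[str, Tuple[int, float]]]:
    """Count and dollar volume per member/direction/kind, broken down by month."""
    acc = defaultdict(lambda: defaultdict(lambda: [0, 0.0]))
    for e in entries:
        cell = acc[(e.member, e.direction, e.kind)][e.month]
        cell[0] += 1
        cell[1] += e.amount
    return {k: {m: (int(c), d) for m, (c, d) in v.items()} for k, v in acc.items()}


def flag_unusual(entries: List[Entry], review_month: str,
                 count_factor: float = 3.0, dollar_factor: float = 3.0,
                 new_activity_floor: float = 10_000.0) -> Dict[Key, List[str]]:
    """Compare the review month with each member's earlier months.

    Receipt and origination activity, credits and debits, are all covered
    because each (member, direction, kind) combination gets its own baseline.
    The factors and the floor are review parameters, not values from the Rules.
    """
    flags: Dict[Key, List[str]] = {}
    for key, months in monthly_totals(entries).items():
        if review_month not in months:
            continue
        cur_count, cur_dollars = months[review_month]
        history = [v for m, v in months.items() if m < review_month]
        reasons = []
        if not history:
            if cur_dollars >= new_activity_floor:
                reasons.append(f"no prior activity of this kind; ${cur_dollars:,.0f} in {review_month}")
        else:
            base_count = mean([c for c, _ in history])
            base_dollars = mean([d for _, d in history])
            if cur_count > count_factor * base_count:
                reasons.append(f"{cur_count} entries vs. {base_count:.1f}/month baseline")
            if cur_dollars > dollar_factor * base_dollars:
                reasons.append(f"${cur_dollars:,.0f} vs. ${base_dollars:,.0f}/month baseline")
        if reasons:
            flags[key] = reasons
    return flags


def sample_entries() -> List[Entry]:
    """Constructed activity for three members over four months."""
    rows: List[Entry] = []
    for month in ("2010-01", "2010-02", "2010-03", "2010-04"):
        # M1: steady twice-monthly payroll credits
        rows += [Entry("M1", month, "receipt", "credit", 1_500.0)] * 2
        # M2: one modest credit a month until April, when eleven large ones arrive
        rows.append(Entry("M2", month, "receipt", "credit", 2_000.0))
    rows += [Entry("M2", "2010-04", "receipt", "credit", 9_500.0)] * 11
    # M3: the first debit this member ever originates is a large one
    rows.append(Entry("M3", "2010-04", "origination", "debit", 25_000.0))
    return rows


if __name__ == "__main__":
    for key, reasons in flag_unusual(sample_entries(), "2010-04").items():
        print(key, "->", "; ".join(reasons))
```

On the constructed data M1 stays quiet, M2 is flagged on both count and dollars, and M3 is flagged for large first-time origination activity. The flags are a worklist for the reviewer, not a conclusion; the point of the per-member baseline is that a member whose normal volume is high is not flagged simply for being high.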
Business Continuity / Recovery Plans
Review existing plans and testing results for ACH receipt and origination activity
in potential business continuity or recovery situations. Plans should include
system access by employees from remote locations, and if necessary, access by
outside or third-party business recovery vendors or partners. Verify that the ACH
plans and testing are integrated with other member service and payment
services business recovery plans. All these issues should be addressed as part
of your overall business continuity / recovery program, and documented in the
audit and testing reports from your program.
For credit unions acting as ODFIs (Originating Depository Financial Institution)
for separate business / institutional members, there are several other areas that
need to be investigated for potential risks. Because many credit unions do not
offer these types of origination services, you may be able to disregard this
section of the risk assessment. For those credit unions that do offer these
origination services, here are a few suggested areas for the risk assessment:
Origination Services Policies
Review Board policies on the types of origination services allowed. Policies
should identify any restrictions on the type of origination application (payroll,
recurring debits, etc.) or the type of business or institution eligible for the service.
Make note of any potentially high-risk origination activities such as companies
using third-party senders or telephone/internet authorizations. These high-risk
activities may have been identified as part of the “customer due diligence”
process of your BSA Member Identification Program.
Review the ODFI-Originator Agreements in place with your business or
institutional originators. The agreements should detail the specific processing,
settlement, exposure limit, and authorized user provisions currently used with the
originator. Compare agreement provisions with a sample of actual origination
entries submitted in the recent past. Failure to follow agreement provisions could
subject the credit union to potential operational and credit risks.
Credit Risk Management
Review policies and procedures for establishing exposure limits, pre-funding
requirements, deposit holds, and other measures to minimize credit risk. If
origination files are not pre-funded, credit and exposure limits should be
periodically reviewed and approved by the credit union’s commercial lending
department. Loan underwriting standards should be documented. Your periodic
loan or lending operations audit may cover some of these concerns.
If you allow the use of third-party senders for the origination of entries by your
business or institutional members, review their financial and operational
condition. Your vendor management program should include details for
investigating these aspects of any third-party sender.
Review periodic reports to credit union management on originator activity
including origination and return entry volume. Make note of excessive return
activity or other originator activity that may expose the credit union to potential
NACHA rules violations and fines. Investigate the corrective measures enforced by
the credit union to minimize future return entry volume, especially unauthorized and
revoked-authorization returns.
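The exposure-limit review under Credit Risk Management and the originator return-volume review just described draw on the same per-originator figures, so the Python below covers both. It is an added illustration, not code from the SunCorp guide or from NACHA; the originators, agreement limits, entries and review thresholds are constructed, and the grouping of return reason codes R05, R07, R10 and R29 as "unauthorized/revoked" is this example's assumption (take the codes and thresholds to apply from the current Rules and your agreements). For each originator it computes the outstanding exposure on entries that were not pre-funded, the overall return rate, and the unauthorized/revoked return rate, and lists the findings a management report would carry.

```python
"""Per-originator monitoring: outstanding exposure against the agreed limit
and return rates by category.

Added illustration, not from the SunCorp guide or NACHA: originators, limits,
entries and thresholds are constructed. The grouping of R05, R07, R10 and R29
as unauthorized/revoked returns is this example's assumption.
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple

# Assumed grouping of return reason codes treated as unauthorized/revoked.
UNAUTHORIZED_CODES = frozenset({"R05", "R07", "R10", "R29"})


class Originated(NamedTuple):
    originator: str
    trace: str        # constructed identifier for the entry
    amount: float
    prefunded: bool   # funds collected before release, so no credit exposure


class Returned(NamedTuple):
    originator: str
    trace: str
    code: str         # return reason code, e.g. "R01" or "R10"


class Agreement(NamedTuple):
    exposure_limit: float   # from the ODFI-Originator agreement


def summarize(agreements: Dict[str, Agreement], originated: List[Originated],
              returned: List[Returned], overall_threshold: float = 0.15,
              unauthorized_threshold: float = 0.005) -> Dict[str, dict]:
    """Compute exposure and return rates for each originator and list findings.

    The thresholds are placeholders for the review levels you set; they are
    parameters so the function can follow the Rules and your policy as they change.
    """
    by_orig: Dict[str, List[Originated]] = defaultdict(list)
    for o in originated:
        by_orig[o.originator].append(o)
    ret_by_orig: Dict[str, List[Returned]] = defaultdict(list)
    for r in returned:
        ret_by_orig[r.originator].append(r)

    report = {}
    for name, agreement in agreements.items():
        entries = by_orig.get(name, [])
        rets = ret_by_orig.get(name, [])
        exposure = sum(e.amount for e in entries if not e.prefunded)
        n = len(entries)
        unauthorized = sum(1 for r in rets if r.code in UNAUTHORIZED_CODES)
        overall_rate = len(rets) / n if n else 0.0
        unauthorized_rate = unauthorized / n if n else 0.0
        findings = []
        if exposure > agreement.exposure_limit:
            findings.append("exposure exceeds agreed limit")
        if overall_rate > overall_threshold:
            findings.append("overall return rate above review threshold")
        if unauthorized_rate > unauthorized_threshold:
            findings.append("unauthorized/revoked return rate above review threshold")
        report[name] = {
            "entries": n, "exposure": exposure, "returns": len(rets),
            "overall_rate": overall_rate, "unauthorized_rate": unauthorized_rate,
            "findings": findings,
        }
    return report


def sample_data():
    """Constructed month of activity for two originators."""
    agreements = {"Acme Payroll": Agreement(50_000.0), "FitClub Dues": Agreement(20_000.0)}
    # Acme pre-funds its payroll credits, so nothing is at risk against its limit
    originated = [Originated("Acme Payroll", f"A{i:03d}", 12_000.0, True) for i in range(4)]
    # FitClub's recurring debits are not pre-funded and run past its agreed limit
    originated += [Originated("FitClub Dues", f"F{i:03d}", 100.0, False) for i in range(250)]
    # FitClub: 37 insufficient-funds returns plus 3 members disputing authorization
    returned = [Returned("FitClub Dues", f"F{i:03d}", "R01") for i in range(37)]
    returned += [Returned("FitClub Dues", f"F{i:03d}", "R10") for i in range(37, 40)]
    return agreements, originated, returned


if __name__ == "__main__":
    for name, row in summarize(*sample_data()).items():
        print(name, row)
```

The separate unauthorized/revoked rate matters because it is the category the guide singles out: a high rate there points at an authorization problem on the originator's side, which exposure limits alone do not address.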
Suggested Risk Assessment Documentation
We recommend that credit unions document your ACH risk assessments in a
manner consistent with other risk assessments. The reporting format used in
your Bank Secrecy Act or business continuity risk assessments may be useful as
a guide. At a minimum, we suggest that your risk assessment documentation
include the following:
- Summary of the credit union staff involved in the risk assessment, when the assessment was conducted, and a general description of the credit union’s ACH activities
- Listing of risk assessment areas including ratings of the probability of the risk and potential risk impact to the credit union’s financial and operational
- Detailed findings on each risk assessment area, and recommendations for improvement on areas found to be lacking sufficient attention
- Signatures by risk assessors, credit union management, and Board of Director representative to acknowledge receipt and/or approval of risk
For more information on ACH risk assessments, please refer to:
2010 NACHA Operating Rules
FFIEC Information Technology Handbooks:
OCC Bulletin 2006-39: www.occ.treas.gov/ftp/bulletin/2006-39.pdf