For many people, August signals such pleasantries as football season and children returning to school. To the financial institution’s operations officer, those changes are just as likely to signal the impending deadline for the annual ACH audit.
The National Automated Clearinghouse Association (NACHA) has mandated an annual audit of the ACH (Automated Clearing House) operations before December 31. While no prescribed methodology is required, most audits use the same detailed NACHA guidelines found in the NACHA rules Appendix 8.
Over the years, I’ve had the opportunity to assist a number of financial institutions with their ACH audits. Here are some common trouble spots I’ve seen that others may find helpful to keep in mind, whether they conduct their own ACH audits or hire them out.
- Flawed Policies: Regulators love policies. ACH is no exception to this rule. In fact, given the meticulous and exacting nature of automated clearing-house transactions, a solid policy is vital to having a smooth ACH audit. This problem manifests in several ways:
  - No Policy. I do occasionally see institutions with no policies at all. These are usually small institutions that originate very few ACH transactions other than returns or their own customer loan payments. This places a significant burden on the auditor or examiner, who must constantly interview personnel to get answers to simple questions. Practically, the lack of a policy creates operational risks for the institution as well. ACH personnel will have little guidance on how to deal with more unusual transactions or exceptions, should they occur. An ACH policy can establish and limit the ACH activities that the financial institution wishes to participate in or prohibit. Policies can prevent confusion, aid in training and make audits easier to conduct. In the absence of written guidance, mistakes (possibly costly ones) are far more likely to be made.
  - Generic Policies. More often than no policy at all, I see policies that are not tailored to the institution. These policies are gathered from the Internet or other financial institutions. While a borrowed policy may not be a bad place to start, the resulting policy needs to reflect the actual institution and its ACH program if it is to be useful. At a minimum, the ACH policy should establish the types of transactions and activities in which the institution wishes to participate. For example, an originating depository financial institution (ODFI) may state in its policy what types of transactions (Cross-Border Transactions, RCK entries, ARC entries, Back Office Conversion entries) it will originate or accept and those it will not. This can be a useful tool for limiting an institution’s overall risk.
  - Manual vs. Policy. Institutions can mistake the NACHA ACH manual for a policy. A policy is a guideline established to assist in both subjective and objective decision-making on a given subject. The NACHA manual will tell you how to handle third-party sender obligations. A policy will state whether you want to handle third-party obligations. If your policy is the NACHA ACH manual (or the size of it!), it will not really be useful.
- No NACHA Certification or Membership: As a best industry practice, all depository financial institutions (DFIs) are urged to be members of NACHA or a regional payments association (SWACHA, GACHA, MACHA, NEACH, WesPay, UMACHA, etc.). These associations provide significant education and training services, tools and other resources to members. It is generally recommended that all DFIs, particularly ODFIs, be members of some association and have at least one employee in the ACH department who is NACHA certified. At a minimum, this gives the DFI someone knowledgeable to answer auditor questions and who is aware of industry issues.
- Failure to Incorporate Other Regulations: While the ACH is primarily governed by the NACHA rules, other federal regulations also apply to ACH transactions. These laws must be followed and are often forgotten. They include the E-Sign Act, Funds Availability (Reg. CC), the Electronic Funds Transfer Act (EFTA) and the Bank Secrecy Act (BSA). These rules can have significant consequences and must be addressed in ACH policies and procedures.
- Handling of Stop Payment Returns and Unauthorized Debits: There is often significant confusion between stop payment returns and unauthorized debits. Stop payment returns occur when a customer wishes to stop a preauthorized transaction and must be honored within three days of notice (given either verbally or in writing). Unauthorized ACH debits are transactions where the customer makes a sworn statement that the transaction was never authorized. These statements require a Written Statement of Unauthorized ACH Debits form, which must be obtained for all returns bearing codes R05, R07, R10, R37, R51 and R53. Confusion between the two is common, as demonstrated by the use of the wrong forms, wrong time frames and wrong disclosures to consumers.
- Direct Access Registration: NACHA rules require an ODFI to register its Direct Access status with NACHA. If the ODFI allows direct access by third-party senders, it must obtain approval from its Board of Directors or designee for each Direct Access Debit Participant and notify NACHA of any change. While few ODFIs have Third-Party Senders with Direct Access, all ODFIs are required to register their status, even when the status is none. Many institutions are unaware of this requirement.
With our society’s rapidly increasing reliance on ACH transactions (more than 21 billion transactions traveled over the ACH network last year), it is also a good idea to conduct a periodic self-assessment to determine your institution’s ACH risk profile. Knowing your ACH risks and keeping these five common ACH issues in check will help put your institution well ahead of the game when it comes time for your next operations examination.
For more information or a proposal, please contact Alberto at firstname.lastname@example.org or 888.972.3624.