www.neach.org © 2013 NEACH. All rights reserved.
BCAC – ACH Risk Management
Sean Carter, AAP
NEACH & NEACH Payments Group
NEACH, as a Direct Member of NACHA, is a specially recognized and licensed provider of ACH education, publications and support. Regional Payments Associations are directly engaged in the NACHA rulemaking process and the Accredited ACH Professional (AAP) program.
This material is not intended to provide any warranties or legal advice, and is intended for educational purposes only. NACHA owns the copyright for the NACHA Operating Rules & Guidelines. Any unauthorized use or access is expressly prohibited.

Agenda
• ACH Overview and Flow
• Participant Roles and Responsibilities
• Inherent Risks of Processing ACH Transactions
• Areas of Risk for RDFIs and mitigation techniques
• Areas of Risk for ODFIs and mitigation techniques
• Risk Assessments & Audits

What is ACH?
• Automated Clearing House
– “Processing and delivery system that provides for the distribution and settlement of electronic debits and credits among financial institutions”
• Batch-oriented, store-and-forward processing system
• Safe, secure, electronic network for consumer, business, and government payments
• Used by more than 11,000 participating FIs and millions of businesses and consumers

Unique ACH Network Attributes
• Unlike other payment systems, the ACH Network supports all of the following:
– Credit transactions that “push” value
– Debit transactions that “pull” value
– Ubiquity to receive payments from and make payments to virtually all checking and savings accounts in the U.S.
– Both payments and robust payment information
– Native electronic transactions and check conversion transactions
– Zero-dollar transactions (for interbank messaging)
– Consumer transactions and Business transactions (both B2B and internal transactions)
– Government transactions
– Domestic and international transactions
– Recurring and one-time transactions

Facts about the ACH Network
• Over 17.5 billion transactions in 2013
– Does not include on-us
• Payments valued at more than $38 trillion in 2013
– Up almost 5% over 2012

Foundation of the NACHA Operating Rules is Contract Law
• Originating Depository Financial Institutions (ODFIs) and Receiving Depository Financial Institutions (RDFIs) are bound collectively to each other by the Rules, as a multilateral agreement
• The Rules assign ODFIs and RDFIs distinct roles, responsibilities, and liabilities for the ACH transactions they originate and receive; these flow via warranties and indemnification to all other DFIs and ACH Operators in the ACH Network
• The NACHA Operating Rules require ODFIs and RDFIs to execute agreements with Originators and third parties, as applicable, that bind them to the Rules
– The Rules require Originators to have a relationship with Receivers (agreement or authorization)
For more information attend Recent Developments in Electronic Payments Law on Monday at 11:15

Legal Framework for ACH Transactions
• NACHA Operating Rules
• Regulation D – Depository Financial Institution Reserve Requirements / Defines Transaction Account
• Regulation CC – Funds Availability & Check Collection
• Office of Foreign Assets Control (OFAC) – Financial Interdiction
• Federal Reserve Operating Circular 4 – ACH Participation of Federal Reserve Banks
• Code of Federal Regulations (CFR) Title 31 Part 210 – U.S. Federal Government ACH Payments
• Regulation E – Consumer Credit & Debit EFT Payments
• Uniform Commercial Code (UCC) Article 4A – Corporate Credit Payments
• Corporate Debit Payments – No overarching payment laws/regulations (NACHA Operating Rules)

Contractual Hierarchy
• ACH Operators
• Financial Institutions (ODFIs & RDFIs)
• Third-Party Processors
• Originators
• Receivers (Consumer or Business)

Who are the Participants?
• Originator
• Originating Depository Financial Institution (ODFI)
• ACH Operator
• Receiving Depository Financial Institution (RDFI)
• Receiver

Who are the Participants? – Originator
• Party which initiates the ACH transaction
• Can be a company or a government agency
• Must have Authorization from the Receiver
• Examples: utility company initiating payments, employer initiating Direct Deposit of an employee’s wages

Potential ACH Originators – Possible Uses of ACH
• Property Management Company – Collection of Monthly Condo Association Dues
• School District, College or University – Payroll and Collection of Tuition Payments
• Charitable Organization – Scheduled Pledge Donations
• Cable Company, Newspaper – Subscriber Billings
• Church – Member Tithes and Donations
• Insurance Company – Collection of Policyholder Premiums
• Fitness Club, Health Club or Spa – Dues and Service Fee Collections
• Retail Store, Doctor’s or Dentist’s Office, Credit Card Company – Conversion of Check Payments Received, Electronically Re-Presenting Checks Returned as NSF
• Municipality – Utility Bill Collections
• Financial Institution – Loan Payments, Stockholder Dividends, Safe Deposit Box Billing, Transfers
• Manufacturing Company, Corporation (General) – Direct Deposit of Payroll, Pension Payments, Account Transfers, Tax Payments, Expense Account Reimbursements, Vendor Payments
© 2012 EastPay. All Rights Reserved

Who are the Participants? – ODFI
• The Financial Institution which originates the ACH transaction after receiving payment instructions from an Originator
• Warrants that each transaction is correct and authorized
• There must be an agreement between the ODFI and the Originator that, at a minimum, binds the Originator to the Rules
• ODFI must also act as an RDFI

Who are the Participants? – ACH Operator
• Central clearing facility for the Financial Institutions
• ACH Operator agrees to adhere to the Rules
• There are 2 ACH Operators
– Federal Reserve
– Electronic Payments Network (EPN)
• Both can be involved in a transaction

Who are the Participants? – RDFI
• The Financial Institution which receives an ACH transaction for posting to the Receiver’s account
• RDFI has the ability to return entries but must do so within the proper timeframes and adhere to other requirements
• Does not have to act as an ODFI

Who are the Participants? – Receiver
• Party which receives the ACH transaction
• Has authorized the Originator to initiate the ACH entry
– Except for a Destroyed Check entry
• May be a company, individual or government agency

Pop Quiz!
My corporate account-holder sends weekly files to me to originate Direct Deposit of payroll for their employees. Who am I?
A. Originator
B. ODFI
C. ACH Operator
D. RDFI

ACH Credit Payment: Entry and Funds Flow
(diagram; label: Authorization)

ACH Debit Payment: Entry and Funds Flow
(diagram; label: Authorization)

Direct Deposit via ACH
• The deposit of funds for payroll, T&E, government benefits, tax and other refunds, and annuities and interest payments.

Direct Payment via ACH
• The use of funds for making a payment.
• Individuals or organizations can send or receive a Direct Payment.
• May be ACH credit or debit.

Pop Quiz!!
If a company is paying its employees payroll by ACH, is it sending credits or debits to the employees’ accounts?

General ACH Rules
• Application of Rules
• Compliance with Rules
– Effect of Illegality, Audits, Rules Enforcement, Risk Assessment, Compensation, and Arbitration
• Records
– Retention, provision upon request, may be electronic
• Excused Delay
• Secure Transmission of ACH Information

Origination of Entries
• ODFI is responsible for entries and rules compliance
• Must have Originator Agreement with Originator
• Must perform risk management
– Assess & monitor nature of ACH activity, establish & enforce exposure limits
• Must ensure Originator has proper authorization from Receiver
• ODFI warranties (general and specific to SEC Code)

General ODFI Warranties
• Each entry is properly authorized
– Not revoked, not terminated by law, correct amount
• Each entry is timely
• Complies with other requirements of the Rules, including proper SEC Code
• Transmits required information
• ODFI warranties do not apply to goods or services
• Article Two, Section 2.5 addresses warranties specific to each application

Origination of Entries
• Prenotes
– Non-monetary entry sent prior to first live entry to notify RDFI that Originator intends to send ACH to Receiver’s account
– Originator must wait 6 banking days after prenote before sending live dollar entry (effective September 2014 wait time will reduce to 3 banking days)
• Reversals (files and entries)
– Erroneous entry
• Duplicate, wrong Receiver, wrong amount, specific conditions related to payroll payments
– Must be sent within 5 days of erroneous file/entry

Origination of Entries
• Re-initiation
– Originator or ODFI may reinitiate a returned entry if:
• Returned for NSF/uncollected funds
• Returned for stop payment and reinitiation was authorized by Receiver
• Corrective action taken to remedy reason for return
– Reinitiation must occur within 180 days from settlement date of original entry
• Must be formatted as RETRYPYMT as of 09/18
– All information must remain the same including company ID and dollar amount

Impact of Same Day
• Identification and Formatting
• Credit Policy
• Agreements
• Prefunding Models

Obligations of Originators
• Authorization must:
– Be readily identifiable, have clear and readily understandable terms, and provide that the Receiver may revoke only by notifying the Originator in the manner specified
• Debit entries to consumer accounts
– Notice of change in amount
– Notice of change in scheduled date
– Copy of debit authorization

Obligations of Originators
• Record of authorization
– Originator must retain original or copy of authorization for defined period of time
– Upon RDFI request, Originator must provide to ODFI copy of authorization so that ODFI can provide to RDFI within 10 banking days
• Some SEC Codes have specific requirements for Originators

General Rights & Responsibilities of RDFIs
• RDFI must accept entries
• May rely solely on account numbers to post
• May rely on Standard Entry Class Codes
• May request copies of authorizations
• Must provide entry information as defined for various types of entries
• Does not have to notify Receiver of receipt of entry

General Rights & Responsibilities of RDFIs
• Must make funds available by defined time and may not debit prior to settlement date
• Must verify prenotes and respond if appropriate
• Must honor stop payment orders provided by Receivers
• May return entries in a timely manner (but may not return based solely on type of entry)

Returns
• Returns
◦ Restrictions
◦ Timing requirements
◦ Unposted credits
◦ ODFI request
◦ Re-initiation
◦ Return Reason Codes (e.g., R01, R02, R10)
• Dishonor, Contested Dishonor, Correction
◦ Timing requirements
◦ Return Reason Codes (e.g., R68, R73)

Return Time Frames
• Administrative (normal) return time frame – “return entry must be received by RDFI’s ACH Operator by its deposit deadline for the return to be made available to the ODFI no later than opening of business on second banking day following settlement date of original entry”
• Consumer (extended) return – “…no later than opening of business on the banking day following the 60th calendar day following settlement date…” used mainly for unauthorized consumer debit entries
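The return time frames above and the re-initiation conditions from the Origination of Entries slide, worked through as an added example (not NEACH or NACHA material): a small Python check that computes the administrative and extended return deadlines from a settlement date, and tests a proposed re-initiation against the eligible return reasons, the 180-day window, unchanged company ID and amount, and the RETRYPYMT description. The return-code mapping (R01/R09, R08, R10), the holiday set and the decision to judge timeliness by the date the return reaches the ODFI are assumptions of the example.

```python
"""Return-timing and re-initiation checks for ACH entries (added example,
not NEACH or NACHA code). Assumptions not taken from the deck: R01/R09 are
treated as NSF/uncollected-funds returns, R08 as stop payment and R10 as an
unauthorized consumer debit; HOLIDAYS is a constructed stand-in for the Fed
holiday calendar; timeliness is judged on the date the return is available
to the ODFI, not on the ACH Operator's deposit deadline."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

# Constructed holiday set for the demo; load the real Fed calendar in practice.
HOLIDAYS = {date(2014, 1, 1), date(2014, 1, 20), date(2014, 2, 17)}

ADMIN_RETURN_BANKING_DAYS = 2       # "second banking day following settlement date"
EXTENDED_RETURN_CALENDAR_DAYS = 60  # consumer (extended) return window
REINITIATION_WINDOW_DAYS = 180      # measured from settlement date of the original entry
RETRY_DESCRIPTION = "RETRYPYMT"     # required description on a re-initiated entry
EXTENDED_RETURN_CODES = {"R10"}     # assumed mapping: unauthorized consumer debit
NSF_CODES = {"R01", "R09"}          # assumed mapping: NSF / uncollected funds
STOP_PAYMENT_CODE = "R08"           # assumed mapping: stop payment


def is_banking_day(d: date) -> bool:
    """Monday to Friday, excluding holidays."""
    return d.weekday() < 5 and d not in HOLIDAYS


def add_banking_days(start: date, n: int) -> date:
    """Return the n-th banking day strictly after `start`."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if is_banking_day(d):
            n -= 1
    return d


def return_deadline(settlement: date, reason_code: str) -> date:
    """Latest day (at opening of business) a return may reach the ODFI:
    second banking day after settlement, or for extended returns the banking
    day following the 60th calendar day after settlement."""
    if reason_code in EXTENDED_RETURN_CODES:
        day_60 = settlement + timedelta(days=EXTENDED_RETURN_CALENDAR_DAYS)
        return add_banking_days(day_60, 1)
    return add_banking_days(settlement, ADMIN_RETURN_BANKING_DAYS)


def return_is_timely(settlement: date, reason_code: str, available: date) -> bool:
    """True when the return is available to the ODFI on or before its deadline."""
    return available <= return_deadline(settlement, reason_code)


@dataclass(frozen=True)
class Entry:
    company_id: str
    amount_cents: int
    entry_date: date    # settlement date of the original; initiation date of the retry
    description: str    # company entry description field


def may_reinitiate(original: Entry, return_code: str, retry: Entry,
                   receiver_reauthorized: bool = False,
                   corrective_action: bool = False) -> tuple[bool, str]:
    """Check a proposed re-initiation: eligible return reason, 180-day window,
    unchanged company ID and amount, and the RETRYPYMT description."""
    eligible = (return_code in NSF_CODES
                or (return_code == STOP_PAYMENT_CODE and receiver_reauthorized)
                or corrective_action)
    if not eligible:
        return False, f"return {return_code} is not eligible for re-initiation"
    if (retry.entry_date - original.entry_date).days > REINITIATION_WINDOW_DAYS:
        return False, "re-initiation outside 180 days of original settlement"
    if retry.company_id != original.company_id:
        return False, "company ID changed"
    if retry.amount_cents != original.amount_cents:
        return False, "amount changed"
    if retry.description != RETRY_DESCRIPTION:
        return False, f"description must be {RETRY_DESCRIPTION}"
    return True, "ok"
```

With the constructed 2014 holidays, an entry settling Thursday 2014-01-16 has an administrative return deadline of Tuesday 2014-01-21 (the Monday is a holiday) and an extended deadline of 2014-03-18.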

Same Day Impact
• Pick up additional files
• Availability
• Exceptions

Pop Quiz!!!
An RDFI can return an ACH debit whenever it wants. True or False?

Types of Risk
• Credit – Occurs when a party to a transaction cannot provide the necessary funds, as contracted, in order for settlement to occur
• Operational – Occurs when a transaction is altered or delayed due to an unintentional error
• Fraud – Occurs when a payment transaction is initiated or altered in an attempt to misdirect or misappropriate funds, by any party to the transaction or by outside intruders
• Compliance – Occurs when a party to a transaction fails to comply, either knowingly or inadvertently, with NACHA Operating Rules, applicable regulations, and U.S. and state law

Types of Risk
• Systemic Risk – Occurs when a payment system participant cannot settle its obligation, causing other participants to be unable to settle theirs
• Third Party Risk – The risk that the party entrusted by the FI to perform a function of ACH processing does not meet the expectations of the FI

What is an ACH Risk Assessment?
• It is NOT:
– A security assessment
– An audit
– A one-time effort
• It IS:
– Required to be conducted
– Required to comply with the expectations of the FI’s regulators
– Part of the ACH Audit

The Rule
• SUBSECTION 1.2.4 Risk Assessments – A Participating DFI must:
– conduct, or have conducted, an assessment of the risks of its ACH activities;
– implement, or have implemented, a risk management program on the basis of such an assessment; and
– comply with the requirements of its regulator(s) with respect to such assessment and risk management program.

The Rule – In a Nutshell
• Must have assessment of risks from ACH activities
• Must have risk management program based on the assessment
• Must ensure assessment and risk management program comply with the DFI’s regulator requirements

The Rule
• Reflect ACH industry best practices
• Send a strong message to the industry on the importance of risk management
• Ensure that all ODFIs perform know-your-customer due diligence
• Establish procedures, systems and controls to manage the risks of their Originators’ and Third-Party Senders’ ACH activities

NACHA Risk Assessment Framework
• Examples of recent risk management requirements and guidance by regulators include:
– OCC Bulletin 2006-39, Automated Clearing House Activities
– OCC Bulletin 2008-12, Payment Processors Risk Management Guidance
– FFIEC’s BSA/AML Examination Manual, 2010 edition (pages 224 through 233 are specific to ACH; however, ACH is referenced in numerous locations throughout this manual)
– FFIEC Guidance on Risk Management of Remote Deposit Capture
– FFIEC Retail Payments System
– FFIEC Supplement to Authentication in an Internet Banking Environment
– FDIC Financial Institution Letter 127-2008, Payment Processor Relationships
– FDIC Financial Institution Letter 144-2008, Managing Third Party Risk
– FDIC Financial Institution Letter 3-2012, Payment Processor Relationship

Components
• Systems and controls
– Policies and procedures
– Board reporting
– Audit Scope
• Credit management
– Credit risk
– Underwriting standards
– Risk selection
– Originator management
– Exception Processing
– Government Payment Processing
– Funds availability

Components (cont.)
• Compliance
– ACH Rules
– BSA/AML
– OFAC
– Reg D, E, CC, GG
– UCC 4A
• Third parties
– Service level agreements
– Contracts
– Management

Components (cont.)
• Direct Access
– Volume
– Agreements
• Operational and transactional process
– RDFI
– ODFI
• IT
– Technology controls
– Data protection
– Business continuity

Components (cont.)
• Identify
– Threats
• Consistent between institutions
• Vary over time
– Vulnerabilities
• Unique to each institution
• Not always manageable
– Controls
• Preventative
• Procedural
• Technical
• Detective

Assessment Deliverables
• Measure
– Control effectiveness
– Residual risk
• Prioritize
• Remediate or accept
• Documentation of the process

Risk Management Program – OCC 2006-39
• Establish ACH Risk Management Program
– Clear objectives
– Well-developed business strategy
– Clear risk parameters
• Board and Management role
– Board: overall business strategy and risk limits
– Management: establish management system
• Ongoing Process
– Evaluate activities vs. risk parameters
– Policies, procedures, & controls effective

Risk Management Program – Board Reporting
• Board or Committee should receive periodic reports:
– Metrics & trend analyses on ACH volumes and more;
– Metrics & trend analyses of originators and any third-party senders;
– Capital adequacy relative to the volume of ACH activity and level of risk associated with originators;
– The percentage of the deposit base linked to ACH origination;
– A summary of return rates by originator and third-party senders;
– Unauthorized returns that exceed board-established thresholds;
– Notices of potential/actual rules violations from NACHA;
– Financial reports on profitability of ACH function center; and
– Risk management reports, including a comparison of actual performance to approved risk parameters

Risk Management Program – Audit
• Common issues:
– Inadequate audit coverage
– Inexperienced audit staff
– Lack of appropriate auditor training
• Audit scope:
– Growth in transaction volume
– New products and services
– New ACH systems
– Underwriting policies and customer due diligence (CDD) policies and practices
– Customers’ online access to the ACH network
• Ensure periodic audits of third-party service providers
• (NACHA) Rules Compliance Audit
– Not a substitute for a comprehensive, risk-based audit

Risk Assessment Findings
• What Auditors and Examiners are finding (continued):
– Out-of-band authentication is not used
– IAT entry screening is happening, but some institutions are unclear what happens if an entry is a suspect transaction
– Inadequate knowledge of ACH Rules by audit and compliance departments

Risk Assessment Findings
• The ACH Policy does not adequately define objectives.
• The role of ACH in the overall strategic plan is not defined.
• Including ACH in BSA/AML monitoring.
• Failure to have adequate controls in place to prevent Corporate Account Takeover or account takeover for Account-to-Account Consumer transactions.
• Inadequate Vendor Management controls.

General Audit Requirements
• Who is required to complete the ACH Audit?
– Participating Depository Financial Institutions (DFIs)
– Third-Party Service Providers and/or Third-Party Senders that provide ACH services to DFIs

General Audit Requirements
• Who can perform the Audit?
– Audit performed under the direction of:
• Audit Committee
• Audit Manager
• Senior Level Officer
• External auditor of DFI or Third-Party Service Provider

Non-Rule Related Best Practices
• A Participating DFI may wish to audit other aspects of its ACH Operations in conjunction with its annual rules compliance audit
– OFAC Compliance
– ACH Business Continuity Plans
– ACH Risk Management Policies
– Compliance with 31 C.F.R. Part 210 and Green Book Compliance

General Audit Requirements
• Compliance with Appendix Eight, OR 203
• Identifies Rules that should be reviewed
– Direct impact on quality of ACH Services
– Satisfaction of DFIs and Receivers

General Audit Requirements
• Conduct annually by December 31st
• Retain proof for 6 years from date of audit
• Provide to NACHA upon request
– NACHA is requesting proof now

Audit Requirements for all DFIs
• 8.2 – 7 Areas of examination
– Record Retention
– Electronic Records
– Proof of Audit completion
– Data Security
– Payment of NACHA fees
– Risk Assessment completion
– Security Policies and Procedures

8.3 – 12 Rules tested for RDFI
• Prenote Verification
• Proper Use of NOCs
• Acceptance of entries
• Funds availability
• Statement Requirements
• Proper handling of returns
• RCK returns
• Credit Returns
• Stop payments
• WSUDs
• UCC 4A
• Addenda Reporting

Most Commonly Found Areas of Non-Compliance for RDFIs
• Not completing an ACH Audit
• NOC and/or Return Records not retained in full detail for six years
• Prenotes not being looked at or responded to
• WEB Credits not posted correctly on statements
• WSUD vs. Stop Payments

Audit Requirements for ODFIs
• All ODFIs and Third-Party Service Providers are required to complete the audit
• ODFI warrants completion of the audit by both of these participants
• Conduct audit to determine compliance with rules regarding origination of ACH entries

Appendix Eight, 8.4 – 14 Rules tested for compliance
• A. Agreements with Originators and TPS
• B. Sending Point Agreements
• C. Exposure Limits
• D. Acceptance of Return Entries
• E. NOC Processing
• F. Copies of Authorizations
• G. Permissible returns
• H. UCC 4A
• I. Identity of Originators
• J. Reversing Entries
• K. BOC entries
• L. NACHA Reporting
• M. Direct Access Registration
• N. Keeping Originators informed of the Rules

Most Commonly Found Areas of Non-Compliance for ODFIs
• Origination Agreements missing the recently added requirements
• NOCs
• Unable to locate Sending Point agreement
• Untimely Reversals