ACH Risk Assessment Requirements
The ACH Risk Assessment
“Covering your Assets”
John M. Curtis, AAP/NCP
Vice President
Head of Education and Training
Western Payments Alliance
© 2008 Western Payments Alliance. All rights reserved. No reproduction or distribution in any manner without prior written consent.
About WesPay
Regional Payments Association providing:
- Education
- Risk Management and Audit Services
- Advocacy
- Support
Serving banks, credit unions, corporates and anyone using electronic payments
Any AAP in the WesPay service territory is automatically a member, even if your employer is not a member
- Have a question? Call us: 415-433-1230
Food for Thought
Every FI has a different vision and version
No true guidance on what is to be included
- May vary by regulator
- Better to err toward diligence
Goal: cover as many areas as possible and prod you to think of at least a few items to revisit on your Risk Assessment
The Rule
Became effective June 18th 2010
- The Rules require all Participating DFIs to conduct a risk assessment of their ACH activities, and to implement risk management programs based on the results of such assessments, in accordance with the requirements of their regulators [1]
[1] 2011 NACHA Operating Rules & Guidelines, p. OG 21
What not to do
Taking the easy way out can lead to problems
Not-So-Cautious Savings and Distrust: ACH Risk Assessment
Do you offer ACH Origination Services?
Yes – It’s Risky!
Do you offer Credit Lines for ACH?
Yes – It’s Risky!
Do you have ACH Third Party Senders?
Yes – They’re Risky!
A More Complete Approach
Greater Diligent Bank of Prudence: ACH Risk Assessment
Risk Category: Credit
Risk: Over Limit Files
Inherent Risk Grade: 4
Description: Limits are set to protect the customer and the FI. Files exceeding limits could be fraud and expose the FI/customer to loss. Files exceeding limits may not be processed same day. Risks include: fraudulent items; client may miss payroll.
Procedures, Monitoring and Oversight Controls: The ACH system automatically suspends files and sends an email to ACH Operations personnel and the Credit Department. The Credit Department conducts a review of the customer credit line and considers available balances in cash accounts.
Residual Risk Grade: 2
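One way to implement the automated suspension in the row above, together with the SEC-code restriction the deck raises later under High Risk Activities and Direct Access Risk, as an added Python example (this is not code from the deck or from WesPay; the company ID, limit, permitted SEC codes and file totals are constructed, and counting both legs of a balanced file toward exposure is this example's reading of the deck's "double exposure" point):

```python
"""Pre-transmission screen for an originated ACH file (hypothetical example).

A file that would push the Originator past its exposure limit, or that carries
an SEC code the originator agreement does not permit, is suspended and routed
to ACH Operations and the Credit Department instead of being released to the
ACH Operator. Limits, company IDs, SEC codes and totals are constructed.
"""
from dataclasses import dataclass, field
from decimal import Decimal


@dataclass
class OriginatorProfile:
    company_id: str
    exposure_limit: Decimal                 # limit set by the Credit Department
    permitted_sec_codes: frozenset          # SEC codes allowed by the originator agreement
    released_today: Decimal = Decimal("0")  # exposure already released this settlement day


@dataclass
class AchFile:
    file_id: str
    company_id: str
    sec_code: str
    total_credits: Decimal   # credit entries: the ODFI funds these at settlement
    total_debits: Decimal    # debit entries: the ODFI bears return risk on these


@dataclass
class Decision:
    action: str                                  # "release" or "suspend"
    reasons: list = field(default_factory=list)
    notify: list = field(default_factory=list)   # recipients of the automated e-mail


def file_exposure(f: AchFile) -> Decimal:
    """Both legs count: a balanced file (credits plus offsetting debits) is exposure twice over."""
    return f.total_credits + f.total_debits


def screen_file(f: AchFile, profile: OriginatorProfile) -> Decision:
    """Release the file, or suspend it with every reason found (not just the first)."""
    decision = Decision(action="release")
    if f.company_id != profile.company_id:
        decision.reasons.append(f"file {f.file_id} company ID {f.company_id} does not match profile")
    if f.sec_code not in profile.permitted_sec_codes:
        decision.reasons.append(f"SEC code {f.sec_code} not permitted by originator agreement")
    cumulative = profile.released_today + file_exposure(f)
    if cumulative > profile.exposure_limit:
        decision.reasons.append(
            f"cumulative exposure {cumulative} exceeds limit {profile.exposure_limit}")
    if decision.reasons:
        decision.action = "suspend"
        decision.notify = ["ACH Operations", "Credit Department"]
    else:
        # Only released files consume the limit; a suspended file waits for Credit review.
        profile.released_today += file_exposure(f)
    return decision


def demo() -> list:
    """Constructed walk-through: three files from one Originator on one settlement day."""
    profile = OriginatorProfile("1234567890", Decimal("500000"), frozenset({"PPD", "CCD"}))
    files = [
        AchFile("F1", "1234567890", "PPD", Decimal("300000"), Decimal("0")),       # payroll, within limit
        AchFile("F2", "1234567890", "CCD", Decimal("150000"), Decimal("150000")),  # balanced file, 300k exposure
        AchFile("F3", "1234567890", "WEB", Decimal("10"), Decimal("0")),           # SEC code not in agreement
    ]
    return [screen_file(f, profile) for f in files]


if __name__ == "__main__":
    for d in demo():
        print(d.action, "; ".join(d.reasons) or "ok", d.notify)
```

Releasing a suspended file belongs to a separate approval step under its own role, so that an operator's system access cannot override what the policy says to suspend.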
Has your Business Changed?
• I’m only an RDFI
• Really? Consider:
– Payroll
– Bill Pay
– P2P Transfers
– Internal Book Transfers
– Mortgage Payments
– Auto Loan Direct Debit
Stakeholders
Include everyone from the start
- ACH Operations
- Audit
- Credit
- Compliance
- Fraud / Investigations
- Systems and Technology
- Legal
- Risk Management
- Treasury Management
- Customer Service
- Implementation / Fulfillment
- Product
- Sales
Credit Risk
• Consider all Credit Departments
– Small business
– Large corporate
– Others
• Leasing
• Agriculture
• Church Lending
• Single unit or dedicated credit staff who understand ACH risk
• Document your exposure limit determination process
– Unsecured lines of credit, prefunding, collateral
– How do you effect settlement?
• Balanced files = double exposure: the ODFI funds the credit entries at settlement and also carries return risk on the offsetting debit entries
External Participants
• Originator
• ODFI
• ACH Operator
• RDFI
• Receiver
• Third Party Providers / Senders
• Have you identified these?
• Regulators are looking very closely at 3rd Party relationships
Policies and Procedures
Easily accessible and in one place
- Make life easy for yourself and regulators
- Demonstrate you have knowledge and are serious
Frequency of Updates
Are they followed? - Evidence is in your Audits
Formal Risk Management Program for ACH
You can refer back to Policies and Procedures
- Present to Board of Directors
Category: Credit
Sub Category: Credit Risk Monitoring
Risk: Bank must conduct monitoring to ensure the customer remains creditworthy and has the ability to fund ACH Credits and returned ACH Debits. Failure to do so may result in potential loss situations.
Procedures, Controls and Oversight: Credit facilities greater than $100,000 must be re-underwritten and approved annually, or based on the loan review terms if different. Refer to Policy #001.C.ACH.
Credit Risk
Client credit health monitoring
- Document periodic reviews
Frequency
Based on Amount
Risk Rating
- Client Downgrading Policy & Procedures
- Insolvency procedures
Reversals are not allowed: the Rules permit reversing entries only for erroneous or duplicate entries, not to recover funds from an Originator that cannot settle
- Expired/downgraded lines of credit or over-limit communication process
Credit Risk
• Internal Controls
– Periodic variances in customer volumes/amounts
– Approval process for overlimit files
– After hours approval process
– Relationship manager notification and Client
Communication
• External Controls
– After hours contacts for clients
Compliance Risk
ACH Rules vs. other regulations
Non-compliance = opportunities for loss
Determine which regulations apply
- Whichever better protects the consumer
Review all applicable regulations:
- FDIC
- OCC
- FinCEN
- FFIEC
- Reg. E
- BSA/AML
- Basel II
- Reg. GG
Note: FFIEC Exam Guidelines are a good place to start
Compliance Risk
OCC Bulletin 2005-35 / FFIEC Supplement
- Corporate Account Takeover
- Was: multifactor authentication. Now: out-of-band verification as well, since the Supplement expects controls that do not rest on the customer's login credentials alone
Identify and assess the risk associated with Internet-based products and services
Measure and evaluate customer awareness efforts
- Document customer education
Adjust, as appropriate, the information security program with changes in technology
Implement appropriate risk mitigation strategies
Compliance Risk
Continuing education for all business lines
- Document the information flow of education for new ACH Rules
- Who informs each area of the organization?
- What is the process?
- Sign-off by Product, Operations and Sales obtained by Audit for all touch-points
Customer Education
- Process / Channel
High Risk Activities
• Document high risk clients
– What are the qualifications?
– High $/High volume
– Visibility
– Reputation Risk
– Gaming
– Adult Content
– Payday Lending
Who is High Risk?
• Clients that deviate from standard product offerings or design, standard legal documentation, or standard operational and/or servicing processes
• Educate Sales on the High Risk Policy – and document!
High Risk Activities
• Monitor client business model and changes
– KYC
– Permit specific SEC codes
• Include this in the Originator Agreement
– Velocity Monitoring
– Who polices IAT eligibility?
• Educate your clients, sales and operations teams
• Do they understand when to send an IAT?
• Returns monitoring
– Should be monitored across all payment delivery channels
Revenue Risk
Putting your eggs in one basket
Effect if largest client exits
Billing
- Leakage
- Over-Billing
- Controls to ensure billing accuracy
Systems and Controls
What are your information protection policies within “Critical Areas”?
- Electronic device storage policy (smart phones, mp3 players, cameras)
- USB storage devices/download restrictions
- Physical security
- Protection/destruction of confidential paper documents
- Enforce rules for visitors/clients/senior managers
- Applies from top > down
Standardize policies for your internal business partners both upstream/downstream from you
- Don’t be the weakest link!
Systems and Controls
Document exception processing SLAs, performance against them, and root causes
Contingency options when a file is missed?
- Consider scripting/training to present the client with appropriate options
Invalid format policies
- Repair and go, or suspend and notify?
- Ensure access rights don’t supersede policy: an operator’s system permissions should not allow a file the policy says to suspend to be repaired and released
Information Technology Risk
IT Risk Assessment
- Scope must include all support functions, including stand-alone PCs and “home-grown” tools
Establish access rights using security profiles and separation of duties, limited to the minimum required for business purposes
Ensure developers understand your institution’s policies and standards before they build
Information Technology Risk
Documented change management process.
- Includes who/what/when/why/where of code installs
- Approvals from key stakeholders
Contingency
- Regular hardware/software testing
- Business resumption plan (People)
Working from home contingency plan?
Information Technology Risk
Assess current technologies
Reduce or eliminate manual processes
- Humans make mistakes
- Reduce waste and costs, enhance the customer experience
Direct Access Risk
All ODFIs must register their status on www.nacha.org whether they have Direct Access clients or not
Quarterly reporting of participant contact info, volumes and return rates required if participating
If the unauthorized return rate exceeds 1%, additional information is required, including the date and proof of a recent audit according to Appendix 8 of the Rules
Documented approval process by the board of directors or designee (Appendix 8 of the Rules)
Bottom Line: Additional Due Diligence Required!!
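The return-rate figure that the quarterly reporting above keys on, and that the Returns monitoring bullet under High Risk Activities asks you to track, computed over constructed data as an added Python example (not code from the deck or from WesPay; the company IDs, entries and returns are made up, and the list of reason codes treated as “unauthorized” is an assumption drawn from the Rules in force around 2011 that should be checked against the current NACHA Operating Rules):

```python
"""Unauthorized return-rate monitoring per Originator (hypothetical example).

Computes the share of each Originator's originated debit entries that came
back as unauthorized and compares it with the 1% trigger in the deck.
Sample data is constructed; the reason-code set is an assumption (see above).
"""
from collections import defaultdict
from decimal import Decimal

UNAUTHORIZED_REASON_CODES = frozenset({"R05", "R07", "R10", "R29", "R51"})  # assumption, 2011-era Rules
DEBIT_TRANSACTION_CODES = frozenset({"27", "37"})  # checking / savings debit
UNAUTHORIZED_RATE_THRESHOLD = Decimal("0.01")       # "> 1%" from the deck


def trace(n):
    """Constructed 15-digit trace number: 8-digit routing prefix plus sequence."""
    return f"12345678{n:07d}"


def build_sample():
    """Constructed data: {trace_number: (company_id, transaction_code)} and [(trace_number, reason_code)]."""
    entries = {}
    seq = [0]

    def originate(company_id, transaction_code, count):
        for _ in range(count):
            seq[0] += 1
            entries[trace(seq[0])] = (company_id, transaction_code)

    originate("PAYDAYCO", "27", 300)    # traces 1..300, consumer debits
    originate("UTILITY", "27", 200)     # traces 301..500
    originate("PAYROLLINC", "22", 50)   # traces 501..550, credits only

    returns = [
        (trace(1), "R10"), (trace(2), "R10"), (trace(3), "R05"), (trace(4), "R07"),  # 4 unauthorized
        (trace(5), "R01"), (trace(6), "R01"),                                        # NSF, not unauthorized
        (trace(301), "R10"), (trace(302), "R01"), (trace(303), "R01"),
        (trace(501), "R03"),                                                         # credit returned, no account
    ]
    return entries, returns


def return_rates(entries, returns):
    """Per-Originator counts and rates; the unauthorized rate uses originated debits as its denominator."""
    stats = defaultdict(lambda: {"entries": 0, "debits": 0, "returns": 0, "unauthorized": 0})
    for company_id, transaction_code in entries.values():
        stats[company_id]["entries"] += 1
        if transaction_code in DEBIT_TRANSACTION_CODES:
            stats[company_id]["debits"] += 1
    for trace_number, reason_code in returns:
        if trace_number not in entries:
            # A return that matches nothing we originated is itself a red flag: surface it, don't skip it.
            raise ValueError(f"return for unknown trace {trace_number}")
        company_id, transaction_code = entries[trace_number]
        stats[company_id]["returns"] += 1
        if reason_code in UNAUTHORIZED_REASON_CODES and transaction_code in DEBIT_TRANSACTION_CODES:
            stats[company_id]["unauthorized"] += 1
    report = {}
    for company_id, s in stats.items():
        report[company_id] = dict(
            s,
            overall_rate=Decimal(s["returns"]) / s["entries"],
            unauthorized_rate=(Decimal(s["unauthorized"]) / s["debits"]) if s["debits"] else None,
        )
    return report


def over_threshold(report, threshold=UNAUTHORIZED_RATE_THRESHOLD):
    """Originators whose unauthorized rate exceeds the threshold and need the follow-up the deck describes."""
    return sorted(cid for cid, r in report.items()
                  if r["unauthorized_rate"] is not None and r["unauthorized_rate"] > threshold)


if __name__ == "__main__":
    report = return_rates(*build_sample())
    for cid, r in sorted(report.items()):
        rate = "n/a" if r["unauthorized_rate"] is None else f"{r['unauthorized_rate']:.2%}"
        print(f"{cid:12} debits={r['debits']:4} unauthorized={r['unauthorized']} rate={rate}")
    print("over threshold:", over_threshold(report))
```

Run this per delivery channel as well as in aggregate, since an Originator can sit under the threshold overall while one channel is well above it.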
Direct Access Risk
Agreement with client should include:
- Establish dollar limits with the Operator and stipulate with the client that they are required to obtain the FI’s approval BEFORE transmitting a file that exceeds those limits to the ACH Operator
- Limits to allowable SEC codes
- Provisions for immediate termination
- Right to audit
Going Forward…
Engage your Info Security, Risk and Compliance teams in the early phases of the development process
Build a governance process for reviewing the impact of new products and rules with end-to-end teams
Share best practices/lessons learned to help make the ACH network more secure
References
ACH Risk Assessment Workbook
- Contact your Regional Payments Association
OCC Bulletin 2006-39: ACH Risk Activities
- www.occ.treas.gov/ftp/bulletin/2006-39.pdf
OCC Bulletin 2001-47: Third-Party Relationships: Risk Management Principles
FFIEC BSA/AML Examination Manual, 2007
- www.ffiec.gov/bsa_aml_infobase/documents/BSA_AML_Man_2007.pdf, pages 199 through 205
OCC Bulletin 2008-12: Payment Processors
- www.occ.treas.gov/ftp/bulletin/2008-12.html
FDIC Financial Institution Letter 127-2008: Payment Processor Relationships
- www.fdic.gov/news/news/financial/2008/fil08127.html
FDIC Financial Institution Letter 44-2008: Guidance for Managing Third-Party Risk
FFIEC Guidance on Risk Management of Remote Deposit Capture
- www.ffiec.gov/pdf/pr011409_rdc_guidance.pdf
Thank You
Questions?