OFFICIAL PUBLICATION OF THE COMMUNITY BANKERS ASSOCIATION OF KANSAS

Pub. 4 2023 Issue 5

2022’s Top Third‑Party Sender Audit Findings

This story appears in In Touch Magazine, Pub. 4 2023 Issue 5.

Under the ACH Rules, Third-Party Senders (TPSs) are required to conduct an annual ACH Compliance Audit, just as participating financial institutions are. The EPCOR Audit team performs TPS audits each year, and the same findings and recommendations often recur from one audit to the next. In this article, we look at the audit issues we encountered most often throughout 2022 and the corresponding recommendations, to assist TPSs in developing a strong ACH risk management program and promoting ongoing compliance with the ACH Rules.

#1 Failure To Perform an ACH Audit

Easily our number one audit finding is the failure of the TPS to perform an ACH Compliance Audit in each of the past six years. As already stated, the ACH Rules require a TPS to have an ACH Compliance Audit conducted annually, and per Subsection 1.2.2.2, Proof of Completion of Audit, a TPS must retain proof of its annual audit for six years from completion of the audit. If the TPS was being audited for the first time in 2022, or had only begun its audit regimen a few years prior to 2022, it could not produce proof of completion of an audit for each of the past six years. EPCOR TPS audit reports for these TPSs gently remind the TPS to have the audit performed every year and to retain the documentation in accordance with Subsection 1.2.2.2.

#2 Failure To Conduct an ACH Risk Assessment

The second most frequent audit finding/recommendation was the failure of the TPS to conduct an ACH risk assessment. Even before Nacha added TPSs to the risk assessment requirement in Subsection 1.2.4, Risk Assessments, EPCOR auditors had advised TPSs to perform an ACH risk assessment as part of building an overall ACH risk management program for their organization. With the formal amendment to the ACH Rules published in Supplement #3-2021, Nacha made the requirement for TPSs to conduct an ACH risk assessment explicit, with an effective date of Sept. 30, 2022. During 2022, EPCOR noted that the majority of TPSs had not completed an ACH risk assessment. The primary reason for this omission was a lack of awareness of the requirement (ODFIs, you should be educating your TPS clients). A failure to understand the purpose of the risk assessment and/or its role in the organization's overall ACH risk management program was also noted.

#3 Failure To Establish an ACH Risk Management Program

Another frequent audit finding was the failure of the TPS to establish an ACH risk management program. This requirement also comes from Subsection 1.2.4 and goes hand in hand with the first two audit findings already discussed. Generally, an ACH risk management program is a set of policies, procedures, limits, assessments, reviews (audits) and reporting protocols that govern the overall ACH activities of the TPS.

While TPSs have a large degree of flexibility in the composition of their ACH risk management program, the general objectives of the program should include:

  • Assessing the risks of the activity (risk assessment);
  • Creating comprehensive know-your-customer (KYC) and onboarding due diligence (policies/procedures);
  • Establishing controls over Originator and Nested TPS activity (limits);
  • Setting up monitoring and reporting systems (reporting); and
  • Providing for periodic audits.

Specifically, Subsection 2.2.3, ODFI Risk Management (which also applies to TPSs), requires the TPS to perform due diligence on each Originator (and Nested TPS) to assess the nature of the Originator or Nested TPS's ACH activity, to implement and enforce exposure limits for each Originator or Nested TPS, and to monitor ACH Return activity. Together, these duties allow the TPS to determine whether the Originator or Nested TPS has the capacity to perform its obligations under the ACH Rules.

#4 Failure To Maintain Proper Agreements

A fourth frequently noted audit finding is noncompliance with Subsection 2.2.2.2, ODFI Must Enter Origination Agreement with TPS, of the ACH Rules. Paragraphs (h) and (i) of Subsection 2.2.2.2 are of paramount importance to the TPS: they require the TPS to enter into an ACH Origination Agreement with each Originator or Nested TPS, respectively.

While audits almost always find that TPSs have contractual agreements with their client Originators and/or Nested TPSs, what is often discovered is that those agreements omit the specific minimum ACH provisions found in Subsection 2.2.2.1(a-f) of the ACH Rules. Nacha provides some leniency on this Rule in that older agreements without the required minimum provisions are permitted to be carried forward. However, as agreements are revised or repapered, the TPS should ensure the provisions detailed in Subsection 2.2.2.1 are properly included. That flexibility aside, EPCOR's audit recommendation has been for the TPS to add the required provisions as soon as possible. We often suggest creating an "ACH Addendum" that can be attached to existing agreements without a complete repapering project.

Notable Mention Findings

Other less frequently cited audit findings still worth noting for TPSs include:

  • Failure to establish exposure limits;
  • Failure to act on Notifications of Change (NOCs);
  • Incorrect assignment of Standard Entry Class (SEC) Codes;
  • Inadequate authorization language;
  • Lack of monitoring of Originator Return Rates; and
  • Absence of a formal ACH Management Policy and of procedures for obtaining authorizations or other ACH-related documents from Originators and/or Nested TPSs (cited as best-practice suggestions).

If you work for an ODFI, I hope this article has given you some insight into deficiencies your TPSs may have regarding compliance with the ACH Rules. It is highly recommended that you request confirmation of an annual ACH Compliance Audit from each TPS client, and go further by requesting the ACH audit report itself, so you can supplement your due diligence process and see which compliance issues your TPS may be experiencing. The report may highlight ACH compliance topics or issues that you weren't aware your TPS was required to address.

If you're a TPS, I hope this article has been thought-provoking and has opened your eyes to potential issues and areas where changes may be needed to ensure you comply with the ACH Rules. Just remember that your financial institution is your ally. If you feel you need additional education or guidance, reach out and work together to come up with a solution that works for everyone.

Matthew travels throughout EPCOR’s footprint to conduct consulting, audit and risk assessment engagements related to ACH, Wire Transfer, Third-Party and other payments-related services. As part of these services, Matthew provides recommendations related to compliance with ACH Rules, payments-related regulations and regulatory guidance. Matthew also provides education and shares best practices with financial institutions and Third-Party Senders to support their efforts towards maintaining compliance, improving operational processes and mitigating risk and fraud.

Matthew graduated from the University of Kentucky in 1997 with a Bachelor of Science in Accounting and Management. Matthew has 23 years of professional experience, including 15 years in the financial services industry with a strong emphasis in audit, ACH and financial analysis.