A Third-Party Sender (TPS) has specific ACH Rules obligations, including the requirement to implement an ACH Risk Management Program. An effective ACH Risk Management Program typically begins with the development and implementation of a formal ACH policy demonstrating a Third-Party Sender’s understanding of its role in the ACH Network and the risks involved with its activities by addressing key ACH Rules obligations of the TPS. Additionally, this policy provides statements, rules or assertions that specify the expected behavior of an organization by defining roles and responsibilities of staff and departments as well as conditions and requirements for products, services and systems. Essentially the policy communicates an organization's values, philosophies and culture.
Having addressed the reason for the policy, let’s talk about the content of the policy. There is no specific content requirement for any given policy, however, there should be enough information contained in the policy to determine which departments or individuals play essential roles in the activities addressed within a policy. Most policies will contain some type of scope that defines what the policy is addressing as well as a strategic objective of the goals a company is striving to achieve. The policy also provides insight into an organization’s risk tolerance levels and helps to ensure staff understand their roles and responsibilities to meet the strategic goals of the organization in an acceptable manner. This is the reason the ACH policy is most often thought of as the cornerstone and formalization of a TPS’s ACH Risk Management Program.
The structure and content of an ACH policy are driven primarily by the organization's ACH participant role, the type of clients it provides services to and the type of ACH entries that are being processed. If you were to review an ACH policy of a payroll services provider, it most likely would differ in content from that of a TPS providing check conversion services to clients. Policies could also contain information about other activities such as the data security that has been implemented specific to ACH activities. Also, it may contain information specific to Customer Identification Program (CIP) and Know Your Customer (KYC) requirements. Again, defining the roles and responsibilities for each of these activities.
Also, it is considered acceptable to reference other policies within the ACH policy. For instance, if there is already a robust, comprehensive AML Policy that addresses CIP, KYC and OFAC responsibilities there is no need to restate that information in the ACH policy. However, it is recommended that the ACH policy clearly make the statement that those activities will be addressed in another specific policy. And please take note we are referencing policies that are traditionally thought of as requirements of a financial institution to have implemented but keep in mind one of the key elements noted within the ACH Rules is that a TPS will take on the roles of an ODFI and becomes subject to many same Rules and best practices, which includes the development of various policies and written procedures.
Additionally, policies are not meant to remain a static document that once developed, approved and implemented become just another document provided when requested. Policies should be reviewed at least annually to determine if they still contain relevant information of the TPSs’ processing environment. Changes to policies should be documented to better determine when a new statement or requirement has been added. Updated policies should also be provided to any stakeholders that are subject to the requirements of the policy. Some organizations will also require staff to formally acknowledge the receipt and review of updated policies.
To assist TPSs, EPCOR has developed a new publication, the Sample Third-Party Sender ACH Management Policy. This sample policy covers ACH Rules and various other policy best practices impacting essential ACH processes such as ACH origination, Nested Third-Party Sender relationships, Originator strategies and onboarding requirements. Our team of experts is also prepared to help in any way we can! Reach out to us at advisoryservices@epcor.org to learn how we can help you enhance your Third-Party Sender risk management practices.