They say the early bird gets the worm. And, while it may seem too early, now is a great time to start planning for your 2024 ACH Compliance Audit!
Unsure how to plan? No worries! I will be your guide to help you prepare for a successful audit!
First things first – deciding who is conducting your audit. Do they hold the proper accreditations and experience to conduct the audit and give you feedback on industry best practices and risk mitigation techniques? The ACH Rules require an annual audit, and it must be performed under the direction of the audit committee, audit manager, senior-level officer or external examiner/auditor. You should also consider how many times one individual conducts your audit. While you may have a favorite auditor here at EPCOR, it is an industry best practice to rotate auditors every so often to get new and fresh perspectives on your ACH activities.
Once you have identified who will conduct the audit, take a closer look at the scope of work. Does the audit fully address key compliance risks your institution faces with your ACH activity? The ACH Rules can be overwhelming, but an effective audit program will address the risks associated with Rules compliance. Each financial institution faces its own compliance risk based on its policies, procedures and practices. Qualified experts will be able to identify your risks and tailor their auditing practices accordingly.
What’s next? Well, it is time to dive into the nitty-gritty details. Look at your previous year's audit and double-check that all recommendations and comments provided last year have been addressed and corrected. If you were not able to correct all recommendations, prepare a document to identify where you are in the process and when you expect to have the issue fully corrected.
Next, take into consideration common findings and weak areas identified within the industry. How do you do that? Well, EPCOR is here for you and will go above and beyond to help you ensure your risks are addressed.
Some of the common findings our flock of audit experts have identified are:
Risk Assessments – All Participating DFIs
- Outdated
  - It is recommended that risk assessments be completed every 12-18 months or BEFORE any changes to processing or product/service offerings occur!
- Not Identifying All Risks
  - Conducting a risk assessment of EACH payments channel should be an important part of your organization's risk mitigation program.
  - A risk assessment specific to ACH will identify and analyze potential risks such as fraud, theft, errors or system malfunctions.
Debit Authorization Requirements – ODFIs
- Required Topics Not Addressed
  - All consumer debit authorizations (no matter how they are obtained) must include all minimum requirements of Subsection 2.3.2.2, Debit Entries to Consumer Accounts.
  - Certain standard entry class (SEC) codes have additional requirements – ensure your staff is knowledgeable!
Formatting ACH Entries – ODFIs
- Improper SEC Codes
  - Ensure the proper SEC codes are utilized, and consider periodically reviewing ACH files to confirm proper use.
- Reinitiated Entries
  - Conduct due diligence on your debit Originators to discover how NSF returns are managed.
  - Ensure Company Entry Descriptions contain "RETRY PYMT".
  - Ensure only the entries permitted under Subsection 2.13.4, Reinitiation of Returned Entries, are reinitiated.
- Reversals
  - Ensure Company Entry Descriptions contain "REVERSAL".
  - The following fields must remain UNCHANGED from the entry being reversed:
    - SEC Code
    - Company identification/Originator identification
    - Amount
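The periodic file review suggested above can be partly automated. The following is an added example, not EPCOR's tooling or code from the ACH Rules: it checks reinitiated and reversal entries against the formatting points listed in this section. The `Entry` record, the trace numbers and amounts are constructed for the example, and treating R01 and R09 as the NSF-type return codes eligible for reinitiation is an assumption made here (the page only says "NSF returns").

```python
"""Audit checks for reinitiated and reversal ACH entries (constructed example)."""
from dataclasses import dataclass

# Assumption for this example: R01 (insufficient funds) and R09 (uncollected
# funds) are the NSF-type returns that may be retried.
NSF_RETURN_CODES = {"R01", "R09"}


@dataclass(frozen=True)
class Entry:
    trace: str
    sec_code: str
    company_id: str
    description: str        # Company Entry Description field
    amount_cents: int
    return_code: str = ""   # set on the original if it was returned


def check_reinitiation(original: Entry, retry: Entry) -> list[str]:
    """Findings for a retry of a returned debit; empty list means compliant."""
    findings = []
    if "RETRY PYMT" not in retry.description.upper():
        findings.append(f"{retry.trace}: description lacks RETRY PYMT")
    if original.return_code not in NSF_RETURN_CODES:
        findings.append(f"{retry.trace}: original return "
                        f"{original.return_code or 'none'} is not an NSF-type return")
    return findings


def check_reversal(original: Entry, reversal: Entry) -> list[str]:
    """Findings for a reversal; SEC code, company ID and amount must match."""
    findings = []
    if "REVERSAL" not in reversal.description.upper():
        findings.append(f"{reversal.trace}: description lacks REVERSAL")
    for field in ("sec_code", "company_id", "amount_cents"):
        if getattr(original, field) != getattr(reversal, field):
            findings.append(f"{reversal.trace}: {field} changed on reversal")
    return findings


# Constructed sample entries, not real ACH data.
ORIGINAL = Entry("091000010000001", "PPD", "1234567890", "PAYMENT", 12500, "R01")
GOOD_RETRY = Entry("091000010000002", "PPD", "1234567890", "RETRY PYMT", 12500)
BAD_RETRY = Entry("091000010000004", "PPD", "1234567890", "PAYMENT", 12500)
BAD_REVERSAL = Entry("091000010000003", "CCD", "1234567890", "REVERSAL", 12000)

if __name__ == "__main__":
    for finding in (check_reinitiation(ORIGINAL, GOOD_RETRY)
                    + check_reinitiation(ORIGINAL, BAD_RETRY)
                    + check_reversal(ORIGINAL, BAD_REVERSAL)):
        print(finding)
```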
NOCs (Notifications of Change) Processing – ODFIs
- NOCs Not Communicated Effectively
  - Ensure all minimum information from each NOC received is securely communicated to Originators and/or Third-Party Senders in a timely manner, AND that the Originator/TPS makes corrections in a timely manner.
Proof of Authorization (POA) Requests – ODFIs
- POA Requests Not Responded to in a Timely Manner
  - Consider testing your debit Originators' ability to provide proof of authorization.
Processing of Unauthorized Entries (WSUDs) – RDFIs
- Completion of Written Statement of Unauthorized Debit
  - Ensure forms are completed in their entirety!
  - Similarly authenticating the accountholder's authorization? Ensure staff document the authentication and assent of the Receiver on the form, along with a timestamp and the staff member's initials.
- Forms Utilized
  - Ensure the forms include the minimum requirements of Subsection 3.12.4, Form of Written Statement of Unauthorized Debit.
  - Discard any outdated forms.
- Prompt Recredits
  - Per Regulation E, the recredit to the consumer account must be made within one business day of the RDFI's determination that an error has occurred, which can be indicated by the return of the unauthorized debit entry.
Return Processing – RDFIs
- Untimely
  - Educate staff on the proper return timeframes: next-day returns (within two days) and extended returns (within three to 60 days of the settlement date).
  - If you are past the timeframe:
    - Contact the ODFI to see if they will allow you to return the Entry.
    - Request Proof of Authorization from the ODFI.
- Improper Codes
  - Educate staff on the proper use of return reason codes, which depend on the standard entry class (SEC) code.
Exception Item Processing – RDFIs
- Prenote Verification
  - Ensure all rejected prenotes are reviewed, and then ensure a return or NOC is initiated.
- NOC Processing
  - Ensure all NOCs are initiated in a timely manner.
Hoot-E's flock of highly qualified auditors is eager to assist you and your team in achieving compliance and guiding you to having the ultimate risk management program. Reach out to our team at audit@epcor.org to secure your spot on our schedule!