
Top 5 Third-Party Sender Audit Findings

By Casey Demma posted 2 hours ago

  

The ACH Rules require Third-Party Senders (TPSs) and Third-Party Service Providers (TPSPs) to complete an ACH Rules Compliance Audit annually. In 2025, EPCOR’s team of experts conducted audits for a wide range of TPSs and TPSPs. Throughout these engagements, our team observed several recurring compliance issues. Here’s a breakdown of last year’s top audit findings and the common areas needing attention.

Audits and Risk Assessments

A surprising number of TPSs don’t even realize they are TPSs, leaving them unaware of their obligation to perform an annual ACH Rules Compliance Audit or a periodic risk assessment. EPCOR frequently conducts these first-time audits for organizations that have been operating as TPSs for years. On the flip side, some TPSs do complete their annual audits but can’t produce six years of documentation, as required by the ACH Rules. Staff turnover is usually the culprit, turning missing documentation into a compliance headache.

Risk assessments create another gap. While they aren’t required annually, TPSs must periodically evaluate the risks associated with their ACH activity and build a risk management program based on those findings. The key is staying proactive: understanding the obligations, acting on results and revisiting risk before it becomes a problem.

Originator Due Diligence and Exposure Limit Review

Due diligence goes beyond onboarding. ACH activity must be continuously monitored, and oversight of Originators and Nested TPSs can take several different forms. Reviewing the creditworthiness of the account relationship is valuable, but it does not fulfill all obligations. Many TPSs limit reviews to financial information, neglecting their Originators' actual ACH activity, leaving a significant oversight gap.

The ACH Rules explicitly require the establishment of exposure limits, which must be reviewed and enforced as part of an ongoing risk management program. Yet it remains common to find TPS programs with no limits in place, or programs that use prefunding requirements as a substitute, which does not meet ACH Rules requirements. Prefunding manages liquidity but does not address credit or operational risk.

Origination Agreements

Many TPSs provide a mix of services to their Originators and any nested TPSs, but their contracts often don’t keep pace. Instead of including clearly defined ACH terms, organizations rely on broad master service agreements that omit required language. Beyond the requirements, the guidance in Appendix C of the ACH Rules (outlining responsibilities, risk ownership and how responsibilities flow between parties) is frequently not included. Absent schedules, missing appendices or incomplete agreements lead to unclear roles, misaligned expectations and compliance gaps.

Invalid Authorizations

Authorization issues commonly stem from missing Rule‑required language, such as revocation terms or clear timing of the Entry. We often see authorizations that aren’t recognizable as authorizations at all. This happens most often online, where critical language gets buried behind hyperlinks rather than presented upfront. When authorizations aren’t complete or clearly identifiable, organizations face delays responding to proof‑of‑authorization (POA) requests. When POA requests start piling up, it often signals there are broader issues in the Originator’s or TPS’s authorization process.

Notifications of Change

A non-monetary Notification of Change (NOC) is the RDFI’s way of telling the ODFI, “Here’s the corrected information you need to use going forward.” When a TPS or Nested TPS is involved, updates must reach the Originator within two banking days of receiving the NOC. Then, the required changes must be implemented within six banking days, or before the next outgoing Entry, whichever comes later. 

Common breakdowns usually happen in two places:

  • The changes aren’t made within the required timeframe and
  • There’s little to no documentation showing the Originator was notified, or that the updates were completed.

Both gaps create compliance risk and make it harder to prove that NOC requirements are being met.

These are some of the most common issues EPCOR identified during 2025 audits of TPSs and TPSPs, though they do not represent the full scope of findings. Every organization’s program is different, and even well-established processes can have gaps. If you would like help reviewing your program or preparing for your next audit, our Advisory Team is here to help. Connect with our team to see how we can support your program!

   


Want more practical guidance on managing TPS relationships and keeping Originators compliant? Join us at EPCOR Payments Conference – Spring 2026 in Indianapolis from April 13–15! Get practical insights in our pre-conference workshop, Demystifying Third Parties: A Hands-On ACH Workshop and rock out to sessions like Get Your Originators Compliant—and Keep Them That Way and ACH Rules Update. Explore our agenda to see the full lineup!
