The indirect relationship with the Originator heightens risk compared to direct client relationships, making thorough due diligence essential. Ensure senior management understands both the risk profile and the control framework — existing or planned — to effectively mitigate these exposures before proceeding with any TPS partnerships.
What Type of TPSs Do We Want to Onboard?
Use risk evaluation results to define the scope of TPS relationships. Key decisions include:
- Which Standard Entry Class (SEC) codes to permit
- Whether the TPS can initiate debit entries, credit entries or both
- Whether to allow Nested TPS arrangements
While your institution may approve higher-risk SEC codes like WEB or TEL for direct Originators, applying stricter limitations to TPS relationships is often prudent, given the indirect oversight.
What Specific Rules Apply to TPSs?
When a TPS performs ODFI obligations under the ACH Rules, it must meet the same requirements that would apply to an ODFI. Beyond general ODFI obligations, specific ACH Rules govern TPS operations. Training staff on these TPS-specific requirements helps ensure compliance across both the TPS relationship and your institution's broader obligations.
What Are Common Audit Findings for TPSs?
According to the ACH Rules, ODFIs bear full responsibility for their Originators' and Third-Party Senders' compliance. Your institution remains liable for any TPS non-compliance. Understanding common TPS audit findings helps identify critical oversight areas for both initial due diligence and ongoing monitoring. If these typical compliance gaps exceed your risk tolerance, TPS relationships may not align with your institution's profile. You can read our Significant Third-Party Sender Audit Findings in 2024 article for an analysis of the most frequent TPS audit findings.
What Steps Do We Take if We Decide to Enter into a Relationship With a TPS?
- Have an ACH Agreement Ready: Article Two, Subsection 2.2.2.2 of the ACH Rules specifies the mandatory language for Origination Agreements between ODFIs and TPSs. Although much of this required language mirrors standard ODFI-Originator agreements, institutions must verify that all TPS-specific provisions are comprehensively addressed. Furthermore, Appendix C of the Nacha Operating Guidelines outlines additional issues to consider for Origination Agreements. While these provisions are not mandated by the Rules, their inclusion enhances protective measures and establishes clear performance expectations and obligations for both the TPS and the ODFI.
- Conduct Due Diligence During Onboarding and Regularly: Originator and TPS due diligence is required by the ACH Rules and is essential for risk mitigation. Performing due diligence before entering a TPS relationship provides critical insight into the potential TPS and supports your institution's decision on whether to establish the relationship. Require comprehensive documentation from the potential TPS, including detailed Originator information, to establish effective monitoring and control. Have a plan to conduct ongoing due diligence and regularly review transaction activity to verify it aligns with your expectations and understanding of your TPS. Building a close working relationship with your TPS strengthens this oversight by increasing visibility into their operations.
- Request Past ACH Audits: If a TPS previously processed ACH transactions through another ODFI, verify completion of the required ACH Audit by requesting documentation for up to six years, as appropriate based on their processing history. An audit report provides stronger assurance of compliance than a simple attestation letter. If no prior audit documentation exists, confirm an audit will be completed by December 31st of the current year and that their ACH Compliance Audits will continue annually thereafter.
- Establish Risk-Based Requirements and Control Framework: Develop a comprehensive requirements checklist before beginning the TPS onboarding process to ensure clarity and consistency. This should include external requirements for the TPS (such as documentation, reporting and compliance materials) and internal requirements for your staff, including review procedures and oversight responsibilities. Establish a corresponding control framework to ensure comprehensive and consistent risk mitigation. It is important to regularly evaluate and update these requirements and controls to maintain alignment with your evolving risk profile.
While this information provides foundational guidance rather than exhaustive coverage, it serves as a practical starting point for deciding whether to engage TPSs and establishing initial implementation steps.
You can also find a host of resources to help manage Third-Party Sender (TPS) compliance on our Third-Party Sender User page. For financial institutions reviewing their TPS clients, we recommend tools like the ODFI Audit Checklists for Originators and TPS to help assess client compliance and our Sample ODFI-TPS Agreement for clearly defining roles and responsibilities.
For TPSs themselves, we offer the Third-Party Sender ACH Audit & Risk Assessment Workbooks, which guide you through the process, document your compliance level and provide a report of findings.
Our Third-Party Sender Bundle includes expert-led webinars, self-paced courses and publications to help you navigate the ACH Rules, audits, risk management and more. From sample policies to quick references, gain the tools you need to strengthen your oversight and support of Third-Party Senders. After purchasing, financial institutions can invite their Third-Party Senders and Service Providers to access the bundle at no additional cost!