Refining Policies and Procedures
- Finding: Key information regarding governance, risk management and operational processes was frequently noted to be missing from policies that should provide staff with clear guidance on all acceptable activities. Procedures often omitted sufficient detail to guide employees. In some cases, formal written procedures did not exist at all. The absence of documented procedures increases the risk of processing errors, inconsistent practices and gaps in compliance with the ACH Rules, regulatory requirements and guidance.
- Recommendation: Policies should clearly define how ACH, RDC and wire transfer programs operate within the financial institution’s internal control framework and support the objectives established by the Board of Directors. Develop or enhance formal, written operational procedures for ACH, RDC and wire transfer functions, while providing step-by-step guidance and instructions for daily operations, exception handling and risk escalation.
Tailoring Risk Assessments
- Finding: Risk assessments were often inadequate, outdated or nonexistent. Many financial institutions relied solely on enterprise or IT risk assessments that did not evaluate channel-specific risks such as compliance, fraud and operational risks.
- Recommendation: Implement individual risk assessments specifically tailored to ACH, RDC and wire transfer operations. Evaluate the unique risks inherent to each payment channel. Establish a formal review and update cycle, preferably every 12 to 18 months, or sooner if there are significant changes to the product or regulatory environment. By formalizing a process for periodic and more detailed assessments, financial institutions would be better positioned to identify inherent risks, meet heightened regulatory expectations and ensure all key components of ACH, RDC and wire transfer programs are thoroughly evaluated.
ACH Audit Findings: Sharpening Rules Compliance
ACH audits in 2025 revealed areas where ACH Rules compliance needs to be focused.
RDFI Returns Processing
- Finding: Multiple Dishonored Return Entries were received for Field Errors, Duplicate Returns and Untimely Returns, indicating a processing deficiency.
- Recommendation: Provide additional training for staff who handle outgoing Returns and review the requirements of Appendix Four of the ACH Rules.
Written Statements of Unauthorized Debit (WSUD) Handling
- Finding: WSUDs were often found to be incomplete. Common errors included missing signatures, incorrect Return Reason Codes and the improper practice of documenting entries from multiple Originators on a single form.
- Recommendation: Ensure an accurately completed WSUD form is obtained prior to initiating an Extended Return, and appropriate Return Reason Codes are used. Staff responsible for processing WSUD forms should thoroughly review the documentation before initiating a Return. Review processes and procedures with staff to mitigate the risk in the processing of WSUD forms and Extended Returns.
ODFI Incorrect Use of Standard Entry Class (SEC) Codes
- Finding: Review of ACH Files, created by both corporate Originators and financial institutions for internal origination purposes, identified improper SEC code usage.
- Recommendation: Incorporate a review of Originator ACH Files into ongoing due diligence processes. Provide additional training to Originators and internal staff responsible for initiating ACH Entries regarding appropriate SEC Code use.
RDC: Enhancing Security and Clarity
RDC audits highlighted opportunities to further strengthen program oversight and client understanding.
Agreements and Disclosures
- Finding: Merchant agreements were often missing language regarding internal controls and business continuity. Similarly, consumer mobile deposit terms frequently omitted details on deposit confirmations and security incident reporting.
- Recommendation: Review and update merchant agreements and consumer disclosures to reflect internal controls, business continuity expectations and reporting security incidents.
Missing or Improper Endorsements
- Finding: Financial institutions accepted checks without proper restrictive endorsements, significantly increasing the risk of duplicate presentment.
- Recommendation: Align review practices with mobile deposit policies. Consider implementing review thresholds based on risk appetite and periodically reviewing RDC merchant deposits for proper endorsements to prevent operational inefficiencies.
Insufficient User Education and Training
- Finding: Many financial institutions lacked ongoing RDC client education, leaving clients unaware of fraud risks, endorsement requirements and retention obligations.
- Recommendation: Implement a periodic training program for RDC clients covering fraud prevention, proper endorsements, system usage and check retention or destruction.
Wire Transfers: Strengthen Governance and Oversight
Wire transfer audits underlined governance, documentation and oversight development opportunities.
Incomplete Documentation and Procedural Exceptions
- Finding: Missing wire confirmations, failure to perform required callback verifications and accepting wire requests through channels not approved in policy.
- Recommendation:
  - Enhance Documentation Retention Processes. Ensure all fields on wire transfer authorization forms and checklists are thoroughly completed and accurately documented. Implement a mandatory process requiring all wire transfer confirmations to be saved in a centralized, accessible and secure location.
  - Strengthen Verification Procedures. Document callback verifications in detail (i.e., who, when, how).
  - Update Wire Transfer Policy, Procedures and Staff Training. Clearly define acceptable methods for receiving wire transfer requests. Specify security requirements and mandatory verification steps. Conduct training sessions to ensure all applicable staff are aware of the updated policy requirements and understand the risks associated with accepting wire transfer requests.
Inadequate, Outdated or Missing Wire Transfer Agreements
- Finding: Incomplete or unsigned agreements, outdated agreements that do not reflect current practices or client responsibilities and instances where no formal agreement existed. Processing wire transfers without a formal agreement increases institutional liability and reduces legal protections in the event of financial loss or litigation.
- Recommendation:
  - Formalize and execute agreements. Ensure that a formal, written wire transfer agreement is in place and fully executed by both the client and the financial institution's authorized representative.
  - Enhance agreement content. Include topics such as authorized users, security protocols, verification procedures, operational details (funding requirements) and legal provisions. Have legal counsel review the agreement template prior to use.
  - Conduct a periodic review. Identify executed agreements that are outdated or no longer reflect current regulatory requirements or operational practices. Review and "repaper" agreements for legacy or acquired banking relationships to ensure they align with the financial institution's current responsibilities, obligations and legal protections.
Reporting Not Provided to Board of Directors, or Designated Committee(s)
- Finding: Wire transfer reporting was often minimal, lacked meaningful detail or was not provided consistently. Without detailed representations of wire activity, financial institutions may not be equipped to identify fundamental risks related to their product offerings.
- Recommendation:
  - Establish consistent reporting frequency by formalizing reporting in policy and defining the required content and frequency of board reporting.
  - Enhance reporting details by including transaction volume and value totals, separating activity into detailed subcategories (such as domestic vs. international, consumer vs. non-consumer, internal, cash management, etc.) and including risk and performance indicators such as policy exceptions, errors, losses and attempted or successful fraud instances.
The consistency of these findings and observations across differing payment channels demonstrates that foundational control weaknesses continue to present elevated risk for many financial institutions. Without clear policies, detailed procedures and effective oversight, financial institutions may struggle to manage operational, compliance and fraud risks as payment activity expands. Strengthening these core components remains critical to maintaining a sound control environment, meeting regulatory requirements and expectations and safeguarding payment services.