The Power of Written Procedures

By Liz Cone posted 04-21-2025 15:00

  

It’s hard to believe we’re already in the second quarter of 2025! Flowers are blooming, the weather is beginning to warm up and summer is just around the corner. Many people use this opportunity to do a little cleaning around their house to freshen up and get rid of the dust and grime from winter. From an ACH operations perspective, it’s also a good idea to look over your current processes and written procedures and do a little spring cleaning, so to speak.

Are Written Procedures Required?

While the ACH Rules do not require Participating DFIs, Third-Party Senders (TPSs) or Third-Party Service Providers (TPSPs) to develop written procedures for ACH processes, written procedures can play an essential part in your ACH program. Procedures can assist staff in their day-to-day duties and ensure that processes align with the ACH Rules. This can help prevent errors that may lead to a Rules violation or even fines assessed by Nacha. Staff can also use procedures to handle uncommon scenarios, such as Dishonored Returns or Proof of Authorization requests.

It can be challenging to recall the steps to take and the various Rules requirements associated with the ACH processes that are not part of daily operations. It is also crucial that written procedures align with your board-approved ACH policy. For example, if your ACH policy states that your institution, as an RDFI, will not transmit Notifications of Change (NOCs), then the written procedures for handling non-post and exception items should note that those items are returned rather than corrected. From an ODFI standpoint, if your ACH policy prohibits the origination of specific Standard Entry Class (SEC) Codes such as “WEB” or “TEL,” onboarding and due diligence procedures should include steps to determine the method Originators, as well as internal departments, will use to obtain debit authorizations and should also confirm that only approved SEC Codes are being processed.

When developing written procedures, each participating DFI should consider what Rules apply to their ACH program and not just whether a particular event has occurred. For instance, the receipt of a Proof of Authorization (POA) request is not common, but if the ODFI does process Debit Entries, it is possible that a POA request could be received. To be sure that staff would handle the request in compliance with applicable Rules, detailed procedures should be developed that include specifics, such as the timing that the response should be provided to the RDFI.

From an audit perspective, it is difficult to determine if your financial institution would comply with the ACH Rules when there are no samples to review; therefore, having detailed procedures in place for your auditor to review can indicate to the auditor that you would be able to comply with the ACH Rules if or when you receive a POA request.

How Detailed Should Procedures Be?

Since the ACH Rules don’t require written procedures, nothing prescribes what they should include or how detailed they should be. From a risk perspective, procedures should be as detailed as possible and include step-by-step instructions, names of systems used, titles of reports and screenshots to assist staff in accurately following the process. Written procedures should also be considered in a participating DFI’s business continuity plan, as well as during any testing phases and during risk assessments. Written procedures also shouldn’t cover only daily tasks; they should include procedures to be followed during disaster recovery or in the event of staff turnover.

Some things to consider:

  • If a situation occurred where the primary person responsible for daily ACH processing was unable to perform that function, whether due to departure from the organization or some other event, would additional staff have sufficient procedures in place to be able to perform this function in compliance with both internal policies and the ACH Rules?
  • Do your organization’s written procedures and processes allow for the separation of duties and risk mitigation?
  • Are your organization’s procedures in a format that is easily accessible by staff and stored in a location, such as an intranet or shared drive on a server, that can be accessed in the event of a disaster?

How Frequently Should Procedures Be Reviewed?

Procedures should be reviewed and updated as needed, at least annually or when processes change. Individuals responsible for specific job duties should review the procedures each year to ensure that what is written is still the process in place. Your organization’s procedures should also be reviewed against ACH Rules requirements and changes to ensure compliance. Once any recommended edits have been made, another individual should perform that process using the written procedures to confirm that the procedures are clear and easy to follow. The finalized procedures should be communicated to staff, and those responsible for any aspect of the process should receive additional training.

A good practice to maintain the accuracy of written procedures is to schedule a review at the same time each year. In the spirit of spring cleaning, the beginning of the second quarter might be a good time for that. Plan ahead so staff are expecting this task and be sure to communicate the importance of the review. Procedures can be a powerful risk mitigation tool and might be all you need to save your organization the cost of dishonored returns, ACH Rules violations and Nacha fines.

    

Ready to direct the next blockbuster in payments operations? Our Advisory Team is your behind-the-scenes crew here to help you fine-tune your policies and procedures so your institution stays in compliance and audit-ready. Whether you're rewriting the script to align with the latest ACH Rules, updating your documentation for the sequel or just need a trusted co-director to catch any plot holes, we’ve got you covered. Reach out today for a free, no-obligation quote!