The ACH Rules require Third-Party Service Providers (TPSPs), which include Third-Party Senders (TPS), to perform an annual ACH compliance audit. The number of TPSP/TPS audits performed by EPCOR continues to trend upward year after year, and has included a wide range of organizations, including payroll servicers, healthcare payment providers, bill pay providers, banking platform providers and various other types of payment intermediaries.
Across the spectrum of TPSPs that EPCOR audits, there are several audit findings that our team frequently sees during those engagements. Let’s talk about the more common, and significant, audit issues we observed during 2023, along with suggestions for remediation.
Audits
In 2023 EPCOR continued to perform many first-year ACH audits for TPSPs and TPSs. It is anticipated that this trend will continue, as more entities become aware of, and subject to, these ACH Rules requirements, and as more payment intermediaries enter the ACH Network. What we are seeing, fortunately, is that once TPSPs and TPSs become aware of the ACH audit requirement, they are prudent to ensure the audits are continually performed annually. Third parties are being reminded to not only perform the audit annually but to maintain documentation of those audits for six years as required by the ACH Rules. See ACH Rules, Subsection 1.2.2, Audits of Rules Compliance for more information.
Risk Assessments
Last year EPCOR also performed a record number of TPS ACH Risk Assessments. Most assuredly, that increase in the volume of TPS ACH Risk Assessment engagements is due to audit findings in prior years, which have contributed to the awareness of the ACH Rules requirement. However, not conducting a Risk Assessment continues to be a common issue, and will be until this Rule, which went into effect on September 30, 2022, is communicated more broadly throughout the Network. This Rule is found in Subsection 1.2.4, Risk Assessments. Please note that the requirement for an ACH risk assessment does not apply to all TPSPs, but only those who participate as TPSs.
ACH Risk Management Program
Deficiencies in the ACH Risk Management Program continue to be significant audit findings for TPSs. This requirement derives from two areas of the ACH Rules: Subsection 1.2.4, which stipulates that the ACH Risk Assessment be used as the basis for an ACH Risk Management Program, and Subsection 2.2.3, ODFI Risk Management (which also applies to TPSs). The latter Rule requires the TPS to perform due diligence on each Originator (and Nested TPS), to assess the nature of the Originator or Nested TPS’s ACH activity, implement and enforce exposure limits for each Originator or Nested TPS and monitor ACH return activity. This can be a tall order, especially for TPS personnel who don’t consider themselves bankers, and we often find deficiencies in this area. Common deficiencies include a lack of appropriate ACH-related policies, procedures and controls; failure to establish exposure limits for individual Originators; missing periodic assessments of each Originator’s ACH activity; and insufficient reporting of ACH volumes, returns and losses. There is no defined formula or methodology for an ACH Risk Management Program. Each TPS should structure the program based on its business model, ACH use cases, specifically identified ACH risks and clientele. However, some key components should include: (1) a thorough know-your-customer (KYC) and onboarding due diligence process, (2) risk assessments of individual Originator/Nested TPS ACH activity and (3) establishment of monitoring and reporting systems.
Agreements
Another common audit finding relates to noncompliance with or omissions from some of the provisions required under Subsection 2.2.2.2, ODFI Must Enter Origination Agreement with TPS. Items (h) and (i) under this section require TPSs to execute ACH Origination Agreements with each Originator, or Nested TPS, that closely resemble the agreements ODFIs execute with Originators. We find that all TPSs have contractual agreements, or detailed Terms & Conditions, with their client Originators but many times the agreements fail to include the specific, minimum ACH provisions found in Subsection 2.2.2.1(a – f) of the ACH Rules. In response to reasonable resistance from many TPSs regarding complete overhaul and repapering of agreements with all originating clients, EPCOR often recommends TPSs create an “ACH Addendum” that can be added to their existing agreements without a complete repapering project.
Reinitiated Entries
For TPSs originating ACH consumer debit entries, EPCOR is repeatedly discovering issues related to reinitiated entries. The three biggest errors related to “Retry Payments” are improper use, inadequate disclosure (on the ACH authorization) and improper formatting. The Rules for reinitiated entries, found in Subsection 2.13.4, dictate that an entry can only be reinitiated a) when the original entry was returned for NSF, b) after a stop payment return and with separate subsequent authorization or other corrective action to remedy the return. Also, an entry can be reinitiated a maximum of two times. As for formatting, “RETRY PYMT” is required to be in the company entry description field of the batch header record. We often find reinitiated entries transmitted more than two times or without the proper file formatting. Another exception we have noted is the use of a reinitiated entry after the receipt of an unauthorized entry.
Micro Entries
Yet another audit finding that seems to be on the increase relates to micro entries. As the volume of micro entries increases, so too do errors in their use. Common errors found with micro entries are a) entries greater than $1.00, b) debit entries that exceed the dollar amount of corresponding credit entries and c) improper formatting. Per Section 2.7 of the ACH Rules, micro entries must be less than $1.00, and the debit(s) may not exceed the credit(s). Also, similar to reinitiated entries, micro entries require specific formatting in the company entry description field of the batch header record (“ACCTVERIFY”). Finally, we sometimes find that micro entries are not properly or sufficiently disclosed on ACH authorizations. The disclosure is more of an Originator responsibility, but TPSs sometimes facilitate and/or utilize micro entries on behalf of their origination clients, so the TPS needs to ensure their proper use.
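A pre-transmission check for the reinitiated-entry and micro-entry rules described in the two sections above, as an added example that is not EPCOR's or Nacha's code. It reads the Company Entry Description from positions 54-63 of each batch header in a fixed-width NACHA file and applies the limits as this article states them. The sample records, the `retry_ledger` structure and the reason labels are constructed assumptions.

```python
# Added example. Offsets follow the fixed-width 94-character NACHA record layout.
# The sample records, identifiers and retry ledger are constructed for illustration.
RETRY, MICRO = "RETRY PYMT", "ACCTVERIFY"

def check_file(lines, retry_ledger):
    """retry_ledger (hypothetical): Individual ID Number -> (return reason,
    new authorization obtained, count of earlier reinitiations)."""
    findings, desc, batch, credits, debits = [], "", "", 0, 0
    for rec in lines:
        if rec[0] == "5":                      # batch header record
            desc, batch = rec[53:63].strip(), rec[87:94]  # Company Entry Description
            credits = debits = 0
        elif rec[0] == "6":                    # entry detail record
            code, cents, ident = rec[1:3], int(rec[29:39]), rec[39:54].strip()
            if desc == MICRO:
                if cents >= 100:
                    findings.append((batch, ident, "micro entry not under $1.00"))
                # Simplification: codes ending in 2 are credits, in 7 debits.
                credits += cents if code[1] == "2" else 0
                debits += cents if code[1] == "7" else 0
            if ident in retry_ledger:          # entry is a reinitiation
                reason, reauthorized, earlier = retry_ledger[ident]
                if desc != RETRY:
                    findings.append((batch, ident, "retry without RETRY PYMT"))
                if not (reason == "NSF" or (reason == "STOP_PAYMENT" and reauthorized)):
                    findings.append((batch, ident, "retry not permitted: " + reason))
                if earlier >= 2:
                    findings.append((batch, ident, "more than two reinitiations"))
        elif rec[0] == "8" and desc == MICRO and debits > credits:  # batch control
            findings.append((batch, "", "micro debits exceed credits"))
    return findings

def header(desc, batch):                       # builds a constructed batch header
    return ("5200" + "EXAMPLE CO".ljust(16) + " " * 20 + "0000000000" + "WEB"
            + desc.ljust(10) + " " * 6 + "240102" + "   " + "1" + "00000000"
            + str(batch).zfill(7))

def entry(code, cents, ident):                 # builds a constructed entry detail
    return ("6" + code + "000000000" + "000123".ljust(17) + str(cents).zfill(10)
            + ident.ljust(15) + "SAMPLE RECEIVER".ljust(22) + "  0" + "0" * 15)

SAMPLE = [
    header(MICRO, 1), entry("22", 7, "M1"), entry("22", 12, "M2"),
    entry("27", 25, "M3"), "8".ljust(94),
    header("RETRY PMT", 2), entry("27", 5000, "INV1001"), "8".ljust(94),
    header(RETRY, 3), entry("27", 7500, "INV1002"), "8".ljust(94),
]
LEDGER = {"INV1001": ("NSF", False, 2), "INV1002": ("UNAUTHORIZED", False, 0)}
print(*check_file(SAMPLE, LEDGER), sep="\n")
```

The retry history has to come from the TPS's own return processing, since the file itself does not record why or how often an entry was previously returned.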
Final Thoughts
Above are some of the frequent audit issues found by EPCOR during its audits of TPSs and TPSPs in 2023. But of course, those don’t represent all issues found. Other audit findings for TPSs from 2023 include failure to establish Originator exposure limits, failure to communicate NOCs to Originators in a timely manner, incorrect assignment of Standard Entry Class (SEC) Codes, insufficient authorization language and a lack of monitoring of Originator return rates.
EPCOR’s team of experts is also available to assist with Third-Party Sender Audits or any other payments items or issues on your list. Reach out to advisoryservices@epcor.org for more information.