The ACH Rules require Third-Party Service Providers (TPSPs), which include Third-Party Senders (TPSs), to perform an annual ACH Compliance Audit.
In 2024, our Advisory Team performed a record number of these audits for a wide range of TPSPs and TPSs, including payroll processors, bill pay and banking platform providers, healthcare and employee benefit payment companies, government-type payment facilitators and various other payment intermediaries.
Across the spectrum of TPSPs that we audit, our team frequently sees the same audit findings recur. Let’s discuss the more common and significant audit findings we observed during 2024, along with suggestions for remediation.
Audits
Our Advisory Team performed several first-time ACH Compliance Audits for TPSPs and TPSs in 2024. This is primarily due to the continued influx of new players entering the ACH Network, which is exciting to see as the network continues to grow! We have observed that some TPSs may not yet be fully aware of their obligation to conduct an audit. However, as financial institutions continue to make efforts to inform their TPS clients of their audit obligation, requests from these TPSs increase, and we hope to see that trend continue.
Risk Assessments
Another common finding is that some TPSs have not yet completed an ACH Risk Assessment. While this isn’t an annual requirement, TPSs must perform an ACH Risk Assessment per ACH Rules Subsection 1.2.4, Risk Assessments, and then establish a Risk Management Program based on that risk assessment. It is worth noting that although the risk assessment requirement only applies to TPSs, it would be wise for other TPSPs to perform risk assessments of their ACH functions as well. To learn more about this, check out our Did You Know video, Risk Management Programs for Third-Party Senders, where we discuss this topic in more detail.
Risk Management
ACH risk management is a broad audit topic, and we offer several key recommendations to TPSs. This requirement derives from two areas of the ACH Rules: Subsection 1.2.4, which stipulates that the ACH Risk Assessment be used as the basis for an ACH Risk Management Program and Subsection 2.2.3, ODFI Risk Management (which also applies to TPSs). The latter Rule requires the TPS to perform due diligence on each Originator and Nested TPS to assess the nature of the Originator or Nested TPS’s ACH activity, implement and enforce exposure limits for each Originator or Nested TPS and monitor ACH return activity.
This can be a tall order, especially for TPS personnel who don’t consider themselves bankers, and we often find deficiencies in this area. Common gaps include missing ACH-related policies, procedures and controls; no exposure limits established for individual Originators; no periodic assessment of individual Originators’ ACH activity; and insufficient reporting of ACH volumes, returns and losses. There is no defined formula or methodology for an ACH Risk Management Program. TPSs should structure the program based on their business model and ACH use cases, their specifically identified ACH risks and their clientele.
However, some key components should include:
- A thorough Know-Your-Customer (KYC) and onboarding due diligence process,
- Risk Assessments of individual Originator/Nested TPS ACH activity and
- Establishment of monitoring and reporting systems.
Office of Foreign Assets Control (OFAC) monitoring continues to be an area of confusion for TPSs. While OFAC is not always seen as a primary ACH compliance issue for TPSPs and TPSs, it remains a key regulation. TPSPs and TPSs share risk with their ODFIs, particularly when third parties are involved. Our auditors have increasingly noted confusion regarding OFAC requirements, with many TPSs unaware of their responsibilities due to limited guidance from their ODFIs. TPSs should proactively discuss OFAC requirements with their ODFIs to ensure all parties understand their respective roles and responsibilities.
Agreements
A very common ACH compliance issue we run into relates to exceptions or omissions of ACH Origination Agreement provisions required under Subsection 2.2.2.2, ODFI Must Enter Origination Agreement with Third-Party Sender, of the ACH Rules. Items (h) and (i) under Subsection 2.2.2.2 require TPSs to execute ACH Origination Agreements with each Originator or Nested TPS that closely resemble the agreements ODFIs execute with Originators. TPSs tend to have unique contractual agreements with their client Originators, but often the agreements are silent regarding the use of ACH in the services being provided. We generally recommend that TPSs create an “ACH Addendum” containing all the minimum requirements of the ACH Rules that can be attached to their existing agreements.
Reinitiated Entries and Micro-Entries
Two audit topics that often result in similar findings are Reinitiated Entries and Micro-Entries. Compliance issues noted with these types of Entries include improper use, inadequate disclosure on the ACH authorization and improper formatting. The ACH Rules related to Reinitiated Entries can be found in Subsection 2.13.4, while Section 2.7 provides the Rules related to Micro-Entries. The use of these types of Entries is growing, and along with that growth, more exceptions are bound to follow. Inadequate and unclear disclosures for Reinitiated Entries and Micro-Entries can lead to higher levels of return entries, among other issues.
Final Thoughts
While we have discussed some of the frequent audit issues found by our Advisory Team during audits of TPSPs and TPSs in 2024, those don’t represent all issues found. Other audit findings include not establishing Originator exposure limits, delays in communicating Notifications of Change (NOCs) to Originators, incorrect assignment of Standard Entry Class (SEC) codes, insufficient authorization language and inadequate monitoring of Originator return rates.
If you’re a TPSP or TPS and have any questions or concerns, your financial institution is ready to help! And if you’re a financial institution, don’t forget to share these resources with your third-party clients to support ongoing compliance and education. You can also find a host of resources to help with Third-Party Sender compliance on our Third-Party Sender User page, including our Third-Party Sender ACH Audit & Risk Assessment Workbooks, which guide you through the process, document your compliance level and provide a report of findings.
Our Advisory Team also offers Third-Party Sender ACH Audits, Risk Assessments and consulting services to help you maintain compliance and strengthen your program. Reach out to advisoryservices@epcor.org to learn more!
Need Help Tackling Third-Party Sender Compliance? Explore our Third-Party Sender Bundle for a collection of resources designed to help you stay audit-ready and compliant. Featuring expert-led webinars, on-demand courses and practical tools, this Bundle walks you through risk assessments, ACH Origination Agreements, due diligence best practices and more! After purchasing, financial institutions can invite their Third-Party Senders and Third-Party Service Providers to access the bundle at no additional cost!