Third-Party Sender Audits: What Should ODFIs Be Doing?

By Matthew Wade posted 21 days ago

Nacha issued ACH Operations Bulletin #3-2025 on September 11th announcing that, beginning in October 2025, proof of audit requests will move to an automated process and will be sent directly to the ODFI, which must provide the requested documentation. This change will make requests more efficient and secure while allowing Nacha to increase the total number of audit requests, including those for Third-Party Senders.

With the first batch of automated requests having gone out recently, now is a great time for our financial institution members to review their processes for verifying Third-Party Sender ACH Audit compliance.

Many of our members have asked how far a financial institution should go in confirming that their Third-Party Senders have completed their annual ACH Audit. While the ACH Rules do not provide explicit instructions on this matter, EPCOR encourages all financial institutions to include confirmation of a Third-Party Sender’s annual ACH Audit in their ODFI Risk Management Program. Subsection 2.2.3, ODFI Risk Management, of the ACH Rules requires an ODFI to perform due diligence on each Third-Party Sender sufficient to form a reasonable belief that the Third-Party Sender has the capacity to perform its obligations in conformance with the Rules.

Part (a) of that Subsection further states that the ODFI must assess the nature of the Third-Party Sender’s ACH activities and the risks it presents. EPCOR believes this due diligence should include confirmation that Third-Party Senders have completed their required ACH Audits and Risk Assessments in compliance with the Rules.

The next common question is what documentation a financial institution should obtain to confirm that a Third-Party Sender has completed its ACH Audit. While the ACH Rules do not define what constitutes proof of an audit, we’ve seen members take a variety of approaches to determine what works best for their institutions, including:

  • Full audit report: Some financial institutions request the complete report, including supporting workpapers.
  • Audit certification letter: Others rely on a formal letter from the audit provider confirming completion.
  • Institution-provided checklist: Some institutions offer their own checklist for the Third-Party Sender to complete.
  • Simple confirmation: A few may accept an email, or even verbal, confirmation that the audit was performed.

All these methods provide proof of completion, though their level of detail and usefulness can differ. We recommend that your financial institution not only request the full audit report from the Third-Party Sender but also incorporate a review and evaluation of that report as part of your periodic due diligence. Reviewing the full audit can provide valuable insights into the quality of the audit and any areas of potential concern.

Depending on the expertise and qualifications of the auditor, the ACH Audit report can be a valuable tool for evaluating a Third-Party Sender’s compliance efforts. Even if the audit is conducted internally, there should be a formal report that includes:

  • The audit scope,
  • Key audit topics,
  • Findings and recommendations and
  • An overall audit summary.

Obtaining the full audit report gives financial institutions an indication of the audit’s quality. Minimal or ambiguous information may suggest the audit was not performed by a fully qualified auditor. While an audit that “checks the box” may satisfy compliance, it may not demonstrate that the Third-Party Sender is performing ACH activities proficiently.

It is equally important to assign designated personnel to review the full audit report for potential concerns. If findings or recommendations are identified, the financial institution should:

  • Discuss remediation plans with the Third-Party Sender.
  • Ensure appropriate actions are being taken to address issues.
  • Monitor the severity of findings to mitigate potential risks to the ODFI.

This approach helps ensure that audit results translate into actionable insights and risk mitigation.

Reviewing the Third-Party Sender’s full audit report can also reveal ACH activities of which the ODFI may not be aware. For example, a Third-Party Sender might indicate it does not work with Nested Third-Party Senders, yet the audit uncovers and tests these relationships. Other findings could include Reinitiated Entries or use of unapproved Standard Entry Class (SEC) Codes. These insights should prompt discussions with the Third-Party Sender and may lead to updates in agreements, processes or internal policies.

Finally, ODFIs should be aware of any technical exceptions to ACH Rules compliance uncovered in the Third-Party Sender’s audit. Ongoing or significant exceptions (such as issues with Notifications of Change (NOCs), Reversals or other transactions) can increase risk exposure for the ODFI. When these are identified, the ODFI should provide guidance and support to help the Third-Party Sender address the issues. These types of exceptions are unlikely to be captured through a simple audit confirmation letter or email.

If you receive a proof of audit request from Nacha for your Third-Party Sender(s), remember EPCOR is here to help you navigate the request. For additional guidance on managing the audit process for your Third-Party Sender clients, reach out to our Advisory Services team. We can provide expert support, help you review audit reports and offer practical recommendations to strengthen your risk management practices.

Stay on top of Third-Party Sender audits and compliance with our Third-Party Sender Bundle! This collection of four expert-led webinars, five on-demand courses and two practical publications is designed to help verify ACH Audit performance, review audit reports effectively and strengthen due diligence practices. After purchasing, you can also invite your Third-Party Senders and Third-Party Service Providers to access the bundle at no additional cost!
