ACH Rules Subsection 1.2.2.1 indicates that DFIs, Third-Party Senders (TPSs) and Third-Party Service Providers (TPSPs) “must annually conduct, or have conducted, an audit of its compliance with these Rules”. Furthermore, this same ACH Rules subsection sets a deadline of “no later than December 31 of each year”. On top of that, Subsection 1.2.2.2 indicates that participating DFIs “must retain proof that it has completed an audit of compliance” and that this proof “must be retained for a period of six years from the date of the audit”. With December 31st, 2023, right around the corner, our auditors are extremely busy, and many financial institutions are performing audits as we speak, before that bell rings.
But what happens if your organization doesn’t meet that December 31st deadline? What if you just didn’t complete the annual ACH Audit at all? What is the worst that could happen? Well…
- Internally, your internal audit function has failed to comply with a key rule governing the ACH Network. This becomes a credibility issue, as maybe other audits haven’t been completed or maybe your audit area is lacking resources.
- The ACH audit, performed by an independent body other than your ACH staff, helps serve as quality control for your financial institution. If one wasn’t performed timely or at all, then any controls or procedures supporting the ACH function that are performed poorly may not be spotted or corrected. This could result in losses and other types of risk exposure. In other words, the ACH audit helps perform quality control for the department performing ACH duties.
- ACH audits typically review Origination Agreements and the enforcement of them with the Participating DFI’s account holders originating ACH. If the audit wasn’t completed, it’s an additional set of eyes missing on any ACH Originators who may be violating the rules or the terms of the agreement. Furthermore, ACH audits can help ensure that Origination Agreements are current and compliant with any recent rule changes. Outdated agreements or failure to ensure that ACH Originators are being properly monitored, reviewed or audited could open the financial institution up to losses or liability. Remember, the Origination Agreement is a binding contract.
- Nacha, per Subsection 1.2.2.2 of the ACH Rules, has the right to request the “proof of completion” of Participating DFIs, Third-Party Service Providers (TPSPs) and Third-Party Senders (TPSs). This request will go to the Participating DFI, even if it’s requesting proof of completion for a TPS or TPSP. Then, the TPS or TPSP must provide the necessary information to the Participating DFI acting as ODFI within 10 banking days of the receipt of the formal request by Nacha. Failure to respond or provide proof of the audit’s timely completion could result in a Class 2 Nacha Rules Violation, which could cost the Participating DFI up to $100,000 per month in fines until the problem is resolved (Subsection 9.4.7.4). And if the Class 2 violation occurs for three consecutive months, it becomes a Class 3 violation with a fine of $500,000 monthly and would be reported to federal/state banking agencies and various other government agencies.
- Federal (Federal Reserve, FDIC or OCC) and State Examiners typically review audit work and, knowing that the ACH audit is required by the ACH Rules, tend to check that a participating DFI has completed its ACH audit timely. If they detect that an ACH audit wasn’t performed or completed timely, this may result in a finding presented to your Board of Directors and executive management. On the federal side, the lack of an ACH audit could receive a “matter requiring board’s attention” label and may result in an “unsatisfactory” or “needs improvement” status of an examination. This could limit a financial institution’s opportunities, such as acquiring or merging with another institution, among other things.
- ACH audits have evolved to become more risk-based, and if an audit hasn’t been performed or completed timely, then the ACH function’s risk assessment, which lays out risks, controls, compliance with rules, system and third-party service provider controls and other risk-related matters, may not have received proper attention. Adding to the previous point, federal examiners do focus on ensuring that risk assessments have been completed for the different areas of the financial institution. If they notice an incomplete ACH risk assessment or a clear lack of reviews of it, this too can result in an examination finding.
In short, there are potential consequences if your institution decides not to complete an ACH audit or fails to do so by December 31st. It could open you up to compliance issues, internal issues, losses or liability and exposure to different types of risks, create federal examination findings that limit your opportunities, or result in very expensive fines. On top of that, you’re lacking the quality control to independently review your ACH function.
If you need any help with your annual ACH Audits, we’re here for you! Although our calendar is almost full, we have an ACH Audit Workbook to guide you along the way. And, consider joining us on November 29th for our Completing Your ACH Audit & Risk Assessment webinar. Happy auditing!