Title: The ACH and Risk Management
The ACH and Risk Management
Agenda
- The ACH Network
- ACH Network Participants
- Legal Framework of the ACH Network
- Risk Background
- Types of ACH Risk
- Avoiding ACH Risk
- Nature of ACH Transactions and Commensurate Risk
- Additional Risk factors
- Auditing Guidelines
How The ACH Network Began
- Early 1970s - SCOPE (Special Committee on Paperless Entries)
- 1st ACH Association began in California in 1972
- NACHA was formed in 1974 to coordinate the ACH movement nationwide
- FRB became the ACH Operator, providing facilities, equipment and staff to handle the ACH transactions
- One private sector ACH Operator: Electronic Payments Network (EPN)
ACH Trends
ACH Risk
- 18,000 FIs using ACH
- 145 million consumers
- 2005 volume up to 13.9 billion transactions
- Commercial use of ACH Network up by 16 in 2005 (2 billion more than 2005)
- Over 4.5 million Corporations
NACHA's Mission is to promote the development of electronic solutions that improve the payments system for the benefit of its members and their customers.
ACH System Participants
Authorization
Receiver
Originator
ACH Operator
ODFI
RDFI
Risk Background
- $31 trillion in commercial transactions was processed by the ACH Network in 2005.
- This growth, coupled with the increase in the total value of ACH payments, provides incentive for DFIs to increase their awareness of ACH Risk.
- Concern about payment system risk among various banking groups and regulators is increasing.
Risk Background
- Operational and fraud risks related to cash management services are widely understood.
- Credit risk, however, is becoming more prevalent.
- To date, ACH related losses have been minimal.
- Continued risk management for ACH transactions will ensure that the losses remain low.
Types of ACH Risk
- Credit Risk
- Operational Risk
- Fraud Risk
Credit Risk: ODFI Exposure, Credit Origination
Timeline, Day 1 through Day 3:
- Originator deposits a $3mm Direct Deposit Payroll file with the ODFI.
- The ODFI deposits the file to the ACH Operator by Noon.
- RDFI makes funds available at opening of business.
- Receivers withdraw funds from accounts.
- At 1:30pm, the Originator files for Chapter 11 protection.
- ODFI experiences a potential $3mm loss.
ODFI's Exposure
Credit Risk: ODFI Exposure, Debit Origination
Timeline, Day 1 through Day 4:
- ACH debit file is sent from Company A to Bank A.
- Bank A processes the file and delivers the transactions to the ACH Operator.
- Bank A credits Company A's account for the total amount of the ACH debit file.
- ACH debit is received by Bank B.
- Bank B returns the ACH debit.
- Bank A receives the ACH debit return.
- Bank A charges back the ACH debit return to Company A.
ODFI EXPOSURE
Credit Risk Case Study
Chapter 1
- Untimely Returns
- On Sept. 27, an RDFI returned four ACH corporate (CCD) debits totaling $56,524.00. The original settlement dates for these debits ranged from Sept. 14-19. The RDFI held on to the debits because the Receiver's account was overdrawn and the RDFI wanted to see if the Receiver would fund the account. On Sept. 25, the originating company in this case filed for bankruptcy. The ODFI, faced with a potential $56,524.00 loss, filed suit against the RDFI, citing the fact that the returns were untimely.
- 1.) Which party is liable? Why?
- 2.) Name some preventive measures the RDFI (ODFI) could have taken.
- 3.) Would your financial institution have sustained a loss in this case?
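The debit-origination timeline above and this case study both turn on whether the RDFI's return reached the ODFI inside its return window. The following Python check is an added example, not part of the deck; it assumes the NACHA return deadlines (two banking days in general, 60 calendar days for consumer unauthorized returns such as R10) and constructs the four CCD debits of the case study with an assumed year and an assumed split of the $56,524.00 total.

```python
from datetime import date, timedelta

# Return windows assumed here from the NACHA Operating Rules; the deck itself
# states only the consumer 60-day right of recredit. An ordinary return must
# reach the ODFI by opening of business on the second banking day after the
# settlement date, so a return dated on or before that banking day is treated
# as timely; consumer unauthorized returns (R10 and similar) get 60 calendar days.
GENERAL_RETURN_BANKING_DAYS = 2
CONSUMER_UNAUTHORIZED_CALENDAR_DAYS = 60
CONSUMER_SEC_CODES = {"PPD", "CIE", "WEB", "TEL", "ARC", "POP", "BOC"}
CONSUMER_UNAUTHORIZED_REASONS = {"R05", "R07", "R10", "R51"}

def add_banking_days(start, n, holidays=frozenset()):
    """Advance n banking days from start, skipping weekends and listed holidays."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5 and d not in holidays:
            n -= 1
    return d

def return_deadline(settlement, sec_code, reason, holidays=frozenset()):
    """Last date on which the RDFI's return of this entry is timely."""
    if sec_code in CONSUMER_SEC_CODES and reason in CONSUMER_UNAUTHORIZED_REASONS:
        return settlement + timedelta(days=CONSUMER_UNAUTHORIZED_CALENDAR_DAYS)
    return add_banking_days(settlement, GENERAL_RETURN_BANKING_DAYS, holidays)

def is_timely(settled_iso, returned_iso, sec_code, reason, holidays=frozenset()):
    """True if a return dated returned_iso meets the deadline for an entry settled on settled_iso."""
    deadline = return_deadline(date.fromisoformat(settled_iso), sec_code, reason, holidays)
    return date.fromisoformat(returned_iso) <= deadline

def untimely_returns(returns, holidays=frozenset()):
    """Filter an ODFI's incoming returns down to those it may dishonor as untimely."""
    return [r for r in returns
            if not is_timely(r["settled"], r["returned"], r["sec"], r["reason"], holidays)]

# Constructed from the case study: four CCD debits settled Sept. 14-19 and all
# returned Sept. 27. The year (2006) and the split of the $56,524.00 total are assumed.
CASE_STUDY_RETURNS = [
    {"settled": "2006-09-14", "returned": "2006-09-27", "sec": "CCD", "reason": "R01", "amount": 12000.00},
    {"settled": "2006-09-15", "returned": "2006-09-27", "sec": "CCD", "reason": "R01", "amount": 15500.00},
    {"settled": "2006-09-18", "returned": "2006-09-27", "sec": "CCD", "reason": "R01", "amount": 14024.00},
    {"settled": "2006-09-19", "returned": "2006-09-27", "sec": "CCD", "reason": "R01", "amount": 15000.00},
]

def case_study_exposure():
    """Amount the ODFI can contest because every return missed its deadline."""
    return sum(r["amount"] for r in untimely_returns(CASE_STUDY_RETURNS))
```

Pass a set of `date` objects as `holidays` to account for bank holidays, which extend the two-banking-day window but not the 60-calendar-day one.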
Operating Risk
- Operational risk is defined as the risk that the exchange of ACH transactions will not be completed accurately or on time because of an operational failure at some point in the exchange process.
Operating Risk
- Examples of Operating Failure
  - Failure or unavailability of computer hardware and/or software
  - Failure of telecommunications equipment or circuits
  - Power failure
  - Human error
  - Staffing problems
  - Disasters (explosions, fire, flood, or earthquake)
Operating Risk Case Study
RDFI Risk: Unsubstantiated Unauthorized Debit
For several years, an insurance company originated 45 debits to a consumer's (Receiver's) account for premiums on a $250,000 life insurance policy. One day, a telephone request to return that month's debit as unauthorized was received at the RDFI from an individual claiming to be the consumer. Based on this telephone request, the debit entries for that month and the following month were returned. After receiving two returned debits for R10 (Consumer Advises Not Authorized), the insurance company canceled the consumer's life insurance policy. Subsequently, the consumer died and the insurance company refused to pay the life insurance claim from the beneficiary since the policy had been canceled due to the returned debits received from the RDFI. The insurance company subsequently learned that the RDFI had failed to obtain an affidavit from the Receiver. Restitution was sought by the beneficiary, which resulted in legal action against the insurance company and the RDFI.
1.) What party (or parties) are liable? Why?
2.) What preventive measures and Rules compliance should have taken place?
3.) Would your financial institution have sustained a loss in this case?
Fraud Risk
- Fraud risk is the risk that ACH data will be compromised through the introduction of false transactions, the alteration of valid transactions, or the alteration of static data that controls the routing or settlement of valid ACH transactions.
Fraud Risk Case Study
ODFI Risk: Employee Fraud
A programmer at an ODFI scans a file before forwarding it to the ACH Operator, and locates a large ($1 million) credit transaction destined for an RDFI where the programmer has a checking account under a false name. The programmer alters the file by placing his account number in the $1 million transaction. The next morning, the programmer drives to his bank and wires $1 million to his account in Zurich. Later that morning, the intended Receiver realizes that the expected transaction was not posted. The Originator requests reimbursement for $1 million from the ODFI for the payment that was misappropriated by the programmer.
1.) Who is liable in this case and why?
2.) What types of preventive measures should have been taken by the ODFI and RDFI?
3.) Would your financial institution have sustained a loss in this case?
Nature of ACH Transactions
- Consumer Transactions
  - 60 day right of recredit
  - Require an authorization
    - Written
    - Similarly authenticated
    - Notice Authorization
    - Oral authorization
  - Include certain Standard Entry Class Codes
    - PBR, PPD and CIE
    - The eCheck applications
Nature of ACH Transactions
- Corporate Transactions
  - 24 hour right of recredit
  - Require an agreement that binds both parties to the NACHA Operating Rules
  - Include certain Standard Entry Class Codes
    - Corporate Cross-Border Entries (CBR)
    - Corporate Cash Concentration and Disbursement Entries (CCD)
    - Corporate Trade Exchange Entries (CTX)
Additional Risk Factors
- Primary ACH Risk: the most common factors affecting the successful processing of an ACH transaction.
- Transaction Level Risk: lapses in security that affect the overall integrity of a transaction. Occurs many times in spite of an Originator's best efforts.
- Originator Level Risk: actions within the purview of the Originator's responsibilities that lead to an ACH transaction being compromised.
Additional Risk Factors
- Primary Risk
  - Unauthorized transactions
  - Returns/60 Day Right of Recredit
  - Account Numbers
  - ACH Returns due to Invalid Account Numbers
  - Fraudulently-used Valid Account Numbers
  - Closed Accounts
  - Non-Sufficient Funds
Additional Risk Factors
- Transaction-Level Risk
  - Transport Vulnerabilities: interception of financial data, usernames or passwords transmitted in an insecure environment.
  - Log-In, Username and Password Cracking: systematic generation and testing of usernames and passwords designed to fraudulently authorize a financial transaction.
  - One-Time Theft: Identity Theft.
Additional Risk Factors
- Originator-Level Risk
  - Employee-Initiated Fraud
    - Employees at Online Originators
    - Employees at Real World Originators
  - Spoofing (Phishing)
    - Website spoofing
    - Email solicitations
  - Originator Non-Delivery
ACH Annual Self-Audit
- Rule Compliance Audit Requirements
  - General audit requirements
    - Annual audit by December 1
    - Under the direction of audit committee, audit manager, senior level officer, or external examiner
    - Retained for 6 years and provided to NACHA upon request
  - Audit requirements for Participating DFIs
    - Includes all DFIs (RDFIs and ODFIs) and their third-party service providers
  - Audit requirements for ODFIs
    - Includes ODFIs and their third-party service providers
Resources
- www.epaynetwork.com
- www.nacha.org
- www.fdic.gov/consumers/consumer/guard/index.html
- www.usps.com/postinspectors/dvdorder.htm
- www.usps.com/missingmoneyorders/security.htm
- 2006 ACH Rules Book
- ACH Risk Management Handbook, 3rd Edition
- The ACH Compliance Manual: How to Comply with ACH-Related Rules and Regulations, 4th Edition
- Risk Management for the New Generation of ACH Payments: Internet, Electronic Check and Telephone
- Risk Management for Consumer Internet Payments: ACH, Credit Cards, Debit Cards and P2P
- Understanding Internet-Initiated ACH Debits
- Third Party Senders, The ACH Network: An Implementation Guide
- Tim Mills, Director of Association Services
- Electronic Payments Network/The Payments University
- 230 S. LaSalle, Suite 700
- Chicago, Illinois 60604
- tim.mills_at_epaynetwork.com
- 312-913-2597
Questions/Comments