COMPLIANCE and ACH SELF AUDIT


Presented By…

Jennifer Gatts, [email protected]

PAYMENTS CENTRAL, INC.

3380 Tremont Road

Columbus, OH 43221

Phone: 800-288-2204

Fax: 614-457-4824

www.paymentscentral.org

Objectives
• Learn the most common compliance issues with regard to the ACH Network
• Understand the ACH Annual Self Audit

Legal Framework
• NACHA Operating Rules
• Regulation E
• Uniform Commercial Code 4A
• 31 CFR Part 210
• OFAC

Compliance Responsibilities
• The NACHA Operating Rules apply to all commercial entries and data transmitted through one or more ACH Operators
• All participating DFIs agree to be bound by the NACHA Operating Rules

General Compliance Requirements
• ACH Records
  – Each RDFI and ODFI must retain records of all entries transmitted through the ACH Operator for six years
  – Copies of these records must be made available to customers, Participating DFIs and ACH Operator upon request
  – Any record may be retained electronically
    • Accurately reflect the information
    • Be capable of being accurately reproduced

ACH Self Audit - ODFI
• ACH Records Retention
  – Attach a copy of one ACH Report which shows ACH entries transmitted to an ACH Operator to the DFI. The entries contained on the report must be dated at least 6 years from the date this portion of the audit is completed.
  – If electronic records are used, verify that the electronic version of the record accurately reflects the information contained within the record and is capable of being accurately reproduced for later reference.

ACH Self Audit - RDFI
• ACH Records Retention
  – Attach a copy of one ACH Report which shows ACH entries transmitted from an ACH Operator. The entries contained on the report must be dated at least 6 years from the date this portion of the audit is completed.
  – If electronic records are used, verify that the electronic version of the record accurately reflects the information contained within the record and is capable of being accurately reproduced for later reference.

General Compliance Requirements
• ODFI Warranties
  – Each entry has been authorized
  – Credit entries are timely
  – Debit entries are valid
  – Entries conform to NACHA Operating Rules
  – Authorizations have not been revoked
  – ODFI has no knowledge that authorization has been terminated by law
  – Addenda complies with NACHA format
  – Reclamations are valid and timely
  – Agreements are in place with the Sending Points if applicable
  – Audit requirements have been met
  – Source document has been properly handled (POP)

General Compliance Requirements
• Originator's Responsibilities
  – Originator obtains Receiver's authorization
  – Prenotes are sent according to the Rules
  – Entries are not reinitiated unless within Rules
  – NOCs are corrected within six banking days or prior to the next live entry
  – Reversing files/entries are submitted within five banking days of the original settlement date of the erroneous or duplicate file
  – POP receipts
  – ARC and RCK entries
    • Notice is given
  – TEL entries
    • Verify identity of Receiver
    • Verify that routing numbers are valid
  – WEB entries
    • Commercially reasonable fraudulent transaction detection system
    • Verify that routing numbers are valid
    • Annual Audits

ACH Self Audit – ODFI
• Warranties
  – Review five days' worth of exception reporting and make note of the following:
    • Total number of entries reviewed
    • Total number of R10 entries received
    • Total number of R29 entries received

(NOTE: Goal is to keep return rate of R10, R07 and R29 less than 1%)

ACH Self Audit - ODFI
• Warranties
  – Randomly select one origination report. Verify that the file format for each entry is consistent with the file format prescribed by the ACH Rules for the Standard Entry Class Code being utilized. Make note of the following:
    • Total number of entries reviewed
    • Entries not in compliance with the file specifications

ACH Self Audit - ODFI
• Warranties
  – In the case of POP entries, attach a copy of a receipt which includes the information required by the NACHA Operating Rules
  – In the case of ARC and RCK entries, attach a copy of the notice provided to Receivers which states the details of the check conversion/truncation policy
  – In the case of WEB entries, attach documentation about Originator's fraud detection system
  – In the case of WEB entries, visit the website of an Originator and verify that the appropriate encryption technology is being used
  – In the case of WEB entries, attach a letter of certification from any Originator that states a security audit has been completed
  – In the case of TEL entries, attach documentation showing evidence of a commercially reasonable system to verify routing numbers are valid

General Compliance Requirements
• Agreements
  – UCC4A Disclosures
  – Sending Points
  – Originator
    • Binding to NACHA Operating Rules
    • US Law

ACH Self Audit - ODFI
• Agreements
  – Attach a copy of the UCC 4A disclosure provided to corporate customers. This disclosure may be included in the agreement, or may be a separate document.
  – Attach a copy of the Company/FI agreement.
  – Verify that agreements have been made with all Sending Points. Attach Third Party Service Agreement.

ACH Self Audit - ODFI
• Receiver Authorization and Agreement
  – Randomly select and review at least 10 consumer and five corporate entries originated by two or more originators. Verify that the appropriate authorization/agreement is in place for each of the entries
    • Attach a copy of the authorization for each of the consumer entries reviewed
    • Attach a copy of the binding agreement between the Originator and Receiver for one of the corporate entries reviewed

ACH Self Audit - RDFI
• Agreements
  – Attach a copy of the UCC 4A disclosures provided to corporate customers.
  – Verify that when requested, addenda records related to CCD, CTX and CIE entries are provided within two banking days to the Receiver

General Compliance Requirements
• ODFI Exposure Limits
  – Exposure limits for each corporate Originator prior to the origination of debits or credits for that entry.
  – Review established threshold on periodic basis
  – Monitor origination activity based on the threshold across multiple settlement dates
  – Implement procedures to monitor payment system risk associated with Cross-Border payments

ACH Self Audit – ODFI
• Risk Exposure
  – Attach a copy of the procedures utilized by this institution to determine the creditworthiness of potential Originators as well as the procedures for monitoring and periodically reviewing exposure limits
  – Attach a copy of written procedure for processing ACH entries
  – Attach a copy of your institution's anti-fraud procedures as they relate to the origination of ACH transactions

General Compliance Requirements
• Prenotifications
  – Optional, Non-Dollar entries
  – Transmitted prior to the first live entry
  – RDFI is required to verify
  – Live entries may not be

ACH Self Audit - ODFI
• Prenotifications
  – Select at least two batches of originated prenotification entries. Find the live entries to which the prenotes relate and verify that there is a minimum of six banking days difference between the transmission date of the prenote and the live entry.
  – Interview the ACH Coordinator to verify that all prenotes that receive an NOC from the RDFI are corrected prior to the next live entry being transmitted. Attach documentation that shows an NOC received on a prenote and the subsequent corrected live entry.

ACH Self Audit - RDFI
• Prenotifications
  – Review a sampling of ACH exception reports. Select five prenotification entries that have non-posted. Verify that an NOC or return was properly initiated for each.
  – Review 10 NOC entries that are submitted in response to a prenote. Verify that each NOC is initiated within two banking days.

General Compliance Requirements
• Returns
  – In general, returns must be transmitted by the RDFI so that they are made available to the ODFI no later than the opening of business on the 2nd banking day following settlement
• Dishonored Returns
  – Five banking days
• Contested Dishonored Returns
  – Two banking days

General Compliance Requirements
• Stop Payment
• Unauthorized Entries
• Revoked Authorization

General Compliance Requirements
• Reinitiation of entries
  – If an entry is returned as NSF/UCF, the entry may be reinitiated no more than twice
  – If the entry is returned as stop pay or revoked authorization, then it may not be reinitiated unless reauthorized by Receiver
  – If the entry is returned because it is unprocessable, it may only be reinitiated if entry is corrected
  – RCK rules

ACH Self Audit - ODFI
• Exception Processing
  – Review one exceptions report. Verify that no entries returned R07, R08, R10, R38 or R52 have been reinitiated
  – Interview the ACH Coordinator and verify that any entries returned for R61-R70 meet the requirements set forth in the NACHA Operating Rules
  – For any entries returned as R01 or R09, verify that these entries are not reinitiated in excess of the limits

ACH Self Audit - RDFI
• Exceptions Processing
  – Review a sampling of exception reporting.
  – Verify that any unposted credit entries are returned within 24 hours.
  – Verify that any dishonored returns are contested or corrected within two banking days.
  – Verify that the number of returns dishonored as untimely (R68) is less than 1% of the returns originated by the RDFI for any given Settlement Date.
  – Verify that as a matter of policy, all types of ACH entries and prenotifications are accepted

ACH Self Audit - RDFI
• Written Statement Under Penalty of Perjury
  – Review records and procedures to ensure that WSUPP are obtained from consumers for all returns using R07, R10, R37, R51 and R53.
  – Interview the ACH coordinator and verify that all adjustment entries are originated within 60 days
  – Verify that copies of WSUPP are provided to ODFI within 60 calendar days of the request
  – Verify that WSUPP are retained for at least one year following the initiation of the adjustment entry

ACH Self Audit - RDFI
• Stop Pay Orders
  – Review internal procedures to ensure that for RCK and ARC entries where a stop payment has been placed on the item, the adjustment entry is received by the ODFI within 60 days
  – Verify that the RDFI acts on stop payment orders that have been received in such time and in such manner that allow the RDFI to act on the stop payment order prior to acting on the debit entry to which the order relates.

General Compliance Requirements
• Periodic Statement
  – Posting Date
  – Dollar Amount
  – Company Name
  – Company Entry Description
  – Type of Account
  – Number of Account
  – Amount of Charges
  – Balances
  – Address and Telephone number for inquiries

ACH Self Audit - RDFI
• Periodic Statements
  – Attach a sample of your periodic statement and verify that the minimum description standards appear.

POSTING AND FUNDS AVAILABILITY

• Debits cannot be posted prior to Settlement Date
• Credits made available by ACH Operator by 5:00 PM the day prior must be made available at the opening of business on Settlement Date

ACH Self Audit
• Funds Availability
  – Attach a copy of the institution's ACH posting procedure. Ensure that the procedure demonstrates compliance with the ACH funds availability requirement and that debit entries are not posted prior to Settlement Date.