Knowing your customers and their customers and their customers and so on and so on

Transcription

1 Knowing your customers and their customers and their customers and so on and so on Identifying your Third-Party s and their Nested s This ACH risk management white paper provides an overview of ACH relationships with Third-Party s and how to identify, evaluate and monitor Third-Party s and their originator customers. By Steven M. Foster Founder and Chairman, Argos Risk

2 Executive Summary Financial institutions that process Automated Clearing House (ACH) transactions are faced with multiple levels of risk. Considered to be one of the safest payment systems in the world, the ACH Network provides an extremely reliable and efficient service for the electronic transfer of funds. Although the system itself is secure, the relationships between the parties involved in the processing of these types of transactions are inherently risky. Because an Originating Depository Financial Institution (ODFI) is responsible for all the entries it originates, it must be aware of and monitor the multiple levels of risk associated with their relationships with Third-Party s and their originating customers and, potentially, their customers that act as intermediaries for an additional level of originating customer. The Problem Serving as an intermediary between an ODFI and an, the Third-Party provides ACH origination services to its customers, the s. Third-Party services were commonly utilized by payment processors in the mid-000s, and in 004, the Third-Party role was officially recognized by NACHA. 3 NACHA s official rule change to the NACHA Operating Rules & Guidelines provided financial institutions and Third-Party s with an established structure regarding the definition of these entities and their responsibilities as members of the ACH payments system. The Third-Party is a rather unique entity because it is allowed to create ACH entries on behalf of its customers, the s. In the illustration below, the Third- Figure. Knowing Third-Party s How do ODFIs efficiently and effectively know their Third-Party s and their s and, possibly, their Nested originators? Third-Party Nested Third-Party 3 Nested Nested 3Nested NACHA, History, (September 03). NACHA, NACHA Operating Rules & Guidelines, NACHA, The Third-Party Case Studies: ODFI Best Practices to Close the Gap, 0, com/wp-content/uploads/0/08/thirdpartysenderwhitepaper.pdf, (September 03).

3 In essence, when an ODFI enters into an agreement with a Third-Party, it adds a third level of risk to its operations. Party is required to enter into a separate agreement with the ODFI and also enters into separate agreements with each of its s. The ODFI does not have an agreement with each of the Third-Party s s but instead relies on the agreements between the Third-Party and its s. As such, the Third-Party creates an unintended barrier between the ODFI and the. Adding even more complexity to the ODFI-Third-Party / relationship is the possibility of an being an intermediary for another level of s or what is called a Nested or Layered Third-Party. The separation between the ODFI; the Third-Party ; the Nested and the adds additional elements of risk to the ACH transaction processing relationship. The nature of the multi-layered Third-Party and Nested Third-Party relationship makes it difficult for the ODFI to have direct visibility into the business operations of all their s. The ODFI is responsible for all the ACH entries of the and to ensure the has the capacity to perform the obligations required under the NACHA Operating Rules. In addition, the ODFI must assess the nature of the activity of each and the associated risks that may be present with their operations. Examiners and ACH auditors are focused on the risk management systems and processes associated with all Third-Party relationships. In essence, when an ODFI enters into an agreement with a Third-Party, it can add three or four more levels of risk to its operations: The first level is the Third-Party Portfolio Risk. This level of risk focuses on the ODFI s understanding and evaluation of working with Third-Party s. The ODFI should consider how working with Third-Party s will impact the ODFI s overall strategic goals, risk, and profitability objectives and establish guidelines for the specific types of Third-Party businesses it determines to be acceptable. In addition, the ODFI should understand what additional resources are necessary to effectively manage its Third-Party relationships specifically technology and staffing requirements. The second level of risk is the Third-Party Risk. This level of risk focuses on the relationship between the ODFI and its Third Party. ODFIs need to understand and monitor the origination activities of the Third-Party in addition to performing regular reviews of the financial condition of both the Third-Party business and its s. Risk evaluations should include reviews of the aggregate risk associated with industry concentrations, geographic concentrations, and other risk factors occurring within the ODFI for the Third-Party customer group. The third level of risk is the Third-Party Risk. As part of any Third-Party due diligence program, the ODFI must determine the adequacy of the Third-Party s know your customer ( KYC ) procedures, initial screening processes, and risk tolerance levels. The ODFI should also identify the types of ACH transactions and services the Third-Party intends to deliver to its s. Furthermore, it is imperative that the ODFI require the Third-Party to have an acceptable agreement with each of its s stating that they are bound by the

4 NACHA Operating Rules. The fourth level of risk is the Nested Third-Party Risk. Because an ODFI does not typically interact directly with the Third-Party s s, it must understand the s business and monitor its ACH transaction activity. Identifying a Nested Third-Party requires the existence of robust policies and procedures at each Third-Party risk level. ODFIs must have strong KYC policies and procedures to be able to adequately evaluate businesses and their recurring origination activity. The NACHA Operating Rules state that, An ODFI is responsible for all Entries originated through the ODFI, whether by an or through a Third-Party. 4 All ACH entries that are processed by an ODFI regardless if the ODFI holds an agreement with the entity it is processing for are its responsibility. Furthermore, in September 03, NACHA added the ACH Security Framework Amendment to the NACHA Operating Rules. This amendment makes the verification of Third-Party s and s using a commercially reasonable method an obligation where before it was only a warranty. 5 The amendment states: The Security Framework replaces [the former] warranty with a new prerequisite to origination that more broadly requires the ODFI to verify the identity of all s/third-party s, regardless of the manner in which the Origination Agreement was executed. The amendment makes the requirement an obligation rather than a warranty as previously used for transmissions over Unsecured Electronic Networks. 6 Because of these requirements, it is imperative that the ODFI monitor all four levels of risk associated with its Third-Party relationships. However, the challenge for all financial institutions is how to implement and manage these key risk processes without requiring resources disproportionate to the size of the organization. Four Levels of Risk ODFIs typically originate ACH transactions for multiple Third-Party s and each Third-Party will originate transactions for several hundred customers, their s. In addition, it is not uncommon for several of the Third-Party s s to act as intermediaries for their own customers, thus creating a Nested Third-Party relationship. Nested Third-Party relationships pose additional challenges to ODFIs because they are extremely difficult to monitor and control. 7 Some 4 NACHA, NACHA Operating Rules & Guidelines, NACHA, Notice of Amendments to the 0 Operating Rules Supplement #-0, 0. 6 Ibid. 7 Payment Processor Relationships Revised Guidance FIL-3-0, January 3, 0. 3

5 examples of Nested Third-Party s include property management companies, payroll processors, payday lenders, and collection agencies. Figure diagrams the relationship between an ODFI, its Third-Party s and their s and their Nested Third-Party s. In addition, this diagram identifies the different levels of risk present in the overall relationship hierarchy. Figure. Four Levels of Risk LEVEL LEVEL LEVEL 3 Third-Party Nested Third-Party Third-Party Nested Third-Party 3 Nested Third-Party Third-Party 3 LEVEL 4 Nested Nested Nested Nested Nested Nested 3Nested 3Nested 4Nested Level Third-Party Portfolio Risk Evaluating the Third-Party Portfolio Risk requires the establishment of risk systems and controls within the ODFI where it can efficiently gather information on each of its Third-Party relationships. The ODFI should evaluate its Third-Party portfolio for the following risks: Understand which originators use multiple Third-Party s to initiate ACH transactions and review the Standard Entry Class (SEC) transaction codes and volume. Review ACH volume and returns by transaction type and by Third-Party. Establish a Third-Party Portfolio aggregate scoring metric that will provide an easy way to identify changes in portfolio risk. Separate the Third-Party Portfolio into high risk, moderate risk, and low risk classifications based upon calculated risk metrics. Evaluate Third-Party geographic concentrations. Evaluate Third-Party activities in other departments within the ODFI and evaluate overall entity exposure (i.e. cross channel risk). 4

6 The ODFI should set up a regular review process that evaluates the Third-Party Portfolio and analyzes the information gathered by the internal risk systems and controls....an ODFI must investigate all Third-Party s as well as their s because the ODFI is ultimately responsible for any transaction it initiates. Level Third-Party Risk Historically, the Third-Party Risk has been the primary focus of the ODFI. The OCC s Automated Clearing House Activities, Risk Management Guidance, describes in detail how an ODFI should approach these relationships: To effectively manage risk from Third-Party [s], bank management should establish procedures that allow the bank to monitor the Third- Party [ s] operations. The first step in this process is identifying and validating the third party and the type of business it conducts. Banks should check thoroughly the background of each Third-Party [], including the principal owners, and also verify the organization s financial capacity to absorb losses. 8 The ODFI should execute a written agreement with each Third-Party. Generally, these agreements should outline specific operational guidelines, such as: Detail the obligations and liabilities of the Third-Party. Define the information to be provided before the Third-Party can initiate transactions for a new. Define who is an approved or disapproved. Define what are approved and disapproved Standard Entry Class (SEC) transaction types. Determine ODFI access/audit frequency of Third-Party documentation. Confirm the ODFI liability for performance of the Third-Party, binding the Third-Party to the ACH Rules. Confirm the ODFI s right to terminate the agreement for breach of the ACH Rules. Set guidelines for risk tolerance, approval limits, and permitted customer types (i.e. SIC/NACIS codes, permitted SEC transaction types). Some of the key elements of the initial underwriting of Third-Party entities should include: Background checks on the business and principals (using public databases such as Lexis Nexis, Merchants Information Services, etc.). Understanding the Third-Party business and the length of time the business has been in existence. Utilize government provided high risk lists such as the Financial Crimes 8 Officer of the Comptroller of the Currency, OCC Automated Clearing House Activities, 006, news-issuances/bulletins/006/bulletin html#ftnote5, (August 03). 5

7 Ideally, ODFIs should be able to evaluate and monitor the risk associated with these entities on a real-time or near real-time basis through the use of ACH risk management technology solutions. Enforcement Network ( FinCEN ) Money Services Business listing and the Office of Foreign Assets Control ( OFAC ) lists. Understand if the Third-Party works with other areas of the bank (i.e. cross channel risk). Consider requiring that the Third-Party use other services within the organization (i.e. require full banking relationships or require the Third-Party be a borrowing customer and/or require minimum account balances). Determine if the Third-Party processes transactions for highrisk s (such as telemarketing, gambling, payday lending, adult entertainment, etc.). Once the initial due diligence and underwriting process is complete for each of the Third-Party s, an ODFI should establish credit-risk controls that set relevant peak ACH exposure limits and perform an ongoing credit analysis on each Third-Party entity. Level 3 Third-Party Risk relationships, when processing through a Third-Party, are inherently more risky for an ODFI due to the struggle it faces when trying to gain a better understanding of the s business. The third level of risk, Third-Party Risk, strongly encourages an ODFI to gather information about each that processes through a Third-Party. From due diligence and underwriting to monitoring and evaluating the s business and ongoing creditworthiness, an ODFI must investigate all Third-Party s as well as their s because the ODFI is ultimately responsible for any transactions it initiates. Level 4 Nested Third-Party Risk The fourth level of risk when originating on behalf of Third-Party s is identifying and working with Nested Third-Party s. In order to identify a Nested Third- Party, the ODFI must have robust controls and due diligence processes in place to determine those Third-Party s that may be intermediaries for other merchants. ODFIs should look for businesses that offer services or products that handle the cash of other organizations. Some examples of businesses that may be Nested Third-Party s include: Property management companies processing rental payments and HOA dues. Payroll processors working with small businesses. Accounting agencies who offer payroll processing services. Collection agencies processing recovered cash payments. Rental agencies processing rental payments for their customers. This list is not all-inclusive; however, any of these businesses could function as Third- Party s or Nested Third-Party s. The OCC has provided basic guidance regarding an ODFI s knowledge of its Third-Party s customers stating that: 6

8 Banks that initiate ACH transactions for Third-Party s should know, at a minimum, for which originators they are initiating entries into the ACH network. Thus, banks should require Third-Party s to provide certain information on their customers such as the s name, taxpayer identification number, principal business activity, and geographic location. Also, before originating transactions, a bank should verify (directly or through a Third-Party ) that the is operating a legitimate business. 9 ODFIs should carefully review the validity and creditworthiness of all Third-Party s. When conducting the initial underwriting of an that is a customer of a Third-Party, an ODFI should employ a similar process to what it uses to evaluate a Third-Party. The ODFI should perform a detailed evaluation of each for which the Third-Party initiates entries for and understand its business and operations before agreeing to process transactions. The ODFI should pay particular attention to s that operate high-risk businesses such as telemarketing companies, credit-repair services, mail order and telephone order companies, online gambling operations, businesses located offshore, and adult entertainment businesses. These operations are typically riskier and incidents of unauthorized returns are more common with these businesses. ODFIs may consider establishing policies prohibiting transactions with certain high-risk s and Third- Party s. The Solution When it comes to managing Third-Party relationships, ODFIs are expected to understand and monitor the actions of multi-layered entities. This never-ending task requires the use of valuable employee resources and unique technologies. Ideally, ODFIs should be able to evaluate and monitor the risk associated with these entities on a real-time or near real-time basis through the use of ACH risk management technology solutions. By using these types of tools, ODFIs can more easily assess the risks associated with their originating customers. Through the simple process of entering basic information on its Third-Party s and their s such as the company s name, website address, and mailing address, ODFIs should be able to view specific information on their originating companies. These technology solutions would provide access to multiple data sources that generate analytical insight on the originating companies. In addition, these technology solutions, through the use of the gathered data, would allow for the continuous evaluation of a Third-Party s business and their originators, alerting ODFIs of any changes in the entity s financial health or operations. Furthermore, these technology solutions would also allow an ODFI to set specific risk tolerance levels and create measurable analytics for each business 9 Officer of the Comptroller of the Currency, OCC Automated Clearing House Activities, 006, news-issuances/bulletins/006/bulletin html#ftnote5, (August 03). 7

9 entity in order to more closely monitor its origination activities. Finally, these technology solutions would allow ODFIs to generate reports on any Third-Party or any of their s at any given time. Conclusion ODFIs are responsible for each ACH entry it initiates. As such, it must proactively manage the multiple levels of risk associated with its Third-Party s, their s, and their Nested s. However, in order to manage the risk according to suggested regulatory specifications, ODFIs need to invest a significant amount of time and resources to monitor these originating entities. ODFIs should evaluate the use of risk management technology solutions in order to efficiently and effectively gain broader visibility of the status and performance of its Third-Party s and their s. 8

10 About Argos Risk Argos Risk specializes in the development of web-based technology solutions that enable companies to proactively manage credit and financial risk and protect against business identity fraud. Argos Risk leverages its proprietary data analysis process Argonomics and its custom-built web portal the Technology Platform to deliver up-to-the-minute credit risk information and financial health scores to subscribers. Both of the company s products Argos Risk Online and Argos Risk Defender are fully-hosted, Software-as-a-Service, subscription-based solutions that allow companies to better manage the credit risk associated with doing business into today s economic climate. Argos Risk s flagship product, Argos Risk Online, is the first proprietary software service that provides affordable financial and business health credit risk information for small to medium-sized businesses. With access to information on over 8 million business entities, Argos Risk Online allows subscribers to continuously monitor a list of their customers, vendors, suppliers, prospects, and competitors for changes in their business and financial health. This web-based solution delivers credit updates and daily alerts via the company s secure Technology Platform. The solution s visual dashboard makes it quick and easy for a company of any size to spot upward or downward trends that may require attention. In today s fast-paced economy, Argos Risk Online enables businesses to find all the pertinent information they need in order to evaluate both old and new relationships and to stay on top of rapidly changing credit health W 77th Street, Suite 375 Edina, MN info@argosrisk.com P: 877-RISK-4 or