Don t Originate in the Dark: Shine Some Light on Your Third-Party Senders and Their Originators

Transcription

1 Don t Originate in the Dark: Shine Some Light on Your Third-Party Senders and Their Originators This ACH risk management white paper examines the risks related to ACH transactions processed by Third-Party Senders. It provides a general overview of how to evaluate and monitor both Third-Party Senders and their originator customers. By Steven M. Foster Founder and Chairman, Argos Risk

2 Executive Summary Financial institutions that process Automated Clearing House (ACH) transactions are faced with multiple levels of risk. Considered to be one of the safest payment systems in the world 1, the ACH Network provides an extremely reliable and efficient service for the electronic transfer of funds. Although the system itself is secure, the relationships between the parties involved in the processing of these types of transactions are inherently risky. Because an Originating Depository Financial Institution (ODFI) is responsible for all the entries it originates 2, it must be aware of and monitor the three levels of risk associated with its relationships with Third-Party Senders and the Third- Party Sender Originators. The Problem Serving as an intermediary between an ODFI and an Originator, the Third-Party Sender provides ACH origination services to its customers, the Originators. Third-Party Sender services were commonly utilized by payment processors in the mid-2000s, and in 2004, the Third-Party Sender role was officially recognized by NACHA. 3 NACHA s official rule change to the NACHA Operating Rules & Guidelines provided financial institutions and Third-Party Senders themselves with an established structure regarding the definition of these entities and their responsibilities as members of the ACH payments system. The Third-Party Sender is a rather unique entity because it is allowed to create ACH entries on behalf of its customers, the Originators. In this scenario, the Third-Party Sender enters into separate agreements with the ODFI and with the Originator. However, Figure 1. Knowing Third-Party Sender Originators 1 NACHA, History, (September 2013). 2 NACHA, NACHA Operating Rules & Guidelines, NACHA, The Third-Party Sender Case Studies: ODFI Best Practices to Close the Gap, 2012, com/wp-content/uploads/2012/08/thirdpartysenderwhitepaper.pdf, (September 2013). 1

3 the ODFI does not have an agreement with the Originator. As such, the Third-Party Sender creates an unintended barrier between the ODFI and the Originator. The separation caused by the Third-Party Sender between the ODFI and the Originator adds an additional element of risk to ACH entries because the ODFI does not have direct visibility as to who the Originator is or what type of business it is operating. In essence, when an ODFI enters into an agreement with a Third-Party Sender, it adds a third level of risk to its operations. Examiners and ACH auditors are focused on the risk management systems and processes associated with Third-Party Sender relationships. In essence, when an ODFI enters into an agreement with a Third-Party Sender, it adds a third level of risk to its operations. The first level is the Third-Party Sender Portfolio Risk. This level of risk focuses on the relationship between the ODFI and its Third-Party Sender customer group. For example, evaluating the aggregate risk associated with industry concentrations, geographic concentrations, and other risk factors occurring within the ODFI for the Third-Party Sender customer group. The second level of risk is the Third-Party Sender Risk. This level of risk focuses on the risks associated with each separate Third-Party Sender business and its ACH transaction activity. ODFIs need to perform initial due diligence and establish processes that will continually monitor Third-Party Sender performance. The third level of risk is the Third-Party Sender Originator Risk. Because an ODFI does not typically interact directly with the Third-Party Sender Originators, it must understand the Originator s business and monitor its ACH transaction activity. The NACHA Operating Rules state that, An ODFI is responsible for all Entries originated through the ODFI, whether by an Originator or through a Third-Party Sender. 4 All ACH entries that are processed by an ODFI regardless if the ODFI holds an agreement with the entity it is processing for are its responsibility. Furthermore, in September 2013, NACHA added the ACH Security Framework Amendment the NACHA Operating Rules. This amendment makes the verification of Third-Party Senders and Originators using a commercially reasonable method an obligation where before it was only warranty. 5 The amendment states: The Security Framework replaces [the former] warranty with a new prerequisite to origination that more broadly requires the ODFI to verify the identity of all Originators/Third-Party Senders, regardless of the manner in which the Origination Agreement was executed. The amendment makes the requirement an obligation rather than a warranty as previously used for transmissions over Unsecured Electronic Networks. 6 4 NACHA, NACHA Operating Rules & Guidelines, NACHA, Notice of Amendments to the 2012 Operating Rules Supplement #2-2012, Ibid. 2

4 Because of these requirements, it is imperative that the ODFI monitor all three levels of risk associated with its Third-Party Sender relationships. The challenge for all financial institutions is how to implement and manage these key risk processes without requiring resources disproportionate to the size of the organization. Three Levels of Risk ODFIs typically originate ACH transactions for multiple Third-Party Senders and each Third-Party Sender will originate transactions for several hundred customers, the Originators. Figure 2 diagrams the relationship between an ODFI and its Third-Party Senders and their Originators. In addition, this image identifies the different levels of risk present in the overall relationship hierarchy. Figure 2. Three Levels of Risk Level 1 Third-Party Sender Portfolio Risk Evaluating the Third-Party Sender Portfolio Risk requires the establishment of risk systems and controls within the ODFI where it can efficiently gather information on each of its Third-Party Sender relationships. The ODFI should evaluate its Third-Party Sender portfolio for the following risks: Understand which originators use multiple Third-Party Senders to initiate ACH transactions and review the Standard Entry Class (SEC) transaction codes and volume. Review ACH volume and returns by transaction type and by Third-Party Sender. 3

5 Establish a Third-Party Sender Portfolio aggregate scoring metric that will provide an easy way to identify changes in portfolio risk. Separate the Third-Party Sender Portfolio into high risk, moderate risk, and low risk classifications based upon calculated risk metrics. Evaluate Third-Party Sender geographic concentrations. Evaluate Third-Party Sender activities in other departments within the ODFI and evaluate overall entity exposure (i.e. cross channel risk). The ODFI should set up a regular review process that evaluates the Third-Party Sender Portfolio and analyzes the information gathered by the internal risk systems and controls. Level 2 Third-Party Sender Risk Historically, the Third-Party Sender Risk has been the primary focus of the ODFI. The OCC s Automated Clearing House Activities, Risk Management Guidance, describes in detail how an ODFI should approach these relationships: To effectively manage risk from Third-Party [Senders], bank management should establish procedures that allow the bank to monitor the Third- Party [Sender s] operations. The first step in this process is identifying and validating the third party and the type of business it conducts. Banks should check thoroughly the background of each Third-Party [Sender], including the principal owners, and also verify the organization s financial capacity to absorb losses. 7 The ODFI should execute a written agreement with each Third-Party Sender. Generally, these agreements should outline specific operational guidelines, such as: Detail the obligations and liabilities of the Third-Party Sender. Define the information to be provided before the Third-Party Sender can initiate transactions for a new Originator. Define who is an approved or disapproved Originator. Define what are approved and disapproved Standard Entry Class (SEC) transaction types. Determine ODFI access/audit frequency of Third-Party Sender Originator documentation. Confirm the ODFI liability for performance of the Third-Party Sender, binding the Third-Party Sender to the ACH Rules. Confirm the ODFI s right to terminate the agreement for breach of the ACH Rules. Set guidelines for risk tolerance, approval limits, permitted customer types (i.e. SIC/NACIS codes, permitted SEC transaction types). 7 Officer of the Comptroller of the Currency, OCC Automated Clearing House Activities, 2006, news-issuances/bulletins/2006/bulletin html#ftnote25, (August 2013). 4

6 Some of the key elements of the initial underwriting of Third-Party Sender entities should include:...an ODFI must investigate all Third-Party Senders as well as their Originators because the ODFI is ultimately responsible for any transaction it initiates. Background checks on the business and principals (using public databases such as Lexis Nexis, Merchants Information Services, etc.). Understanding the Third-Party Sender business and the length of time the business has been in existence. Utilize government provided high risk lists such as the Financial Crimes Enforcement Network ( FINCEN ) Money Service Business listing and the Office of Foreign Assets Control ( OFAC ) lists. Understand if the Third-Party Sender works with other areas of the bank (i.e. cross channel risk). Consider requiring that the Third-Party Sender use other services within the organization (i.e. require full banking relationships or require the Third-Party Sender be a borrowing customer and/or require minimum account balances). Determine if the Third-Party Sender processes transactions for highrisk Originators (such as telemarketing, gambling, payday lending, adult entertainment, etc.). Once the initial due diligence and underwriting process is complete for each of Third- Party Senders, an ODFI should establish credit-risk controls that set relevant peak ACH exposure limits and perform an ongoing credit analysis on each Third-Party Sender entity. Level 3 Third-Party Sender Originator Risk Originator relationships, when processing through a Third-Party Sender, are inherently more risky for an ODFI due to the struggle it faces when trying to gain a better understanding of the Originator s business. The third level of risk, Third-Party Sender Originator Risk, strongly encourages an ODFI to gather information about each Originator that processes through a Third-Party Sender. From due diligence and underwriting to monitoring and evaluating the Originator s business and ongoing creditworthiness, an ODFI must investigate all Third-Party Senders as well as their Originators because the ODFI is ultimately responsible for any transactions it initiates. The OCC has provided basic guidance regarding an ODFI s knowledge of its Third-Party Senders customers stating that: Banks that initiate ACH transactions for Third-Party Senders should know, at a minimum, for which originators they are initiating entries into the ACH network. Thus, banks should require Third-Party Senders to provide certain information on their Originator customers such as the Originator s name, taxpayer identification number, principal business activity, and geographic location. Also, before originating transactions, a bank should verify (directly or through a Third-Party Sender) that the Originator is operating a legitimate 5

7 business. 8 Ideally, ODFIs should be able to evaluate and monitor the risk associated with these entities on a real-time or near real-time basis through the use of ACH risk management technology solutions. ODFIs should carefully review the validity and creditworthiness of all Third-Party Sender Originators. When conducting the initial underwriting of an Originator that is a customer of a Third-Party Sender, an ODFI should employ a similar process to what it uses to evaluate a Third-Party Sender. The ODFI should perform a detailed evaluation of each Originator for which the Third-Party Sender initiates entries for and understand its business and operations before agreeing to process transactions. The ODFI should pay particular attention to Originators that operate high-risk businesses such as telemarketing companies, credit-repair services, mail order and telephone order companies, online gambling operations, businesses located offshore, and adult entertainment businesses. These operations are typically riskier and incidents of unauthorized returns are more common with these businesses. ODFIs may consider establishing policies prohibiting transactions with certain high-risk Originators and Third- Party Senders. The Solution When it comes to managing Third-Party Sender relationships, ODFIs are expected to understand and monitor the actions of multiple entities. This never-ending task requires the use of valuable employee and technology resources that most financial institutions cannot afford to spare. Ideally, ODFIs should be able to evaluate and monitor the risk associated with these entities on a real-time or near real-time basis through the use of ACH risk management technology solutions. Through the simple process of entering basic information on its Third-Party Senders and their Originators such as the company s name, website address, and mailing address, ODFIs should be able to view specific information on their originating companies. These technology solutions would provide access to multiple data sources that generate analytical insight on the originating companies. In addition, these technology solutions, through the use of the gathered data, would allow for the continuous evaluation of a Third-Party Sender s business and their originators, alerting ODFIs of any changes in the entity s financial health or operations. Furthermore, these technology solutions would also allow an ODFI to set specific risk tolerance levels and create measurable analytics for each business entity in order to more closely monitor its origination activities. Finally, these technology solutions would allow ODFIs to generate reports on any Third-Party Sender or any of their Originators at any given time. Conclusion ODFIs are responsible for each ACH entry it initiates. As such, it must proactively manage the multiple levels of risk associated with its Third-Party Senders and their Originators. However, in order to manage the risk according to suggested regulatory 8 Officer of the Comptroller of the Currency, OCC Automated Clearing House Activities, 2006, news-issuances/bulletins/2006/bulletin html#ftnote25, (August 2013). 6

8 specifications, ODFIs need to invest a significant amount of time and resources to monitor these originating entities. ODFIs should evaluate the use of risk management technology solutions in order to efficiently and effectively gain broader visibility of the status and performance of its Third-Party Senders and their Originators. 7

9 About Argos Risk Argos Risk specializes in the development of web-based technology solutions that enable companies to proactively manage credit and financial risk and protect against business identity fraud. Argos Risk leverages its proprietary data analysis process Argonomics and its custom-built web portal the Technology Platform to deliver up-to-the-minute credit risk information and financial health scores to subscribers. Both of the company s products Argos Risk Online and Argos Risk Defender are fully-hosted, Software-as-a-Service, subscription-based solutions that allow companies to better manage the credit risk associated with doing business into today s economic climate. Argos Risk s flagship product, Argos Risk Online, is the first proprietary software service that provides affordable financial and business health credit risk information for small to medium-sized businesses. With access to information on over 28 million business entities, Argos Risk Online allows subscribers to continuously monitor a list of their customers, vendors, suppliers, prospects, and competitors for changes in their business and financial health. This web-based solution delivers credit updates and daily alerts via the company s secure Technology Platform. The solution s visual dashboard makes it quick and easy for a company of any size to spot upward or downward trends that may require attention. In today s fast-paced economy, Argos Risk Online enables businesses to find all the pertinent information they need in order to evaluate both old and new relationships and to stay on top of rapidly changing credit health Parkdale Dr., Suite 100 Minneapolis, MN 5541 info@argosrisk.com P: 877-RISK-411 or