ACH Risk: Bring Harmony to the Chorus of Originators

Transcription

1 ACH Risk: Bring Harmony to the Chorus of Originators Kim A. Bruck, AAP Director, ACH Product Manager

2 ACH Risk: Bring Harmony to the Chorus of Originators In the world of music you want to bring harmony to the chorus. So how can you do that in the world of ACH? Managing your ACH risk of your Originators is key to harmony of the chorus of all ACH participants. ODFI s need to set file limits, exposure limits, monitor returns and more. Learn what the ODFI can do to manage their ACH risk in this session.

3 What is Risk? Expose to a chance of loss or damage* The possibility of suffering harm or loss; danger * The chance of nonpayment of a debt.* *

4 What is ACH Risk? Potential loss of funds associated with the movement of funds in the ACH network What is the risk management challenge? Identify the risks and how it is being managed Estimate the significance of the risk Assess the probability of the risk occurring Determine and outline programs, policies and procedures Future plan for your ACH program

5 Agreements Subsection ODFI Agreement with Originator, Third Party Sender or Sending Point ODFI must enter into an Origination Agreement with each of these parties including, at a minimum, each of the following: Authorization to originate entries Agree to be bound by the ACH rules Agree not to originate entries that violate the laws of the United States Any restrictions on the types of entries that may be originated Right to terminate or suspend for breach of rules Right to audit the compliance

6 Credit Risk The risk that occurs when a party to a transaction cannot provide the necessary funds, as contracted, in order for settlement to take place Exposure Dollar limit assigned by an FI to an Originator Represents the total amount of exposure across all services (cash management, lending, wire transfers, etc.) Funding Prefunding Option Credit quality of customer Underwrite your customer 3 rd Party Sender Whose ABA # is being used? Liable? Returns Debit entry risk

7 Exposure Limits Establishment, monitoring and enforcement of exposure limits are critical to successful ACH processing. The ODFI should assign exposure limits to each customer file: Develop and implement a process to monitor and track exposure limits for Originators or across multiple settlement dates Provide flexibility and establish contingency plans to accommodate the handling of exception situations Coordinate efforts between the operations and banking departments to manager this process Establish, implement and document a process for the periodic review of exposure limits

8 Exposure Limits How do you establish exposure limits? Overall customer relationship Average combined deposit balance Number of NSFs Credit relationship Financial stability of Originator Credit rating Financial statements How company is defined for exposure purposes What are the businesses and the divisions of the company Historical or predicted dollar value of files processed Reevaluate on a quarterly, bi-annual or annual basis

9 Prefunding Prefunding Allows non-rated customers to prefund their account Advantage virtually eliminates credit risk for originating ACH credit files for non-rated customers and it reduces costs to the ODFI Recommended for all originators in a bad economy Due to risk of bankruptcy

10 Credit Quality Balance sales culture with risk management Underwrite your Originator Establish or use existing credit ratings Review Review the credit risk aspects of relationship Establish or use existing credit ratings Establish procedures for ongoing monitoring credit worthiness of Originators

11 Know Your Customer What businesses are they in? Are they financially sound? Which ACH application do they use? Is the lending staff involved in the decision-making process along with operations staff? Caution sales staff in direct decision making Know your customers customer (KYCC) Third-party sender

12 Third Party Sender Agreements None between the ODFI and the Originator using the Third-Party Sender ODFI and Third-Party Sender must have agreement Subsection ODFI must enter into an Origigination Agreement with Third-Party Sender (OR4) Risk What are they sending? Do they have contracts with the originator? Are they financially sound? Who is ultimately responsible? Direct access Risk controls Registration via NACHA

13 Returns Proper Authorization Warranties of the ODFI Subsection The Entry is Authorized by the Originator and Receiver Unauthorized items that do not have proper authorization Return beyond normal 60 day time frame R05 if personal account with CCD/CTX for returning past 2 business days Effective September 2014: RDFI s will be able to request either copies of the authorizations for CCD/CTX entries or if authorizations are not available (most likely in the corporate environment) ODFIs will have to provide Originator contact information to RDFIs that request.

14 Returns Recent press reports have inaccurately stated that some Receiving Depository Financial Institutions (RDFIs) have colluded with payday lenders to enable allegedly unlawful activity when RDFIs honor ACH debits to consumer accounts. High debit return rates Know what kind of service is being offered Verify company ID following proper authorization requirements Perform credit analysis of originating company Monitor the return ratios by company R03, R04, R05, R07, R10, R29 If returns become excessive, reconsider relationship

15 Return ODFI Return Rate Reporting Subsection Upon receipt of written request by NACHA and ODFI must provide documentation within 10 banking days information on Originator or Third-Party Sender (OR31) Additional ODFI Action and Reporting When the Return Threshold is Exceeded Subsection When the Originator s or Third-Party Sender s return rate for unauthorized Entries (as calculated in ) exceeds one percent ODFI must also provide additional information within 10 banking days (OR32) ODFI Reduction of Return Rate Subsection ODFI must reduce Originator s or Third-Party Sender s return rate for unauthorized Entries to a rate below one percent within 30 days (new time frame as of 3/15/2013, used to be 60 days) after receipt of NACHA written notice (OR33)

16 NACHA Board of Directors Policy Statements Data Security Data Breach Notification Requirements Use of a Terminated Originator Database Importance of Sound Business Practices to Mitigate Corporate Account Takeover

17 Corporate Account Takeover What is CAT? Initiate funds transfers out of the compromised business account by ACH or wire transfer to the bank of account of associates within the U.S. or directly overseas Changing of the routing and account number within the ACH file or the wire transfer item Perpetrator may also be able to gain access to and review the business account details, such as account balances, activities and patterns, enabling the perpetrator to mimic the legitimate users and initiate transactions undetected NEW Not just targeting business but also FI employees

18 Corporate Account Takeover Most common methods to obtain access to banking credentials Infected document attached to an Link within an to infected website Employees visiting legitimate websites especially social networking sites and clicking on infected documents, photos or videos Employee using flash drive that is infected In each case the infected system is then exploited to obtain legitimate security credentials that can be used to access a company s corporate accounts

19 Corporate Account Takeover THE ODFI Implement systems designed to prevent and detect attempts to access a business banking credentials and actual unauthorized access to the business banking account What is your FI using? Keeping your customers informed and educated about the importance of implementing their own systems and sound business practices to protect themselves Keep customer informed of evolving risks can be effective method to combat cyber-thieves before they get access to the banking system

20 Sound Business Practices - FI Agreements & Minimum Security Procedures Dual Control for Payment File Initiation Out-of-Band Authentication and Alerts Enhancement of Account Security Offerings Exploration of Low-Tech Security Options Education (internal and corporate)

21 RDFI Suspects CAT Subsection General Rule for Availability of Credits An RDFI that reasonably suspects that a credit Entry is authorized is exempt from this requirement, subject to applicable Legal Requirements. An RDFI invoking such an exemption must promptly notify the ODFI. If you can t resolve within 1 day then let the item post

22 FFIEC Guidance Federal Financial Institutions Examination Council (FFIEC) issued a supplement June 2011 to the Authentication in an Internet Banking Environment guidance, issued in October 2005 What is the purpose? Reinforce the risk management framework in the original guidance and update the FFIEC member agencies supervisory expectations regarding customer authentication, layered security and other controls in the increasingly hostile online environment More focus on business accounts

23 FFIEC Guidance Specific Supervisory Expectations Risk Assessments Customer Authentication for High-Risk Transactions Layered Security Programs Effectiveness of Certain Authentication Techniques Customer Awareness and Education

24 FFIEC Guidance Transaction monitoring/anomaly detection software Suspicious funds transfers Out of the ordinary Patterns of behavior Not approved recipient based on routing number and account number White list Out-of-band authentication Transaction that is initiated via one delivery channel (e.g., Internet) must be re-authenticated or verified via an independent delivery channel (e.g., phone) in order for the transaction to be completed Validation of the routing number & account number (aka Positive Pay)

25 Originator Watch List Designed to augment other risk assessment and decisionmaking measures used by ODFIs, the Originator Watch List identifies Originators and Third-Party Senders that meet certain risk criteria, but does not introduce or imply any prohibition on initiating entries for entities listed. Rather, ODFIs are encouraged to consider this information as a part of their broader underwriting and risk management process. The Originator Watch List is available to employees of financial institutions that utilize the ACH Network, Regional Payments Associations, and ACH Operators.

26 Terminated Originator Database The Terminated Originator Database (TOD), is a service managed by FIS, was developed by NACHA s Risk Management Advisory Group to support the due diligence and risk management processes of Originating Depository Financial Institutions (ODFIs). The Database facilitates the confidential exchange of information regarding Originators and/or Third-Party Senders terminated for cause from ACH processing by ODFIs. Use of TOD, which is supported by a NACHA Board Policy Statement, assists in the evaluation and ongoing monitoring of new and current Originators and Third-Party Senders, allowing ODFIs to benefit from other financial institutions experiences. Since its launch, participation in TOD has continued to increase. Currently, more than 60 financial institutions, have signed up to participate in the database and hundreds more have expressed their interest in this important risk management tool. To increase the value of TOD as a risk management tool for due diligence and in response to the requests of ODFIs, Third Parties, and Regional Payments Associations (RPAs), NACHA is expanding access to the database to now allow participation by select Third Parties. Third-Party Service Providers that serve as back end processors for ODFIs will be able to contribute to and search the database on behalf of the ODFIs that they support. Additionally, Third-Party Senders will be able to contribute to and search TOD at the Originator level. Contributions to the database are free.

27 National System of Fines The National System of Fines is the rules enforcement mechanism for the ACH Network, correcting violations of and ensuring compliance with the Rules through a formal system of warnings and fines. Its ultimate objective is to maintain the quality of the ACH Network through better compliance with the Rules. The National System of Fines provides participating Depository Financial Institutions with an opportunity for review, evaluation, and correction of the circumstances surrounding possible rules violations.

28 ACH Annual Audit Due Annually by December 31 st Rules-based not accounting-based audit Should be conducted by ACH certified or AAP Should not be done by the person who does the daily ACH

29 Resources NACHA Resources Corporate Account Takeover Fraud & Phishing Corporate Account Takeover Risk Management Advisory Group Risk Management Tools & Resources ACH Operator Tools vices Terminated Originator Database Confidential & Proprietary Viewpointe Archive Services, LLC. All Rights Reserved. May not be copied or distributed without the express written permission of Viewpointe.