Understanding & Managing Third Party Relationships in the ACH Network. PAYMENTS 2008 May 18, 2008 Las Vegas, NV

Understanding & Managing Third Party Relationships in the ACH Network PAYMENTS 2008 May 18, 2008 Las Vegas, NV 1

Your Presenters Stuart Williams Director, CheckFree Payment Services CheckFree now part of Fiserv Wendy Wishon, AAP Vice President Mid America Payment Exchange 2

Fiserv Is Fortune 500 company providing information management and electronic commerce systems and services to the financial and insurance industries for more than 30 years Publicly traded for more than 20 years (NASDAQ: FISV)

Key Dimensions 23,000 employees serving more than 18,000 clients in 66 countries around the world Compound average annual growth 2005 2007 Revenue: 10% Net income, continuing operations (adjusted): 7% Earnings per share (adjusted): 14% Cash flow from operations: 7% Stock price: 13%

Mid America Payment Exchange (MPX) is a not for for profit trade association responsible for providing payment systems education, support and industry leadership. MPX serves more than 2,000 financial institution and corporate members throughout Arkansas, Southern Illinois, Indiana, Southwestern Iowa, Kansas, Western Kentucky, Missouri, Nebraska, and Oklahoma. 5

Agenda Who Uses Third Parties in the ACH and Why? Financial Institutions RDFI/ODFI Corporations/Businesses Who Are the Third Parties in the ACH? Third Party Service Providers Third Party Sending Points Third Party Receiving Points Third Party Senders What Are the Participant Responsibilities in Third Party Relationships? What are the Risks in Third Party Relationships? 6

WHO USES THIRD PARTIES IN THE ACH NETWORK? 7

Understand Third Party Roles Third Party Service Provider (TPSP) A company that performs any ACH processing on behalf of an originator, ODFI or RDFI. payroll processors, payment aggregators, bill payment service providers and merchant processors, correspondent banks, corporate credit unions, FI processors Third Party Sender (TPS) A subset of Third Party Service Providers (TPSP). A company that acts as an intermediary between an originator and an ODFI when no agreement exists between the originator and ODFI. The TPS maintains direct agreements with both the originator and the ODFI. Can send transactions to the ODFI or directly to the ACH Operators. Direct access privileges are generally reserved for large volume originators with time sensitive processing schedules. General Rules A Third Party Sender (TPS) is always a Third Party Service Provider (TPSP). However, a Third Party Service Provider (TPSP) may not always serve as a Third Party Sender (TPS). 8

Third Party Service Providers An entity that performs any function of ACH processing on behalf of: ODFI Sending Point transmits entries to ACH Operator on behalf of the ODFI RDFI Receiving Point receives entries from the ACH Operator on behalf of the RDFI Originator Third Party Service Provider Third Party Sender 9

Why Use a Third Party? Financial Institutions as RDFI/ODFI Use correspondent bank, corporate credit union, commercial data processor, etc to receive and send ACH transactions No direct connection to an ACH Operator No Fed account for settlement No processing facilities or capabilities RDFI Receiving Point ODFI Sending Point 10

Why Use a Third Party? Business/Corporate Originators Outsourced business processes part of the relationship is ACH entry origination Payroll Receivables Third Party Service Provider Initiates entries on behalf of the Originator and transmits to Originator s ODFI Third Party Sender Initiates entries on behalf of the Originator and transmits to Third Party Sender s ODFI 11

ACH Flow authorization 12

Reality Third Party Processor Receiving Point Sending Point 13

WHO ARE THE THIRD PARTIES? 14

TPSP for ODFI Sending Point ODFI Responsibilities Properly identify all Sending Points in participation agreement with ACH Operator (s) Due diligence on Third Party Financial condition/processing capabilities and facilities/physical and data security processes/retention of ACH transactions and/or information/contingency planning Sending Point agreement executed between ODFI and TPSP Keep ODFI informed of ALL ACH activity transmitted to Network Annual ACH Rules compliance audit completed Responsible for ALL entries originated into the ACH Network with FI RTN in ODFI Identification Field regardless of who transmitted to ACH Operator Sending Point Responsibilities Sending Point agreement executed between ODFI and TPSP Annual audit of ACH Rules compliance ODFI is responsible for ALL entries originated into the ACH Network 15

Sending Point for ODFI Sending Point Agreement Sending Point 16

TPSP Sending Point EZCU contracts with a corporate Credit Union (BigCorpCU) for processing services including receipt of their ACH files for them using EZCU s routing number EZCU s member, Suze Sunshine, contacts Crazy Driver Insurance and authorizes them to debit her account for her insurance premiums each month Crazy Driver Insurance uses MegaBank as their ODFI 17

TPSP for RDFI Receiving Point RDFI Responsibilities Identify appropriate Receiving Point in participation agreement executed with ACH Operator (s) Agreement with Receiving Point Define responsibility, accountability and liability for handling of ACH Files Address any additional services related to processing of returns, NOCs, etc Retention of ACH transactions for six years Ensure annual ACH Rules compliance audit is completed RDFI is responsible for timely posting of debits and funds availability for credits no matter who receives the entries from the ACH Operator Receiving Point Agreement should be executed between RDFI and TPSP Annual audit of ACH Rules compliance RDFI is responsible for timely posting of debits and funds availability for credits no matter who receives the entrées from the ACH Operator 18

Receiving Point for RDFI Agreement Receiving Point 19

TPSP for Originator Part 1 Initiates entries on behalf of the Originator Originator obtains authorizations and maintains relationship with Receiver Responsible for Rules compliance related ACH Origination and as outlined in ODFI/Originator agreement TPSP sends originated transactions to Originator s ODFI for transmission to ACH Operator Originator and TPSP typically have an agreement outlining the relationship including the initiation of ACH entries Rules don t require agreement between Originator s TPSP and Originator s ODFI Highly recommended 20

TPSP for Originator Agreement for ACH Services Third Party Processor ODFI/Originator Agreement 21

TPSP for Originator Part 1 MyWidgets, Inc contracts with PayrollRUs to handle its payroll processing, including generation of payroll checks and Direct Deposits PayrollRUs formats the ACH file on behalf of MyWidgets, Inc and forwards it to MegaBank, which is MyWidgets, Inc financial institution. MyWidgets, Inc has an ODFI/Originator agreement with MegaBank for the origination of payroll credits 22

TPSP for Originator Part 2 What Looks Like An Originator; At Times Acts Like an Originator; But Doesn t Have A Direct Relationship With the Receiver??? A Third Party Sender Third Party Sender Intermediary between Originator and ODFI AND there is NO Originator/ODFI agreement in place between ODFI and Originator May perform same ACH functions for Originator as a TPSP Sends originated entries to Third Party s ODFI for transmission to ACH Operator 23

Third Party Sender Initiates entries on behalf of an Originator Originator obtains authorizations and maintains relationship with Receiver TPS sends originated transactions to Third Party Sender s ODFI for transmission to ACH Operator Originator and TPS must have an agreement outlining the relationship including the initiation of ACH entries TPS and ODFI must have a Third Party Sender Agreement executed outlining relationship and responsibilities 24

employee authorization Bestjob, Inc. TPSP agreement ABC Payroll Third Party Sender agreement MegaBank ABC Payroll s FI Bestjob Inc s entries sent out through ABC Payroll s FI MegaBank 25

TPS & Their ODFI TPS Obligations Provide ODFI with information about Originators if requested Assumes responsibilities of Originator under the ACH Rules Must make payment to ODFI no matter what ODFI Responsibilities KYC & KYCC Establish credit limits for batches and files No new Originators without prior approval Require transmittals for balancing purposes 26

Audit Requirements for TPSP ACH Rules Require Third Party Service Providers for RDFI/ODFI to conduct an annual audit Same audit requirements as Participating DFIs ACH Rules Require ODFI to audit all Originators including Third Party Senders No specific audit requirement for Third Party Senders 27

Third Party Sender authorization agreement 3rd Party Sender agreement Third Party Sender s FI Originator s entries sent out through 3 rd Party Sender s ODFI 28

WHAT ARE THE THIRD PARTY RISKS AND RESPONSIBILITIES? 29

Understand Third Party Risks Credit The ODFI always bears the credit risk in a Third Party Sender (TPS) relationship. This is because the ODFI does not have the contractual means to recover funds from the originator if a Third Party Sender fails. Operational Multiple players and services can create complex processing models with several points of failure. Compliance The ODFI is legally responsible for the safety and security of the transactions it introduces into the ACH network, even if it does not have direct control of the third party s activities. Fraud Conflicting Priorities A TPSP may desire direct access to an ACH Operator because it provides fewer points of failure. At the same time, an ODFI may be hesitant to support a direct access arrangement because it increases exposure. The introduction of fraudulent transactions can occur throughout the processing stream. 30

Managing TPSP Relationships Agreements Agreements are REQUIRED between ODFI and Third Party Sender AND Third Party Senders and Originators NACHA published sample ODFI/Third Party Sender agreement No language has been added to Rules to address Third Party Service Providers Rules previously (and still) required agreements with Third Party Sending Points/Receiving Points 31

Understand Originator Risks What makes an Originator a high risk entity? Historical association of business with criminal elements. Difficult authentication characteristics, particularly in Internet commerce. Historically high rates of unauthorized returns. Limited credit history, poor credit history or creditworthiness that is difficult to verify. Reputation or compliance risk associated with the underlying business. Regularly conducts international/cross border payments. Rapid growth in either item volumes or dollar amounts. Payment Originator is not a direct customer of the ODFI. 32

Identify Your Key Risks Determine which risk elements apply to your situation Primary Risks Credit exposure Operational Compliance Fraud Authentication Rapid growth Many clients are not direct customers of the ODFI Secondary Risks International/Cross Border Payments Unauthorized return rates Reputation Access to credit history 33

Develop a Risk Strategy Partner with your FI to create a risk mitigation strategy Credit exposure Operational Compliance BSA/AML Fraud Authentication Rapid growth Many clients are not direct customers of the ODFI 34

Implement Your Risk Strategy Employ a project methodology framework Risk Policy Team Operations Credit/Finance Relationship Management Escalation Process FI TPS Operator Test extensively or pilot new processes Phased Approach for before full ramp up Allow time for fine tuning 35

Review Your Risk Strategy Ensure the viability of your risk strategy Understand the risks for both parties. Approach the risk and benefit equation from both perspectives. Select strategies that mitigate the largest risks. Identify strategies that can be mutually beneficial. 36

Establish a Maintenance Schedule Create a maintenance plan and review it regularly Reciprocal Audit Availability Quarterly Review Meetings between Parties Transaction Activity Communication Status Scorecard Review Exception Events Annual operating risk review 37

Summary Managing Third Party Senders to the Benefit of all Resource Commitments Operational Practices Risk Management Regulatory Compliance Legal Agreements 38

Q & A 39

Name the Participants & Agreements Required Itty bitty Bank contracts with Midsize Bank for processing services including receipt and origination of their ACH files for them Itty bitty Bank s customer Local Co op Company originates vendor payments through IBB s online banking system 40

Name the Participants & Agreements Required Itty bitty Bank s customer, Sam Crash Smith, goes online to Crazy Driver Insurance Company s website and fills out an authorization for Crazy Driver Insurance to debit his account for his monthly car insurance premiums Crazy Driver Insurance uses TravelBank as an FI, and Crazy Driver Insurance goes to a website operated by ACH Software to originate their ACH transactions ACH Software sends the transaction information to MegaBank for transmission into the ACH Network 41

Name the Participants & Agreements Required A member of EZCU, Dimples Galore, belongs to Hotty Body Fitness and signs up with them to debit her account every month for her membership fees Hotty Body Fitness has a relationship with CheckFree, who processes their ACH files for them CheckFree has been assigned a routing number from SunShine Bank which gives CheckFree the ability to send the ACH Files directly to the ACH Operator 42

Name the Participants & Agreements Required Al s Accounting contracts with Mom & Pop Shop, LLC to create ACH files for Mom & Pop Shop s federal tax payments Once the file is created, Al s Accounting hands it back to the Originators (Mom & Pop Shop, LLC) Mom & Pop Shop, LLC transmits the file via online banking to their FI, Big Bank of the North, who then submits the file into the ACH Network. 43

Thank You Stuart Williams Director, CheckFree Payment Services CheckFree now part of Fiserv http://www.checkfree.com stwilliams@checkfree.com Wendy Wishon, AAP Vice President Mid America Payment Exchange www.mpx.org wendy@mpx.org 44