ACH Internal Control Questionnaire

AUTOMATED CLEARING HOUSE (ACH)
Assessment of the Adequacy of Internal Controls

Completed by:
Date Completed:

10/11 IT B9-1

Quality of Management and Support for ACH Processing Activity

1. Does the institution adhere to NACHA and clearinghouse operating rules and regulations?
2. Review policies and procedures:
   - Monitor originating customer balances for credit payments (e.g., payroll).
   - Ensure payments are made against collected funds or established credit limits.
3. Are payments in excess of established credit limits properly authorized? Does the institution treat deposits resulting from ACH-transmitted debits on other accounts as uncollected funds?
4. Until there is reasonable assurance that debits have been paid by the institution on which they were drawn, does management:
   - Monitor drawings against uncollected funds?
   - Ensure they are within established guidelines?
5. Review a sample of contracts authorizing the institution to originate ACH items for customers.
6. Determine whether contracts adequately set forth the responsibilities of the institution and the customer:
   - Are contracted third-party service providers or originating customer entries also institution customers?
   - Do agreements include recognition of all relevant NACHA requirements?
   - Do the institution's ACH clearinghouses stipulate funding arrangements (outgoing), the Expedited Funds Availability Act (Regulation CC), UCC 4A (credit transfer only), and Electronic Funds Transfers (Regulation E)?
7. Are ACH activities considered in the overall business continuity plans and insurance program?
8. Does management monitor originating customers for unreasonable numbers of unauthorized ACH debits?

ACH ODFI Responsibilities

1. Determine if agreements between the ODFI and originators adequately address:
   - Liabilities and warranties?
   - Responsibilities for processing arrangements?
   - Other originator obligations such as security and audit requirements?
2. Determine if the ODFI has ongoing procedures to monitor the creditworthiness of originator customers:
   - Does the ODFI assign credit ratings to originators?
   - Do competent credit personnel perform monitoring, independent of ACH operations?
   - Do written agreements with originators require submission of periodic financial information?
3. Determine if the ODFI has established ACH exposure limits for originators:
   - Is the limit based on the originator's credit rating and activity levels?
   - Is the limit reasonable relative to the originator's exposure across all services (lending, cash management, foreign exchange, etc.)?
   - Have limits been established for originators whose entries are transmitted to the ACH operator by a service provider?
   - Do written agreements with originators address exposure limits?
   - Is there a separate limit for WEB entries and other high-risk ACH transactions?
4. Determine if the ODFI reviews exposure limits periodically:
   - Does the ODFI adjust limits for changes in the originator's credit rating and activity levels?
   - Do increases in the originator's ACH debit return volume trigger re-evaluation of the exposure limit?
   - Does the ODFI review limits in conjunction with review of the originator's exposure limit across all services?

ACH ODFI and RDFI Responsibilities

1. Determine if the ODFI has procedures to monitor ACH entries initiated by an originator relative to its exposure limit across multiple settlement dates:
   - Is the monitoring system automated?
   - Does the system accumulate entries for a period at least as long as the average ACH debit-return time (60 to 75 days)?
   - Do entries in excess of the exposure limit receive prior approval from a credit officer?
   - Are WEB entries and other high-risk ACH transactions separately accumulated and monitored?
2. Are these entries integrated into the overall ACH transaction monitoring system?
3. Assess the RDFI's overdraft and funds availability policies and practices.
4. Determine if policies and practices adequately mitigate credit exposures to ACH transactions.
5. Determine the ODFI's practices regarding originators' security audits of physical, logical, and network security:
   - Does the ODFI receive summaries or full audit reports from originators?
   - Are audits adequate in scope and performed by independent and qualified personnel?
   - Are corrective actions regarding exceptions satisfactory?
6. Determine how the ODFI or the RDFI manages its relationship with third-party service providers:
   - Is the service provider's financial information obtained and satisfactorily analyzed?
   - Are service-level agreements established and monitored?
7. Determine if the ODFI allows third-party service providers direct access to the ACH operator.
8. Do agreements between the ODFI and service providers include:
   - A requirement that the service provider obtain ODFI prior approval before originating ACH transactions for originators under the ODFI routing number?
   - Establishment by the ODFI of dollar limits for files that the service provider deposits with the ACH operator?
   - Restriction on the service provider's ability to initiate corrections to files that have already been transmitted to the ACH operator?
   - Provisions regarding warranty and liability responsibilities?
   - Appropriate handling of files (physical and logical access controls)?

ACH RDFI Responsibilities

1. Determine whether the RDFI has consumer notification procedures regarding:
   - Unauthorized or improperly originated entries.
   - Entries where authorization was revoked.
2. Determine if the RDFI acts promptly on consumers' stop-payment orders.
3. Determine if the RDFI has procedures that enable it to freeze proceeds of ACH transactions in favor of blocked parties (under OFAC sanctions) for whom the RDFI holds an account.
4. Determine if the institution considers the volume of uncollected ACH transactions as part of its liquidity risk management practices.
5. Determine if management and personnel display adequate knowledge and technical skills in managing and performing duties related to ACH transactions.
6. Review results from the institution's NACHA rule compliance audit. Determine:
   - Independence and competence of the party performing the audit.
   - Whether the board or its committee reviewed and approved the audit.
   - Whether responsibilities for high-risk entries (WEB) were included in scope.
   - Whether corrective actions are satisfactory regarding any audit exceptions.

ACH Accounting and Transaction Processing

1. Are adequate logs maintained for ACH payments received from and delivered to each customer?
2. Are balancing procedures used for all ACH payments received?
3. Do procedures include balancing to aggregate payments sent to an ACH operator?
4. Does the institution balance all payments received from an ACH operator to the aggregate of payments delivered to customers?
5. Does the institution verify and authorize the source of all ACH files received for processing?
6. Does the institution reconcile all general ledger accounts related to ACH on a timely basis?
7. Do ACH supervisory personnel perform reconcilement and regularly review exception items?
8. Does the institution reconcile ACH activity and pending file totals daily with the ACH operator?
9. Is reconcilement with third-party processors preparing ACH transaction files effective?
10. Is there a daily reconciliation?
11. Are ACH holdover transactions effective? Does the institution adequately control them?
12. Does the accounting staff reconcile individual outgoing ACH batches before merging them with other ACH transactions?
13. Are there separate accounts to control holdovers, adjustments, return items, rejects, etc.?
14. Are these accounts periodically reconciled?
15. Does the investigation unit effectively address customer inquiries and control return items, rejected/unposted items, differences, etc.?
16. Does the unit periodically generate aging reports of outstanding items for management?
17. Does management adequately track exceptions to credit limit policies and legal contracts?
18. Assess the adequacy of separation of duties throughout the ACH process, including:
   - Origination.
   - Data entry.
   - Adjustments.
   - Internal reconcilement.
   - Preparing general ledger entries.
   - Posting to customer accounts.
   - Investigations.
   - Reconcilement with ACH operators.
19. Are adjustments to original ACH instructions received in an area that does not have access to the original data files?
   - Added payments?
   - Stop payments?
   - Reroutes?
   - Reversals?
20. Are authorization controls appropriate for the adjustment process?
   - Signature verification and callbacks on telephone instructions?
   - Does the institution maintain adequate records of individuals making requests?
   - Logs and taping of telephone calls?
21. Assess the customer profile origination and change request process:
   - Are requests in writing, or is there equivalent confirmation for online activities?
   - Do requests identify originating personnel?
   - Do requests document supervisory approval?
   - Are requests verified by staff unable to make changes?

ACH Funding and Credit

1. In assessing the process for releasing payments to an ACH operator, are assurances obtained that sufficient collected funds or credit facilities are available (on deposit or prefunded)?
2. Does the institution monitor customer intraday and interday positions based on defined thresholds?
3. For third-party processors contracted to process outgoing ACH transactions, are there procedures to monitor ACH activity and ensure that funds are collected before the institution settles with the ACH operator (collected balances, prefunding, credit lines)?
4. For prefunding arrangements in place for customers without credit lines, does management block funds (held for disposition) or maintain them in separate accounts until the transaction date?
5. For non-prefunded arrangements:
   - Does the institution place blocks on outgoing payments to deposit accounts, apply them as reductions to credit lines, or include them in the overall funds transfer monitoring process?
   - Does management approve payments resulting in extensions of credit lines or drawings against uncollected funds and retain supporting documentation?
6. Does the institution perform credit assessments of customers originating large dollar volumes of ACH credit transactions?
7. Does the institution review credit assessments periodically to evaluate the creditworthiness of the customer and current economic conditions?
8. Does management treat ACH debits deposited as uncollected funds?
9. Does management monitor any draws against these funds for debits originated by high-risk customers?
10. Does management approve draws against uncollected ACH deposits?
11. Is documentation maintained to support approvals for debits originated by high-risk customers?
12. In assessing Internet and telephone ACH transaction processing procedures, are there appropriate authentication controls and procedures to ensure the proper identities of parties invoking ACH transactions?
13. Does the institution assess management's risk assessment of ACH services in terms of the importance of this function to the overall corporate treasury services function?
14. Does the institution obtain and analyze any audit conducted by the ACH service provider pursuant to the NACHA rule compliance audit requirement?

WEB and Telephone-Initiated ACH Transactions

1. Has the institution adopted adequate policies and procedures regarding ACH transactions involving Internet-initiated (WEB) entries?
2. Are entries in writing and approved by the board or a designated committee?
3. Do entries adequately address the ODFI or RDFI responsibilities?
4. Do entries establish management accountability?
5. Do entries include a process to monitor policy compliance?
6. Do entries include a mechanism for periodic reviews and updates?
7. Has the ODFI implemented telephone-initiated (TEL) ACH entries? Are there significant return rates for these transactions?
8. Does the institution adhere to NACHA guidelines concerning merchant management and their business practices?
9. Are written agreements in place with all originators submitting TEL transactions?
10. Do these agreements include adequate consumer (receiver) authentication and authorization?
11. Does the institution make tape recordings of all consumer oral authorizations?
12. Does the institution provide written notice to the consumer prior to the settlement date for the TEL entry and confirm the terms of the oral authorization?
13. Does the ODFI require its originator to employ a commercially reasonable method to authenticate the consumer/business?
   - Is documentation of the method adequate?
   - Is the frequency of review of commercially reasonable standards sufficient?
14. Does the ODFI conduct risk assessments of its originators?
15. Do risk assessments reflect a reasonable exercise of business judgment?
16. Does the risk assessment include evaluations of:
   - Receiver authorizations?
   - The originator's Internet security capability, including:
     - Commercially reasonable fraudulent transaction detection systems?
     - Routing number verification?
     - Secure customer Internet sessions?
   - Frequency of risk assessments?
   - Documentation and approval standards?

ACH Contingency Plans

1. Has the institution evaluated the ACH contingency plan?
2. Has the institution tested it?
3. Does the contingency plan include provisions for partial or complete failure of the system or communication lines between:
   - Institution?
   - ACH operators?
   - Customers?
   - Associated data centers?
4. Based on the volume and importance of ACH activity:
   - Is the plan reasonable?
   - Does the plan provide for a reasonable recovery period?
   - Does the institution duplicate or retain transaction files for input reconstruction for a minimum of 24 hours? (NACHA rules require retention of all entries, including return and adjustment entries transmitted to and received from the ACH, for a period of six years after the date of transmittal.)
5. Are data and program files adequately retained and backed up at off-premises facilities?
6. Has the center established and tested procedures to recover and restore data under various contingency scenarios?
7. Are the frequency and methods of testing contingency plans adequate?
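The exposure-limit monitoring asked about in item 1 of "ACH ODFI and RDFI Responsibilities", as an added Python example (not part of this questionnaire and not NACHA, FDIC or any vendor's code): it accumulates an originator's entries over a rolling window spanning the cited debit-return time, keeps a separate accumulation for WEB entries, and flags entries that need prior credit-officer approval. The originator ID, limits, amounts and the 65-day window are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Window at least as long as the average ACH debit-return time the questionnaire
# cites (60 to 75 days); the 65-day figure is an assumption for this example.
WINDOW_DAYS = 65

@dataclass
class Entry:
    originator: str   # originator (company) identifier, constructed
    sec_code: str     # Standard Entry Class code: PPD, CCD, WEB, ...
    settlement: date  # settlement date of the entry
    amount: int       # amount in cents, as ACH records carry it

def outstanding(entries, originator, as_of, sec_code=None):
    """Sum one originator's entries settling in the rolling window ending at
    as_of: they can still be returned, so they remain part of its exposure."""
    start = as_of - timedelta(days=WINDOW_DAYS)
    return sum(e.amount for e in entries
               if e.originator == originator and start < e.settlement <= as_of
               and (sec_code is None or e.sec_code == sec_code))

def screen_batch(history, batch, limits):
    """Return (entry, reasons) for each new entry that would push its originator
    over a limit across settlement dates and so needs credit-officer approval."""
    seen, flagged = list(history), []
    for e in sorted(batch, key=lambda x: x.settlement):
        lim, reasons = limits[e.originator], []
        if outstanding(seen, e.originator, e.settlement) + e.amount > lim["total"]:
            reasons.append("total")
        if e.sec_code == "WEB" and \
           outstanding(seen, e.originator, e.settlement, "WEB") + e.amount > lim["web"]:
            reasons.append("web")
        if reasons:
            flagged.append((e, reasons))
        seen.append(e)  # held entries still count: they may be released after approval
    return flagged

# Constructed sample, in cents: $1,000,000.00 overall limit, $100,000.00 WEB limit.
LIMITS = {"ACME01": {"total": 100_000_000, "web": 10_000_000}}
HISTORY = [
    Entry("ACME01", "PPD", date(2011, 8, 1), 60_000_000),   # outside the window
    Entry("ACME01", "PPD", date(2011, 9, 1), 40_000_000),   # inside the window
    Entry("ACME01", "WEB", date(2011, 10, 1), 6_000_000),
]
BATCH = [
    Entry("ACME01", "PPD", date(2011, 10, 14), 50_000_000),  # fits: 96M of 100M
    Entry("ACME01", "WEB", date(2011, 10, 14), 5_000_000),   # breaches total and WEB
    Entry("ACME01", "CCD", date(2011, 10, 15), 1_000_000),   # total still exceeded
]
```

Running `screen_batch(HISTORY, BATCH, LIMITS)` holds the WEB entry for both limits and the later CCD entry for the overall limit, while the PPD entry that fits is released.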