NACHA’s Risk Management Strategy Update

NAFP Treasury Management Conference

September 15, 2011

Barry Gideon

Vice President

Treasury Services

Agenda
  • The ACH Network
  • Risk Management Strategy
  • Risk Management Rules & Initiatives
    • Network Enforcement Rule
    • Direct Access Registration Rule
    • ACH Security Framework
    • Corporate Account Takeover
    • ACH Benchmarking
    • Third Party Senders
    • Terminated Originator Database
  • How Banks Approach ACH Credit Risk Exposure
The ACH Network
  • The ACH Network is a batch-processing, store-and-forward system governed by the NACHA Operating Rules
  • ACH payments include:
    • Direct Deposit of payroll, Social Security and other government benefits, and tax refunds
    • Direct Payment of such consumer bills as mortgages, loans, utility bills, and insurance premiums
    • Business-to-Business payments
    • e-Checks
    • e-Commerce payments
    • Federal, state, and local payments
  • NACHA supports the growth of the ACH Network by managing its development, administration, and governance
    • NACHA represents nearly 11,000 financial institutions through 17 regional payments associations and direct membership
    • Through its industry councils and forums, NACHA brings together payments system stakeholder organizations to encourage the efficient utilization of the ACH Network, and develop new ways to use the Network to benefit its diverse set of participants


  • NACHA occupies a unique role in the association world, serving as both an industry trade association and the administrator of the Automated Clearing House (ACH) Network
  • In its role of ACH Network Administrator, NACHA is responsible for four key functional areas: 
    • NACHA Operating Rules
    • Network Enforcement & Risk Management
    • Network Strategy & Outreach
    • Advanced Payment Solutions


Key NACHA Roles

(Slide diagram: Rules Creation, Risk Collaboration and Innovation, shown as support for the industry, facilitating the balance of risk and innovation.)


NACHA – Enforcement & Risk Management

  • Network Enforcement & Risk Management
    • NACHA develops and implements a comprehensive, end-to-end risk management framework
    • Collectively, the strategy addresses risk and quality in the ACH Network
    • Areas of responsibility include:
      • Arbitration Board
      • National System of Fines
      • Risk Investigations & Services
      • Risk Management Advisory Group
      • Risk Management Support & Communications 
Risk Management as a Strategic Priority
  • NACHA’s Risk Management Advisory Group (RMAG)
    • The RMAG currently consists of representation from:
      • The 2 gateway operators (Federal Reserve and EPN)
      • 15 Financial institutions
      • 6 Regional Payment Associations
    • Achievements include significant contributions to the NACHA rule-making process and to Network education around the changing face of ACH payments risk
    • Advises the NACHA Board and works with staff to guide and implement the risk management strategy
    • Plays a vital role in developing and providing a comprehensive approach to Network risk management
Risk / Quality Continuum
  • Risk and quality improvements cannot be accomplished through a single effort or one all-encompassing rule change. Each initiative is a complementary piece of the entire strategy

(Slide diagram: initiatives arranged along a "Risk – Strength of Initiative" axis and a "Quality – Strength of Initiative" axis.)

Risk initiatives:
  • ACH Security Framework
    • Data Security
    • Authentication
    • Data Breach Policy
  • Targeted Enforcement
    • Unauthorized Trigger
    • Reporting
    • Fines
    • Possible Suspension
  • Operator/NACHA Tools
    • ODFI Understanding / New ODFI Training
    • FI Contact & Communications
    • Data Review
  • Data Sharing
    • Originator Watch List
    • Terminated Originator Database
    • Direct Access Registration
    • Data Review
  • Risk Management Assessment & Audit
    • Compliance Assessment Requirements
    • Regulatory Compliance
    • Enhanced ACH Audits
  • Sound Business Practices
    • Corporate Account Takeover
    • Third-Party Risk
    • Direct Access Credit

Quality initiatives:
  • ACH Benchmarking
    • FI to FI Peer Group
    • Industry Collaboration with ABA
  • Quality Initiatives
    • Misuse of Codes
    • WSUD/Unauthorized
    • Adjustments


ACH Return Rates

Risk Continues to be Well Managed – While New Threats Continue to Emerge

(Slide chart: Industry Return Rates - 2010, annotated with the Network Enforcement Rule and the Company Name Rule; 2010 decline of 10.9%.)

Network Enforcement Rule – March 2008

  • Enhanced National System of Fines
    • Sets higher fine levels
    • Establishes the authority for the ACH Rules Enforcement Panel to direct an ODFI to suspend an Originator/Third-Party Sender from originating
    • Effective December 21, 2007
  • ODFI Reporting Requirements
    • Ensures that an ODFI’s Originators or Third-Party Senders do not exceed a return rate of 1% for unauthorized entries
      • Requires ODFIs to reduce unauthorized return rates below the threshold
    • Defines circumstances under which NACHA may initiate a rules enforcement proceeding related to unauthorized return rates above the threshold
Network Enforcement Rule Evaluation
  • Currently evaluating the effectiveness of the Network Enforcement Rule since its implementation in 2008
    • The overall number of unauthorized returns is down
    • The overall percentage of unauthorized returns is down
    • Problematic rates are .50% - .99%
  • Currently, the ODFI has 60 days after receipt of NACHA’s written request to reduce its Originator’s or Third-Party Sender’s return rate for unauthorized reasons to below 1% before being subject to the National System of Fines
    • The current 1% threshold for debit entries returned as unauthorized is 33 times the 2010 unauthorized return rate for all ACH debits (0.03%)
    • Experience has shown that the 60-day time period is ineffective for risk management purposes
  • Some circumstances involve large volumes of unauthorized returns, which represent problematic transactions, yet the rate does not exceed the current threshold because of the high volume of transactions originated
Network Enforcement Rule Evaluation
  • NACHA’s Rule Making Process recently issued a Request For Comment (RFC) which included a proposal to reduce the unauthorized return threshold from the existing rate of 1% down to .75%, and then eventually to .50%
  • The Request For Comment also included a proposal to shorten the 60-day period before fines are possible for over-threshold activity
Network Enforcement Rule Evaluation
  • There is also an opportunity to enhance the effectiveness of the Rule by spotlighting “invalid returns.” Invalid returns include:
    • R03 – No Account / Unable to Locate Account
    • R04 – Invalid Account
    • Often, there is a correlation between Originators who have high return rates for “unauthorized” transactions and high return rates for “invalid” returns
    • For instance, returns for invalid account information may occur because the Originator obtained account numbers by phishing and is testing which ones are valid
    • The Request For Comment included a proposal to establish a 1% threshold on invalid returns
    • RMAG, through a white paper, is developing sound business practices surrounding returns for invalid account information and educating the industry on the potential correlation between “invalid” and “unauthorized” returns
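An added example (not from the presentation) of the ODFI-side monitoring these slides describe: for each Originator it computes the unauthorized and invalid-account (R03/R04) return rates and flags the 1% threshold in force, the proposed .75% and .50% levels, the .50%-.99% problematic band, and the high-volume case where many unauthorized returns still sit under the rate. The set of reason codes counted as unauthorized and the absolute-count watch level are this example's assumptions; the sample period is constructed.

```python
# Reason codes counted as "unauthorized" in this example (the slides do not
# list them; this set is the example's assumption).
UNAUTHORIZED_CODES = {"R05", "R07", "R10", "R29"}
# Invalid-account return codes, as named on the slide.
INVALID_CODES = {"R03", "R04"}

CURRENT_THRESHOLD = 0.0100              # 1% unauthorized-return threshold in force
PROPOSED_THRESHOLDS = (0.0075, 0.0050)  # RFC proposal: .75%, then .50%
INVALID_THRESHOLD = 0.0100              # RFC proposal for R03/R04 returns
PROBLEMATIC_BAND = (0.0050, 0.0100)     # "problematic rates are .50% - .99%"
# Absolute-count watch level is an assumption for this example: it catches
# the high-volume case on the slide, where many unauthorized returns still
# produce a rate under 1%.
UNAUTHORIZED_COUNT_WATCH = 1000


def return_rates(debits_originated, returns):
    """returns: {reason_code: count} for one Originator over the period.
    Gives (unauthorized count, unauthorized rate, invalid rate)."""
    if debits_originated <= 0:
        raise ValueError("no debit volume to compute a rate against")
    unauth = sum(n for c, n in returns.items() if c in UNAUTHORIZED_CODES)
    invalid = sum(n for c, n in returns.items() if c in INVALID_CODES)
    return unauth, unauth / debits_originated, invalid / debits_originated


def evaluate_originator(debits_originated, returns):
    """Findings for one Originator; an empty list means nothing to act on."""
    unauth_count, unauth_rate, invalid_rate = return_rates(debits_originated, returns)
    findings = []
    if unauth_rate > CURRENT_THRESHOLD:
        findings.append("unauthorized rate exceeds 1% threshold: 60-day reduction period applies")
    else:
        lo, hi = PROBLEMATIC_BAND
        if lo <= unauth_rate < hi:
            findings.append("unauthorized rate in problematic .50%-.99% band")
    for t in PROPOSED_THRESHOLDS:
        if unauth_rate > t:
            findings.append(f"would exceed proposed {t:.2%} threshold")
    if invalid_rate > INVALID_THRESHOLD:
        findings.append("invalid-account (R03/R04) rate exceeds proposed 1% threshold")
    if unauth_count >= UNAUTHORIZED_COUNT_WATCH and unauth_rate <= CURRENT_THRESHOLD:
        findings.append("high absolute unauthorized volume masked by origination volume")
    return findings


def evaluate_portfolio(period_data):
    """period_data: {originator_id: (debits_originated, {code: count})}."""
    return {oid: evaluate_originator(d, r) for oid, (d, r) in period_data.items()}


# Constructed sample period for four Originators (not real data).
SAMPLE_PERIOD = {
    "ORIG-A": (20_000, {"R10": 240, "R29": 10, "R01": 300}),   # 1.25% unauthorized
    "ORIG-B": (1_000_000, {"R10": 3_000, "R01": 9_000}),      # 0.30%, but 3,000 returns
    "ORIG-C": (10_000, {"R10": 70, "R03": 20}),               # 0.70%: problematic band
    "ORIG-D": (5_000, {"R10": 20, "R03": 40, "R04": 20}),     # 0.40% unauth, 1.20% invalid
}

if __name__ == "__main__":
    for oid, findings in evaluate_portfolio(SAMPLE_PERIOD).items():
        print(oid, findings or ["within all thresholds"])
```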
Direct Access Registration Rule
  • The Direct Access Registration Rule requires all ODFIs to register their Direct Access Debit Participant status with NACHA
  • Direct Access is defined as a situation in which an Originator, Third-Party Sender, or a Third-Party Service Provider transmits credit or debit entries directly to an ACH Operator (Fed or EPN) using an ODFI’s routing number and settlement account
  • A Direct Access Debit Participant is an Originator, Third-Party Sender, or a Third-Party Service Provider with Direct Access for the origination of debit entries except: (i) a Third-Party Service Provider that transmits ACH files solely on behalf of an ODFI where that Third-Party Service Provider does not have a direct agreement with an Originator (and is not itself an Originator), or (ii) an ODFI that transmits files using another Participating DFI’s routing number and settlement account
Direct Access Debit Participant Example
  • This is just one example of a Direct Access Debit Participant relationship
  • Direct Access can exist in many scenarios, but may not be required to be registered based on the exclusions to the definition

(Slide diagram: a Third-Party using the ODFI’s RTN transmits entries directly to the ACH Operator.)

  • It is incumbent on the ODFI to determine its Direct Access status and register accordingly
    • The ODFI must define its specific relationship(s) with Third-Parties and Originators


ACH Security Framework Initiative
  • RMAG has teamed with NACHA’s Internet Council to develop a proposal for an ACH Security Framework
  • Consideration of FFIEC Guidance on Authentication in an Internet Banking Environment (2005; and supplement issued June 28, 2011)
  • Framework will ensure that the ACH Network remains high-quality
  • Framework will reflect the unique characteristics of the ACH Network
    • The intent is to ensure basic data security obligations for Network participants to protect data in their purview
      • Many, if not most, financial institutions and other ACH participants are likely to already have these practices in place
      • Rules will codify these practices and ensure they exist Network-wide
    • NACHA’s Rule Making Process recently issued a Request For Information (RFI) and is currently compiling industry responses
Corporate Account Takeover Initiative
  • Corporate Account Takeover is a type of business identity theft in which a criminal entity steals a company’s valid on-line banking credentials
    • Attacks are typically perpetrated quietly, by the introduction of malware through a simple email or infected website
    • For businesses that have low resistance to such methods of attack, the malware introduced onto their systems may remain undetected for weeks and even months
    • By introducing layered security processes and procedures, technological and otherwise, and other tightened security efforts, financial institutions can help protect businesses from criminals seeking to drain accounts and steal confidential information
Corporate Account Takeover Initiative

The sound business practices mentioned in this presentation are not meant to be exclusive approaches nor are they meant to be mandatory requirements. No single security measure is likely to be effective in preventing or mitigating the risks associated with Corporate Account Takeover.

  • A Board Policy on the Importance of Sound Business Practices to Mitigate Corporate Account Takeover has been introduced:
    • ODFIs should vigilantly and proactively protect against this type of fraud in various ways, including
      • Implementing systems designed to prevent and detect attempts to access a business’ banking credentials
      • Keeping their customers informed about the importance of implementing their own systems and sound business practices to protect themselves
      • Taking a risk-based approach tailored to their individual characteristics and their customers to avoid losses and liability for themselves and other ACH participants
      • Periodically reviewing and updating customer guidance in response to developments in the methods used by cyber thieves to perpetrate Corporate Account Takeover
The Importance of Sound Business Practices for ODFIs
  • ODFIs should evaluate their risk profiles and appropriately enhance security processes and procedures to prevent and mitigate the risk of corporate account takeover
  • Sound Best Practices include:
    • Minimum Security Procedures
    • Dual Control for Payment File Initiation
    • Out-of-Band Authentication and Alerts
    • Enhancement of Account Security Offerings
    • Exploration of Low-Tech Security Options
    • Customer Education
      • Businesses
      • Third-Party Processors


The Importance of Sound Business Practices for Businesses
  • Businesses can help protect themselves with layered security processes and procedures and other tightened security efforts
  • Sound Best Practices include:
    • Computer Security
      • Staying Informed and aware
      • Using layered system security
      • Dedicated computer for online banking
    • Account Security
      • Dual control
      • Account reconcilement
      • Report suspicious activity


Rules Proposals to Address Corporate Account Takeover
  • NACHA’s Rule Making Process recently issued a Request For Comment (RFC) and is currently compiling industry responses regarding the Availability Exception Rule
    • Availability Exception Rule
      • Would provide an RDFI that reasonably suspects a credit entry is unauthorized with an exception to the Rules’ provisions requiring the RDFI to make certain credit entries available
      • RDFI would promptly notify the ODFI if using this Rule
ACH Benchmarking Initiative
  • RMAG has been providing input on ACH-related considerations in the American Bankers Association’s (ABA’s) Deposit Account Fraud Survey
  • Currently working with the ABA to develop benchmarks on ACH “loss” data:
    • Have developed and piloted a peer group Financial Institution benchmarking study that addresses:
      • Emerging trends
      • Measures to detect, prevent and reduce risk
      • Types of fraud
      • Losses related to unauthorized returns and Corporate Account Takeover
    • After the pilot, the ongoing Financial Institution peer group study will be made available broadly for financial institution participation
TPSP / Third Party Sender Initiative

What is a Third-Party Service Provider? Third-Party Sender?

Watch Who You Ride With
  • ODFIs can be held accountable for a Third-Party’s compliance with the NACHA Operating Rules & regulatory requirements
  • High-risk Originators
    • Typically use Third-Party Senders
    • Operate under multiple DBAs
    • Use various techniques to mask return volume
    • Rely on multiple processors, ODFIs, & payment types
  • Increase ODFI liability exponentially beyond the fee income
ODFIs: You Must Ask These Questions

Are you providing holistic risk management and oversight over your Third-Party Senders?

Are you monitoring for transaction patterning?

Can you monitor all activity behind the Third-Party?

Does ODFI policy = Third-Party policy (e.g., any restrictions on origination)?

How interdependent are the Third-Party’s customers?

Are you being approached by Third-Parties out of your geography?

Can you answer these questions consistently across all lines of business or silos?

Effectively Managing Third-Party Risk

Rules and regulatory compliance and sound business practices are paramount

Sound Business Practices
  • Requirements of an ODFI (Not just sound business practices – but required in the Risk Management & Assessments Rule - June 2010)
    • Conduct due diligence on the Third-Party Sender and Originators
    • Assess the nature of the activity and the risk it presents
    • Establish procedures to monitor the TPS
    • The ODFI is required to address its internally developed restrictions on origination in the agreement
    • The right to suspend or terminate any Originator processed by the TPS for breach of the NACHA Operating Rules
  • Verify basic facts about the Third-Party Sender
  • Ensure ODFI’s agreement with the Third-Party Sender includes all necessary provisions


Sound Business Practices
  • Perform these procedures on a regular basis
    • Annual review of the TPS’ financial condition
    • Take a risk-based monitoring approach
    • Review the Originator list (their client list) provided by the TPS and properly evaluate it
      • Perform open-source research on company names and verify the types of businesses
      • Exercise the right to audit the TPS and its Originators’ compliance with the agreement and the NACHA Operating Rules



Terminated Originator Database Initiative

The Terminated Originator Database (TOD) went live on March 1, 2011 and is available for ODFIs to sign up, contribute and query

  • The TOD is a risk management tool for ODFIs to share information with other ODFIs about Originators and/or Third-Party Senders that have been terminated for cause
  • The TOD is not a list of originators prohibited or disapproved by NACHA
  • ODFIs can utilize this tool as one component of their due diligence processes for underwriting and continued monitoring of Originators and Third-Party Senders
  • The process of contributing and querying the Database is similar to processes used by other electronic payment networks that gain value from consolidated information
  • The value of the Database is dependent on ODFIs of all sizes and types contributing data. The more ODFIs that contribute data, the more powerful this risk management tool will be for all ODFIs
A Bank’s Risk Exposure

Why does my bank ask me for my company’s financial statements to originate ACH transactions?

The exposure associated with ACH transactions is equivalent to granting an unsecured short-term loan for that period

NACHA strongly encourages banks to:

  • Establish credit exposure limits for both ACH Debits & Credits for each customer
  • Underwrite the risks associated with the exposure limits that have been established
  • Factor ACH Credit risk into the customer’s overall credit exposure profile

A Bank’s Risk Exposure – ACH Credits

The Bank incurs credit risk exposure for the period between the initiation of an ACH credit file by its customer and the time the company funds the account

ACH rules do not allow the bank to call back / reverse ACH credits for failure of the company to fund its account at the Bank

A Bank’s Risk Exposure – ACH Debits

The Bank’s risk is on the small percentage of ACH Debit items that are returned after bankruptcy. The Receiving bank can return items back to the Originating bank within the following timeframes