Agenda
• The ACH Network
• ACH Network Participants
• Legal Framework of the ACH Network
• Risk Background
• Types of ACH Risk
• Avoiding ACH Risk
• Nature of ACH Transactions and Commensurate Risk
• Additional Risk Factors
• Auditing Guidelines
How The ACH Network Began
• Early 1970s: SCOPE (Special Committee on Paperless Entries)
• 1st ACH Association began in California in 1972
• NACHA was formed in 1974 to coordinate the ACH movement nationwide
• FRB became the ACH Operator, providing facilities, equipment and staff to handle the ACH transactions
• One private sector ACH Operator: Electronic Payments Network (EPN)
ACH Trends
• 18,000 FIs using ACH
• 145 million consumers
• 2005 volume up to 13.9 billion transactions
• Commercial use of ACH Network up by 16% in 2005 (2 billion more than 2005)
• Over 4.5 million corporations
NACHA’s Mission
NACHA’s mission is to promote the development of electronic solutions that improve the payments system for the benefit of its members and their customers.
ACH System Participants (flow diagram): Originator → ODFI → ACH Operator → RDFI → Receiver; the Authorization runs between the Originator and the Receiver.
Risk Background
• $31 trillion in commercial transactions was processed by the ACH Network in 2005.
• This future growth, coupled with the increase in the total value of ACH payments, provides incentive for DFIs to increase their awareness of ACH Risk.
• Concern about payment system risk among various banking groups and regulators is increasing.
Risk Background
• Operational and fraud risks related to cash management services are widely understood.
• Credit risk, however, is becoming more prevalent.
• To date, ACH related losses have been minimal.
• Continued risk management for ACH transactions will ensure that the losses remain low.
Types of ACH Risk
• Credit Risk
• Operational Risk
• Fraud Risk
Credit Risk – ODFI Exposure: Credit Origination
Timeline (Day 1 to Day 3):
• Originator deposits a $3mm Direct Deposit payroll file with the ODFI.
• The ODFI deposits the file to the ACH Operator by Noon.
• RDFI makes funds available at opening of business.
• Receivers withdraw funds from their accounts.
• At 1:30pm, the Originator files for Chapter 11 protection.
• ODFI experiences a potential $3mm loss: this is the ODFI’s exposure.
Credit Risk – ODFI Exposure: Debit Origination
Timeline (Day 1 to Day 4):
• ACH debit file is sent from Company A to Bank A.
• Bank A processes the file and delivers the transactions to the ACH Operator.
• Bank A credits Company A’s account for the total amount of the ACH debit file.
• ACH debit is received by Bank B.
• Bank B returns the ACH debit.
• Bank A receives the ACH debit return.
• Bank A charges back the ACH debit return to Company A: this is the ODFI’s exposure.
Chapter 1: Credit Risk Case Study, Untimely Returns
On Sept. 27, an RDFI returned four ACH corporate (CCD) debits totaling $56,524.00. The original settlement dates for these debits ranged from Sept. 14-19. The RDFI held on to the debits because the Receiver’s account was overdrawn and the RDFI wanted to see if the Receiver would fund the account. On Sept. 25, the originating company in this case filed for bankruptcy. The ODFI, faced with a potential $56,524.00 loss, filed suit against the RDFI, citing the fact that the returns were untimely.
1.) Which party is liable? Why?
2.) Name some preventive measures the RDFI (and ODFI) could have taken.
3.) Would your financial institution have sustained a loss in this case?
Operating Risk
Operational risk is defined as the risk that the exchange of ACH transactions will not be completed accurately or on time because of an operational failure at some point in the exchange process.
Operating Risk
• Examples of Operating Failure
  • Failure or unavailability of computer hardware and/or software
  • Failure of telecommunications equipment or circuits
  • Power failure
  • Human error
  • Staffing problems
  • Disasters (explosions, fire, flood, or earthquake)
Operating Risk Case Study
RDFI Risk: Unsubstantiated “Unauthorized Debit”
For several years, an insurance company originated $45 debits to a consumer’s (Receiver) account for premiums on a $250,000 life insurance policy. One day, a telephone request to return that month’s debit as unauthorized was received at the RDFI from an individual claiming to be the consumer. Based on this telephone request, the debit entries for that month and the following month were returned. After receiving two returned debits for R10 (Consumer Advises Not Authorized), the insurance company canceled the consumer’s life insurance policy. Subsequently, the consumer died and the insurance company refused to pay the life insurance claim from the beneficiary since the policy had been canceled due to the returned debits received from the RDFI. The insurance company subsequently learned that the RDFI had failed to obtain an affidavit from the Receiver. Restitution was sought by the beneficiary, which resulted in legal action against the insurance company and the RDFI.
1.) What party (or parties) are liable? Why?
2.) What preventive measures and Rules compliance should have taken place?
3.) Would your financial institution have sustained a loss in this case?
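The two case studies above (untimely corporate returns, and an R10 return taken on a phone call with no affidavit) both come down to checks an RDFI or ODFI can run on every returned entry. The following is an added Python example, not material from the presentation or from NACHA; the return windows it uses (2 banking days for ordinary returns, 60 calendar days for a consumer R10 backed by a written statement), the weekend-only banking calendar, the year 2006 and the R01 reason on the corporate debits are all assumptions.

```python
from datetime import date, timedelta

# Assumed return windows (the slides do not state them in these terms): a return
# must reach the ODFI within 2 banking days of settlement, except a consumer R10
# (Consumer Advises Not Authorized), which may be made within 60 calendar days
# but only with a written statement (affidavit) from the Receiver on file.
CORPORATE_SEC = {"CBR", "CCD", "CTX"}  # SEC codes from the corporate slide
CONSUMER_SEC = {"PBR", "PPD", "CIE"}   # SEC codes from the consumer slide
STANDARD_RETURN_DAYS = 2               # banking days (assumption)
R10_WINDOW_DAYS = 60                   # calendar days (assumption)

def banking_days_between(start, end):
    """Monday-to-Friday days after start up to and including end; bank holidays
    are ignored in this constructed calendar."""
    count, day = 0, start
    while day < end:
        day += timedelta(days=1)
        if day.weekday() < 5:
            count += 1
    return count

def validate_return(sec_code, return_code, settlement, returned, affidavit_on_file):
    """List the rule problems with one returned entry; an empty list means the
    RDFI may send it and the ODFI must accept it."""
    problems = []
    if sec_code in CONSUMER_SEC and return_code == "R10":
        if not affidavit_on_file:
            problems.append("R10 without written statement from the Receiver")
        if (returned - settlement).days > R10_WINDOW_DAYS:
            problems.append("R10 outside the 60-day window")
    else:  # corporate (CORPORATE_SEC) and all other consumer returns
        days = banking_days_between(settlement, returned)
        if days > STANDARD_RETURN_DAYS:
            problems.append(f"untimely: {days} banking days after settlement")
    return problems

def case_studies():
    """Cases built from the two slides; the year (2006) and the corporate
    return reason (R01) are assumptions, the slides give neither."""
    return {
        "ccd_settled_sept14_returned_sept27":
            validate_return("CCD", "R01", date(2006, 9, 14), date(2006, 9, 27), False),
        "ccd_settled_sept19_returned_sept27":
            validate_return("CCD", "R01", date(2006, 9, 19), date(2006, 9, 27), False),
        "ccd_returned_within_two_banking_days":
            validate_return("CCD", "R01", date(2006, 9, 14), date(2006, 9, 18), False),
        "ppd_r10_on_phone_request_no_affidavit":
            validate_return("PPD", "R10", date(2006, 9, 5), date(2006, 9, 8), False),
    }
```

Run at the RDFI before a return is sent, the same function would have stopped both returns in the case studies; run at the ODFI on incoming returns, it flags the untimely ones to dispute.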
Fraud Risk
Fraud risk is the risk that ACH data will be compromised through the introduction of false transactions, the alteration of valid transactions, or the alteration of static data that controls the routing or settlement of valid ACH transactions.
Fraud Risk Case Study
ODFI Risk: Employee Fraud
A programmer at an ODFI scans a file before forwarding it to the ACH Operator, and locates a large ($1 million) credit transaction destined for an RDFI where the programmer has a checking account under a false name. The programmer alters the file by placing his account number in the $1 million transaction. The next morning, the programmer drives to his bank and wires $1 million to his account in Zurich. Later that morning, the intended Receiver realizes that the expected transaction was not posted. The Originator requests reimbursement for $1 million from the ODFI for the payment that was misappropriated by the programmer.
1.) Who is liable in this case and why?
2.) What types of preventive measures should have been taken by the ODFI and RDFI?
3.) Would your financial institution have sustained a loss in this case?
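One preventive measure the ODFI in this case study lacked is an integrity seal on the file as received from the Originator, checked again before the file leaves for the ACH Operator. The following is an added Python example, not code from the presentation or from any ODFI: the entry records are constructed sample data laid out on the standard 94-character NACHA entry detail format, the routing number and IDs are dummies, and the seal key is assumed to be held by a control function the programmer cannot reach.

```python
import hashlib, hmac

# Fixed-width NACHA entry detail ("6") record fields, 1-based inclusive positions,
# taken from the standard 94-character layout (only the fields used here).
FIELDS = {"transaction_code": (2, 3), "receiving_dfi_id": (4, 11),
          "dfi_account_number": (13, 29), "amount_cents": (30, 39),
          "individual_name": (55, 76), "trace_number": (80, 94)}

def make_entry(account, amount_cents, name, trace):
    """Constructed 94-character credit entry; routing number and IDs are dummies."""
    rec = ("6" + "22" + "01234567" + "8" + account.ljust(17)
           + f"{amount_cents:010d}" + "ID-0001".ljust(15) + name.ljust(22)
           + "  " + "0" + trace)
    assert len(rec) == 94
    return rec

def seal(key, file_bytes):
    """Integrity seal (HMAC-SHA256) over the file exactly as received from the Originator."""
    return hmac.new(key, file_bytes, hashlib.sha256).hexdigest()

def release_ok(key, file_bytes, intake_seal):
    """Pre-transmission control: the file sent to the ACH Operator must still match
    the intake seal, so any edit made inside the ODFI after intake blocks release."""
    return hmac.compare_digest(seal(key, file_bytes), intake_seal)

def altered_fields(original, altered):
    """Investigation aid: (record index, field, original value, altered value)
    for every field that differs between the two versions of the file."""
    changes = []
    for i, (o, a) in enumerate(zip(original.splitlines(), altered.splitlines())):
        for name, (start, end) in FIELDS.items():
            if o[start - 1:end] != a[start - 1:end]:
                changes.append((i, name, o[start - 1:end].strip(), a[start - 1:end].strip()))
    return changes

def demo():
    key = b"intake-seal-key-held-by-the-control-function"  # constructed key
    original = "\n".join([
        make_entry("1111222233", 100_000_000, "ACME SUPPLIERS INC", "012345670000001"),
        make_entry("4444555566", 2_500, "J SMITH", "012345670000002"),
    ])
    intake_seal = seal(key, original.encode())
    # The insider redirects the $1 million entry to another account; the amount is
    # untouched, so batch totals alone would not notice, but the seal no longer matches.
    tampered = original.replace("1111222233", "9999888877")
    return (release_ok(key, original.encode(), intake_seal),
            release_ok(key, tampered.encode(), intake_seal),
            altered_fields(original, tampered))
```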
Nature of ACH Transactions
• Consumer Transactions
  • 60 day right of recredit
  • Require an authorization
    • Written
    • Similarly authenticated
    • Notice = Authorization
    • Oral authorization
  • Include certain Standard Entry Class Codes
    • PBR, PPD and CIE
    • The eCheck applications
Nature of ACH Transactions
• Corporate Transactions
  • 24 hour right of recredit
  • Require an agreement that binds both parties to the NACHA Operating Rules
  • Include certain Standard Entry Class Codes
    • Corporate Cross-Border Entries (CBR)
    • Corporate Cash Concentration and Disbursement Entries (CCD)
    • Corporate Trade Exchange Entries (CTX)
Additional Risk Factors
• Primary ACH Risk – Most common factors affecting the successful processing of an ACH transaction.
• Transaction Level Risk – Lapses in security that affect the overall integrity of a transaction. Occurs many times in spite of an Originator’s best efforts.
• Originator Level Risk – Actions within the purview of the Originator’s responsibilities that lead to an ACH transaction being compromised.
Additional Risk Factors: Primary Risk
• Unauthorized transactions
• Returns/60 Day Right of Recredit
• Account Numbers
• ACH Returns due to Invalid Account Numbers
• Fraudulently-used Valid Account Numbers
• Closed Accounts
• Non-Sufficient Funds
Additional Risk Factors: Transaction-Level Risk
• Transport Vulnerabilities – Interception of financial data, usernames or passwords transmitted in an insecure environment.
• Log-In, Username and Password Cracking – Systematic generation and testing of usernames and passwords designed to fraudulently authorize a financial transaction.
• One-Time Theft – Identity Theft.
Additional Risk Factors: Originator-Level Risk
• Employee-Initiated Fraud
  • Employees at Online Originators
  • Employees at Real World Originators
• Spoofing (and Phishing)
  • Website spoofing
  • Email solicitations
• Originator Non-Delivery
ACH Annual Self-Audit
• Rule Compliance Audit Requirements
  • General audit requirements
    • Annual audit by December 1
    • Under the direction of audit committee, audit manager, senior level officer, or external examiner
    • Retained for 6 years and provided to NACHA upon request
  • Audit requirements for Participating DFIs
    • Includes all DFIs (RDFIs and ODFIs) and their third-party service providers
  • Audit requirements for ODFIs
    • Includes ODFIs and their third-party service providers
Resources
• www.epaynetwork.com
• www.nacha.org
• www.fdic.gov/consumers/consumer/guard/index.html
• www.usps.com/postinspectors/dvdorder.htm
• www.usps.com/missingmoneyorders/security.htm
• 2006 ACH Rules Book
• ACH Risk Management Handbook – 3rd Edition
• The ACH Compliance Manual: How to Comply with ACH-Related Rules & Regulations – 4th Edition
• Risk Management for the New Generation of ACH Payments: Internet, Electronic Check and Telephone
• Risk Management for Consumer Internet Payments: ACH, Credit Cards, Debit Cards and P2P
• Understanding Internet-Initiated ACH Debits
• Third Party Senders, The ACH Network: An Implementation Guide
Tim Mills, Director of Association Services
Electronic Payments Network / The Payments University
230 S. LaSalle, Suite 700
Chicago, Illinois 60604
firstname.lastname@example.org
312-913-2597