Nacha Rules Compliance
Written by Kayla Fitzgerald
Updated over a week ago

Rules Compliance

Risk Management and Assessment

Risk management is every financial institution’s responsibility. There are three key types of risk affecting ACH payment processing that you should be aware of:

  • Credit Risk—the risk that a party to a transaction cannot provide funds for settlement

  • Operational Risk—the risk of loss due to unintentional error

  • Fraud Risk—the risk that a transaction may be initiated or altered in an intentional effort to misdirect or misappropriate funds

The ACH Rules require all financial institutions to perform a risk assessment of their ACH activities and to implement risk management programs based on the assessment, in accordance with the requirements of their regulator(s).

ACH Credit Risk

While credit risk is generally associated with ACH origination activities, RDFIs are also exposed to credit risk when they:

  • Post a credit entry prior to the Settlement Date, or

  • Do not return a debit entry in a timely manner.

Controlling Credit Risk

Credit risk is generally controlled by developing and implementing processing procedures, understanding compliance obligations and ensuring ACH operations staff are properly trained.

ACH Operational Risk

Operational risk represents the amount of loss related to unintentional errors, which may occur due to a hardware/software failure or clerical errors, such as untimely returns or the incorrect use of return reason codes. Any disruption in ACH processing can jeopardize the accurate and timely processing of ACH entries.

Controlling ACH Operational Risk

The evaluation of ACH operational risk and the determination of procedures to control those risks should include participation of auditors and outside professionals to ensure objectivity. Operational risk may be managed through automated security methods, as well as controlled operational procedures, which include cross-training of staff, dual controls and a contingency plan.

ACH Fraud Risk

Fraud risk represents risk that a transaction may be initiated or altered in an intentional effort to misdirect or misappropriate funds. Risks related to fraud are affected by internal as well as external factors. Fraudulent activities may be the work of dishonest employees, third-party processing personnel, originating company personnel or other outside parties.

Controlling ACH Fraud Risk

While controls related to ACH operational and credit risk may also be effective in deterring fraud, additional areas of control include specific personnel practices and security practices.

Personnel Practices

The following are suggestions regarding practices and procedures that contribute to fraud risk management:

  • Limit use of temporary employees

  • Screen potential full-time employees

  • Segregate duties

  • Change or rotate work assignments

  • Mandate physical security (e.g., individual passwords, physical locks, etc.)

Security Practices

It is up to the financial institution to ensure that its ACH operations are secure. Sensitive operation sites, such as the area that houses the computer and communications equipment, should be kept secure. All portable data, such as CDs, USB drives, reports and physical file folders, should be kept in secure areas and protected from hazards such as flood or fire. Computer terminals should automatically log off after a set period of inactivity.

ACH processing software should be safeguarded with controls in place to ensure that only authorized changes can be made. Communications software should provide security features, such as encryption or authentication, to secure data while it is in transit. In general, ACH processing security should conform to the organization’s data processing security policy.

ACH Audit

Refer to the Operating Guidelines of the ACH Rules for detailed information on the ACH Audit.

All ACH participating financial institutions and Third-Party Service Providers must conduct an audit of ACH Rules compliance annually, by December 31, in accordance with the ACH Rules. This includes both ODFIs and RDFIs and their Third-Party Service Providers (Third-Party Sender, Sending/Receiving Point). The audit may be performed externally or internally under the direction of an audit committee, audit manager or senior level officer of the participating Depository Financial Institution or the Third-Party Service Provider.

Data Security Requirements

The ACH Rules establish data security requirements for all ACH transactions, regardless of Standard Entry Class (SEC) code, that are transmitted or exchanged via an Unsecured Electronic Network (UEN); the Internet is one example of a UEN. Any banking information (including, but not limited to, an entry, entry data, a routing number, an account number, a PIN or other identification symbol) that is transmitted or exchanged via a UEN must be either (1) encrypted, or (2) transmitted via a secure session, in either case using commercially reasonable security that complies with applicable regulatory requirements.

TPS must also have policies, procedures and systems in place designed to protect banking information from being breached. Such policies, procedures and systems will need to ensure banking information is secured throughout the ACH payment cycle, including the initiation, processing and storage of entries until destruction.
