PURPOSE

The purpose of this bulletin is to advise national banks and examiners of three amendments to National Automated Clearing House Association (NACHA) Operating Rules that became effective in 2004. As part of an effective risk management program, banks should implement procedures to ensure compliance with these and all other NACHA Operating Rules and related Office of the Comptroller of the Currency (OCC) and Federal Financial Institutions Examination Council (FFIEC) guidance. This bulletin supplements guidance on Automated Clearing House (ACH) activities outlined in the FFIEC IT Handbook, "Retail Payment Systems," dated March 2004.

Background

The ACH network, through which electronic payments are distributed and settled, has existed since the early 1970s.¹ As the industry develops new and innovative uses for ACH, and, as both ACH activity and the number of participants in the network (including third parties) grows, risks to national banks engaged in ACH activity can be complex and not readily apparent. National banks, therefore, must have the expertise to identify ACH risks and be able to implement risk management processes to appropriately manage ACH risk.

NACHA OPERATING RULES CHANGES

Three amendments to NACHA Operating Rules became effective in 2004. The most important changes introduced by the amendments are described below.

Accounts Receivable Conversion (ARC)² Opt-out Amendment (Effective June 11, 2004)
This amendment requires originators of ARC debits to allow consumers to opt out of ARC check conversion and to establish reasonable procedures under which consumers may notify originators that their checks are not to be converted to ARC debits. While not mandated by this NACHA rule amendment, the OCC also encourages national banks that are originators of ARC debits to:

• Provide consumers with a clear and conspicuous notice of their right to opt-out;³
• Establish procedures to apply any consumer opt-out requests to all checks involving the consumer's checking account; and,
• Provide consumers with a telephone number they may call for any inquiries related to the ARC process.

Network Security Amendment (Effective September 10, 2004)
Banking information must be transmitted through a secure session or encrypted, in either case using a commercially reasonable security technology that, at a minimum, is equivalent to 128-bit RC4 encryption technology. This requirement applies to any ACH transaction, between ACH participants, regardless of Standard Entry Class Code. There is also a new requirement for ODFIs to use commercially reasonable methods to establish the identity of each originator who uses an unsecured electronic network to enter into a contractual relationship with the ODFI for the origination of ACH transactions.

Third-Party Senders⁴ Amendment (Effective December 10, 2004)
This amendment requires that a third-party sender enter into an agreement with an ODFI under which the third-party sender is bound by the NACHA rules. The amendment also requires the originator to enter into an agreement with the third-party sender under which the originator assumes its responsibilities pursuant to the NACHA rules. These agreements must include acknowledgements that entries that violate federal laws may not be initiated.

Banks should have controls in place to restrict or refuse ACH services to potential originators engaged in questionable or deceptive business practices. However, it is important to be aware that such organizations may originate ACH payments through third-party senders that originate through the bank. Where an originator that is engaged in questionable business practices uses a third party sender, the bank bears the same or increased risk as if the bank contracted directly with the originator. The lack of a direct contractual relationship between the ODFI and originator has the potential to increase the risk to the ODFI since it risks being unable to establish a claim against the originator in the event of loss.

If originators are not customers of the bank, they may fall outside the bank's know-your-customer responsibility, capability, and processes. A key risk in such a case arises from the fact that the bank may not have information about or control over these originators. To minimize credit, transaction, compliance, and reputation risk, national banks and their third-party senders should have policies and procedures in place and implemented to ensure that effective due diligence is performed on all originators. Banks must perform risk analyses on new and established relationships and must inform customers and third-party senders of their policies and procedures related to ACH exposure limits and risk management.

Exposure limits
The NACHA Operating Rules require originating depository financial institutions (ODFIs) to: establish an exposure limit for originators, have procedures to review the exposure periodically, and monitor ACH entries relative to the exposure limit across multiple settlement dates. The operating rules also require the ODFI's annual ACH audit to include verification that such requirements are being met. The amendment to the operating rules described above makes it clear that ODFIs must comply with such requirements relating to third-party senders. The OCC requires banks, in general, to set exposure limits to minimize credit and reputation risk. Exposure limits should be based upon credit-quality factors and the originator's (or third-party sender's) transaction history. Review and approval of exposure limits should be conducted at least annually by the board or a committee thereof. Banks with high-risk ACH activities should review exposure limits more frequently.⁵ Exposure limits must be monitored as a part of daily operations. Banks must ensure that they have established procedures for acting upon files that exceed exposure limits and for handling exception situations. In most cases, ACH-processing personnel should not have the authority to process an ACH file that exceeds established exposure limits.

Direct Access to the ACH Operator
The risks posed to a bank by its granting to a third-party service provider direct access to the ACH operator are discussed in OCC Bulletin 2002-2. In addition to the risk management requirements set forth in that bulletin, banks should require third-party service providers to notify the ODFI of dollar totals for each file processed so that the ODFI can reconcile activity and settlement totals with the ACH operator.

SUMMARY

ACH-related products and services provide national banks with an opportunity to retain customers and attract new business. ACH transactions, however, present significant new and unique risk management and legal liability challenges to management and boards of directors. National banks should comply with NACHA Operating Rules and follow OCC- and FFIEC-related guidance in order to meet such challenges. OCC examiners should continue to assess whether a bank's ACH risk management practices are appropriate in light of the bank's ACH activities and risks.

ADDITIONAL INFORMATION

You may direct any related questions or comments to the Operational Risk Policy Division at (202) 874-5190.

Mark L. O'Dell
Deputy Comptroller for Operational Risk