The ACH and Risk Management

1
The ACH and Risk Management
2
Agenda

• The ACH Network
• ACH Network Participants
• Legal Framework of the ACH Network
• Risk Background
• Types of ACH Risk
• Avoiding ACH Risk
• Nature of ACH Transactions and Commiserate Risk
• Additional Risk factors
• Auditing Guidelines

3
How The ACH Network Began

• Early 1970s - SCOPE (Special Committee on
  Paperless Entries)
• 1st ACH Association began in California in 1972
• NACHA was formed in 1974 to coordinate the ACH
  movement nationwide
• FRB became the ACH Operator, providing
  facilities, equipment and staff to handle the ACH
  transactions
• One private sector ACH Operator Electronic
  Payments Network (EPN)

4
ACH Trends
ACH Risk
18,000 FIs using ACH
145 million consumers
2005 volume up to 13.9 billion transactions
Commercial use of ACH Network up by 16 in 2005
(2 billion more than 2005)
Over 4.5 million Corporations
5

NACHAs Mission is to promote the development of
electronic solutions that improve the payments
system for the benefit of its members and their
customers.
6
ACH System Participants
Authorization
Receiver
Originator
ACH Operator
ODFI
RDFI
7
Risk Background

• 31 trillion in commercial transactions was
  processed by the ACH Network in 2005.
• This future growth coupled with the increase in
  the total value of ACH payments provides
  incentive for DFIs to increase their awareness of
  ACH Risk.
• Concern about payment system risk among various
  banking groups and regulators is increasing.

8
Risk Background

• Operational and fraud risks related to cash
  management services are widely understood.
• Credit risk, however, is becoming more prevalent.
• To date, ACH related losses have been minimal.
• Continued risk management for ACH transactions
  will ensure that the losses remain low.

9
Types of ACH Risk

• Credit Risk
• Operational Risk
• Fraud Risk

10
Credit Risk ODFI Exposure Credit Origination
DAY 3
DAY 1
DAY 2
Originator Deposits 3mm Direct Deposit Payroll
file with the ODFI.
The ODFI deposits the file to the ACH Operator by
Noon.
RDFI makes funds available at opening of business
Receivers withdrawal funds from accounts.
At 130pm, the Originator files for Chapter 11
protection.
ODFI experiences a potential 3mm loss.
ODFIs Exposure
11
Credit Risk ODFI ExposureDebit Origination
DAY 1 DAY 2 DAY 3 DAY 4
ACH debit file is sent from Company A to Bank
A Bank A processes the file and delivers
the transactions to the ACH Operator
Bank A credits Company As account for the total
amount of the ACH debit file ACH debit
is received by Bank B
Bank B returns ACH debit
Bank A receives ACH debit return Bank
A charges back the ACH debit return to Company A
ODFI EXPOSURE
12
Credit Risk Case Study
Chapter 1

• Untimely Returns
• On Sept. 27, an RDFI returned four ACH corporate
  (CCD) debits totaling 56,524.00. The original
  settlement date for all of these debits ranged
  form Sept. 14-19. The RDFI held on to the debits
  because the Receivers account was overdrawn and
  the RDFI wanted to see if the Receiver would fund
  the account. On Sept. 25, the originating
  company in this case filed for bankruptcy. The
  ODFI, faced with a potential 56,524.00 loss,
  filed suit against the RDFI, citing the fact that
  the returns were untimely.
• 1.) Which party is liable? Why?
• 2.) Name some preventive measures the RDFI (
  ODFI) could have taken.
• 3.) Would your financial institution have
  sustained a loss in this case?

49
13
Operating Risk

• Operational risk is defined as the risk that the
  exchange of ACH transactions will not be
  completed accurately or on time because of an
  operational failure at some point in the exchange
  process.

14
Operating Risk

• Examples of Operating Failure
• Failure or unavailability of computer hardware
  and/or software
• Failure of telecommunications equipment of
  circuits.
• Power failure
• Human error
• Staffing problems
• Disasters (explosions, fire, flood, or earthquake)

15
Operating Risk Case Study
RDFI Risk Unsubstantiated Unauthorized
Debit For several years, an insurance company
originated 45 debits to a consumers (Receiver)
account for premiums on a 250,000 life insurance
policy. One day, a telephone request to return
that months debit as unauthorized was received
at the RDFI from an individual claiming to be the
consumer. Based on this telephone request, the
debit entry for that month and the following
month were returned. After receiving two returned
debits for R10 (Consumer Advises Not Authorized),
the insurance company canceled the consumers
life insurance policy. Subsequently, the
consumer died and the insurance company refused
to pay the life insurance claim from the
beneficiary since the policy had been canceled
due to the returned debits received form the
RDFI. The insurance company subsequently learned
that the RDFI had failed to obtain an affidavit
from the Receiver. Restitution was sought by the
beneficiary which resulted in legal action
against the insurance company and the RDFI. 1.)
What party (or parties) are liable? Why? 2.)
What preventive measures and Rules compliance
should have taken place? 3.) Would your financial
institution have sustained a loss in this case?
65
16
Fraud Risk

• Fraud risk is the risk that ACH data will be
  compromised through the introduction of false
  transactions, the alteration of valid
  transactions, or the alteration of static data
  that controls the routing or settlement of valid
  ACH transactions.

17
Fraud Risk Case Study
ODFI Risk Employee Fraud A programmer at an ODFI
scans a file before forwarding its to the ACH
Operator, and locates a large (1 million) credit
transaction destined for an RDFI, where the
programmer has a checking account under a false
name. The programmer alters the file by placing
his account number in the 1 million
transaction. The next morning, the programmer
drives to his bank and wires 1 million to his
account in Zurich. Later that morning, the
intended Receiver realizes that the expected
transaction was not posted. The Originator
requests reimbursement for 1 million form the
ODFI for the payment that was misappropriated by
the programmer. 1.) Who is liable in this case
and why? 2.) What types of preventive measures
should have been taken by the ODFI and RDFI? 3.)
Would your financial institution have sustained a
loss in this case?
79
18
Nature of ACH Transactions

• Consumer Transactions
• 60 day right of recredit
• Require an authorization
• Written
• Similarly authenticated
• Notice Authorization
• Oral authorization
• Include certain Standard Entry Class Codes
• PBR, PPD and CIE
• The eCheck applications

19
Nature of ACH Transactions

• Corporate Transactions
• 24 hour right of recredit
• Require an agreement that binds both parties to
  the NACHA Operating Rules
• Includes certain Standard Entry Class Codes
• Corporate Cross-Border Entries (CBR)
• Corporate Cash Concentration and Disbursement
  Entries (CCD)
• Corporate Trade Exchange Entries (CTX)

20
Additional Risk Factors

• Primary ACH Risk Most common factors affecting
  the successful processing of an ACH transaction.
• Transaction Level Risk Lapses in security that
  affect the overall integrity of a transaction.
  Occurs many times in spite of an Originators
  best efforts.
• Originator Level Risk Actions within the
  purview of the Originators responsibilities that
  lead to an ACH transaction being compromised.

21
Additional Risk Factors

• Primary Risk
• Unauthorized transactions
• Returns/60 Day Right of Recredit
• Account Numbers
• ACH Returns due to Invalid Account Numbers
• Fraudulently-used Valid Account Numbers
• Closed Accounts
• Non-Sufficient Funds

22
Additional Risk Factors

• Transaction-Level Risk
• Transport Vulnerabilities Interception of
  financial data, usernames or passwords
  transmitted in an insecure environment.
• Log-In, Username and Password Cracking
  Systematic generation and testing of username and
  passwords designated to fraudulently authorize a
  financial transaction.
• One-Time Theft Identity Theft.

23
Additional Risk Factors

• Originator-Level Risk
• Employee-Initiated Fraud
• Employees at Online Originators
• Employees at Real World Originators
• Spoofing ( Phishing)
• Website spoofing
• Email solicitations
• Originator Non-Delivery

24
ACH Annual Self-Audit

• Rule Compliance Audit Requirements
• General audit requirements
• Annual audit by December 1
• Under the direction of audit committee, audit
  manager, senior level officer, or external
  examiner
• Retained for 6 years and provided to NACHA upon
  request
• Audit requirements for Participating DFIs
• Includes all DFIs (RDFIs ODFIs) their
  third-party service providers
• Audit requirements for ODFIs
• Includes ODFIs and their third-party service
  providers

25
Resources

• www.epaynetwork.com
• www.nacha.org
• www.fdic.gov/consumers/consumer/guard/index.html
• www.usps.com/postinspectors/dvdorder.htm
• www.usps.com/missingmoneyorders/security.htm
• 2006 ACH Rules Book
• ACH Risk Management Handbook 3rd Edition
• The ACH Compliance Manual How to Comply with
  ACH-Related Rules Regulations 4th Edition
• Risk Management for the New Generation of ACH
  Payments
• Internet, Electronic Check and Telephone
• Risk Management for Consumer Internet Payments
• ACH, Credit Cards, Debit Cards and P2P
• Understanding Internet-Initiated ACH Debits
• Third Party Senders, The ACH Network An
  Implementation Guide

26

• Tim Mills, Director of Association Services
• Electronic Payments Network/ The Payments
  University
• 230 S. LaSalle, Suite 700
• Chicago, Illinois 60604
• tim.mills_at_epaynetwork.com
• 312-913-2597

27
Questions/Comments