Regulatory Guidance
Guidance and Information Involving Payments
Payments-related regulatory guidance helps to ensure the security and efficient exchange of ACH transactions and other electronic payments. Regulatory bodies such as FinCEN, FFIEC, FDIC, OCC and others issue and update guidance regularly, and it is important that financial institutions and other ACH Network participants are aware of and understand the implications new regulations and guidance can have on their operations. While Nacha strives to keep this list up to date, always check with your regulator for the latest guidance.
Joint Statement of the OCC, Treasury, Federal Reserve Board of Governors, and FDIC
FCC
FinCEN
-
FinCEN FAQs Regarding Customer Due Diligence Requirements for Financial Institutions (April 2018)
-
FinCEN Customer Due Diligence Requirements for Financial Institutions (May 2016)
-
FinCEN Issues Guidance to Clarify BSA Expectations on Marijuana Businesses (February 2014)
-
FinCEN Regulations to Persons Administering, Exchanging, or Using Virtual Currencies (March 2013)
-
FinCEN Advisory: Risks Associated with Third-Party Payment Processors (October 2012)
FFIEC
- FFIEC Issues Cybersecurity Resource Guide for Financial Institutions (October 3, 2022)
- FFIEC Issues Guidance on Authentication and Access to Financial Institution Services and Systems (August 11, 2021)
- FFIEC Operations Booklet has been revised and renamed Architecture, Infrastructure, and Operations (June 30, 2021)
- FFIEC BSA/AML Infobase (updated June 21, 2021)
- FFIEC Issues Statement on Risk Management for Cloud Computing Services (April 30, 2020)
- FFIEC Issues Guidance on Pandemic Preparedness (March 6, 2020)
- FFIEC Cybersecurity - Institutions may choose from a variety of standardized tools aligned with industry standards and best practices to assess their cybersecurity preparedness. These include:
- FFIEC Business Continuity Management (revised November 2019)
- FFIEC Issues Examination Procedures on Customer Due Diligence Requirements for Financial Institutions (May 11, 2018)
- FFIEC Joint Statement on Cyber Insurance and Its Potential Role in Risk Management (April 2018)
- FFIEC Information Security Booklet (revised September 2016)
- FFIEC Retail Payment System IT Examination Handbook (revised April 2016)
- FFIEC Joint Statement on Distributed Denial of Service (DDoS) Attacks, Risk Mitigation, and Additional Resources (April 2014)
- FFIEC Issues Guidance on Social Media (December 2013)
- FFIEC Supervision of Technology Service Providers (TSP Booklet) (October 2012)
- FFIEC Supplemental Guidance on Authentication in an Internet Banking Environment (June 2011)
- FAQ’s on FFIEC Guidance on Authentication in an Internet Banking Environment (August 2006)
- FFIEC Guidance on Authentication in an Internet Banking Environment (October 2005)
FDIC
- FDIC Issues Interagency Statement on Sharing Bank Secrecy Act Resources FIL-55-2018 (October 2018)
- FDIC Statement on Providing Bank Services (May 2015)
- FDIC Clarifying Supervisory Approach to Institutions Establishing Account Relationships with Third-Party Payment Processors (July 2014)
- FDIC Cyber-Challenge: A Community Bank Cyber Exercise
- FDIC Issues FDIC Supervisory Approach to Payment Processing Relationships with Merchant Customers That Engage in Higher-Risk Activities (September 2013)
- Interagency Guidance on Third-Party Relationships: Risk Management FIL-23-2023 (June 2023)
FEDERAL RESERVE BOARD
CSBS
OCC
- OCC: Large Bank Supervision: Updated Controller's Handbook and Rescission OCC Bulletin 2022-6 (March 2022)
- OCC Payment Systems Safety and Soundness Handbook (October 2021)
- OCC Electronic Fund Transfer Act: Supplemental OCC Examination Procedures on Remittance Transfer Amendments; Summary of Amendments; and Rescissions (August 2021)
- OCC Issues Operational Risk: Fraud Risk Management Principles OCC Bulletin 2019-37 (July 2019)
- OCC Issues Interagency Statement on Sharing Bank Secrecy Act Resources OCC Bulletin 2018-36 (October 2018)
- OCC Issues Supplemental Examination Procedures for Third Party Relationships: Risk Management Guidance (re: OCC Bulletin 2013-29) (January 2017)
- OCC Issues Statement on Risk Management: Banking Money Services Businesses OCC 2014-58 (November 2014)
- OCC Issues Cybersecurity Assessment General Observations and Statement OCC 2014-53 (November 2014)
- OCC Issues Risk Management Guidance on Consumer Debt Sales OCC 2014-37 (August 2014)
- OCC Issues Risk Management Guidance on Third-Party Relationships OCC 2013-29 (October 2013)
- OCC Issues Guidance on Risk Management Regarding Payment Processors OCC 2008-12 (April 2008)
- OCC Issues Guidance on Managing Risks of ACH Activity OCC 2006-39 (September 2006)
OFAC
- OFAC Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments (October 2020)
- OFAC FAQs for the Financial Sector
CFPB
The list on this page is not meant to be all-inclusive. Check with your regulatory agency for a complete list of updates and/or applicable guidance.