ACH Operations #3-2025: Automating the Request for Proof of Audit

Summary
For over a decade, Nacha has been contacting financial institutions to request proof of an ACH Rules compliance audit of the financial institution and, if applicable, its Third-Party Senders, in accordance with Article One, Subsection 1.2.2 (Audits of Rules Compliance). Until now, this has been a manual process, which has limited the number of participants contacted. Beginning in October 2025, automation of this process through Nacha’s Risk Management Portal (riskmanagementportal.nacha.org) will enable Nacha to contact more financial institutions. Automated outreach and response also aligns with Nacha’s recent Operations Bulletin #2-2025, “Encouraging the Use of Secure Electronic Channels for Resolving ACH Exceptions.” Use of the Portal to facilitate the delivery of proof-of-audit requests and attestations will provide greater security for the information being exchanged. By contacting more financial institutions each quarter, and by using a secure channel for requests and responses, the process is becoming more efficient, inclusive, and accountable.
The rule requiring Participating Depository Financial Institutions (DFIs) and Third-Party Senders to perform an annual audit has long served as a critical tool for assuring compliance with the Nacha Operating Rules. Compliance contributes to operational soundness among financial institutions and Third-Party Senders.
Discussion
ACH Rules compliance audits are systematic reviews mandated by the Nacha Operating Rules. An annual ACH Rules compliance audit is not just a Nacha requirement; it is a fundamental practice for safeguarding operations, minimizing risk, and maintaining the reputation of institutions involved in ACH processing. The audit’s purpose is for financial institutions and Third-Party Senders to verify that they are adhering to the Rules and requirements governing ACH transactions. The scope of the audit includes, but is not limited to:
- Review of policies and procedures for processing ACH transactions.
- Evaluation of risk management practices.
- Assessment of compliance with data security protocols.
- Verification of customer due diligence and onboarding procedures.
- Testing of error resolution processes.
- Review of transaction monitoring and reporting mechanisms.
Proof of audit typically includes audit reports, internal review documentation, remediation plans for any identified deficiencies, and confirmation of management oversight. In the new automated environment, the response to a request for proof of audit will consist of registered financial institution administrators attesting to their institution’s or Third-Party Sender’s compliance with the annual ACH audit requirement. Recipients of proof-of-audit requests will have 30 calendar days to complete the new automated request process. The request will direct recipients to the Portal to complete an attestation form. The form requires the institution either to acknowledge that the financial institution or Third-Party Sender has completed an annual audit and provide the date the audit was completed, or to indicate that an annual audit was not completed. No further documentation will be required to fulfill the new automated request and attestation process. Responding to indicate that the obligation to complete an annual ACH compliance audit was not fulfilled by the financial institution or Third-Party Sender could result in a Rules violation, which may result in a fine.
When asked to attest to proof of audit for a Third-Party Sender customer, a financial institution administrator will face a decision: allow the Third-Party Sender to attest to the financial institution that it has completed an annual audit, or ask the Third-Party Sender to provide proof to the financial institution that the audit was completed. The way a financial institution addresses this matter may be determined by its own business policies.
Impacts of Not Performing an Annual ACH Compliance Audit
Annual ACH Rules compliance audits are vital for responsible ACH transaction processing. For financial institutions and Third-Party Senders, these audits are not simply an obligation in the Nacha Rules. They are a cornerstone of risk management, operational excellence, and customer trust. Failure to perform an audit may expose an institution to Nacha enforcement actions, monetary fines, operational vulnerabilities, reputational harm, and lost business opportunities.
Given the significant risks of non-compliance, performing an annual ACH compliance audit is indispensable for financial institutions and Third-Party Senders.