April 17, 2024

Considerations for Implementing the New Risk Management Rules 

Nacha Consulting group in office talking meeting

Nacha’s voting membership recently passed a set of amendments to the Nacha Operating Rules intended to reduce the incidence of successful fraud attempts and improve the recovery of funds after frauds have occurred. These Rules amendments fit together as a set and follow the flow of a credit-push payment to promote the detection of fraud both through the origination process (at the Originator, ODFI, and any third parties) and at the point of receipt (at the RDFI). Two of the new Rule amendments require parties to establish and implement risk-based processes and procedures to identify Entries suspected of being unauthorized or authorized under False Pretenses. This includes non-consumer Originators, third parties, ODFIs and RDFIs. 

At first glance, these Rule Amendments may be daunting to financial institutions and other parties looking to meet the effective dates. Nacha’s Risk Management Advisory Group (RMAG) discussed the opportunities and challenges of complying with the new Rules by the required dates. The following reflects a summary of RMAG’s review of these topics. 

Start Thinking About the Amendments Today 

Your organization’s approach to complying with the new Rule amendments can be risk-based. This means your organization should review the risk and take the appropriate steps to mitigate the identified risk. It does not mean that your organization deems the risk of credit-push fraud low and that no controls are needed. Stopping credit-push fraud requires that all organizations help in mitigation efforts to identify and stop this type of fraud.  

Assess Where Your Organization Is Today 

The Rules require financial institutions and third parties to conduct regular risk assessments. The risk assessment should assess the risk posed to the organization from any threat along with the likelihood of the event, the potential for compensating controls, and the residual risk to the organization after compensating controls. The specific threat the new Rule amendments address is the threat that a fraudster will use your organization to commit credit-push payment fraud.  

Reach Out to Experts Inside Your Organization 

In developing controls, we can learn from experts within our own organizations and think about how they’ve approached solutions to similar problems. The good news is that you likely have experts in-house and you’re already complying with laws on the books that have objectives and goals similar to the new Rules. Title 31 part 1020 of the Code of Federal Regulations (CFR) establishes regulatory obligations for financial institutions to implement a customer identification program (CIP) and to monitor for suspicious transactions. The BSA/AML staff at your organization are experts in monitoring suspicious transactions and are using tools to monitor items moving in and out of your organization on multiple payments rails. Talk to them about Nacha’s new monitoring requirements. You can also talk to other silos within your organization to discuss how they manage credit-push risk. This can include experts on other payments rails as well as account opening and credit underwriting experts. These individuals have expertise in identifying fraudsters trying to take advantage of your financial institution. 

Refine Your Solution 

Vendors and solution providers build a variety of transaction monitoring options into their platforms. Your ACH Operations staff is probably already using some tools to monitor for fraud. Organizations could look to see what products, tools and reports are currently used by their staff, and ask their vendors what is available that can be used to meet the new monitoring requirements. As with most processes that occur within a financial institution, look for opportunities to automate. Set up reports and tools in a way that automation can flag outlying transactions for an employee to review. And don’t overlook undocumented—but effective—practices that take place daily to recognize suspicious transactions. Documenting existing processes can offer a good first step toward developing policies and procedures to comply with the new Rules. 

We All Play a Part in Stopping Credit-Push Fraud 

All of us strive to prevent fraud at our organizations. The new ACH Rule amendments codify the work many organizations already perform to identify fraud, reduce successful fraud attempts, and aid victims in recovering funds. Assess how your organization is mitigating the threat of facilitating credit-push fraud, review the tools and reports that are part of today’s processes and procedures, and reach out to vendors and internal experts for advice in adding controls to close remaining gaps found during your risk assessment. You may find that compliance with the new Rules is easier than you think.