September 05, 2023

Fintechs, Third-Parties, and ACH Risk Management


Jordan Bennett

Senior Director, Network Risk Management


Education remote work learning at laptop interaction_2

New companies make new opportunities.

In Silicon Valley, “Move fast and break things” is the motto attributed to startups looking to enter a market quickly, fill a niche, and gain market share before competitors. This could certainly be the motto of some payments fintechs.

Nacha’s Risk Management Advisory Group (RMAG) comprises individuals who have spent their careers managing risk as payment technologies change and adapt. RMAG members support innovation in the payments space and encourage mindful adoption that protects consumers and their financial institutions. We encourage all financial institutions to fully understand the business models of their customers and partners so they can manage risk appropriately.

“Payments fintech” can mean different things to different people and different organizations. Some payments fintechs offer platforms to financial institutions interacting with their own customers; some fintechs operate as quasi-banks, offering banking-like services directly to a consumer or business; and some fintechs offer a mix of the two where the fintech and the financial institution are jointly known to the customer.

Breaking things, though, is not a model accepted by regulators, who enforce regulations and rules for safety and soundness and to protect consumers. Each type of relationship carries different risks, controls, management techniques, and compliance obligations that protect the financial institution and the other participants in the ACH Network. It’s important to remember that for transactions originated into the ACH Network, the Originating Depository Financial Institution (ODFI) is responsible for all entries originated through the ODFI, including those originated by fintech customers.

Onboarding a fintech customer can leave many financial institutions asking, “How do I classify this company and how do I manage this relationship?” Many fintechs think of themselves simply as “a fintech” or use a term related to the specific niche they’re filling, and don’t consider their role in the ACH Network when describing what they do. Luckily, the Nacha Rules define terms for participating parties. In all cases, a fintech providing some aspect of payment processing for a financial institution is a Third-Party Service Provider and, in many cases, the fintech also meets the narrower definition of a Third-Party Sender. Third parties have defined roles and responsibilities in the ACH Network, and these organizations must adhere to the Nacha Rules regardless of how they describe themselves internally, to their customers, or to their financial institutions. Nacha developed the Third-Party Sender Identification Tool to help financial institutions and their ACH customers understand their roles when an intermediary is involved in some aspect of ACH payment processing.

In addition to the Rules, the Federal Financial Institutions Examination Council (FFIEC) agencies issued “Third-Party Relationships: Interagency Guidance on Risk Management” to describe sound risk management principles for financial institutions with any type of third-party relationship. The guidance covers developing and implementing third-party risk management practices for fintech relationships under any third-party model. It states, “Banking organizations’ use of third parties does not remove the need for sound risk management. On the contrary, the use of third parties, especially those using new technologies, may present elevated risks to banking organizations and their customers, including operational, compliance, and strategic risks.”

With the Nacha Rules and the FFIEC regulators emphasizing the importance of risk management for third parties, it is vital that financial institutions know who they’re partnering with and what role their partner plays in the payments ecosystem and in the ACH Network. The following examples are modeled on companies that operate today.

Fintech offering “deposit-like” accounts or banking as a service

People no longer feel a need to visit their bank or credit union, and many younger people have never been inside a physical branch. Some financial institutions are now offering online-only accounts. Fintech companies have also recognized an opportunity to provide financial services directly to consumers and are offering online accounts or other financial products (often referred to as a “neobank”). These accounts include the ability to receive incoming Direct Deposits and payments and the ability to make bill payments or other outgoing ACH transactions using the same account.

In these scenarios the consumer or business may have little awareness that they’re not opening an account with a financial institution. If the consumer has a relationship with the fintech and that fintech has a relationship with a financial institution, this is a classic example of a Third-Party Service Provider, which might also be a Third-Party Sender if it originates outbound ACH payments. If a neobank is operating as a Third-Party Sender (TPS) in the ACH Network, this triggers obligations for both the TPS and its ODFI partner under the Nacha Rules.

Direct Deposit into a stored value account

Some fintechs offer stored value cards or other types of cards to meet customer needs, including those of the unbanked or under-banked. In this scenario the consumer provides the routing and account instructions to their employer to receive their Direct Deposit into an account that is accessed using a stored value card. The fintech sits between the consumer (a Receiver, in this example) and the financial institution receiving ACH files from the ACH Operator (the Receiving Depository Financial Institution, or RDFI). This type of relationship is not formally defined in the Nacha Rules, but is becoming commonly known as a “third-party receiver.” A fintech in this arrangement does not send ACH transactions on behalf of its customers: the funds in the stored value account are accessed through the card networks, and the fintech does not originate outbound ACH payments. While they may not meet the definition of a TPS, these fintechs are still Third-Party Service Providers in the ACH Network and must meet the obligations of that defined party under the Nacha Rules. Furthermore, RDFIs should consider which Nacha Rules and other regulatory requirements need to be addressed with the fintech, analogous to how an ACH Origination Agreement addresses these topics in Third-Party Sender arrangements.

Services for Financial Institutions and their customers

Many smaller financial institutions and some larger institutions offer online accounts to remain competitive in today’s marketplace, but lack the ability to build an online user experience themselves. These financial institutions may partner with a fintech to build the online interface, perform compliance functions, create the Nacha-formatted files, handle customer interactions, or provide any other service the two parties can dream into existence. These relationships can be complex, and determining the nature of the third party can be difficult. It is vital to the financial institution’s risk management and compliance obligations that it understand the functions of the partner and the roles and obligations of both the FI and the third party, whether the third party is a Third-Party Service Provider or a Third-Party Sender.

New Apps

Developers are constantly creating new apps to solve their customers’ problems. Many of the companies behind these apps don’t consider themselves payments processors, because they’re providing a service and think of the payment as secondary to that service. Property management apps focus on finding tenants and maintaining properties for landlords, but also make it easy for landlords to collect rent from their tenants and pay contractors for work on their units. Food delivery apps focus on the restaurants and the delivery of food, but also arrange payments from the hungry consumer to the restaurants. If ACH is used, this is likely a Third-Party Sender arrangement, because payments flow through the app company’s own financial institution to pay one party on behalf of another. The property management app debits the tenant and credits the landlord for monthly rent. The food delivery app debits the consumer and credits the restaurant for the food that is delivered. The app does not own the property or cook the food and isn’t itself owed the funds by the renter or the diner.

Gaming entity offering digital wallets

A Supreme Court ruling in 2018 opened the door for online gaming, and many states have since legalized the practice. A variety of third parties are meeting the payment processing needs of online gaming sites by offering funding of online accounts, digital gaming wallets, and disbursement of winnings. These intermediaries are often Third-Party Senders and operate in a tightly regulated industry. Financial institutions need to understand the industry-specific risks involved and the complications that can arise from cross-channel payments, conversion to or from cryptocurrencies, or cross-border payments that gambling consumers may seek.

Financial Institutions are responsible for their third parties.

As the examples above show, use cases and roles for participants in the American banking system and in the ACH Network are constantly evolving to meet the demands of consumers, businesses, and financial institutions. Regulations and the Nacha Rules are changing to keep pace as new risks emerge. With these new entrants to the market, ODFIs in particular are required to know the nature of their customers’ use of the ACH Network, whether as Originators or Third-Party Senders. ODFIs are also required to know the nature of their customers’ customers, including the activity of a Third-Party Sender’s Originators and the activity of an Originator that is separated from the ODFI by one or more Nested Third-Party Senders.

Proper agreements between the third party and the financial institution set expectations and detail the responsibilities of each party to the agreement. The Nacha Rules and other regulations are written to ensure the financial institution understands who it is doing business with and the types of entries initiated, and to keep the financial institution from offloading its responsibilities onto its third party. The ACH warranties and obligations attach to the financial institution, which remains responsible under the Nacha Rules regardless of its relationship and agreement with its customers. The Rules set out the minimum requirements of each Origination Agreement between the TPS and the financial institution. Appendix C of the Rules and Guidelines expands on issues that should be addressed to create strong agreements.

Third-party risk management expectations are larger than the Nacha Rules.

In addition to the responsibilities conveyed by the Nacha Rules, financial institutions are required by their regulators to understand how their third parties are performing the activities the FFIEC guidance identifies as critical. The FFIEC guidance states, “Importantly, the use of third parties does not diminish or remove banking organizations’ responsibilities to ensure that activities are performed in a safe and sound manner and in compliance with applicable laws and regulations.”

Financial institutions rely on their third parties to interact with Originator customers and must ensure that the third party performs its duties at or above the level required by the financial institution’s own policies and procedures. The third party’s policies and procedures for Know Your Customer (KYC), onboarding, and monitoring of Originators and Receivers should be vetted, and the controls the third party places on Originators and Receivers should be understood by the financial institution. For example:

  • A Third-Party Sender’s restricted and prohibited list should not allow an Originator in a market segment the financial institution would not onboard directly. The business model of the TPS should fit within the risk tolerance of the financial institution.
  • A neobank’s due diligence should be as vigilant as its ODFI’s in detecting and stopping synthetic identity perpetrators and other fraudsters seeking easy access to the banking system. Frictionless onboarding is exciting, but it should not come at the expense of appropriate KYC due diligence or lead to the removal of valid controls used to detect potential fraudsters.

Final Thoughts

Nacha's Risk Management Advisory Group (RMAG) supports third-party innovation with appropriate risk management, agreements and controls. Third parties solve problems and make it easier for companies and individuals to use the ACH Network. Financial institutions can embrace the technologies and tools of their partners, but cannot pass their Rules and regulatory obligations or responsibilities on to these parties.

The ODFI is responsible for all entries originated through that ODFI, whether by an Originator or through a Third-Party Sender. The financial institution must use a commercially reasonable method to verify the identity of the Originator or TPS at the time the ODFI enters into an origination agreement. The ODFI must enter into an agreement with the Originator, TPS, or Sending Point, and must perform due diligence with respect to the Originator or TPS sufficient to form a reasonable belief that the Originator or TPS has the capacity to perform its obligations under the Nacha Rules. When an ODFI carries out its obligations responsibly, the fintechs it banks or works with can enhance the reach and the product offerings of the financial institution in its competitive market, without breaking anything.