Posted July 30, 2008
This policy addresses the importance of DFIs registering their direct access relationships with NACHA and following prudent risk mitigation techniques, including adherence to best practices, for the duration of these relationships. When an ODFI allows its Originators and Third Parties direct access to the ACH Operators, the ODFI and other Network participants become exposed to a variety of risks arising out of shortcomings, or even fraud, in the Originator’s or Third Party’s policies and processes. Accordingly, it is essential that an ODFI that permits direct access effectively mitigate such risks by appropriately underwriting, managing and monitoring its relationship with its customer, such as by fully utilizing ACH Operator tools that allow tracking of volume and exceptions. Regardless of the level of diligence performed by the ODFI’s direct access customers, the ODFI remains responsible for those customers and for the entities those customers introduce to the Network. NACHA is requiring registration of direct access relationships in order to better gauge the risk profile for direct access relationships in the ACH Network.
This policy is effective July 30, 2008. The Board of Directors expects that institutions will register with NACHA in order to better quantify the number of, and the risk profile for, direct access relationships. Compliance with this policy will not be enforced as a rule until NACHA has adopted a rule amendment regarding registration of direct access relationships. NACHA will work with the ACH Operators to validate that DFIs have registered all direct access relationships.
Direct Access Defined
For purposes of this policy, direct access is a situation in which an Originator or a Third Party (either a DFI’s Third Party Service Provider or an Originator’s Third Party Sender) transmits ACH files [transactions] directly to an ACH Operator using a financial institution’s routing and transit number and settlement account.
Although direct access relationships exist for debit and credit transactions, this policy statement is solely focused on direct access relationships involving ACH debit transactions.
This definition excludes: (1) DFIs that transmit files using another DFI’s routing number or settlement account (correspondent/respondent relationships), and (2) Third Parties that transmit ACH files solely on behalf of the DFI and do not have direct agreements with Originators (and are not themselves Originators).
DFIs that allow Originators or Third Parties to use their routing number for transmission of ACH debits shall register their direct access relationships with NACHA. This registration process will remain ongoing until superseded by a requirement in the Rules. DFIs are required to register current relationships beginning in August 2008 or acknowledge a statement that they do not maintain any direct access relationships. DFIs are also required to register any new relationships as they are established.
Registration includes the submission of the following information:
Updates of information provided during registration are required following a significant change in the DFI’s relationship with the direct access entity. A significant change would include noteworthy events such as new contact information for the Third Party or Originator, or termination of the relationship.
The following information is also requested from the DFI quarterly for their direct access relationships to assist with designing an appropriate rule amendment and determining the risk profile of direct access relationships.
The Board recommends that DFIs incorporate best practices in the following areas for their direct access relationships:
• Board Level Approval
NACHA’s Board of Directors strongly recommends that DFIs have their Board or a Board-level committee approve direct access relationships. This approval process ensures that this type of ACH activity is within the DFI’s risk parameters.
• Know Your Customer - Originators and Third Parties
DFIs should exercise due diligence to determine whether allowing a direct access relationship is appropriate with any given customer. This should include: (1) reviewing financial statements (e.g., three years’ worth) to check for creditworthiness, (2) obtaining and reviewing ratings from a credit service company and the Better Business Bureau, (3) understanding the type of business their customer is engaged in, and (4) knowing the types of ACH transactions that are being originated.
DFIs should approve any new business introduced by Originators or Third Parties with direct access after conducting an appropriate review. For example, DFIs should perform a risk-based review of new Originators supported by a Third Party with direct access to manage risks related to changes in volume and character of transactions.
• Adherence to the Rules
DFIs should ensure their agreements with these Originators and Third Parties address all appropriate rules provisions, including proper authorization and revocation language, and otherwise adhere to the Rules.
• Utilize Operator Risk Monitoring Tools
DFIs, along with the Originators and Third Parties, should subscribe to the risk monitoring services provided by the ACH Operators.
• Monitor Volume and Act Accordingly
DFIs should monitor origination and return volume and act accordingly if they note anything out of the ordinary, including a significant increase in origination volume or dollars as well as an atypical increase in return entries, particularly if they are for unauthorized reasons.
• Follow Regulatory Guidance Regarding Third Party Relationships
Federal banking agencies have recently released guidance on the use of Third Parties in sensitive banking areas. DFIs should remain current on all compliance standards related to the use of Third Parties for ACH origination.
* * * *
Questions about this ACH Operations Bulletin should be submitted via firstname.lastname@example.org.
1 Registration information will be retained confidentially by NACHA and only reported in aggregate form.