November 02, 2022

Reminder: Each Third-Party Sender Must Conduct a Risk Assessment by March 31, 2023


Jordan Bennett

Jordan Bennett

Senior Director, ACH Network Risk Management


ACH Network Person background fast energetic

Nacha believes that risk management is central to maintaining a high-quality ACH Network that relies on the trust of each participant. Financial Institutions’ obligations include conducting a risk assessment and implementing a risk management program based on this assessment. This obligation extended to Third-Party Senders when the Third-Party Sender took on the role of the Originating Depository Financial Institution (ODFI), although it wasn’t expressly stated. 

The new Third-Party Sender Roles and Responsibilities Rule became effective Sept. 30, 2022. This rule explicitly states that Third-Party Senders must complete a risk assessment of their activities and implement a risk management program based on that assessment. Third-Party Senders have a six-month grace period ending on March 31, 2023, to conduct a risk assessment and implement a risk management program.

Each Third-Party Sender operates in a different space, with challenges, risks, and controls that are different than the challenges, risks, and controls faced by another Third-Party Sender. Like the ACH Rules Compliance Audit, a specific format for the risk assessment is not prescribed. Risk assessments should be risk based and cover the ACH activities that the Third-Party Sender is involved in. Broadly, the risk assessment should include operational risk, return risk, credit risk, fraud risk, compliance risk, and reputational risk. 

The Third-Party Sender should look to the ODFI Risk Management Requirements and other requirements of Articles One and Two of the Nacha Rules. For example: 

  1. performing customer due diligence; 
  2. setting and enforcing customer exposure limits; 
  3. auditing and testing Originator authorization processes and quality; 
  4. monitoring forward and return transactions volumes, dollars, and rates; 
  5. establishing data security policies, procedures, and systems with access controls, authentication, authorization, and encryption; and  
  6. SEC Code-specific risk management requirements and warranties. 


Third Party Senders should also look to requirements and guidance issued by banking regulators such as the Office of the Comptroller of the Currency (OCC) and the Federal Deposit Insurance Corp. (FDIC) on risk management expectations for ODFIs.

Finally, Third-Party Senders may not rely on the risk assessments or rules compliance audits of another party that is also required to conduct a risk assessment or audit. That means a Third-Party Sender is not covered by the audit or risk assessment conducted by their Financial Institution partner or another Third-Party Sender in their chain of origination. The risk assessment is specific to the needs of the party whose risks are assessed. It does not mean that a Third-Party Sender cannot seek help from an outside party. The Payments Associations, for example, all provide independent ACH Rules Compliance Audit and risk assessment tools and services.