When I say “risk management,” most people immediately think of preventing fraud and stopping the bad guys. While this is a big part of what we do in risk management, it isn’t the whole picture.
Risk management involves identifying and preventing many types of risks, including fraud risk, operational risk, compliance risk, credit risk, and reputational risk. Operational risk is the risk of loss resulting from inadequate or failed processes or systems that support transaction processing. Transaction processing can be affected or disrupted by technology failures, human error, staffing problems, or natural disasters.
In April, an ACH service provider accidentally reinitiated a file that was over 8 years old. The file included items for many financial institutions as ODFIs, some of which no longer had a relationship with the service provider. While this event impacted many RDFIs and their consumers and businesses, similar smaller-scale events caused by operational error also affect the ACH Network. Documented procedures for file processing should be followed at every organization. In addition to describing the normal processing flow, policies and procedures should include steps for recovering from accidents and communicating with the appropriate parties.
All ACH participants—Originators, ODFIs, RDFIs, Third Parties, and ACH Operators—have a stake in the successful processing and exchange of ACH transactions and should have controls in place that limit operational risks. Nacha’s Risk Management Advisory Group (RMAG), the Nacha Operating Rules, and Office of the Comptroller of the Currency (OCC) Bulletin 2006-39 all remind you to think through the operational risks your organization is exposed to when submitting ACH files to the Operator.
- Identify Operational Risks. The Nacha Rules require financial institutions and Third-Party Senders to conduct Risk Assessments. Risk identification, building controls to mitigate risk, and testing those controls are all done during a Risk Assessment. The assessment should attempt to identify all risks, not focus solely on fraud risks. Reassess risks and controls after testing to ensure the controls are effective and the residual risks are acceptable to your organization.
- Document Policies and Procedures. Build procedures with appropriate controls for reviewing and processing ACH files. Employees should be trained to follow the procedures. Files should be processed under dual control, with more than one individual signing off before files are sent to the Operator. Documented procedures should be updated whenever the processes they describe change.
- Use ACH file controls and standard naming conventions. The file header record identifies the source and destination of the file and when it was created. Standard naming conventions can also be used to identify when the file was intended for processing. Stale-dated files should be identified and flagged. Policies and procedures should address how stale-dated files are handled.
- Follow document and data retention schedules. Financial institutions are required to keep ACH records for six years from the date of receipt or transmission. Records may be kept in hard copy or electronic form. Records are not required to be kept in the format that was used for processing. Financial institutions may have reasons for keeping records longer than is required by the Nacha Rules. Remove outdated records as outlined in your financial institution’s document retention policy.
- Identify mistakes quickly and communicate with affected parties.
  - Identify in advance, by role, the organizations that may need to be notified in the event of an operational error, rather than on an ad hoc basis after an incident occurs. Nacha’s ACH Contact Registry can be used to find contact information for individual financial institutions. For larger-scale events, the Federal Reserve Bank has messaging tools to communicate quickly with a wide audience. The Payments Associations also have established alert processes to share and pass information to their member financial institutions.
  - Reversals and Same Day ACH may be used to correct errors. Communicate with the Receiving Financial Institution that a Reversal is expected so that the reversed items are not also returned. Stale-dated files processed during the Same Day ACH windows are sent as Same Day ACH. Send Reversals and correcting files via Same Day ACH to correct the error and limit the impact to affected Receivers.
  - RDFIs can assist in unwinding errors before customers are impacted once the ODFI has notified them that an error has occurred and that a reversal (or reversals) is expected. Internally developed tools, tools offered by service providers, or ACH Operator tools and reports can be used to identify entries received from specific ODFIs or batches marked as reversals. These tools can be configured to view a summary of activity intraday and identify the impact to specific account holders.
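The file header check recommended under “Use ACH file controls” above, as an added example that is not code from Nacha or the original article: it parses the fixed-position Nacha file header record (record type 1), flags a file whose creation date is older than an assumed two-day threshold, and confirms the immediate origin matches the routing number the institution expects. The sample header, routing numbers, company names and review date are constructed for the example.

```python
from datetime import date, datetime

# Constructed 94-character Nacha file header record (record type "1"); values are made up.
SAMPLE_HEADER = "".join([
    "1",                               # 01     record type code
    "01",                              # 02-03  priority code
    " 091000019",                      # 04-13  immediate destination (space + routing)
    " 123456789",                      # 14-23  immediate origin (space + routing)
    "150406",                          # 24-29  file creation date, YYMMDD
    "0930",                            # 30-33  file creation time, HHMM
    "A",                               # 34     file ID modifier
    "094", "10", "1",                  # 35-40  record size, blocking factor, format code
    "DESTINATION BANK NAME".ljust(23), # 41-63  immediate destination name
    "ORIGINATING COMPANY".ljust(23),   # 64-86  immediate origin name
    " " * 8,                           # 87-94  reference code
])
REVIEW_DATE = date(2023, 4, 15)  # constructed "today" for the demonstration

def parse_file_header(record: str) -> dict:
    """Split a file header record into its fields (positions above are 1-based)."""
    if len(record) != 94 or record[0] != "1":
        raise ValueError("not a 94-character file header record")
    return {
        "destination": record[3:13].strip(),
        "origin": record[13:23].strip(),
        # %y maps 00-68 to 2000-2068, so the two-digit year is unambiguous here.
        "created": datetime.strptime(record[23:33], "%y%m%d%H%M"),
        "file_id_modifier": record[33],
        "destination_name": record[40:63].strip(),
        "origin_name": record[63:86].strip(),
    }

def file_age_days(record: str, today: date) -> int:
    """Days between the creation date in the file header and `today`."""
    return (today - parse_file_header(record)["created"].date()).days

def check_file_header(record: str, today: date, expected_origin: str,
                      max_age_days: int = 2) -> list:
    """Findings that should stop release; an empty list means the header passed.
    The two-day staleness threshold is an assumed organizational setting, not a rule."""
    hdr = parse_file_header(record)
    age = file_age_days(record, today)
    findings = []
    if age > max_age_days:
        findings.append(f"stale-dated: created {hdr['created']:%Y-%m-%d}, {age} days old")
    if hdr["origin"] != expected_origin:
        findings.append(f"unexpected immediate origin {hdr['origin']}")
    return findings
```

Run on the sample header, the check reports the file as roughly eight years stale, which is the case a dual-control reviewer would want surfaced before the file reaches the Operator.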
We are human and will make operational mistakes in the normal course of business, technology will fail, and Mother Nature can thwart the best-made plans. Assessing the operational risks to our organizations and adding controls to prevent those failures from disrupting ACH operations is good risk management that will protect your organization and the consumers and businesses we interact with. Proper controls can bring risk to an acceptable level, but risks cannot be removed entirely. As ACH payment professionals, we need to be ready to identify errors, rectify them, and communicate with the affected parties so that our consumers and businesses are impacted as little as possible.