November 17, 2021

RMAG’s Considerations for FIs Regarding Their Third-Party Senders’ Compliance with Audit and Risk Assessment Requirements


Jordan Bennett

Jordan Bennett

Senior Director, Network Risk Management


Nacha’s new Third-Party Sender Roles and Responsibilities Rule changes come into effect on September 30, 2022. The overarching purpose of the Rule change is to further clarify the roles and responsibilities of Third-Party Senders (TPSs) in the ACH Network by addressing the practice of Nested TPS Relationships. It makes explicit and clarifies the requirement that a TPS conduct a risk assessment and clarifies that a TPS cannot rely on a Rules Compliance Audit or risk assessment completed by another TPS in a chain. 

Nacha’s Risk Management Advisory Group (RMAG) provides guidance and sound practices to both Financial Institutions (FIs) and other ACH Network participants. RMAG was happy to see the Nacha Operating Rules clarifying Third-Party Sender roles and responsibilities. This group has had significant discussions on the topic and believes these changes strengthen the risk management capabilities of the ACH Network participants. These changes may not be significant for many FIs or TPSs that have always understood the Rules as requiring a TPS to conduct a Rules audit, as well as the risk assessment requirements as an obligation when a TPS assumes some of the responsibilities of an ODFI when processing ACH transactions. For other institutions, this change may be the first time some of their TPSs are required to conduct a risk assessment.  

Risk assessments are conducted regularly by organizations worldwide, large and small, to assess risk and implement compensating controls to bring risks to an acceptable level. ACH risk assessments for TPSs are no different. The ACH risk assessment requires a TPS to think through an organization’s activities, identify the risks posed to the organization, and implement a risk management program that reduces ACH risks to a level accepted by the organization and its partners. Although all risk cannot be removed, an ACH risk assessment helps the TPS organization assess their risk and make operational decisions on acceptable risks. The risk assessment required by the Nacha Rules is different than the risk assessment required by the regulator(s) of each ODFI to assess the risk posed to the ODFI by their TPS customers. 

Audits are also conducted regularly by organizations of all sizes worldwide for the purpose of making sure policies and procedures are followed by the organization and that it remains in compliance with applicable laws, regulations, or rules. Auditors should be independent of the employees that created the policies and procedures or complete the audited tasks as part of their duties. The ACH Rules Compliance Audit should be risk-based and focus on the Rules relevant to the TPS organization. Audits often look at the risk assessment as part of the scope of the audit. 

The requirements for a “proper” ACH Rules Compliance Audit and risk assessment are difficult to prescribe because the niche, size, risk tolerance, and complexity vary significantly from entity to entity. FIs have conducted due diligence on each TPS. They know their TPS customers, which puts them in a position to assist their TPS customers on questions about audit scope, independence, and finding a resolution. Institutions can also assist with questions about risk assessment scope, mitigating controls, and risk appetite. Assistance can come in many forms and vary depending on the institution’s and customer’s size, payments niche, and complexity. Some institutions have experts in-house as available resources. In contrast, others may point their customers to a Payment Association for independent experts or to the Nacha Store for publications that can assist a TPS with their risk management programs.

Institutions are taking different approaches regarding their TPSs compliance with the Nacha Rules regarding audits and risk assessments. Some institutions ask for the complete ACH Rules Compliance Audit yearly and follow up with any findings to make sure the findings are corrected and the TPS is compliant with the Nacha Operating Rules. Other institutions request the audit summary or an attestation from the TPS that the TPS is compliant. Some institutions don’t request the audit but conduct their own testing of their TPS customers’ compliance with the Nacha Rules.

The only option that isn’t acceptable is willful ignorance. The ODFI warrants every transaction and that every ACH Entry complies with the Rules. Each institution must make an individual decision on how to comply with the Nacha Rules. Testing compliance of each TPS customer at an FI does not need to be identical. A risk-based approach is used at some FIs to review a selection of complete audits and to collect attestations on other TPSs. 

Although there is no single approach that works for all FIs and all TPSs, RMAG would like to leave you with these considerations:

If your FI is asking for the complete audit:

  • Is your FI taking time to review the audit and follow up on any findings?
  • Is your FI storing the audit, and for how long?
  • Does the agreement between the FI/TPS allow for the FI to collect and hold the audit? Should it?
  • What are the legal and compliance risk for inaction if your FI is made aware of non-compliance with the Nacha Operating Rules in the TPS audit?

If your FI is asking for the audit summary, an attestation, or conducting independent testing:

  • Are you comfortable that the TPS audit is complete and the scope is sufficient? 
  • Are you comfortable that the TPS complies with the Nacha Rules?
  • Are you comfortable the TPS will remediate any findings?
  • What are the legal and compliance risk to the ODFI for inaction by the TPS customer to correct a finding from the ACH Audit even if the ODFI remains unaware?