February 07, 2025

Should an ODFI Ask a TPS for Proof of a Rules Compliance Audit? Here’s Why RMAG Thinks You Should

Author

Jordan Bennett


Senior Director, Network Risk Management

Nacha


The Nacha Rules require financial institutions and Third-Party Senders (TPSs) to conduct Rules Compliance Audits and risk assessments of their ACH activities. The Rules also state an ODFI is responsible for all Entries originated through the ODFI, whether by an Originator or through a TPS. Third-Party Senders are given significant responsibility by their financial institution partners on the ACH Network. It’s important for a financial institution to know that its TPS partners are managing that responsibility in a way that protects the financial institution and others in the ACH Network.  

One question often asked of the risk management and compliance team by sales and customer-facing staff that manage TPS relationships is, “Do we need to review our customer’s audits and risk assessments if an attestation is enough to prove that they’re being done?” This question was raised by a Payment Association member of Nacha’s Risk Management Advisory Group who wanted to know what their Payment Association peers and the financial institution members of RMAG thought on the subject. RMAG is composed of risk management and compliance experts from Payment Associations and financial institutions, so this is the right group to ask. As it turns out, RMAG members reached similar conclusions on the subject: Ask for the audit and review it.  

One RMAG member noted, “Previously, we only asked for an attestation that the audit and risk assessments were completed. When we started spot-checking, we found that many TPS customers were checking the box and attesting that they had completed an audit and risk assessment, but could not provide proof of either exercise.” Other RMAG members shared similar stories of customers who had been signing an attestation for years and then asked, “What is the ACH Rules Compliance Audit, and why do we need one?” when required to provide documentation.  

The risk management professionals from RMAG emphasized that it’s not enough to trust your customer when performing the due diligence process at onboarding or during the lifespan of the relationship. Customers may detail their services at onboarding, but often expand their business models or tweak their offerings as they gain experience. One member asked, “How do you know if there were findings if you don’t review the audit?” Another member questioned, “How do you know the audit and risk assessment are risk-based, independent, and appropriate for the TPS customer without a document review?” The Rules compliance audit and the risk assessment are two of many documents required to understand your TPS customer’s ongoing ability to manage payments and risks that are ultimately warranted by your financial institution.

The group differed on what “proof of audit” means, and determined that it is a risk-based decision for each financial institution. For lower-risk and lower-volume clients, some financial institutions felt an audit summary along with an attestation of completed audit is sufficient. Those institutions require the full audit report from higher-risk or higher-volume clients. Other financial institutions require the full audit report for all TPS clients.

Yearly Rules compliance audits and periodic risk assessments are requirements of the Nacha Operating Rules. Requesting and reviewing the yearly audit and regular risk assessment provides another opportunity to contact, understand, and build the relationship with the TPS customer. Financial institutions can use the opportunity to educate the customer on any Rule changes, discuss audit findings, and ensure those findings are resolved for the benefit of all parties.  

RMAG members agree a financial institution could invite legal or reputational risks and additional scrutiny from regulators if the financial institution requires TPSs to provide audits, but fails to review audits or take action when findings arise. Indeed, this kind of meaningful review and follow-up should be consistent with regulators' expectations for third-party risk management generally. The profitability of a particular relationship cannot insulate a TPS from the repercussions of an audit finding. Allowing a TPS to continue originating potentially improper entries puts the TPS, its Originators, and the financial institution at significant risk.

RMAG members also agree that the benefits of requiring proof of the Rules compliance audit and risk assessment outweigh the burden and mitigate the risk associated with relying on an attestation only. As with any line of business, the increased cost of risk management for TPSs must be considered against the income stream these types of relationships bring.