Managing Risk Effectively
Use NACHA's Risk Registrations, Services and Tools
NACHA strives to empower financial institutions and businesses to protect themselves from risk.
Each risk registration, service and tool helps to balance the security of the ACH Network with innovation, allowing participants to transact securely and efficiently while still expanding reach and payments capabilities to meet the needs of end users. Through Third-Party Sender Registration, Direct Access Registration, NACHA's Terminated Originator Database, the Emergency Financial Institution Contact Database, data breach reporting, and other risk mitigation initiatives, ACH Network participants can help enhance Network quality and security, fueling innovation and the continued growth of the Network.
Third-Party Sender Registration
Third-Party Sender Registration serves as a means to help improve quality in the ACH Network. Registration promotes consistent customer due diligence among all ODFIs, and serves as a tool to support NACHA’s continuing efforts to maintain ACH Network quality.
The Third-Party Sender Registration Rule requires all ODFIs to either register their Third-Party Sender (TPS) relationships or state that they do not have any. Registration is achieved through the Third-Party Sender Registration Database, which can be accessed through NACHA's Risk Management Portal. Registrations are completed through either an individual TPS upload or bulk TPS upload process. The individual upload process allows for quick registration, editing and deactivating of individual TPS relationships, while the bulk upload (available in XML, Excel, and CSV) allows for registering, editing, deactivating, and maintaining groups of TPS relationships.
NACHA provides templates that ODFIs can use to build their own internal systems to the Database specifications. The templates include a Word document outlining the specific fields for the Third-Party Sender Registration database and a description of those fields, along with a sample XML, Excel, and CSV file with the database fields included.
If you are unsure whether or not your third-party customers are also Third-Party Senders, you can learn more at www.nacha.org/thirdpartysenders, or by contacting your local Regional Payments Association or NACHA. Remember to provide your financial institution’s routing number in all communications, since this helps to identify you and your information in the database.
Direct Access Registration
To mitigate the risks posed by Direct Access, which involves a separation of control and responsibility, it’s critical that each ODFI register its status. Direct Access relationships may expose ODFIs to shortcomings, or even fraud, in the policies or practices of Originators, Third-Party Service Providers and Third-Party Senders. The ACH Network’s focus on risk management has grown as transaction volumes and product complexity have increased; your registration provides valuable information about the breadth and depth of these financial relationships.
Every ODFI is required to register its status with NACHA through the Direct Access Registration Database, which can be accessed through NACHA's Risk Management Portal. Every ODFI must either acknowledge that it has no Direct Access Debit Participants or provide specific information about each Direct Access Debit Participant. If you’re not sure whether your ODFI maintains Direct Access Debit Participant relationships with Third-Parties and/or Originators, see our definitions and example scenarios, or contact NACHA or your local Regional Payments Association with questions. Remember to provide your financial institution’s routing number in all email communication, since this helps us to identify you in our database.
Terminated Originator Database
NACHA’s commitment to ensuring that the ACH Network maintains the highest level of safety and security for its participants includes working with the industry to employ a comprehensive Risk Management Strategy. A key component in that strategy is NACHA's Terminated Originator Database (TOD) service. As ODFIs and Third-Party Service Providers exchange information on terminated Originators or Third-Party Senders, they help to strengthen the Network.
As participants, ODFIs and Third Parties will be able to perform part of their KYC (“Know Your Customer”) due diligence by adding information on, investigating new, and periodically verifying Originators and Third-Party Senders.
Inclusion in the NACHA TOD, after being terminated for cause, doesn’t mean an Originator or Third-Party Sender is prohibited from working with another ODFI. However, it allows educated business decisions about new Originators or Third-Party Senders.
NACHA encourages ODFIs and Third Parties to use the NACHA TOD service, which can be accessed through NACHA's Risk Management Portal, in the following ways:
Emergency Financial Institution Contact Database
Threats and fraud can be perpetrated through cyber attacks, email compromise, account takeover, social engineering, and even vendor impersonation fraud. NACHA provides an Emergency Financial Institution Contact Database, which can be accessed through NACHA's Risk Management Portal, as a vehicle for communication during such events: financial institutions can collaborate and share information as needed to mitigate the impact these events can have on day-to-day operations. This database is designed to include contact information for the financial institution’s key personnel responsible for coordinating threat response activity.
Data Breach Reporting
Breaches of consumer accounts, transactions and other personal information continue to make headline news, attracting the scrutiny of regulators and lawmakers at all levels. Businesses and financial institutions can experience significant damage to their reputations when they’re seen as negligent or deficient in their preparedness for such data breaches.
NACHA’s Interim Policy on ACH Data Breach Requirements provides a clear means for ODFIs to report any theft or misuse of consumer-level ACH data. That reporting, in turn, increases the Network’s security and helps NACHA mitigate future data theft. The Interim Policy requires that:
- ODFIs notify NACHA of a breach of consumer-level ACH data;
- ODFIs notify RDFIs about the ACH data breach incident; and
- the ODFI make the appropriate notifications when they know, or reasonably suspect, that consumer-level ACH data has been lost, stolen or otherwise subject to unauthorized access and may be misused.