written by Chris Griesemer
Effective June 18, 2010, all depository financial institutions (DFIs) will be required by the NACHA Operating Rules to conduct an ACH risk assessment, and to implement risk management programs based on the results of the assessment.
Currently, the NACHA Rules requirements for ACH risk management is limited to establishing, reviewing and monitoring exposure limits for an originator’s ACH activity.
This new requirement adds additional risk management practices that are common in the industry and that will improve risk management in the ACH Network when used by DFIs. However, the NACHA Rules do not address the scope of these new requirements; instead they state that these actions must be “in accordance with the requirements of your regulator”. In general, the ACH risk assessment process should include assessing the types and levels of risks associated with ACH activity, customer due diligence, controls for originators, third-parties and direct-access connections, and systems to manage and mitigate risk.
Much of the actual investigative activity needed for a risk assessment has probably been completed as part of your existing risk assessment and ACH compliance self-audit program. Therefore, you may be able to use existing documentation to comply with this new ACH risk management requirement.
Please contact Tom Beisner or Chris Griesemer with any questions.