Identifying, Registering, and Auditing your Third Party Senders. Presented by Michele Barlow, AAP NCP Vice President

Transcription

1 Identifying, Registering, and Auditing your Third Party Senders Presented by Michele Barlow, AAP NCP Vice President

2 Audio Handouts Questions

3 Presented by Michele Barlow, AAP/NCP PAR/WACHA-The Premier Payments Resource or

4 Disclaimer WACHA, through its Direct Membership in NACHA, is a specially recognized and licensed provider of ACH education, publications and support. Regional Payments Associations are directly engaged in the NACHA rulemaking process and Accredited ACH Professional (AAP) program. NACHA owns the copyright for the NACHA Operating Rules & Guidelines. The Accredited ACH Professional (AAP) is a service mark of NACHA. This material is derived from collaborative work product developed by NACHA The Electronic Payments Association and its member Regional Payments Associations, and is not intended to provide any warranties or legal advice, and is intended for educational purposes only. This material is not intended to provide any warranties or legal advice, and is intended for educational purposes only. This document could include technical inaccuracies or typographical errors and individual users are responsible for verifying any information contained herein. No part of this material may be used without the prior written permission of WACHA/PAR PAR/WACHA All rights reserved 2017

5 Agenda Level Setting Third Party Sender Overview Identifying Third Party Senders Third Party Sender Registration Rule Auditing your Third Party Senders

6 ACH Participants The originating company or individual (Originator) Originating Depository Financial Institution (ODFI) ACH Operator Federal Reserve Bank Electronic Payments Network The receiving company, employee, organization, trading partner or consumer (Receiver) Receiving Depository Financial Institution (RDFI) Third Party Service Providers (TPSP)

7 RECEIVER ACH Transaction Flow ORIGINATOR ODFI RDFI ACH OPERATOR

8 Who are the Third Parties? Third Party Service Providers Third Party Processor Third Party Sending Points Third Party Receiving Points Third Party Senders

9

10 Definition of a Third Party Sender Effective March 21, 2014, the definition of a Third-Party Sender was amended: A type of Third-Party Service Provider that acts as an intermediary in Transmitting Entries between an Originator and an ODFI, including through Direct Access, and acts on behalf of an Originator or another Third-Party Sender A Third-Party Sender must have an Origination Agreement with the ODFI of the Entry A Third-Party Sender is never the Originator for Entries it Transmits on behalf of another Organization However, a Third-Party Sender of Entries may also be an Originator of other Entries in its own right.

11 Third Party Sender (TPS) Entity that transmits entries to the ODFI on behalf of the originator Originator & ODFI do not have agreement Third Party Sender & ODFI have agreement

12 Third Party Sender ABC Company Grocery ODFI No Agreements Co/ODFI agreemen t Hardware Store Bike Shop Church Payroll Company Dry Cleaner Day Care

13 Why Use a Third Party? Business/Corporate Originators Outsourced business process-part of this being the ACH entry origination Payroll Receivables Third Party Sender Initiates entries on behalf of the Originator and transmits to the TPS s ODFI

14

15 Where Do I Start? Identify the underlying transaction that is taking place Several separate (but related) ACH Entries may be required to complete the underlying payment transaction Which parties have the underlying direct obligations to each other as part of that transaction? An ACH participant can be a Third-Party Sender for one set of Entries and an Originator for another set of Entries, including when multiple Entries are used in different stages of an overall transfer

16 Dig Deeper Understand on whose behalf the Third-Party is acting In some cases, it will be clear on whose behalf the TPSP is acting Payroll processor initiates ACH credits on behalf of an employer to complete payments to employees on behalf of the employer In some cases, it may be necessary to inquire more deeply into the relationships of the intermediary (including its activities in obtaining authorizations from different parties) to confirm its role

17 Analyze the Entry Separately analyze each leg of the ACH transaction to determine the role of the Intermediary Example Employer uses services of a payroll processor An ACH debit initiated by the payroll processor to obtain funding from the Originator (and to pay for services from the payroll processor) ACH credits initiated by the payroll processor to pay the employees on behalf of the employer

18 Scenario-Payroll Processor An Employer needs to move funds from its account at Bank A to the accounts of its Employees at numerous other financial institutions The Employer enters into an agreement with a Payroll Processor to handle the Employer s payroll In order to use the ACH to do so, the Payroll Processor has an Origination Agreement with an ODFI that allows it to process payroll transactions through the ODFI

19 Payroll Processor Scenario In most third-party payroll services, there are two separate types of transactions: 1. A funding transaction, whereby the Payroll Processor obtains the funds from the Employer with which to make payroll payments to Employees; and 2. The actual payroll payments, whereby salary or wage payments are credited to Employees accounts The amount of the funding transaction may not necessarily equal the aggregate value of all the payroll credits The timing of the funding transaction and the payroll payments might also vary, depending on the specific processing arrangements between the parties The transaction flows to follow assume that the funding transaction is done as an ACH debit and the payroll payments are done as a set of ACH credits Each could be accomplished through other means

20 Payroll Processing Scenario Funding Transac<on via an ACH Debit Employer The Employer enters into an agreement with a Payroll Processor, authorizing the Payroll Processor to debit the Employer's account at Bank A via the ACH. Payroll Processor The Payroll Processor has an OriginaDon Agreement with Bank X that allows the Payroll Processor to submit ACH debits through Bank X. The Payroll Processor is the Originator of the ACH debit for the Funding TransacDon. The ACH debit is on the Payroll Processor's own behalf. The ACH debit for this Funding TransacDon would use the CCD SEC Code, because it is an ACH transacdon from the account of one organizadon to the account of another organizadon. The Payroll Processor s name goes in the Company Name field for the batch of ACH debits. Payroll Processors Bank The Payroll Processor sends the ACH debit to Bank X, which is the ODFI of the ACH debit. ACH Operator Bank X submits the Payroll Processor's ACH debit to the ACH Operator. The ACH Operator directs the Payroll Processor's ACH debit to the Employer's bank - Bank A. Employers bank and Employer s Accounts Employer s Bank and Employee s Accounts Bank A is the RDFI of this Funding TransacDon via an ACH debit. The RDFI receives the ACH debit and posts it to the Employer's account. The RDFI displays the name of the Payroll Processor, as the party to which payment was made, on the Employer's account statement. The name comes from the Company Name field of the batch of ACH debits. The Employer is the Receiver of this ACH debit used as a Funding TransacDon.

21 Payroll Processing Scenario Funding Transac<on via an ACH Credit Employer The Employer's agreement with the Payroll Processor directs the Payroll Processor to credit employees for salary and wage payments on specified days. The Employer is the Originator of the ACH credits sent to Employees' accounts. Payroll Processor The Payroll Processor has an agreement with Bank X to originate ACH credits through Bank X. The Payroll Processor is a Third-Party Sender for the ACH credits used for Payroll Payments because it is an intermediary transmipng the ACH credits on behalf of the Employer. The ACH credits used for Payroll Payments would use the PPD SEC Code, because they are from the account of an organizadon to the accounts of consumers. The Employer's name goes in the Company Name field of the batch of ACH credits. Payroll Processors Bank The Payroll Processor sends the ACH credits to Bank X, which is the ODFI. ACH Operator Bank X submits the Payroll Processor's ACH credits to the ACH Operator. The ACH Operator directs the Payroll Processor's ACH credit files to the financial insdtudons where Employees maintain their deposit accounts. Employer s Bank and Employee s Accounts The Employees' financial insdtudons are the RDFIs of the ACH credits. The RDFIs receive the ACH credits and post them to the Employees' accounts. The Employees are the Receivers of the ACH credits for Payroll Payments. The Employees' financial insdtudons display the name of the payor on the Employees' account statements. The name comes from the Company Name field of the batch of ACH credits.

22

23 Why Register Third Party Senders? To promote ODFI s due diligence to understand whether the ODFI has Third Party sender customers For ODFI s that have identified Third Party Sender customers, to promote a minimum level of due diligence with respect to those customers Create a tool to help NACHA in monitoring ACH Network quality and quickly responding to ACH Network risk situations 23

24 Who Must Register? This rule applies to all ODFI s Every ODFI will be required to either: Register it s Third Party Senders State that is has no Third Party Senders Similar to Direct Access Registration NACHA intends to provide Direct Access Registration and Third Party Sender Registration via a single platform 24

25 Initial Registration Information An ODFI that registers a Third Party Sender will provide only the following information about the Third Party Sender Name of the Third Party Sender and it s principal location The Originating DFI Identification number(s) used in transmitting entries for the Third Party Sender Company Identification(s) of the Third Party Sender Initial Registration Timing ODFI must register the Third Party Sender within 30 days of transmitting the first entry The rule does provide a grace period for inadvertent oversights 25

26 Initial Registration-Specifications One administrator per financial institution with up to four additional users Each financial institution registers once for the Risk Management Portal Each RTN doesn t need to be claimed independently Four databases are available from a single registration Third Party Sender Registration Direct Access Debit Participation Registration Terminated Originator Database Emergency Financial Institution Contact Database Every financial institution will need to re-register their direct access participation

27 Updates to Registration Information An ODFI must update registration information within 45 calendar days following any change to the Third Party Sender relationship Includes termination of relationship This time period allows the ODFI to provide regular updates, for example once per month 27

28 Supplemental Registration Information ODFI s will be required to provide additional registration information when requested due to a risk event Financial loss to one or more Participating DFI s, Originators or Receivers Violation of the Rules or other applicable law Excessive levels of returns Additional information includes: The Third Party Sender doing-business-as name, Taxpayer ID, street address & website address The name, title, phone number, and address for a contact at the Third Party Sender The name(s) and title(s) of the principal(s) of the Third Party Sender Approximate number of Originators enrolled by the Third Party Sender Whether the Third Party Sender transmits debit, credits or both 28

29 Information to the ODFI A Third Party Sender must disclose to the ODFI whether they have any nested Third Party Sender relationships A Third Party Sender must provide the ODFI, upon their request, all information required to complete the registration Within 2 banking days of the ODFI s request 29

30 Effective Date This rule goes into effect on September 29, 2017 This is the first day the registry will be available for ODFI s to start submitting registration information A grace period will run through March 1, 2018 Allows initial registrations to be spread out over a reasonable period of time 30

31

32 Rule Compliance-Audit Requirements Appendix Eight of ACH Rules Provides the requirements for an audit of compliance with the ACH Rules Requires annual audits by FIs and Third-party Service Providers Provides minimum specifications

33 Section 8.2.C, 8.4.N ACH Rules Reference Audit Verification Verify that an audit was completed in the previous year Verify that issues raised during the previous audit were corrected Audit reviewed by board of directors?

34 Section 8.2.D ACH Rules Reference 1.7 Entries received over the internet are Commercially reasonable Procedures in place to: Detect a Data Breach Data Security Report a Data Breach applicable parties Personal Information including: Name & Social Security Number Account Number & Routing Number

35 Section 8.2.G ACH Rules Reference 1.6 ACH Data Security Participating DFI and originators/third party senders have established, implemented and updated security policies, procedures and systems

36 Binding Agreements Section 8.4.A ACH Rule Reference , , and Has an agreement been executed with each company and financial institution for whom the financial institution originates binding them to US law and the ACH Rules? Verify compliance with OFAC-enforced sanctions Third Party Senders Direct Senders Document procedures that allow the financial institution to approve every party for whom the processor sends files directly to the ACH Operator

37 ODFI Exposure Limits Section 8.4.C ACH Rule reference Review internal procedures to determine that exposure limits are established for each Originator Exposure limits should be reviewed periodically Entries initiated by Originators are to be monitored relative to the exposure limits across multiple settlement dates The restrictions on types of SEC code of originated entries need to be enforced Procedures for monitoring and what happens if established limits are exceeded

38 Return Items Section 8.4.D ACH Rule reference , , and Appendix Four Verify that the ODFI accepts return items Notify the originator or TPS Re-initiation of R01/R09 Verify that dishonored returns are transmitted with 5 banking days of the settlement date of the return entry What procedures do you have to ensure this is done correctly Are you or your originators correctly Reinitiating entries

39 Re-initiation Effective September 18, 2015 Define and establish standards for reinitiated entries Require reinitiated entries to have same Company Name, Company ID and Amount as original entry Content in other fields can be modified only to the extent necessary to correct an error or facilitate processing of an Entry. Standard use of Company Entry Description RETRY PYMT Identify practices that constitute improper re-initiation Give ACH Rules Enforcement Panel authority to determine whether a practice was improper re-initiation Improper reinitiated Entries can be returned as Unauthorized (R10)

40 Section 8.4.E Notifications of Change ACH Rules Reference , Review internal procedures to ensure that information relating to NOCs and Corrected NOCs is provided to Originator within two banking days of settlement of the NOC or Corrected NOC What method is used to deliver NOC information? What process is in place to ensure that changes are made by the Originators?

41 Request for Authorization Section 8.4.F ACH Rules Reference , , What procedures are in place to request a copy of an authorization from an Originator? If requested by the RDFI, how do you ensure it is presented within the 10 banking days? For CCD, CTX Originators, can you provide the name and contact information within 10 banking days

42 Proof of Authorization for Non- Consumer Debits Effective September 19, 2014 Provides a means for the RDFI to obtain a copy of an authorization or Originator contact information for a CCD or CTX entry Provides the Receiver more concrete evidence for disputing an entry if no authorization can be provided Requires the ODFI (upon receipt of RDFI s written request) to provide the RDFI with either: An accurate record of the Receiver s authorization, or The Originator s contact information Originator s name and phone Originator s name and address ODFI must provide within ten banking days without charge Requires the Originator to provide such information to the ODFI upon the ODFI s request Audit change for ODFI

43 Identity Verification Section 8.4.I ACH Rules Reference ODFI has utilized a commercially reasonable method to verify the identity of each Originator or Third-Party Sender that enters into an Origination Agreement with the ODFI When an ODFI has a relationship with a Third-Party Sender rather than with an Originator directly, also verify that the Third-Party Sender has utilized a commercially reasonable method to establish the identity of each Originator that enters into an Origination Agreement with the Third-Party Sender

44 Reversing File Section 8.4.J ACH Rules Reference 2.8 and 2.9 Verify that reversing entries and files are done in accordance with the requirements of the rules

45 Dishonored/Contested Reversal Issue Effective March 20, 2015 Provides an Originator/ODFI with an additional mechanism to resolve situations in which the use of the reversal process has resulted in an unintended credit to the Receiver Establishes the right of an ODFI to dishonor the Return Entry of either debit by using a new Return Reason Code R62, provided that the associated credit Entry was not also returned by the RDFI

46 Dishonored/Contested Reversal Issue Also establishes the right of an RDFI to contest this type of dishonored Return, using new Return Reason Code R77, if either of the following conditions exists: the RDFI returned both the Erroneous Entry and the related Reversal; or the RDFI is unable to recover the funds from the Receiver

47 ODFI Reporting Requirements Section 8.4.L ACH Rules Reference Verify the ODFI has reported information on each originator or TPS if you have been requested by the national association.5% Unauthorized Return Rate ( ) Are you tracking returns?

48 Unauthorized Return Rate Thresholds Effective Date: September 18, 2015 Reduce the existing Return Rate threshold for unauthorized debits from 1.0% to 0.5% R05, R07, R10, R29 & R51 Establishes a preliminary inquiry process to evaluate and research outlier cases in which an Originator s administrative returns exceed 3% return rate level R02, R03, R04 Establishes a preliminary inquiry process to evaluate and research outlier cases in which an Originator s overall returns exceed 15% return rate level excludes RCK

49 Section 8.4.N Originator Obligations Authorization Requirements Originators are Obtaining Proper Authorization for ALL Entries Authorizations MUST be in writing, signed by the customer, or similarly authenticated 10 day rule for varying amount of debit 7 day rule for varying date of debit Retain for 2 years after last transaction Revocation language Copy of authorization to consumer

50 Prenotifications Originator Obligations Prenotes are initiated three days prior to settlement date of first live entry If returns relating to prenotifications received ensure that related entries are not initiated. Upon receipt of Notifications of Change, requested changes made prior to the initiation of the next entry

51 Originator Obligations Correct Use of Standard Entry Class Code New Credit WEB-P2P entry Correct usage of Company Name Field

52 Originator Obligations POP Obligations Receipt Provided Source Document Stamped VOID Returned to Receiver Required information captured via a reading device Routing number, account number and check number

53 Originator Obligations TEL Obligations Verify for TEL entries the Originator is complying with: Authorization requirements Verification of identity of receiver Verification of routing numbers Single vs Recurring Single: Recording or Notice Recurring: Recording AND Notice

54 Originator Obligations ARC Obligations Notice requirement MICR reading device to capture routing, account and check serial numbers Secure storage of source documents & banking information RCK Obligations Provided the required notice in a clear and conspicuous manner

55 Originator Obligations WEB Obligations Outside originator vs FI doing WEB via internet banking system Authentication vs authorization Fraudulent detection Routing number validation Annual Audit 55

56 Third-Party Sender Effective January 1, 2015 Explicitly apply certain risk management and Originator transaction monitoring requirements to a Third-Party Sender Should be monitoring, assessing and enforcing limitations on their customers origination and return activities in the manner intended by the Rules Require third-parties to provide proof of completion of a Rules compliance audit to its Participating DFI to fulfill request from NACHA

57 Common Findings ACH security requirements Lack of Agreements Not knowing the underlying customers for TPS Incorrect name in the company name field Lack of Tracking Incorrect SEC Codes

58 QUESTIONS 58

59 AAP Continuing Education Credits This session is worth 1.8 credits

60 Resources WACHA- The Premier Payments Resource PAR- Payment Advisory Resource HELP DESK Phone: Toll Free: Fax:

61 Michele Barlow, AAP, NCP Upcoming WACHA events with CBANC Education: Advanced Reg E Series Communication of ACH Rules Same Day ACH Phase II T/Th 8/8 and 8/10 at 1pm CT/2pm ET Thurs 8/17 at 1pm CT/2pm ET Thurs 8/24 at 11am CT/12pm ET