Publications

ACH Audit Guide for Third-Party Senders: Step-by-Step Guidance and Interactive Form for Internal ACH Audits
Audit Year 2017
Price: $250; Member Price: $125 (Publication #505-17)
A new approach to payments advising (SM)

ACH Audit Guide for Third-Party Senders
Step-by-Step Guidance and Interactive Form for Internal ACH Audits
For NACHA Operating Rules Compliance, Reflecting Latest Rules Changes Required for 2017 Audits
Price: $399; Member Price: $199 (505-17)
Revised: 8/2017
Introduction

Contents

ACH Audit Workbook Overview ... 2
Getting Started ... 4
Document Preparation ... 5
General Audit Requirements ... 7
Audit Requirements for All Participating DFIs ... 9
  Record Retention ... 9
  Electronic Records ... 12
  Previous Year Audit ... 14
  Encryption ... 16
  Risk Assessment ... 19
  Security of Protected Information ... 21
Audit Requirements for Origination ... 23
  Originator Agreements ... 23
  Originator Company Name ... 26
  Exposure Limits ... 28
  Return Entries and Extended Return Entries ... 31
  Notification of Change ... 34
  Request for Authorization ... 36
  UCC Article 4A ... 38
  Verification of Originator Identity ... 40
  Reversing Entries and Reversing Files ... 43
  BOC (Back Office Conversion) Entries ... 46
  Return Rate Information ... 48
  Keeping Originators Informed ... 50
Appendix ... 53
  Appendix A: Summary of Possible Origination Notices ... 53
  Appendix B: ACH Return Codes ... 54
  Appendix C: Common SEC Codes ... 60
  Appendix D: NOC Codes ... 61
ACH Audit Management Report (Section II)

2017 All rights reserved WesPay Advisors. Redistribution or use with external clients is not permitted. Page 1
Introduction

ACH Audit Workbook Overview

WesPay has produced this workbook to assist Third-Party Senders in complying with the annual audits required by the NACHA Operating Rules.

What is a Third-Party Sender?

The NACHA Operating Rules define a Third-Party Sender as a type of Third-Party Service Provider that acts as an intermediary in Transmitting Entries between an Originator and an Originating Depository Financial Institution (ODFI), including through Direct Access, and acts on behalf of an Originator or another Third-Party Sender. A Third-Party Sender must have an Origination Agreement with the ODFI of the Entry. A Third-Party Sender is never the Originator for Entries it Transmits on behalf of another Organization. However, a Third-Party Sender of Entries may also be an Originator of other Entries in its own right. If you have questions about whether your organization falls under this definition, please contact WesPay.

How do I use this document?

The NACHA Operating Rules audit provisions do not define procedures to complete the audit. This interactive workbook is designed to help you or your auditor walk through the key compliance areas within the NACHA Operating Rules that are applicable to Third-Party Senders. The guidebook is designed to be a working document which, when completed, may be filed with other internal audit documentation and used for updates as individual non-compliance issues are resolved. In addition, the interactive workbook automatically generates a management report summarizing the findings of your audit, which can be submitted to management for review. This workbook may be used to complete a Third-Party Sender ACH Audit.

Components:

Introduction and General Guidelines: This section provides a simple outline of best practices for conducting an ACH Third-Party Sender Audit.

Throughout the document the following icons may be used to indicate types of content:
- Editorial Notes
- Issues that require special attention or consideration
- Check lists of items you may want to verify to complete the audit
General Audit Requirements

Appendix 8, Part 8.1 of the NACHA Operating Rules and Guidelines:

Each Participating DFI, Third-Party Service Provider and Third-Party Sender must, in accordance with the standard auditing procedures, conduct an internal or external audit of compliance with the provisions of the ACH Rules in accordance with the requirements of this Appendix Eight. These audit provisions do not prescribe a specific methodology to be used for the completion of an audit but identify key rule provisions that should be examined during the audit process.

Editorial Notes:

1. The Rules require Third-Party Service Providers that perform any functions of a Depository Financial Institution under the NACHA Operating Rules to meet the audit requirements that are applicable to the ODFI.

2. The terms Originating Financial Institution (ODFI) and Depository Financial Institution (DFI) as used within this ACH Audit Guide and the ACH Rules referenced herein also mean and apply to Third-Party Senders (TPS). For example, when an ACH Rules reference is made to an ODFI, it shall also mean TPS.

Additional key areas to include in your audit:
- Documented policies and procedures associated with ACH processing.
- OFAC-related procedures and compliance with all associated regulations (if applicable).
- Adequate inclusion of ACH within your Organization's business continuity planning.
- Risk Management policies and procedures.
- Documented ACH training process and results for relevant personnel.
- Documented policies and procedures for protecting confidential information associated with ACH Entries.

General Audit Requirements

Name:
Date of Audit:
Audit Committee:
Audit Manager:
ACH Manager:
Senior Officer:
Audit Requirements for All Participating DFIs

Record Retention

Appendix 8, Part 8.2.a of the NACHA Operating Rules and Guidelines:

Verify that a Record of each Entry is retained for six years from the date the Entry was Transmitted, except as otherwise expressly provided in these Rules. Verify that a printout or reproduction of the information relating to the Entry can be provided, if requested by the Participating DFI's customer or any other Participating DFI or ACH Operator that originated, Transmitted, or received the Entry. (Article One, Subsections 1.4.1 and 1.4.2)

Editorial Notes:

1. The NACHA Operating Rules require that financial institutions retain records of Entries for six years from the date the Entry is transmitted, and that a printout or reproduction can be provided to the financial institution's customer or to any other financial institution or ACH Operator that originated, transmitted or received the Entry. DFIs are required to verify that they are retaining, and are able to provide, records of Entries in compliance with the Rules.

2. The Rules do not specify the media in which the Record must be kept. Therefore, both physical and electronic media are compliant, including paper storage, microfiche, cloud, optical storage, etc.

Audit Test and Documentation

Verify that the appropriate records, as listed in the Document Preparation section, can be accessed in the medium in which they are archived. Procedures should be developed to ensure that all ACH records, paper and electronic, are stored in a secure manner with limited access. Document destruction procedures should include ACH records as well.
Sound Practices:
- For records maintained in physical form, ensure that the storage location is secure, with limited access and security controls, and in a fire-proof area.
- If not present, recommend a written policy that all ACH Entry records (originated files, returns, NOCs, etc.) will be maintained for a minimum of six years from the settlement date of the Entry.
- Ensure that written policies and procedures address your organization's data destruction policy: how and when you will securely destroy ACH Entry records or other documents related to ACH processing.
- For documents requiring signatures that are stored electronically, the written signature requirements of the NACHA Operating Rules can be met by compliance with the Electronic Signatures in Global and National Commerce Act (E-Sign Act).
- For electronic records requiring authentication, the authentication method must evidence both the signer's identity and their assent to the terms of the record. Records can also be authenticated using the same methods currently prescribed for consumer debit authorizations, i.e. the record may be authenticated via the internet through the use of a digital signature, PIN, password, shared secret, etc., or a hard-copy record may be authenticated via the telephone by recording the consumer speaking or key-entering a code that identifies the signer.
- Keep copies of all ACH authorization agreements for a minimum of two years from the termination of the authorization.

Note: ACH participants should be aware that other ACH participants may also utilize electronic methods to obtain and retain records of ACH documents. In such cases, participants can expect to receive electronic versions, rather than hard copies, of documents they request from other ACH participants.
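The two controls above that an auditor most often has to test mechanically are (a) that an electronically authenticated record evidences both who signed and what they agreed to, and (b) that retention deadlines (six years from Transmission for Entry records, two years from termination for authorization agreements) are computed correctly. The following added example is not part of the WesPay guide or the NACHA Rules; it uses a per-signer shared secret (one of the authentication methods the guide lists) with an HMAC over the record, and all names, secrets and record contents are constructed for illustration only.

```python
"""Added example (not from the guide): evidence identity + assent on an
electronic ACH authorization record with a per-signer shared secret, and
compute the retention deadlines the guide states. All sample data is
constructed; the signer ids and secrets are hypothetical."""
import hashlib
import hmac
import json
from datetime import date


def canonical(record: dict) -> bytes:
    # Stable serialization so the same record always MACs to the same value.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def authenticate_record(record: dict, signer_id: str, assent_text: str,
                        shared_secret: bytes) -> dict:
    """Return a copy of the record carrying the signer id and the assent
    statement, plus an HMAC-SHA256 over all of those fields. Only the holder
    of the signer's secret can produce the tag (evidence of identity), and
    the tag covers the assent text and terms (evidence of assent)."""
    authenticated = dict(record, signer_id=signer_id, assent=assent_text)
    tag = hmac.new(shared_secret, canonical(authenticated), hashlib.sha256)
    authenticated["mac"] = tag.hexdigest()
    return authenticated


def verify_record(authenticated: dict, secrets_by_signer: dict) -> bool:
    """True only if the tag verifies under the secret of the named signer;
    any change to the terms, the assent text or the signer id fails."""
    body = {k: v for k, v in authenticated.items() if k != "mac"}
    secret = secrets_by_signer.get(body.get("signer_id"))
    if secret is None:
        return False
    expected = hmac.new(secret, canonical(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, authenticated.get("mac", ""))


def _add_years(d: date, years: int) -> date:
    # 29 February rolls to 28 February when the target year is not a leap year.
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def entry_retention_deadline(transmitted_iso: str) -> str:
    """Six years from the date the Entry was Transmitted (ISO dates in/out)."""
    return _add_years(date.fromisoformat(transmitted_iso), 6).isoformat()


def authorization_retention_deadline(terminated_iso: str) -> str:
    """Two years from termination of the authorization (ISO dates in/out)."""
    return _add_years(date.fromisoformat(terminated_iso), 2).isoformat()


def must_still_retain(deadline_iso: str, today_iso: str) -> bool:
    # The record may be destroyed only after the deadline has passed.
    return date.fromisoformat(today_iso) <= date.fromisoformat(deadline_iso)


# Constructed sample data (hypothetical signer, secret and terms).
SECRETS = {"cust-0001": b"constructed-shared-secret-for-cust-0001"}
AUTHORIZATION_TERMS = {
    "originator": "Example Utility Co",
    "account_last4": "1234",
    "amount": "85.00",
    "frequency": "monthly",
}


def demo() -> tuple:
    """Sign the constructed authorization, verify it, then show that a
    tampered copy (amount changed) and a copy under an unknown signer fail."""
    signed = authenticate_record(
        AUTHORIZATION_TERMS, "cust-0001",
        "I authorize Example Utility Co to debit my account as stated above.",
        SECRETS["cust-0001"])
    genuine_ok = verify_record(signed, SECRETS)
    tampered_ok = verify_record(dict(signed, amount="850.00"), SECRETS)
    unknown_ok = verify_record(dict(signed, signer_id="cust-9999"), SECRETS)
    return genuine_ok, tampered_ok, unknown_ok


if __name__ == "__main__":
    print("genuine/tampered/unknown signer:", demo())
    print("Entry transmitted 2017-03-15 retained until",
          entry_retention_deadline("2017-03-15"))
```

Verifying the tag with the secret looked up by `signer_id`, rather than a secret supplied by the caller, is what ties the assent to a specific signer; a record whose signer id, terms or assent text has been altered after signing no longer verifies, which is the property an auditor wants to see demonstrated for electronically authenticated records.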
Record Retention

Finding:

Action Items / Exceptions / Concerns:

Auditor's Notes / Test Procedure: