ACH Audit Guide for Third-Party Senders Step-by-Step Guidance and Interactive Form For Internal ACH Audits Audit Year 2017


Publications ACH Audit Guide for Third-Party Senders Step-by-Step Guidance and Interactive Form For Internal ACH Audits Audit Year 2017 Price: $250 Member Price: $125 (Publication #505-17) A new approach to payments advising SM

ACH Audit Guide for Third-Party Senders Step-by-Step Guidance and Interactive Form For Internal ACH Audits For NACHA Operating Rules Compliance Reflecting Latest Rules Changes Required for 2017 Audits Price: $399 Member Price: $199 (505-17) Revised: 8/2017

Introduction

Contents
ACH Audit Workbook Overview ... 2
Getting Started ... 4
Document Preparation ... 5
General Audit Requirements ... 7
Audit Requirements for All Participating DFIs ... 9
  Record Retention ... 9
  Electronic Records ... 12
  Previous Year Audit ... 14
  Encryption ... 16
  Risk Assessment ... 19
  Security of Protected Information ... 21
Audit Requirements for Origination ... 23
  Originator Agreements ... 23
  Originator Company Name ... 26
  Exposure Limits ... 28
  Return Entries and Extended Return Entries ... 31
  Notification of Change ... 34
  Request for Authorization ... 36
  UCC Article 4A ... 38
  Verification of Originator Identity ... 40
  Reversing Entries and Reversing Files ... 43
  BOC (Back Office Conversion) Entries ... 46
  Return Rate Information ... 48
  Keeping Originators Informed ... 50
Appendix ... 53
  Appendix A: Summary of Possible Origination Notices ... 53
  Appendix B: ACH Return Codes ... 54
  Appendix C: Common SEC Codes ... 60
  Appendix D: NOC Codes ... 61
ACH Audit Management Report Section II

2017 All rights reserved WesPay Advisors. Redistribution or use with external clients is not permitted. Page 1

Introduction

ACH Audit Workbook Overview
WesPay has produced this workbook to assist Third-Party Senders in complying with the annual audits required by the NACHA Operating Rules.

What is a Third-Party Sender?
The NACHA Operating Rules define a Third-Party Sender as a type of Third-Party Service Provider that acts as an intermediary in Transmitting Entries between an Originator and an Originating Depository Financial Institution (ODFI), including through Direct Access, and acts on behalf of an Originator or another Third-Party Sender. A Third-Party Sender must have an Origination Agreement with the ODFI of the Entry. A Third-Party Sender is never the Originator for Entries it Transmits on behalf of another Organization. However, a Third-Party Sender of Entries may also be an Originator of other Entries in its own right. If you have questions about whether your organization falls under this definition, please contact WesPay.

How do I use this document?
The NACHA Operating Rules audit provisions do not define procedures to complete the audit. This interactive workbook is designed to help you or your auditor walk through the key compliance areas within the NACHA Operating Rules that are applicable to Third-Party Senders. This guidebook is designed to be a working document which, when completed, may be filed with other internal audit documentation and used for updates when individual non-compliance issues are resolved. In addition, this interactive workbook automatically generates a management report providing a summary of the findings of your audit that can be submitted to management for review. This workbook may be used for completion of a Third-Party Sender ACH Audit.

Components:
Introduction and General Guidelines: This section provides a simple outline of best practices for conducting an ACH Third-Party Sender Audit.

Throughout the document the following icons may be used to indicate types of content:
- Editorial Notes
- Issues that require special attention or consideration
- Check lists of items you may want to verify to complete the audit

General Audit Requirements

Appendix 8 Part 8.1 of the NACHA Operating Rules and Guidelines
Each Participating DFI, Third-Party Service Provider and Third-Party Sender must, in accordance with the standard auditing procedures, conduct an internal or external audit of compliance with the provisions of the ACH Rules in accordance with the requirements of this Appendix Eight. These audit provisions do not prescribe a specific methodology to be used for the completion of an audit but identify key rule provisions that should be examined during the audit process.

1. The Rules require Third-Party Service Providers that perform any functions of a Depository Financial Institution under the NACHA Operating Rules to meet the audit requirements that are applicable to the ODFI.

2. The terms Originating Depository Financial Institution (ODFI) or Depository Financial Institution (DFI) stated within this ACH Audit Guide and the referenced ACH Rules herein will also mean and apply to Third-Party Senders (TPS). For example, when an ACH Rules reference is made to an ODFI, it shall also mean TPS.

Additional key areas to include in your audit:
- Documented policies and procedures associated with ACH processing.
- OFAC-related procedures and compliance with all associated regulations (if applicable).
- Adequate inclusion of ACH within your Organization's business continuity planning.
- Risk Management policies and procedures.
- Documented ACH training process and results for relevant personnel.
- Documented policies and procedures for protecting confidential information associated with ACH Entries.

General Audit Requirements

Name:
Date of Audit:
Audit Committee:
Audit Manager:
ACH Manager:
Senior Officer:

Audit Requirements for All Participating DFIs

Record Retention
Appendix 8 Part 8.2.a of the NACHA Operating Rules and Guidelines
Verify that a Record of each Entry is retained for six years from the date the Entry was Transmitted, except as otherwise expressly provided in these Rules. Verify that a printout or reproduction of the information relating to the Entry can be provided, if requested by the Participating DFI's customer or any other Participating DFI or ACH Operator that originated, Transmitted, or received the Entry. (Article One, Subsections 1.4.1 and 1.4.2)

1. The NACHA Operating Rules require that financial institutions retain records of Entries for six years from the date the Entry is transmitted, and that a printout or reproduction can be provided to the financial institution's customer or any other financial institution or ACH Operator that originated, transmitted or received the Entry. DFIs are required to verify that they are retaining, and are able to provide, records of Entries in compliance with the Rules.

2. The Rules do not specify the media in which the Record must be kept. Therefore, both physical and electronic media are compliant, including paper storage, microfiche, cloud, optical storage, etc.

Audit Test and Documentation
Verify that the appropriate records as listed in the Document Preparation section can be accessed in the medium in which they are archived. Procedures should be developed to ensure that all ACH records, paper and electronic, are stored in a secure manner with limited access. Document destruction procedures should include ACH records as well.
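One way to run the retention test above as a sampling check (an added example, not part of the WesPay guide): pull a sample of Entries from the origination log and authorizations from the authorization register, compute each record's retention date (six years from Transmission for Entries, two years from termination for authorizations, as the guide states), and confirm the archive can actually reproduce every record still inside its retention period. The record ids, dates and the archive lookup are constructed for illustration.

```python
from datetime import date

ENTRY_RETENTION_YEARS = 6          # six years from the date the Entry was Transmitted
AUTHORIZATION_RETENTION_YEARS = 2  # two years from termination of the authorization
AUDIT_DATE = date(2017, 8, 1)      # constructed "as of" date for this audit run

def add_years(d, years):
    """Anniversary date; a 29 February anchor falls back to 28 February."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)

def retain_until(kind, anchor_date):
    """Last day the record must still be retrievable."""
    years = ENTRY_RETENTION_YEARS if kind == "entry" else AUTHORIZATION_RETENTION_YEARS
    return add_years(anchor_date, years)

def audit_retention(sample, archive, today):
    """sample: (record_id, kind, anchor_date) tuples drawn from the origination
    log / authorization register. archive: record_id -> True if the archive can
    produce a printout or reproduction, False if it holds the record but cannot.
    Returns (exceptions, past_retention)."""
    exceptions, past_retention = [], []
    for record_id, kind, anchor in sample:
        if retain_until(kind, anchor) < today:
            past_retention.append(record_id)   # eligible for the destruction procedure
            continue
        if record_id not in archive:
            exceptions.append((record_id, "not found in archive"))
        elif not archive[record_id]:
            exceptions.append((record_id, "archived but cannot be reproduced"))
    return exceptions, past_retention

# Constructed sample (hypothetical ids and dates, not from the guide)
SAMPLE = [
    ("E-1001", "entry", date(2012, 2, 29)),          # leap-day Transmission date
    ("E-1002", "entry", date(2011, 2, 28)),          # past six years: destroyable
    ("E-1003", "entry", date(2016, 6, 1)),           # archived but not reproducible
    ("E-1004", "entry", date(2015, 1, 1)),           # missing from the archive
    ("A-0007", "authorization", date(2016, 1, 10)),  # terminated; within two years
]
ARCHIVE = {"E-1001": True, "E-1003": False, "A-0007": True}

if __name__ == "__main__":
    exceptions, gone = audit_retention(SAMPLE, ARCHIVE, AUDIT_DATE)
    print("Exceptions:", exceptions)
    print("Past retention period:", gone)
```

Each exception becomes an entry under "Action Items / Exceptions / Concerns" in the finding form; records in the past-retention list are the ones your destruction procedure should cover.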

Audit Requirements for All Participating DFIs

Sound Practices:
- For records maintained in physical form, ensure that the storage location is secure, with limited access and security controls, and in a fire-proof area.
- If not present, recommend a written policy that all ACH Entry records (originated files, returns, NOCs, etc.) will be maintained for a minimum of six years from the settlement date of the Entry.
- Ensure that written policies and procedures address your organization's data destruction policy: how and when you will securely destroy ACH Entry records, or other documents related to ACH processing.
- For documents requiring signatures that are stored electronically, the written signature requirements of the NACHA Operating Rules can be met by compliance with the Electronic Signatures in Global and National Commerce Act (E-Sign Act). For electronic records requiring authentication, the authentication method must evidence both the signer's identity and their assent to the terms of the record. Records can also be authenticated using the same authentication methods currently prescribed for consumer debit authorizations, i.e. the record may be authenticated via the internet through the use of a digital signature, PIN, password, shared secret, etc., or a hard copy record may be authenticated via the telephone by recording the consumer speaking or key-entering a code identifying the signer.
- Keep copies of all ACH authorization agreements for a minimum of two years from the termination of the authorization.

Note: ACH participants should be aware that other ACH participants may also utilize electronic methods to obtain and retain records of ACH documents. In such cases, the participants can expect to receive electronic versions, rather than hard copies, of documents that they request from other ACH participants.

Audit Requirements for All Participating DFIs

Record Retention Finding:

Action Items / Exceptions / Concerns:

Auditor's Notes / Test Procedure: