ACH Audit Guide Step-by-Step Guidance and Interactive Form For Internal ACH Audits Audit Year 2018

Similar documents
ACH Audit Guide for Third-Party Senders Step-by-Step Guidance and Interactive Form For Internal ACH Audits Audit Year 2017

ACH Audit Guide Step-by-Step Guidance and Interactive Form For Internal ACH Audits Audit Year 2016

Publications. ACH Audit Requirements. A new approach to payments advising SM. Sound Practices Checklists

ACH Rules Compliance Audit Requirements Request for Comment

NOTICE OF AMENDMENT TO THE 2014 NACHA OPERATING RULES SUPPLEMENT #1-2014

Direct Access Registration

ACH Message Entries: Automating Exception Processing via ACH. Request for Comment Proposed Modifications to the Rules March 12, 2018

2018 ACH RULE CHANGES AND UPDATES. Jessica Lelii & Jill Lamb, AAP EFT Specialist, MY CU Services, LLC. Disclaimer

ACH Rules Update for Originating Companies

Identifying, Registering, and Auditing your Third Party Senders. Presented by Michele Barlow, AAP NCP Vice President

ACH Rules Update for Originating Companies

2017 National ACH Association Rules

June 30, Phyllis Schneider, AAP, Director, Network Rules ᅳ Rules Development & Technical Support

FedEDI REPORTING GUIDE

3. Which SEC Code requires seven mandatory Addenda Records a. BOC b. ARC c. IAT d. ENR

FedEDI REPORTING GUIDE

NACHA S Risk Management Portal Instruction Manual for Financial Institutions

NOC S (NOTIFICATION OF CHANGES) FOR ORIGINATORS

Jordan Morell, AAP, NCP Tim Thorson, AAP, CTP

FedPayments Reporter Service Overview

Internet Banking Cash Management Training Customer Documentation

Timber Products Inspection, Inc.

Mobile ACH Payments Request for Comment

Needham Bank Business Online Banking

Red Flags/Identity Theft Prevention Policy: Purpose

Table of Contents. PCI Information Security Policy

2017 NACHA Third-Party Sender Initiatives

Employee Security Awareness Training Program

Client Resource Guide. NACHA File Format FORMATTING GUIDE 8/31/17

By accessing your Congressional Federal Credit Union account(s) electronically with the use of Online Banking through a personal computer or any other

ACH: Now and Next. Andrée E. Ortega, AAP, CTP VP, ACH Product Manager, Wells Fargo. April 19 & 20, 2018

GDPR Processor Security Controls. GDPR Toolkit Version 1 Datagator Ltd

KNOWLEDGE BURST - NACHA

Privacy Statement. Your privacy and trust are important to us and this Privacy Statement ( Statement ) provides important information

FedACH Risk Origination Monitoring Service

Version 1/2018. GDPR Processor Security Controls

2016 SC REGIONAL HOUSING AUTHORITY NO. 3 S EIV SECURITY POLICY

Schedule Identity Services

ONLINE TREASURY MANAGER ACH USER MANUAL

JHA Payment Solutions. MASTER Site Funds Verification jxchange. Client Training Guide. ipay Solutions December 2016

Seattle University Identity Theft Prevention Program. Purpose. Definitions

CLIENT RESOURCE - Member FDIC - 1/7/2018

You are signing up to use the Middlesex Savings Bank Person to Person Service powered by Acculynk that allows you to send funds to another person.

RECORDS AND INFORMATION MANAGEMENT AND RETENTION

Australian Standard. Records Management. Part 1: General AS ISO ISO

Consideration of Issues and Directives Federal Energy Regulatory Commission Order No. 791 June 2, 2014

ISO INTERNATIONAL STANDARD. Information and documentation Records management Part 1: General

CPD ACTIVITY GUIDELINES AND REQUIREMENTS

ACH INFORMATION PACKAGE Updated 8/2017

26 February Office of the Secretary Public Company Accounting Oversight Board 1666 K Street, NW Washington, DC

Document Cloud (including Adobe Sign) Additional Terms of Use. Last updated June 5, Replaces all prior versions.

OVERVIEW TIMING AND DEADLINES PERMISSIONS, LIMITS, AND APPROVALS PROCEDURES REPORTS STOP PAYMENTS PROCEDURES...

huntington Business security suite user guide

SYSTEM LOGIN/PASSWORD SUPPORT

This product is the proprietary material of CheckCare Enterprises, LLC. And is not to be distributed or copyrighted without written permission from

EHR SECURITY POLICIES & SECURITY SITE ASSESSMENT OVERVIEW WEBINAR. For Viewer Sites

Hong Kong Access Federation (HKAF) Identity Management Practice Statement (IMPS)

Privacy Breach Policy

It applies to personal information for individuals that are external to us such as donors, clients and suppliers (you, your).

General Data Protection Regulation

IDENTITY THEFT PREVENTION Policy Statement

Sparta Systems TrackWise Digital Solution

Telecommunications Equipment Certification Scheme FEBRUARY 2017

BUSINESS ACH. ibanking

Mile Privacy Policy. Ticket payment platform with Blockchain. Airline mileage system utilizing Ethereum platform. Mileico.com

Section 3.9 PCI DSS Information Security Policy Issued: November 2017 Replaces: June 2016

CERTIFICATION CONDITIONS

Gramm Leach Bliley Act 15 U.S.C GLBA/HIPAA Information Security Program Committee GLBA, Safeguards Rule Training, Rev.

CONNECT TRANSIT CARD Pilot Program - Privacy Policy Effective Date: April 18, 2014

MNsure Privacy Program Strategic Plan FY

HORIZON ACH, EFT and integrated Card Management

Criteria for Temporary License as Merit Assessor

RISK ASSESSMENTS AND INTERNAL CONTROL CIS CHARACTERISTICS AND CONSIDERATIONS CONTENTS

NEW YORK CYBERSECURITY REGULATION COMPLIANCE GUIDE

LVTS RULE 11 CHANGE MANAGEMENT, TESTING AND CERTIFICATION 2018 CANADIAN PAYMENTS ASSOCIATION

PINACLE. ACH Bulk Load Tip Card USING ACH BULK LOAD STEP 1 - CREATING A NACHA FILE TREASURY MANAGEMENT

Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud

Prevention of Identity Theft in Student Financial Transactions AP 5800

Lusitania Savings Bank Retail Internet Banking Terms and Conditions

Standard CIP 005 2a Cyber Security Electronic Security Perimeter(s)

LCU Privacy Breach Response Plan

POLICY TITLE: Record Retention and Destruction POLICY NO: 277 PAGE 1 of 6

This procedure sets out the usage of mobile CCTV units within Arhag.

Farmingdale State College Records Management Training PRESENTED BY DOROTHY HUGHES INTERNAL CONTROL OFFICER AND RECORDS MANAGEMENT OFFICER

As an IIA certified professional, the member is responsible for ensuring that the CPD information reported is accurate.

Part 11 Compliance SOP

Policy 24 Identity Theft Prevention Program IDENTITY THEFT PREVENTION PROGRAM OF WEBB CREEK UTILITY DISTRICT

Freedom of Information and Protection of Privacy (FOIPOP)

Privacy Policy. Overview:

Sparta Systems Stratas Solution

SECURITY & PRIVACY DOCUMENTATION

Checklist: Credit Union Information Security and Privacy Policies

GENERAL PRIVACY POLICY

Battery Program Management Document

Guidelines. on the security measures for operational and security risks of payment services under Directive (EU) 2015/2366 (PSD2) EBA/GL/2017/17

David Jenkins (QSA CISA) Director of PCI and Payment Services

Policy. Sensitive Information. Credit Card, Social Security, Employee, and Customer Data Version 3.4

Best Practices Guide to Electronic Banking

Electronic Signature Policy

Chapter 1. Purpose, definitions and application

Transcription:

Publications ACH Audit Guide Step-by-Step Guidance and Interactive Form For Internal ACH Audits Audit Year 2018 Price: $399 Member Price: $199 (Publication #500-18) A new approach to payments advising SM

ACH Audit Guide Step-by-Step Guidance and Interactive Form For Internal ACH Audits For NACHA Operating Rules Compliance Reflecting Latest Rules Changes Required for 2018 Audits Price: $399 Member Price: $199 (500-18) Revised: 2/2018

Introduction Contents ACH Audit Workbook Overview 3 Getting Started 5 Document Preparation 6 General Audit Requirements 11 Audit Requirements for All Participating DFIs 13 Record Retention... 13 Electronic Records... 16 Previous Year Audit... 18 Encryption... 20 National Association Fees... 23 Risk Assessment... 25 Security of Protected Information... 27 Audit Requirements for RDFIs 29 Prenotifications (i.e., Prenotes)... 29 Notifications of Change (NOCs)... 31 ACH Entries Accepted... 33 Funds Availability... 35 Statement Information... 38 Return Entries (for all Entries except RCK)... 41 RCK Return Entries... 44 Return Credit Entries... 46 Stop Payment on Consumer Entries... 48 Written Statements of Unauthorized Debits... 51 UCC Article 4A Notice... 54 CCD, CIE, CTX, IAT Payment Information... 57 Federal Government Payments... 60 2018 All rights reserved WesPay Advisors. Redistribution or use with external clients is not permitted. Page 1

Introduction Audit Requirements for ODFIs 62 Originator Agreements... 62 Sending Point Agreements... 65 Exposure Limits... 67 Return Entries and Extended Return Entries... 70 Notification of Change... 73 Request for Authorization... 76 Permissible Return Entries... 78 UCC Article 4A... 80 Verification of Originator or Third-Party Sender Identity... 82 Reversing Entries and Reversing Files... 85 BOC (Back Office Conversion) Entries... 87 Return Rate Information... 89 Direct Access... 91 Third Party Sender Registration... 93 Keeping Originators and Third-Party Senders Informed... 95 Appendix 98 Appendix A: Summary of Possible RDFI Notices to Receivers... 98 Appendix B: Summary of Possible ODFI Notices... 99 Appendix C: Sample Stop Payment Form... 100 Appendix D: Sample WSUD Debt Form... 101 Appendix E: Reg E Statement Requirements... 102 Appendix F: EFTA Error Resolution Flow Chart... 104 Appendix G: ACH Return Codes... 105 Appendix H: Common SEC Codes... 111 Appendix I: NOC Codes... 112 Appendix J: WesPay Advisors ACH Services... 113 ACH Audit Management Report 1 2018 All rights reserved WesPay Advisors. Redistribution or use with external clients is not permitted. Page 2

Introduction ACH Audit Workbook Overview WesPay has produced this workbook to assist financial institutions in complying with annual audits required by the NACHA Operating Rules: How do I use this document? The NACHA Operating Rules audit provisions do not define procedures to complete the audit. This interactive workbook is designed to help you or your auditor walk through key compliance areas within the NACHA Operating Rules. This guidebook is designed to be a working document, which when completed may be filed with other internal audit documentation and used for updates when individual non-compliance issues are resolved. In addition, this interactive workbook automatically generates a management report providing a summary of the findings of your audit that can be submitted to management for review. This workbook may be used for completion of any ACH Audit. Components: Introduction and General Guidelines: This section provides a simple outline of best practices for conducting your ACH Audit in-house. This is also a good guide to prepare materials if you have an independent auditor or your audit department conduct your annual ACH Audit. Throughout the document the following icons may be used to indicate types of content: Editorial Notes Issues that require special attention or consideration Check lists of items you may want to verify to complete the audit 2018 All rights reserved WesPay Advisors. Redistribution or use with external clients is not permitted. Page 3

Introduction Audit Workbook: For each area of rules compliance to be verified, we provide the following tools for you to conduct your audit, each identified with a unique icon: 1. Summary of Rules requirement. New in 2018 2. Indication if rule has or will change. 3. Audit Finding This is a pull-down menu that provides the range of findings you can record for each point. This item will be included in the Management Report. 4. Test Procedures In this field, input the procedure you used to test this audit point. For instance, dates covered, documents reviewed, policies reviewed, etc. 5. Action Items & Comments In this field, input the items that need follow-up or general concerns raised by the audit test. This item will be included in the Management Report. 6. Discussion on Rules compliance point. (Note: the concepts discussed are thoughts developed by WesPay regarding particular approaches to auditing for specific functions, but are not audit requirements.) 7. Recommendations for test procedure and documentation. 8. Sound Practices. Management Report: This interactive document automatically creates a management report based on the Findings and Action Items you have entered in the body of the workbook. This report can be used for management review or as documentation for regulators to verify completion of the audit. NOTE: If you exceed the allowable space on one of the audit reports to document the Exceptions, Actions or Concerns, you can use the Additional Comments section at the end of the management report to add additional copy. 2018 All rights reserved WesPay Advisors. Redistribution or use with external clients is not permitted. Page 4

Introduction Getting Started This workbook is an interactive document. We will walk you through each step of the audit process and you can enter the essential data as you go along. First, input the basic information about your institution and management. Separation of Duties It is very important that the person conducting the audit is not the same person who is responsible for your ACH activities. If you have a small staff, we recommend that you split the audit points for the most independent review possible. Audit Time Frame The time frame over which you conduct the audit is up to you and/or your auditor. You may wish to limit the audit time period to the most recent three months. In most cases you should be able to pull a sample that is statistically representative. This will allow you to concentrate on using ACH reports and statements from the period chosen. Within that three-month period, select one month as the focal period and one week within that month as the focal week. Adjust accordingly if you wish to choose a different time frame. In some cases you may need to look at entries to test beyond the month(s) chosen, especially if a particular class of entries is uncommon and entries are not available in the testing period to provide a reasonable assurance of proper controls and compliance. Input your ACH Audit time frames here: Target three month period: Focal month: Focal week: 2018 All rights reserved WesPay Advisors. Redistribution or use with external clients is not permitted. Page 5

General Audit Requirements General Audit Requirements 1. All Participating Depository Financial Institutions (DFIs) warrant that any Third-Party Service Providers or Third-Party Senders that perform ACH processing functions on their behalf have completed an annual ACH rules compliance audit. DFIs should validate any agreements with Third-Parties include a Rules compliance audit provision. 2. The Rules require Third-Party Service Providers that perform any functions of a Depository Financial Institution under NACHA Operating Rules to meet the audit requirements that are applicable to the ODFI. Additional key areas to include in your audit: Written policies and procedures. OFAC-related procedures and compliance with all associated regulations, from both an ODFI (if applicable) and RDFI perspective. Adequate inclusion of ACH within your Organization s business continuity planning Risk Management policies and procedures, again from both an ODFI (if applicable) and an RDFI perspective. Documented ACH training process and results for relevant personnel. Management control of key processes where account numbers can be compromised, such as posting of exceptions and initiation of NOCs. 2018 All rights reserved WesPay Advisors. Redistribution or use with external clients is not permitted Page 11

General Audit Requirements Institution Name: RTN: Date of Audit: RDFI ODFI Audit Committee: Audit Manager: ACH Manager: Senior Officer: Third-Party Provider(s): Verification of Audit 2018 All rights reserved WesPay Advisors. Redistribution or use with external clients is not permitted Page 12

Audit Requirements for All Participating DFIs Audit Requirements for All Participating DFIs Record Retention Appendix 8 Part 8.2.a of the NACHA Operating Rules and Guidelines Verify that a Record of each Entry is retained for six years from the date the Entry was Transmitted, except as otherwise expressly provided in these Rules. Verify that a printout or reproduction of the information relating to the Entry can be provided, if requested by the Participating DFI s customer or any other Participating DFI or ACH Operator that originated, Transmitted, or received the Entry. (Article One, Subsection 1.4.1 and 1.4.2) 1. NACHA Operating Rules require that financial institutions retain records of entries for six years from the date the entry is transmitted and that a printout or reproduction be able to be provided to the financial institution s customer or any other financial institution or ACH Operator that originated, transmitted or received the entry. DFIs are required to verify that they are retaining and are able to provide records of entries in compliance with the Rules. 2. The Rules do not specify the media in which the Record must be kept. Therefore, both physical and electronic media are compliant including paper storage, microfiche, cloud, optical storage, etc. 3. Although not required by the Rules, WesPay recommends retaining WSUDs and ACH stop payment requests for six years, in conjunction with other ACH records. Audit Test and Documentation Verify that the appropriate records as listed in the Document Preparation section can be accessed in the medium in which they are archived. It is recommended that procedures be developed to ensure all ACH records, paper and electronic, be stored in a secure manner with limited access. Document destruction procedures should include ACH records as well. 2018 All rights reserved WesPay Advisors. Redistribution or use with external clients is not permitted Page 13

Audit Requirements for All Participating DFIs Sound Practices: For records maintained in physical form, ensure that storage location is secure, with limited access and security controls, and in a fire-proof area. If not present, recommend a written policy that all ACH entry records (received files, originated files, returns, NOCs, etc.) will be maintained for a minimum of six years from the settlement date of the entry. Ensure that written policies and procedures address your institution s data destruction policy how and when you will securely destroy ACH entry records, or other documents related to ACH processing. For documents requiring signatures that are stored electronically, the written signature requirements of the NACHA Operating Rules can be met by compliance with the Electronic Signatures in Global and National Commerce Act (E-Sign Act). For electronic records requiring authentication, the authentication method must evidence both the signer s identity and their assent to the terms of the record. Records can also be similarly authenticated using the same authentication methods currently prescribed for consumer debit authorizations i.e., the record may be similarly authenticated via the internet through the use of a digital signature, PIN, password, shared secret, etc. or a hard copy record may be authenticated via the telephone by recording the consumer s speaking or key entering a code identifying the signer. Keep any records related to Regulation E Error Resolution proceedings for a minimum of two years from the conclusion of the error investigation. Keep copies of all ACH authorization agreements for a minimum of two years from the termination of the authorization. Keep originals of ODFI-Originator Service Agreements for a minimum of five years from termination of the service agreement (in lines with guidelines for CIP compliance). Note: ACH participants should be aware that other ACH participants may also utilize electronic methods to obtain and retain records of ACH documents. In such cases, the participants can expect to receive electronic versions, rather than hard copies, of documents that they request from other ACH participants. 2018 All rights reserved WesPay Advisors. Redistribution or use with external clients is not permitted Page 14

Audit Requirements for All Participating DFIs Record Retention Finding: Action Items / Exceptions / Concerns Auditor s Notes / Test Procedure 2018 All rights reserved WesPay Advisors. Redistribution or use with external clients is not permitted Page 15

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback