Risk Management and Assessment Proposal Rules Compliance Audit Proposal

1
Risk Management and Assessment ProposalRules
Compliance Audit Proposal
January 4, 2008
2
Request for Comment

• Two proposals, issued simultaneously
• Risk Management and Assessment
• Rules Compliance Audit
• Both are components of comprehensive risk
  management strategy for the ACH Network
• Comments due February 19, 2008

3
Risk Management and Assessment

• All DFIs would annually assess risks of their ACH
  activities
• Scaled to nature and complexity of activity
• Additional ODFI risk management practices prior
  to origination
• ODFIs to address certain topics in Originator and
  Third-Party Sender agreements
• ODFIs to conduct additional risk management
  practices prior to originating ACH entries

4
Risk Management

• To be addressed in ODFI agreements with
  Originators and Third-Party Senders
• restrictions on lines of business
• specific Originator or Third-Party Sender
  requirements
• the right of an ODFI to terminate or suspend the
  agreement for breach of Rules
• the right of an ODFI to terminate or suspend an
  Originator of a Third-Party Sender for breach of
  Rules
• the right of an ODFI to audit the Originators
  compliance with the agreement and the Rules
• the Originators or Third-Party Senders
  reporting and record-keeping requirements

5
Risk Management

• ODFI risk management practices prior to
  origination
• Perform financial and operational due diligence
  of Originators and Third-Party Senders
• Identify the line(s) of business of the
  Originator or Originators of the Third-Party
  Sender
• Assess the nature of the Originators or
  Third-Party Senders ACH activity and the risk it
  presents
• Establish an exposure limit for the Originator or
  Third-Party Sender that is related to the nature
  of its ACH activity and related risks
• Establish procedures and controls to monitor and
  enforce limits on the Originators or Third-Party
  Senders origination activity, return activity,
  and exposure across multiple settlement dates
• Implement procedures to periodically review the
  practices outlined above

6
Risk Assessments

• Scaled to complexity of ACH activity
• RDFIs to annually conduct a Level 1 Risk
  Assessment
• ODFIs to annually conduct a Level 2 Risk
  Assessment
• ODFIs that meet certain criteria to annually
  conduct a Level 3 Risk Assessment
• Assessments to be performed by December 1 of each
  year

7
Risk Assessments

• Conditions requiring ODFI Level 3 Risk
  Assessment
• Has an agreement with a Third-Party Sender
• Allows direct access to ACH Operator
• Has Originator with unauthorized return rate
  exceeding one percent
• The value of debit entries originated on any
  business day exceeds a to-be-determined
  percentage or multiple (i.e., 10 percent, 25
  percent, 100 percent, 2 times, etc.) of its
  risk-based capital
• Originators business lines include money
  services, money transmission, or online payments
  processing
• Originators business lines include those
  published by NACHA as having high rates of return
• the ODFI has been subject to a Class 2 or Class 3
  rules enforcement action by NACHA

8
Justification

• Recent attention to ACH risk management and
  quality
• Regulatory guidance OCC 2006-39
• Currently, Rules provisions on risk management
  are limited, such as the establishment of
  exposure limits
• Codifying many industry risk management practices

9
Impact

• All DFIs would be impacted by Risk Assessment
  requirement
• ODFIs would be further impacted by
• more extensive Risk Assessments,
• additional risk management practices, and
• modifications to Originator agreements
• Impact lessened to the extent DFIs already
  perform these activities
• Information related to impact will be gathered in
  ACH Participant Survey

10
Rules Framework and Implementation

• Includes revisions to Articles One and Two
• Modifications to Appendix Eight
• Creates new Appendix Nine Risk Assessments
• Proposed implementation is December 19, 2008 with
  first Risk Assessments completed prior to
  December 1, 2009

11
Rules Compliance Audit

• Clarify existing Rules compliance audit
  obligations
• Provide additional compliance guidance for ODFIs,
  RDFIs and third-party service providers
• Reference several industry best practices related
  to ACH transaction quality

12
Justification

• Improve ACH Network quality through broader
  reviews of Rules compliance

13
Impact

• All DFIs currently required to audit Rules
  compliance
• Some DFIs may expand the scope of their audits
• Information will be gathered in ACH Participant
  Survey

14
Rules Framework and Implementation

• Reorganizes Appendix Eight
• Audit requirements applicable to all
  Participating DFIs and third-party service
  providers.
• Expands the scope of audit coverage for RDFIs
• Expands the scope of audit coverage for ODFIs
• Proposed implementation is December 19, 2008,
  applicable to audits completed prior to December
  1, 2009