Risk Management and Assessment Rule
Effective June 18, 2010
The Risk Management and Assessment rule requires that all Participating DFIs conduct a risk assessment of their ACH activities and implement risk management programs based on the results of such assessments, in accordance with the requirements of their regulator(s). Generally, regulators stress the importance of assessing the nature of risks associated with ACH activity, performing appropriate know-your-customer due diligence, establishing controls for Originators, third parties and Direct Access relationships and having adequate management, information and reporting systems to monitor and mitigate risk.
The rule, effective June 18, 2010, impacts all Participating DFIs through the requirement to perform a risk assessment. The impact is lessened by the number of DFIs that already conduct a risk assessment.
ODFIs are also impacted by the requirements to conduct additional risk management practices prior to originating ACH entries and cover specific topics in their Originator and Third-Party Sender agreements. The impact depends on the nature and complexity of each ODFI's ACH activity. ODFIs that do not conduct similar risk management practices or those that need to revise their Originator agreements will be the most affected. Requirements to modify Originator and Third-Party Sender agreements apply to those entered into or renewed after June 18, 2010. There is no requirement to modify agreements in place before June 18, 2010.
This rule provision outlines certain rights that ODFIs have related to their Originators and Third-Party Senders including:
- the right to terminate or suspend an Originator, or any Originator of a Third-Party Sender, or the Third-Party Sender for breach of the Rules; and
- the right to audit an Originator's, or Third-Party Sender's and its Originators', compliance with their agreement with the ODFI and the Rules.
ODFIs are required to address their rights to terminate or suspend, audit, and place restrictions on ACH origination activity within any new or renewed agreement with their Originator or Third-Party Sender. There are no new restrictions on origination activity prescribed in this rule provision. Each ODFI is required to address its internally-developed restrictions on origination, if any, within its Originator and Third-Party Sender agreements so as to highlight the importance, and improve the enforcement, of such restrictions.
ODFIs are required to perform a more comprehensive set of risk management practices in addition to the current Rules on exposure limits. These requirements include:
- performing due diligence with respect to Originators and Third-Party Senders sufficient to form a belief that the party has the capacity to perform its obligation in conformance with the Rules;
- assessing the nature of the Originator's or Third-Party Sender's ACH activity and the risks it presents;
- establishing procedures to monitor the Originator's or Third-Party Sender's origination volume and return activity, relative to its exposure limit, across multiple settlement dates and enforce the exposure limit; and
- establishing procedures to enforce restrictions on the types of ACH transactions that may be originated.
Current requirements for ODFI risk management are limited in the NACHA Operating Rules (Rules) to establishing, reviewing, and modifying exposure limits for an Originator's activities. New requirements reflect ACH industry best practices, send a strong message to the industry on the importance of risk management, and ensure that all ODFIs perform know-your-customer due diligence and establish procedures, systems and controls to manage the risks of their Originators' and Third-Party Senders' ACH activities.
Examples of recent risk management requirements and guidance by regulators include:
- FFIEC Retail Payment Systems IT Examination Handbook, February 2010
- OCC Bulletin 2006-39, Automated Clearing House Activities, September 1, 2006
- OCC Bulletin 2008-12, Payment Processors, April 24, 2008
- FDIC Financial Institution Letter 127-2008, Payment Processor Relationships, November 7, 2008
- FFIEC Guidance on Risk Management of Remote Deposit Capture, January 14, 2009








