Freed Maxick Cybersecurity Team
Understanding Roles in the Automated Clearing House (ACH) Network and How to Achieve Compliance
The National Automated Clearing House Association (NACHA) is the organization responsible for managing the development, administration, and governance of the Automated Clearing House (ACH) Network. The ACH Network is the foundation for the electronic movement of money and its related data in the United States.
NACHA requires Participating Depository Financial Institutions (DFI) to annually conduct, or have conducted, an audit of compliance against NACHA Operating Rules. Any Third-Party Service Provider or Third-Party Sender that has an agreement with a Participating DFI is also required to conduct, or have conducted, an audit of compliance against the NACHA Operating Rules.
These compliance audits must be performed under the direction of an organization’s audit committee, audit manager, senior level officer, or independent examiner.
NACHA Operating Rules
The NACHA Operating Rules provide the legal framework for the ACH Network and must be followed by all parties involved. Organizations can be involved in the ACH Network in different capacities, which means that different organizations have different requirements that should be considered when developing an ACH program.
Whether acting as an Originator, a Receiver, an Originating Depository Financial Institution (ODFI), a Receiving Depository Financial Institution (RDFI), or a Third-Party Service Provider, each organization involved has responsibilities and requirements that must be followed to ensure the integrity of the system. Violations of these rules could lead to penalties and fines, ranging from a one-time $1,000 fine for a Class 1 infraction, all the way up to a $500,000 per month fine for a Class 3 infraction.
To ensure compliance with the rules, it is important for an organization to understand how it is involved in the ACH Network, what requirements apply, and what controls or procedures should be implemented within its ACH program.
Parties Involved in NACHA
Organizations as well as individuals can be involved in the ACH Network as Originators or Receivers.
- An Originator agrees to initiate ACH entries into the payment system based on an arrangement with a Receiver.
An example of this would be an organization directing a transfer of funds to another organization for payment of supplies, or to their employees for compensation. An individual would act as an Originator in the instance of transferring his or her own funds through the payment system to another party.
- A Receiver is an organization or consumer who has authorized an Originator to initiate an ACH entry to their account through their RDFI.
- The ODFI is the institution that receives payment instructions from Originators and submits entries to the ACH Operator.
- The ACH Operator is a central clearing facility that receives entries from ODFIs, and distributes these entries to appropriate RDFIs. The ACH Operator also performs settlement functions for the financial institutions.
- The RDFI is the institution that receives entries from the ACH Operator and posts them to the accounts of its Receivers.
- Third-Party Service Providers are organizations that perform any ACH function on behalf of an Originator, an ODFI, or an RDFI. A specific type of Third-Party Service Provider is a Third-Party Sender, which acts on behalf of an Originator when there is no agreement between the ODFI and Originator for ACH origination services.
NACHA Requirements
An Originator must authorize the ODFI to originate entries on their behalf to Receivers’ accounts through an Origination Agreement, which will contain restrictions on types of entries permitted along with legal terms and conditions. Originators must agree to not originate any entries that violate the laws of the United States.
Receivers must give authorization to the RDFI prior to any funds being transferred into their accounts. The agreement between a Receiver and their RDFI will include any restrictions on entries that the RDFI will not process along with legal terms and conditions.
(The requirements for ODFIs, RDFIs, and Third-Party Service Providers are best summarized within Article One, Section 1.2.2 (Audits of Rules Compliance) of the NACHA Operating Rules.)
These organizations must retain evidence that they have completed an audit of compliance in accordance with the rules for a period of six years from the date of the audit. Upon the National Association’s request, an organization must provide this evidence within ten banking days. Failure to provide this evidence of completion of a compliance audit could lead to the determination by the National Association of a Class 2 rule violation, which can carry a fine of up to $100,000 per month until the matter is resolved.
The specific requirements for ODFIs, RDFIs, and Third-Party Service Providers cover several areas of focus within the ACH process.
There are Know-Your-Client (KYC) requirements that must be met prior to beginning services for an organization. These requirements are designed to meet the Office of Foreign Assets Control (OFAC) guidelines, which ensure that parties within the ACH Network are aware of who they are performing services for, in order to avoid or block transactions from criminal or terrorist organizations, and any individuals closely associated with such organizations.
There are requirements regarding the record retention of ACH entries, which include maintaining records for six years from the date the entry was transmitted. Banking information relevant to ACH transactions must be transmitted using encryption or a secure session to prevent unauthorized access.
Other areas of focus include requirements for handling specific types of entries, to ensure that the integrity of the data being processed is not compromised.
Engaging Freed Maxick to Perform Your NACHA Rules Compliance Audit
Our team of ACH experts can work with you and your organization to review your overall compliance with the NACHA Operating Rules. Freed Maxick can act in the function of an independent examiner that can complete the required annual NACHA audit. By conducting a thorough examination of your organization’s ACH program, we can help you identify weak areas in your current processes and advise you on the most effective and efficient ways to achieve and maintain compliance.
For more information regarding how Freed Maxick can complete an audit of compliance for NACHA Operating Rules, contact Philip.Stolarski@freedmaxick.com or call 716.847.2651.