
Common ACH Audit Findings

Published on April 12, 2024




AUTHOR

Jamie Herbert, AAP, APRP, NCP
Director of Compliance Services




I recently read a statement from someone who said, “completing an audit is like trying to make friends at a tax seminar – nobody's lining up for the opportunity!” Of course, we greatly appreciate all our tax professional friends and the work they do!

While ACH Audits may not be top of mind for everyone, the ACH rules are clear that all financial institutions, Third-Party Senders (including Nested Third-Party Senders), and Third-Party Service Providers that process Entries for a financial institution or Third-Party Sender must conduct, or have conducted, an audit of its compliance with the Nacha Operating Rules no later than December 31st of each year. An organization's ACH Audit must be performed under the direction of the audit committee, audit manager, senior level officer, or independent (external) examiner or auditor of that organization.

UMACHA’s Compliance Services team conducts hundreds of ACH Audits each year for various participants in the ACH Network, such as financial institutions of all shapes and sizes (including both banks and credit unions), Third-Party Senders, Nested Third-Party Senders, and various types of Third-Party Service Providers, including Sending Points and Receiving Points. Throughout these audits, our team has identified several common audit findings we would like to share with you so that you can avoid these common issues when it comes time for your audit.
 
ACH Contact Registry
Impacts: Originating Depository Financial Institutions (“ODFIs”) and Receiving Depository Financial Institutions (“RDFIs”)

Finding: The financial institution either has not input ‘ACH operations’ and/or ‘fraud and/or risk management’ contacts in the ACH Contact Registry within Nacha’s Risk Management Portal, or the individuals or departments listed are no longer the correct points of contact for these types of inquiries.

Nacha Operating Rule Requirement: Article One, Section 1.14 states, "A Participating DFI must register with the National Association specific contact information for personnel or departments responsible for: (a) ACH operations; and (b) fraud and/or risk management. A Participating DFI may register contacts for additional personnel or departments, at its discretion." Furthermore, the Rule goes on to state, “A Participating DFI must update the registration information within 45 days following any change to the information previously provided and must verify all registration information at least annually.”
 
ACH Origination Agreements
Impacts: ODFIs and Third-Party Senders (including Nested Third-Party Senders)

Finding: The ACH Origination Agreement executed between a financial institution and its Originator or Third-Party Sender does not contain the minimum required provisions, or the ACH Origination Agreement executed between a Third-Party Sender and its Originator or subsequent Nested Third-Party Sender does not contain the minimum required provisions.

Nacha Operating Rule Requirement: Article Two, Subsection 2.2.2 explains that ACH Origination Agreements must be executed prior to allowing an Originator or a Third-Party Sender to originate ACH Entries. Depending on the type of arrangement (e.g. between an ODFI and an Originator or between an ODFI and a Third-Party Sender), the Nacha Operating Rules have separate provisions that must be included within the scope of the agreement.
 
Authorizations
Impacts: ODFIs and potentially Third-Party Senders (and their Originators)

Finding: The financial institution or its Originator either does not obtain proper authorization prior to initiating ACH Entries, or they are unable to furnish adequate proof of authorization for originated ACH Entries, including for Micro-Entries. Similarly, the financial institution is unable to furnish proof of authorization for ACH Entries processed through its online banking to facilitate consumer external transfers.

Nacha Operating Rule Requirement: Article Two, Section 2.3 sets forth the requirements related to authorizations. Specifically, Subsection 2.3.1 states, “An Originator must obtain authorization from the Receiver to originate one or more Entries to the Receiver’s account, except for credit Entries for which the Originator and Receiver are both natural Persons.”

The Nacha Operating Rules go on to set forth specific requirements for authorizations to debit the account of a consumer Receiver in Article Two, Subsection 2.3.2.2, while specific requirements to debit the account of a non-consumer Receiver are set forth in Article Two, Subsection 2.3.3.

It is also important to understand that Micro-Entries, which are small-dollar transactions used for the purpose of account validation, must also be authorized in accordance with the Nacha Operating Rules. The financial institution must be able to furnish proof of authorization upon request for all consumer debits, which may include Micro-Entries, in accordance with the Nacha Operating Rules.
 
Notifications of Change
Impacts: ODFIs and Third-Party Senders (and their Originators)

Finding: The financial institution, Third-Party Sender, or its Originator does not make the necessary corrections specified in a Notification of Change (“NOC”). Additionally, the financial institution or Third-Party Sender does not provide the required information to its Originators or Third-Party Senders when an NOC is received.

Nacha Operating Rule Requirement: Aside from the exceptions set forth in Article Two, Subsection 2.12.1, the Originator must make the changes specified in the NOC or corrected NOC within six banking days of receipt of the NOC information or prior to initiating another Entry to the Receiver’s account, whichever is later.

In accordance with Article Two, Subsection 2.12.1, “For each NOC or corrected NOC it receives, an ODFI must provide the Originator with the following minimum information within two Banking Days of the Settlement Date of the NOC or corrected NOC: (a) Company Name; (b) Company Identification; (c) Company Entry Description; (d) Effective Entry Date; (e) DFI Account Number; (f) Individual Name/Receiving Company Name; (g) Individual Identification Number/Identification Number; (h) Change Code; (i) Original Entry Trace Number; (j) Original RDFI Identification; and (k) Corrected Data.”
 
Stop Payments
Impacts: RDFIs

Finding: The financial institution is not properly handling its stop payment requests. Errors observed vary and include incorrect Return Reason Code usage, incorrect effective periods for stop payment requests, and incomplete or incorrect information listed on stop payment request forms.

Nacha Operating Rule Requirement: The R08 (Payment Stopped) Return Reason Code should be used for most stop payment requests. Additional Return Reason Codes that may be used, depending on the circumstances, include R38 (Stop Payment on Source Document) and R52 (Stop Payment on Item Related to RCK Entry).

For consumer accounts, Article Three, Subsection 3.7.1.4 of the Nacha Operating Rules states, “A stop payment order will remain in effect until the earlier of: (a) the withdrawal of the stop payment order by the Receiver; or (b) the return of the debit Entry, or, where a stop payment order applies to more than one debit Entry relating to a specific authorization involving a specific Originator, the return of all such debit Entries.” The effective period for non-consumer accounts, which is different from consumer accounts, can be found in Article Three, Subsection 3.7.2.1.

While the Nacha Operating Rules do not require the completion of a stop payment request form, financial institutions that choose to utilize forms should ensure the forms are completed properly and completely.
 
Written Statements of Unauthorized Debit
Impacts: RDFIs

Finding: The financial institution is not properly handling Written Statements of Unauthorized Debit (“WSUDs”). Errors observed vary and include incorrect Return Reason Code usage, untimely returns, returns due to a dispute over goods or services, and incomplete or incorrect information listed on the WSUD.

Nacha Operating Rule Requirement: The requirements associated with WSUDs can be found in Article Three, Section 3.12. It is important to understand the circumstances in which a WSUD should be completed and what the return time frames are, and to confirm that each WSUD has been properly completed and contains all required provisions described in Article Three, Subsection 3.12.4 prior to processing an extended return Entry.

While separate from the Nacha Operating Rules, it is important to ensure financial institutions understand and are properly complying with the error resolution obligations and procedures set forth in 12 CFR Part 1005 - Regulation E.

* Two revisions to the Nacha Operating Rules related to WSUDs and the corresponding return process have been approved and become effective October 1, 2024. One revision will allow a WSUD to be signed and dated by the Receiver on or after the date on which the Entry is presented to the Receiver (either by posting to the account or by notice of a pending transaction), even if the debit has not yet been posted to the account. The other revision requires that when returning a consumer debit as unauthorized in the extended return timeframe, the RDFI must do so by the opening of the sixth banking day following the completion of its review of the consumer’s signed WSUD. This does not prolong the extended return period.
 
UMACHA is Here to Help
While this is by no means an exhaustive list of ACH Audit findings, it represents several of the most commonly observed findings by our Compliance Services team. UMACHA offers a range of compliance services to assist with ACH Audits. ACH Audits do not have to be scary! As your partner in understanding electronic payments, we greatly appreciate the opportunity to work with you, our members, to uncover and help address potential gaps or deficiencies that can be corrected to ensure your ACH program complies with the Nacha Operating Rules.

Learn more about our Compliance Services or request a no-obligation quote for compliance services. Discounted compliance services pricing is a perk of your UMACHA membership, and we would love to work with you on your compliance needs. 
