Navigating ACH Risk in a Third-Party World: An Expert Interview
Published on February 27, 2025
In the evolving world of payments, risk management is a top priority for financial institutions navigating the complexities of the ACH Network. UMACHA’s Director of Member Support and Operations, Sara Hentges, plays an active role in Nacha’s Risk Management Advisory Group (RMAG), which brings together industry experts to discuss emerging risks, trends, and best practices that impact ACH participants nationwide.
UMACHA’s Eric Wester recently had the opportunity to sit down with Sara to discuss her role in RMAG and how she represents UMACHA’s membership. In this interview, she shares insights into RMAG’s work, the risks associated with third parties in the ACH Network, and the essential controls financial institutions should have in place when working with Third-Party Senders and other Third-Party Service Providers. She also highlights key risk considerations, red flags to watch for, and the importance of annual ACH audits.
Whether you're responsible for payments risk management or simply looking to stay informed, this conversation provides valuable guidance on safeguarding ACH transactions.
Q&A with Sara Hentges
Q: Can you describe what Nacha’s Risk Management Advisory Group (RMAG) is?
Nacha’s Risk Management Advisory Group (RMAG) is a collaboration of industry peers, including representatives from Nacha, financial institutions, the ACH Operators, and Payment Associations. The group focuses on risk management within the ACH Network and serves in an advisory capacity to Nacha’s executive management team. Additionally, insights from RMAG are shared with Nacha’s Rules and Operations Committee. Many of Nacha’s fraud and risk-based Operating Rules have originated from discussions within RMAG.
Q: How does your participation in RMAG help represent the interests of UMACHA’s financial institution and affiliate members?
As a Payment Association representative, I bring the voice of small to mid-sized financial institutions to RMAG discussions, which can sometimes be driven by larger institutions. Having worked at a community bank and audited financial institutions of all sizes, I ensure our members’ interests are considered in discussions on rules, compliance, and risk management. My role is to advocate for the operational realities our members face and assess how proposed changes will impact them.
Q: What are some key risk-related topics that RMAG has been focused on recently?
RMAG’s focus over the last few years has been credit push fraud. What started as A New Risk Management Framework for the Era of Credit Push Fraud (off-site) resulted in the implementation of several new Nacha Operating Rules.
RMAG is also monitoring FinTechs, specifically those that provide consumers or businesses with accounts used to receive ACH transactions. There is currently no formal definition of these complex relationships within the Nacha Rules (other than possibly Third-Party Service Provider), but RMAG has released some considerations for RDFIs with FinTech relationships (off-site). As these types of relationships become more prominent within the ACH Network, RMAG will continue to monitor the risks associated with this business model and provide guidance as needed.
Most recently, RMAG discussed whether a financial institution should require its Third-Party Sender to provide an attestation that an annual ACH audit had been completed or the actual audit report. The conclusion was that a financial institution should request a copy of the audit, as a best practice, to ensure not only that an audit had been completed, but also that any findings or recommendations from the audit could be addressed. You can read a blog post about it here (off-site).
Q: What are some of the most common risks associated with Third-Party Sender involvement in payments?
Credit and compliance risks are the most common risks we make recommendations on related to Third-Party Senders. For example, we have seen financial institutions that allow payroll processors to debit funding for payroll from their clients and send out payroll on the same day. What happens if the funding entry is returned, and payroll has already been processed? The Nacha Operating Rules state that in this scenario, a reversal of the credit entries is not allowed. Can the Third-Party Sender cover the cost of their client’s payroll?
Compliance risk often stems from a lack of understanding of the Nacha Operating Rules and/or audit and risk assessment requirements. It’s important for financial institutions to educate their Third-Party Senders on ACH compliance and the requirements to conduct an ACH audit and ACH risk assessment. UMACHA conducts audits and risk assessments that often serve as educational tools, helping Third-Party Senders improve compliance in areas such as origination agreements, authorization language, and proper use of SEC Codes.
Q: What are some key risk controls that financial institutions should have in place when working with third parties in ACH transactions?
A financial institution should have a comprehensive agreement with their Third-Party Sender that includes required provisions per the Nacha Operating Rules, details on Nested Third-Party Senders, risk management, security procedures, and defined warranties and liabilities.
The institution should assess the Third-Party Sender’s credit risk, assign an appropriate exposure limit, and review it periodically—at least annually, given the higher risk. Pre-funding should also be considered.
Understanding the Third-Party Sender’s business model is crucial to ensure compliance with authorizations and SEC Codes. Returns and NOCs should be closely monitored, as high volumes could signal issues.
The institution should approve new Originators before the Third-Party Sender originates on their behalf and maintain a list of the Third-Party Sender’s Originators with key details, such as business name, address, Tax ID, line of business, and exposure limit. This prevents the onboarding of prohibited businesses.
Third-Party risk management should be incorporated into ACH, credit risk, and vendor management policies.
Q: Are there specific red flags that financial institutions should be looking for when assessing the risk of a Third-Party Sender?
One significant red flag that financial institutions should watch for when reviewing a prospective Third-Party Sender is urgency to be onboarded. If a Third-Party Sender is rushing the process because they lost a prior banking relationship, it may signal compliance or financial instability issues. Another red flag is a refusal to provide a copy of an ACH audit and/or ACH risk assessment, which could indicate non-compliance or a lack of awareness of Nacha Operating Rules requirements. If a Third-Party Sender is unwilling to provide transparency regarding its Originators, it could suggest fraud or BSA/AML concerns. These are just a few red flags and are not all-inclusive.
Financial institutions should maintain an open and transparent relationship with each of their Third-Party Senders. In my experience, a strong partnership between financial institutions and Third-Party Senders fosters compliance with the Nacha Operating Rules and risk mitigation. Institutions that actively review audits and risk assessments create an environment where Third-Party Senders are more proactive about compliance and risk.
Q: What are the consequences if a Third-Party Sender fails to provide adequate proof of their ACH audit?
If Nacha contacts an ODFI and requests a copy of a Third-Party Sender's proof of audit, but the ODFI is unable to provide it, failure to supply proof of an ACH audit constitutes a Class 2 Rules Violation. This can result in fines of up to $100,000 per month until resolved. Nacha fines the financial institution, not the Third-Party Sender, meaning the institution bears the risk. While some institutions rely on agreements to pass fines to the Third-Party Sender, this assumes the Third-Party Sender has the financial capability to cover the costs—an assumption that may not hold.
UMACHA is Here to Help
At UMACHA, we understand the challenges financial institutions face and offer a variety of compliance resources to help. This includes on-site and remote ACH Audits and ACH Risk Assessments tailored for financial institutions, Third-Party Senders, and Third-Party Service Providers, as well as resources to assist organizations that conduct these services internally. These tools not only help ensure compliance with the Nacha Operating Rules but also support proactive risk management.
For more information on how UMACHA can assist with your compliance needs, learn more about our compliance offerings, request a no-obligation quote for compliance services, or reach out to us today at info@umacha.org.
Stay connected with Sara Hentges and UMACHA on LinkedIn!