Are You in Compliance With Your ACH Audit Requirements?

Originating Depository Financial Institutions (ODFIs) and Third-Party Service Providers and Senders

John Rizzo, Risk & Business Advisory Manager
June 2019

The efficiency and increased ease of access to paperless transactions has caused a significant growth in the use of ACH transactions as a method of exchanging funds. Many companies turn to their banks or other financial institutions, who can serve as Originating Depository Financial Institutions (ODFIs), to gain access to the ACH network. As a means to ensure the integrity of ACH activity, the National Automated Clearing House Association (NACHA) has implemented a Third-Party Service Providers registration requirement, which was issued on September 29, 2017. This requirement requires ODFIs to register their Third-Party Sender customers with NACHA no later than March 1, 2018. NACHA Rules also require proof be provided within 10 days of the request of evidence of their annual ACH Audit by December 31 of each year. As a result of the registration rule, there has been heightened awareness regarding ACH Audit requirements of Third-Party Senders and Services Providers. Recently we have experienced additional inquiries from our clients (and their clients) needing our help with ACH audits.

Are you a Third-Party Sender?

Third-Party Senders, which can take a number of forms, are the ODFI’s direct customers, that submit ACH transactions through the ODFI. In many cases, a Third-Party Sender provides a service to businesses who need to originate ACH payments but do not have a direct relationship with an ODFI. This arrangement results in an indirect relationship between the ACH Originator and the financial institution serving as the ODFI. The ACH audit requirements, which include separate requirements for ODFIs, Third-Party Senders, and Originators, respectively, have been implemented to monitor compliance with the NACHA requirements.

How Do I Know If I’ve Been Registered?

As part of the registration process, ODFIs will provide basic demographic information about Third-Party Senders. If ODFIs believes they have no relationships with Third-Party Senders they must attest to accordingly.

Regardless of the nature and related Third-Party Sender relationships, ODFIs have the ultimate responsibility for payments processed through both their direct and indirect Third-Party Sender relationships. For that reason, it is important that financial institutions understand the nature of their customers and for any that are a Third-Party Senders, whether they are in compliance with NACHA Rules. Third-Party Senders are common in ACH use cases such as payroll processing, bill payment, and e-commerce.

What should I do?

If you are an ODFI, you should make sure that you have identified your third-party senders. They could be professional services firms, payroll companies, or maybe some other type of management company that processes ACH transactions. As an ODFI, you should ensure that you have registered them with NACHA and determine whether they have completed their necessary ACH rules compliance audits and related assessments.

As a Third-Party Sender you should ensure that you have conducted your annual ACH rules compliance audit and your annual risk assessment, including confirming that you have the necessary documentation for merchant and related relationships and that you have appropriate merchant monitoring activities in place.

Staying compliant can be challenging. BNN can assist with ACH audits and audits of your Third-Party Senders and Service Providers. We can also evaluate your risk assessment and due diligence process to ensure it is meeting your objectives.

For more information or a discussion on how this may impact you, please contact John Rizzo or your BNN advisor at 800.244.7444.

Disclaimer of Liability: This publication is intended to provide general information to our clients and friends. It does not constitute accounting, tax, or legal advice; nor is it intended to convey a thorough treatment of the subject matter.