Ask Mary: ACH Rules Change Impact on Our Annual Audit?

Ask Mary: I understand that NACHA recently passed new ACH rules related to the annual ACH Rules Compliance Audit. Is it true that Appendix Eight is going away? What does that mean for our annual audit?

On November 4, 2018, the NACHA membership voted and approved an ACH Rules change that allows greater flexibility for financial institutions and Third-Party Service Providers when conducting annual ACH Rules Compliance Audits. The effective date of this rule change is January 1, 2019, and it will apply to all audits due December 31, 2019.

This new Rules amendment does not alter the current requirements for an annual ACH Rules Compliance Audit to be conducted by December 31st each year by all participating financial institutions and third-party service providers that originate and receive ACH entries. The structure of the audit requirements within the ACH Rules will change, however, consolidating the rules for the annual audit into one section and removing redundant material within other sections of the ACH Rules.

Currently, Article One, Section 1.2.2, Audits of Rules Compliance, of the ACH Rules states that Participating DFIs and Third-Party Service Providers or Third-Party Senders must conduct an annual ACH audit of Rules compliance in accordance with Appendix Eight, which contains the audit requirements. There are additional Rules references in Article Two that specifically address Third-Party Service Provider requirements for the annual ACH audit, including addressing the ACH activities that would require a Third-Party Service Provider audit and providing proof that an annual ACH audit was completed as required. Other ACH Rules requirements for the annual ACH Rules Compliance Audit such as the timing for conducting the audit, retention requirements and provision of audit results when requested by NACHA are included in the current Appendix Eight, along with the detailed audit criteria to assist with conducting the annual ACH Rules Compliance Audit. All those requirements, with the exception of the specific Audit criteria from Appendix Eight, will be included in Article One beginning January 1, 2019. New subsections will be added to Subsection 1.2.2 to address all Rules requirements that pertain to any ACH participant’s audit responsibilities. Appendix Eight will be eliminated from the ACH Rules.

Appendix Eight has been the guide used by most ACH Network participants to conduct their annual ACH audit since the audit requirement was implemented in 1999. Most ACH audit workbooks available today follow the criteria in Appendix Eight, and the scope of an ACH Rules Compliance Audit normally has not ventured beyond those requirements. In fact, in the early 2000s, the criteria in Appendix Eight covered most of the Rules requirements in effect. However, as the ACH Network has changed over the years, the requirements in Appendix Eight have not been updated to reflect many of the new ACH Rules, which has created a gap and frustration for participants. Because the detailed audit requirements were contained in an Appendix of the Rules, changes to the requirements required comment periods and voting by the NACHA membership. And, most notably, Appendix Eight was never intended to be the ‘guide’ for conducting the ACH audit, even though the wording of the criteria would lead us to believe it was our guide since it used words like - ‘verify’, ‘review’, etc. If you have been involved in the ACH audit process or looked at the requirements in Appendix Eight recently, you are certainly aware that those requirements don’t cover all aspects of ACH Rules compliance.

In summary, Appendix Eight is going away, but the requirement to conduct an annual audit of compliance with the ACH Rules is not. You still must complete an audit; however, beginning in 2019, you will have the flexibility to conduct an ACH Rules compliance audit that reflects your organization’s ACH program and activities. The information currently in Appendix Eight will instead be included in the ACH Rules Guidelines and presented as suggested areas of compliance you may want to audit, and the Guidelines will include suggestions on additional ACH Rules areas as well.

As an ACH Network participant, you agree to comply with all the ACH Rules, and your ACH Rules Compliance Audit is an opportunity to ensure your compliance with all Rules and identify areas that may expose your institution to unnecessary risk. The new audit compliance rule provides participants with the ability to ensure they are limiting the risks associated with their ACH activities through the ACH audit process. Your organization will want to review your current ACH program and ensure compliance with all relevant ACH Rules. Can you continue to conduct your ACH audit as you have in the past? Of course, but I encourage you to leverage the flexibility of the ‘new’ audit requirements and consider how you can use the ACH audit to further reduce your risk.

Finally, we have been receiving many questions about whether we will continue to offer the EPCOR ACH Audit Workbook. The short answer is yes, we will offer an ACH Audit Workbook for 2019. The rule change is new to us too, so we are currently evaluating how to best leverage the new rule. Stay tuned for more information on the 2019 Audit Workbook soon. And, if you want to hear about ALL the 2019 ACH Rules changes, make plans now to attend a Payment Systems Update seminar in your area.