EPCOR Auditor Report on New Policy Trend

Amy Donaghue

By: Amy Donaghue, AAP, APRP, Senior Manager, Audit Services

The EPCOR audit team is exposed to many different financial institution’s policies while conducting audits and risk assessments. Most of these policies have been in place for several years and, unless there has been a change in the operating environment, services provided or updates due to regulatory requirements, they typically will remain a static document with limited annual changes.

Over the past few years, we have come across a new concept with the creation of an overarching payments policy. This policy addresses all payment activities that a financial institution is engaged in (i.e. ACH, RDC, wire transfers, payroll cards, credit cards, mobile deposits, etc.). With the creation of this policy, overlapping processes or systems and cross-channel risk appear to be addressed in a more effective manner. This helps ensure that the implementation of a new service or product will be done with the sanctification of the Board of Directors or a designated committee who is responsible for ensuring that the various payment offerings do not expose the financial institution to excessive risks.

Additionally, instead of having a multitude of individual policies to maintain (i.e. review, update and approve) there is now only one. The policy should still clearly define objectives, a well-developed business strategy and clear risk parameters for each of the payment types the financial institution is engaged in but not as a “siloed” concept.

Also, with regards to a single payments policy and those payments generally affecting other departments (credit, operations, treasury services) within the financial institution, those specific departments should know what the policy states. If the departments have ownership in any of the functions to support the various payment types, there should be written procedures that provide the detail of those functions as well as information identifying responsible parties to complete the process.

Whatever path you choose with your financial policies and procedures for the processing of payments, both the policies and the procedures should be reviewed, updated if needed and approved on an annual basis. Staff members should know and understand what are in the policies and procedures and these documents should be a foundation for when audits and risk assessments are being conducted during the coming year. And remember, not having a formal policy is bad, but not following what’s an existing policy is even worse.

A Note From Our Audit Team:

With this year’s ACH Rules Compliance Audit changes, now is a great time to bring in our expert audit team of AAPs, NCPs and APRPs! PLUS, you can save up to 15% by booking your audit before May 15th and having it conducted before June 29th.  Reach out to Member Support at 800.500.0100 or email audit@epcor.org to get on our calendar now and save!