Establishing, Implementing & Reviewing ACH Exposure Limits

Amy Donaghue

Emily Hays, AAP, NCP, Manager, Audit Services

A financial institution’s ACH program should include an ongoing process that evaluates whether ACH activities are conducted within the risk parameters established by its Board of Directors. This process should also determine whether existing policies, procedures and controls effectively address all aspects of the financial institution’s ACH activities, but especially origination activity.

Exposure limits are a required control every Originating Depository Financial Institution (ODFI) must have in place for each Originator. The 2019 ACH Rules state, “An ODFI must perform due diligence with respect to the Originator or Third-Party Sender sufficient to form a reasonable belief that the Originator or Third-Party Sender has the capacity to perform its obligation in conformance with these Rules. In addition, the ODFI must: (b) ESTABLISH, IMPLEMENT and periodically REVIEW an exposure limit for the Originator or Third-Party Sender.” (Subsection 2.2.3 ODFI Risk Management; pg. OR6)

So, how can your financial institution ESTABLISH, IMPLEMENT and periodically REVIEW exposure limits so that you meet this ACH Rules requirement and ensure those limits meet the risk parameters established by your institution? Here are our recommendations.

Step 1) ESTABLISH an exposure limit for the Originator or Third-Party Sender.

  • Communicate with the Originator. Discuss their business needs to find what ACH origination services will work best for their type of business;
  • Require evaluation of the Originator's creditworthiness, including a comprehensive financial analysis (similar to that performed on other potential unsecured borrowers) by lending personnel;
  • Exposure limits should be established per Settlement Date, not transmission date. Educate the Originator on the proper use of the Effective Date field, especially if you offer Same Day ACH services.
  • Maintain a credit file on the originator that will include the types of ACH transactions that are authorized;
  • Exercise standard review methods when establishing exposure limits. This review process may consider:
    • Calculating the estimated dollar value and frequency of files, as indicated by the Originator. The values they provide should make sense for the type of origination they are conducting;
    • Exposure across Treasury Management services (if that is required in your policies. Examples include wire transfer, remote deposit capture, etc.);
    • Credit review;
    • Looking over financial statements;
    • Reviewing the account history;
    • The overall relationship with the institution; and/or
    • Prefunding/collateral conditions.

Step 2) IMPLEMENT an exposure limit for the Originator or Third-Party Sender.

  • Set limits and obtain appropriate internal approvals before allowing ACH transactions to be initiated. This can be done via ACH software or by manual review.
  • Implement a process to ensure that approvals of over-limit transactions are well controlled and consistent with the financial institution policies for extending unsecured credit.
  • Document temporary and permanent changes to each Originator’s exposure limit to monitor and track for the annual review process

Step 3) REVIEW the exposure limit for the Originator or Third-Party Sender.

  • Develop and document the review process with specific dates and deadlines for all personnel involved in the process.
  • Require credit/lending and ACH operations personnel to consult with one another at least annually, or more often if necessary, to confirm that the Originator's financial condition has not changed.
  • Monitor and review trends.

An ODFI should not just set an exposure limit and decide that this action alone ensures compliance with the Rules. Additionally, the Rules require that an ODFI must proactively measure exposure limits for each Originator or Third-Party Sender. Failure to implement appropriate controls is considered an unsafe and unsound practice that could result in increased credit, compliance, reputation, and strategic and transaction risks. This could also result in a compliance issue for your ACH audit.

Calling All Procrastinators – The Deadline is Approaching!

All financial institutions are required to conduct an ACH Rules Compliance Audit by December 31st of each calendar year, but there’s no need to stress! Our expert Audit Services team still has a few spots open on our calendar. Email audit@epcor.org to get on our calendar today! Or, if you’re going the DIY route, our 2019 ACH Audit & ACH Risk Assessment Workbook will help streamline the process.