Do Your ACH Procedures Follow Your Policy?

Amy Donaghue

By: Amy Donaghue, AAP, APRP, NCP, Director, Advisory Services

Imagine that it’s been your daily duty to send out Notifications of Change (NOC) for over a year now. Everything is going well. ACH Entries are being fixed and exception items are decreasing. Then an auditor or examiner comes in and reprimands you because your ACH Management Policy states that your institution will not send out NOC Entries. You’re thinking “ugh, but wasn’t I doing something good?!” It’s time to revise and rethink your procedures and policies.

The process of conducting an audit or risk assessment typically begins with the review of the current policies within the financial institution. Policies should represent the institution’s current business practices, address compliance with required rules and regulations and establish comprehensive risk tolerance limits. Once a policy has been established and implemented, it is recommended the policy be reviewed at least annually. During the annual policy review, determine if updates need to be made due to changes within the operating environment governed by the policy, or due to regulatory changes/updates. Additionally, staff responsible for the outlined tasks should be familiar with what is contained within the policy.

After the review of policies, current processes should be reviewed to validate written procedures and verify staff has implemented the processes as established by the institution’s policies. Staff members who will touch the covered processes should also be involved with the development of written operational procedures. The procedures should reflect and support the content contained within the policy. Also, as recommended with the policy, written procedures should be reviewed periodically to determine if updates need to be made.

Below are some common issues EPCOR auditors and consultants have encountered during our reviews related to ACH policies and procedures:

  • Policy or procedures are outdated and do not represent current operations.
  • Policy or procedures do not cover all aspects of the operating environment.
  • ACH department staff members are not familiar with what is contained in the policy.
  • Revisions to the policies are not tracked or dated to identify the most current version of the policy or procedures.
  • Procedures are not detailed and are limited in scope.
  • Procedures are not updated when new systems or software are implemented.
  • Documents of policies and procedures are not managed in a way that assists with examiner or auditor review.
  • Staff operates from their own “notes” rather than the official procedure documents.
  • Actual practices do not reflect the approved policies or procedures.
  • Backup staff is not familiar with approved policies or procedures.
  • Current policy and procedure documents are not available when working off-site, such as for disaster recovery/business resumption events or remote working arrangements.

If you are having challenges with developing your ACH policy or ensuring existing procedures are fully in compliance with payments rules, regulations and your financial institution’s policies, contact EPCOR’s Advisory team (advisoryservices@epcor.org) for a thorough and comprehensive Policy, Procedures and Agreements review. In addition to providing a comprehensive review with a detailed report of the findings, we will provide helpful guidance to help you mitigate risk and improve your processes. Let the payments experts provide you with the assistance you need to ensure your organization has current policies and procedures that ensure compliance with the rules and regulations and help you reduce risk in your payment operations. Reach out today!