NOCs - No One Cares?

Amy Donaghue

By: Amy Donaghue, AAP, APRP, Senior Manager, Audit Services

As required by the ACH Rules, one of the responsibilities of an Originator is to ensure they respond to incoming Notifications of Change or NOCs in accordance with the Rules. This information can be found in Article Two, Section 2.11, Notifications of Change (NOC), pg. OR 29. Specifically, the Rules state “the Originator must make the changes specified in the NOC or corrected NOC within six Banking Days of the receipt of the NOC information or prior to initiating another Entry to the Receiver’s account, whichever is later.” The Rule is very clear regarding the Originator’s responsibility. So, why is it that NOCs remain the most common reason that a Rules violation is filed, year after year?

While conducting ACH Rules Compliance Audits or ACH Risk Assessments, our audit team is exposed to the inner workings of an Originating Depository Financial Institution (ODFI), including its processes and procedures as it relates to incoming NOCs. So, what are some of the common findings we see when out in the field?

Let’s start at the beginning of the incoming NOC process. The responsibility of the ODFI is to notify the Originator of the receipt of an NOC. The Rules state this information must be provided to the Originator within two Banking Days of the Settlement Date of the NOC. Rarely do we see that an ODFI is not providing this information to the Originator; however, we sometimes see a system generated report being provided that even financial institution staff find difficult to interpret. We also encounter system generated reports that include information for multiple Originators in which financial institution staff have used a sharpie to black out protected information that belongs to another Originator. Another shortcoming often found in the notification process is sending NOC information via an unsecure email session. So, what does your financial institution do to ensure your process is clear and easy for Originators to understand?

Here are some Notification of Change process best practices:

  • Ensure Originator(s) receive information that clearly explains what information needs updating
  • If verbally contacting an Originator with the change information, be sure to document when and to whom the information was provided
  • If you send system generated reports that contain multiple Originators’ NOC activity, transfer the information for individual Originators into a separate document; otherwise you are at risk of providing protected information to an outsider
  • Never provide NOC information via an unsecure delivery method
  • Staff responsible for the Information Security program be aware of the method of delivery of this information so that it can be addressed in your Information Security Risk Assessment

Once the information is provided to your Originator(s) in a secure manner that clearly states the information that needs to be changed, is your obligation complete? Not yet. An ODFI is not only required to provide the change information in a timely manner but must also ensure the Originator makes the requested changes. Again, we see many different methods ODFIs use when monitoring incoming NOC activity.

Smaller and midsize financial institutions who receive limited incoming NOC activity may find it reasonable to rely on an excel spreadsheet to monitor the activity. If this is the case, the monitoring process should overlap prior months of activity to pinpoint any issues of non-response by Originators processing monthly Origination files. Additionally, if there are recurrences of receipt of NOC activity, there should be a written procedure developed as to how the situation will be addressed. Is the Originator going to be contacted by someone in your operations area or treasury services or perhaps the account officer assigned to the Originator? And how will that process be documented?

As for larger institutions, the process typically becomes more automated. Analytical systems may be in use that alert financial institution staff of Entries being initiated prior to responding to the information provided in an NOC. Also, we have seen ODFIs create “swap tables” within their processing systems that will update the information during the processing of the Origination file. These systems may also provide reports on individual Originators NOC activity.

However, if a financial institution chooses to monitor NOC activity, it must be done in a proactive manner. Not doing so heightens the ODFI’s risk of receiving an ACH Rules violation and creates unnecessary work for the Receiving Depository Financial Institution (RDFI).

Is it really that “No One Cares (NOC),” or is it simply that Originators are not aware of their responsibilities or are unable to determine what changes need to be made? Further, could it be the issue being compounded because ODFIs just aren’t monitoring Originator responses?

If you need help evaluating or finding ways to improve your NOC process, please reach out by contacting Member Support at 800.500.0100 or memserve@epcor.org. Our staff of payments experts is always happy to hear from you, and our Advisory Services might be just what you are looking for.