Risky Business: Payments Edition

Amy Donaghue

By: Jennifer Kline, AAP, APRP, NCP, Director, Audit Services

“Risk comes from not knowing what you're doing.” – Warren Buffett

Financial institutions are in the business of managing risk, just like many other businesses. Additionally, all business activities have elements of risk associated with daily operations, which is why every financial institution needs to conduct risk assessments.

You may be asking – what exactly is involved in conducting a risk assessment? Doesn’t our annual ACH Compliance Audit already verify our compliance with the ACH Rules? Why do we need a risk assessment too? Should risk assessments be conducted for other payment systems outside of ACH?

We’re asked these questions often. Let’s start with the difference between an audit and a risk assessment. The simplest way to differentiate these two important tools is to understand that while your annual audit looks to the past, a risk assessment looks forward. ACH audits can shine light on areas to concentrate on, such as staff education, processes and written procedures. Risk assessments help define elements of weakness that need to be addressed, in areas such as policies, system enhancements and board/management reporting. The ACH Rules currently require that financial institutions conduct ACH risk assessments. And, effective September 30, 2022, Subsection 1.2.4, Risk Assessments, of the ACH Rules will require Third-Party Senders to conduct risk assessments of their ACH activities.

However, risk assessments shouldn’t be used only for an organization’s ACH functions, but for other systems as well. So, when is a good time to complete a risk assessment? Here are just a few examples of when a risk assessment would be beneficial to your organization:

  • Before rolling out a new payment offering, like Zelle, a P2P service, RTP® or FedNow℠
  • Before merging with another financial institution
  • Before onboarding with a new core processor
  • Before partnering with a new Third-Party Service Provider/Vendor
  • After critical staff turnover impacting your payments area
  • After significant changes to key policies, processes, procedures and practices
  • If it’s been more than 24 months since your last one

If you’re interested in completing a risk assessment, reach out to EPCOR’s experts, who have the accreditations that are most relevant and impactful in the payments industry, such as AAP, APRP, NCP, CPA, CRCM and CIA. We’ve been acknowledged by examiners for our thorough reporting, and our risk-based approach goes above and beyond a bare-bones assessment. We leave you with best practices and actionable guidance to help you mitigate risks. And our expertise is always only a phone call away – before and after your service! For a free, no-obligation quote, fill out our service request form. Or, if you have questions, feel free to reach out via email at advisory@epcor.org or call our Member Support team at 800.500.0100.