ODFI Risk Management: Exposure Limits and Prefunding

Liz Cone

by Liz Cone, AAP, APRP, Manager, Audit Services

Each ODFI takes on quite a bit of risk when offering ACH origination services to its account holders. Whether you’ve offered this service for years and have thousands of Originators or Third-Party Senders utilizing this service, or if you are only considering offering the service to your clients or members, it’s always good to review what the ACH Rules say about risk and how to mitigate risk.

Article Two, Subsection 2.2.3 of the ACH Rules requires ODFIs (as well as Third-Party Senders) to establish, implement, enforce and periodically review an exposure limit for each Originator. You might say, “But Liz, we require prefunding for our credit Originators, so we don’t have to establish an exposure limit.” While prefunding is an effective tool to use to ensure the funds will be available for the offsetting settlement and managing the risk of originating ACH Entries, the ACH Rules do not allow for an exception to exposure limit requirements.

Establishing an Exposure Limit

In order to establish an appropriate exposure limit for each Originator, there should be clear policies and procedures in place for staff to follow. Many financial institutions establish exposure limits by mirroring the criteria for granting an unsecured loan within the Credit/Loan Policy. This is a common practice, but it never hurts to make sure there is language addressing ACH exposure limits within the Credit/Loan Policy. A financial institution or Third-Party Sender’s policy for establishing exposure limits may also be found within the ACH Management Policy. Regardless of which policy addresses exposure limits, the method used to determine the limit should be included.

An ODFI or Third-Party Sender should consider the aggregate exposure across all cash management products (i.e., ACH, wire, RDC, etc.) when establishing an exposure limit. It’s also important to keep in mind that the exposure limit should be commensurate with the ACH activity for each Originator. In other words, an Originator that only sends credit Entries into the ACH Network that do not exceed $5,000.00 a month should not have a $50,000.00 monthly limit, nor should the Originator be granted debit authority.

Monitoring and Reviewing Exposure Limits

Ok, the exposure limit has been established, now what do you do? The ACH Rules require the ODFI or Third-Party Sender to actively measure or monitor exposure limits as a part of daily operations when processing ACH Files on behalf of its Originators. This means there should also be procedures in place for handling situations when the Originator has submitted an ACH File that exceeds the established limit. As a best practice, exceptions should be documented along with the action taken. If an exception has been approved, the name of the approver should be documented as well.

The exposure limit for each Originator or Third-Party Sender should be reviewed periodically. The ACH Rules do not define “periodically,” since it can vary for each ODFI. As a best practice, an ODFI or Third-Party Sender with fewer than 200 Originators should be reviewing the established limits on an annual basis. ODFIs and Third-Party Senders with greater than 200 Originators could probably get away with reviewing established limits every 18-24 months.

When reviewing the established limits, it is considered an industry best practice to consider the number of times the Originator or Third-Party Sender exceeded the limit since the last review was conducted (this is when the previously mentioned documentation of the exception will come in handy), whether the amount of the submitted ACH Files is approaching the established limit or if the limit may be set too high, as well as the Return Rates for that particular Originator or Third-Party Sender.

Placing a Hold on the Funds vs. True Prefunding

Now that you have established appropriate exposure limits and procedures are in place for monitoring and reviewing the established exposure limits, let’s discuss prefunding in a little more depth. Let’s say you notice there are a couple of your Originators or Third-Party Senders submitting ACH credit Files whose offsetting debit cannot settle because the funds are not available in the funding account. This has happened on multiple instances, and you need to come up with a plan to help mitigate some of the credit risk.

Prefunding is a technique that is often used by ODFIs and Third-Party Senders. As mentioned previously, prefunding is a risk mitigation tool that can be used by ODFIs to limit the credit risk associated with ACH origination by debiting the Originator’s or Third-Party Sender’s funding account prior to releasing ACH credits. Often, an ODFI may place a hold on the funding account for the amount of the credit File. However, this is not considered a true prefunding situation. To truly utilize prefunding the way it was intended, the funds would be debited from the Originator’s or Third-Party Sender’s funding account and held in the ODFI’s settlement account prior to the credit File being approved and released by the ODFI.

While ACH Origination is a service offered to your account holders and has the potential to generate a profit for the ODFI, it also poses increased risk to the ODFI and Third-Party Sender. Although certain risk management protocols are required by the ACH Rules, ODFIs and Third-Party Senders should implement controls to mitigate the risks each Originator presents, which always includes establishing exposure limits and may include requiring prefunding.

Need to Borrow a Fresh Set of 👀 Eyeballs 👀?

Sometimes it’s hard to see what’s right in front of you! Call on our accredited payments experts to take a fresh look at your Origination services and the risks that may be lurking within. We can help by conducting your ACH Compliance Audit or ACH Risk Assessment or provide more hands-on consulting services to take a deeper look into a specific area such as your Origination agreements and exposure limits! Contact us for a no-obligation quote.