Advice from an Auditor: Originator Risk Reviews

Amy Donaghue

By: Amy Donaghue, AAP, APRP, NCP, Director, Advisory Services – Risk & Third-Party Services

We all know the expectations of the ACH Rules to establish, implement and periodically review an Originator or Third-Party Sender’s exposure limit. But, does the expectation end there as it relates to ODFI Risk Management? The answer is no. These actions are only a portion of the intent of Article Two, Subsection 2.2.3, ODFI Risk Management of the ACH Rules. The Rule further states the ODFI is required to perform due diligence sufficient to form a reasonable belief that the Originator or Third-Party Sender can perform their obligations to comply with the Rules.

This process should include assessing the nature of the Originator or Third-Party Sender’s ACH activity and the risks it presents. Here are a few things to take into consideration.

The Type of Participant: Originator or Third-Party Sender

Several different risk management practices should be considered depending on the type of participant to whom the ODFI is providing origination services. By nature, the structure of a Third-Party Sender relationship adds additional risk factors. The primary difference between this type of relationship and the typical ODFI/Origination relationship is that the ODFI does not have a relationship with the underlying Originator that the Third-Party Sender is servicing. Although the ODFI has heightened risk by providing services to a Third-Party Sender, the relationship can be pleasant and primarily uneventful from onset, if the ODFI develops sound risk management practices.

Standard Entry Class (SEC) Codes Being Used

More advanced SEC codes have additional warranties, such as record retention requirements, special authorizations and Originator disclosure requirements.

The Purpose of the Origination Activities

The value of a transaction to the Receiver is a driving force behind the potential for the entry to be posted by the RDFI and then accepted by a Receiver. An RDFI will go to greater lengths to post credit entries prior to debit entries, or to determine a valid account number if the credit entry rejects during the non-post process. Receivers are less apt to claim their utility bill is unauthorized versus a debit entry from a payday lender.

Transaction Types: Credit and/or Debit

Credit risk concerns vary depending on whether transactions are credit entries or debit entries. The type of transaction impacts the length of time the ODFI will be exposed to credit risk.

Receiver Relationship: Consumer or Corporate

Different rules and regulations will apply depending on the type of Receiver.

Please know this is not an all-inclusive list of what should be taken into consideration as you conduct Originator Risk Reviews. However, these items will help you get a better understanding of your relationship with the Originator or Third-Party Sender and the associated risk. A one-size-fits-all approach to a financial institution’s ODFI Risk Management program is not sufficient for an effective risk management process. The ACH Rules expect more, and the examiners certainly expect more.

ODFIs must ensure that they have thoroughly evaluated the risks and potential liabilities or Originator relationships and have a robust Originator Risk Management program that takes the added complexities of individual Originators or Third-Party Senders into consideration. To reduce and manage risk to the financial institution and to protect all parties, the financial institution should take the necessary steps to ensure it has adequate processes and controls in place to minimize the risks. The ODFI will need to determine the level of sophistication necessary for controls to implement based on the ACH origination program and including consideration of the Origination or Third-Party Sender receiving services.

Want another set of eyes on your risk management or any other area of your organization? Consider booking a service with our Advisory team for 2022! Whether you need an Audit, Risk Assessment, Third-Party Service or anything else on your list, our payments experts are extremely knowledgeable and ready to assist your organization in anything you need to succeed. Or, if you still need to cross your audit or risk assessment off your list for 2021, consider utilizing our ACH Audit Workbook or ACH Risk Assessment Workbook (which are also available in a discounted bundle) to assist you through the process.