Don’t Get Left on the Hook for TPS Non-Compliance

Amy Donaghue

By: Tricia Longo, AAP, NCP, Senior Manager, Audit Services


As EPCOR auditors conduct annual ACH compliance audits, Third-Party Senders (TPS) are sometimes discovered that the financial institution doesn’t even know about. Whether your financial institution has identified the TPSs yourself, or an auditor has identified them, Originating Depository Financial Institutions (ODFIs) are required to register with Nacha whether they do or do not have any TPSs. But is that the end of the story? Do you think your TPSs fully understand the role they play in the ACH Network?

You are encouraged to educate your TPSs to ensure compliance with ACH Rules and applicable payments-related laws and regulations; after all, the Rules state ODFIs warrant that “each entry transmitted by the ODFI to an ACH Operator is in accordance with proper authorization provided by the Originator and the Receiver.” This warranty is intended to impose strict liability on the ODFI if a debit entry is unauthorized or otherwise outside of Rules compliance. In other words, YOU’RE the one on the hook if your TPSs don’t fully understand the role they play in the ACH Network.

Third-Party Sender Acts as an ODFI

Every TPS takes on a limited role and acts like an ODFI. Because of this, there are requirements that each TPS should be meeting to comply with the Rules. Here a few questions you should be getting answers to:

  • Has an annual ACH Rules Compliance Audit been conducted for each of the last six years and can proof of completion be provided for each audit?
  • What kind of due diligence is the TPS conducting to identify Originators? Does this comply with your financial institution’s standards? Are there types of businesses your financial institution has identified as high risk that your TPS has accepted as Originators? Are any of the TPSs’ clients also TPSs? How is OFAC screening of the Originators being completed and documented by the TPS?
  • Has an agreement been executed between the TPS and the Originator that binds the Originator to the Rules? And does the TPS/Originator agreement contain all of the provisions of Subsection (ODFI Must Enter Into Origination Agreement with Originator)?
  • What kind of education does the TPS provide to Originators regarding their obligations? And does the TPS educate their Originators regarding ACH Rules changes that impact them?
  • Has the TPS reviewed Authorization forms and Notices used by their Originators to confirm compliance with the Rules? And has the TPS confirmed that the Originators can provide copies of Authorization timely upon request?
  • Has the TPS established exposure limits and SEC Code processing limitations with each Originator?
  • Are returns and NOCs being monitored for each Originator?

Are staff employed by the TPS knowledgeable about ACH processing and understand the risks involved with ACH transactions? What about security?

Third-Party Senders must make sure all personal banking information received is stored securely.

  • How does your TPS receive and store personal banking information?
  • How are Originators providing ACH Files to the Third-Party Sender? Are they being transmitted via a secure connection?
  • How are Receiver authorizations being obtained and stored?
  • Are computers that are being used for ACH processing updated regularly with anti-virus protection and checked regularly for malware?
  • Does the TPS verify that Originators meet the enhanced data security requirements and encrypt data at rest when required by the Rules?
  • How does the TPS ensure compliance with any other security regulations where applicable (i.e. HIPAA)?
  • Does the TPS verify that a WEB security audit was conducted by Originators that process WEB Entries?

Having TPSs doesn’t have to be a scary adventure. By having appropriate staff in place, utilizing proper due diligence methods and educating your TPSs and staff, your financial institution can manage these relationships and the risks they represent successfully.

Maintaining Your Third-Party Sender Relationships

TPS registration serves as a means to help improve quality in the ACH Network. Registration will promote consistent client due diligence among all ODFIs and serve as a tool to support Nacha’s continuing efforts to maintain ACH Network quality. Maintaining these relationships is just as important. Using the same way they were initially registered, through Nacha’s Risk Management Portal, you would need to update any changes including termination of any TPS relationship.

Remember that EPCOR is your resource in all things payments compliance related. Staff from our Member Support and Advisory teams are all on hand to answer your questions and help you navigate the risk management process. Check out our Third-Party Sender Services and Resources or, if you’re ready to get your service on our calendar, or you are curious on what service is right for your organization, email us at advisory@epcor.org today.