A Deeper Examination of Automated Clearing House Exam Findings

All banks and credit unions are required to complete an annual Automated Clearing House (ACH) exam by the end of the calendar year. The exam includes a review of the institution’s adherence to the  National Automated Clearing House Association’s (NACHA) ACH rules and guidelines. 

In this blog article, the experts at The Whitlock Co. review the top findings for ACH exams and how they can impact your business. 

Related Post: Risk Management With Third-Party Vendors

Risk Management and Origination 

When financial institutions allow the origination of ACH Entries and act as an originating depository financial institution (ODFI), there is inherently a greater level of credit risk associated. 

A few of the typical  findings we have noted in this area relate to: 

  • Origination agreements are missing specific required language, missing signatures, or the agreement is missing entirely. 
  • Exposure limits are not being formally established and reviewed. 
  • Exposure limits are not consistent throughout all origination materials (agreement, annual review, and online banking system). 
  • Process and procedures in place for the monitoring of ACH activity (origination totals and returns) across multiple settlement dates. 

The Origination Agreement is acting as the contract between the financial institution and the customer,  so these findings not only are in violation of NACHA Operating Rules Subsection 2.2.2, but they also open the bank up to unnecessary loss allowing a customer to originate into the ACH network without a valid contract on file. Because of the effect offering origination services has on an institution’s credit risk, it is also very important for banks to adhere to NACHA Operating Rules Subsection 2.2.3 as it relates to exposure limits and monitoring origination activity. 

Stop Payments and Written Statements of Unauthorized Debits 

Each year most financial institutions have findings related to stop payments, Written Statements of  Unauthorized Debit (WSUD) forms, and proper return codes being utilized. This is typically due to system capabilities and limitations, human error of employees, and overall training and reinforcement of the specific NACHA Operating Rules that govern these areas. 

Typical findings we note are outlined below: 

  • Consumer stop payments expiring earlier than prescribed by NACHA Operating Rules. 
  • Non-consumer stop payment forms not accurately reflecting the expiration date when signed by the customer. 
  • One-time stop payments are not being removed from the system timely after the payment has been returned. 
  • WSUD forms are not being obtained prior to sending an unauthorized return. 
  • Inaccurate or incomplete WSUD forms are being accepted. 
  • Incorrect return reason codes being utilized for unauthorized returns: 
    • R10 Authorization Revoked return utilized when the R05 Unauthorized Debit to a  Consumer Account using a Corporate SEC code would have been appropriate. 
    • R05 Unauthorized Debit to a Consumer Account using a Corporate SEC code or R10  Authorization Revoked return code utilized when the R29 Corporate Customer Advises Not Authorized return code should have been used.
    • General improper use of the newly repurposed return code R11 Customer Advises Entry  Not in Accordance With the Terms of the Authorization. 

Although the Rules do not require the Return Reason Codes to be listed on the WSUD, it is generally considered best practice to include them. There is a high correlation between the incorrect Return  Reason Code being utilized and whether the codes are outlined on the form. 

Consistently year after year, most of our findings come in these areas. We highly encourage every financial institution to invest in employee training, specifically in this area. 

Return of Federal Government Payments 

Another area of emphasis for financial institutions should be the effectiveness of their processes and procedures surrounding notation, monitoring, and returning post-death benefit payments as soon as they are aware of the recipient’s death. While most banks have procedures in place related to death notifications and post-death benefit returns, we have noted many findings related to a breakdown of  

the bank’s typical process. 

We have noted banks missing a flag or notation on the customer’s account, not properly reviewing the account, or failing to monitor the account in the months following the notification of death. Promptly returning post-death payments once notified of a recipient’s death is incredibly important in limiting the bank’s risk of loss. 

Recent Rule Updates 

It is increasingly important to have all ACH personnel up to date on their NACHA training each year, especially as it relates to new and upcoming rule changes.  

  • Is your financial institution adhering to the Meaningful Modernization Rules that took effect on  September 17, 2021? 
    • Has the bank reviewed their internal debit authorization forms for ACH entries processed on their own behalf to ensure they have all the required language? 
    • Has the bank trained and educated originators on the new debit authorization requirements and performed tests to ensure they are meeting the requirements?
  • Third-Party Senders Roles and Responsibilities: 
    • Has the bank evaluated its originators and third-party senders to ensure they do not meet the definition of a nested third-party sender? 
    • Has the bank discussed with third-party senders the new requirement regarding annual risk assessments? 

Related Post: Cybersecurity Statistics & Risks for Banks

Contact Our Accounting Firm for Help With Your Community Bank

It can be difficult to know what to review in an ACH exam, as well as navigating the complex and ever-changing NACHA rules. Take the pressure off and contact the community banking experts at The  Whitlock Co. and request a consultation for your ACH exam needs today. Expect more from your advisor.


Filter by Category