ACH Risk Management
Findings from the Field
Jen Wasmund, AAP, CTP, NCP
Vice President, Education & Consulting
UMACHA
Andy Barlow, AAP, NCP
Executive Vice President
WACHA
Disclaimer
o Regional Payments Associations, through their Direct Membership in NACHA, are specially recognized and licensed providers of ACH education, publications and support. Regional Payments Associations are directly engaged in the NACHA rulemaking process and Accredited ACH Professional (AAP) program.
o NACHA owns the copyright for the NACHA Operating Rules & Guidelines. The Accredited ACH Professional (AAP) is a service mark of NACHA.
o This presentation and applicable materials are intended for general education purposes and nothing in this presentation should be considered to be legal, accounting or tax advice.
o You should contact your own attorney, accountant or tax professional with any specific questions you might have related to this presentation that are of a legal, accounting or tax nature.
Navigating Payments 2017 2
Agenda
o ACH Risk Management in General
• What do we have to do?
• How do we get there?
o Real-life Scenarios from the Field
o Wrap-up
o Questions
How Do We Get There?
o Know what your pain points are
• Financial loss or fines
• Exam exceptions
• Reputation damage
o Evaluate the risk vs. reward payoff and probabilities
o Build an ongoing management program to close gaps where the risk is too great for your FI’s appetite
How Do We Get There?
o ACH Policy
• Approved by the Board of Directors
• Framework of overall program
o Procedures
• Daily operational guides
• Promotes consistency within risk tolerances
o Reporting
• Results requested by Board of Directors
• Anomalies, exceptions, losses
How Do We Get There?
o Risk-based audit programs
• Established risk tolerances and policies may provide guidance for a more targeted ACH audit program
• With the large number of Rules which should be audited, a risk-based audit program can help determine appropriate focus and scope
• Ongoing discussions with NACHA and the RPAs on how to improve the ACH Audit model
Real-Life Scenarios from the Field
o Board Reporting: Do we have to?
o RDC Risks: Not ACH, but close enough…
o Cross-Channel Risk: It’s a bird, it’s a plane, it’s… what is it?
o Policy and Procedures: Where am I supposed to start?
o Regulatory Alphabet Soup: What letters keep floating to the top?
o Strategic Planning: What would you say you do here?
o Faster Payments: What’s the plan?
Board Reporting—do we have to?
o In short…yes, you do
o However, not required by the NACHA Operating Rules
o Regulatory guidance says yes, this should occur
o What, how much and how often is entirely up to your organization
Board Reporting: Risk and Controls
o Strategic risk
o Operational risk
• Errors in processing
• Losses incurred
o Credit risk
• Changes in volumes or velocity
o Ask them what they want
o Determine frequency and audience; may be a committee appointed by Board
o Revisit on occasion
o Ensure accurate and consistent information to spot trends over time
RDC Risks—not ACH but close enough…
o Not ACH, but an important part of your overall payments programs
o Over how many different products or channels do you use a remote deposit capture function?
• Who owns these at your organization?
• Do you handle mobile versus desktop channels differently – if so, does the left hand talk to the right hand?
RDC: Risks and Controls
o Compliance/Legal risk
• Regulation CC
o Strategic risk
o Cross-channel risk
o Fraud risks
o Operational risk
o RDC Risk Assessments
o Limits
o Policies and procedures
o Underwriting or user approval standards
o Training and agreements
o Duplicate detection
Cross-Channel Risk—it’s a bird, it’s a plane…what is it?
o Are you watching for changes in activity and patterns across multiple payment systems?
• ACH
• RDC / image exchange, including differences between mobile and traditional
• Remotely Created Checks
• Wires
o Forward and return volumes may tell you a lot
Cross-Channel: Risks and Controls
o Credit risk
• Are changes indicators of new financial condition?
o Fraud risk
• Access to data or payments
o Strategic risk
o Is there a manual process?
o Automated tools (look at what BSA is doing)
o Activity review schedules – can they be combined?
Policy and Procedures—where am I supposed to start?
o Rules do not require a policy or procedures
• Regulators quite likely will
o May take time to do right
o Policy = framework for Board of Directors, procedures = day-to-day details
o Frequency of review or update?
Policy and Procedures: Risks and Controls
o Operational risk
• Business continuity
• Training
o Reputational risk
o Compliance risk
o Say what you do and do what you say
o Document policy exceptions
o Test procedures
o Build process to update procedures as needed
Strategic Planning—what would you say you do here?
o Does your organization have a strategic plan?
• Does it include payments?
• If not, do you want to keep driving through ACH and payments without a roadmap?
o Strategies can start small and grow with the FI as needs change
Strategic Planning: Risks and Controls
o Strategic risk
o Reputational risk
o Compliance/legal risk
o Proactive vs. reactive
o Know your market(s)
o May drive pricing
o Could tie back to board reporting and help shape important metrics to track
Regulatory Alphabet Soup—what letters keep floating to the top?
o You cannot comply with what you do not know
o How do you know what applies to your ACH and payments program?
• How are you staying aware of changes to these sources at the federal, state and/or private sector levels?
Regulations: Risks and Controls
o Compliance/Legal risk
• Non-compliance with Rules or regulations
o Reputational risk
o Operational risk
o Training, training, training
o Monitor regulatory notices
o Determine what downstream impacts may exist (operations, account or product agreements, etc.)
Faster Payments—what’s the plan?
o So much information – when do I need to get in the game, if at all?
o How can you know if faster payments options are right for you without that strategic planning function?
Faster Payments: Risks and Controls
o Strategic risk
• Don’t get left behind
o Fraud risk
o Operational risk
o Compliance/Legal risk
• Systems may have their own new rules
o Start the conversation now
o Talk to your service providers
o Know the differences between products and the new RTP rail
o Space for all systems