ACH Risk Management Findings from the Field Jen Wasmund, AAP, CTP, NCP Vice President, Education & Consulting UMACHA Andy Barlow, AAP, NCP Executive Vice President WACHA

Post on 19-Mar-2018

ACH Risk Management

Findings from the Field

Jen Wasmund, AAP, CTP, NCP

Vice President, Education & Consulting

UMACHA

Andy Barlow, AAP, NCP

Executive Vice President

WACHA

Disclaimer

o Regional Payments Associations, through their Direct Membership in NACHA, are specially recognized and licensed providers of ACH education, publications and support. Regional Payments Associations are directly engaged in the NACHA rulemaking process and Accredited ACH Professional (AAP) program.

o NACHA owns the copyright for the NACHA Operating Rules & Guidelines. The Accredited ACH Professional (AAP) is a service mark of NACHA.

o This presentation and applicable materials are intended for general education purposes and nothing in this presentation should be considered to be legal, accounting or tax advice.

o You should contact your own attorney, accountant or tax professional with any specific questions you might have related to this presentation that are of a legal, accounting or tax nature.

Navigating Payments 2017 2

Agenda

o ACH Risk Management in General

• What do we have to do?

• How do we get there?

o Real-life Scenarios from the Field

o Wrap-up

o Questions

ACH Risk Management

General Overview

What Do We Have to Do?

o Determine your risk tolerance and appetite

How Do We Get There?

o Know what your pain points are

• Financial loss or fines

• Exam exceptions

• Reputation damage

o Evaluate the risk vs. reward payoff and probabilities

o Build an ongoing management program to close gaps where the risk is too great for your FI’s appetite

How Do We Get There?

o ACH Policy

• Approved by the Board of Directors

• Framework of overall program

o Procedures

• Daily operational guides

• Promotes consistency within risk tolerances

o Reporting

• Results requested by Board of Directors

• Anomalies, exceptions, losses

How Do We Get There?

o Risk-based audit programs

• Established risk tolerances and policies may provide guidance for a more targeted ACH audit program

• With the large number of Rules which should be audited, a risk-based audit program can help determine appropriate focus and scope

• Ongoing discussions with NACHA and the RPAs on how to improve the ACH Audit model

Where does your organization fall?

[Figure: axes labeled REWARD and RISK]

Real-Life Scenarios

How Each Organization Creates a Different Approach

Real-Life Scenarios from the Field

o Board Reporting: Do we have to?

o RDC Risks: Not ACH, but close enough…

o Cross-Channel Risk: It’s a bird, it’s a plane, it’s… what is it?

o Policy and Procedures: Where am I supposed to start?

o Regulatory Alphabet Soup: What letters keep floating to the top?

o Strategic Planning: What would you say you do here?

o Faster Payments: What’s the plan?

Board Reporting—do we have to?

o In short…yes, you do

o However, not required by the NACHA Operating Rules

o Regulatory guidance says yes, this should occur

o What, how much and how often is entirely up to your organization

Board Reporting: Risk and Controls

Risks

o Strategic risk

o Operational risk

• Errors in processing

• Losses incurred

o Credit risk

• Changes in volumes or velocity

Controls

o Ask them what they want

o Determine frequency and audience; may be a committee appointed by Board

o Revisit on occasion

o Ensure accurate and consistent information to spot trends over time

RDC Risks—not ACH but close enough…

o Not ACH, but an important part of your overall payments programs

o Over how many different products or channels do you use a remote deposit capture function?

• Who owns these at your organization?

• Do you handle mobile versus desktop channels differently – if so, does the left hand talk to the right hand?

RDC: Risks and Controls

Risks

o Compliance/Legal risk

• Regulation CC

o Strategic risk

o Cross-channel risk

o Fraud risks

o Operational risk

Controls

o RDC Risk Assessments

o Limits

o Policies and procedures

o Underwriting or user approval standards

o Training and agreements

o Duplicate detection

Cross-Channel Risk—it’s a bird, it’s a plane…what is it?

o Are you watching for changes in activity and patterns across multiple payment systems?

• ACH

• RDC / image exchange, including differences between mobile and traditional

• Remotely Created Checks

• Wires

o Forward and return volumes may tell you a lot

Cross-Channel: Risks and Controls

Risks

o Credit risk

• Are changes indicators of new financial condition?

o Fraud risk

• Access to data or payments

o Strategic risk

Controls

o Is there a manual process?

o Automated tools (look at what BSA is doing)

o Activity review schedules – can they be combined?

Policy and Procedures—where am I supposed to start?

o Rules do not require a policy or procedures

• Regulators quite likely will

o May take time to do right

o Policy = framework for Board of Directors, procedures = day-to-day details

o Frequency of review or update?

Policy and Procedures: Risks and Controls

Risks

o Operational risk

• Business continuity

• Training

o Reputational risk

o Compliance risk

Controls

o Say what you do and do what you say

o Document policy exceptions

o Test procedures

o Build process to update procedures as needed

Strategic Planning—what would you say you do here?

o Does your organization have a strategic plan?

• Does it include payments?

• If not, do you want to keep driving through ACH and payments without a roadmap?

o Strategies can start small and grow with the FI as needs change

Strategic Planning: Risks and Controls

Risks

o Strategic risk

o Reputational risk

o Compliance/legal risk

Controls

o Proactive vs. reactive

o Know your market(s)

o May drive pricing

o Could tie back to board reporting and help shape important metrics to track

Regulatory Alphabet Soup—what letters keep floating to the top?

o You cannot comply with what you do not know

o How do you know what applies to your ACH and payments program?

• How are you staying aware of changes to these sources at the federal, state and/or private sector levels?

Regulations: Risks and Controls

Risks

o Compliance/Legal risk

• Non-compliance with Rules or regulations

o Reputational risk

o Operational risk

Controls

o Training, training, training

o Monitor regulatory notices

o Determine what downstream impacts may exist (operations, account or product agreements, etc.)

Faster Payments—what’s the plan?

o So much information – when do I need to get in the game, if at all?

o How can you know if faster payments options are right for you without that strategic planning function?

Faster Payments: Risks and Controls

Risks

o Strategic risk

• Don’t get left behind

o Fraud risk

o Operational risk

o Compliance/Legal risk

• Systems may have their own new rules

Controls

o Start the conversation now

o Talk to your service providers

o Know the differences between products and the new RTP rail

o Space for all systems

Where does your organization fall?

[Figure: axes labeled REWARD and RISK]

Questions?

Thank you!
