Federal Financial Institutions Examination Council Bank Secrecy Act/Anti-Money Laundering InfoBase

Bank Secrecy Act
Anti-Money Laundering
Examination Manual


Automated Clearing House Transactions—Overview

 

Objective. Assess the adequacy of the bank’s systems to manage the risks associated with automated clearing house (ACH) transactions and management’s ability to implement effective monitoring and reporting systems.

The use of the ACH is growing rapidly due to the increased volume of electronic check conversion[168] and one-time ACH debits, reflecting the lower cost of ACH processing relative to check processing.[169] Check conversion transactions, as well as one-time ACH debits, are primarily low-dollar value, consumer transactions for the purchases of goods and services or the payment of consumer bills. The Federal Reserve Banks’ FedACH system[170] is almost exclusively used for domestic payments, but can accommodate cross-border payments to Canada, Mexico, and some countries in Europe.

In September 2006, the Office of the Comptroller of the Currency issued guidance titled Automated Clearinghouse Activities — Risk Management Guidance. The document provides guidance on managing the risks of ACH activity. Banks may be exposed to a variety of risks when originating, receiving, or processing ACH transactions, or outsourcing these activities to a third party.[171]

ACH Payment Systems

Traditionally, the ACH system has been used for the direct deposit of payroll and government benefit payments and for the direct payment of mortgages and loans. As noted earlier, the ACH has been expanding to include one-time debits and check conversion. ACH transactions are payment instructions to either credit or debit a deposit account. Examples of credit payment transactions include payroll direct deposit, Social Security, dividends, and interest payments. Examples of debit transactions include mortgage, loan, insurance premium, and a variety of other consumer payments initiated through merchants or businesses.

In general, an ACH transaction is a batch-processed, value-dated, electronic funds transfer between an originating and a receiving bank. An ACH credit transaction is originated by the accountholder sending funds (payer), while an ACH debit transaction is originated by the accountholder receiving funds (payee). Within the ACH system, these participants and users are known by the following terms:

  • Originator. An organization or person that initiates an ACH transaction either as a debit or credit.
  • Originating Depository Financial Institution (ODFI). The Originator’s depository financial institution that forwards the ACH transaction into the national ACH network through an ACH Operator.
  • ACH Operator. An ACH Operator processes all ACH transactions that flow between different depository financial institutions. An ACH Operator serves as a central clearing facility that receives entries from the ODFIs and distributes the entries to the appropriate Receiving Depository Financial Institution. There are currently two ACH Operators: FedACH and Electronic Payments Network (EPN).
  • Receiving Depository Financial Institution (RDFI). The Receiver’s depository institution that receives the ACH transaction from the ACH Operators and credits or debits funds from their receivers’ accounts.
  • Receiver. An organization or person that authorizes the Originator to initiate an ACH transaction, either as a debit or credit to an account.

Third-Party Service Providers

A third-party service provider (TPSP) is an entity other than an Originator, ODFI, or RDFI that performs any functions on behalf of the Originator, the ODFI, or the RDFI with respect to the processing of ACH entries.[172] The National Automated Clearing House Association – The Electronic Payments Association (NACHA) Operating Rules define TPSPs and relevant subsets of TPSPs that include "Third-Party Senders" and "Sending Points."[173] The functions of these TPSPs can include, but are not limited to, the creation of ACH files on behalf of the Originator or ODFI, or acting as a sending point of an ODFI (or receiving point on behalf of an RDFI).

Risk Factors

The ACH system was designed to transfer a high volume of low-dollar domestic transactions, which pose lower BSA/AML risks. Nevertheless, the ability to send high-dollar and international transactions through the ACH may expose banks to higher BSA/AML risks. Banks without a robust BSA/AML monitoring system may be exposed to additional risk particularly when accounts are opened over the Internet without face-to-face contact.

ACH transactions that are originated through a TPSP (that is, where the Originator is not a direct customer of the ODFI) may increase BSA/AML risks, therefore making it difficult for an ODFI to underwrite and review Originator transactions for compliance with BSA/AML rules.[174] Risks are heightened when neither the TPSP nor the ODFI performs due diligence on the companies for whom they are originating payments.

Certain ACH transactions, such as those originated through the Internet or the telephone, may be susceptible to manipulation and fraudulent use. Certain practices associated with how the banking industry processes ACH transactions may expose banks to BSA/AML risks. These practices include:

  • An ODFI authorizing a TPSP to send ACH files directly to an ACH Operator, in essence bypassing the ODFI.
  • ODFIs and RDFIs relying on each other to perform adequate due diligence on their customers.
  • Because ACH processing is highly efficient and more automated than individual funds transfers, there are fewer opportunities for human review of individual transactions.

Risk Mitigation

The BSA requires banks to have BSA/AML compliance programs and appropriate policies, procedures, and processes in place to monitor and identify unusual activity, including ACH transactions. Obtaining customer due diligence (CDD) information is an important mitigant of BSA/AML risk in ACH transactions. Because of the nature of ACH transactions and the reliance that ODFIs and RDFIs place on each other for OFAC reviews and other necessary due diligence information, it is essential that all parties have a strong CDD program for regular ACH customers. For relationships with TPSPs, CDD on the TPSP can be supplemented with due diligence on the principals associated with the TPSP and, as necessary, on the originators. Adequate and effective CDD policies, procedures, and processes are critical in detecting a pattern of unusual and suspicious activities because the individual ACH transactions are typically not reviewed. Equally important is an effective risk-based suspicious activity monitoring and reporting system. In cases where a bank is heavily reliant upon the TPSP, a bank may want to review the TPSP’s suspicious activity monitoring and reporting program, either through its own or an independent inspection. The ODFI may establish an agreement with the TPSP, which delineates general TPSP guidelines, such as compliance with ACH operating requirements and responsibilities and meeting other applicable state and federal regulations. Banks may need to consider controls to restrict or refuse ACH services to potential originators engaged in questionable or deceptive business practices.

ACH transactions can be used in the layering and integration stages of money laundering. Detecting unusual activity in the layering and integration stages can be a difficult task, because ACH may be used to legitimize frequent and recurring transactions. Banks should consider the layering and integration stages of money laundering when evaluating or assessing the ACH transaction risks of a particular customer.

The ODFI may need to more closely scrutinize transaction details for international ACH. The ODFI, if frequently involved in international ACH, may develop a separate process for reviewing international ACH transactions that minimizes disruption to general ACH processing, reconcilement, and settlement.

OFAC Screening

All parties to an ACH transaction are subject to the requirements of OFAC. (Refer to core overview section, "Office of Foreign Assets Control," page 137, for additional guidance.) OFAC has clarified the application of its rules for domestic and cross-border ACH transactions and is working with industry to provide more detailed guidance on cross-border ACH.[175]

With respect to domestic ACH transactions, the ODFI is responsible for verifying that the Originator is not a blocked party and making a good faith effort to ascertain that the Originator is not transmitting blocked funds. The RDFI similarly is responsible for verifying that the Receiver is not a blocked party. In this way, the ODFI and the RDFI are relying on each other for compliance with OFAC policies. If an ODFI receives ACH transactions that its customer has already batched, the ODFI is not responsible for unbatching those transactions to ensure that no transactions violate OFAC’s regulations.

If an ODFI unbatches a file originally received from the Originator in order to process "on-us" transactions, that ODFI is responsible for the OFAC compliance for the on-us transactions because it is acting as both the ODFI and the RDFI for those transactions. ODFIs acting in this capacity should already know their customers for the purposes of OFAC and other regulatory requirements. For the residual unbatched transactions in the file that are not "on-us," as well as those situations where banks deal with unbatched ACH records for reasons other than to strip out the on-us transactions, banks should determine the level of their OFAC risk and develop appropriate policies, procedures, and processes to address the associated risks. Such mitigating policies might involve screening each unbatched ACH record. Similarly, banks that have relationships with third-party service providers should assess the nature of those relationships and their related ACH transactions to ascertain the bank’s level of OFAC risk and to develop appropriate policies, procedures, and processes to mitigate that risk.

With respect to OFAC screening, similar but somewhat more stringent OFAC obligations hold for cross-border ACH transactions. In the case of inbound cross-border ACH transactions, an RDFI is responsible for compliance with OFAC requirements. For outbound cross-border ACH transactions, however, the ODFI cannot rely on OFAC screening by an RDFI outside of the United States. In these situations, the ODFI must exercise increased diligence to ensure that illegal transactions are not processed. Additional information on the types of retail payment systems (ACH payment systems) is available in the FFIEC Information Technology Examination Handbook.[176]

 

 

 
