Bank Secrecy Act |
EXAMINATION PROCEDURES
Automated Clearing House Transactions
Objective. Assess the adequacy of the bank’s systems to manage the risks associated with automated clearing house (ACH) transactions, and management’s ability to implement effective monitoring and reporting systems.
1. Review the policies, procedures, and processes related to ACH transactions. Evaluate the adequacy of the policies, procedures, and processes given the bank’s ACH transactions and the risks they present. Assess whether the controls are adequate to reasonably protect the bank from money laundering and terrorist financing.
2. From review of management information systems (MIS) and internal risk rating factors, determine whether the bank effectively identifies and monitors high-risk customers using ACH transactions.
3. Evaluate the bank’s risks related to ACH transactions by analyzing the frequency and dollar volume and types of ACH transactions in relation to the bank’s size, its location, and the nature of its customer account relationships.
4. Determine whether the bank’s system for monitoring customers, including third-party service providers (TPSP), using ACH transactions for suspicious activities, and for reporting of suspicious activities, is adequate given the bank’s size, complexity, location, and types of customer relationships. Determine whether suspicious activity monitoring and reporting systems include:
- Identifying customers with frequent and large ACH transactions.
- Monitoring ACH detail activity when the batch-processed transactions are separated for other purposes (e.g., processing errors).
- Applying increased due diligence for international ACH transactions, including domestic transactions when the Originator is based in a foreign country or that are initiated by an international messaging system.
- Identifying ACH transactions that the bank originates to foreign financial institutions, particularly to high-risk geographic locations.
- Using methods to track, review, and investigate customer complaints regarding fraudulent or duplicate ACH transactions.
5. If appropriate, refer to the core examination procedures, “Office of Foreign Assets Control,” for guidance.
Transaction Testing
6. On the basis of the bank’s risk assessment of customers with ACH transactions, as well as prior examination and audit reports, select a sample of high-risk customers, including TPSPs, with ACH transactions, which may include the following:
- ACH transactions originating from or received by international parties.
- ACH transactions originating from the Internet or via telephone, particularly those accounts opened on the Internet or via the telephone without face-to-face interaction.
- Customers whose business or occupation does not warrant the volume or nature of ACH activity.
- Customers who have been involved in the origination or receipt of duplicate or fraudulent ACH transactions.
- Customers or originators (clients of customers) that are generating a high rate or high volume of invalid account returns, consumer unauthorized returns, or other unauthorized transactions.
7. From the sample selected, analyze ACH transactions to determine whether the amounts, frequency, and jurisdictions of origin or destination are consistent with the nature of the business or occupation of the customer. A review of the account opening documentation, including Customer Identification Program (CIP) documentation, may be necessary in making these determinations. Identify any suspicious or unusual activity.
8. On the basis of examination procedures completed, including transaction testing, form a conclusion about the adequacy of policies, procedures, and processes associated with ACH transactions.
