Dynamic Due Diligence Requirements for ODFIs
Saturday, February 2, 2019
During the past ten years bank regulatory agencies have been issuing guidelines on steps financial institutions need to take to reduce their risk when processing ACH transactions. The regulatory guidance has been updated on a regular basis. Each update requires FIs to implement more sophisticated and complex tools to measure and control risk. In the past an ODFI could rely on taking snapshots throughout a period of time of the creditworthiness and the transaction activity of its ACH originators and make risk decisions based on this “static” information. Obtaining “snapshot” information, in my view, does not meet the new requirements of the bank regulatory agencies. Banks need to conduct their “due diligence” of their ACH originators on a “dynamic” basis by constantly evaluating the riskiness of the originator.
The current version of the FFIEC Examiners Handbook for retail payment systems (The FFIEC classifies the ACH Network as a retail payment system) includes the following summary:
“Financial institutions engaged in retail payment systems should establish an appropriate risk management process that identifies, measures, monitors, and limits risks.
Management and the board should manage and mitigate the identified risks through effective internal and external audit, physical and logical information security, business continuity planning, vendor management, operational controls, and legal measures.
Risk management strategies should reflect the nature and complexity of the institution’s participation in retail payment systems, including any support they offer to clearing and settlement systems. Management should develop risk management processes that capture operational risks, but also credit, liquidity, strategic, reputational, legal, and compliance risks, particularly as they engage in new retail payment products and systems. Management should also develop an enterprise wide view of retail payment activities due to cross-channel risk. These risk management processes should consider the risks posed by third-party service providers.”
I have discussed the above statement with bank regulatory officials and with representatives of banks that have been recently examined. The purpose of these discussions was to determine what is expected of ODFIs to satisfy bank regulatory agencies during an examination. Based on those discussions I have prepared a list of three basic requirements that I believe would help a bank satisfy bank regulatory examiners during future examinations of a bank's ACH origination business.
1. ACH Transactional Monitoring
ODFIs are expected to monitor all ACH credit entries on a “real time” basis before the entries are sent to the ACH Operator. For each customer the monitoring must compare the value of the entries to the available balance and line of credit of the customer. ODFIs must also compare key elements in every ACH credit, such as the amount, the RDFI's routing number, the receiver's account number, etc., to previous ACH credit entries received from that customer. In addition, the monitoring should include SEC codes and “day of the week” comparisons.
The ODFI's monitoring system should send alerts to the appropriate people within the bank when anomalies are detected and risk decisions need to be made before the entries are sent to the ACH Operator. In addition, all ACH debit entries must be monitored both on a real-time basis and on an “ex-post” basis. The purpose of the real-time monitoring is to make the type of comparisons discussed above. If significant anomalies are detected the ODFI would need to take appropriate action before the entries are sent to the ACH Operator.
The purpose of the “ex-post” monitoring is to analyze ACH debit returns. The analysis needs to include a comparison of “actual” return rates against two thresholds. The first threshold is the one established by the ODFI and the second one is contained in the ACH Rules. The latter comparison is important because examiners may focus on how ODFIs are ensuring that their originators have return rates below the thresholds. NACHA allows the ODFI to calculate return rates using two different methodologies. The first is very simplistic and may understate the “real” return rate. For example, the first methodology permits the ODFI to simply divide the number of returns received each month by the number of entries originated that month. The problem with this methodology is that if the volume of entries originated increases each month, the denominator (the number of entries originated) increases faster than the numerator (the number of returns, most of which relate to entries originated in earlier, smaller months), which could result in an artificially low return rate.
The methodology that should be used by ODFIs to determine the “real” return rate would be to track each entry over a rolling 63-day period (63 days is the maximum number of days after settlement that a debit entry can be returned unpaid to the ODFI). The originator's return rate should be determined each day by dividing the number of returns by the number of entries originated.
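To make the difference between the two methodologies concrete, here is an added example (my own code, not part of the original post or of any Laru product) that tracks each constructed ACH debit entry individually and computes both rates. The data is constructed: origination volume doubles each month, exactly 1 entry in 20 is returned, and every return arrives 25 days after settlement; the return code, the trace numbers and the 4% ODFI threshold are placeholders. The per-entry tracker attributes each return to the entry it reverses, so the rate for any settlement window is computed over the same entries in the numerator and denominator; my reading of the post's "rolling 63-day period" is that the daily figure covers the most recent 63 days' worth of entries whose return window has closed, and that reading is an assumption.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

RETURN_WINDOW_DAYS = 63   # longest time after settlement a debit can still come back (from the post)
RETURN_LAG_DAYS = 25      # constructed: every return in the sample arrives 25 days after settlement

@dataclass(frozen=True)
class AchDebit:
    """One originated ACH debit tracked individually (amount in cents); return fields stay None until a return arrives."""
    trace: str
    settlement_date: date
    amount: int
    return_date: Optional[date] = None
    return_code: Optional[str] = None

def build_constructed_entries() -> List[AchDebit]:
    """Constructed sample: 20, 40 and 80 debits per day in Jan, Feb and Mar 2019; 5% of each day's entries are returned."""
    entries, seq, day = [], 0, date(2019, 1, 1)
    while day < date(2019, 4, 1):
        per_day = {1: 20, 2: 40, 3: 80}[day.month]
        for i in range(per_day):
            seq += 1
            returned = (i % 20 == 0)            # exactly 1 in 20 entries comes back, in every cohort
            entries.append(AchDebit(
                trace=f"{seq:015d}",             # placeholder trace number, not a real one
                settlement_date=day,
                amount=10_000,
                return_date=day + timedelta(days=RETURN_LAG_DAYS) if returned else None,
                return_code="R10" if returned else None,   # placeholder return reason code
            ))
        day += timedelta(days=1)
    return entries

def monthly_return_rate(entries: List[AchDebit], year: int, month: int) -> Optional[float]:
    """The simplistic method: returns that ARRIVED in the month divided by entries ORIGINATED in the month."""
    originated = [e for e in entries if e.settlement_date.year == year and e.settlement_date.month == month]
    arrived = [e for e in entries if e.return_date and e.return_date.year == year and e.return_date.month == month]
    return len(arrived) / len(originated) if originated else None

def cohort_return_rate(entries: List[AchDebit], start: date, end: date, as_of: date) -> Optional[float]:
    """Per-entry method: of the entries settled in [start, end], the share returned on or before as_of."""
    cohort = [e for e in entries if start <= e.settlement_date <= end]
    returned = [e for e in cohort if e.return_date is not None and e.return_date <= as_of]
    return len(returned) / len(cohort) if cohort else None

def rolling_return_rate(entries: List[AchDebit], as_of: date, window_days: int = RETURN_WINDOW_DAYS) -> Optional[float]:
    """Daily figure: the most recent window of entries whose 63-day return window has fully closed as of as_of."""
    end = as_of - timedelta(days=window_days)          # latest settlement date that can no longer be returned
    start = end - timedelta(days=window_days - 1)
    return cohort_return_rate(entries, start, end, as_of)

def thresholds_exceeded(rate: Optional[float], thresholds: Dict[str, float]) -> List[str]:
    """Names of the thresholds (ODFI's own, ACH Rules) that the rate is at or above."""
    if rate is None:
        return []
    return [name for name, limit in thresholds.items() if rate >= limit]

# Placeholder thresholds: replace with the ODFI's own limit and the applicable ACH Rules limit.
THRESHOLDS = {"ODFI internal (placeholder)": 0.04}

def run_example():
    entries = build_constructed_entries()
    monthly = {m: monthly_return_rate(entries, 2019, m) for m in (1, 2, 3)}
    rolling = rolling_return_rate(entries, date(2019, 4, 30))
    return monthly, rolling, thresholds_exceeded(rolling, THRESHOLDS)

if __name__ == "__main__":
    monthly, rolling, breached = run_example()
    for m, r in monthly.items():
        print(f"simplistic monthly rate 2019-{m:02d}: {r:.2%}")
    print(f"rolling per-entry rate as of 2019-04-30: {rolling:.2%}  breaches: {breached}")
```

Every cohort in the constructed data is returned at exactly 5%, yet the monthly method reports roughly 1% for January and under 3% for March, because each month's returns belong to the previous, smaller month's originations. The per-entry tracker reports the 5% that is actually happening, which is the figure that gets compared against the ODFI's threshold and the ACH Rules threshold.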
2. Multi-Channel Monitoring
The FFIEC statement above envisions banks performing multi-channel risk monitoring. The two most important channels to monitor at the same time and in real-time are wire transactions and ACH credit entries. Both types of transactions have the same basic characteristic from a risk management standpoint. Once the transaction is sent to the operator it cannot be recalled.
Wires and ACH transactions are in many respects interchangeable and once Same Day ACH is implemented this interchangeability will increase. The FBI has reported that when hackers have compromised a company's online banking credentials, the hackers will determine, based on reviewing past account activity, whether a fraudulent wire or ACH credit will be less likely to be detected by the bank. Once the determination is made the hacker will instruct the bank to send out the wire or ACH credit.
The type of real-time monitoring discussed above for ACH credits must also be performed for Wires. In addition, the bank needs to evaluate its exposure by including both Wires and ACH credit entries in its real-time analysis.
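The real-time comparisons described in section 1 (amount, RDFI routing number, receiver account, SEC code and day of week against the customer's history, plus the balance and line-of-credit check) and the combined wire/ACH exposure view described in this section can be illustrated with one screening routine. The following is an added example written for this post, not code from the original or from any Laru product; the customer, routing numbers, account numbers, amounts and the "twice the prior maximum" amount rule are constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Set, Tuple

@dataclass(frozen=True)
class OutgoingPayment:
    """One outgoing credit awaiting release: an ACH credit entry or a wire (amount in cents)."""
    channel: str                 # "ACH" or "WIRE"
    amount: int
    beneficiary_rtn: str         # RDFI routing number (ACH) or beneficiary bank routing number (wire)
    beneficiary_account: str
    value_date: date
    sec_code: Optional[str] = None   # ACH entries only

@dataclass
class CustomerProfile:
    """What the bank has already seen this customer do, per channel."""
    max_amount: dict = field(default_factory=dict)           # channel -> largest prior amount
    beneficiary_banks: Set[str] = field(default_factory=set)
    beneficiaries: Set[Tuple[str, str]] = field(default_factory=set)
    sec_codes: Set[str] = field(default_factory=set)
    weekdays: Counter = field(default_factory=Counter)        # (channel, weekday) -> count

def build_profile(history: List[OutgoingPayment]) -> CustomerProfile:
    p = CustomerProfile()
    for h in history:
        p.max_amount[h.channel] = max(p.max_amount.get(h.channel, 0), h.amount)
        p.beneficiary_banks.add(h.beneficiary_rtn)
        p.beneficiaries.add((h.beneficiary_rtn, h.beneficiary_account))
        if h.sec_code:
            p.sec_codes.add(h.sec_code)
        p.weekdays[(h.channel, h.value_date.weekday())] += 1
    return p

def screen_pending(pending: List[OutgoingPayment], profile: CustomerProfile,
                   available_balance: int, credit_line: int, amount_factor: int = 2) -> List[tuple]:
    """Return (item index or "ALL", reason) alerts for payments not yet sent to the ACH Operator / Fedwire."""
    alerts = []
    exposure = sum(p.amount for p in pending)         # wires and ACH credits counted together
    cap = available_balance + credit_line
    if exposure > cap:
        alerts.append(("ALL", f"pending wires + ACH credits {exposure} exceed balance + line of credit {cap}"))
    for i, p in enumerate(pending):
        prior_max = profile.max_amount.get(p.channel, 0)
        if p.beneficiary_rtn not in profile.beneficiary_banks:
            alerts.append((i, "beneficiary bank routing number never used by this customer"))
        if (p.beneficiary_rtn, p.beneficiary_account) not in profile.beneficiaries:
            alerts.append((i, "beneficiary account never paid by this customer"))
        if p.amount > prior_max * amount_factor:      # constructed rule: more than twice the prior channel maximum
            alerts.append((i, f"amount {p.amount} exceeds {amount_factor}x prior {p.channel} maximum {prior_max}"))
        if p.channel == "ACH" and p.sec_code not in profile.sec_codes:
            alerts.append((i, f"SEC code {p.sec_code} not previously used"))
        if profile.weekdays[(p.channel, p.value_date.weekday())] == 0:
            alerts.append((i, f"no prior {p.channel} activity on this weekday"))
    return alerts

def held_items(alerts: List[tuple], count: int) -> Set[int]:
    """Indices to hold for a risk decision: everything if exposure is breached, else only the flagged items."""
    if any(a[0] == "ALL" for a in alerts):
        return set(range(count))
    return {a[0] for a in alerts}

# Constructed history for one customer: Friday PPD payroll credits and an occasional Wednesday wire.
RTN_A, RTN_B, RTN_C, RTN_NEW = "011111111", "022222222", "033333333", "099999999"   # constructed routing numbers
HISTORY = [
    *[OutgoingPayment("ACH", 280_000, RTN_A, "123456", date(2019, 1, d), "PPD") for d in (4, 11, 18, 25)],
    *[OutgoingPayment("ACH", 260_000, RTN_B, "987654", date(2019, 1, d), "PPD") for d in (4, 11, 18, 25)],
    OutgoingPayment("WIRE", 5_000_000, RTN_C, "444", date(2019, 1, 9)),
    OutgoingPayment("WIRE", 5_000_000, RTN_C, "444", date(2019, 1, 23)),
]
PROFILE = build_profile(HISTORY)
AVAILABLE_BALANCE, CREDIT_LINE = 9_000_000, 3_000_000

# Constructed pending items: a normal payroll credit, a normal wire, and an out-of-pattern Tuesday wire.
PENDING = [
    OutgoingPayment("ACH", 280_000, RTN_A, "123456", date(2019, 2, 1), "PPD"),
    OutgoingPayment("WIRE", 5_000_000, RTN_C, "444", date(2019, 2, 6)),
    OutgoingPayment("WIRE", 12_000_000, RTN_NEW, "9999", date(2019, 2, 5)),
]

if __name__ == "__main__":
    found = screen_pending(PENDING, PROFILE, AVAILABLE_BALANCE, CREDIT_LINE)
    for item, reason in found:
        print(f"item {item}: {reason}")
    print("held for review:", sorted(held_items(found, len(PENDING))))
```

The third pending item trips four of the element comparisons on its own (new beneficiary bank, new account, amount above twice any prior wire, no prior wire activity on a Tuesday), and because it pushes the combined wire plus ACH exposure past the balance and line of credit, the whole queue is held for a decision rather than just that item. Without it the first two items screen clean and would be released.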
3. Customer Reputation and Credit Risk Monitoring
Many banks monitor the creditworthiness and the potential risk to the bank's reputation of their ACH business customers in a “static” and “passive” mode, which, generally, is far less robust than the way some banks monitor their credit and debit card merchants. For example, many ACH operations and treasury management departments rely on their credit departments to send them information on the creditworthiness of their ACH business customers. In many banks the credit information is not updated on a regular basis. The updates generally occur only under certain circumstances, such as when a customer applies for a new loan or defaults on an existing loan, or adverse information about the customer becomes public. The same process is also used in many cases to determine if the customer will harm the reputation of the bank.
In contrast, several banks that provide merchant acquiring services for their debit and credit card merchant customers subscribe to services that regularly monitor creditworthiness and potential reputation risk. In many cases these services will alert the bank when there is a significant change in the merchant’s creditworthiness or the merchant may cause an adverse impact on the bank’s reputation.
Laru Technologies is currently working with companies that provide this critical information to banks to determine if this “dynamic due diligence” information will help ODFIs comply with FFIEC expectations. The plan calls for both the Vision and Clarity reports to include creditworthiness and reputation risk information. Including this information will make it easier for ODFIs to make the right decisions to reduce risk and to comply with regulatory expectations.
Regulatory agencies also expect ODFIs that originate ACH debits to perform “peer” analysis. The most important aspect of this analysis is to compare return rates against industry averages and against a selection of ODFIs that have similar characteristics, such as asset size, volume of transactions, etc. Laru Technologies is developing “peer” group reports to help ODFIs meet this regulatory requirement. As the industry evolves we want to ensure our customers stay informed and prepared for the changes of today and the future.