Share
Explore
Straddle 101 - Internal
The purpose of the ACH Quick Reference Guide is to provide instruction to financial institution personnel involved in the day-to-day activities associated with receiving commercial ACH transactions. It is ideal for training personnel on ACH procedures and as a quick reference for ACH questions. The Guide contains an appendix with sample reports, Return and Notification of Change codes, and a glossary of ACH terminology.
This user-friendly guide is based on the 2022 Nacha Operating Rules (referred to as the ACH Rules), Regulation E and the Uniform Commercial Code Article 4A (UCC 4A) and supplements more extensive resource materials. It references various in- depth resource materials and is not intended as a substitute for referencing and complying with the rule requirements published in the ACH Rules. Procedures for handling federal government entries are not covered in this guide. Although many procedures may be similar, federal government entries are also subject to Title 31 Code of Federal Regulations Part 210 (31 CFR Part 210), which are outlined in the Green Book.
ACH Basics
What is the ACH Network?
The Automated Clearing House (ACH) Network is an electronic payments network used by individuals, businesses, financial institutions and government organizations. It allows funds to be electronically debited or credited to a checking account, savings account, financial institution general ledger account or credited to a loan account.
The ACH Network is the backbone for the electronic movement of money and other related data, providing a safe, secure, reliable network for direct consumer, business and government payments. Large and small financial institutions of all kinds jointly govern and utilize the ACH Network, facilitating billions of payments such as Direct Deposit via ACH and Direct Payment via ACH.
The ACH Network is a same day, batch processing, store-and- forward system. Transactions are stored by financial institutions throughout the day and processed at specified times in a batch mode.
The ACH Network exchanges funds and payment-related information throughout the United States, its territories and internationally.
Who are the ACH Participants?
There are five key participants that contribute to the successful completion of an ACH transaction. As each participant is discussed, the financial institution should better understand the role it plays in the system.
The Originator is the company/business that has been authorized by the Receiver to either credit or debit an account. When a company initiates a credit transaction to their employee’s account for payroll or to a business customer’s account for payment of goods and services, it is considered the Originator. Originators may also initiate debit transactions to a consumer or business account for payment of goods or services.
The Receiver can be either an individual or a company that has authorized the Originator (company) to credit or debit their account. The employee is the Receiver if his/her employer is initiating a Direct Deposit payroll credit. A business partner is the Receiver if the Originator is sending a credit to pay for goods or services. The Originator can also be a Receiver, in situations where another party is initiating credits or debits to their account.
The authorization is a key component of an ACH transaction, as it gives the Originator the authority to send credit or debit transactions to the Receiver’s account. The manner in which the authorization may be obtained varies based on the type of transaction and is discussed in greater detail in the Authorization section of this Guide.
The Originating Depository Financial Institution (ODFI) is the financial institution with which the Originator (company) has a contractual relationship for ACH services and is responsible for sending ACH entries into the ACH Network on behalf of the Originator. Through the warranties outlined in the ACH Rules, the ODFI has the greatest liability of all the participants in the ACH Network. The contractual relationship between the Originator and the ODFI outlines the rights and responsibilities of the two parties with respect to the ACH transactions being originated and provides the ODFI with a mechanism to pass some appropriate liabilities to the Originator (company).
An example of this relates to authorizations. The ODFI warrants to all the other Network participants that transactions are properly authorized; and yet, the Originator obtains and maintains this authorization. Hence, the agreement between the Originator and ODFI must address the Originator’s responsibilities regarding authorizations.
The ACH Operator is the central clearing facility for ACH transactions. The ACH Operator is responsible for accepting files of ACH entries from ODFIs, which are then sorted, batched and forwarded to the Receiver’s financial institution. The ACH Operator also performs some editing functions, ensuring that mandatory information required in ACH records is included. There are currently two ACH Operators, the Federal Reserve Bank and EPN (Electronic Payments Network).
The Receiving Depository Financial Institution (RDFI) is a financial institution with which the Receiver has an account relationship. Credit or debit entries sent to a Receiver’s account will be received by the RDFI from the ACH Operator and then posted to the Receiver’s account.
The RDFI’s primary responsibilities are to:
There are two other Network participants that may be involved in the flow of transactions, Third-Party Service Providers and Third-Party Senders.
A Third-Party Service Provider is a party which performs an ACH processing function on behalf of the Originator, ODFI or RDFI. A payroll processor is a common example of a Third-Party Service Provider used by Originators.
A Third-Party Sender (TPS) (Straddle) is an entity that has a contractual relationship with an ODFI to transmit debits or credits to the account of a Receiver on behalf of the Originator.
More specifically, a Third-Party Service Provider is a Third-Party Sender when there is a contractual relationship between the Originator and the Third-Party and there is NOT an agreement between the Originator and the ODFI.
Again, referencing the payroll processor example, if the Originator has an agreement with an ODFI for ACH origination and they use a payroll processor to create the ACH file on their behalf, the payroll processor is a Third-Party Service Provider. If the Originator has a contractual relationship with the payroll processor and the payroll processor sends the ACH file to the payroll processor’s financial institution for introduction into the ACH Network, the payroll processor is considered a Third-Party Sender.
How Does the ACH Network Function?
The Originator obtains authorization to initiate a transaction to the Receiver’s account or provides notice to the Receiver that a transaction will be initiated to the Receiver’s account.
The Originator initiates a file of ACH transactions and presents the file to its ODFI.
The ODFI collects ACH files from Originators with which it has contractual relationships, verifies the validity of these files and at specified times, transmits these files to the ACH Operator. The ODFI may consolidate these individual files as batches into a larger file that is then transmitted to the ACH Operator. The ODFI may retain entries within these files that are intended for account holders at its institution. These entries are known as on-us entries.
The ACH Operator receives ACH files from the ODFI, edits the files to make sure they are formatted properly and distributes files of entries to the RDFI.
The RDFI receives files of entries from the ACH Operator for its account holders. Entries are posted based upon the Settlement Date and account number. Periodic statements are provided to the Receiver with descriptive information about the ACH transaction, including the date of the transaction, dollar amount, Originator name and transaction description (e.g., payroll, water bill, internet purchase).
How are ACH Funds Settled?
Settlement is the actual transfer of funds between financial institutions to complete the payment instructions of an ACH entry. ACH settlement can only occur on banking days. The Federal Reserve Bank provides settlement services for ACH entries, for both the Federal Reserve ACH Operator and any private sector ACH Operator (currently only EPN). The Federal Reserve Bank calculates the net debit and credit positions of financial institutions and applies those debits or credits to the account of the financial institution or to the account of its correspondent financial institution.
The timing of settlement is based upon the Effective Entry Date indicated by the Originator on the ACH file and the time of its delivery to the ACH Operator. The Effective Entry Date is the date the Originator intends for the entries to post to the accounts of the Receivers (employees or customers).
When the ACH Operator processes an ACH file, the Effective Entry Date is read and a Settlement Date is assigned. Entries are settled by the ACH Operator on the Settlement Date.
In most cases, the Settlement Date is the same as the Effective Entry Date, but it is possible that the Settlement Date could be after the Effective Entry Date. For example, if the ACH Operator cannot settle on the Effective Entry Date due to untimely file delivery, a stale date, weekend or holiday, the ACH Operator will apply the next possible Settlement Date.
Since its inception, the ACH Network’s standard settlement period has been one to two business days after processing (i.e., debit entries are allowed to be sent one day in advance of the Effective Entry Date and credits up to two days in advance). While this processing environment will continue to be available, Originators now have same day processing and settlement of eligible ACH credit and debit payments.
ACH Network Management
Operations and compliance are two key aspects in the management of the ACH Network. ACH Operators facilitate the operations for transaction processing, while compliance is the primary focus of financial institutions, Payments Associations (PAs) and Nacha.
Nacha is a not-for-profit association that represents financial institutions through direct memberships and a network of PAs. Nacha develops operating rules and business practices for the ACH Network and for electronic payments in the areas of Internet commerce, electronic bill and invoice presentment and payment (EBPP, EIPP), electronic check conversions (e-checks), financial electronic data interchange (FEDI), international payments and electronic benefits services (EBS).
PAs provide access to the ACH Rules and guidelines for the efficient operation of the ACH Network as well as provide education to their members. PA members include financial institutions, companies and other interested parties. With the contributions of their members, PAs help create the ACH Rules.
ACH Rules and Regulations
There are many rules and regulations governing the transmission of ACH entries. Details on the rules and regulations having the most impact on the financial institution follow:
ACH Rules
The ACH Rules serve as the primary source for rules and regulations for the Commercial ACH Network and are contract law that is made binding by agreements. Commercial ACH entries are originated by the private sector, which includes individuals, companies and state and local governments.
The ACH Rules define the obligations and liabilities of each financial institution, including a provision to perform an annual audit, and provide a mechanism for a receiving institution to return an entry to the sending institution. The ACH Rules help reduce risk in the Network and protect financial institutions from potential loss.
Office of Foreign Assets Control (OFAC)
The U.S. Department of the Treasury, Office of Foreign Assets Control, administers economic sanctions and embargo programs that require assets and transactions involving interests of targeted countries, targeted country nationals and other specifically identified companies and individuals to be frozen. OFAC maintains a list of Specially Designated Nationals and Blocked Persons (SDN List) to assist financial institutions in identifying blocked parties.
All U.S. participants in the ACH Network need to be aware that they may be held accountable for sanction violations and must understand their compliance obligations. As an RDFI, the financial institution should have a process in place to determine whether any of its account holders are identified as a blocked party on a current SDN List. Financial institutions are strongly encouraged to obtain a current SDN List and other compliance information directly from OFAC.
Regulation E and Electronic Fund Transfer Act (EFTA)
Regulation E carries out the purpose of the EFTA, which establishes the basic rights, liabilities and responsibilities of consumers who use electronic fund transfer services. The primary objective of this act and regulation is the protection of individual consumers engaging in electronic fund transfer services. Regulation E also addresses the responsibilities of financial institutions regarding disclosures, stop payments and unauthorized debit transactions to consumer accounts and defines the process for resolving errors.
State Law
Some state laws may impact ACH transactions if the law is more restrictive or provides greater consumer protection than other prevailing rules or regulations. For instance, some states allow companies to mandate employees to be paid by Direct Deposit; however, most state labor codes restrict companies from offering only Direct Deposit. Many states have mandated state taxes paid by businesses and corporations be initiated through the ACH. The states’ Attorneys General Offices can provide specifics.
Title 31 Code of Federal Regulation Part 210 (31 CFR Part 210)
31 CFR Part 210 provides the regulatory foundation for the use of the ACH Network for federal government agencies. It defines the rights and liabilities of agencies, Federal Reserve Banks, financial institutions and the public in connection with ACH entries. The Green Book is the procedures manual for financial institutions processing federal government payments. Among the procedures covered by the Green Book are the handling of federal government reclamations and enrollment in federal government benefit payment programs. By accepting a federal government benefit payment, a financial institution agrees to be bound to 31 CFR Part 210, and therefore, must adhere to these procedures.
Uniform Commercial Code Article 4A (UCC 4A)
Uniform Commercial Code (UCC) is a series of state laws that govern commercial transactions. Article 4A of the UCC governs corporate ACH transactions that are referred to as “corporate wholesale credit entries.” RDFIs may identify these transactions by Standard Entry Class Codes CCD or CTX. UCC 4A also addresses the ‘commercially reasonable security procedures’ that must be in place for ACH Origination to occur.
USA PATRIOT Act
Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 establishes a wide variety of ways to combat international terrorism. Title III—International Money Laundering Abatement and Anti-Terrorist Financing, which contains provisions relating to money laundering and terrorist access to the financial system in our country is the section of the Act that affects financial institutions with regard to information sharing and customer identification programs (CIPs).
CIPs require financial institutions to complete the following prior to opening a new account:
RULE OF THUMB: When conflicts are found among these various rules and regulations, the most restrictive rule or regulation applies. In other words, the one that benefits or provides the most protection to the consumer would be applied. Over the years, consumer and corporate customers have become more and more aware of the advantages of the electronic payments network. As a result, customers are more demanding and financially savvy. The ACH Network provides the ability to directly deposit employee payroll, permits automated bill payment services, allows for purchases online and can be used by companies to perform cash concentration and make corporate-to-corporate payments.
As migration from paper to electronic payment continues, the cost-effective ACH Network will grow and enable innovation that strengthens the industry with creative payment solutions.
ACH Transactions
Types of ACH Transactions
In general, there are two types of ACH transactions sent through the ACH Network:
Commercial ACH entries can further be classified as follows:
Increasingly, companies are realizing the benefits of Direct Payment for business-to-business payments. These payments reduce check preparation and distribution expenses, eliminate postage costs, improve cash flow and cash forecasting, can improve payment discounts and simplify account reconciliation. Additionally, payments can accommodate payment-related information in addenda records in standard electronic data interchange (EDI) formats or in Nacha-endorsed banking conventions.
The ACH Network can also be used by consumers and businesses to exchange funds and payment-related information internationally. In the international payment environment, a new participant, the Gateway, acts as the contact point for a financial institution. The Gateway assumes responsibility for foreign exchange conversion and settlement, format mapping and translation of data.
Transaction Codes
The ACH Network supports a number of different credit and debit applications. A Transaction Code identifies an entry as a debit or credit, and indicates the type of account to which the transaction is intended, i.e. checking, savings, financial institution general ledger or loan account. Only credit entries can be transmitted to loan accounts. Commonly used Transaction Codes are listed:
Demand Credit Records
21 Automated Return or NOC for a Demand Credit 22 Demand Credit 23 Prenote for a Demand Credit 24 Zero Dollar Entries w/Remittance Data (for CCD and CTX Entries Only)
Demand Debit Records
26 Automated Return or NOC for a Demand Debit 27 Demand Debit 28 Prenote for Demand Debit 29 Zero Dollar Entries w/Remittance Data (for CCD and CTX Entries Only)
Savings Account Credit Records
31 Automated Return or NOC for a Savings Credit 32 Savings Credit 33 Prenote for a Savings Credit 34 Zero Dollar Entries w/Remittance Data (for CCD and CTX Entries Only)
Savings Account Debit Records
36 Automated Return or NOC for a Savings Debit 37 Savings Debit 38 Prenote for a Savings Debit 39 Zero Dollar Entries w/Remittance Data (for CCD and CTX Entries Only)
Standard Entry Class (SEC) Codes
Each application has a unique Standard Entry Class (SEC) code which identifies:
It is important to know the SEC code of the ACH entry as it will define posting and return procedures. This is of utmost importance to the financial institution as proper handling of entries will mitigate any potential losses associated with human error. Commonly used SEC codes are listed below with their use.
SEC CODE
SEC CODE DESCRIPTION
APPLICATION USE
ARC
Accounts Receivable Entry
The Accounts Receivable (ARC) Entry provides billers the opportunity to initiate single-entry ACH debits to customer accounts by converting checks at the point of receipt through the U.S. mail, ata drop box location or in-person for payment of a bill at a manned location. The biller is required to provide the customer with notice prior to the acceptance of the check that states the receipt of the customer’s check will be deemed as the authorization for an ARC debit entry to the customer’s account. The provision of the notice and the receipt of the check together constitute authorization for the ARC entry. The customer’s check will solely be used as a source document to obtain the routing number, account number and check serial number.
BOC
Back Office Conversion
Back Office Conversion (BOC) allows retailers/billers, and ODFIs acting as Originators, to electronically convert checks received at the point-of-purchase as well as at a manned bill payment location into a single-entry ACH debit. The authorization to convert the check will be obtained through a notice at the checkout or manned bill payment location (e.g., loan payment at financial institution’s teller window) and the receipt of the Receiver’s check. The decision to process the check item as an ACH debit will be made in the “back office” instead of at the point-of-purchase. The customer’s check will solely be used as a source document to obtain the routing number, account number and check serial number.
CCD
Corporate Credit or Debit
The Corporate Credit or Debit (CCD) application provides a way for companies to receive cash rapidly, manage funds and control cash disbursements. Companies that operate several branches or sales outlets may consolidate funds quickly and eliminate the difficulties associated with transferring funds to a central corporate account. This application enhances the ability to predict funds availability and improve a company’s total cash management capability. The CCD applicationcan also be used to transfer funds among corporate entities in payment of goods or services, and can support a limited amount of payment-related data (e.g., invoice number, discounts taken, purchase order number, etc.) with the funds transfer.
CIE
Customer-Initiated Entry
A credit entry initiated by consumers through a bill payment service provider to pay bills, including bill payment services submitted through a telephone, ATM or online.
CTX
Corporate Trade Exchange
The Corporate Trade Exchange (CTX) application provides the ability to collect and disburse funds and information between companies. Generally it is used by businesses paying one another for goods or services. These payments replace checks with an electronic process of debiting and crediting invoices between the financial institutions of participating companies.
IAT
International ACH Transaction
An IAT entry is a credit or debit ACH entry that is part of a payment transaction involving a financial agency’s office (i.e., depository financial institution or business issuing money orders) that is not located in the territorial jurisdiction of the United States. IAT entries can be made to or from a corporate or consumer account and must be accompanied by seven (7) mandatory addenda records identifying the name and physical address of the Originator, name and physical address of the Receiver, Receiver’s account number, Receiver’s bank identity and reason for the payment.
POP
Point-of-Purchase Entry
The Point-of-Purchase (POP) application provides businesses the opportunity to create a debit entry to a Receiver’s account for a purchase made in-person at the point-of-sale or a manned bill payment location. After providing the proper notice, the Originator (merchant/retailer) accepts a source document, a paper check/sharedraft, from the Receiver, which is then inserted into a check-reading device to capture the account information (routing number, account number and check serial number) from the MICR lineof the check. The dollar amount of the transaction is manually key-entered by the sales clerk. The check/ sharedraft is then voided and returned to the Receiver along with an authorization form. The Receiver then authorizes the Originator to convert it into a one-time electronic debit to the Receiver’s account.
POS
Point-of-Sale
Point-of-Sale Entries (POS) are ACH debit entries typically initiated by the use of a merchant-issued plastic card to pay an obligation at the point-of-sale. Much like a financial institution issued debit card, the merchant-issued debit card is swiped at the point-of-sale and approved for use; however, the authorization only verifies the card is open, active and within the card’s limits—it does not verify the Receiver’s account balance or debit the account at the time of the purchase. Settlement of the transaction moves from the card network to the ACH Network through the creation of a POS entry by the card issuer to debit the Receiver’s account.
PPD
Prearranged Payment and Deposit
Prearranged Payments and Deposits (PPDs) can be either credit or debit entries and represent either single or recurring payments. PPD transactions are more widely known as Direct Deposit and Direct Payment. The Direct Deposit application provides the ability to disburse funds to consumer accounts. The Direct Payment application provides the ability to collect funds from consumer accounts. PPD can also be used for Return Fee Entries. If a company is allowed by law to collect a fee for a debit entry (ACH or check) that is returned as NSF or UCF, it would use the PPD Standard Entry Class code to do so as long as proper notice is provided.
RCK
Re-presented Check Entry
The Re-presented Check (RCK) Entry provides businesses the ability to collect funds from paper checks that have been processed through the check collection system and returned NSF or UCF. A consumer’s paper check that has been returned insufficient or uncollected funds may be submitted as an ACH debit entry through the ACH Network, as long as the proper notice is provided.
TEL
Telephone-Initiated Entry
The Telephone-Initiated (TEL) Entry provides businesses the opportunity to initiate ACH debits to consumer accounts for the purchase of goods and services pursuant to an oral authorization obtained over the telephone. TEL entries can be either set up for one specific payment (Single-Entry) or to occur at regular intervals (Recurring). A TEL entry may be transmitted only in circumstances in which (1) there is an existing relationship between the Originator and the consumer, or (2) there is not an existing relationship between the Originator and the consumer, but the consumer has initiated the telephone call to the Originator.
WEB
Internet-Initiated/ Mobile Entry
The Internet-Initiated/Mobile (WEB) Entry can be either a debit or credit entry and represents either single or recurring payments. A WEB debit entry provides companies the opportunity to initiate a debit entry to consumer accounts for the purchase of goods or services pursuant to an authorization obtained over the Internet or a Wireless Network. A WEB credit entry is initiated on behalf of a consumer to pay another person or to transfer monies from a consumer’s account at one financial institution to his/her account at another institution. The payment instructions may be communicated via the Internet, Wireless Network or in-person at the financial institution.
There are no rows in this table
Authorization
Originators must obtain authorization from or provide notification to a Receiver prior to initiating ACH transactions. Authorization requirements differ among the types of ACH transactions, also known as SEC codes. The Originator must keep copies of authorizations for two years from the termination or revocation of the authorization. For example, the Originator of a single-entry TEL must keep the original or copy of the oral authorization for two years from the date of the authorization. The table below identifies the authorization requirements of the more commonly initiated SEC codes.
Authorizations must be readily identifiable as an ACH credit or debit authorization and must contain terms that are clear and readily understandable. For recurring payments only, revocation language must also be included.
Authorizations may limit an Originator to debit or credit entries and may specify a fixed or variable amount. ACH authorizations should include language requiring consumers to acknowledge that ACH entries must comply with provisions of the laws of the United States.
SEC CODE
ENTRY TYPE
AUTHORIZATION REQUIREMENT
Accounts Receivable Entry (ARC)(Corporate to Consumer/Corporate to Corporate)
Debits
Notification is required prior to acceptance of the check.
Back Office Conversion (BOC)(Corporate to Consumer/Corporate to Corporate)
Debits
Notification prior to acceptance of the check and written authorization required.
Corporate Credit or Debit (CCD) (Corporate to Corporate)
Debits/ Credits
Agreement required for transfers between companies; written authorization implied.
Customer-Initiated Entry (CIE) (Consumer to Corporate)
Credits
Presumed agreement between consumer and company or paying agent.
Corporate Trade Exchange (CTX) (Corporate to Corporate)
Debits/ Credits
Agreement required for transfers between companies; written authorization implied.
International ACH Transaction (IAT)(Corporate to Corporate/Corporate to Consumer/ Consumer to Consumer)
Debits/ Credits
Agreement required for transfers between companies; credit entries to consumer accounts require authorization be provided orally or by non- written means; debit entries to consumer accounts require a written, signed or Similarly Authenticated* authorization.
Point-of-Purchase Entry (POP)(Corporate to Consumer/Corporate to Corporate)
Debits
Notification prior to acceptance of the check and written or signed or similarly authenticated authorization required.
Prearranged Payment & Deposit (PPD) (Corporate to Consumer)
Credits
Authorization required. Oral or non-written means (i.e., voided check) accepted.
Prearranged Payment & Deposit (PPD) (Corporate to Consumer)
Debits
Authorization required. Written, signed or Similarly Authenticated.* Authorization for Return Fee Entries may be obtained by providing notice to the consumer when the original debit is presented for payment.
Re-presented Check Entry (RCK) (Corporate to Consumer)
Debits
Notification is required prior to acceptance of the check.
Telephone-Initiated Entry (TEL) (Corporate to Consumer)
Debits
For Single Entry, recorded oral authorization or written notice provided to the consumer confirming the oral authorization*. For Recurring, a copy of the authorization must be provided to the consumer.
Internet-Initiated/Mobile Entry (WEB) (Corporate to Consumer)
Debits
Similarly Authenticated authorization required due to the nature of the Internet.*
Internet-Initiated/Mobile Entry (WEB) (Consumer to Consumer)
Credits
No authorization required.
Point-of-Sale (POS)
Debit/ Credit
Written and signed or similarly authenticated
There are no rows in this table
*Revised Regulation E (2001) and the Electronic Signatures in Global and National Commerce Act (E-Sign Act) qualify electronic signatures as valid for consumer debit authorizations. This refers to authentication of the authorizing party by digital signature such as a unique PIN number.
Rules Compliance
Risk Management and Assessment
Risk management is every financial institution’s responsibility. There are three key types of risk affecting ACH payment processing that you should be aware of:
The ACH Rules require all financial institutions to perform a risk assessment of their ACH activities and to implement risk management programs based on the assessment, in accordance with the requirements of their regulator(s).
ACH Credit Risk
While credit risk is generally associated with ACH origination activities, RDFIs are also exposed to credit risk when they:
Controlling Credit Risk
Credit risk is generally controlled by developing and implementing processing procedures, understanding compliance obligations and ensuring ACH operations staff are properly trained.
ACH Operational Risk
Operational risk represents the amount of loss related to unintentional errors, which may occur due to a hardware/software failure or clerical errors, such as untimely returns or the incorrect use of return reason codes. Any disruption in ACH processing can jeopardize the accurate and timely processing of ACH entries.
Controlling ACH Operational Risk
The evaluation of ACH operational risk and the determination of procedures to control those risks should include participation of auditors and outside professionals to ensure objectivity. Operational risk may be managed through automated security methods, as well as controlled operational procedures, which include cross-training of staff, dual controls and a contingency plan.
ACH Fraud Risk
Fraud risk represents risk that a transaction may be initiated or altered in an intentional effort to misdirect or misappropriate funds. Risks related to fraud are affected by internal as well as external factors. Fraudulent activities may be the work of dishonest employees, third-party processing personnel, originating company personnel or other outside parties.
Controlling ACH Fraud Risk
While controls related to ACH operational and credit risk may also be effective in diverting fraud, additional areas may include specific personnel practices and security.
Personnel Practices
The following are suggestions regarding practices and procedures that contribute to fraud risk management:
Security Practices
It is up to the financial institution to ensure that its ACH operations are secure. Sensitive operation sites, such as the area that houses the computer and communications equipment, should be kept secure. All portable data, such as CDs, USBs, reports and physical file folders, should be kept in secure areas, as well as protected from hazards such as flood or fire. Computer terminals should automatically logoff after a set period of time.
ACH processing software should be safeguarded with controls in place to ensure that only authorized changes can be undertaken. Communications software should provide security features, such as encryption or authentication to secure data during the process of transmission. In general, ACH processing security should conform to the organization’s data processing security policy.
ACH Audit
Want to print your doc?
This is not the way.
This is not the way.
Try clicking the ⋯ next to your doc name or using a keyboard shortcut (
CtrlP
) instead.