Managing the Complexities of Third-Party Sender Risk

By Tracy Merritt posted 15 days ago

  

In the payments world, third-party risk management identifies and mitigates the risk associated with using a Third-Party Service Provider (TPSP) or Third-Party Sender (TPS). Nacha has been incrementally addressing third-party risk management with changes to its Operating Rules and Guidelines, like the Third-Party Sender Registration rule and the Third-Party Senders Roles and Responsibilities rule, to require that ODFIs know the nature of their customers’ use of the ACH Network, whether as Originators, Third-Party Senders, or other types of intermediaries.

One of the trickier aspects of being an ODFI is recognizing and understanding Third-Party Senders, the complexities and unique risks they present, and how to thoroughly mitigate those risks to protect your institution. Do you know if any of your Originators are acting in this role, and if so, how do you ensure they are compliant with the rules and requirements that Third-Party Senders are subject to?

ePayAdvisors™ has kept pace with services to help Originating Depository Financial Institutions (ODFIs) and their Third-Party Service Providers and Third-Party Senders remain compliant. There is a lot for your team to consider to limit your exposure:

  • What tools or resources do you have to accurately identify Third-Party Senders and Nested Third-Party Senders?
  • What departments should you involve in the identification and risk evaluation process?
  • Once identified, have you registered your Third-Party Senders in Nacha’s Risk Management Portal, as required by the ACH Rules?
  • Have you granted Direct Access to any Third-Party Senders, that is, the authority to transmit entries directly to the ACH Operator using your institution’s routing number and settlement account, and if so, are they properly registered in Nacha’s Risk Management Portal?
  • How do you track whether Third-Party Senders are fulfilling their obligation under the ACH Rules to complete an audit and risk assessment each year?
  • Does your agreement with Third-Party Senders adequately address these obligations and other necessary risk controls?

This list may seem daunting, but ePayAdvisors can help you tackle it:

Consulting and Customized Education

  • We can review and analyze your operational processes and Originators to identify those that serve as Third-Party Senders.
  • We can create customized education for your staff that explains how to identify Third-Party Senders, manage the relationships, and mitigate the risks.

Third-Party Sender Audits and Risk Assessment

  • We can perform the annual audits and risk assessments specific to Third-Party Senders as required by the ACH Rules.

Regulatory changes, new payment applications, evolving technologies, and increasing threats from fraud all contribute to a heightened risk environment. Effectively managing ACH processing risk is critical to an organization’s bottom line and the health of the payments system; an accurate, thorough assessment of risk is the crucial first step.  Each Third-Party Sender has a unique ACH processing environment, and the risk assessment should be based on the complexity of that environment.

Prior to your institution’s risk assessment, whether conducted in house or by an outside organization like ePayAdvisors, it is recommended that you understand the main risk categories outlined in the FFIEC BSA/AML Examination Manual.  ePayAdvisors’ risk assessment is also built around the OCC ACH Risk Management Guidance, and we assess controls across the ACH delivery channel as they relate to sound risk management practices for the specific roles of Originators, Third-Party Senders, and Third-Party Service Providers. We provide a detailed report on inherent risk, implemented controls, and residual risks, along with recommendations for further risk mitigation and operational efficiency. Our process includes risk considerations and controls related to five main categories:

  • Governance – Board and management oversight
  • Operations – General controls, TPSP vendor management, business continuity
  • Customer Due Diligence – Underwriting, exposure, credit, funding and settlement, returns
  • Compliance – OFAC, BSA/AML, ACH Rules, Regulation E
  • Systems Access Management – Business email compromise, corporate account takeover, information security, protected information

Ready to learn more? Visit epayadvisors.com or call ePayAdvisors at 800-475-0585, Option 5, to learn more about our Third-Party services, or any of our services designed to empower you to be informed, compliant, and competitive in payments! 
