ANALYSIS: This Compliance Courier was prepared by one of The League’s Compliance Specialists – Laura Nelson. She and several other specialists are Accredited ACH Professionals (AAPs). To learn more about how the Compliance Specialist program could help your credit union, contact Paul Guttormsson.
It is Automated Clearing House (ACH) audit season. In addition to having an ACH compliance audit completed by December 31, credit unions must understand their responsibilities under the National ACH Association (Nacha) Rules. Below we have outlined our top five ACH audit findings to help your credit union avoid getting caught in a compliance trap.
1. Originating for business entities without an agreement or risk management
There is risk in ACH origination, so it is important for credit unions to have compliant, up-to-date Origination Agreements in place. It is best practice to periodically review your agreements and obtain legal advice to draft initial agreements and any amendments or changes to the agreement.
Not having an Origination Agreement with an Originator violates the Nacha Rules. Under Nacha Rule Article 2, Subsection 2.2.2.1, an Originating Depository Financial Institution (ODFI), i.e., the credit union, “must enter into an Origination Agreement with each Originator for which the ODFI will originate Entries. The Origination Agreement must include, at a minimum, each of the following:
- The Originator must authorize the ODFI to originate Entries on behalf of the Originator to Receivers’ accounts;
- The Originator must agree to be bound by these Rules;
- The Originator must agree not to originate Entries that violate the laws of the United States;
- Any restrictions on the types of Entries that may be originated;
- The right of the ODFI to terminate or suspend the agreement for breach of these Rules in a manner that permits the ODFI to comply with these Rules; and
- The right of the ODFI to audit the Originator’s compliance with the Origination Agreement and these Rules.”
These types of origination transactions could include, for example, the credit union sending a monthly stipend payment on behalf of ABC Church to Pastor Jim; or Landlord Mary has the credit union pulling rent payments from Jane Smith’s account at another financial institution; or “On the Road Trucking Company” sending deposits to the owners.
Beyond having an origination agreement, subsection 2.2.3 of the Rules goes on to say:
An ODFI must perform due diligence with respect to the Originator sufficient to form a reasonable belief that the Originator has the capacity to perform its obligations in conformance with these Rules. In addition, the ODFI must:
- assess the nature of the Originator’s ACH activity and the risks it presents;
- establish, implement, and periodically review an exposure limit for the Originator; and
- establish and implement procedures to:
  - monitor the Originator’s origination and return activity across multiple Settlement Dates;
  - enforce restrictions on the types of Entries that may be originated; and
  - enforce the exposure limit.
Why is an Agreement important?
First, Article 2, Section 2.1 of the Nacha Rules states that an ODFI is responsible for all entries originated through the ODFI, and an ODFI is responsible for its originators’ compliance with the Rules.
In addition, Subsection 2.4.5.1 says that an ODFI indemnifies every Receiving Depository Financial Institution (RDFI) and ACH Operator from and against any and all claims, demands, losses, liabilities, and expenses, including attorneys’ fees and costs, that result directly from:
- the breach of any warranty made to such party by the ODFI under these Rules, or
- the debiting or crediting of an Entry to a Receiver’s account in accordance with the terms of the Entry, including any claims, demands, losses, liabilities, or expenses, and/or attorneys’ fees and costs that result, either directly or indirectly, from the return of one or more items or Entries of the Receiver due to insufficient funds caused by a debit Entry.
If a credit union is originating for business entities without an agreement, it should be concerned with the following:
- What if the transaction is not funded by the Originator?
- If a debit entry is properly returned, can the credit union charge it back to the originator’s account? Then, what if the originator’s account does not have sufficient funds or is closed?
- If the credit union’s name appears on the receiver’s statement instead of the company name, this could cause confusion, as well as returns for unauthorized entries.
- How would the credit union respond to an RDFI’s request for proof of authorization?
- Does the credit union know that the proper standard entry class (SEC) code is being used?
- If there is no agreement on security procedures, how does the credit union obtain instructions for entries, how does the credit union handle changes to files, and how does it know this is actually coming from the true originator?
- The ODFI is responsible for indemnifying the RDFI for their expenses from an error entry. If there is an originator error, the ODFI should be able to pass any fees on to the originator, but most likely only with an agreement in place. Without an agreement, who is liable for an entry error: the originator or the credit union that is entering the data?
- What are the responsibilities for each party for stopping or preventing an unauthorized entry from being originated?
- What is the deadline for changes?
- All notifications of change must be handled by the credit union.
- What if the entry causes a Nacha Rules violation?
- Business Email Compromise – An originator unknowingly gets a fraudulent email from a vendor with new account information to be used for payments to that vendor going forward. Who is liable for that transaction when the originator directs the credit union to originate transactions to the new fraudulent account?
- Business originations usually provide fee income to financial institutions. However, many credit unions seem to provide business originations for no fee even though they are warranting the entries, indemnifying all parties, creating files, updating files, handling exceptions and notifications for incoming returns and notifications of change, and more.
2. RDFI disclosing an expiration date for ACH stop payments for consumer accounts
Under Nacha Rules, a consumer ACH stop payment order does not “expire.” Instead, Article 3, subsection 3.7.1.4 of the Nacha Rules states:
A consumer stop payment order will remain in effect until the earlier of:
- the withdrawal of the stop payment order by the Receiver; or
- the return of the debit Entry, or, where a stop payment order applies to more than one debit Entry relating to a specific authorization involving a specific Originator, the return of all such debit Entries.
However, different Rules apply to a non-consumer stop payment; see Subsection 3.7.2.1 of the Rules:
A non-consumer stop payment order will remain in effect until the earlier of:
- the withdrawal of the stop payment order by the Receiver; or
- the return of the debit Entry; or
- six months from the date of the stop payment order, unless it is renewed in writing.
Why is this important?
It is important that a credit union reviews its Stop Payment Order disclosures to ensure that the language follows the Nacha Rules and complies with Regulation E.
3. Inaccurate Written Statements of Unauthorized Debit (WSUD)
Inaccurate WSUDs are likely the most common area for ACH audit exceptions. Under the Rules, credit unions must obtain a WSUD from the member to recredit the member’s account and transmit the return entries for an extended time. The returned entry is to be received by the Originator by the opening of business on the Banking Day following the sixtieth (60th) calendar day following the settlement date of the original entry.
Article 3, Subsection 3.12.4 of the Rules is very specific on the minimum items required to be on the WSUD:
- Receiver’s printed name and signature;
- Receiver’s account number;
- identity of the party (i.e., the payee) debiting the account, as provided to the Receiver, and, if different, the name of the intended third-party payee;
- date the Entry was posted to the account;
- dollar amount of Entry;
- reason for return;
- signature date;
- Receiver assertion that the Written Statement of Unauthorized Debit is true and correct; and
- Receiver assertion that the Receiver is an authorized signer or has corporate authority to act on the account.
In addition:
- The WSUD must be dated on or after the Settlement Date of the Entry(ies) for which recredit is requested.
- More than one unauthorized debit Entry from a single Originator may be documented on a WSUD, provided that all of the information detailed above is provided for each debit Entry for which the Receiver is seeking recredit.
- Effective September 17, 2021 – WSUDs may be obtained with wet ink and paper, electronically signed, or obtained orally.
Why is this important?
The Nacha Rules state that when an RDFI accepts a WSUD, it is warranting that prior to initiating the extended return entry it has obtained a WSUD with the required items.
Nacha Rules also provide that within one year of the settlement date of the extended return entry, an ODFI has the right to request a copy of the completed WSUD. An RDFI must provide that proof within ten (10) Banking Days after receiving the written request from the ODFI. When a WSUD is not completed accurately, the credit union could potentially have some liability.
4. Credit union not having a rules-based ACH audit completed
Effective January 1, 2019, the Nacha Rules were amended to remove Appendix Eight, which previously outlined what many believed was an ACH audit template. Although Appendix Eight was removed, the Nacha Rules (Subsection 1.2.2.1) did not change their requirement to conduct an annual ACH rules-based audit. An audit may be conducted anytime throughout the year, but no later than December 31st.
Why is this important?
The Nacha Rules state that proof of completion of an audit must be retained along with documentation supporting the completion for six years from the date of the audit.
Nacha may contact financial institutions requesting proof of the completion of an ACH audit, and a credit union must respond to a request within ten (10) Banking Days. Failure to provide proof of completion of its own audit, or its third-party service providers’ audit, may automatically be considered a Class 2 rule violation.
5. Improper federal government benefit payment handling after beneficiary is deceased
Credit unions must properly handle federal government benefit payments as required in The Green Book. It is also important for credit unions to understand that this “book” is modified periodically. On January 29, 2021, the Green Book was updated, which impacts how credit unions handle federal government benefit payments after knowledge of death.
Some areas of concern identified in recent reviews were:
- Not knowing where to find Death Notification Entries (DNEs), or not looking at DNEs;
- Returning state SSI, pension, insurance payments, and tax refunds that are not required to be returned under the Rules;
- Not properly researching all the member’s accounts for federal government benefit payments in order to return the payments promptly; and
- Not returning the benefit payments promptly so the funds were withdrawn prior to receipt of a reclamation.
Once a credit union has knowledge of death, it must monitor all accounts held by the decedent from the date it obtained knowledge and going forward for the following federal benefit payments for the decedent:
- Social Security benefit or disability (SSA),
- Supplemental Security Income (SSI),
- Black Lung disability (Dept. of Labor),
- Military and Coast Guard retirement, including allotments from military retired pay (DFAS),
- Civil Service annuity (OPM),
- Veterans Administration benefits (VA),
- Railroad Retirement Board (RRB) annuity,
- US Coast Guard, Worker’s compensation (FECA),
- DC Pensions, Compensation Act (Dept. of Labor), or
- Any other federal retirement or annuity.
Why is this important?
The credit union may be held liable for federal benefit payments it was required to return to the paying agency.
The Green Book (Chapter 5, Section 2) states:
A Credit Union will have full liability for ALL benefit payments received after the death or legal incapacity of a recipient or death of a beneficiary if the RDFI cannot limit its liability (below). If the RDFI fails to meet the qualifications for limiting its liability, the RDFI will be held liable for all post-death benefit payments received after the death or legal incapacity of a recipient or death of a beneficiary. The RDFI will be debited for the full amount of the reclamation. This debit action will be final. Note: If no post-death benefit payment has been received at the time the RDFI learns of the death, the RDFI may also contact the paying agency.
An RDFI may qualify to limit its liability if it:
- certifies it did not have actual or constructive knowledge* of the recipient’s death or incapacity at the time of the deposit of any post-death benefit payments,
- returns all post-death benefit payments it receives after it learns of the recipient’s death (but not post-death benefit payments it received before it learned of the death), and
- responds to the Fiscal Service Form FS Form 133, “Notice of Reclamation” completely and adequately, so that it is received by the government disbursing office within 60 calendar days from the date of the notice.
*Note: In this chapter “constructive knowledge” of the death means that the RDFI would have learned of the death if it had followed commercially reasonable business practices. “Actual or constructive knowledge” is defined in Treasury’s regulations at 31 CFR § 210.2(b).
Exception to Liability Rule
An RDFI will not be held liable for post-death benefit payments sent to a recipient acting as a representative payee or fiduciary on behalf of a beneficiary in the event that the beneficiary dies. In this situation, the paying agency will not initiate a reclamation but will instead pursue recovery of any post-death benefit payments from the representative payee.
Requirement to Return Post-Death Benefit Payments
It is important to understand that once a payment has been credited to payee’s account, it becomes the property of the account holder. In the case of post-death payments, the payments become property of the joint account holder or decedent’s estate. The government cannot legally authorize or direct an RDFI to take funds already credited to an account and send them to the government. This is the reason that RDFIs are directed only to return post-death payments that they receive after they become aware of the payee’s death, using an R14 or R15 code. Such returns are legally permissible because the payments have not been credited to the recipient’s account and therefore have not become property of the joint account holder or decedent’s estate. It is up to each RDFI to consider its policy as an institution as to what steps it may wish to take, if any, upon learning of the death of a recipient in order to preserve funds in the account pending receipt of a Notice of Reclamation (NOR). Some RDFIs, upon becoming aware of an account holder’s death, perform an account analysis before receiving an NOR and voluntarily return post-death payments that were credited to the account before the RDFI learned of the death. RDFIs are cautioned that Fiscal Service does not authorize or direct RDFIs to debit or otherwise affect the account of a recipient, including to return post-death payments already credited to an account. However, Fiscal Service will accept pre-NOR returns of post-death payments provided that they are made electronically using an R14 or R15 code.

