Commercial Insights

Third-party senders: What to know about an annual ACH audit

There are requirements for completing an annual ACH compliance audit, including what the audit must cover and what auditors typically look for.

This training, conducted by Nacha and furnished by Regions Bank, can help ACH participants prepare for their annual ACH audit, in order to help them remain in compliance with Nacha requirements.

Why should a third-party sender complete an annual ACH audit?

An annual ACH audit is mandatory, and if a third-party sender does not comply, there may be operational, contractual and network-level consequences, including the loss of ACH origination privileges due to bank enforcement.

Who is subject to an annual ACH audit?

The following ACH participants must conduct an audit of their compliance with Nacha Operating Rules by December 31 of the calendar year:

• Originating Depository Financial Institution (ODFI)
• Receiving Depository Financial Institution (RDFI)
• Third-Party Service Provider (TPSP)
• Third-Party Sender (TPS)

An audit of compliance with the Nacha Operating Rules must be performed under the direction of an audit Committee, Audit Manager, Senior level Officer, or an independent external examiner or auditor of the participating depository, financial institution, third-party service provider or third-party sender. Proof of completion of the audit must be retained for six years and provided to Nacha upon request.

How should a third-party sender prepare for an annual ACH audit?

1. Make a list of all the ACH functions your organization performs under the Nacha Operating Rules. You can use the list of functions in this training as a starting point.
2. Before the audit, identify all the policies and procedures related to your ACH functions and have them ready for the auditor. This includes a sample of copies of authorizations from Originators your ACH Origination Agreements and your Risk Assessment.
3. Include your OFAC and BSA/AML Policy and Procedures.
4. Pull copies of your ACH Return Rate by Originator and SEC Code reports.
5. If you received any ACH Rules Violations during the year, pull those and the documentation on how you remediated the issue.
6. Determine who will perform your ACH Annual Audit – internal audit, a Payments Association, or another external auditor.

What items are third-party senders required to include in an annual ACH audit?

A third-party center must audit the following items that a third-party sender is responsible for if they apply to their processing:

• Verification of Originator Identity before entering into an ACH Origination Agreement
• ACH TPS/Originator ACH Origination Agreements
• Establishing, implementing, and periodically reviewing an exposure limit for the Originator
• Monitoring the Originator’s origination and return activity across multiple settlement dates
• Enforcing restrictions on the types of entries that may be originated
• Enforcing the exposure limits
• Authorizations for each SEC Code and compliance with the E-Sign Act for signatures
• Provision of UCC4A notice to Originators of credit entries (typically in the ACH Origination Agreement)
• Provision of Proof of Authorizations to Regions Bank
• How the Third-Party Sender stays informed on Nacha Rule Changes 
• How the TPS informs its Originators of Nacha Rules Changes
• Prenotifications – enforcing the waiting period
• Micro-Entries, including commercially reasonable fraud detection for forward and return volumes
• Reversals – only for Erroneous Entries
• Reclamations
• Notification of Changes
• File formats
• Return Entries, including return rate monitoring reports by Originator and SEC Code
• Reinitiation of Returned Entries
• Correction of Entries Returned as R11
• Dishonored Returns
• Late Returns
• Refusal of Acknowledgements (ACK and ATX)
• Return Fee Entries
• Obligations of Third-Party Senders (Subsection 2.16.1)
• Provision of any changes to the Third-Party Sender registration data to Regions Bank
• Has the Third-Party Sender received any Possible Rules Violations during the year?
• Any fraud related to Originators the Third-Party Sender processes on behalf of?

Who should perform the annual ACH audit?

Although it is not required under the Nacha Rules, it is recommended that a Third-Party Sender utilize one of the Payment Associations that conduct audits, as they are very familiar with the Nacha Operating Rules and the requirements. Regions Bank can provide a list of the Payment Associates for the Third-Party Sender to contact directly.

Ready to help

Regions can help with Treasury Management solutions to improve cash flow, streamline payables, and mitigate unnecessary risk exposure. Learn more.

Training is conducted by Nacha and furnished by Regions for informational purposes only, and should not be construed as legal advice or a legal opinion from Regions.