OCC 2004-58
OCC BULLETIN

Subject: Automated Clearing House
Description: NACHA Rule Changes
Date: December 20, 2004

TO: Chief Executive Officers and Compliance Officers of All National Banks, Federal Branches and Agencies, Technology Service Providers, Department and Division Heads, and All Examining Personnel

PURPOSE

The purpose of this bulletin is to advise national banks and examiners of three amendments to National Automated Clearing House Association (NACHA) Operating Rules that became effective in 2004. As part of an effective risk management program, banks should implement procedures to ensure compliance with these and all other NACHA Operating Rules and related Office of the Comptroller of the Currency (OCC) and Federal Financial Institutions Examination Council (FFIEC) guidance. This bulletin supplements guidance on Automated Clearing House (ACH) activities outlined in the FFIEC IT Handbook, "Retail Payment Systems," dated March 2004.

BACKGROUND

The ACH network, through which electronic payments are distributed and settled, has existed since the early 1970s.[1] As the industry develops new and innovative uses for ACH, and as both ACH activity and the number of participants in the network (including third parties) grow, risks to national banks engaged in ACH activity can be complex and not readily apparent. National banks, therefore, must have the expertise to identify ACH risks and be able to implement risk management processes to appropriately manage ACH risk.

NACHA OPERATING RULES CHANGES

Three amendments to NACHA Operating Rules became effective in 2004. The most important changes introduced by the amendments are described below.

Accounts Receivable Conversion (ARC)[2] Opt-out Amendment (Effective June 11, 2004)

This amendment requires originators of ARC debits to allow consumers to opt out of ARC check conversion and to establish reasonable procedures under which consumers may notify originators that their checks are not to be converted to ARC debits.
While not mandated by this NACHA rule amendment, the OCC also encourages national banks that are originators of ARC debits to:

* Provide consumers with a clear and conspicuous notice of their right to opt out;[3]
* Establish procedures to apply any consumer opt-out requests to all checks involving the consumer's checking account; and,
* Provide consumers with a telephone number they may call for any inquiries related to the ARC process.

Network Security Amendment (Effective September 10, 2004)

Banking information must be transmitted through a secure session or encrypted, in either case using a commercially reasonable security technology that, at a minimum, is equivalent to 128-bit RC4 encryption technology. This requirement applies to any ACH transaction between ACH participants, regardless of Standard Entry Class Code. There is also a new requirement for ODFIs to use commercially reasonable methods to establish the identity of each originator who uses an unsecured electronic network to enter into a contractual relationship with the ODFI for the origination of ACH transactions.

Third-Party Senders[4] Amendment (Effective December 10, 2004)

This amendment requires that a third-party sender enter into an agreement with an ODFI under which the third-party sender is bound by the NACHA rules. The amendment also requires the originator to enter into an agreement with the third-party sender under which the originator assumes its responsibilities pursuant to the NACHA rules. These agreements must include acknowledgements that entries that violate federal laws may not be initiated.

Banks should have controls in place to restrict or refuse ACH services to potential originators engaged in questionable or deceptive business practices. However, it is important to be aware that such organizations may originate ACH payments through third-party senders that originate through the bank.
Where an originator that is engaged in questionable business practices uses a third-party sender, the bank bears the same or increased risk as if the bank contracted directly with the originator. The lack of a direct contractual relationship between the ODFI and originator has the potential to increase the risk to the ODFI since it risks being unable to establish a claim against the originator in the event of loss. If originators are not customers of the bank, they may fall outside the bank's know-your-customer responsibility, capability, and processes. A key risk in such a case arises from the fact that the bank may not have information about or control over these originators.

To minimize credit, transaction, compliance, and reputation risk, national banks and their third-party senders should have policies and procedures in place and implemented to ensure that effective due diligence is performed on all originators. Banks must perform risk analyses on new and established relationships and must inform customers and third-party senders of their policies and procedures related to ACH exposure limits and risk management.

Exposure limits

The NACHA Operating Rules require originating depository financial institutions (ODFIs) to: establish an exposure limit for originators, have procedures to review the exposure periodically, and monitor ACH entries relative to the exposure limit across multiple settlement dates. The operating rules also require the ODFI's annual ACH audit to include verification that such requirements are being met. The amendment to the operating rules described above makes it clear that ODFIs must comply with such requirements relating to third-party senders.

The OCC requires banks, in general, to set exposure limits to minimize credit and reputation risk. Exposure limits should be based upon credit-quality factors and the originator's (or third-party sender's) transaction history.
Review and approval of exposure limits should be conducted at least annually by the board or a committee thereof. Banks with high-risk ACH activities should review exposure limits more frequently.[5] Exposure limits must be monitored as a part of daily operations. Banks must ensure that they have established procedures for acting upon files that exceed exposure limits and for handling exception situations. In most cases, ACH-processing personnel should not have the authority to process an ACH file that exceeds established exposure limits.

Direct Access to the ACH Operator

The risks posed to a bank by its granting to a third-party service provider direct access to the ACH operator are discussed in OCC Bulletin 2002-2. In addition to the risk management requirements set forth in that bulletin, banks should require third-party service providers to notify the ODFI of dollar totals for each file processed so that the ODFI can reconcile activity and settlement totals with the ACH operator.

SUMMARY

ACH-related products and services provide national banks with an opportunity to retain customers and attract new business. ACH transactions, however, present significant new and unique risk management and legal liability challenges to management and boards of directors. National banks should comply with NACHA Operating Rules and follow OCC- and FFIEC-related guidance in order to meet such challenges. OCC examiners should continue to assess whether a bank's ACH risk management practices are appropriate in light of the bank's ACH activities and risks.

ADDITIONAL INFORMATION

You may direct any related questions or comments to the Operational Risk Policy Division at (202) 874-5190.

Mark L. O'Dell
Deputy Comptroller for Operational Risk

[1] For more information on the ACH Network, see Appendix A of OCC Bulletin 2002-2 (Jan. 14, 2002) (ACH Transactions Involving the Internet: Guidance and Examination Procedures) and the glossary of ACH terms in the bulletin.
[2] Where the national bank acts as the originating bank for an originator of ARC debits, the bank should encourage its originators to take these measures.
[3] Notice of the opt-out right could simply be included within the notice required by the NACHA rule that advises consumers that their checks may be used as the source document for an ACH entry.
[4] It is increasingly common for a third party to act as an intermediary between an originator and an ODFI. Such a third party is known as a third-party sender. Third-party senders are a type (or subset) of third-party service provider.
[5] Characteristics of high-risk ACH originations include unauthorized returns in excess of 1 percent of transaction volume, lack of a direct relationship between the ODFI and the originator, or direct access by a third party to the ACH operator.
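The exposure-limit control described in the "Exposure limits" section (aggregate an originator's entries across several settlement dates, compare the aggregate to the approved limit, and route any file that would breach it to an exception process outside the processing operator's authority) and the high-risk characteristics listed in footnote 5 can be expressed as a small monitoring routine. The following Python is an added example, not code from the OCC, NACHA or any bank; the file-summary record, the function names, the settlement window and the sample figures are all assumptions made for illustration.

```python
"""Exposure-limit monitor for ACH origination files.

Added example (not OCC, NACHA or any bank's code). The in-house file-summary
model, the names and the sample figures are hypothetical; the control logic
follows the bulletin: aggregate an originator's entries across several
settlement dates, compare the aggregate to the approved exposure limit, and
hold any file that would breach the limit for approval instead of letting
ACH-processing staff release it.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Iterable, List


@dataclass(frozen=True)
class AchFileSummary:
    """Totals for one file received from an originator or third-party sender
    (hypothetical in-house record, not a NACHA file layout)."""
    file_id: str
    originator_id: str
    settlement_date: date
    total_debits: int              # cents
    total_credits: int             # cents
    entry_count: int
    unauthorized_returns: int = 0  # unauthorized returns received against this file


@dataclass(frozen=True)
class ExposureLimit:
    originator_id: str
    limit: int        # cents of debits plus credits outstanding at any time
    window_days: int  # settlement dates still treated as outstanding


@dataclass(frozen=True)
class Decision:
    file_id: str
    action: str       # "ACCEPT" or "HOLD_FOR_APPROVAL"
    exposure_before: int
    exposure_after: int
    limit: int


def outstanding_exposure(history: Iterable[AchFileSummary], originator_id: str,
                         as_of: date, window_days: int) -> int:
    """Sum debits and credits for the originator's files whose settlement date
    falls inside the window ending at as_of; files settling after as_of are
    still pending and count as well."""
    start = as_of - timedelta(days=window_days)
    return sum(f.total_debits + f.total_credits
               for f in history
               if f.originator_id == originator_id and f.settlement_date > start)


def evaluate_file(new_file: AchFileSummary, history: Iterable[AchFileSummary],
                  limit: ExposureLimit) -> Decision:
    """Decide whether a file may be released. A file that would push the
    originator over its limit is held for approval by someone other than the
    processing operator, as the bulletin recommends."""
    if new_file.originator_id != limit.originator_id:
        raise ValueError("limit does not belong to this originator")
    before = outstanding_exposure(history, new_file.originator_id,
                                  new_file.settlement_date, limit.window_days)
    after = before + new_file.total_debits + new_file.total_credits
    action = "ACCEPT" if after <= limit.limit else "HOLD_FOR_APPROVAL"
    return Decision(new_file.file_id, action, before, after, limit.limit)


def unauthorized_return_rate(history: Iterable[AchFileSummary], originator_id: str) -> float:
    """Unauthorized returns as a fraction of entries originated."""
    files = [f for f in history if f.originator_id == originator_id]
    entries = sum(f.entry_count for f in files)
    returns = sum(f.unauthorized_returns for f in files)
    return returns / entries if entries else 0.0


def high_risk_flags(history: Iterable[AchFileSummary], originator_id: str,
                    direct_relationship: bool, third_party_direct_access: bool) -> List[str]:
    """Flags for the high-risk characteristics listed in footnote 5 of the bulletin."""
    flags: List[str] = []
    if unauthorized_return_rate(history, originator_id) > 0.01:   # in excess of 1 percent
        flags.append("UNAUTHORIZED_RETURNS_OVER_1PCT")
    if not direct_relationship:
        flags.append("NO_DIRECT_ODFI_ORIGINATOR_RELATIONSHIP")
    if third_party_direct_access:
        flags.append("THIRD_PARTY_DIRECT_ACCESS_TO_OPERATOR")
    return flags


# Constructed sample data: a hypothetical originator with a $10,000 limit
# measured over a three-day settlement window.
LIMIT = ExposureLimit("ORIG-A", limit=1_000_000, window_days=3)
HISTORY = [
    AchFileSummary("F1", "ORIG-A", date(2004, 12, 13), 300_000, 0, 100, 0),
    AchFileSummary("F2", "ORIG-A", date(2004, 12, 14), 400_000, 0, 200, 4),
]
LARGE_FILE = AchFileSummary("F3", "ORIG-A", date(2004, 12, 15), 400_000, 0, 150)
SMALL_FILE = AchFileSummary("F4", "ORIG-A", date(2004, 12, 15), 200_000, 0, 50)


if __name__ == "__main__":
    for f in (LARGE_FILE, SMALL_FILE):
        print(evaluate_file(f, HISTORY, LIMIT))
    print(high_risk_flags(HISTORY, "ORIG-A", direct_relationship=False,
                          third_party_direct_access=False))
```

With the constructed history, the $7,000 already outstanding plus a $4,000 file exceeds the $10,000 limit and is held, while a $2,000 file is accepted; the originator also trips the footnote 5 return-rate test (4 unauthorized returns on 300 entries, about 1.3 percent) and the no-direct-relationship flag, which is the situation the third-party sender section warns about.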