Resource Documents Board of Governors of the Federal Reserve System Federal Deposit Insurance Corporation National Credit Union Administration Office of the Comptroller of the Currency Office of Thrift Supervision Financial Crimes Enforcement Network Office of Foreign Assets Control

Examination Procedures Core Procedures Expanded Procedures

Bank Secrecy Act Anti-Money Laundering Examination Manual

Backward | Table of Contents | Forward

Automated Clearing House Transactions—Overview

Objective.  Assess the adequacy of the bank’s systems to manage the risks associated with automated clearing house (ACH) transactions, and management’s ability to implement effective monitoring and reporting systems.

The ACH system is a nationwide electronic payments system used by more than 20,000 participating financial institutions, four million corporations, and 145 million consumers.¹⁶²  Based on data compiled by The National Automated Clearing House Association — The Electronic Payments Association (NACHA), ACH payment volumes have doubled in the last five years.¹⁶³  The use of the ACH is growing rapidly due to the increased volume of electronic check conversion and one-time ACH debits, reflecting the lower cost of ACH processing relative to check processing.  Check conversion transactions, as well as one-time ACH debits, are primarily low-dollar value, consumer transactions for the purchases of goods and services or the payment of consumer bills.  The Federal Reserve Banks’ FedACH system¹⁶⁴ is almost exclusively used for domestic payments, but can accommodate cross-border payments to Canada, Mexico, and some countries in Europe.

ACH Payment Systems

Traditionally, the ACH system has been used for the direct deposit of payroll and government benefit payments and for the direct payment of mortgages and loans.  As noted earlier, the ACH has been expanding to include one-time debits and check conversion.  ACH transactions are payment instructions to either credit or debit a deposit account.  Examples of credit payment transactions include payroll direct deposit, Social Security, dividends, and interest payments.  Examples of debit transactions include mortgage, loan, insurance premium, and a variety of other consumer payments initiated through merchants or businesses.

In general, an ACH transaction is a batch-processed, value-dated, electronic funds transfer between an originating and a receiving bank.  An ACH credit transaction is originated by the accountholder sending funds (payer), while an ACH debit transaction is originated by the accountholder receiving funds (payee).  Within the ACH system, these participants and users are known by the following terms:

• Originator.  An organization or person that initiates an ACH transaction either as a debit or credit.
• Originating Depository Financial Institution (ODFI).  The Originator’s depository financial institution that forwards the ACH transaction into the national ACH network through an ACH Operator.
• ACH Operator.  An ACH Operator processes all ACH transactions that flow between different depository financial institutions.  An ACH Operator serves as a central clearing facility that receives entries from the ODFIs and distributes the entries to the appropriate Receiving Depository Financial Institution.  There are currently two ACH Operators: FedACH and Electronic Payments Network (EPN).
• Receiving Depository Financial Institution (RDFI).  The Receiver’s depository institution that receives the ACH transaction from the ACH Operators and credits or debits funds from their receivers’ accounts.
• Receiver.  An organization or person that authorizes the Originator to initiate an ACH transaction, either as a debit or credit to an account.

Third-Party Service Providers

A third-party service provider (TPSP) is an entity other than an Originator, ODFI, or RDFI that performs any functions on behalf of the Originator, the ODFI, or the RDFI with respect to the processing of ACH entries.¹⁶⁵  NACHA Operating Rules define TPSPs and relevant subsets of TPSPs that include “Third-Party Senders” and “Sending Points.”¹⁶⁶  The functions of these TPSPs can include, but are not limited to, the creation of ACH files on behalf of the Originator or ODFI, or acting as a sending point of an ODFI (or receiving point on behalf of an RDFI).

Risk Factors

The ACH system was designed to transfer a high volume of low-dollar transactions, thereby not posing significant BSA/AML risks.  Nevertheless, the ability to send high-dollar transactions through the ACH may expose banks to BSA/AML risks.  Banks without a robust BSA/AML monitoring system may be exposed to additional risk particularly when accounts are opened over the Internet without face-to-face contact.

ACH transactions that are originated through a TPSP (that is, where the Originator is not a direct customer of the ODFI) may increase BSA/AML risks, therefore making it difficult for an ODFI to underwrite and review Originator transactions for compliance with BSA/AML rules.¹⁶⁷  Risks are heightened when neither the TPSP nor the ODFI performs due diligence on the companies for whom they are originating payments.

Certain ACH transactions, such as those originated through the Internet or the telephone, may be susceptible to manipulation and fraudulent use. Certain practices associated with how the banking industry processes ACH transactions may expose banks to BSA/AML risks.  These practices include:

• An ODFI authorizing a TPSP to send ACH files directly to an ACH Operator, in essence bypassing the ODFI.
• ODFIs and RDFIs relying on each other to perform adequate due diligence on their customers.
• Because ACH processing is highly efficient and more automated than individual funds transfers, there are fewer opportunities for human review of individual transactions.

Risk Mitigation

The BSA requires banks to have BSA/AML compliance programs and appropriate policies, procedures, and processes in place to monitor and identify unusual activity, including ACH transactions.  Obtaining customer due diligence (CDD) information is an important mitigant of BSA/AML risk in ACH transactions.  Because of the nature of ACH transactions and the reliance that ODFIs and RDFIs place on each other for OFAC reviews and other necessary due diligence information, it is essential that all parties have a strong CDD program for regular ACH customers.  For relationships with TPSPs, CDD on the TPSP can be supplemented with due diligence on the principals associated with the TPSP and, as necessary, on the originators.  Adequate and effective CDD policies, procedures, and processes are critical in detecting a pattern of unusual and suspicious activities because the individual ACH transactions are typically not reviewed.  Equally important is an effective risk-based suspicious activity monitoring and reporting system.  In cases where a bank is heavily reliant upon the TPSP, a bank may want to review the TPSP’s suspicious activity monitoring and reporting program, either through its own or an independent inspection.  The ODFI may establish an agreement with the TPSP, which delineates general TPSP guidelines, such as compliance with ACH operating requirements and responsibilities and meeting other applicable state and federal regulations.  Banks may need to consider controls to restrict or refuse ACH services to potential originators engaged in questionable or deceptive business practices.

ACH transactions can be used in the layering and integration stages of money laundering.  Detecting unusual activity in the layering and integration stages can be a difficult task, because ACH may be used to legitimize frequent and recurring transactions.  Banks should consider the layering and integration stages of money laundering when evaluating or assessing the ACH transaction risks of a particular customer.

The ODFI may need to more closely scrutinize transaction details for international ACH.  The ODFI, if frequently involved in international ACH, may develop a separate process for reviewing international ACH transactions that minimizes disruption to general ACH processing, reconcilement, and settlement.

OFAC Screening

All parties to an ACH transaction are subject to the requirements of OFAC.  (Refer to core overview section, “Office of Foreign Assets Control,” for additional guidance.)  OFAC has clarified the application of its rules for domestic and cross-border ACH transactions and is working with industry to provide more detailed guidance on cross-border ACH.¹⁶⁸ 

With respect to domestic ACH transactions, the Originating Depository Financial Institution (ODFI) is responsible for verifying that the Originator is not a blocked party and making a good faith effort to determine that the Originator is not transmitting blocked funds.  The Receiving Depository Financial Institution (RDFI) similarly is responsible for verifying that the Receiver is not a blocked party.  In this way, the ODFI and the RDFI are relying on each other for compliance with OFAC policies.  ODFIs are not responsible for unbatching transactions and ensuring that they do not process transactions in violation of OFAC’s regulations if they receive those transactions already batched from their customers.  If the ODFI unbatches the transactions it received from its customers, then the ODFI is responsible for screening as though it had done the initial batching.

With respect to OFAC screening, these same obligations hold for cross-border ACH transactions.  For outbound cross-border ACH transactions, however, the ODFI cannot rely on OFAC screening by the RDFI outside of the United States.  In the case of inbound ACH transactions, the RDFI is responsible for compliance with OFAC requirements.

Additional information on the types of retail payment systems (ACH payment systems) is available in the FFIEC Information Technology Examination Handbook.¹⁶⁹

 

 

 

Backward | Table of Contents | Forward