© 2011 NACHA — The Electronic Payments Association. All rights reserved. No part of this material may be used without the prior written permission of NACHA. This material is not intended to provide any warranties, legal advice, or professional assistance of any kind.

NACHA’s Risk Management Strategy Update

NAFP Treasury Management Conference
September 15, 2011

Barry Gideon
Vice President, Treasury Services


Agenda

• The ACH Network
• NACHA
• Risk Management Strategy
• Risk Management Rules & Initiatives
  – Network Enforcement Rule
  – Direct Access Registration Rule
  – ACH Security Framework
  – Corporate Account Takeover
  – ACH Benchmarking
  – Third Party Senders
  – Terminated Originator Database
• How Banks Approach ACH Credit Risk Exposure


The ACH Network

• The ACH Network is a batch processing, store-and-forward system, governed by The NACHA Operating Rules
• ACH payments include:
  – Direct Deposit of payroll, Social Security and other government benefits, and tax refunds
  – Direct Payment of such consumer bills as mortgages, loans, utility bills, and insurance premiums
  – Business-to-Business payments
  – e-Checks
  – e-Commerce payments
  – Federal, state, and local payments


ACH Network Volume (billions)

[Chart: annual ACH Network volume, 2000 through 2010; vertical axis 0 to 16 billion]


2010 Growth of Selected ACH Applications

ACH Application   Growth / Decline   Description of Application
ARC                -8.5%             Conversion of Checks to ACH in a Lockbox Environment
BOC                12.9%             Conversion of Checks to ACH in a Back Office Environment
CCD                 3.4%             Corporate Credit or Debit – Primarily B2B Transactions
CIE                15.6%             Customer Initiated Entries – ACH Credits initiated by Consumers for Bill Payments
CTX                11.1%             Corporate Trade Exchange – Primarily B2B Transactions
POP                 6.8%             Point of Purchase – Conversion of Checks to ACH at the Point of Purchase
PPD                 3.1%             Pre-Authorized Consumer Payments such as Insurance & Health Club Dues
RCK               -28.2%             Conversion of Deposited Insufficient Funds Items from Check to ACH
TEL                 3.1%             ACH Transaction Initiated by Oral Authorization provided over the Telephone
WEB                 7.4%             ACH Transaction Initiated by an Authorization Provided via the Internet
Overall             3.4%             Overall ACH Network Growth


ACH Volume and Value by SEC Code - 2010

[Two pie charts]
Volume: PPD 48%, WEB 16%, ARC 14%, CCD 13%, Other 4%, POP 3%, TEL 2%
Value: CCD 57%, PPD 28%, CTX 9%, WEB 3%, ARC 2%, Other 1%


NACHA

• NACHA supports the growth of the ACH Network by managing its development, administration, and governance
  – NACHA represents nearly 11,000 financial institutions through 17 regional payments associations and direct membership
  – Through its industry councils and forums, NACHA brings together payments system stakeholder organizations to encourage the efficient utilization of the ACH Network, and develop new ways to use the Network to benefit its diverse set of participants


NACHA

• NACHA occupies a unique role in the association world, serving as both an industry trade association and the administrator of the Automated Clearing House (ACH) Network
• In its role of ACH Network Administrator, NACHA is responsible for four key functional areas:
  – NACHA Operating Rules
  – Network Enforcement & Risk Management
  – Network Strategy & Outreach
  – Advanced Payment Solutions


Key NACHA Roles

[Diagram of Key NACHA Roles: Dialogue, Education, Advocacy, Enforcement, Rules Creation; Risk, Collaboration, Innovation]

Support for the industry, facilitating the balance of risk and innovation


NACHA – Enforcement & Risk Management

• Network Enforcement & Risk Management
  – NACHA develops and implements a comprehensive, end-to-end risk management framework
  – Collectively, the strategy addresses risk and quality in the ACH Network
  – Areas of responsibility include:
    • Arbitration Board
    • National System of Fines
    • Risk Investigations & Services
    • Risk Management Advisory Group
    • Risk Management Support & Communications


Risk Management as a Strategic Priority

• NACHA’s Risk Management Advisory Group (RMAG)
  – The RMAG currently consists of representation from:
    • The 2 gateway operators (Federal Reserve and EPN)
    • 15 Financial institutions
    • 6 Regional Payment Associations
  – Achievements include significant contributions to the NACHA rule making process and to Network education around the changing face of ACH payments risk
  – Advises the NACHA Board and works with staff to guide and implement the risk management strategy
  – Plays a vital role in developing and providing a comprehensive approach to Network risk management


Risk / Quality Continuum

[Diagram: initiatives plotted by Risk Strength of Initiative (Low to High) against Quality Strength of Initiative (Low to High)]

ACH Security Framework
• Data Security
• Authentication
• Data Breach Policy

Risk Management Assessment & Audit Compliance
• Assessment Requirements
• Regulatory Compliance
• Enhanced ACH Audits

Operator/NACHA Tools
• ODFI Understanding / New ODFI Training
• FI Contact & Communications
• Data Review

Data Sharing
• Originator Watch List
• Terminated Originator Database
• Direct Access Registration
• Data Review

Targeted Enforcement
• Unauthorized Trigger
• Reporting
• Fines
• Possible Suspension

Sound Business Practices
• Corporate Account Takeover
• Third-Party Risk
• Direct Access Credit

Quality Initiatives
• Misuse of Codes
• WSUD/Unauthorized
• Adjustments

ACH Benchmarking
• FI to FI Peer Group
• Industry Collaboration with ABA

• Risk and quality improvements cannot be accomplished through a single effort or one all-encompassing rule change. Each initiative is a complementary piece of the entire strategy


ACH Return Rates

Industry Return Rates - 2010

                        Total    NSF      Invalid  Unauthorized
ACH Network             1.00%    0.64%    0.18%    0.02%
Credits – All SECs      0.20%    0.00%    0.12%    0.00%
Debits – All SECs       1.56%    1.07%    0.23%    0.03%
PPD Credits             0.23%    0.00%    0.15%    0.00%
PPD Debits              2.26%    1.62%    0.23%    0.04%
ARC                     0.31%    0.18%    0.10%    0.00%
BOC                     1.45%    1.03%    0.21%    0.01%
POP                     0.96%    0.75%    0.10%    0.02%
RCK                    60.88%   49.81%    1.87%    0.07%
TEL                     5.74%    3.93%    1.21%    0.11%
WEB                     1.33%    0.87%    0.24%    0.03%


Risk Continues to be Well Managed – While New Threats Continue to Emerge

[Chart: Number of Unauthorized Debits per quarter, 2Q06 through 1Q11 (vertical axis 600,000 to 1,000,000), annotated with the Network Enforcement Rule and the Company Name Rule]

2010 Decline – 10.9%


Network Enforcement Rule

• Network Enforcement Rule – March 2008
  – Enhanced National System of Fines
    • Sets higher fine levels
    • Establishes the authority for the ACH Rules Enforcement Panel to direct an ODFI to suspend an Originator/Third-Party Sender from originating
    • Effective December 21, 2007
  – ODFI Reporting Requirements
    • Ensures ODFI’s Originators or Third-Party Senders do not exceed a return rate of 1% for unauthorized entries
  – Requires ODFIs to reduce unauthorized return rates below threshold
    • Defines circumstances under which NACHA may initiate a rules enforcement proceeding related to unauthorized return rates above the threshold


Network Enforcement Rule Evaluation

• Currently evaluating the effectiveness of the Network Enforcement Rule since implementation in 2008
  – The overall number of unauthorized returns is down
  – The overall percentage of unauthorized returns is down
  – Problematic rates are .50% - .99%
• Currently, the ODFI has 60 days after receipt of NACHA’s written request to reduce its Originator’s or Third-Party Sender’s return rate for unauthorized reasons to below 1% before being subject to the National System of Fines
  – The current 1% threshold for debit entries returned as unauthorized is 33 times the 2010 unauthorized return rate for all ACH debits (0.03%)
  – Experience has shown that the 60-day time period is ineffective for risk management purposes
• In some circumstances an Originator generates a large volume of unauthorized returns, which are problematic transactions, yet does not exceed the current threshold because of the high volume of transactions it originates


Network Enforcement Rule Evaluation

• NACHA’s Rule Making Process recently issued a Request For Comment (RFC) which included a proposal to reduce the unauthorized return threshold from the existing rate of 1%, down to .75%, and then eventually to .50%
• The Request For Comment also included a proposal to modify the time period before fines are possible for over-threshold activity by reducing the 60-day period


Network Enforcement Rule Evaluation

• There is also an opportunity to enhance the effectiveness of the Rule by spotlighting “Invalid returns.” Invalid returns include:
  • R03 – No Account / Unable to Locate Account
  • R04 – Invalid Account
  – Often, there is a correlation between Originators who have high return rates for “unauthorized” transactions and high return rates for “invalid” transactions
  – For instance, returns for invalid account information may occur due to phishing for valid account numbers
  – The Request For Comment included a proposal for establishing a 1% threshold on invalid returns
  – RMAG, through a white paper, is developing sound business practices surrounding the issue of returns for invalid account information and to educate on the potential correlation between “invalids” and “unauthorized” returns
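The Network Enforcement Rule slides above describe the 1% unauthorized return threshold, the proposed reductions to .75% and .50%, the .50% to .99% problematic band, the proposed 1% threshold on invalid (R03/R04) returns, and the high-volume Originator whose raw count of unauthorized returns is large while its rate stays under threshold. The following Python is an added example of per-Originator monitoring against those figures; it is not NACHA's or any ODFI's code, and the reason code treated as unauthorized (R10), the absolute-count watch level, the Originator IDs and the return counts are constructed assumptions.

```python
"""Per-Originator unauthorized / invalid return-rate monitor.

Added example for the Network Enforcement Rule discussion; not NACHA's code.
Thresholds are the figures stated in the presentation; reason codes other than
R03/R04 and the absolute-count watch level are local assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass

INVALID_CODES = {"R03", "R04"}          # "invalid" returns named in the presentation
UNAUTHORIZED_CODES = {"R10"}            # assumption: codes an ODFI counts as unauthorized

CURRENT_UNAUTH_THRESHOLD = 0.01         # 1% of debits returned as unauthorized
PROPOSED_UNAUTH_THRESHOLDS = (0.0075, 0.005)   # RFC proposal: .75%, then .50%
PROPOSED_INVALID_THRESHOLD = 0.01       # RFC proposal: 1% on invalid returns
PROBLEMATIC_BAND = (0.005, 0.01)        # .50% - .99%: under threshold, still problematic
ABSOLUTE_UNAUTH_WATCH = 50              # assumption: internal watch level on raw count


@dataclass
class OriginatorStats:
    originated: int = 0
    unauthorized: int = 0
    invalid: int = 0

    @property
    def unauthorized_rate(self) -> float:
        return self.unauthorized / self.originated if self.originated else 0.0

    @property
    def invalid_rate(self) -> float:
        return self.invalid / self.originated if self.originated else 0.0


def tally(entries):
    """Aggregate (originator_id, return_reason_or_None) records per Originator."""
    stats = defaultdict(OriginatorStats)
    for originator, reason in entries:
        s = stats[originator]
        s.originated += 1
        if reason in UNAUTHORIZED_CODES:
            s.unauthorized += 1
        elif reason in INVALID_CODES:
            s.invalid += 1
    return dict(stats)


def evaluate(s, unauth_threshold=CURRENT_UNAUTH_THRESHOLD):
    """Findings for one Originator under the given unauthorized threshold."""
    findings = []
    rate = s.unauthorized_rate
    if rate >= unauth_threshold:
        findings.append("over-unauthorized-threshold")
    elif PROBLEMATIC_BAND[0] <= rate < PROBLEMATIC_BAND[1]:
        findings.append("problematic-unauthorized-band")
    # The case the presentation describes: a large raw count hidden by high volume.
    if s.unauthorized >= ABSOLUTE_UNAUTH_WATCH and rate < unauth_threshold:
        findings.append("high-absolute-unauthorized-count")
    if s.invalid_rate >= PROPOSED_INVALID_THRESHOLD:
        findings.append("over-invalid-threshold")
        if rate >= PROBLEMATIC_BAND[0]:   # the invalid/unauthorized correlation
            findings.append("invalid-unauthorized-correlation")
    return findings


def monitor(entries, thresholds=(CURRENT_UNAUTH_THRESHOLD,) + PROPOSED_UNAUTH_THRESHOLDS):
    """Findings per Originator under the current and each proposed threshold."""
    return {orig: {t: evaluate(s, t) for t in thresholds}
            for orig, s in tally(entries).items()}


def threshold_multiple(threshold, network_rate):
    """How many times the network-wide rate a threshold is (1% vs 0.03% -> about 33)."""
    return threshold / network_rate


def constructed_entries():
    """Constructed sample batch of debit entries for three hypothetical Originators."""
    def batch(originator, total, unauth, invalid):
        reasons = (["R10"] * unauth + ["R03"] * (invalid // 2)
                   + ["R04"] * (invalid - invalid // 2))
        reasons += [None] * (total - len(reasons))
        return [(originator, r) for r in reasons]
    return (batch("ORIG-A", 2_000, 18, 4)       # 0.90% unauthorized: problematic band
            + batch("ORIG-B", 40_000, 120, 40)  # 0.30%: under threshold, 120 raw returns
            + batch("ORIG-C", 1_000, 15, 40))   # 1.50% unauthorized, 4.0% invalid


if __name__ == "__main__":
    for originator, by_threshold in monitor(constructed_entries()).items():
        for threshold, findings in by_threshold.items():
            print(f"{originator} @ {threshold:.2%}: {findings or 'no findings'}")
```

Running it shows ORIG-A moving from the problematic band to over-threshold once the proposed .75% level applies, while ORIG-B stays under every rate threshold and is caught only by the absolute-count watch.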


Direct Access Registration Rule

• The Direct Access Registration Rule requires all ODFIs to register their Direct Access Debit Participant status with NACHA
• Direct Access is defined as a situation in which an Originator, Third-Party Sender, or a Third-Party Service Provider transmits credit or debit entries directly to an ACH Operator (Fed or EPN) using an ODFI’s routing number and settlement account
• A Direct Access Debit Participant is an Originator, Third-Party Sender, or a Third-Party Service Provider with Direct Access for the origination of debit entries except: (i) a Third-Party Service Provider that transmits ACH files solely on behalf of an ODFI where that Third-Party Service Provider does not have a direct agreement with an Originator (and is not itself an Originator), or (ii) an ODFI that transmits files using another Participating DFI’s routing number and settlement account


Direct Access Debit Participant Example

[Diagram: Originators, a Third-Party using the ODFI RTN, the ACH Operator, and the ODFI]

• This is just one example of a Direct Access Debit Participant relationship
• It is incumbent on the ODFI to determine its Direct Access status and register accordingly
  – The ODFI must define its specific relationship(s) with Third-Parties and Originators
• Direct Access can exist in many scenarios, but may not be required to be registered based on the exclusions to the definition


ACH Security Framework Initiative

• RMAG has teamed with NACHA’s Internet Council to develop a proposal for an ACH Security Framework
• Consideration of FFIEC Guidance on Authentication in an Internet Banking Environment (2005; and supplement issued June 28, 2011)
• Framework will ensure that the ACH Network remains high-quality
• Framework will reflect the unique characteristics of the ACH Network
  – The intent is to ensure basic data security obligations for Network participants to protect data in their purview
    • Many, if not most, financial institutions and other ACH participants are likely to already have these practices in place
    • Rules will codify these practices and ensure they exist Network-wide
  – NACHA’s Rule Making Process recently issued a Request For Information (RFI) and is currently compiling industry responses


Corporate Account Takeover Initiative

• Corporate Account Takeover is a type of business identity theft in which a criminal entity steals a company’s valid on-line banking credentials
  – Attacks are typically perpetrated quietly, by the introduction of malware through a simple email or infected website
  – For businesses that have low resistance to such methods of attack, the malware introduced onto their systems may remain undetected for weeks and even months
  – By introducing layered security processes and procedures, technological and otherwise, and other tightened security efforts, financial institutions can help protect businesses from criminals seeking to drain accounts and steal confidential information


Corporate Account Takeover Initiative

• Have introduced a Board Policy on the Importance of Sound Business Practices to Mitigate Corporate Account Takeover:
  – ODFIs should vigilantly and proactively protect against this type of fraud in various ways, including
    • Implementing systems designed to prevent and detect attempts to access a business’ banking credentials
    • Keeping their customers informed about the importance of implementing their own systems and sound business practices to protect themselves
    • Taking a risk-based approach tailored to their individual characteristics and their customers to avoid losses and liability for themselves and other ACH participants
    • Periodically reviewing and updating customer guidance in response to developments in the methods used by cyber thieves to perpetrate Corporate Account Takeover

The sound business practices mentioned in this presentation are not meant to be exclusive approaches nor are they meant to be mandatory requirements. No single security measure is likely to be effective in preventing or mitigating the risks associated with Corporate Account Takeover.


The Importance of Sound Business Practices for ODFIs

• ODFIs should evaluate their risk profiles and appropriately enhance security processes and procedures to prevent and mitigate the risk of corporate account takeover
• Sound Best Practices include:
  – Minimum Security Procedures
  – Dual Control for Payment File Initiation
  – Out-of-Band Authentication and Alerts
  – Enhancement of Account Security Offerings
  – Exploration of Low-Tech Security Options
  – Customer Education
    • Businesses
    • Third-Party Processors


The Importance of Sound Business Practices for Businesses

• Businesses can help protect themselves with layered security processes and procedures and other tightened security efforts
• Sound Best Practices include:
  – Computer Security
    • Staying informed and aware
    • Using layered system security
    • Dedicated computer for online banking
  – Account Security
    • Dual control
    • Account reconcilement
    • Report suspicious activity


Rules Proposals to Address Corporate Account Takeover

• NACHA’s Rule Making Process recently issued a Request For Comment (RFC) and is currently compiling industry responses regarding the Availability Exception Rule
  – Availability Exception Rule
    • Would provide an RDFI, which reasonably suspects that a credit entry is unauthorized, with an exception to the Rules provisions requiring the RDFI to make certain credit entries
    • RDFI would promptly notify the ODFI if using this Rule


ACH Benchmarking Initiative

• RMAG has been providing input on ACH-related considerations in the American Bankers Association’s (ABA’s) Deposit Account Fraud Survey
• Currently working with the ABA to develop benchmarks on ACH “loss” data:
  – Have developed and piloted a peer group Financial Institution benchmarking study that addresses:
    • Emerging trends
    • Measures to detect, prevent and reduce risk
    • Types of fraud
    • Losses related to unauthorized returns and Corporate Account Takeover
  – After the pilot, the ongoing Financial Institution peer group study will be made available broadly for financial institution participation


TPSP / Third Party Sender Initiative

What is a Third-Party Service Provider? Third-Party Sender?

Third Party Service Provider:
• Originates ACH Transactions on behalf of an ODFI’s customer (Originator)
• ACH Origination agreement exists between the ODFI and its customer (the Originator)
• ACH Settlement / funding takes place in the ODFI’s customer’s account (Originator)
• Returned items are charged to the customer’s account (Originator)
• ACH Processing exposure = The dollars of ACH transactions that the ODFI’s customer is originating through the TPSP in a given period

Third Party Sender:
• Originates ACH transactions on behalf of the Third-Party Sender’s own customers (Originators)
• ACH Agreement exists between the ODFI & the Third-Party Sender, not the Third Party Sender’s customers (Originators)
• ACH settlement / funding takes place in the Third Party Sender’s account at the ODFI
• Returns are charged to the Third Party Sender’s account
• ACH Processing exposure = the aggregate dollars of the many, many originators whose funds are flowing into and out of the Third Party Sender’s account at the ODFI


TPSP / Third Party Sender Initiative

Examples:

Third Party Service Providers:
• CPA firm that processes payroll & Direct Deposit on the behalf of its clients
• ADP Payroll Solutions

Third Party Senders:
• Property Management Companies
• Collection Agencies
• Billing Service Providers
• Payment engines for Internet Retailers


Watch Who You Ride With

• ODFIs can be accountable for Third-Party’s compliance with NACHA Operating Rules & regulatory requirements
• High-risk Originators
  – Typically use Third-Party Senders
  – Operate under multiple DBAs
  – Use various techniques to mask return volume
  – Rely on multiple processors, ODFIs, & payment types
  – Increase ODFI liability exponentially beyond the fee income


ODFIs: You Must Ask These Questions

• Are you providing holistic risk management and oversight over your Third-Party Senders?
  – Are you monitoring for transaction patterning?
  – Can you monitor all activity behind the Third-Party?
  – Does ODFI policy = Third-Party policy (e.g., any restrictions on origination)?
  – How interdependent are the Third-Party’s customers?
  – Are you being approached by Third-Parties out of your geography?

• Can you answer these questions consistently across all lines of business or silos?

Page 32

Effectively Managing Third-Party Risk

Rules and regulatory compliance and sound business practices are paramount

Page 33

Sound Business Practices

• Requirements of an ODFI (Not just sound business practices – but required in the Risk Management & Assessments Rule - June 2010)

– Conduct due diligence on the Third-Party Sender and Originators

– Assess the nature of the activity and the risk it presents

– Establish procedures to monitor the TPS

– The ODFI is required to address its internally developed restrictions on origination in its agreement with the TPS

– The right to suspend or terminate any Originator processed by the TPS for breach of the NACHA Operating Rules

• Verify basic facts about the Third-Party Sender

• Ensure ODFI’s agreement with the Third-Party Sender includes all necessary provisions

The sound business practices mentioned in this presentation are not meant to be exclusive approaches nor are they meant to be mandatory requirements.

Page 34

Sound Business Practices

• Perform these procedures on a regular basis

– Annual review of the TPS’ financial condition

– Take a risk-based monitoring approach

– Review the Originator list (their client list) provided by the TPS and properly evaluate it
    Perform open-source research on company names and verify the types of businesses
    Exercise the right to audit the TPS’ and its Originators’ compliance with the agreement and the NACHA Operating Rules


Page 35

Terminated Originator Database Initiative

– The Terminated Originator Database (TOD) went live on March 1, 2011 and is available for ODFIs to sign up, contribute and query

– The TOD is a risk management tool for ODFIs to share information with other ODFIs about Originators and/or Third-Party Senders that have been terminated for cause

– The TOD is not a list of originators prohibited or disapproved by NACHA

– ODFIs can utilize this tool as one component of their due diligence processes for underwriting and continued monitoring of Originators and Third-Party Senders

– The process of contributing and querying the Database is similar to processes used by other electronic payment networks that gain value from consolidated information

– The value of the Database is dependent on ODFIs of all sizes and types contributing data. The more ODFIs that contribute data, the more powerful this risk management tool will be for all ODFIs

Page 36

HOW BANKS APPROACH ACH CREDIT RISK EXPOSURE

Page 37

A Bank’s Risk Exposure

Why does my bank ask me for my company’s financial statements to originate ACH transactions?

• The exposure associated with ACH Transactions is equivalent to granting an unsecured short-term loan for that period

• NACHA strongly encourages Banks to:
  – Establish credit exposure limits for both ACH Debits & Credits for each customer
  – Underwrite the risks associated with the exposure limits that have been established
  – Factor ACH Credit risk as part of the customer’s overall credit exposure profile

Page 38

A Bank’s Risk Exposure – ACH Credits

• The Bank incurs exposure to credit risk for the period between the initiation of an ACH credit file by its customer and the time the company funds the account

• ACH rules do not allow the bank to call back / reverse ACH credits for failure of the company to fund its account at the Bank

File Transmission Date:
• ACH Credit file is transmitted from Company A to Bank A
• Bank A processes the file and delivers transactions to the ACH Operator

Settlement Date:
• Bank A’s account is charged by the Federal Reserve
• Entries are effective on the next banking day
• Company A declares bankruptcy
• Bank A has an unsecured claim against Company A for the entire amount of the ACH credit file

Page 39

A Bank’s Risk Exposure – ACH Debits

File Transmission Date:
• ACH Debit file is transmitted from Company A to Bank A

Settlement Date:
• Bank A’s account is credited by the Federal Reserve
• Entries are effective on the next banking day
• Company A declares bankruptcy

The Bank’s risk is on the small percentage of ACH Debit items that are returned after bankruptcy. The Receiving bank can return items back to the Originating bank within the following timeframes:

Traditional Returns: 2 Days from Effective Date
Unauthorized Returns: 60 Days from Effective Date
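As an added example (not part of the NACHA presentation), the exposure windows from the ACH Credit and ACH Debit slides above modelled in Python: an unfunded credit file counts in full until the company funds it, and a debit file counts while it is still inside the 2-day or 60-day return window. The AchFile record, the calendar-day simplification and the Company A sample figures are assumptions of this example.

```python
from dataclasses import dataclass
from datetime import date

# Return windows from the slides, counted from the effective date (assumption: calendar days, not banking days).
TRADITIONAL_RETURN_DAYS = 2
UNAUTHORIZED_RETURN_DAYS = 60

@dataclass
class AchFile:
    kind: str                        # "credit" or "debit"
    amount: float
    transmitted: date                # Company A -> Bank A file transmission date
    effective: date                  # settlement / effective date
    funded_on: "date | None" = None  # credits only: day the company funded Bank A

def credit_exposure(files, as_of):
    """Unfunded ACH credit files already transmitted: the bank cannot reverse
    them, so the whole amount is an unsecured exposure until funding arrives."""
    return sum(f.amount for f in files
               if f.kind == "credit" and f.transmitted <= as_of
               and (f.funded_on is None or f.funded_on > as_of))

def debit_exposure(files, as_of):
    """Gross debit amounts still returnable on `as_of`, split by the two slide windows."""
    traditional = unauthorized = 0.0
    for f in files:
        if f.kind != "debit" or f.effective > as_of:
            continue
        age = (as_of - f.effective).days
        if age <= TRADITIONAL_RETURN_DAYS:
            traditional += f.amount
        if age <= UNAUTHORIZED_RETURN_DAYS:   # after day 2 only unauthorized returns remain
            unauthorized += f.amount
    return {"traditional_window": traditional, "unauthorized_window": unauthorized}

def exposure_breaches(files, as_of, credit_limit, debit_limit):
    """Compare open exposure with the per-customer limits the slides recommend."""
    credit = credit_exposure(files, as_of)
    debit = debit_exposure(files, as_of)["unauthorized_window"]
    return {"credit": credit, "debit": debit,
            "credit_breach": credit > credit_limit, "debit_breach": debit > debit_limit}

# Constructed sample activity for "Company A" (not figures from the presentation).
AS_OF = date(2011, 9, 13)
SAMPLE = [
    AchFile("credit", 100_000.0, date(2011, 9, 12), date(2011, 9, 13)),
    AchFile("credit", 40_000.0, date(2011, 9, 8), date(2011, 9, 9), funded_on=date(2011, 9, 9)),
    AchFile("debit", 30_000.0, date(2011, 9, 11), date(2011, 9, 12)),
    AchFile("debit", 50_000.0, date(2011, 9, 9), date(2011, 9, 10)),
    AchFile("debit", 20_000.0, date(2011, 6, 30), date(2011, 7, 1)),   # past both windows
]
```

The debit figures are gross amounts still inside each window; a bank would scale them by its own historical return rates before comparing against a limit.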

Page 40