
Don't Make These Mistakes! Key Risk Management Takeaways from Payments 2024

By Crissy Terry posted 05-29-2024 11:05 AM

  

I got to attend Nacha’s Smarter Faster Payments conference this month with fellow members of the ePayAdvisors team to ensure we have the latest industry and regulatory insight to support your payments compliance, risk management, and consulting needs. Here are some quick key takeaways I brought back to share with you!

Session: Funds Transfer Case Update - An Overview Related to Funds Transfer Fraud and Other Funds Transfer

  • If a customer refuses a commercially reasonable security procedure (such as dual control, tokens, etc.) and the refusal is in writing, the courts will likely side with the bank in cases of fraud.
    • Key takeaway: Make sure ACH and Wire agreements include an opt-out for the customer to sign.
  • In Experi-Metal v. Comerica, a phishing link sent to an EMI employee resulted in $1.9M in wires sent after hours, causing a $5M overdraft. The bank stopped new wire sessions but failed to stop current sessions, allowing additional fraudulent transfers.
    • Key takeaway: Train employees on Business Email Compromise and ensure controls are understood to lock down all aspects of the session when fraud is detected.
  • In Sarrouf Law v. First Republic Bank, check deposits were used to fund a wire transfer. The wire was sent and the check was returned.
    • Key takeaways: Make sure you establish robust procedures to ensure checks are collected before wires are sent. Also, think about the liability for the BOFD for an altered or forged endorsement that could result in a loss. Ask questions before sending wires!

Session: Exploring Federal Banking Regulators’ Guidance on Third-Party Risk Management

  • Key takeaways:
    • Your Board of Directors should approve every third-party relationship initially and then annually.
    • Ensure that meeting minutes document these reviews.
    • Document your staff training.
    • Ensure that your agreements are strong, especially regarding the bank’s right to terminate.
    • Common things missing from agreements:
      • Providing and receiving information
      • Right to audit
      • Compliance with laws
      • Subcontracting
      • Insurance (cybersecurity)
      • Nested Third-Party Senders
    • To identify risks, banks are required to monitor returns. If there is an increase in returns, the bank should ask for authorizations to make sure the TPS is acting in accordance with the Nacha Operating Rules.

You can read more about third-party risk management in the recent blog article from Tracy Merritt, SVP, ePayAdvisors. If you have questions about any of these items or would like to chat about how ePayAdvisors can support your compliance, risk management, or instant payments initiatives, please don't hesitate to reach out to me at cterry@epayadvisors.com or 800-475-0585, ext. 1605. I look forward to talking with you!
