In the payments world, third-party risk management identifies and mitigates the risk associated with using a Third-Party Service Provider (TPSP) or Third-Party Sender (TPS). Nacha has been incrementally addressing third-party risk management with changes to their Operating Rules and Guidelines over the last five years, and ePayAdvisors has kept pace with services to help Originating Depository Financial Institutions (ODFIs) and their Third-Party Service Providers and Third-Party Senders remain compliant.
The Third-Party Sender Registration rule, effective September 2017 with a deadline for initial registration of March 2018, required ODFIs to identify and register their Third-Party Sender customers. The registration process promotes consistent customer due diligence among all ODFIs and serves as a tool to support Nacha’s continuing efforts to maintain ACH Network quality.
Effective September 30, 2022, the Third-Party Senders Roles and Responsibilities Rule provides clarity and removes confusion surrounding the roles and responsibilities of parties to a Nested Third-Party Sender relationship and promotes a culture of risk management and compliance by Third-Party Senders using the ACH Network. The rule defines Nested Third-Party Senders; requires their relationships be addressed in ACH Origination Agreements; and required ODFIs to identify all Third-Party Senders allowing Nested Third-Party Sender relationships in Nacha’s Risk Management Portal. The rule also explicitly states that a Third-Party Sender, whether nested or not, must conduct a Risk Assessment of its ACH activities.
Nacha gave ODFIs that were ready a two-month head start on compliance with this new rule, allowing the ability to make those identifications in the Risk Management Portal as of August 1, 2022. On that date Nacha sent an explanatory email with complete instructions to all ODFIs that have registered Third-Party Senders in the Risk Management Portal. While the Rules are effective Sept. 30, 2022, changes would apply to ACH Origination Agreements entered into on or after that date. For updating Risk Management Portal registrations and completing Risk Assessments there is a six-month grace period, until March 31, 2023.
Regulatory changes, new payment applications, evolving technologies, and increasing threats from fraud all contribute to a heightened risk environment. Effectively managing ACH processing risk is critical to an organization’s bottom line and the health of the payments system; an accurate, thorough assessment of risk is the crucial first step. Each Third-Party Sender has a unique ACH processing environment, and the risk assessment should be based on the complexity of that environment
Prior to your institution’s risk assessment, whether conducted in house or by an outside organization like ePayAdvisors, it is recommended that you understand the main risk categories outlined in the FFIEC BSA/AML Examination Manual. ePayAdvisors’ risk assessment is also built around the OCC ACH Risk Management Guidance, and we assess controls across the ACH delivery channel as they relate to sound risk management practices for the specific roles of Originators, Third-Party Senders, and Third-Party Service Providers. We provide a detailed report on inherent risk, implemented controls, and residual risks, along with recommendations for further risk mitigation and operational efficiency. Our process includes risk considerations and controls related to five main categories:
- Governance – Board and management oversight
- Operations – TPSP vendor management, business continuity
- Compliance – OFAC, BSA/AML, OFAC, ACH
- Customer Due Diligence – Underwriting, exposure, credit, funding and settlement, returns
- Systems Access Management – Business email compromise, corporate account takeover, social engineering, information security, protected information
Visit epayadvisors.com or call ePayAdvisors at 800-475-0585, Option 5, to learn more about our Third-Party services, or any of our services designed to empower you to be informed, compliant, and competitive in payments!