Brandi B. Reynolds, CAMS-Audit, CCI, CCCE
This is a brief story in four parts with a message on improving corporate governance. It includes advice to an auditor on reviewing governance.
You’re a compliance or risk officer of a small financial institution or fintech (the entity). The entity is still in the process of building out its governance structure and procedures. The only management-level committee for any of the risk areas is the MERC (Management Enterprise Risk Committee), which is still in its infancy. The MERC meets informally, and there is no mention of “escalation” in its charter.
As a compliance officer, your scope of responsibility includes Consumer Regulatory Compliance, AML, Vendor Management, and Fraud. During a conversation with an operations analyst, you learn that the entity is still not compliant with a new NACHA operating rule that was effective on March 19, 2021. Your noncompliance has been caused by a third-party vendor that didn’t reach compliance by the effective date. Your entity relies upon the third-party vendor.
The new NACHA rule is “Supplementing Fraud Detection Standards for WEB Debits” a/k/a the “Account Validation Rule.” It’s an important rule in that it should help to prevent some ACH fraud. Under NACHA rules, ACH Originators of WEB debit entries must use a “commercially reasonable fraudulent transaction detection system” to screen WEB debits for fraud. The new rule supplements this existing screening requirement to make explicit that “account validation” is part of a “commercially reasonable fraudulent transaction detection system.” The supplemental requirement applies to the first use of an account number, or changes to the account number.
The operations analyst went on to say that NACHA issued an extension, so it was OK that the vendor wasn’t compliant yet. You ask the analyst when the vendor will be compliant, and the analyst shrugs and mentions that the vendor doesn’t know yet.
Your concern grows because the level of ACH fraud losses (especially returns) has been increasing, and there hasn’t been much attention on this. You get the sense that customers are making payments on their accounts, or funding their accounts, via ACH debits drawn on bank accounts that aren’t really theirs. In either case, the real owner of the account notices, says the ACH wasn’t authorized, and the entity takes the loss, because by the time this all happens the money is gone. The level of these returns is known only in the business unit.
You do some research and realize that NACHA did not issue an extension. All NACHA did was communicate no-enforcement for 1 year, but that the effective date of the rule remained at March 19, 2021. So technically, the third-party vendor (and thus the entity) missed an effective date. During your research, however, you realize that NACHA isn’t requiring the validation of account ownership, just a determination that the account is real and accepts ACH transactions. However, NACHA advises that an entity’s own risk management program may require more. Before diving into that, however, you analyze what you learned from the analyst.
You ask “What are the two main issues with this missed effective date?”
- How did the entity miss complying with the effective date?
The operations analyst has been communicating throughout the entity that the March 19, 2021 effective date of the rule was “extended,” and the analyst’s messaging led others to believe there really was an extension. In reality, all NACHA did was communicate that they would not enforce the new rule for 1 year. That is different from an extension. Because of this, the analyst did not believe the entity needed to report to any committee that the effective date was missed.
- How does the entity steer the vendor into compliance with the effective date?
Given that the vendor is already past the effective date, the least that the entity should expect from the vendor is a robust project plan with an expected completion date. To be several months past an effective date without even having an expected compliance date from the vendor is concerning.
How to Respond?
You turn your attention back to the increasing level of ACH returns that the entity is experiencing. You discuss with the analyst the ways the vendor could attain compliance. NACHA doesn’t specify any particular method, but “commercially reasonable” could include: the use of a Prenotification Entry; ACH micro-transaction verification; use of a commercially available validation service provided by either an ODFI or a third party; use of account validation capabilities or services enabled by APIs; and even use of a third party that provides scoring information on the account status. The analyst mentions that they haven’t discussed the various options with the vendor yet.
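As an added illustration (not code from the article or from any vendor it describes), the following toy pre-screen shows where the rule’s trigger sits in an originator’s flow: a WEB debit is held until the account number has been validated, and a changed account number starts the process over. It uses micro-transaction verification, one of the methods listed above, as the validation step; the attempt limit and all sample values are constructed assumptions.

```python
"""Added example (not from the article): a toy WEB-debit pre-screen that
enforces the Account Validation Rule's trigger (validation on the first
use of an account number or after a change), using micro-deposit
confirmation as the validation method. All data below is constructed."""
import hmac
from dataclasses import dataclass, field

MAX_CONFIRM_ATTEMPTS = 3  # assumed limit on micro-deposit guesses

@dataclass
class ValidationRecord:
    amounts_cents: tuple      # the two micro-deposit amounts sent to the account
    confirmed: bool = False
    attempts: int = 0

@dataclass
class AccountValidator:
    # keyed by (customer_id, routing_number, account_number): a changed
    # account number is a new key, so it is treated as a first use again
    records: dict = field(default_factory=dict)

    def begin(self, customer_id, routing, account, amounts_cents):
        """Record the micro-deposits sent; the customer must report them back."""
        self.records[(customer_id, routing, account)] = ValidationRecord(tuple(amounts_cents))

    def confirm(self, customer_id, routing, account, claimed_cents):
        """Compare the amounts the customer reports; lock out after too many tries."""
        rec = self.records.get((customer_id, routing, account))
        if rec is None or rec.confirmed or rec.attempts >= MAX_CONFIRM_ATTEMPTS:
            return False
        rec.attempts += 1
        expected = ",".join(map(str, sorted(rec.amounts_cents)))
        claimed = ",".join(map(str, sorted(claimed_cents)))
        rec.confirmed = hmac.compare_digest(expected, claimed)  # constant-time compare
        return rec.confirmed

    def needs_validation(self, customer_id, routing, account):
        """True on first use of an account number or after it changed."""
        rec = self.records.get((customer_id, routing, account))
        return rec is None or not rec.confirmed

def screen_web_debit(validator, customer_id, routing, account, amount_cents):
    """Return 'originate' or 'hold'. Any WEB debit on an unvalidated account is
    held; the rest of a fraud detection system (velocity checks, scoring) would
    sit alongside this gate in a real program."""
    if validator.needs_validation(customer_id, routing, account):
        return "hold"
    return "originate"
```

Because the customer must see the micro-deposits to confirm them, this method also demonstrates access to the account, which goes beyond the existence check NACHA requires and toward what an entity’s own risk program may want given rising unauthorized returns.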
Under good governance procedures, several of these issues would be communicated to the existing MERC committee. First, a compliance effective date was missed. That is worthy of reporting. Second, the vendor does not know when it will be compliant. That is worthy of escalation to the committee. Third, the entity’s increasing level of returns hasn’t been reported anywhere, and that is also worthy of escalation. Were any of this reporting actually to happen, the MERC committee would become a valuable part of the entity’s governance. Via this committee, the missed effective date and the vendor’s non-compliance can be communicated and documented. Most importantly, committee members can provide guidance to the analyst on how to proceed.
The take-away is to ensure that the charter for your committee specifically discusses “escalation” of compliance matters to the committee.
The Risk of Audit Findings
In this scenario, an auditor could cite five items:
- The entity missed an effective date
- A vendor cannot provide a completion date to reach compliance
- The entity failed to manage the vendor
- The entity lacked reporting to any governance committee on the increasing ACH returns
- The MERC Charter does not include language about “escalation.”
Advice to Compliance & Risk Officers
It’s best to avoid audit findings. Make a roadmap today that focuses on reporting and escalation through the governance channels. And be sure you understand the difference between an extension of an effective date and forbearance of enforcement.
For more information on how CorCom can assist with your compliance needs, please contact email@example.com.