Bank Secrecy Act
Automated Clearing House Transactions—Overview
Objective. Assess the adequacy of the bank’s systems to manage the risks associated with automated clearing house (ACH) and international ACH transactions (IAT) and management’s ability to implement effective monitoring and reporting systems.
The use of the ACH has grown markedly over the last several years due to the increased volume of electronic check conversion184 and one-time ACH debits, reflecting the lower cost of ACH processing relative to check processing.185 Check conversion transactions, as well as one-time ACH debits, are primarily low-dollar value, consumer transactions for the purchases of goods and services or the payment of consumer bills. ACH is primarily used for domestic payments, but the Federal Reserve Banks’ FedGlobal system186 can currently accommodate cross-border payments to several countries around the world.
In September 2006, the Office of the Comptroller of the Currency issued guidance titled Automated Clearinghouse Activities — Risk Management Guidance. The document provides guidance on managing the risks of ACH activity. Banks may be exposed to a variety of risks when originating, receiving, or processing ACH transactions, or outsourcing these activities to a third party.187
ACH Payment Systems
Traditionally, the ACH system has been used for the direct deposit of payroll and government benefit payments and for the direct payment of mortgages and loans. As noted earlier, the ACH has been expanding to include one-time debits and check conversion. ACH transactions are payment instructions to either credit or debit a deposit account. Examples of credit payment transactions include payroll direct deposit, Social Security, dividends, and interest payments. Examples of debit transactions include mortgage, loan, insurance premium, and a variety of other consumer payments initiated through merchants or businesses.
In general, an ACH transaction is a batch-processed, value-dated, electronic funds transfer between an originating and a receiving bank. An ACH credit transaction is originated by the accountholder sending funds (payer), while an ACH debit transaction is originated by the accountholder receiving funds (payee). Within the ACH system, these participants and users are known by the following terms:
- Originator. An organization or person that initiates an ACH transaction to an account either as a debit or credit.
- Originating Depository Financial Institution (ODFI). The Originator’s depository financial institution that forwards the ACH transaction into the national ACH network through an ACH Operator.
- ACH Operator. An ACH Operator processes all ACH transactions that flow between different depository financial institutions. An ACH Operator serves as a central clearing facility that receives entries from the ODFIs and distributes the entries to the appropriate Receiving Depository Financial Institution. There are currently two ACH Operators: FedACH and Electronic Payments Network (EPN).
- Receiving Depository Financial Institution (RDFI). The Receiver’s depository institution that receives the ACH transaction from the ACH Operators and credits or debits funds from their receivers’ accounts.
- Receiver. An organization or person that authorizes the Originator to initiate an ACH transaction, either as a debit or credit to an account.
- Gateway Operator (GO). A financial institution, ACH Operator, or ODFI that acts as an entry or exit point to or from the United States. A formal declaration of status as a Gateway Operator is not required. ACH operators and ODFIs acting in the role of Gateway Operators have specific warranties and obligations related to certain international entries. A financial institution acting as a Gateway Operator generally may process inbound and outbound debit and credit transactions. ACH Operators acting as Gateway Operators may process outbound debit and credit entries, but can limit inbound entries to credit entries only and reversals.
NACHA — The Electronic Payments Association (NACHA) issued International ACH Transaction (IAT) operating rules and formats that became effective on September 18, 2009.188 The IAT is a new Standard Entry Class code for ACH payments that enables financial institutions to identify and monitor international ACH payments, and perform screening as required by OFAC. The rules require Gateway Operators to classify payments that are transmitted to or received from a financial agency189 outside the territorial jurisdiction of the United States as IATs. The classification will depend on where the financial agency that handles the payment transaction (movement of funds) is located and not the location of any other party to the transaction (e.g., the Originator or Receiver).
Under NACHA operating rules, all U.S. financial institutions that participate in the ACH Network must be able to utilize the IAT format.
Definition of IAT
An IAT is an ACH entry that is part of a payment transaction involving a financial agency’s office that is not located in the territorial jurisdiction of the United States. An office of a financial agency is involved in the payment transaction if one or more of the following conditions are met:
- Holds an account that is credited or debited as part of a payment transaction; or
- Receives funds directly from a person or makes payment directly to a person as part of a payment transaction; or
- Serves as an intermediary in the settlement of any part of a payment transaction.
IAT Defined Terms
An “inbound entry” originates in another country and is transmitted to the United States. For example, an inbound entry could be funding for a company payroll. Each subsequent IAT used for direct deposit would be an inbound IAT entry.
An “outbound entry” originates in the United States and is transmitted to another country. For example, IAT pension payments going from a U.S. ODFI to a U.S. RDFI in which the funds are then transferred to an account in another country would be outbound IAT entries.
Payment Transaction Guidance
A payment transaction is:
- An instruction of a sender to a bank to pay, or to obtain payment of, or to cause another bank to pay or to obtain payment of, a fixed or determinate amount of money that is to be paid to, or obtained from, a Receiver, and
- Any and all settlements, accounting entries, or disbursements that are necessary or appropriate to carry out the instruction.
Identification of IAT Parties
The NACHA operating rules define new parties as part of an IAT entry:
- Foreign Correspondent Bank: A participating depository financial institution (DFI) that holds deposits owned by other financial institutions and provides payment and other services to those financial institutions.
- Foreign Gateway Operator (FGO): A Gateway Operator that acts as an entry point to or exit point from a foreign country.
The new IAT format increases the amount of originator and beneficiary data that will be available to banks. This additional data may assist banks in their OFAC, anti-money laundering, and monitoring efforts.190 Examples of information now available to banks under the new IAT format include:
- Originator name and address.
- Receiver name and address.
- Originator and Receiver account numbers.
- ODFI name (inbound IAT, foreign DFI), identification number, and branch country code.
- RDFI name (outbound IAT, foreign DFI), identification number, and branch country code.
- Country code.
- Currency code.
- Foreign Exchange indicator.
Refer to www.nacha.org for more information on additional data available to banks under the new IAT format.
Third-Party Service Providers
A third-party service provider (TPSP) is an entity other than an Originator, ODFI, or RDFI that performs any functions on behalf of the Originator, the ODFI, or the RDFI with respect to the processing of ACH entries.191 NACHA operating rules define TPSPs and relevant subsets of TPSPs that include "Third-Party Senders" and "Sending Points."192 The functions of these TPSPs can include, but are not limited to, the creation of ACH files on behalf of the Originator or ODFI, or acting as a sending point of an ODFI (or receiving point on behalf of an RDFI).
The ACH system was designed to transfer a high volume of low-dollar domestic transactions, which pose lower BSA/AML risks. Nevertheless, the ability to send high-dollar and international transactions through the ACH may expose banks to higher BSA/AML risks. Banks without a robust BSA/AML monitoring system may be exposed to additional risk particularly when accounts are opened over the Internet without face-to-face contact.
ACH transactions that are originated through a TPSP (that is, when the Originator is not a direct customer of the ODFI) may increase BSA/AML risks, because they make it more difficult for an ODFI to underwrite and review Originator transactions for compliance with BSA/AML rules.193 Risks are heightened when neither the TPSP nor the ODFI performs due diligence on the companies for whom they are originating payments.
Certain ACH transactions, such as those originated through the Internet or the telephone, may be susceptible to manipulation and fraudulent use. Certain practices associated with how the banking industry processes ACH transactions may expose banks to BSA/AML risks. These practices include:
- An ODFI authorizing a TPSP to send ACH files directly to an ACH Operator, in essence bypassing the ODFI.
- ODFIs and RDFIs relying on each other to perform adequate due diligence on their customers.
- Batch processing that obscures the identities of originators.
- Lack of sharing of information on or about originators and receivers inhibits a bank’s ability to appropriately assess and manage the risk associated with correspondent and ACH processing operations, monitor for suspicious activity, and screen for OFAC compliance.
The BSA requires banks to have BSA/AML compliance programs and appropriate policies, procedures, and processes in place to monitor and identify unusual activity, including ACH transactions. Obtaining CDD information in all operations is an important mitigant of BSA/AML risk in ACH transactions. Because of the nature of ACH transactions and the reliance that ODFIs and RDFIs place on each other for OFAC reviews and other necessary due diligence information, it is essential that all parties have a strong CDD program for regular ACH customers. For relationships with TPSPs, CDD on the TPSP can be supplemented with due diligence on the principals associated with the TPSP and, as necessary, on the originators. Adequate and effective CDD policies, procedures, and processes are critical in detecting a pattern of unusual and suspicious activities because the individual ACH transactions are typically not reviewed. Equally important is an effective risk-based suspicious activity monitoring and reporting system. In cases where a bank is heavily reliant upon the TPSP, a bank may want to review the TPSP’s suspicious activity monitoring and reporting program, either through its own or an independent inspection. The ODFI may establish an agreement with the TPSP, which delineates general TPSP guidelines, such as compliance with ACH operating requirements and responsibilities and meeting other applicable state and federal regulations. Banks may need to consider controls to restrict or refuse ACH services to potential originators and receivers engaged in questionable or deceptive business practices.
ACH transactions can be used in the layering and integration stages of money laundering. Detecting unusual activity in the layering and integration stages can be a difficult task, because ACH may be used to legitimize frequent and recurring transactions. Banks should consider the layering and integration stages of money laundering when evaluating or assessing the ACH transaction risks of a particular customer.
The ODFI should be aware of IAT activity and evaluate the activity using a risk-based approach in order to ensure that suspicious activity is identified and monitored. The ODFI, if frequently involved in IATs, may develop a separate process, which may be automated, for reviewing IATs that minimizes disruption to general ACH processing, reconcilement, and settlement.
The potentially higher risk inherent in IATs should be considered in the bank’s ACH policies, procedures, and processes. The bank should consider its current and potential roles and responsibilities when developing internal controls to monitor and mitigate the risk associated with IATs and to comply with the bank’s suspicious activity reporting obligations.
In processing IATs, banks should consider the following:
- Customer and transaction types and volume.
- Third-party payment processor relationships.
- Responsibilities, obligations, and risks of becoming a GO.
- CIP, CDD, and EDD standards and practices.
- Suspicious activity monitoring and reporting.
- Appropriate MIS, including the potential necessity for systems upgrades or changes.
- Processing procedures (e.g., identifying and handling IATs, resolving OFAC hits, and handling noncompliant and rejected messages).
- Training programs for appropriate bank personnel (e.g., ACH personnel, operations, compliance, audit, customer service, etc.).
- Legal agreements, including those with customers, third-party processors, and vendors, and whether those agreements need to be upgraded or modified.
All parties to an ACH transaction are subject to the requirements of OFAC. (Refer to core overview section, "Office of Foreign Assets Control," pages 147 to 156, for additional guidance.) OFAC has clarified the application of its rules for domestic and cross-border ACH transactions and provided more detailed guidance on cross-border ACH.194
With respect to domestic ACH transactions, the ODFI is responsible for verifying that the Originator is not a blocked party and making a good faith effort to ascertain that the Originator is not transmitting blocked funds. The RDFI similarly is responsible for verifying that the Receiver is not a blocked party. In this way, the ODFI and the RDFI are relying on each other for compliance with OFAC regulations.
If an ODFI receives domestic ACH transactions that its customer has already batched, the ODFI is not responsible for unbatching those transactions to ensure that no transactions violate OFAC’s regulations. If an ODFI unbatches a file originally received from the Originator in order to process “on-us” transactions, that ODFI is responsible for the OFAC compliance for the on-us transactions because it is acting as both the ODFI and the RDFI for those transactions. ODFIs acting in this capacity should already know their customers for the purpose of OFAC and other regulatory requirements. For the residual unbatched transactions in the file that are not "on-us," as well as those situations where banks deal with unbatched ACH records for reasons other than to strip out the on-us transactions, banks should determine the level of their OFAC risk and develop appropriate policies, procedures, and processes to address the associated risks. Such policies might involve screening each unbatched ACH record. Similarly, banks that have relationships with third-party service providers should assess the nature of those relationships and their related ACH transactions to ascertain the bank’s level of OFAC risk and to develop appropriate policies, procedures, and processes to mitigate that risk.
With respect to cross-border screening, similar but somewhat more stringent OFAC obligations hold for IATs. In the case of inbound IATs, and regardless of whether the OFAC flag in the IAT is set, an RDFI is responsible for compliance with OFAC requirements. For outbound IATs, the ODFI cannot rely on OFAC screening by an RDFI outside of the United States. In these situations, the ODFI must exercise increased diligence to ensure that illegal transactions are not processed.
Due diligence for an inbound or outbound IAT may include screening the parties to a transaction, as well as reviewing the details of the payment field information for an indication of a sanctions violation, investigating the resulting hits, if any, and ultimately blocking or rejecting the transaction, as appropriate. Refer to the core overview section, “Office of Foreign Asset Control,” pages 147 to 156, for additional guidance.
In guidance issued on March 10, 2009, OFAC authorized institutions in the United States when they are acting as an ODFI/GO for inbound IAT debits to reject transactions that appear to involve blockable property or property interests.195 The guidance further stated that to the extent that an ODFI/GO screens inbound IAT debits for possible OFAC violations prior to execution and in the course of such screening discovers a potential OFAC violation, the suspect transaction is to be removed from the batch for further investigation. If the ODFI/GO determines that the transaction does appear to violate OFAC regulations, the ODFI/GO should refuse to process the transfer. The procedure applies to transactions that would normally be blocked as well as to transactions that would normally be rejected for OFAC purposes based on the information in the payments.
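The following is an added example, not part of the FFIEC manual or any NACHA specification: a small Python model of the IAT test described under "Definition of IAT" and of the allocation of OFAC screening responsibility between ODFI and RDFI for domestic entries, unbatched on-us entries, and inbound and outbound IATs described above. The Entry fields, the role names, and the watchlist name are constructed for illustration and do not follow the NACHA record layout.

```python
from dataclasses import dataclass

US = "US"
WATCHLIST = {"BLOCKED TRADING CO"}  # constructed sample name, not a real SDN entry


@dataclass
class Entry:
    originator: str
    receiver: str
    odfi_country: str                   # country of the financial agency office on the ODFI side
    rdfi_country: str                   # country of the financial agency office on the RDFI side
    intermediary_countries: tuple = ()  # offices settling any part of the transaction
    remittance: str = ""                # payment field information carried in the entry
    ofac_flag: bool = False             # IAT OFAC screening indicator set upstream


def is_iat(e: Entry) -> bool:
    """IAT when any involved financial agency office is outside U.S. jurisdiction."""
    return any(c != US for c in (e.odfi_country, e.rdfi_country, *e.intermediary_countries))


def direction(e: Entry) -> str:
    """'domestic', 'inbound' (originates abroad) or 'outbound' (originates in the U.S.)."""
    if not is_iat(e):
        return "domestic"
    return "inbound" if e.odfi_country != US else "outbound"


def parties_to_screen(e: Entry, role: str, on_us: bool = False) -> set:
    """Elements a bank acting as `role` ('ODFI' or 'RDFI') must screen.
    Domestic: ODFI checks the Originator, RDFI checks the Receiver, each relying
    on the other; an ODFI that unbatched on-us entries is also the RDFI for them.
    Inbound IAT: the RDFI screens everything whatever the upstream OFAC flag says.
    Outbound IAT: the ODFI cannot rely on a foreign RDFI, so it screens everything."""
    everything = {"originator", "receiver", "payment_fields"}
    own_customer = {"originator"} if role == "ODFI" else {"receiver"}
    d = direction(e)
    if d == "domestic":
        return {"originator", "receiver"} if on_us else own_customer
    if (d, role) in {("inbound", "RDFI"), ("outbound", "ODFI")}:
        return everything
    return own_customer  # every party stays subject to OFAC; screen own customer at least


def screen(e: Entry, role: str, on_us: bool = False) -> str:
    """'hold' when a screened element matches the watchlist (the entry is pulled
    from the batch for investigation before any block/reject), else 'process'."""
    values = {"originator": e.originator, "receiver": e.receiver,
              "payment_fields": e.remittance}
    for element in parties_to_screen(e, role, on_us):
        if any(name in values[element].upper() for name in WATCHLIST):
            return "hold"
    return "process"
```

Running the domestic case with both roles shows the reliance the text describes: the ODFI passes an entry whose Receiver is listed because only the RDFI is expected to screen the Receiver, while the same ODFI holds it once the entry is on-us.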
Additional information on the types of retail payment systems (ACH payment systems) is available in the FFIEC Information Technology Examination Handbook.196