Bank Secrecy Act
Automated Clearing House Transactions
Objective. Assess the adequacy of the bank’s systems to manage the risks associated with automated clearing house (ACH) and international ACH transactions (IAT) and management’s ability to implement effective monitoring and reporting systems.
1. Review the policies, procedures, and processes related to ACH transactions, including IATs. Evaluate the adequacy of the policies, procedures, and processes given the bank’s ACH transactions, including IATs, and the risks they present. Assess whether the controls are adequate to reasonably protect the bank from money laundering and terrorist financing.
2. From review of MIS and internal risk rating factors, determine whether the bank effectively identifies and monitors higher-risk customers using ACH transactions, including IATs.
3. Evaluate the bank’s risks related to ACH transactions, including IATs, by analyzing the frequency and dollar volume and types of ACH transactions in relation to the bank’s size, its location, the nature of its customer account relationships, and the location of the origin or destination of IATs relative to the bank’s location.
4. Determine whether the bank’s system for monitoring customers, including third-party service providers (TPSP), using ACH transactions and IATs for suspicious activities, and for reporting of suspicious activities, is adequate given the bank’s size, complexity, location, and types of customer relationships. Determine whether internal control systems include:
- Identifying customers with frequent and large ACH transactions or IATs.
- Monitoring ACH detail activity when the batch-processed transactions are separated for other purposes (e.g., processing errors).
- As appropriate, identifying and applying increased due diligence to higher-risk customers who originate or receive IATs, particularly when a party to the transaction is located in a higher-risk geographic location.
- Using methods to track, review, and investigate customer complaints or unauthorized returns regarding possible fraudulent or duplicate ACH transactions, including IATs.
5. If appropriate, refer to the core examination procedures, “Office of Foreign Assets Control,” pages 157 to 159, for guidance.
6. On the basis of the bank’s risk assessment of customers with ACH transactions as well as prior examination and audit reports, select a sample of higher-risk customers, including TPSPs, with ACH transactions or IATs, which may include the following:
- Customers initiating ACH transactions, including IATs, from the Internet or via telephone, particularly from an account opened on the Internet or via the telephone without face-to-face interaction.
- Customers whose business or occupation does not warrant the volume or nature of ACH or IAT activity.
- Customers who have been involved in the origination or receipt of duplicate or fraudulent ACH transactions or IATs.
- Customers or originators (clients of customers) that are generating a high rate or high volume of invalid account returns, consumer unauthorized returns, or other unauthorized transactions.
7. From the sample selected, analyze ACH transactions, including IATs, to determine whether the amounts, frequency, and jurisdictions of origin or destination are consistent with the nature of the business or occupation of the customer. A review of the account opening documentation, including CIP documentation, may be necessary in making these determinations. Identify any suspicious or unusual activity.
8. On the basis of examination procedures completed, including transaction testing, form a conclusion about the adequacy of policies, procedures, and processes associated with ACH transactions and IATs.