To Your Credit – Working to Understand ACH Credit Risk

One question we’re often asked regarding ACH risk is “What types of risks are associated with originating ACH transactions?” This is an important question for you as an originating depository financial institution (ODFI) to be able to answer, because you are responsible for settling payments originated into the ACH network using your routing transit number (RTN), regardless of which customer originates through you. The types of risk associated with originating ACH transactions fall into three basic categories:

  • Operational – the risk of loss due to human error or computer mishap that may delay or alter an ACH transaction
  • Credit – the risk that a party to a transaction cannot provide funds for settlement
  • Fraud – the risk that a transaction may be initiated or altered in a dishonest or criminal attempt to misdirect or misappropriate funds.

Let’s examine the most fundamental of the three, credit risk, in a bit more detail.

One of an ODFI’s primary responsibilities is to control the initiation of ACH transactions into the network.  This is because the ODFI assumes responsibility for all transactions initiated using its RTN.  The amount of credit risk undertaken by initiating the transactions is a function of whether the transaction initiated is a credit or a debit.

With credit transactions, the originator is crediting the receiver’s account and will be debited for that amount on the settlement date.  The ODFI incurs credit risk at the time the transaction is initiated until the time its customer funds the account at settlement to cover the corresponding debit. While this all takes place within a relatively short period of time, the ODFI needs to be confident the originator has the funds.

With debit transactions, the originator is debiting the receiver’s account and will be credited for the amount on the settlement date.  The ODFI is susceptible to credit risk due to the possibility of returns from the time it makes funds available to the originator until the time the receiving depository financial institution (RDFI) can no longer return the debit.  While most returned transactions are received within a few days, some may take considerably longer.  Since receivers can have up to 61 days to return debits because they were unauthorized or the authorization was revoked or improper, the timeframe during which an ODFI might need to charge back the originator’s account can be lengthy.  Again, the ODFI needs to be reasonably confident the originator will still be positioned to cover the returned debits.
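The two exposure windows described above can be turned into a per-originator cap check. The following is an added example, not part of the original article or of any Federal Reserve service; the originator names, amounts, dates and caps are constructed, debit funds are assumed to be made available on the settlement date, and the 61-day period is applied to every debit as a conservative bound.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta

# Assumption: apply the 61-day return period to every debit (conservative bound).
DEBIT_RETURN_WINDOW = timedelta(days=61)

@dataclass(frozen=True)
class Entry:
    originator: str
    kind: str            # "credit" or "debit"
    amount_cents: int
    initiated: date
    settlement: date

def exposure_window(e):
    """Inclusive (start, end) dates during which the ODFI carries credit risk."""
    if e.kind == "credit":
        return e.initiated, e.settlement  # until the originator funds at settlement
    # Assumption: funds are made available to the originator on settlement date.
    return e.settlement, e.settlement + DEBIT_RETURN_WINDOW

def exposure_on(entries, as_of):
    """Outstanding exposure per originator and entry kind on a given date."""
    totals = defaultdict(lambda: {"credit": 0, "debit": 0})
    for e in entries:
        start, end = exposure_window(e)
        if start <= as_of <= end:
            totals[e.originator][e.kind] += e.amount_cents
    return totals

def cap_breaches(entries, caps, as_of):
    """Alerts as (originator, kind, exposure, cap); a missing cap counts as 0."""
    alerts = []
    for originator, by_kind in sorted(exposure_on(entries, as_of).items()):
        for kind, total in by_kind.items():
            cap = caps.get(originator, {}).get(kind, 0)
            if total > cap:
                alerts.append((originator, kind, total, cap))
    return alerts

# Constructed sample data: originator names, amounts, dates and caps are made up.
SAMPLE = [
    Entry("ACME-PAYROLL", "credit", 4_000_000, date(2024, 3, 1), date(2024, 3, 4)),
    Entry("ACME-PAYROLL", "credit", 2_500_000, date(2024, 3, 4), date(2024, 3, 5)),
    Entry("GYM-BILLING", "debit", 1_200_000, date(2024, 2, 1), date(2024, 2, 2)),
    Entry("GYM-BILLING", "debit", 1_500_000, date(2024, 3, 1), date(2024, 3, 4)),
]
CAPS = {"ACME-PAYROLL": {"credit": 5_000_000}, "GYM-BILLING": {"debit": 2_000_000}}
```

With this sample, the credit originator's exposure clears within days of settlement, while the debit originator's February file still counts against its cap a month later.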

The Federal Reserve Banks’ suite of FedACH Risk® Management Services and their FedEDI® Plus Service strive to provide tools to help you monitor for all three types of risk.

The Three Types of ACH Risk and How to Mitigate Them

The value of ACH payment services to financial institutions and their customers is undeniable. The growing popularity of ACH is evident in the numbers: From 2001 to 2011, ACH payment volume grew from about 8 billion to more than 20 billion payments per year.[1]

However, with that explosive growth in adoption come risks in many forms. For example, according to the 2013 AFP Payments Fraud and Control Survey, 8 percent of organizations were affected by payments fraud via ACH in 2012, up from 5 percent the year before.[2]

For your organization to get the most out of ACH, you need to understand the nature of these inherent risks and how to proactively mitigate them.

The Three Types of ACH Risk

1. Operational Risk. The risk that a human error or computer mishap may delay or alter an ACH transaction.

Mitigation considerations:

  • Quickly identify and act upon anomalies at the customer level.
  • Establish clear communication protocols when an error is detected.
  • Strive for efficient notifications in the event of cap breaches.
  • Offer originators the ability to self-monitor ACH transactions.
  • Maintain access to ACH activity with contemporary software.

2. Credit Risk. The risk that an ACH originator may not have the necessary funds on the settlement date.

Mitigation considerations:

  • Place credit and debit caps on originators.
  • Systematically monitor ACH activity of originators.
  • Require pre-funding from high-risk originators.
  • Receive alerts when caps are exceeded.

3. Fraud Risk. The risk that dishonest or criminal attempts may be made to misappropriate funds.

Mitigation considerations:

  • Place limits on the dollar amount an originator is authorized to originate.
  • Systematically monitor the limits placed on originators.
  • Confirm control totals with someone at the originator other than the person who initiated the transactions.
  • Rotate origination and communication responsibilities among employees.
  • Authorize and document all changes made to payments.
  • Maintain strong physical security over computers, communications, and operations areas.
  • Implement stringent data security procedures.

Empower Your Organization

Constant and consistent monitoring is the one thing your institution can do to stay on top of any ACH anomalies. To learn more, view FedACH Risk Management Services.

http://www.frbservices.org/serviceofferings/fedach/

[1] The statistics include commercial inter-bank and government transactions, but not “on-us” transactions.

[2] 2013 AFP Payments Fraud and Control Survey. http://www.afponline.org/fraud/.

Risk Education and Training

At financial institutions, education and training for risk management and fraud detection is not simply a good idea, it’s an essential activity that can help prevent major financial losses and significant reputational harm.

As a case in point, a fraud alert from the FBI, the Financial Services Information Sharing and Analysis Center (FS-ISAC), and the Internet Crime Complaint Center (IC3) underscores the importance of risk and fraud training throughout all levels of a financial institution.

The alert reports that “cyber criminal actors are using spam and phishing e-mails, keystroke loggers and remote access Trojans (RAT) to compromise financial institution networks and obtain employee login credentials.”  The organizations warn that stolen credentials can quickly lead to unauthorized funds transfers and manipulation of account settings to enable further fraudulent activity.

Showing up at the top of the group’s list of recommendations to financial institutions is educating employees on the dangers associated with opening attachments or clicking on links in suspicious emails. (For additional details and the rest of the list, read, “Fraud Alert – Cyber Criminals Targeting Financial Institution Employee Credentials to Conduct Wire Transfer Fraud.”)

Other education and training steps for institutions to consider include:

  • Review internal policies, procedures, and controls to ensure that they are detailed enough to identify threats and preventive actions.
  • Require completion of security and risk awareness training to promote a culture of security and risk management throughout the organization.
  • Follow up awareness training with education on specific procedures tailored to individual jobs, such as security procedures for wire-initiation staff or identification requirements for tellers.
  • Ensure that staffing is adequate to supervise key daily risk management practices.
  • Evaluate prior training and education initiatives and make sure that they are adequate and that they achieve real risk-management results.

That last point aligns with what should be an organization’s strategic requirement to define risk management and security as critical business functions. As such, a financial institution would strive to develop measurable risk-management goals, even if they relate to prevention as opposed to the more typical objectives of decreasing costs or increasing revenue.

Risk management education must take place at all levels of the financial institution, with an emphasis on the amount of risk management that is appropriate at each level. Executives, officers, and board members, for instance, need to not only understand their personal roles in defending against cyber threats but to also understand all risk and security issues at a high level so that they can craft effective policy and interpret risk and compliance reports for proper action. Junior officers, especially if they have compliance duties, need training and education resources to adequately supervise line staff and to judge risk levels accurately.

Finally, remember that you can’t provide education and training once a year and expect that the risk management and security boxes on the compliance checklist are done. If you have high teller turnover, for instance, you need to make sure security procedure training is ongoing.

Please consider including Federal Reserve Financial Services resources in your education efforts. We offer an ongoing series of teleseminars and webinars to acquaint financial institutions with how our service offerings can assist them in their risk monitoring efforts, and we encourage you to make regular visits to this Risk Radar resource center for updated perspectives, tools and opportunities.

This article is not intended to provide an exhaustive list of current or potential risk topics nor is it intended to provide specific risk management or regulatory advice to financial institutions. We encourage financial institutions to remain informed about current and potential risks and to seek appropriate counsel as needed.

Keeping a close eye on fraud

Here at the Federal Reserve, we care a great deal about risk management, monitoring and mitigation. A recent example of our focus on fraud prevention was our sponsorship of the 2012 Payments Fraud survey, designed to help all of us keep our eye on the ever-morphing faces of fraud and fraudsters.

The Federal Reserve Bank of Minneapolis’ Payments Information and Outreach Office conducted the 2012 Payments Fraud Survey, which was part of a broader effort sponsored by the Federal Reserve Banks of Minneapolis, Boston, Dallas and Richmond and the Independent Community Bankers of America (ICBA). As with many studies, recruiting for participation in the survey was not purely at random, and those who responded may not be representative of the organizations located in the Ninth Federal Reserve District or the sponsoring associations’ memberships. Consolidated results with links to individual Federal Reserve Bank results are also available.

We know you care about risk mitigation too, so here are just a few of the key findings from the Minneapolis Ninth District 2012 Payments Fraud Survey.

  • Payments-related fraud remains a significant concern of financial institutions and other corporations in the region, including very small organizations. Nearly all respondents experienced some number of payments fraud attempts (94 percent) and most incurred payments fraud losses (91 percent).
  • Two-thirds of the respondents that reduced their fraud losses in 2011 attributed at least part of the reduction to changes they made to enhance fraud monitoring systems and employee education and training. Organizations interested in reducing fraud losses should consider implementing such measures.
  • Cost is the primary barrier cited by the majority of respondents that prevents them from investing in additional options for mitigating payments fraud. Similar results were reported in 2010 and 2009. This may be shortsighted in view of reports that for some payment types fraud losses exceed the cost of investments in fraud prevention.

Get up to speed on fraud trends by reviewing all the survey results as presented on the Minneapolis Federal Reserve Bank’s website.

A Directors’ Handbook

Risk and compliance issues matter to us, naturally.  We know they matter to you too, so we strive to provide resources on the topic.  One resource that is available is a handbook for bank directors titled Basics for Bank Directors. The 5th edition of this handbook is available on the Federal Reserve Bank of Kansas City’s public website. 

You’ll find information relating to directors’ responsibilities for overseeing bank operations, bank sensitivity to market risk, ideas directors might find useful in judging the condition and performance of their banks, and additional resources available to directors to help them build more detailed knowledge on bank performance matters.

We hope you’ll find it informative.  Please check it out at http://www.kansascityfed.org/publications/banking/basics/index.cfm