
ACH Activity: Are You Managing Your BSA Risk?

The Bank Secrecy Act requires banks to manage risks associated with automated clearinghouse (ACH) and international ACH transactions (IAT), which results in a need for effective risk mitigation strategies and monitoring processes. The sheer volume of ACH activity makes the task seem impossible. TCA’s BSA Action Team (BAT) can help evaluate the effectiveness of a BSA program regarding ACH risk.

The Board must ensure the ACH services which are offered fit into the bank’s overall business strategy. The risk assessment is the first step in making this determination and helping the Board establish appropriate controls and risk limits.

Risk Assessment and Developing Controls

ACH risk is divided into two categories: Receiving Depository Financial Institution (RDFI) and Originating Depository Financial Institution (ODFI). The ODFI category will require expanded policies and procedures if you allow customers to originate ACH transactions. In some cases, the controls you put in place to mitigate credit and transaction risks will also mitigate BSA risk. Below we explore the BSA risk of each category.

As a Receiving Depository Financial Institution (RDFI), the bank posts ACH debit and credit entries to customer accounts. The credit risks associated with receiving ACH entries include crediting the customer’s account prior to settlement or allowing a debit to overdraw a customer’s account. Controls such as ACH Policies and Procedures designed to limit dollar amount exposure, a Customer Identification Program, Customer Due Diligence (assessing individual customer risk based on expected activity), and account monitoring can mitigate risks associated with receiving ACH entries. Because ACH moves funds quickly through the financial system, it is an attractive option for the layering stage of money laundering. The increase in the use of virtual wallets (e.g., Venmo, PayPal, Google) and virtual currency (e.g., Bitcoin, Litecoin) makes transaction monitoring more difficult because the bank cannot identify the sender or receiver of the funds. For customers with a large number of anonymous transactions, the bank must rely on its knowledge and understanding of the anticipated use of the account and the reasonableness of the volume and velocity of activity.

As an Originating Depository Financial Institution (ODFI), the bank originates ACH entries on behalf of the bank and its customers. The credit risk associated with originating ACH entries is ensuring funds are available in the customer’s account at the time of settlement. Beyond credit risk, for BSA purposes the bank must ensure that the ACH system is not being used for illicit purposes. This risk is higher when the bank allows customers to originate their own ACH transactions, and controls are needed to ensure that customer‐originated transactions meet all of the same requirements as bank‐originated transactions. The same controls in place as an RDFI (Policies and Procedures, CIP, CDD, account monitoring) are used to mitigate origination risks. In addition, credit underwriting policies and procedures should be part of the process of approving customers for ACH origination services.

For customers who are approved for origination services, additional controls should include establishing dollar and volume limits based on each customer’s needs and risk profile. Originator Agreements with each customer originator should include the following:

  • that the customer is responsible for adhering to the ACH (NACHA) Rules and laws of the United States;
  • the Standard Entry Class (SEC) code transaction types that the customer may originate, including whether they may originate international (IAT) transactions;
  • that the bank may suspend processing of a transaction to comply with OFAC regulations, and that this action may affect settlement or availability; and
  • that any fines the bank may receive for OFAC violations may be passed on to the customer/originator.


Traditionally, ACH entries were low‐dollar domestic transactions, such as payroll, social security, dividends, or interest payments. With the growth in consumer‐initiated transactions, such as WEB (Internet) and ARC (converting checks to ACH), there is increased opportunity for participants to use the ACH system for money laundering or other illicit purposes. To mitigate this risk, the bank’s monitoring processes should, at a minimum, be able to identify any customers whose ACH activity includes the following:

  • an unusually high volume of ACH transactions for an individual or for a business as compared to other similar individual or business accounts;
  • higher‐risk ACH transactions such as those originated over the Internet (WEB) or by telephone (TEL);
  • high dollar ACH transactions;
  • anonymous ACH activity through virtual wallets or virtual currency.

Any of these activities could be indicators of possible money laundering, terrorist financing or other illicit activity and should be evaluated on a case‐by‐case basis. Through this type of monitoring, the bank can determine if the activities are commensurate with the customer’s risk profile or are suspicious and take appropriate action.

Banks with automated monitoring systems should have parameters, rules, or thresholds established to identify the above ACH activities which are outside of what is considered normal customer behavior, and review alerts and reports for possible suspicious activity. Banks without automated monitoring systems may use report writer features to create ACH transaction reports or monitor system‐generated reports based on established parameters to identify customers who fall outside what is normal for other customers within various categories of risk.
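The following is an added illustration, not part of TCA’s article, of how the four monitoring conditions listed above can be expressed as rules and run over a batch of ACH entries. The entries, the peer segments, the $10,000 high‐dollar threshold, the 3× peer‐median volume multiplier and the counterparty name list are all constructed assumptions; a bank would tune each to its own risk profile.

```python
from collections import Counter, defaultdict
from statistics import median

# Constructed sample ACH entries (not real data). Fields: customer id,
# peer segment used for comparison, SEC code, amount, counterparty name.
ENTRIES = [
    ("C1", "retail", "PPD", 1200.00, "ACME PAYROLL"),
    ("C1", "retail", "PPD", 45.00, "CITY UTILITY"),
    ("C2", "retail", "WEB", 90.00, "ONLINE STORE"),
    ("C2", "retail", "PPD", 60.00, "VENMO"),
    ("C3", "retail", "PPD", 30.00, "GAS CO"),
    ("C4", "business", "CCD", 50000.00, "SUPPLIER LLC"),
    ("C5", "business", "CCD", 4000.00, "VENDOR INC"),
    ("C5", "business", "CCD", 3500.00, "VENDOR INC"),
] + [("C6", "retail", "TEL", 25.00, "COINBASE")] * 12

HIGH_DOLLAR = 10000.00                  # assumed threshold
RISKY_SEC_CODES = {"WEB", "TEL"}        # Internet- and telephone-initiated entries
ANONYMOUS_COUNTERPARTIES = ("VENMO", "PAYPAL", "GOOGLE", "COINBASE", "BITCOIN")
VOLUME_MULTIPLIER = 3                   # flag counts above 3x the segment median


def monitor(entries):
    """Return {customer: sorted alert reasons} for customers breaching any rule."""
    counts = Counter(e[0] for e in entries)
    segment_of = {e[0]: e[1] for e in entries}

    # Peer baseline: median entry count per segment (retail vs. business).
    by_segment = defaultdict(list)
    for cust, n in counts.items():
        by_segment[segment_of[cust]].append(n)
    baseline = {seg: median(ns) for seg, ns in by_segment.items()}

    alerts = defaultdict(set)
    for cust, n in counts.items():                       # rule 1: unusual volume vs. peers
        if n > VOLUME_MULTIPLIER * baseline[segment_of[cust]]:
            alerts[cust].add("unusual_volume")
    for cust, _seg, sec, amount, party in entries:
        if sec in RISKY_SEC_CODES:                       # rule 2: higher-risk SEC codes
            alerts[cust].add("risky_sec_code")
        if amount >= HIGH_DOLLAR:                        # rule 3: high dollar entries
            alerts[cust].add("high_dollar")
        if any(tag in party.upper() for tag in ANONYMOUS_COUNTERPARTIES):
            alerts[cust].add("anonymous_counterparty")   # rule 4: virtual wallet/currency
    return {c: sorted(r) for c, r in alerts.items()}


if __name__ == "__main__":
    for cust, reasons in sorted(monitor(ENTRIES).items()):
        print(cust, ", ".join(reasons))
```

Each alert is a starting point for the case‐by‐case review described above, not a conclusion; customers C1, C3 and C5 generate no alert because their activity sits within the assumed limits for their segment.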


All parties to ACH transactions, whether sent or received by the bank, should be screened for Office of Foreign Assets Control (OFAC) compliance. Just as you review your customer database screening reports, potential OFAC matches on ACH transactions should be reviewed and the resolution of any potential matches should be documented.

If the bank receives an ACH credit entry that has a true OFAC match, the RDFI should post the credit, ensure the account and funds are frozen and report the transaction to OFAC. If an unlawful ACH debit is received, the RDFI should ensure the account is frozen, report the transaction to OFAC, and return the debit using Return Reason Code R16 (Account Frozen).

As an ODFI, the bank is responsible for OFAC compliance on all ACH files sent, including those sent by customer originators. For that reason, OFAC compliance should be addressed in your customer agreements and the responsibility placed on the customer originator. The bank must ensure that systems are designed to screen account holders, including originators, to identify blocked parties. If the ODFI encounters a transaction that would violate OFAC sanctions, the bank is required to comply with OFAC policies. For this reason, the bank’s agreements with originators should allow the bank to suspend processing of a transaction to comply with OFAC regulations.

Look at your BSA program and make sure that appropriate ACH controls and monitoring are in place based on your bank’s ACH products and services.

The Bank Secrecy Act requires banks to have BSA/AML compliance programs and appropriate policies, procedures and processes in place to monitor ACH activity.

TCA continues to be your source for assistance in implementing changes to your Compliance or BSA Programs. Contact us at info@tcaregs or (800) 934‐7347.

Do You Need Compliance Help?

We’re here to review your current compliance strategy and help you find A Better Way to manage risk.


Office Location

2021 Midwest Road, Suite 200,
Oak Brook, IL 60523
