ACH Transactions Involving the Internet
by Mary Beth Guard
The OCC has issued OCC 2002-2 to highlight the risks associated with ACH transactions that involve the use of the Internet and provide guidance for managing those risks. This lengthy new bulletin incorporates and replaces OCC Advisory Letter 2001-3, and it applies to originating depository institutions (ODFIs), receiving depository institutions (RDFIs), and even third party service providers acting on behalf of ODFIs or RDFIs.
If you participate in the ACH Network you need to have well-established risk management practices governing ACH activities, and those practices should be reviewed by management to ensure that risk exposures from ACH transactions involving the Internet are identified and appropriately managed.
The main body of the new Bulletin focuses on risk assessment, but you will also find the appendices on the ACH Network and NACHA requirements for WEB entries informative.
Compliance officers will also derive benefit from the Examination Procedures section. The examiners are being asked to look at policies, processes, personnel, and controls. With respect to Internet-initiated ACH transactions, the examiners will focus on everything from whether you act promptly on consumers' stop-payment orders to the issue of whether management and personnel display adequate knowledge and technical skills in managing and performing duties related to ACH transactions.
They will also want to determine your practices as an ODFI regarding originators' annual security audits of physical, logical, and network security. Examiners are told to consider whether:
- The ODFI receives summaries or full audit reports from the originators.
- The audits are adequate in scope and performed by independent and qualified personnel.
- Corrective actions regarding exceptions are satisfactory.
If your institution is involved in these transaction as an ODFI or RDFI, pull out this guidance and become thoroughly familiar with regulatory expectations for your policies, processes, personnel, and controls.
The original version appeared in the January/February 2002 edition of the Oklahoma Bankers Association Compliance Informer.
First published on BankersOnline.com 5/27/02
First published on 05/27/2002