Looking for advice and guidance please.
My bank has no ACH policy - we never had one. Examiners and auditors recommended we create one. We do not originate, we only receive ACHs. How do I create a policy and what topics do I need to cover? I would assume I need to cover basics like how we handle ACH returns, ACH stop payments, and disputes. What other major topics and how specific should I make our policy? Management would like to keep it as vague/generic as possible while still satisfying regulators. I have no background or experience with ACHs and don't really know where to start.
Also, my bank has done no preparing yet for the 9/18/9 changes for International ACH Transactions. I don't know what needs to be done other than contacting my software provider (we are outsourced/data center with Jack Henry) to be sure they are ready to format the IATs and schedule a test. I confess I do not fully understand the changes - do we need to manually check OFAC for each ACH? How can we possibly accomplish this? I have just started reading some threads here at BOL and reading on the Federal Reserve IAT website.
We've never conducted an ACH audit, and I believe we are required to audit yearly, right? What does the audit need to do, where can I find guidance on what to audit?
We also had commentary from an auditor that our Incident Response policy should specifically address ACH breach situations. What reg or law would govern what language should be added to our Incident Response policy?
I know this is a lot of questions, but I was just handed this entire situation late yesterday and I'm feeling very overwhelmed. Ideally, my bank needs to address all of this and be ready by 9/18/9, so I'm looking at long hours ahead to try to straighten out this severe lack of planning.
I would greatly appreciate any guidance, templates, policy language examples, website links for more education, or advice anyone can offer me to help me know how to begin my Herculean task. Thanks in advance.