Ask Mary: What Are Your Auditors Seeing?!

Dear Mary: Do the EPCOR auditors have any tips they can share from their experience in the field?

We actually get this question a lot! And, as the 2020 audit season begins, it’s a great time to reflect on the notable exceptions or areas of concern we noted in the 2019 audit year. The EPCOR auditors conducted over 200 services in 2019 for a variety of financial institutions and Third-Party Senders.

Below are some of the most common exceptions our team noted:

The Exception: Written Statements - Still? Yes, forms and the process are still a challenge for financial institutions. Big or small, bank or credit union. The forms are often not completed correctly or are missing required information. Often, the incorrect return reason code is used and does not correspond with what the consumer states as the reason for the dispute. And, speaking of consumers, this process should only be used when a consumer account is affected or when an Originator sends a consumer entry type to a corporate account.

The Recommendation: Train, train and train again staff members who are responsible for assisting account holders with the completion of the form. Create a process where a secondary staff member or department is responsible for reviewing the form obtained and completed correctly prior to returning the entry or entries. And, ensure the staff members responsible for processing the return entry are trained as well. Some institutions also provide return reference materials, such as a cheat sheet of what the return reason codes are and how/when are they to be used. Consider making our ACH Quick Reference Cards for Financial Institutions your go-to reference.

The Exception: Prenotes - An RDFI that receives a Prenotification Entry must verify the Prenotification is for a valid account. If it does not contain a valid account number or if otherwise unable to be processed, the RDFI must either:

a) Process a Notification of Change to the ODFI, OR
b) Return the Entry back to the ODFI.

Doing nothing with the rejected prenote is not an option.

The Recommendation: Ensure staff are aware of the requirement that they must act on a rejected prenotification. Also, ensure staff are aware of what report the processing system generates that contains rejected prenotifications. Additionally, your financial institution should have written procedures for this process.

The Exception: Written Procedures - Each year, the number of financial institutions that do not have written procedures is very troubling. Written procedures are one of the most important resources to have in any department of your financial institution. This provides staff with valuable, step-by-step information that is essential to their daily job duties. It is also a very valuable tool when training new staff or cross-training other staff members within a department. Having written procedures also reduces operational risk and promotes consistency when completing tasks.

The Recommendation: If you do not have any written procedures, start the process of creating them! This doesn’t have to be a monumental undertaking. Assign the responsibility to create a written procedure to a staff member with the most knowledge of the process or task. Set a timeframe in which the written procedure should be completed. If you do have written procedures, review them at least annually to determine if there have been any changes that require updating.

The Exception:Social Security Number Use - An Originator is using a client’s social security number in the Individual ID field of the ACH File. We see this several times throughout the year as well. Why is this an issue? The individual ID field within an ACH Entry will appear on that client’s account statement. This is a data security issue.

The Recommendation: Review Originators Files on occasion to determine what is contained in this field. If Originators are using social security numbers, reach out and inform them of the risk associated with doing so. When setting up new Originators, training should be provided, and this issue should be part of that training. If new Originators are going to provide a test file, it’s the perfect time to determine if this is going to be an issue and address it at that point.

Hopefully this information has provided some insight to help you address these areas before they become an issue or show up on your 2020 audit. Obviously, the common theme of these exceptions is training and education. Management should take steps to ensure that staff responsible for daily operations are receiving the necessary training to avoid having these findings on your next ACH Compliance Audit.

Conducting a thorough audit helps mitigate risk by bringing important information and issues such as these to light. Our team of skilled auditing experts are prepared and ready to conduct your audit services. And, our team is prepared to conduct remote audits as long as travel restrictions are in place. Reach out to audit@epcor.org to book your service today!