During the scheduling process for EPCOR’s Audits, Risk Assessments and Advisory Services, one of the primary questions often asked is “Are you an ODFI?” This is a very basic question and typically the answer is “Yes, we are.” However, on occasion, we get the response of “No, we are only an RDFI.” When we receive this response, EPCOR auditors and consultants have determined further investigative questions are necessary. Follow-up questions may include:
- Do you allow clients to make their loan payments from an external account, with your financial institution debiting the external account? And, are they also allowed to call and make the loan payment?
- Do you allow new accounts to be funded via ACH? If so, is your financial institution’s ABA number being used?
- Do you allow a third party to take credit card payments from your account holders on your behalf? If so, is your financial institution’s ABA number being used?
- Do you allow clients to send CD interest to an external account? If so, is your financial institution’s ABA number being used?
If your financial institution allows any of the above types of activities and the Entries are being sent via ACH utilizing your financial institution’s ABA number, then you are not just an RDFI. It is a common misconception that a financial institution is not considered to be an ODFI because the origination activity is not being done by a corporate client.
With this thought in mind, and if you have determined “Yes, we are an ODFI,” you may be wondering what to do with this new knowledge and how will it affect your financial institution.
Below are some areas that will need to be addressed:
- Are the proper authorization forms being obtained?
- Is a copy of the authorization form provided to the account holder?
- For how long and where are the forms being stored?
- Does your ACH Management Policy address the processing of these internal origination activities?
- Is the internal origination taken into consideration within your written procedures?
- Are internal origination Return and Notice of Change (NOC) volumes monitored?
- Is internal origination included within your ACH audit scope?
- Is internal origination included in your ACH risk assessment?
- Is internal origination considered within your AML/BSA functions?
- Is internal origination included within the Data Security risk assessment?
It is imperative that financial institutions realize internal ACH origination is still considered an ACH Origination Service being provided to account holders. Your financial institution can still receive a Rules violation for its own origination activities and, unfortunately, some financial institutions have felt the sting of receiving a Rules violation first-hand.
Unfortunately, it also very often comes to light during Advisory Services that clients are not aware of where all the various ACH origination activities are being generated. Many financial institutions have added vendors over the last few years to provide additional services to their clients. To stay competitive and relevant to clients, this often becomes a fast-paced process with the various vendors having the ability to provide APIs or turn-key systems. The downfall of the process is that sometimes the backend processing of the activity is not fully understood by those who are in the position to approve a new system or application.
The moral of this story is: if you do internal ACH origination, you are an ODFI. And, if you are not sure what systems generate ACH Entries using your financial institution’s ABA number, it is time to do some investigation. It’s also super important to review ODFI obligations when conducting your annual ACH Rules Compliance Audit. If you’d like some assistance during this process, reach out to our team at [email protected] for a no-obligation quote on an Audit or Advisory Service. Our expert team is ready and eager to assist you along the way!