Do I Need an ACH Audit?

12/14/2022 - By Sallie O'Brien, AAP, APRP

We often get the question. “Do I need an ACH audit?” The general requirement per the Nacha Operating Rules is that a bank or credit union (DFI) must conduct, or have conducted, an audit of its compliance with these Rules annually. However, other parties involved in processing ACH transactions need an ACH audit, too.

The Parties in ACH

DFIs often contract with Third-Party Service Providers (TPSP)¹ or Third-Party Senders (TPS)² to process entries. In that case, those third parties must also audit their compliance with the Rules annually.

Some examples of ACH processing functions that a TPSP/TPS, or even a Nested Third-Party Sender³ might perform on behalf of an Originating DFI (ODFI) or another TPS could include the following:

• Creating ACH files
• Monitoring Originators’ origination and return activity
• Enforcing restrictions on the types of entries originated
• Acting as a sending point for the ODFI’s forward entries⁴ 
• Acting as a receiving point for the ODFI’s returns and NOCs⁵ 

Some examples of ACH processing functions that a Third-Party Service Provider might perform on behalf of an RDFI could include:

• Acting as a sending or receiving point for the RDFI
• Posting entries
• Processing returns and/or NOCs

What does an ACH Audit require?

An annual audit must be conducted under these Rule Compliance Audit Requirements (Subsection 1.2.2)  no later than December 31st of each year. The ACH audit must be performed under the direction of an audit committee, audit manager, senior-level officer or independent (external) examiner or auditor of the Participating DFI, TPSP or TPS. The Rules do not prescribe the manner or method for completing the audit. For instance, it can be conducted by an internal or an external party.

There are different Rules that apply to the parties. For a TPSP, the audit requirements apply only to the functions of ACH processing that it performs on behalf of a DFI or a TPS. For a Third-Party Sender, the audit requirements apply to the performance of any obligations of an ODFI.

The requirement to conduct an audit relates solely to compliance with these Rules – it does not necessarily address other audit considerations, such as the DFI or TPSP or TPS policies, procedures or regulatory compliance (such as Regulation E or Uniform Commercial Code). As these requirements do pose risks, it might be a good enhancement to add these to the scope of your overall audit program. 

¹ Third-Party Service Provider: An Organization that performs any functions on behalf of the Originator, the TPS, the ODFI, or the RDFI related to the processing of entries.

² Third-Party Sender: A type of Third-Party Service Provider that acts as an intermediary in Transmitting entries between an Originator and an ODFI

³ Nested Third-Party Sender: A Third-Party Sender that has an agreement with another Third-Party      Sender to act on behalf of an Originator and does not have a direct agreement with the ODFI.

⁴ Receiving Point is an Organization that receives entries from an ACH Operator on behalf of an RDFI.

⁵ Sending Point is an Organization that transmits entries to an ACH Operator on behalf of an ODFI. 

Questions? 

Please call me or reach out to our Financial Institution Consulting practice if you have any questions or need a Nacha compliance review or consulting.

Are you looking for more information on ACH? Check out this recent webinar hosted by Sallie O'Brien, AAP, APRP.

About the Author | Sallie O’Brien, AAP, APRP

Sallie is a senior consultant in the Financial Institution Advisory Group at Saltmarsh, Cleaveland & Gund. She has over 19 years of experience working with financial institutions. Sallie specializes in risk-based Nacha compliance audits and provides ACH-consulting services to the firm’s financial institution industry clients. Prior to joining Saltmarsh, Sallie was a senior director of education at a regional consulting firm where she provided payment education and Nacha compliance programming for third-party providers.

Related Posts

• Safeguarding Against ACH Fraud: Ten Essential Steps for Financial Institutions and Businesses
• ICYMI: An Important Reminder About the CRA Public File, and More
• Understanding ACH Risk Assessments: A Crucial Requirement of the Nacha Rules
• Nacha's Updated Written Statement of Unauthorized Debit: Should You Update Your WSUD Forms?
• Saltmarsh Hosts 18th Annual BankTalk
• Jay Newsome Joins Financial Institution Consulting Group & Expands Firm's Alabama Market Presence
• Best Practice Ideas from the Asset-Liability Management Trenches
• Managing Risk: Fraud Deterrence Is Always a Priority
• Webinar on Demand: Getting to Know FedNow, Now
• Nacha's 2023 Rules Updates: Are You Affected?
• Do I Need an ACH Audit?
• Webinar Recording: Top 8 ACH Audit Findings You Should Be Aware Of
• Think CECL Is Only for Banks? Not So Fast!
• Saltmarsh Hosts 17th Annual Community BankTalk Event
• Preparing for $500 Million in Assets
• Secure Exchange of Standardized Letters of Indemnity
• Best Practice Suggestions for Back-Testing Asset-Liability Management (ALM) Models for Accuracy
• Words to Live By
• Webinar Materials: The New ACH Rules on Micro-Entries
• Nacha Micro Entry-Rule
• Elder Financial Exploitation by the Numbers
• CECL: What About Credit Losses on Debt Securities?
• Supplementing Data Security Requirements Rule Phase 2
• Webinar Materials: ODFIs - How Do You Keep Your ACH Clients Informed?
• Webinar Materials: CFO Symposium Update
• View All Articles

• Blog
  • Audit & Assurance
  • Construction
  • Employee Benefits
  • Financial Institutions
  • Healthcare
  • Human Resources
  • Information Technology
  • Investment Advisory
  • Legal
  • Manufacturing
  • Not For Profit
  • Tax & Accounting
  • What's Happening At Saltmarsh
• Tools & Resources
• Videos