Third-Party Sender Roles and Responsibilities

The Rule is effective September 30, 2022, with a 6-month grace period for certain aspects of each topic.

Details

Nested Third-Party Senders

• Defines a Nested Third-Party Sender
• Updates the requirements of Origination Agreements for a Nested TPS relationship
• Establishes the “chain of agreements” and responsibilities in a Nested TPS arrangement
• Updates existing TPS registration to denote whether a TPS has Nested TPS relationships

Third-Party Senders and Risk Assessments

• Makes explicit that a Third-Party Sender, whether Nested or not, must complete a Risk Assessment of its ACH activities
• Clarifies that a Third-Party Sender cannot rely on a Rules Compliance Audit or a Risk Assessment completed by another TPS in a chain; it must conduct its own

Technical

Nested Third-Party Sender

This rule defines a Nested Third-Party Sender, and provides for the “chain of agreements” and responsibilities in Nested TPS arrangements.

• A “Nested Third-Party Sender” will be defined as a Third-Party Sender that has an agreement with another Third-Party Sender to act on behalf of an Originator, and does not have a direct agreement with the ODFI.
• Nested TPSs will be addressed in ACH Origination Agreements

An ODFI Origination Agreement with a TPS will address whether the TPS can have Nested TPSs, and if so, “push down” the requirement for an Origination Agreement to exist between a TPS and a Nested TPS.

An Origination Agreement will exist between a TPS and a Nested TPS

Changes to ACH Origination Agreements will be applicable on a going-forward basis from the effective date of September 30, 2022.

• Other TPS obligations and warranties will be updated to identify and cover Nested TPSs.
• This rule amendment does not address or limit the number of levels in a Nested Third-Party Sender arrangement.

This rule will further provide that:

• An ODFI will identify in Nacha’s Risk Management Portal all Third-Party Senders that allow Nested Third-Party Sender relationships.
• Upon request, an ODFI will provide Nacha with the Nested TPS relationships for any TPS.
• Identification of TPSs with Nested Third-Party Senders in the Risk Management Portal will follow the same time frames as registering TPS in the Portal:
• TPS with Nested TPS will be registered as such within the later of 30 days of Transmitting the first Entry, or within 10 days of the ODFI becoming aware of the Nested TPS.
• Registration information will be updated within 45 days of any change to the information previously provided.

TPS Risk Assessments

Risk Assessments are already defined and required in the Nacha Rules for Financial Institutions and, by extension, for Third-Party Senders under their obligations to perform and warrant ODFI obligations, however, the Risk Assessment obligation for TPS is not expressly stated.

The proposed rule will expressly state that a Third-Party Sender, whether or not it is Nested, is required to conduct a Risk Assessment. As with other parties that conduct Risk Assessments, a Third-Party Sender must implement, or have implemented, a risk management program based on their Risk Assessment.

The obligation to perform a Risk Assessment, as well as the required Rules Compliance audit, cannot be passed onto another party; i.e., each participant will conduct or have conducted its own. This rule amendment does not prescribe a specific methodology or list of topics for a TPS Risk Assessment. Risk assessments for TPS should not be one-size-fits-all.

Each TPS operates in a different space, with challenges, risks, and controls that will be different than the challenges, risk and controls faced by another TPS. Attempting to prescribe the exact topics and methods for a TPS risk assessment will likely over-prescribe risk and controls for some TPSs, and fail to identify risk and controls for others.

For the same reason, Rules Compliance Audit requirements were recently removed from the Rules (Appendix 8). Assistance in understanding and performing Risk Assessments is widely available in the marketplace, through Payment Associations, Nacha publications, and many other organizations.

Nevertheless, a TPS risk assessment will likely cover many of the same types of risk as do assessments performed by other parties in the ACH Network, or by the TPS as required for other payment systems when the TPS acts as a TPPP. Broad risk categories include Operational Risk, Return Risk, Credit Risk, Fraud Risk, Compliance Risk, and Reputational Risk.

TPS will look to the ODFI Risk Management Requirements and other requirements of Articles One and Two of the Rules; for example: 1) performing customer due diligence; 2) setting and enforcing customer exposure limits; 3) auditing and testing Originator authorization processes and quality; 4) monitoring forward and return transactions volumes, dollars, and rates; 5) establishing data security policies, procedures, and systems with access controls, authentication, authorization, and encryption; and 6) SEC Code-specific risk management requirements and warranties. TPSs will also look to requirements and guidance issued by banking regulators (such as the OCC and the FDIC) on risk management expectations for ODFIs.

Impact

Benefits

Nested Third-Party Sender

The rule will provide clarity and remove confusion about roles and responsibilities of parties involved in a Nested Third-Party Sender relationship

• Defines a Nested Third-Party Sender, and provides clarity on agreements and obligations of defined parties
• Further encourages a culture of compliance and risk management in ACH, especially regarding TPS relationships
• Reasonably expands ODFIs’ due diligence to know whether TPS customers have Nested Third-Party Sender relationships

ODFIs should understand that risk may increase with additional levels of removal from the Originator. Ultimately, better clarity and knowledge by ACH participants about the roles and responsibilities of parties should help improve ACH quality

TPS Risk Assessments

Risk Assessments are vital to managing risk for any party in the ACH Network; clarifying this requirement will promote active risk management by Third-Party Senders

• Encourages a culture of risk management and compliance in ACH processing
• Aligns the ACH Network with the wider payments industry
• Improves the quality of ACH payments by elevating the prominence of risk assessment among additional ACH Network participants

Impacts

Nested Third-Party Sender

To the extent that ODFIs and Third-Party Senders do not already address Nested TPSs in their agreements, they will need to:

• Modify Origination Agreements for future use (i.e., going-forward after the effective date)
• Expand due diligence on TPS customers regarding Nested TPS relationships

ODFIs with Third-Party Sender relationships will need to update their registrations in the Risk Management Portal to denote which TPSs have Nested TPS relationships

ODFIs that have TPS with Nested TPS relationships must be able to provide Nacha with such information, upon request

ODFIs remain responsible for provision of required information to RDFIs (e.g. proof of authorization), regardless of the number of TPS involved in the transaction

TPS Risk Assessments

• Third-Party Senders that have not previously conducted an ACH Risk Assessment would have to do so
• Third-Party Senders that have relied on other TPSs’ Risk Assessments or Rules Compliance Audits would need to conduct their own
• ODFIs would not be required to review TPS Risk Assessments, but may choose to institute policies to encourage TPS compliance

Changes to ACH Origination Agreements would be effective on a going-forward basis – i.e., applicable to agreements entered into on or after the effective date

ODFIs will notify TPSs of new Rules, even if not required to “re-paper” existing agreements, to ensure knowledge of and compliance with these Rules

A six-month grace period, to March 31, 2023, would be provided for:

• ODFIs to update TPS registrations to denote whether or not a TPS has Nested TPSs
• TPSs that have not conducted a Risk Assessment to do so
• A TPS need not wait for passage of this rule, or its effective date, to conduct a Risk Assessment