Third-Party Sender Roles and Responsibilities

The Rule is effective September 30, 2022, with a 6-month grace period for certain aspects of each topic.

Details

Nested Third-Party Senders

Third-Party Senders and Risk Assessments

Technical

Nested Third-Party Sender

This rule defines a Nested Third-Party Sender, and provides for the “chain of agreements” and responsibilities in Nested TPS arrangements.

An ODFI Origination Agreement with a TPS will address whether the TPS can have Nested TPSs, and if so, “push down” the requirement for an Origination Agreement to exist between a TPS and a Nested TPS.

An Origination Agreement will exist between a TPS and a Nested TPS

Changes to ACH Origination Agreements will be applicable on a going-forward basis from the effective date of September 30, 2022.

This rule will further provide that:

TPS Risk Assessments

Risk Assessments are already defined and required in the Nacha Rules for Financial Institutions and, by extension, for Third-Party Senders under their obligations to perform and warrant ODFI obligations; however, the Risk Assessment obligation for TPS is not expressly stated.

The proposed rule will expressly state that a Third-Party Sender, whether or not it is Nested, is required to conduct a Risk Assessment. As with other parties that conduct Risk Assessments, a Third-Party Sender must implement, or have implemented, a risk management program based on their Risk Assessment.

The obligation to perform a Risk Assessment, as well as the required Rules Compliance audit, cannot be passed on to another party; i.e., each participant will conduct or have conducted its own. This rule amendment does not prescribe a specific methodology or list of topics for a TPS Risk Assessment. Risk assessments for TPS should not be one-size-fits-all.

Each TPS operates in a different space, with challenges, risks, and controls that will be different from the challenges, risks, and controls faced by another TPS. Attempting to prescribe the exact topics and methods for a TPS risk assessment will likely over-prescribe risk and controls for some TPSs, and fail to identify risk and controls for others.

For the same reason, Rules Compliance Audit requirements were recently removed from the Rules (Appendix 8). Assistance in understanding and performing Risk Assessments is widely available in the marketplace, through Payment Associations, Nacha publications, and many other organizations.

Nevertheless, a TPS risk assessment will likely cover many of the same types of risk as do assessments performed by other parties in the ACH Network, or by the TPS as required for other payment systems when the TPS acts as a TPPP. Broad risk categories include Operational Risk, Return Risk, Credit Risk, Fraud Risk, Compliance Risk, and Reputational Risk.

TPS will look to the ODFI Risk Management Requirements and other requirements of Articles One and Two of the Rules; for example: 1) performing customer due diligence; 2) setting and enforcing customer exposure limits; 3) auditing and testing Originator authorization processes and quality; 4) monitoring forward and return transaction volumes, dollars, and rates; 5) establishing data security policies, procedures, and systems with access controls, authentication, authorization, and encryption; and 6) SEC Code-specific risk management requirements and warranties. TPSs will also look to requirements and guidance issued by banking regulators (such as the OCC and the FDIC) on risk management expectations for ODFIs.

Impact

Benefits

Nested Third-Party Sender

The rule will provide clarity and remove confusion about roles and responsibilities of parties involved in a Nested Third-Party Sender relationship

ODFIs should understand that risk may increase with additional levels of removal from the Originator. Ultimately, better clarity and knowledge by ACH participants about the roles and responsibilities of parties should help improve ACH quality

TPS Risk Assessments

Risk Assessments are vital to managing risk for any party in the ACH Network; clarifying this requirement will promote active risk management by Third-Party Senders

Impacts

Nested Third-Party Sender

To the extent that ODFIs and Third-Party Senders do not already address Nested TPSs in their agreements, they will need to:

ODFIs with Third-Party Sender relationships will need to update their registrations in the Risk Management Portal to denote which TPSs have Nested TPS relationships

ODFIs that have TPS with Nested TPS relationships must be able to provide Nacha with such information, upon request

ODFIs remain responsible for provision of required information to RDFIs (e.g. proof of authorization), regardless of the number of TPS involved in the transaction

TPS Risk Assessments


Changes to ACH Origination Agreements would be effective on a going-forward basis – i.e., applicable to agreements entered into on or after the effective date

ODFIs will notify TPSs of new Rules, even if not required to “re-paper” existing agreements, to ensure knowledge of and compliance with these Rules

A six-month grace period, to March 31, 2023, would be provided for: