ACH Preliminary Risk Assessment and Scope Development
Preliminary risk assessments do not apply to SCUEP defined-scope exams. SCUEP exams include a review of wire transfer programs in the Transaction Risk tab. See NCUA Instruction 5000.20,
The scope of an ACH review depends on:
- The products and services offered by the credit union
- The complexity of operational activity
- Risks related to the delivery of product and services
It also depends on the role(s) the credit union plays in the ACH network:
- RDFI
- ODFI (with limited, moderate, or high risk origination activity)
Examiners should follow the steps below to determine the extent of a review of a credit union’s ACH system:
Step | Potential Risk Impact |
---|---|
Determine if the credit union receives and processes its own ACH transactions or uses a third party | Using a third party may increase the overall risk posture |
Determine if the credit union has written policies, procedures, and risk assessments addressing their ACH operations | The risk impact of these items varies depending on a credit union's complexity; a less complex credit union may have less comprehensive documentation |
Determine if personnel changes at the credit union have an impact on the ACH process | Personnel changes may increase or decrease a credit union’s overall risk posture |
Determine if changes in the ACH process have been implemented since the last examination or audit | Process changes that have not been implemented may increase or decrease a credit union’s overall risk posture |
Determine if a NACHA compliance audit (independent or self-audit) has been completed by a qualified individual at least annually as required by NACHA Rules | Lack of a NACHA compliance audit completed by a qualified individual may increase the credit union’s overall risk posture |
Determine if the credit union is an RDFI | The risk impact of this item varies depending on a credit union’s complexity |
Determine if personnel are aware of and trained on appropriate NACHA rules (RDFI only) | Lack of appropriate training may increase compliance risk |
Determine if the credit union is an ODFI | The risk impact of this item varies depending on a credit union's complexity |
Determine if the credit union has identified high-risk originators and any commercial accounts which are Third-Party Senders | High-risk originators or Third-Party Senders can introduce increased reputation, credit, transaction, and compliance risks to the credit union |
Determine if employees responsible for the ACH operation receive initial and annual training on the requirements of NACHA rules regarding originations, including proper authorization, liabilities, warranties, etc. (ODFI only) | Lack of appropriate training may increase compliance risk |
Determine if the credit union has written agreements with each originator that warrants adherence to the NACHA rules (ODFI only) | Lack of written agreements may increase the credit union’s overall risk posture |
Determine if the credit union identifies and monitors IAT, and performs screening to ensure compliance with OFAC requirements | IATs can introduce increased compliance risk to the credit union |
In addition to these steps, examiners should consult the EPS Risk Overview job aid and document their findings as appropriate. Examiners should pay particular attention to:
- Violations of law, regulations, and third-party agreements;
- Significant issues that warrant inclusion in the exam report; and
- Potential impact of the observations on the CAMELS and risk ratings.
Examiners may refer to Letter to FCUs 02-FCU-09, Risk-Focused Examination Program, for broad guidance on how to assign risk levels.
The information obtained during the scope development, combined with the level of risk assigned during the preliminary assessment, determines the extent of review necessary to complete an exam of the wire transfer system.
Last updated October 14, 2021