ACH Internal Controls

Examiners should review a credit union’s internal controls over ACH activity. These controls can help protect against fraudulent activity. At a minimum, examiners should confirm that:

  • Management writes personnel policies that enhance internal controls within the ACH operation. The ACH job aid offers guidance on what these personnel policies may include.
  • Management ensures that physical security controls are in place. Examples include:

    • Access to ACH computers and communications equipment sites is limited to authorized personnel.
    • Access controls or device locks are used to protect sensitive equipment in secured areas.
    • Access to data on portable media (flash drives, disks, hard copies) is secured and limited.
  • Management ensures data security controls are in place. Examples include:

    • Commercially available software products are used to access production data files.
    • Access to specified programs or user IDs is limited by setting up files for read-only access.
    • Sensitive data is encrypted.
    • Secure token management is practiced, if applicable.
  • Management maintains detailed written policies regarding software development and change.
  • The credit union uses controls, including passwords and/or security tokens, to prohibit unauthorized access.
  • Management requires the use of exposure limits at the time of entry, batch, or file creation, at the time of transmission, or at both points. Management enforces the requirement.
  • The credit union requires proper segregation of duties for staff who reconcile ACH transactions.
  • User access reports are accurate and up to date, and user access levels are appropriate based on users’ roles.
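The exposure-limit item above names three points at which an originating institution can enforce limits: when an entry is keyed, when a batch is built, and when the file is created or transmitted. The following Python is an added illustration of how those checks fit together; it is not NCUA code or any vendor's product. The company ID, limit amounts, entries and already-transmitted totals are all constructed sample values, and the three-tier limit structure (per entry, per batch, per day) is an assumption for the example rather than a regulatory requirement.

```python
from dataclasses import dataclass, field
from decimal import Decimal
from typing import Dict, List


@dataclass(frozen=True)
class ExposureLimit:
    """Hypothetical per-originator limits, in dollars (assumed structure)."""
    per_entry: Decimal   # largest single entry allowed
    per_batch: Decimal   # largest batch total allowed
    daily: Decimal       # largest total transmitted per settlement day


@dataclass(frozen=True)
class Entry:
    company_id: str
    trace: str
    amount: Decimal


@dataclass
class Batch:
    company_id: str
    entries: List[Entry] = field(default_factory=list)

    def total(self) -> Decimal:
        return sum((e.amount for e in self.entries), Decimal("0"))


# Constructed limits for a fictitious originator; not real data.
LIMITS: Dict[str, ExposureLimit] = {
    "1234567890": ExposureLimit(Decimal("25000"), Decimal("100000"), Decimal("250000")),
}


def check_entry(entry: Entry, limits: Dict[str, ExposureLimit] = LIMITS) -> List[str]:
    """Control point 1: at the time of entry. Returns a list of findings (empty = pass)."""
    lim = limits.get(entry.company_id)
    if lim is None:
        return [f"{entry.trace}: no exposure limit on file for company {entry.company_id}"]
    if entry.amount > lim.per_entry:
        return [f"{entry.trace}: amount {entry.amount} exceeds per-entry limit {lim.per_entry}"]
    return []


def check_batch(batch: Batch, limits: Dict[str, ExposureLimit] = LIMITS) -> List[str]:
    """Control point 2: at batch creation. Re-runs the entry checks, then tests the batch total."""
    findings = [f for e in batch.entries for f in check_entry(e, limits)]
    lim = limits.get(batch.company_id)
    if lim is not None and batch.total() > lim.per_batch:
        findings.append(
            f"batch for {batch.company_id}: total {batch.total()} exceeds per-batch limit {lim.per_batch}"
        )
    return findings


def check_file(batches: List[Batch], sent_today: Dict[str, Decimal],
               limits: Dict[str, ExposureLimit] = LIMITS) -> List[str]:
    """Control point 3: at file creation / before transmission.
    Daily exposure = amounts already transmitted today + everything in this file."""
    findings = [f for b in batches for f in check_batch(b, limits)]
    running: Dict[str, Decimal] = dict(sent_today)
    for b in batches:
        running[b.company_id] = running.get(b.company_id, Decimal("0")) + b.total()
    for cid, total in running.items():
        lim = limits.get(cid)
        if lim is not None and total > lim.daily:
            findings.append(f"file: daily exposure {total} for {cid} exceeds daily limit {lim.daily}")
    return findings


# Constructed sample data (not real transactions).
SAMPLE_OK_ENTRY = Entry("1234567890", "T001", Decimal("10000"))
SAMPLE_BIG_ENTRY = Entry("1234567890", "T002", Decimal("30000"))      # over per-entry limit
SAMPLE_UNKNOWN_ENTRY = Entry("0000000000", "T009", Decimal("5"))       # company with no limit on file
SAMPLE_OK_BATCH = Batch("1234567890", [Entry("1234567890", f"B1-{i}", Decimal("20000")) for i in range(4)])
SAMPLE_OVER_BATCH = Batch("1234567890", [Entry("1234567890", f"B2-{i}", Decimal("24000")) for i in range(5)])
SENT_TODAY = {"1234567890": Decimal("100000")}  # already transmitted earlier today


if __name__ == "__main__":
    for finding in check_file([SAMPLE_OK_BATCH, SAMPLE_OVER_BATCH], SENT_TODAY):
        print(finding)
```

Each check returns findings rather than raising, so the same functions can sit behind an operator-facing block at entry time and behind a pre-transmission gate that refuses to release the file; an examiner can then ask to see both the limit table and the log of findings the gate produced.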

Last updated October 14, 2021