ACH Review Procedures

ACH review steps should, at a minimum, include the following:

  1. Determine if management has performed a comprehensive risk assessment identifying threats and inherent risks within ACH. The assessment should be reviewed and updated periodically or as services change. NACHA rules require each participating financial institution to conduct an assessment of the risks related to ACH activity, and implement a risk management program on the basis of such an assessment.
  2. Determine if the credit union has received or performed an annual NACHA Rules compliance audit. This audit must be completed by December 31 each year, and should be in accordance with the most recent NACHA audit guidance (Appendix Eight of the NACHA Operating Rules & Guidelines).

  3. Determine if the credit union has a written ACH policy or risk management program based on the results of its ACH risk assessment. The policy or program should be reviewed and updated periodically or as services change. At a minimum, an ACH risk management program should include:

    • A summary of the program's objectives
    • A description of the board’s risk appetite and tolerances
    • An outline of the types of activities the credit union may conduct
    • Communication expectations
    • Data security requirements
    • NACHA compliance audit requirement
    • Incident response requirement
    • Business continuity requirement
  4. Review a credit union’s internal controls over ACH activity. These controls protect against fraudulent activity.

  5. Assess the adequacy of business continuity planning, including:

    • Business impact analysis and risk assessment process and results
    • Scope, frequency, and results of ACH testing

FedLine Review Procedures

If a credit union uses FedLine, examiners will also complete the following review steps:

  1. Evaluate policies and procedures for processing FedLine transactions to determine whether adequate internal controls have been established:

    • Determine if written policies are appropriate for the credit union’s complexity
    • Ensure credit union controls address adequate separation of duties
    • Walk through the procedures with credit union staff to identify any control weaknesses
    • Determine that credit union follows established written policies and procedures.

  2. Review physical and technical controls

    • VPN device, FedLine security tokens, and workstation management
    • Anti-virus, personal firewall, network security, and network segregation of FedLine router and workstations.

  3. Review access and service controls

    • Official authorization list, system limits, user limits, EUAC, management reports, and audit logs
    • Service alerts, dual-control verification, service, and system settings

    • Review FedLine reports and screen prints, including but not limited to:

      • Subscribers and Roles Report – Provides a list of organization’s current subscribers and access levels
      • Event Tracker Report – Provides credential issuance and maintenance activity over a given period of time, and an audit trail of activity that may be used for subscriber research. Examiners should request and review this report for the past 12 months.
      • FedPaymentsSM Manager – The "Funds Processing Options" screen can be reviewed to determine the system settings. The credit union will provide screenshots.
      • Application Audit Log – This screen lists any changes to the processing options (Settings, Verification, and E-mail Notification). The credit union will provide screenshots.

  4. Review Operational Controls

    • Management oversight and review
    • Independent review (audit)
    • Incident response
    • Business continuity planning and testing

Last updated September 25, 2017