ACH Internal Controls
Examiners should review a credit union’s internal controls over ACH activity. These controls can help protect against fraudulent activity. At a minimum, examiners should confirm that:
- Management writes personnel policies that enhance internal controls within the ACH operation. The ACH job aid offers guidance on what these personnel policies may include.
- Management ensures that physical security controls are in place. Examples include:
  - Access to ACH computers and communications equipment sites is limited to authorized personnel.
  - Access controls or device locks are used to protect sensitive equipment in secured areas.
  - Access to data on portable media (flash drives, disks, hard copies) is secured and limited.
- Management ensures that data security controls are in place. Examples include:
  - Commercially available software products are used to access production data files.
  - Access to specified programs or user IDs is limited by setting up files for read-only access.
  - Sensitive data is encrypted.
  - Secure token management is practiced, if applicable.
- Management maintains detailed written policies regarding software development and change.
- The credit union uses controls, including passwords and/or security tokens, to prohibit unauthorized access.
- Management requires the use of exposure limits at the time of entry, batch, or file creation, at the time of transmission, or both, and enforces that requirement.
- The credit union requires proper segregation of duties for staff who reconcile ACH transactions.
- User access reports are accurate and up to date, and user access levels are appropriate for each user's role.
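As an added illustration (not from the examiner's guide or any credit union system), the exposure-limit control above can be enforced twice: once per entry as it is keyed, and again over the whole file before transmission, so that an entry added outside the keying path is still caught. The originator ids, limits and sample entries are constructed.

```python
from decimal import Decimal

# Constructed per-originator exposure limits (hypothetical company ids and values).
EXPOSURE_LIMITS = {
    "CU-PAYROLL-01": Decimal("50000.00"),
    "VENDOR-77": Decimal("10000.00"),
}


def check_entry(originator, amount, running_totals, limits=EXPOSURE_LIMITS):
    """Entry-time check: reject an entry the moment it would push the
    originator's running total past its limit. `amount` is a decimal string.
    Returns (accepted, reason); only accepted entries update running_totals."""
    limit = limits.get(originator)
    if limit is None:
        return False, "no exposure limit on file for originator"
    new_total = running_totals.get(originator, Decimal("0")) + Decimal(amount)
    if new_total > limit:
        return False, f"would exceed limit {limit} (running total {new_total})"
    running_totals[originator] = new_total
    return True, "ok"


def check_file(entries, limits=EXPOSURE_LIMITS):
    """File-creation check: re-total every originator from the entries that
    are actually in the file, independent of the entry-time running totals,
    so an entry that bypassed keying is still caught before transmission.
    Returns the originators whose file total breaches their limit
    (an originator with no limit on file is treated as a breach)."""
    totals = {}
    for originator, amount in entries:
        totals[originator] = totals.get(originator, Decimal("0")) + Decimal(amount)
    return sorted(o for o, t in totals.items() if t > limits.get(o, Decimal("0")))


if __name__ == "__main__":
    running = {}
    for orig, amt in [("VENDOR-77", "6000.00"), ("VENDOR-77", "5000.00")]:
        print(orig, amt, check_entry(orig, amt, running))
    # Constructed file: one originator breaches its limit, the other does not.
    file_entries = [("CU-PAYROLL-01", "30000.00"),
                    ("CU-PAYROLL-01", "25000.00"),
                    ("VENDOR-77", "100.00")]
    print("breaches at file creation:", check_file(file_entries))
```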
Last updated October 14, 2021