With much of the economy disrupted as a result of the COVID-19 pandemic, one area that continues to grow is automated clearing house (ACH) payments, according to data recently released by Nacha, the non-profit that governs ACH payments. While the recent jump in ACH volume was driven in part by the delivery of federal stimulus payments, it is reflective of a longer term trend of growth in the industry, as ACH becomes increasingly popular for consumer bill payment (rent and utilities), health care payments, payroll processing, and business account payables

Also contributing to the growth in ACH payments is the ability of banks to partner with “third-party senders” to facilitate the origination of ACH payments. Like a payment facilitator in the credit card space, a third-party sender can help a bank expand its ACH origination capabilities by signing up customers to receive the bank’s ACH services. Working with a third-party sender, however, can increase a bank’s exposure to legal, compliance, credit, and reputation risks. These risks are reflected in news articles last year about an ACH payroll processor in New York that allegedly absconded with almost $30 million of its clients’ payroll and tax payments.

As ACH continues to grow, it is critical for banks and their partners to understand the ins and outs of facilitating these payments. Accordingly, this article provides a brief overview of the ACH system, the roles and responsibilities of the key players, and best practices for minimizing risk when banks partner with third-party senders.

What is the ACH System and Who are the Key Players?

ACH is a payment system that facilitates the movement of funds between bank accounts. Consumers use the ACH system every day to pay bills online and transfer funds between accounts at different financial institutions, and businesses across the country use it to direct deposit employees’ paychecks and pay invoices. ACH payments are processed by payment networks composed of banks, such as the Federal Reserve System’s Automated Clearing House and the Electronic Payments Network, the two national ACH networks. Electronic debit or credit instructions (Entries) are initiated by participating banks (called the originating depository financial institutions or ODFIs) on behalf of customers (called the Originators). The ACH networks receive the Entries, deliver them to other participating banks (called the receiving depository financial institutions or RDFIs), and settle the payments between the ODFIs and RDFIs.

What is a Third-Party Sender?

To initiate an ACH transaction as an Originator, a consumer or business must have an agreement with an ODFI, which typically would be the sender’s bank. An Originator or ODFI could, however, use the services of a third-party sender as a payment intermediary in originating Entries on behalf of customers. This might happen, for example, where an employer contracts with a payroll processing company to facilitate the company’s payment of payroll to its employees by ACH. In this example, the employer would be the Originator sending payments to employees, and the payroll processing company would be a third-party sender facilitating those payments through its relationship with an ODFI. The use of payments intermediaries to originate ACH transactions is becoming increasingly common.

In these cases, the ODFI does not have a direct agreement with the Originator (the employer in the previous example). Instead, the third-party sender (the payment intermediary) has an Origination agreement with the ODFI, as well as an agreement with each Originator for which it processes Entries. Given that the third-party sender functions as an aggregator of customers, both the ODFI and third-party sender are required to comply with various contractual and compliance obligations to minimize potential risk in connection with the facilitation of ACH payments. In addition, Nacha requires ODFIs to register their third-party senders.

The benefit of a third-party sender arrangement for a financial institution is that it expands the institution’s reach to a broader market of potential customers, while outsourcing some of the day-to-day work to a service provider. The model can also be used by financial institutions to support innovative fintech and payments companies that are looking to incorporate payments into other services that are offered to merchants or consumers. In other words, when done properly, the arrangement offers potential benefits for both the sponsor bank and its third-party senders.

Managing Risks in Third-party sender Arrangements

While there are numerous potential benefits to third-party sender arrangements, there are also risks that need to be understood and addressed by both the financial institution and its partner. Whenever a bank sponsors a third party, federal banking regulators expect the bank to practice effective risk management and oversight. With respect to ACH, partnering with a third-party sender can expose an ODFI to legal, compliance, reputational, and credit risk. Specific areas of legal and compliance risk include consumer protection, anti–money laundering (AML), and compliance with the economic sanctions programs administered by the Office of Foreign Assets Control (OFAC).

To address these risks, an ODFI should implement a compliance program that addresses (1) the nature of the risks associated with ACH activity (including third-party sender activity), (2) due diligence of third-party senders, (3) controls for third-party sender, including through vendor oversight and contractual arrangements, and (4) management, information, and reporting systems to monitor and mitigate risk.

As a starting point, any ODFI that participates in an ACH network should have a dedicated ACH component in its compliance program to mitigate the risks associated with the activities. The systems and controls needed for an effective ACH risk management program include written policies and procedures, strong internal controls, and a risk-based audit program. The depth and breadth of a bank’s ACH policies and procedures will depend on the scope and complexity of its ACH activities.

When a financial institution enters into relationships with any third party vendor, including as an ODFI with a third-party sender, its board of directors and senior management are responsible for managing the risks posed by those relationships. To manage these risks, an ODFI should establish policies and procedures as part of its vendor risk management program to address the particular due diligence, monitoring, and auditing processes for third-party senders. As part of the due diligence process, a financial institution must understand the business model and proposed funds flow of the third-party sender, including whether it is in compliance with applicable law. For example, a third-party sender that takes custody of funds prior to remitting them to a payee may be subject to federal and state money transmission licensing laws and requirements.

Once a relationship is established, the ODFI and third-party sender must enter into an origination agreement. This agreement should address the responsibilities of each party with respect to financial liability for each transaction, data format for Entries, and submission schedules and deadlines. Nacha requires that the origination agreement obligates the third-party sender to obtain each Originator’s authorization for the ODFI to originate payments on behalf of the Originator. This is particularly important for consumer Originators, as various federal laws, ranging from the Electronic Fund Transfer Act (EFTA) and Regulation E to the Restore Online Shoppers Confidence Act (ROSCA), establish authorization requirements for electronic fund transfers.

Often third-party senders intend to embed the ACH function into a particular application or offer payments as part of a large suite of services. The origination agreement should address the responsibilities of each party with respect to the third-party sender’s use case including data quality, processing requirements for the specific applications, liability and accountability for certain procedures related to the applications, application of any laws, including the Uniform Commercial Code Article 4A or EFTA, and any other issues pertinent to the actual processing and delivery of the payment data.

With the volume of ACH payments increasing each year, the third-party sending model will continue to grow and expand. While these types of arrangements have a number of benefits, they also present risk, and any bank looking to sponsor a third-party sender needs to have a strong compliance program in place and protect itself through appropriate agreements.