Upload: phamhanh

Post on 01-Jul-2018


Page 1: Publications ACH Audit Checklist Origination Agreements (Section 2.2) Validate that you have ACH Origination Agreements with your Originators (you may

This checklist is designed to assist financial institutions, Third-Party Service Providers, and Third-Party Senders in preparing for and conducting their annual ACH Rules audit as required by the NACHA Operating Rules.

How do I use this document?

The NACHA Operating Rules do not define procedures for completing the annual rules compliance audit. This checklist is designed to assist your auditor in identifying the key ACH operational processes that should be a part of the audit, the materials needed, and where to go for more detailed information on specific requirements and related regulations.

ACH Audit Checklist For Audit Year 2018

A new approach to payments advising SM

Publications


©2018 All rights reserved WesPay Advisors. Redistribution or use with external clients is not permitted. Page 2

2018 ACH Audit Checklist

Separation of Duties

The ACH Rules require that the audit be performed under the direction of an audit committee, audit manager, senior level officer, or independent (external) examiner or auditor. Some key factors you may want to consider in deciding who should conduct the annual ACH Rules compliance audit are:

• The extent, expertise and availability of internal audit resources

• The level of ACH knowledge or expertise available within the organization

✓ Consider having your audit conducted by a certified AAP (Accredited ACH Professional)

• The financial resources available to consider outside expertise

• Management’s philosophy towards rule or regulatory compliance audits. For instance, whether they prefer to use internal staff or contracted resources to complete audits.

Whomever you elect to perform the audit, we advise you to have a separate group (i.e. audit committee/manager, or other senior manager) approve the final report as evidence of independent review.

Audit Time Frame and Sample Size

The time frame over which the audit is conducted is up to you and/or your auditor. The population of your samples should be drawn from the current year of processing, and should focus on compliance with recently enacted ACH Rules. The number of samples reviewed, and the time frame used for each ACH process included within the scope of the ACH audit, should be determined by your organization’s processing volumes, product and operational complexity, and the manual or automated nature of each process.

Not all ACH entries are equally common within the network, and depending upon the size and the types of products supported within your organization, you can expect that some types of entries will be difficult for you to find. This is normal, and you will need to decide whether to expend the time and resources to find samples of these rare occurrences, or note within your report that, given their scarcity, they could not be examined.

Conducting Your Audit

Following is an outline of key Rules areas that should be reviewed during the audit, with appropriate techniques employed to validate the accuracy of processes, as necessary.

Before You Start

It is important to identify the scope of the audit before you begin, to decide how many samples to examine, and what parts of the organization may need to be called upon for assistance.


Requirements for all ACH Participating DFIs, Third-Party Service Providers and Third-Party Senders

Listed below are the highlights of the most critical components of audit compliance with the ACH Rules for all ODFIs (Originating Depository Financial Institutions), RDFIs (Receiving Depository Financial Institutions), Third-Party Service Providers and Third-Party Senders (with the applicable section of the 2018 ACH Rulebook listed in parentheses).

Prior Year Audit (Section 1.2)

Verify documentation of your prior year audit and, if applicable, confirm written status or resolution of any identified findings. Issues or concerns from the prior year’s audit should be included within the scope of your current audit to be sure they have been properly resolved.

Risk Assessment (Section 1.2)

Verify that your organization has assessed the risks of its ACH activities and has implemented a risk management program based on that assessment. The ACH Rules do not include content or scope requirements for an ACH risk assessment, but it should be commensurate with the size and complexity of your organization’s ACH products and services. WesPay has two options for organizations seeking additional assistance with completing their ACH Risk Assessment: the ACH Risk Review, which is an on-site review of current operating procedures and internal controls, and the ACH Risk Management Self-Assessment Guide, which is designed to assist organizations in completing an ACH risk assessment internally.

The ACH Rules also do not specify a frequency with which an ACH Risk Assessment must be updated, only that an organization has this document on file. WesPay suggests that each participating depository financial institution, Third-Party Service Provider, and Third-Party Sender update their ACH Risk Assessment on at least an annual basis to ensure it reflects current rules, regulations, and related products and services of the organization.

Records and Retention (Section 1.4)

To audit compliance with the ACH Rules’ record retention requirements, we suggest that samples of the following types of entry reports, spanning the requisite six-year retention period, be verified:

• All entries received for a particular business day

• All entries originated for a particular business day

• All un-postable entries relating to the received items above (i.e., exceptions)

• All outgoing (2-day) returns related to the exception entries above

• All incoming (2-day) returns related to the originated entries above


Security Policies, Procedures, and Systems (Section 1.6)

The ACH Rules require that each participating DFI, Third-Party Service Provider and Third-Party Sender establish, implement and update security policies, procedures, and systems related to the initiation, processing, and storage of ACH entries. This audit requirement can be satisfied by validating that your organization’s data security-related policies and procedures address each of the following:

• Protecting the confidentiality and integrity of protected information

• Protecting against anticipated threats or hazards to the security or integrity of protected information

• Protecting against unauthorized use of protected information that could result in substantial harm to a natural person

Secure Transmissions via Unsecured Electronic Networks (Section 1.7)

The ACH Rules require that information related to an entry that is transmitted via an Unsecured Electronic Network (i.e., the Internet) is encrypted or securely transmitted using a “commercially reasonable” level of security. This applies to transmissions between:

(a) a Receiver and an Originator

(b) an Originator and an ODFI

(c) an ODFI and an ACH Operator

(d) an ACH Operator and an RDFI

(e) an Originator, ODFI, RDFI, or ACH Operator and a Third-Party Service Provider or Third-Party Sender

If your organization utilizes the Internet for any of the transmissions listed above, ensure data transmission and encryption policies and procedures document how the ACH transmissions utilizing an Unsecured Electronic Network are encrypted or otherwise secured.


Requirements for RDFIs and Third-Party Service Providers

The following are the key audit considerations for all RDFIs (Receiving Depository Financial Institutions) and Third-Party Service Providers that perform ACH receipt processes (with the applicable section of the 2017 ACH Rulebook listed in parentheses).

Receiver Statements; Payment-Related Information (Section 3.1)

Validate that your account holder statements are correctly formatted for each ACH Entry type your organization receives. Obtain a sample of each ACH Standard Entry Class Code received by your organization to validate that all required fields in Section 3.1 of the ACH Rules for each entry type are displayed on the Receiver’s periodic statement.

Pay particular attention to the format of credit WEB SEC Code entries used for Peer-to-Peer (P2P) entries. This Entry requires RDFIs to display the contents of the Individual Identification Number Field of the Entry on the Receiver’s periodic statement.

If any non-consumer receivers have requested payment-related information for payments they have received (i.e. CCD, CTX, CIE or corporate IAT entries) that are not Health Care EFT Transactions, verify the timely delivery of such data. For a Health Care EFT Transaction to a non-consumer account, a secure electronic delivery method must also be offered to the account holder.

UCC4A Compliance (Section 3.1)

If you have non-consumer accounts, review the terms and conditions of the account agreement to ensure that UCC4A disclosures are provided. If any other method such as individual notice is used, review to ensure correct UCC4A notices are communicated to non-consumer account holders.

Availability (Section 3.3)

Verify that your organization is making credits available to your Receivers by opening of business on the Settlement Date, and that debits are posted no earlier than the Settlement Date. Verify that any received Same Day ACH credits are reflected within the Receiver’s account as of the end of your organization’s processing day.

Effective March 16, 2018, verify that any received Same Day ACH credits are available to the Receiver for withdrawal no later than 5:00 p.m. local time.

Incoming Prenotes and Outgoing Returns/NOCs (Section 3.5)

Review documentation that demonstrates your organization is validating that received prenotes contain valid account numbers and, if not, or if the prenote contains other errors, that they are returned in a timely and accurate fashion (i.e. the correct Return Reason or Change Code is used).
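The Availability (Section 3.3) tests are easy to run mechanically over a sample of the posting log. The script below is an added example, not WesPay's code: it encodes the three checks stated in the checklist (ordinary credits available by opening of business on the Settlement Date, debits posted no earlier than the Settlement Date, and Same Day ACH credits in the account on the Settlement Date and, from March 16, 2018, available by 5:00 p.m. local time). The record fields, the 9:00 a.m. opening-of-business time and the sample entries are assumptions constructed for illustration; substitute your own posting-log export and business hours.

```python
from dataclasses import dataclass
from datetime import date, datetime, time
from typing import Dict, Iterable, Optional

# Values stated in the checklist (Section 3.3).
SAME_DAY_WITHDRAWAL_RULE_EFFECTIVE = date(2018, 3, 16)
SAME_DAY_WITHDRAWAL_DEADLINE = time(17, 0)   # 5:00 p.m. local time
# Assumption: this institution opens for business at 9:00 a.m.; use your own hours.
OPENING_OF_BUSINESS = time(9, 0)


@dataclass(frozen=True)
class PostedEntry:
    """One received entry as it appears in the posting log (field names are assumptions)."""
    trace: str
    kind: str               # "credit" or "debit"
    same_day: bool          # True when received as a Same Day ACH entry
    settlement_date: date
    posted_at: datetime     # local time the entry was posted to / made available in the account


def check_entry(entry: PostedEntry) -> Optional[str]:
    """Return a finding for the entry, or None when it meets the availability tests."""
    posted_day = entry.posted_at.date()
    if entry.kind == "debit":
        # Debits may not be posted earlier than the Settlement Date.
        if posted_day < entry.settlement_date:
            return "debit posted before Settlement Date"
        return None
    if entry.kind != "credit":
        return f"unknown entry kind {entry.kind!r}"
    if entry.same_day:
        # Same Day credits must be in the account by the end of the processing day on the
        # Settlement Date; any posting dated that day is treated as meeting the end-of-day test.
        if posted_day > entry.settlement_date:
            return "Same Day credit not reflected on Settlement Date"
        # From March 16, 2018 they must also be available for withdrawal by 5:00 p.m. local time.
        if (entry.settlement_date >= SAME_DAY_WITHDRAWAL_RULE_EFFECTIVE
                and posted_day == entry.settlement_date
                and entry.posted_at.time() > SAME_DAY_WITHDRAWAL_DEADLINE):
            return "Same Day credit made available after 5:00 p.m. local time"
        return None
    # Ordinary credits must be available by opening of business on the Settlement Date.
    deadline = datetime.combine(entry.settlement_date, OPENING_OF_BUSINESS)
    if entry.posted_at > deadline:
        return "credit not available by opening of business on Settlement Date"
    return None


def audit_availability(entries: Iterable[PostedEntry]) -> Dict[str, str]:
    """Map trace number -> finding for every sampled entry that fails a test."""
    findings = {}
    for entry in entries:
        finding = check_entry(entry)
        if finding is not None:
            findings[entry.trace] = finding
    return findings


# Constructed sample population (not real data).
SAMPLE_ENTRIES = [
    PostedEntry("C1", "credit", False, date(2018, 4, 2), datetime(2018, 4, 1, 22, 30)),  # warehoused overnight: ok
    PostedEntry("C2", "credit", False, date(2018, 4, 2), datetime(2018, 4, 2, 10, 15)),  # after opening: finding
    PostedEntry("D1", "debit", False, date(2018, 4, 2), datetime(2018, 4, 1, 22, 30)),   # early debit: finding
    PostedEntry("D2", "debit", False, date(2018, 4, 2), datetime(2018, 4, 2, 6, 0)),     # ok
    PostedEntry("S1", "credit", True, date(2018, 4, 2), datetime(2018, 4, 2, 14, 0)),    # ok
    PostedEntry("S2", "credit", True, date(2018, 4, 2), datetime(2018, 4, 2, 17, 45)),   # after 5 p.m.: finding
    PostedEntry("S3", "credit", True, date(2018, 3, 1), datetime(2018, 3, 1, 18, 30)),   # before the 5 p.m. rule: ok
]


def sample_availability_findings() -> Dict[str, str]:
    return audit_availability(SAMPLE_ENTRIES)


if __name__ == "__main__":
    for trace, finding in sample_availability_findings().items():
        print(trace, finding)
```

The checks are deliberately conservative: a Same Day credit posted before its Settlement Date passes, and an ordinary credit is judged only against the institution's opening time on the Settlement Date, so the sample population for this test should be drawn from the period after March 16, 2018 when the withdrawal deadline applies.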


Processing of Reclamations and Written Demands for Payment (Section 3.6)

Review how ACH Debits or written demands for payment for non-Federal Government benefit payments are handled. Also review handling of Federal Government benefit payments in accordance with provisions of the Bureau of the Fiscal Service’s Greenbook.

Stop Payments (Section 3.7)

Review your stop payment request forms (if required), online stop payment records, and related ACH debits and corresponding returns to ensure that your organization’s processing of stop payment requests complies with the ACH Rules for both consumer and non-consumer accounts. Ensure that the default expiration dates for your stop payment records comply with the ACH Rules, and that your operational processes mirror your explanation of the stop payment process in your stop payment request forms (if required) and account terms and conditions materials.

Returns and Adjustments (Section 3.8)

Review the documentation that supports your processing of outgoing returns, including contested dishonored returns, to ensure timely processing and use of the correct return reason codes.

For each adjustment entry (those entries returned either R07 or R10 within 60 calendar days of the original entry Settlement Date), match the return with the corresponding Written Statement of Unauthorized Debit (WSUD) to ensure these returns have been processed timely and accurately per the Receiver’s intent. We also advise you to review your WSUD form to ensure it contains all elements required by Section 3.8 of the NACHA Rules.
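The adjustment-entry test above (R07/R10 returns within 60 calendar days of the original Settlement Date, each matched to a WSUD) is a join between two exports, so it is worth scripting over the sample. The following is an added example, not WesPay's code: it flags R07/R10 returns sent outside the 60-day window, returns with no WSUD on file, and WSUDs signed after the return went out. The record fields, trace numbers and dates are constructed for illustration; map your own return report and WSUD log onto the two record types.

```python
from dataclasses import dataclass
from datetime import date
from typing import Iterable, List, Tuple

# Constants taken from the checklist text (Section 3.8 adjustment entries).
ADJUSTMENT_REASON_CODES = {"R07", "R10"}
ADJUSTMENT_WINDOW_DAYS = 60


@dataclass(frozen=True)
class ReturnEntry:
    """One outgoing return from the RDFI's return reporting (field names are assumptions)."""
    trace: str             # trace number of the original entry being returned
    reason_code: str       # ACH Return Reason Code, e.g. "R10"
    settlement_date: date  # Settlement Date of the original entry
    return_date: date      # date the return was transmitted to the ACH Operator


@dataclass(frozen=True)
class WSUD:
    """Written Statement of Unauthorized Debit on file for a returned entry (fields assumed)."""
    trace: str
    signed_date: date      # date the Receiver signed the statement


def days_after_settlement(ret: ReturnEntry) -> int:
    """Calendar days between the original entry's Settlement Date and the return."""
    return (ret.return_date - ret.settlement_date).days


def audit_adjustment_returns(returns: Iterable[ReturnEntry],
                             wsuds: Iterable[WSUD]) -> List[Tuple[str, str]]:
    """Return (trace, finding) pairs for R07/R10 returns that fail the audit test.

    Tests applied to every R07/R10 return in the sample:
      * returned within 60 calendar days of the original Settlement Date (timeliness);
      * a WSUD exists for the same trace number;
      * the WSUD was signed on or before the return date, so the return reflects the
        Receiver's documented intent.
    Other reason codes (R01, R03, ...) are outside the scope of this test and are skipped.
    """
    wsud_by_trace = {w.trace: w for w in wsuds}
    findings = []
    for ret in returns:
        if ret.reason_code not in ADJUSTMENT_REASON_CODES:
            continue
        age = days_after_settlement(ret)
        if age < 0 or age > ADJUSTMENT_WINDOW_DAYS:
            findings.append((ret.trace,
                             f"{ret.reason_code} returned {age} days after Settlement Date, "
                             f"outside the {ADJUSTMENT_WINDOW_DAYS}-day window"))
            continue
        wsud = wsud_by_trace.get(ret.trace)
        if wsud is None:
            findings.append((ret.trace, f"{ret.reason_code} return has no WSUD on file"))
        elif wsud.signed_date > ret.return_date:
            findings.append((ret.trace, "WSUD signed after the return was transmitted"))
    return findings


# Constructed sample population (not real data; trace numbers are made up).
SAMPLE_RETURNS = [
    ReturnEntry("091000010000001", "R10", date(2018, 3, 5), date(2018, 3, 20)),  # compliant
    ReturnEntry("091000010000002", "R07", date(2018, 3, 5), date(2018, 4, 10)),  # no WSUD on file
    ReturnEntry("091000010000003", "R10", date(2018, 1, 2), date(2018, 3, 15)),  # 72 days: late
    ReturnEntry("091000010000004", "R01", date(2018, 3, 5), date(2018, 3, 6)),   # NSF: out of scope
    ReturnEntry("091000010000005", "R10", date(2018, 3, 5), date(2018, 3, 20)),  # WSUD dated after return
]
SAMPLE_WSUDS = [
    WSUD("091000010000001", date(2018, 3, 19)),
    WSUD("091000010000005", date(2018, 3, 25)),
]


def sample_findings() -> List[Tuple[str, str]]:
    return audit_adjustment_returns(SAMPLE_RETURNS, SAMPLE_WSUDS)


if __name__ == "__main__":
    for trace, finding in sample_findings():
        print(trace, finding)
```

A return that fails the timeliness test is reported once and not also checked for a WSUD, since a late R07/R10 is a finding in its own right regardless of the paperwork behind it; the separate review of the WSUD form's required elements remains a manual step.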

Notifications of Change (Section 3.9)

If your organization elects to initiate Notifications of Change (NOC), review your return reporting to ensure they are initiated in a timely and accurate manner (i.e., that the appropriate Change Code is used).


Requirements for ODFIs, Third-Party Service Providers and Third-Party Senders

Following are the key audit considerations for all ODFIs (Originating Depository Financial Institutions), Third-Party Service Providers, and Third-Party Senders that perform ACH origination processes (with the applicable section of the 2018 ACH Rules listed in parentheses).

Financial institutions should be sure to consider any online account transfer, bill pay, online account opening funding, and loan payment processes when determining whether they are an ODFI.

Origination Agreements (Section 2.2)

Validate that you have ACH Origination Agreements with your Originators (you may elect to test a sample of all your Originators to validate this) and that their language contains all the required provisions of Section 2.2 of the ACH Rules.

Agreements with Sending Points and Third-Party Service Providers (Section 2.2)

Validate that any agreements with external sending points (i.e. correspondent banks, corporate credit unions, banker’s banks) and/or Third-Party Service Providers also contain the required provisions of Section 2.2 of the ACH Rules.

Exposure Limits (Section 2.2)

Validate that your organization has evidence of establishing, periodically reviewing, enforcing, and monitoring the exposure limits in place for each ACH Originator. Also, ensure that a policy and procedures are in place for processing any over-limit exceptions.

Originator Verification (Section 2.2)

Evaluate whether your process to on-board a new Originator is “commercially reasonable” and consistent with industry standards. At a minimum, this should consist of onboarding policies and/or procedures to ensure that the organization has done its due diligence to understand the nature of the Originator’s business and principal owner(s).

Requests for Authorization (Section 2.3)

Validate that your organization, in conjunction with your Originators and Third-Party Senders, is responding to proof of authorization requests in a timely manner (i.e. within 10 business days as required by the ACH Rules) and accurately (i.e., the authorizations provided correlate to the SEC Code of the entry).


UCC4A Compliance (Section 2.3)

Confirm that your Originators receive the required UCC4A notices as described in Section 2.3 of the ACH Rules (typically included in the ACH Origination Agreement).

NOCs (Section 2.11)

Ensure that received Notifications of Change (NOCs) are provided in a timely and accurate fashion to the corresponding Originators, Third-Party Service Providers, and Third-Party Senders who originated the related entries.

Returns (Section 2.12)

Ensure that returns are provided in a timely and accurate fashion to the Originator, Third-Party Service Provider, or Third-Party Sender who originated the item to which the return relates.

Originator Return Rate Reporting (Section 2.17)

The minimum audit requirement for this topic is for an ODFI to demonstrate that it has reported return rate information on each Originator or Third-Party Sender upon request of the National Association. WesPay encourages each ODFI to track the unauthorized, administrative, and overall debit return rates for each Originator and Third-Party Sender to demonstrate that it has the capability to provide this information to the National Association, even if it has never been requested.

Keeping Originators Informed (Section 2.1)

Your organization should be able to demonstrate a process that ensures your Originators are made aware of any changes that could affect their responsibilities under the ACH Rules. Provision of an annual edition of the rulebook, or distribution of any Rules updates published during the year, would be a demonstration of such a process.

Direct Access and Third-Party Sender Registration (Sections 2.15 and 2.17)

All ODFIs are required to register their Direct Access and Third-Party Sender status with the National Association.

Direct Access is a situation in which an Originator, Third-Party Sender, or a Third-Party Service Provider transmits credit or debit entries to an ACH Operator using the ODFI’s routing and transit number and settlement account. Even if not participating in Direct Access, ODFIs are required to register their status with the National Association. Additionally, if an ODFI has a Direct Access debit relationship, specific information about that debit Originator and its volumes is required to be registered as well.

Whether an ODFI is originating for Third-Party Senders or not, each ODFI is also required to register their Third-Party Sender status with the National Association. If the ODFI is originating for Third-Party Senders, basic information about each Third-Party Sender is also required to be provided.

Registration for Direct Access and Third-Party Senders can be found on NACHA’s Risk Management Portal: https://www.nacha.org/riskmanagementportal.

We Are Here To Help

Full ACH Audit

An Accredited ACH Professional (AAP) from our staff can conduct your annual ACH audit and examine each facet of your ACH operations, including receiving, originating, record retention, timeliness of processes, information reporting and completeness of agreements.

Please call (415) 373-1193 or e-mail [email protected] for a quote.

Payments Hotline

WesPay is always here to provide assistance from our experts on the Payments Hotline. No question is too big or too small. We have assisted many organizations just like yours through this process, and our expertise and experience is at your service.

Staffed by Accredited ACH Professionals (AAP), Certified Internal Auditors (CIA), National Check Professionals (NCP), and Certified Regulatory Compliance Managers (CRCM), who are recognized industry experts.

Call or email us!

(800) 977-0018

(415) 373-1200

[email protected]

Please contact us about your strategic, operational or regulatory payments issues and opportunities. We will be pleased to discuss with you how WesPay Advisors can help.

www.wespayadvisors.com

Chris Selmi, [email protected], (415) 373-1193