Article Two of the ACH Rules contains the responsibilities of ODFIs, including an ODFI’s responsibility for each entry that is transmitted into the ACH Network through the ODFI, as well as Originator and Third-Party Sender (TPS) Compliance with the Rules. Because of these two simple yet important Rules, ensuring each Originator and TPS receive education related to ACH origination is an important risk mitigation tool in each ODFI’s armory.

Some of the questions we receive related to Originator education include the following:

  1. Is it required? Do ODFIs have an obligation/responsibility to educate Originators/TPSs?
  2. How often and in what form should we provide education?
  3. What topics should be included in the education/training?

Let’s get down to the answers.

Is it required?

While there is not a specific rule within the ACH Rules that requires an ODFI to provide education and training to its Originators and TPSs, each ODFI does have a responsibility to ensure that each Originator and TPS has the knowledge and capability to process ACH Entries.  

An ODFI with a small number of Originators may have the capability and manpower to review every ACH File that is processed to ensure that the proper Standard Entry Class (SEC) code is being used and proper authorizations are being obtained; however, an ODFI with many Originators simply does not have the ability to monitor activity in this detailed manner. Therefore, a method used to reduce the risks associated with ACH origination is ensuring that Originators and TPSs are appropriately trained.

How often and in what form should education be provided?

Prior to granting a potential Originator or TPS access to ACH Origination services, thorough training and education should be provided to the client, and ongoing education should be provided at least annually.

EPCOR’s Payments Insider newsletter is often provided to Originators and TPSs, along with an annual communication that includes any updates to the Rules, as well as a reminder of the Rules that apply to the Originator’s and Third-Party Sender’s ACH activity.

As auditors, we tend to have the mindset of “prove it or it never happened.” In other words, document, document, document. Education should be given in such a way that the ODFI can prove the education was provided as well as what information was communicated to the Originators and TPSs. Proof the education was provided as well as confirmation from the Originator can provide some protection to the ODFI in a couple of different ways. By providing education, your organization is arming Originators and TPSs with knowledge, and as Benjamin Franklin said, “An investment in knowledge pays the best interest.” Ensuring ACH clients have the knowledge necessary to originate ACH Entries provides some assurance the Entries will comply with the Rules and reduce the chances of Returns, Rules violations, fines or other monetary loss.

Also, should an issue arise between the ODFI and an Originator due to the Originator’s breach of the Rules, the ODFI can be confident every effort was made to communicate the requirements of the Rules to the Originator, not just initially but on an ongoing basis.

What topics should be included in the education?

Education should be commensurate with the type of activity being processed. In other words, the topics included in the education depend on the complexity of the relationship between the ODFI and each Originator and TPS. Here are a few examples:

An ODFI with Originators processing PPD credits and debits only should include education related to topics such as Prenotes, authorization requirements and taking action on incoming Notifications of Change (NOCs) to name a few. For an ODFI with Originators processing higher-risk SEC codes, such as CCD, TEL, WEB or IAT, the education should include information related to the specific SEC Codes that are being originated.

  • Education provided to a WEB Originator should be cumulative and include the basic information discussed above along with the Rules surrounding the annual audit requirement, the use of a commercially reasonable fraudulent transaction detection system and other Rules requirements specific to the origination of WEB Entries.
  • More complicated ACH origination relationships between an ODFI and a TPS, for example, would need to take into account the SEC Codes being transmitted by the TPS and whether the TPS has any Nested TPS relationships.
  • The education provided to TPSs would need to include the topics related to the ACH activity being processed.

Many ODFIs tend to provide the same education to each Originator and TPS with a wide range of topics being addressed whether or not it relates to all ACH clients. While it is understandable to want to do this, burying the pertinent information for a PPD Originator in a packet of information that includes WEB origination or TPS details increases the chances that the information will be ignored.

Knowing what information to communicate starts with being familiar with each Originator and TPS and the ACH activity for each, which is a risk mitigation tool as well. With this information, ODFIs can provide the information to each Originator and TPS that applies to and is commensurate with the type of ACH activity each client is processing.

Apart from ACH Rules education, current fraud trends such as business email compromise (BEC) scams, payroll impersonation, vendor impersonation, etc., should be included in the material provided to clients in an effort to protect them from monetary loss related to fraud. ODFIs should consider providing Originators and TPSs with tips on identifying these current fraud trends, such as:

  • Examining the URL closely to identify any misspellings that may be used to trick the receiver into clicking on a link,
  • Verifying payment requests from vendors in person or by phone using a phone number that is already on file and
  • Being cautious if the requestor is implying that your action must be taken quickly.

ODFI’s next steps

Now that you have a better idea of the type and timing of ACH education that should be provided to Originators and TPSs, here are some additional tips and to keep in mind as you move forward:

  • The quality of education you provide to your Originators and TPSs must start internally. Ensuring ACH origination staff within your financial institution has the knowledge and skills to process ACH Files, monitor activity, and communicate Rules requirements effectively to ACH clients is going to be your first line of defense.
    • The world of ACH is complex and can be complicated at times, so providing appropriate education and training to staff is an important part of the ACH origination services you are offering your corporate clients.
  •  Internal decisions will need to be made regarding the level of education you will provide your Originators and TPSs. There are no Rules that tell ODFIs what content should be communicated nor how often it should be communicated; therefore, this is a decision that each financial institution will have to make to determine how to classify ACH clients by risk or complexity that will govern what level of education and training will be provided to each Originator and TPS.