The Third Installment of NACHA's RMAG Best Practices Series is Available

This five-part series follows the Risk Management Advisory Group's survey earlier this year.

*The articles were published at the following links on NACHA.org: Part 1, Part 2, and Part 3.

Earlier this year the NACHA Risk Management Advisory Group (RMAG) conducted a survey of the methodologies used by Originating Depository Financial Institutions (ODFIs) to manage ACH risk in their client portfolios. The intent of the survey was to use the results to develop educational materials and best practices for ODFIs to consider as they manage their client portfolios. This is the [first through third] in a series of five articles, one for each of the five parts of the survey.

Part 1: The following are the recommended best practices for Credit Risk Management & Policy.

1. Make sure your policies address ACH risk: Depending on how your financial institution has structured its policies this may be in your Overall Credit Policy, Credit Risk Policy, Risk Management Policy, or in a specific ACH or ACH Risk Policy.
2. Manage risk at the client relationship level: It is important to know your overall exposure risk at the client relationship level. Your management team may also want to look at your clients at a more detailed level such as by subsidiary corporation, division, or line of business within the overall client relationship.
3. Have procedures in place for what to do when exposure limits are approached or breached: These procedures should spell out clear “chain of command” responsibilities such as who should be contacted for review and/or approval when exposure limits are breached. This should also include “who is the backup” when the primary contact is unable to be reached.
4. Manage ACH exposure in coordination with other credit exposures: In order to have an overall insight into the client, your financial institution should manage the ACH exposure in coordination with all other credit exposures to the client. Many financial institutions indicated that they review their ACH exposure at the same time that they review other credit exposures for the client.
5. Understand the key criteria for managing risk and which ones are most important to your organization: The credit risk appetite of each financial institution is somewhat different and therefore the key criteria that your financial institution uses to manage risk as part of your credit underwriting process may be different. Among the key criteria most frequently mentioned by the respondents were the following:
   • Credit worthiness (as defined by your organization)
   • New client vs. Existing client
   • Length of time the client has been with your financial institution
   • Self-Origination vs. being a Third Party Originator
   • Business Segment or Line of Business
   • Recent change in the client’s financial condition (as defined by your organization)

Part 2: The following are the recommended best practices for Limits & Controls.

1. Review exposure limits on a regularly scheduled basis: While most financial institutions review the exposure limits on an annual basis, depending upon your financial institution’s Credit Policy or ACH Policy you may want to review them on a more frequent basis. Refer to your financial institution’s internal policies for additional guidance.
2. Review new clients more frequently: While you are beginning a relationship with a new client it may be advisable to review their exposure limits on a more frequent basis. One respondent indicated that they review new customers at 3 months, 6 months and 1 year, before going to an annual review cycle.
3. Define criteria for when an additional review is needed: Within the policy structure of your financial institution should be the criteria defining when additional reviews are needed. Among the most frequently mentioned criteria were the following:
   • Recent change in the client’s financial condition (as defined by your organization)
   • If an Originator has exceeded their current limit a certain number of times over a defined period of time.
   • If the Originator has a significant change in their business or business practices.
4. Establish limits for Internal Originators to reduce Operational and Reputational Risk: This is an often overlooked area within many financial institutions since Credit Risk for the internal department or affiliate company is generally not an issue. However, establishing an exposure limit that is at an appropriate level may help you to stop a file that was incorrectly built and may contain duplicate or incorrect items. Slightly over 1/3 of the survey respondents had no established exposure limits for Internal Originators.

Part 3: The following are the recommended best practices for Underwriting Credit Origination.

1. Establish criteria for underwriting credit origination: The criteria used should be consistent with your financial institution’s Credit, Credit Risk, and ACH policies. Refer to your internal policies for additional guidance. Among the key criteria most frequently mentioned by the survey respondents were the following:
   • Credit worthiness (as defined by your institution)
   • New client vs. Existing client
   • Length of time the client has been with your financial institution
   • Self-Origination vs. being a Third Party Originator
   • Business Segment or Line of Business
2. Establish criteria for reviewing clients on a regular basis: Your financial institution’s Credit Policy will likely address the overall requirements for a credit review, be it annually, semi-annually, or quarterly. In addition to those overall requirements your financial institution may have additional requirements for specific clients or specific categories of clients:
   • New clients may be subject to more frequent reviews until they have established a track record with your institution.
   • There may be specific requirements for clients who operate in lines of business that have been classified as “high risk” by your institution.
   • Clients who have experienced a recent change in their financial condition may have to be reviewed more frequently.
3. Establish criteria for which clients may be required pre-fund their ACH origination activity:
   • Credit worthiness (as defined by your institution)
   • Recent change in the client’s financial condition
   • Business segment of the client
   • Length of time as a client
   • Client willingness to provide financial statements

Note that these criteria match very closely with the criteria for overall underwriting of credit origination clients. Most financial institutions have established credit scoring systems for clients, and generally the lower the scoring the more likely the institution is the require that the client pre-fund their ACH activity.

Several survey respondents indicated that their financial institution’s Credit Policy required that all ACH origination clients to pre-fund their ACH activity.

4. Review all criteria whenever Risk Policies are updated: Traditionally Risk Policies within a financial institution are updated either annually, or bi-annually. Make sure that the criteria for requiring a risk review, and the criteria for requiring pre-funding are updated at that time.

To read the original articles, click HERE for Part 1, HERE for Part 2, HERE for Part 3.