CUNA Comment Letter

NACHA Management Assessment and Compliance Audit Proposals

February 27, 2008

Maribel Bondoc
Manager, Network Rules
NACHA – The Electronic Payments Association
13450 Sunrise Valley Drive, Suite 100, Herndon, VA 20171

RE: Request for Comment: Risk Management and Assessment Proposal and Rules Compliance Audit Proposal

Dear Ms. Bondoc:

Credit Union National Association (CUNA) appreciates the opportunity to comment on NACHA’s Request for Comments on its risk management and assessment and compliance audit proposals. By way of background, CUNA is the largest credit union trade organization in this country, representing approximately 90 percent of our nation’s nearly 8,400 state and federal credit unions, which serve more than 88 million members. This letter was developed under the auspices of CUNA’s Payments Policy Subcommittee, chaired by Terry West, President and CEO of VyStar Credit Union in Jacksonville, FL.

Summary of CUNA’s Views

NACHA is proposing to broaden the scope of its Operating Rules (Rules) on risk management to incorporate specific requirements for conducting an overall annual assessment of ACH risk. It is becoming more important to manage risk throughout the payments industry, and we appreciate the need for NACHA to update its Rules to address ACH risk management. The proposed modifications to the Assessment and Audit rules enable participating institutions to align their basic risk management practices with the Rules and will ensure that the ACH Network remains a safe and secure method to process payments.

CUNA generally supports NACHA’s proposal, but has recommendations regarding specific rule changes and seeks clarification on a number of other issues. A summary of CUNA’s views is below.

Discussion of CUNA’s Views

NACHA is proposing to require all financial institutions that participate in the ACH Network (DFIs) to assess the risks of their ACH activities annually. The requirements of the assessments would be determined by the nature and complexity of a DFI’s ACH activity. All receiving depository financial institutions (RDFIs) would be required to conduct a “Level 1 Risk Assessment” and an originating depository financial institution (ODFI) would be required to conduct either a “Level 2” or “Level 3” Risk Assessment, depending on whether it meets certain criteria each year. The requirements for each level are listed in a separate Appendix Nine.

We believe that this format makes the rules clear and easy to follow. Matching the risk assessment level to the nature and complexity of ACH activity gives DFIs a clearer picture of the rules pertaining to risk, which should help improve overall risk management for the financial institution.

NACHA is also proposing to expand the current rules on establishing exposure limits for Originators and Third-Party Senders to incorporate more comprehensive risk management obligations for ODFIs. We believe these obligations are prudent and necessary to ensure that key risk areas would be assessed and reviewed. An important function of risk mitigation for financial institutions is knowing who their members and customers are – a current statutory requirement under the U.S. Patriot Act. However, some issues need further elaboration, such as whether existing agreements between ODFIs and Originators would be grandfathered. Thus, we suggest that additional information be provided on the ODFI’s due diligence review of its Originators, specifically on the required frequency of reviews and on the treatment of existing Originators.

One of the proposed conditions for triggering a Level 3 Assessment is when an ODFI originates ACH debit transactions for an Originator whose “business lines include, but are not limited to, money services, money transmission, or online payments processing.” (Proposed NACHA Operating Rules, Appendix Nine § 9.3(6)).

We are concerned that these broad descriptions of business lines do not provide meaningful guidance and could inadvertently include low-risk Originators not intended to fall under this category. We believe the Department of Treasury’s definition of money service business would be an appropriate definition for Originators in this category, and would effectively target a Level 3 Assessment to higher-risk entities.

The Department of Treasury’s definition for money service business (MSB) expressly excludes institutions with less risk such as banks, insured institutions, and those registered, regulated or examined by the Securities and Exchange Commission. Furthermore, an MSB is defined as any person doing business in one or more of specific, listed capacities, including but not limited to: money transmitters, persons engaged in the transmission of funds, and check cashers. (31 CFR 103.11).

Limiting this trigger to unregulated Originators without insurance would facilitate the coordination of the ODFI’s assessment level with the nature and degree of the risk of its transactions. Insured Originators are already highly regulated and pose far less risk to their ODFIs than those that are uninsured.

Additionally, Treasury’s definition expressly excludes those individuals that transmit funds as part of an underlying transaction other than the funds transmission itself. This would exclude individuals accepting or transmitting an ACH for a separate business transaction, enabling financial institutions to offer person-to-person ACH transactions to their members/customers without automatically triggering a Level 3 Assessment.

We recommend that NACHA amend the language in its proposed rules at Appendix Nine § 9.3(6) to provide that a Level 3 Assessment be triggered if an ODFI originates ACH debit transactions of an Originator that is a “money services business” as defined by the Department of Treasury at 31 C.F.R. 103.11(uu).

NACHA is also recommending changes to its rules that would clarify and expand financial institutions’ and their third-party service providers’ audit obligations.

While we generally believe that certain proposed changes to the audit rules are clear and easy to follow, clarification is needed regarding the audit obligations that do not have specific rule references. NACHA is proposing to include certain best practices as a component of the Rules Compliance Audit. While best practices may help educate those required to implement the rules and help to improve the understanding of existing rules, codified best practices typically evolve into rule requirements without the benefit of notice to and comment from the stakeholders. Also, examiners often interpret best practices as required rules, and penalize an institution for not implementing them.

We believe the rules should expressly state that the best practices are not required and it would not be considered a violation of the NACHA rules if they are not included in an ACH audit.

This clarification should be consistent throughout NACHA’s rules. For example, the audit proposal would require that the financial institution address “all issues raised during the previous audit.” (Proposed NACHA Operating Rules, Appendix Eight § 8.2(C)). We believe clarification is needed to confirm that only issues with a specific rule reference must be addressed from the previous audit, rather than all issues raised during that audit. Clarification should also be provided in proposed Subsection 8.2.1 in Appendix Eight, which is entitled “Additional Audit Obligations for All Participating DFIs” (emphasis added). The first sentence states:

This subsection addresses issues that do not have specific rule references but that are recommended for inclusion within an ACH audit. (emphasis added).

Using the terms “obligations” and “recommended” in the same section only adds to the confusion when trying to determine whether these best practices are required. We recommend that NACHA change the title of the subsection to reflect recommendations rather than requirements.

Alternatively, if NACHA believes that best practices are necessary for improving network quality, we urge NACHA to seek comment on a proposal to incorporate the best practices in its rules.

Thank you for the opportunity to express our views on the proposed modifications to the risk assessment and audit rules. If you have questions about our letter, please do not hesitate to give Senior Vice President and Deputy General Counsel Mary Dunn or me a call at 202-508-6733.

Lilly Thomas
Assistant General Counsel