Electronic Funds Transfer Risks: ACH Risk Issues and Control Procedures
Oz, Effy, Reinstein, Alan, The Journal of Bank Cost & Management Accounting
Electronic Data Interchange is the most prevalent method that financial institutions use to transfer funds. In the U.S., an estimated $500 billion is transferred among financial institutions daily. While affording convenience and speed, Electronic Funds Transfer (EFT) also involves potentially serious security problems, requiring financial institutions to take special precautions in Automated Clearing House (ACH) activities. The purposes of this article are to enumerate some risks that financial institutions face in ACH activities and describe how to minimize such risks.
The advent of information technology ushered in the paperless payment system among businesses. This paperless transfer, called Electronic Funds Transfer (EFT), is initiated by one party, passed through to the party's bank, dubbed ODFI (Originating Depository Financial Institution), and forwarded on to the Automated Clearing House (ACH) for delivery to the payee's financial institution, called RDFI (Receiving Depository Financial Institution). Thus, an EFT system is a computer-based network that enables the initiation, approval, execution and recording of payment transfers through electronic impulses and machine-sensible data-often leaving no physical audit trail. Financial institutions use three major forms of EFT's: remote banking services, retail point-of-sale services and direct deposit/preauthorized payment services. ACH's commonly call EFT's as ACH credit/debit transactions.
Despite the importance of these systems, many financial institutions fail to understand fully the potential credit risk and fraud related to ACH services. Credit risk and fraud are of particular concern during weak economic periods, when bankruptcies and business failures are more prevalent. The purposes of this article are to address the issues of EFT risks and to suggest measures to reduce exposure to such risks.
Two basic types of ACH transactions exist: ACH credits and ACH debits. ACH credit transactions transfer funds from the transaction's Originator to Receiver. Such transactions include the direct deposit of payroll, pension and annuity payments, corporate-to-corporate electronic data interchange (EDI) payments, and Federal Government Vendor Express Payments. ACH debit transactions transfer funds from the Receiver's to the Originator's account. Examples of ACH debit applications include preauthorized payments for insurance premiums, mortgage payments, health club dues and utility payments; cash concentration; dealer drafting collections; state tax payments; point-of-sale transactions; and third party initiated EDI debits.
ACH RISK ISSUES
As transaction and dollar volumes grow, so do concerns about potential risks. Financial institutions and their customers face four major categories of risk when processing EFT payments:
CREDIT RISK. The risk that a party cannot provide the contracted funds necessary to settle the account. Credit-risk-related losses typically arise from company failure or bankruptcy.
OPERATIONAL RISK. The risk that an employee or computer system unintentionally impedes the intended transaction, including losses due to clerical errors or to hardware and software failures.
FRAUD RISK. The risk that someone will intentionally alter a payment transaction in order to misdirect or misappropriate funds, including embezzlement initiated either by a financial institution's employee or by an interloper who gained unauthorized access to a system.
SYSTEMIC RISK. The risk that the inability of one participant to the EFT system to settle its commitments causes other participants to be unable to settle their commitments.
MINIMIZING ACH RISKS
Financial institutions have adopted several measures to prevent and control ACH risks.
This type of risk falls mainly on the financial institution. Specifically, the ODFI assumes a greater credit risk in processing ACH transactions than does the RDFI, because the ODFI is exposed to credit risk for both ACH debit and credit transactions, while the RDFI is exposed to credit risk only when it handles ACH credit transactions. …