Every financial institution is required to comply with the NACHA Operating Rules for the exchange and settlement of electronic funds transfers through the Automated Clearing House (ACH) network. These rules require an annual ACH audit be performed by December 31 each calendar year. Historically, the rules included Appendix Eight, which outlined the minimum requirements of each ACH audit. However, effective for 2019 ACH audits, Appendix Eight no longer exists! So now what?
If you look in your 2019 rule book, you might still see Appendix Eight in there! However, it was removed from the ACH Rules effective January 1, 2019, by Supplement #2-2018, which was approved on November 2, 2018. That change didn’t make it into the 2019 rule book — or at least the rule books we ordered! The supplement did, however, get printed in the rule book on pages ORl-ORlii. It outlines the changes to the ACH audit requirements. The removal of Appendix Eight applies to all audits due by December 31, 2019.
The annual ACH audit requirement still exists but has changed and no longer states, “… an audit of its compliance with these Rules in accordance with Appendix Eight.” The rule now states, “… an audit of its compliance with these Rules.” That means that ACH audits may need to be revamped and enhanced from what was completed in prior years. Under the old rules, ACH audits didn’t require a specific methodology despite having the minimum “checklist” of Appendix Eight, and ACH audits could always include more than the minimum requirements, such as policies and procedures, internal controls, self-origination items, ACH guidelines, interrelated areas of regulation, etc. Under the new rules, there still isn’t a specific methodology, but there are more sections and specific components of the rules that could apply to the organization and your ACH activities which should be evaluated for compliance. Financial institutions can still include more than “rules compliance” in the audit, so it could be that the annual ACH audit won’t be much different if your prior ACH audit included more than Appendix Eight.
Because those additional areas, guidelines, methodologies, etc. have always had flexibility within the ACH audit requirements, financial institutions (and their third-party senders along with third-party service providers that are also required to have an annual ACH audit) have had many possibilities of what their audit actually entailed. Often, you get what you pay for. With the change in the volume of rules now potentially included in the ACH audit, the likely result is even more disparity within the options available, both in hiring an outside provider to perform the ACH audit and in purchasing an ACH audit program. While resources are finite, management should ensure the ACH audit covers the rules appropriate for the financial institution’s activities and processes and make a risk-based decision about whether additional areas such as policies and procedures, internal controls, ACH guidelines, interrelated areas of regulation, etc. should also be included in the audit.
If you have questions regarding the ACH audit changes or need assistance in determining what this means for your organization, please contact your Wipfli representative.