The world of electronic funds transfer (EFT) underwent a significant shift in September 2022 with the implementation of the NACHA Nested Third-Party Sender (TPS) rules. Those impacted include third-party benefits administrators (TPAs) who utilize an ACH provider to initiate payroll deductions or premium payments, thus acting as nested TPSs within the ACH network. Understanding the NACHA Nested TPS rules is crucial to ensure smooth operations and avoid potential penalties.
What are the NACHA TPS rules?
Traditionally, ACH payments involved a straightforward path. An originator (employer) sends funds through an Originating Depository Financial Institution (ODFI) to the receiver’s bank. Nested TPS rules address a more complex scenario where a TPS (such as a benefits TPA) is an intermediary between the originator and the receiver. This can occur, for example, when a TPA transmits contributions deducted from employee paychecks to an insurance company or other benefit service provider.
Key Changes Impacting TPAs
The new rules introduce several key changes impacting TPAs:
- Transparency through Agreements: ODFI origination agreements with the initial TPS will now address whether nested TPS relationships are permitted. The agreement will outline the primary TPS and nested TPS (TPA) responsibilities.
- Independent Risk Assessment: Regardless of nesting level, every TPS must conduct its risk assessment of ACH activities. This assessment helps identify threats like fraud or errors and the appropriate controls to mitigate them. Previously, TPAs might have relied on the risk assessment completed by the primary TPS, but this is no longer sufficient.
- Data Accuracy and Reporting: Nested transactions require additional data elements within the ACH record, including nested transaction indicators, sequence numbers, and amounts. These elements ensure clear communication and tracking of the originating payment throughout the chain. Although the primary TPS entity(ies) with which the TPA is nested may handle this, the TPA should ensure that their systems can accurately capture and transmit this data.
Staying Compliant as a Nested TPS
Here are some practical steps TPAs can take to ensure compliance with the Nested TPS rules:
- Review Agreements and Processes: Conduct a thorough review of your existing agreements with the primary TPS and your ODFI. Ensure these agreements explicitly allow nested TPS relationships and clearly define responsibilities for all parties involved.
- Perform a Risk Assessment: Develop and implement a risk assessment tailored to your specific ACH activities. This assessment should identify potential risks associated with your role as a nested TPS and outline mitigation strategies.
- Update Systems and Training: Ensure systems are configured to capture and transmit the additional data elements required for nested transactions. Train staff on the new rules and responsibilities to guarantee accurate data entry and processing.
- Maintain Clear Communication: Establish clear communication channels with the primary TPS and the ODFI to ensure a smooth information flow and promptly address any issues.
Consequences of Non-Compliance
Failure to comply with the Nested TPS rules can lead to several potential consequences:
- Returned Transactions: The receiving bank may return non-compliant transactions, causing payment delays and potentially disrupting beneficiaries. These returned transactions often incur additional processing fees.
- Financial Penalties: NACHA may impose penalties for non-compliant institutions, including TPAs.
- Reputational Damage: Non-compliance can erode trust with clients and partners, potentially leading to lost business opportunities.
Frequently Asked Questions
Who is NACHA?
The National Automated Clearing House Association (“NACHA”) creates, implements, and manages the ACH Network’s rules, known as the NACHA Operating Rules (“Rules”).
What is a Third-Party Sender (TPS)?
Article 8 of the Rules defines a Third-Party Sender (“TPS”) as a service provider who is an intermediary in transmitting entries (creation of file, etc.) between the originator and an Originating Depository Financial Institution (ODFI). The originator does not have a direct agreement with the ODFI to process ACH entries. A TPS acts on behalf of an originator or another Third-Party Sender (Nested).
What is a “Nested” TPS?
Article 8 defines a Nested TPS as one that has an agreement with another TPS to act on behalf of an originator and does not have a direct agreement with the ODFI. A Nested TPS maintains a relationship between the originator and the primary TPS.
Why the change?
NACHA approved new rules affecting TPS effective earlier this year. The new rule defined roles and responsibilities for Nested TPS and the TPS Risk Assessment. NACHA and the ODFI are directly involved in monitoring operations of a TPS-operated ACH process. Both require compliance with the new rules and can also request compliance audit results from the primary TPS and Nested TPS.
What is an ACH Risk Assessment?
An ACH Risk Assessment identifies the inherent risks of the organization’s overall ACH program. It also evaluates the controls that mitigate such risks. Its goal is to ensure that the organization’s ACH practices do not expose it to excessive risk outside a financial institution’s risk tolerance. The ACH Risk Assessment should help you evaluate your ACH operating processes to identify the things that may be problematic.
Who must conduct an ACH Risk Assessment?
The Rules require all TPSs and Nested TPSs to conduct risk assessments of their ACH activities and implement risk management programs based on the assessments.
What is an ACH Audit?
Article 1, Subsection 1.2.2.1, defines an ACH Audit as an audit of compliance with the NACHA Rules and Guidelines. It is not considered an IT or financial audit.
Which ACH participants must perform the audit?
TPS and other service providers performing ACH processing functions on behalf of an ODFI or Receiving Depository Financial Institution (RDFI) must conduct an annual audit of compliance with the requirements of the NACHA Operating Rules.
How often do I need to perform an ACH Compliance Review?
It must be performed annually, and documentation supporting its completion must be retained for six (6) years.
What is the penalty for non-performance of the ACH Risk Assessment and Compliance Review?
TPS and Nested TPS must provide evidence of completion of the ACH Risk Assessment upon request. Failure of the ODFI to provide proof of rule compliance by its TPS and Nested TPS may be considered a rule violation.