Use Case for Assessing Risk on Automated Clearinghouse (ACH)
Why assess the risk? Banks that participate in the ACH network, as well as their service providers, should have in place systems and controls to mitigate the risks associated with ACH activities. A strong risk management program begins with clearly defined objectives, a well-developed business strategy, and clear risk parameters. Both the board of directors and management are responsible for ensuring that the ACH program does not expose the bank to excessive risk. The board’s role is to establish the bank’s overall business strategy and risk limits for the ACH program and to oversee management’s implementation of the program. Bank management is responsible for establishing effective risk management systems and controls and regularly reporting to the board on the results of the ACH program. The bank’s ACH program should include an ongoing process that evaluates whether ACH activities are conducted within the risk parameters established by the board of directors. This process should also determine whether existing policies, procedures, and controls effectively address all aspects of the bank’s ACH activities.
Who should assess the risks? Electronic Banking Officer, Chief Operating Officer, Cash Management Officer, Information Technology Officer, Security Officer, Data Security Officer
How to assess the risk: Rate the key risk indicators (KRIs) to determine whether a threat would successfully exploit a vulnerability and to justify expenditures on countermeasures that protect the bank’s assets or reputation. Use the “Focus Risk Assessment” tool for in-depth analysis of risks and mitigation techniques.
Special Note: NACHA provides its own risk assessment, which is very specific to the types of customers and transactions handled by the member bank. Tracerisk users are encouraged to perform the NACHA risk assessment as well.