By: Dan Frechtling, SVP of Marketing and Chief Product Officer
Recently, I listened to a head of treasury operations at a $10B bank tell a story about how she fixed delays in ACH underwriting. Traditionally, underwriting was conducted by credit department, which asked credit applicants the kinds of things a credit analyst would ask for. These included three years of financial statements describing revenue, net worth, liquidity, profitability, debt service coverage and debt/income.
But it was difficult for the credit department to translate this process to applicants for ACH or treasury services. If a customer didn’t already have a credit relationship, they would request the financial inputs above. Because they lacked an understanding of ACH products, they didn’t fully understand the risks they were underwriting.
The result was that underwriting was slow, and stacks of applications were held up. This was especially a problem in the summer or fall when most onboarding activity was occurring.
Creating a standalone ACH underwriting process worked
The bank was growing quickly, so they need to fix their bottleneck. They created an independent ACH underwriting process.
A chief part of this process was a search of business and principal history, including years in business, trade history, bankruptcies, judgments and liens provided by a data aggregator, such as LexisNexis or Thomson Reuters. They also reviewed bank statements, including recent balances.
If the merchant was an existing client up for renewal, they created an abbreviated version of the above. They reviewed annual transaction volume and look at ACH usage to determine if the original ACH limit was appropriate or if the limit needed to be raised or lowered.
With a purpose-built process and good Know Your Customer (KYC) practices, the bottlenecks went away and the bank could better support growth in ACH originators.
However, there was a problem with third party processors
The head of treasury operations ran into a problem with third parties. I asked why, and she said:
“When we come across a 3rd party processor prospect, we stop in our tracks. It needs to go to a different review process, as if it were a credit client. The reason is that we care about reputation risk, even if it means losing a potential lucrative arrangement.”
So what process did they follow? “We involve a committee that goes all the way up to the COO. Nine times out of 10 we reject the application.”
Perhaps that’s a high reject rate. But the bank was actually following a defensible process for Third Party Payment Processors (TPPPs) and Third Party Senders (TPSs) based on its risk profile. Other banks should choose a lower reject rate based on a lower threshold for ACH approval
This balance brings to mind direction from OCC 2006-39, and why it’s worth referring back to nearly nine years later.
The enduring guidance from OCC 2006-39
The actions exhibited by the bank are consistent with recommendations from OCC 2006-39. Here’s a rundown of the bulletin, particularly the KYC and KYCC direction:
Appreciate the risks, reputation and otherwise, that some third parties represent. In this bulletin, OCC defines “high risk activities” as engaging in ACH transactions with either high-risk originators or third-party senders. As the bank in our example above indicates, these create “increased reputation, credit, transaction, and compliance risks” for banks
Decide what constitutes high risk originators or third-party senders. The bulletin mentions a few. First, there are business categories of high risk originators. As the OCC notes, “examples of high-risk parties include online payment processors, certain credit-repair services, certain mail order and telephone order (MOTO) companies, illegal online gambling operations, businesses located offshore, and adult entertainment businesses.”
Beyond categories, there are types of business models that classify originators as high risk. These include the SEC codes (check) of TEL or WEB. transactions with higher-risk elements, such as TEL and WEB, and should be monitored to ensure that they are within the institution’s risk tolerance.
To know if a merchant is engaged in high risk categories, KYC Governor® from G2 Web Services offers classification to determine if the business is considered to be online payment processors, credit-repair services, MOTO businesses, offshore, and the like, even when not disclosed by the applicant.
Finally there are business intermediaries, aka third-party senders. These are bank customers to which originators outsource payment services without a direct relationship with the originator. See Figure 1 below.
Once you’re comfortable with your rules for approving higher risk applicants, get to know who you’re really working with. KYC here starts by knowing the third parties. Per the OCC, “Banks should check thoroughly the background of each third-party service provider, including the principal owners.”
This continues with knowing the underlying merchants. According to the bulletin, “banks should require third-party senders to provide certain information on their originator customers such as the originator’s name, taxpayer identification number, principal business activity, and geographic location. Also, before originating transactions, a bank should verify (directly or through a third-party sender) that the originator is operating a legitimate business.”
This also extends to knowing the financial institutions. “Banks should be alert to whether third-party senders are using more than one bank to originate transactions.”
KYC Governor uses the G2 Merchant Map®, with 11 years of history, millions of merchants, and billions of connections between principals and businesses, past and present. KYC Governor also includes proprietary information on prior and current relationships with other banks.
Next year when OCC 2006-39 celebrates its 10th birthday, it will be older, but banks will be wiser when they refer to it. The note provides lasting guidance on ACH risk management.
For more information on OCC 2006-39, click here.