The Top Seven Actions Payroll Providers Can Take for ACH Compliance


As a payroll provider, you know a thing or two about ACH. In fact, Nacha reports that 93 percent of employees receive pay via Direct Deposit, making the ACH a chief component of your payroll strategy. 


But as you’re well aware, payroll relationships can get complicated quickly, and compliance becomes a chief challenge. In fact, not only is compliance an area of concern for you, but your customers also cite it as a key consideration: 81 percent of businesses report compliance as the top area of improvement they’d like to see from their payroll providers. In addition, Nacha requires that you have an ACH Audit of Compliance performed annually by December 31st, and many financial institutions may now be asking that those audits be performed by outside auditors.


As experts in the ACH field, we have a deep understanding of the trends impacting your business. For example, in 2021, we uncovered seven common compliance challenges for payroll providers and other third parties. With that in mind, we developed the following checklist to support you in identifying changes to ensure you are compliant.


1. Conduct an ACH Compliance Audit annually. This was a big one: many providers didn’t realize that the Nacha Rules require them to perform ACH Compliance Audits annually. The good news? You know now if you didn’t already. Moving forward, you must conduct an ACH Compliance Audit annually and retain proof of completion for six years. You’ll want to make sure this one’s on the top of your to-do list for 2022, and NPG can help you meet this requirement. 


2. Perform an ACH Risk Assessment every other year. In that same vein, providers didn’t know that an ACH Risk Assessment must be conducted at least every other year, or more often, in the event of a major change in operations or environment, including mergers, acquisitions, core system changes, staffing, and the like. This one is even more critical in today’s environment because Nacha is planning a stronger rule emphasis on risk assessments in 2022 — work done by an FI either during the third-party approval process or as part of a periodic review will count as an ACH Risk Assessment. 


3. Update security policies to accommodate remote work scenarios. In today’s COVID environment, many payroll operations have migrated to home office scenarios. During our audits, we found that data security policies and procedures have failed to consider this new paradigm. The requirement to protect information includes all environments, and it needs to accommodate communications between you and your FI for things like Notification of Change (NOC) reports, copies of authorizations, or Reversal requests. There are some things in the ACH world that are still paper-based, and those processes need to be secured and addressed in policies and procedures as well. Payroll providers must have plans in place for each of these scenarios.


4. Format reversals correctly and issue within the appropriate timeframe. Often, payroll providers are neither formatting Reversal transactions correctly nor sending them within the required timeframe. (Reversals sent beyond the Nacha Rules timeframe may be subject to fines, so it’s an important distinction.) Getting this right will be even more critical in 2022, because Nacha will be scrutinizing Reversals more carefully. The Rules have been amended to clearly reinforce the instances when a Reversal can be used and how it must be formatted.


5. Review NOC procedures. NPG also found that some payroll providers are confused about when and how to address NOCs. Fortunately, the Nacha Rules set a standard procedure and timeframe for these transactions, so the answers are cut and dried; it just takes a deeper understanding of the requirements. As a rule of thumb, regardless of circumstances, those in receipt of a NOC must act upon it.


6. Incorporate Nacha language into origination agreements and ensure their complete execution. NPG found that in many cases, payroll provider origination agreements are lacking, either missing standard language or signatures. Nacha Rules require those who are using the ACH Network to have standard language in origination agreements, including Client Service Agreements and ACH Agreements. In addition, these agreements must be fully executed to include dates and signatures by all parties to the agreement. 


7. Tighten exposure limits. FIs set credit and exposure limits, but payroll providers should have their own in place to mitigate risk. For example, if your customer can’t process payroll, the FI will process the file if it is not over the identified exposure limit, which would put you on the hook for settlement. There should be similar boundaries in effect to help protect your organization. In addition, you should periodically review your limits with individual customers to determine if any changes are necessary. When executed well, these limits help protect you from additional financial risks.


Overall, the seven items on this checklist serve as a summary of the most common compliance issues we see during third-party audits. We hope you can use this as a guidepost in evaluating current operations and preparing for 2022. Applying these findings to your ACH program now will help ensure you remain in compliance, mitigate your risk, and support the needs and interests of your customers.

