Nacha has announced it will begin selecting 460% more financial institutions each month to prove completion of their annual ACH compliance audits.
Historically, Nacha has randomly selected 125 Financial Institutions per month to show proof that they've had an ACH compliance audit. The random selections are now increasing to approximately 700 Financial Institutions per month.
What Does This Mean for You?
Ensure completion of an annual ACH Audit to verify compliance with Nacha Operating Rules and Guidelines by December 31st of each year. You must retain proof of completion of your Nacha compliance audit for six years.
Pro Tip: Do not wait until the end of the year to conduct your audit, as doing so increases the risk of missing the year-end deadline.
What Type of Documentation Will You Need to Provide?
You do not need to submit the entire audit report or even the audit results, unless specifically requested to do so by Nacha.
Instead, you can provide a letter or summary identifying:
- The type of audit conducted
- The date it was completed
- The party or organization that performed the audit
How Will You Receive the Request, and How Should You Submit Documentation?
Nacha will send the request via email and through the Risk Management Portal. It is critical to ensure your financial institution’s contact information in Nacha’s ACH Contact Registry remains up to date.
You should respond through the Risk Management Portal. Make sure multiple individuals in your organization have access to the portal to ensure continuity.
How Long Do You Have to Respond?
10 Banking Days.
Does This Apply to Third-Party Sender Proof of Audit Requests?
Absolutely. Nacha is also significantly increasing these requests for Third-Party Senders. Historically, the number of selections each month has only been 125 and it is now increasing to 400.
- Ensure your Third-Party Senders have an annual compliance audit conducted and that they retain proof for six years.
- Keep in mind: you are responsible for obtaining and submitting this documentation to Nacha, not the Third-Party Sender. Make sure they are able to provide the necessary documentation so that you meet the 10 Banking Day deadline. That's 10 Banking Days from the time Nacha sends you the request, not 10 Banking Days from the time you deliver the request to the Third-Party Sender.
Be ready. Nacha compliance audits should never be seen as a mere checkbox exercise. They are an opportunity to gain strategic insights that can drive growth and sustainability.
Depository Financial Institutions are also responsible for ensuring that their Third-Party Service Providers conduct an annual compliance audit. This applies to any vendor that you use to assist in your ACH processing. For example, core processors, vendors that format ACH Files, Sending Points and Receiving Points are all Third-Party Service Providers whose compliance with the Nacha Rules you are responsible for ensuring. As a best practice, I recommend requesting proof of their ACH compliance audit during your vendor management reviews.
NEACH Payments Group has an experienced team of payments experts and audit workbooks ready to help you meet regulatory requirements and adopt industry best practices.