Published on Wednesday, September 20, 2023

Third-Party and Nested Third-Party Sender Relationships (Part 2): Common Audit Findings and Ensuring Compliance

An Interview with Sean Carter, President and CEO of NEACH and NEACH Payments Group (NPG)

In our first piece on third-party and nested third-party senders, we explored why ODFIs need to monitor these relationships and the unique risks they present to financial institutions. Part 2 of our series offers actionable feedback and findings from real-world audit scenarios.


Let’s continue the discussion with Sandy Ortins, AAP, APRP, NCP, Senior Vice President of Operations at NEACH, and Sean Carter, AAP, NCP, President and CEO of NEACH and NEACH Payments Group (NPG), as we dive deeper into the topic.


Sandy Ortins: So, now that we have level-set on today’s third-party environment, let’s talk about where ODFIs can strengthen their programs. What are common key findings in third-party sender audits?


Sean Carter: The good news is we’re finding that the customers we’re regularly dealing with have good programs in place. When NPG starts working with a financial institution that has, in the past, used a non-ACH expert to do its audits and risk assessments, we find that we need to start at the beginning, specifically with how to identify third-party and nested third-party senders correctly. That's the first thing we teach people.


Once financial institutions identify third-party and nested third-party senders, they must understand that they are not created equal. For example, some third-party senders deal with payroll, a risk different from debt collection, being a payday lender, or an online retail conglomerate.


When we take on new clients, we generally work with the financial institution and their third-party and nested third-party senders. Our experience with third-party senders has been very positive. The first time we do a third-party sender audit, we usually find several things they need to correct because they don’t understand initially that the obligation comes back to the financial institution. But the second time we return, they almost always show a willingness to try to get it right because they want to preserve their relationship with the financial institution. Overall, the third parties we’ve dealt with are very compliance-cautious. They want to do the right thing.


From the financial institution side, it's essential to communicate with third-party and nested third-party senders about their roles and responsibilities. Financial institutions want to avoid burdening third-party senders by telling them they must do something else. I sometimes hear, “I don't want to tell my customers that they must conduct a risk assessment.” I’ve found that if you just tell them what to do, they'll do it. I've also had some financial institutions say their customer does business without contracts. Well, the Nacha Operating Rules say you must have agreements in place. You can still do business on a handshake, but on the backend, you need to send the customer a contract to sign that outlines the rights and responsibilities of each party. Many financial institutions anticipate conflict around this issue. Honestly, there isn’t any: A signed contract protects the third-party customer as well as the FI.


We tell third-party senders that everything we ask them to sign is to protect their business. For example, the contract covers security and outlines what happens if there's a loss. If you don't have a contract, where do you turn if there's a problem? So, everything we're telling them to do and everything Nacha requires them to do is actually for their benefit. If a third-party sender is unwilling to protect itself by signing a contract, it will eventually burn you as a financial institution.


Unfortunately, FinTechs sometimes push back on the definition of third-party sender or try to manage the relationships so they don’t meet the definition. They sometimes put a great deal of work into avoiding this designation, which can complicate things for both parties.


Generally speaking, traditional third parties—professional services companies—are willing to do anything financial institutions require. As I mentioned, there are two different worlds in the third-party space. There are the traditional professional services firms and the FinTech space. Financial institutions must recognize that and determine how to work with each segment strategically.


Sandy Ortins: Speaking of different worlds, we’re now in that instant and real-time payments landscape. What have you seen with FinTechs and other third parties in that space? What has come up in RTP audits?


Sean Carter: When we look at the audit, it's about having done certain things. For example, we know payroll companies, like Paychex, use real-time payments, so the audits must also cover the contractual side.


It’s an interesting question—what are the financial institutions’ internal audit people looking at, and what do The Clearing House and Fed expect? As both networks develop more use cases, we hope to see an increase in third-party relationships for the benefit of FIs, third parties, and their customers. Ultimately, the use cases will dictate the definitions and the roles.


Sandy Ortins: What about overall? What has been your experience at NPG as relates to helping ODFIs clarify and manage third-party relationships?


Sean Carter: It often starts with an audit of the ODFI, where we often discover that they have third-party senders. We also test their customer list and look for specific names or types of industries they might be doing business with. We’ll also pull some batches to see how they structure the company name field.


If we learn that the ODFI has third-party or nested third-party senders, and they didn't think they did, we come in, educate, and consult on building a third-party sender program.


We can also do it from the third-party perspective, where organizations come to us as they develop their business and say, "We're not sure if we're a third-party sender." NPG generally asks, "Who's your bank? Let's work with your bank to lay out expectations." Then, we help them build a program.


We usually start with an audit unless someone is building a new program. Then we come in as a consultant.
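The batch check Sean describes above (pulling batches and looking at how the company name field is structured) can be automated against a Nacha-format file. The following Python script is an added example written for this page; it is not NPG's tooling and not part of the interview. It parses only the batch header ("5") records, whose fixed-width layout (Company Name in positions 5-20, Company Identification in positions 41-50) is the Nacha file format, and applies two screening heuristics that are this example's own assumptions rather than Nacha rules: one Company ID submitting under several Company Names, and names built as "PROCESSOR*CLIENT" or containing "FBO". The sample file is constructed with made-up names and identifiers. A hit is a lead for the auditor to follow up with the customer list and contracts, not a determination that the originator is a third-party sender.

```python
"""Screen Nacha batch headers for signs of third-party or nested senders.

Added example for this page (not NPG's code). Heuristics and sample data
are assumptions constructed for illustration.
"""
from collections import defaultdict
import re

# Batch header record ('5'), 94 characters, fixed width:
#   1      record type code        54-63  company entry description
#   2-4    service class code      64-69  company descriptive date
#   5-20   company name            70-75  effective entry date
#   21-40  company discretionary   76-78  settlement date (operator fills)
#   41-50  company identification  79     originator status code
#   51-53  SEC code                80-87  ODFI identification
#                                  88-94  batch number

# Names that look like "PROCESSOR*CLIENT" or "PROCESSOR FBO CLIENT" are a
# common way a processor labels batches sent on behalf of its own clients.
# This pattern is an assumption of the example, not a Nacha rule.
NESTED_NAME_PATTERN = re.compile(r"\*|\bFBO\b|\bOBO\b|\bO/B/O\b")


def _batch_header(company_name, company_id, sec, description, batch_number):
    """Build a constructed 94-char batch header for the sample file."""
    rec = (
        "5"
        + "200"                         # service class code: mixed debits/credits
        + company_name.ljust(16)[:16]
        + "".ljust(20)                  # company discretionary data
        + company_id.ljust(10)[:10]
        + sec
        + description.ljust(10)[:10]
        + "".ljust(6)                   # company descriptive date
        + "230920"                      # effective entry date, YYMMDD
        + "   "                         # settlement date, filled by the operator
        + "1"                           # originator status code
        + "12345678"                    # ODFI identification (first 8 digits)
        + str(batch_number).rjust(7, "0")
    )
    if len(rec) != 94:
        raise ValueError("constructed batch header is not 94 characters")
    return rec


# Constructed sample: a file header, one payroll processor ("ACME") sending
# three batches under one Company ID, one direct originator, and one
# "FBO"-style name. Entry detail records are omitted; the check does not read them.
SAMPLE_NACHA = "\n".join([
    "1" + "01" + " 021000021" + " 123456789" + "230920" + "0900" + "A"
    + "094" + "10" + "1" + "TEST ODFI".ljust(23) + "ACME PAYROLL".ljust(23) + " " * 8,
    _batch_header("ACME PAYROLL", "1123456789", "PPD", "PAYROLL", 1),
    _batch_header("ACME*BOBS TIRE", "1123456789", "PPD", "PAYROLL", 2),
    _batch_header("ACME*JOES DELI", "1123456789", "PPD", "PAYROLL", 3),
    _batch_header("MAIN ST BAKERY", "1987654321", "CCD", "VENDOR PAY", 4),
    _batch_header("FINCO FBO LANDL", "1555555555", "WEB", "RENT", 5),
])


def parse_batch_headers(nacha_text):
    """Return a list of dicts, one per '5' record, with the audited fields."""
    headers = []
    for lineno, line in enumerate(nacha_text.splitlines(), 1):
        if not line.startswith("5"):
            continue                    # file header, entries, controls, '9' padding
        if len(line) != 94:
            raise ValueError(f"line {lineno}: batch header must be 94 chars, got {len(line)}")
        headers.append({
            "line": lineno,
            "company_name": line[4:20].rstrip(),
            "company_id": line[40:50].rstrip(),
            "sec_code": line[50:53],
            "entry_description": line[53:63].rstrip(),
            "batch_number": int(line[87:94]),
        })
    return headers


def find_third_party_signals(headers):
    """Return (company_id, reason, names) tuples for batches worth a closer look."""
    findings = []
    names_by_id = defaultdict(set)
    for h in headers:
        names_by_id[h["company_id"]].add(h["company_name"])
    # Heuristic 1: one Company ID, several different Company Names.
    for company_id, names in sorted(names_by_id.items()):
        if len(names) > 1:
            findings.append((company_id, "multiple company names under one Company ID", sorted(names)))
    # Heuristic 2: processor/client naming pattern in the Company Name itself.
    for h in headers:
        if NESTED_NAME_PATTERN.search(h["company_name"]):
            findings.append((h["company_id"], "processor/client naming pattern", [h["company_name"]]))
    return findings


if __name__ == "__main__":
    for company_id, reason, names in find_third_party_signals(parse_batch_headers(SAMPLE_NACHA)):
        print(f"{company_id}: {reason}: {', '.join(names)}")
```

On a real file, replace SAMPLE_NACHA with the ODFI's outbound file and compare each flagged Company ID against the customer list and the agreements on file; an ID that is flagged but has no signed third-party sender agreement is the finding the audit writes up.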


Sandy Ortins: From your audit experiences, what three or four things can ODFIs do to ensure third-party and nested third-party senders comply with rules and regulations?


Sean Carter: The first is to understand why this is a conversation. Consider what it means to outsource the customer relationship process. Once you put the discussion in this context, it’s easier to say to third-party and nested third-party senders, “Here’s how we do things.”


Second, as a financial institution, how do you help third-party and nested third-party senders embrace risk planning that mirrors you and then test what they’re doing? It starts with discussing what you want them to do and then managing the process.


The third is to emphasize the importance of testing, including audits, risk assessments, and your annual checklist.


Finally, it helps to communicate clearly with your third-party and nested third-party senders about how they behave—how they approve new customers, for instance. Also, some third-party and nested third-party senders don't have exposure limits for their customers, which, according to Article Two of the Nacha Operating Rules, is required. Teach your third-party senders how your financial institution handles exposure limits. Once they understand the expectations, it's your responsibility to manage them.


Sandy Ortins: This has been an insightful conversation on what you see in real-world scenarios. Is there anything else you would like to add?


Sean Carter: Regulators have some excellent information on their websites through bulletins and blog posts that are clear, concise, and just what you would expect from regulators around third-party and nested third-party relationships. Take a look at their resources (OCC Bulletin 2023-17, Nacha Third-Party Sender Registration Requirements, Nacha Third-Party Sender Roles and Responsibilities) to help you better navigate this environment.


In addition, NPG can help. Check out our offerings at We have some great information available on our website. You can also reach us by phone at 781-321-1011 or



AUTHOR: Sandy Ortins, AAP, APRP, NCP
Senior Vice President

Sandy Ortins is the Senior Vice President of Operations for NEACH. As Senior Vice President for NEACH, Sandy oversees the NEACH Products and Services, Membership, and Advocacy areas. As such, she manages the organization’s member resources and tools; provides quality service to membership; and represents NEACH and its membership in relevant councils and task forces to drive understanding of and ensure support of the needs of its diverse membership base. Connect with Sandy to read more of her blogs, articles, and posts. 
