Published on Wednesday, September 13, 2023

Third-Party and Nested Third-Party Sender Relationships (Part I): Managing Third-Party and Nested Third-Party Sender Risk

An Interview with Sean Carter, President and CEO of NEACH and  NEACH Payments Group (NPG)

Third-party senders offer many potential benefits for financial institutions, enabling them to attain strategic objectives, expand offerings, and more. However, supporting third-party and nested third-party senders presents unique risks and considerations. Sandy Ortis, AAP, APRP, NCP, Senior Vice President of Operations at NEACH, recently sat down with Sean Carter, AAP, NCP, President and CEO of NEACH and NEACH Payments Group (NPG), to learn more.


Following are highlights from that interview.


Sandy Ortins: We talk about this a lot in our compliance training because knowing these entities is so important to risk management. Would you share a little about why ODFIs need to monitor third-party and nested third-party senders and the ODFI's roles and responsibilities in these relationships?


Sean Carter: ODFIs need to monitor these relationships because third-party and nested third-party senders present unique risks to financial institutions. Although financial institutions can control their third-party and nested third-party senders, they can’t control the customers those entities bring on.


Even though financial institutions don’t incur the costs of dealing with third-party and nested third-party senders directly, other considerations come into play. For example: Do they have the same risk appetite as your financial institution? Are they willing to take chances you wouldn’t take as a financial institution? Managing these relationships is critical. While financial institutions want to bring on more activity, it must fit the level of risk they are ready to assume.


Much of it boils down to trusting your third-party sender to do the right thing. But as former President Reagan once said, "Trust, but verify." So, financial institutions must manage the relationships on whatever basis works for them. For example, this may mean quarterly or annual risk assessments. Most importantly, financial institutions need a third-party and nested third-party sender program that covers operations to compliance and everything in between.


Sandy Ortins: It seems like we’re hearing a lot more about these relationships in today’s environment. Are financial institutions using more third-party senders? Are they increasing because of FinTech relationships?


Sean Carter: That's a great question. Awareness has increased. Consequently, companies that have probably always been third-party senders are now correctly defined that way.


Nacha's Third-Party Sender Identification Tool has helped many financial institutions correctly identify third-party and nested third-party senders. Financial institutions need only go online and answer a couple of questions to determine if they have a third-party or nested third-party sender.


Relationships with FinTech third-party and nested third-party senders are often more complicated. It depends on how those relationships are structured. For example, some FinTechs use Banking as a Service (BaaS) platforms, which, by definition, create new third-party senders. Others use a For Benefit Of (FBO) account, which has its own risks and obligations.


However, there are still scenarios not explicitly spelled out—for example, where one part of the business is an originator and the other a third-party sender. There's more work to do when it comes to educating financial institutions. Still, at least more people are asking questions and going through the exercise to determine if they have any third-party or nested third-party senders. We're on the right track but still have a way to go.


Finally, financial institutions must realize that having a third-party or nested third-party relationship is okay. Third-party senders have meant so much to the ACH Network. Think of payroll and the volume it generates. If managed appropriately, these relationships can be very positive.


Sandy Ortins: What about money services businesses (MSBs)? How do those come into play in the third-party sender picture?  


Sean Carter: There are specific requirements. For example, in some states, payroll companies are automatically defined as money services businesses. In other instances, FinTechs may require a license to operate as an MSB. Each state is different, so financial institutions need to understand when their customers meet that definition.


Sometimes, there are ways to approach these relationships differently: For example, using the FBO structure we discussed earlier. Financial institutions should do their research and educate themselves on the issue.


Sandy Ortins: What about new payment types? How will new payment systems like FedNow® and Real-Time Payments (RTP®) network affect third parties?


Sean Carter: Financial institutions need to understand that they retain responsibility for who they bring in to use the FedNow Service and the RTP network. So, financial institutions need to know who they're offering services to and the types of transactions flowing. Across the board, financial institutions are responsible for the transactions that flow through the system, and this remains true with instant and real-time payments.


Sandy Ortins: If you had to sum things up, what would you say ODFIs and third-party senders most need to know about their responsibilities?


Sean Carter: Surprisingly, we still find ODFIs and third-party senders who fail to realize they are required to conduct ACH risk assessments. Third-party senders need to understand that they must have their own risk assessment completed; they can’t rely on the bank’s initial or yearly risk assessment.


Second, while financial institutions can plug third-party senders into Nacha's risk management portal, they sometimes encounter challenges. There are nuances to how you enter the information into the portal. Although time won't permit me to go into more detail here, financial institutions can review Nacha's Risk Management Portal Reference Guide for ODFIs for more information.


And third, I can tell you that in our audits, we write up financial institutions for nested third-party senders they didn't know they had. Financial institutions need to do the work to ensure they know how their third-parties are operating and what other organizations may be in the mix.


Sandy Ortins: Besides what we discussed, are there any final points you’d like ODFIs to take away?


Sean Carter: Relationships with third-party senders can be highly profitable for a bank. When someone sells volume for you, you don't have the customer acquisition costs. Having a strong third-party sender program makes all the difference for this model: You build a program consisting of key checklists, and it’s a cost-effective way to grow transaction volume. In addition, if you do it well enough, that third-party sender recommends your financial institution to their customers, which can help grow deposit lending. There's much good that can come of these relationships.


When FIs are considering these relationships, I try to remind CEOs and their boards that third-party senders don't want to go out of business either. If a third-party or a third-party sender is an actual business, say a payroll company that makes good money off doing a straightforward task for businesses, they don't want to screw that up.


An ODFI that does their homework and proper due diligence will most likely end up dealing with only reputable third-party senders. It's a sweet spot, especially for community banks, because the larger banks don't want what they perceive as a "headache." In managing these relationships.  This is an excellent opportunity for community banks. The thinking has been that smaller financial institutions are too small to manage third parties and nested third-party senders, but I don't believe that. It's not that complicated to create a solid third-party sender program. You can have a good program if people understand that it's a team effort.


Next Up: Common Audit Findings and Ensuring Compliance


In Part II of our series, “Third-Party and Nested Third-Party Senders: Common Audit Findings and Ensuring Compliance,” we will examine common findings in third-party and nested third-party audits, along with concrete steps your financial institution can take to mitigate risk and ensure compliance.


To learn more about NPG and its services, visit We have some great information available on our website. You can also reach us by phone at 781-321-1011 or at



Sandy Ortins, AAP, APRP, NCP




AUTHOR: Sandy Ortins, AAP, APRP, NCP
Senior Vice President

Sandy Ortins is the Senior Vice President of Operations for NEACH. As Senior Vice President for NEACH, Sandy oversees the NEACH Products and Services, Membership, and Advocacy areas. As such, she manages the organization’s member resources and tools; provides quality service to membership; and represents NEACH and its membership in relevant councils and task forces to drive understanding of and ensure support of the needs of its diverse membership base. Connect with Sandy to read more of her blogs, articles, and posts. 



Rate this article:
No rating
Comments (0)Number of views (348)

Theme picker