As we plan for 2023, financial institutions (FIs) need to prepare, before the end of the first quarter, for changes to their third-party sender agreements and relationships. Specifically, two new modifications to third-party sender roles and responsibilities, which technically went into effect as of September 30, 2022, will start being enforced as of March 31, 2023. Auditors and regulators will be looking closely at these compliance topics.
“If you haven’t had your exams, reviews, or whatever related to third-party risk management, they are going to be more intense,” shared Kevin Sasser, Director of Sales and Strategic Initiatives at Argos Risk, earlier this year at NEACH’s virtual Payments Management Conference (PMC). “In a recent poll, over 75 percent of the financial institutions polled said, ‘Hey, those regulators are really starting to pay attention to what we’re collecting around our third-party programs.’”
With that in mind, implementing new compliance measures around these rules will require some work on the part of the FI to confirm their procedures allow for a detailed review of all third-party senders. Specifically, FIs will need to tighten their definition of and protocol around nested third-party senders and ensure all third-party senders conduct risk assessments.
And with the clock ticking on that compliance deadline, now’s the time for you to shore up your knowledge of and agreements with any third-party senders.
Identifying Third-Party Senders and Nested Third-Party Senders
But to do that, you have to start at the beginning and look closely at how the new rule language impacts your FI. According to the new rules, third-party senders and nested third-party senders are defined as follows:
- Third-Party Sender: “a type of third-party service provider that acts as an intermediary on behalf of an originator or another third-party sender in transmitting entries between the originator and the ODFI (or the ACH Operator on behalf of the ODFI via direct access), when there is not an origination agreement directly between the originator and ODFI.” (section 8.110)
- Nested Third-Party Sender: “a third-party sender that (i) has an origination agreement with another third-party sender to act on behalf of an originator, and (ii) does not have a direct agreement with the ODFI itself.” (section 8.60)
While seemingly simple, these definitions become increasingly complicated the further out they extend from the ODFI. The rules require the FI to have line of sight to those trickle-down relationships. It becomes a case of not just knowing your customer, but knowing your customer’s customer, and in some cases, your customer’s customer’s customer.
“At minimum you should ask them, ‘Do you process entries for somebody other than yourself?’ That’s a good indication they’re a third-party sender,” Nanci McKenzie, AAP, APRP, EVP, Compliance and Product Strategy at Affirmative Technologies, recommended at NEACH’s PMC back in May 2022. She continued, “On those onboarding checklists you have, do you have that question on there? How else are you going to know if they’re a third-party sender or not?”
To that point, Terri Sands, CAMS, CFE, AAP, ACT, Managing Director, Payments, Compliance and Financial Crimes at STOUT, dove a little further along the relationship chain during the virtual session she shared with Sasser.
“When we look at third-party relationships, you’ve always got to think about these downstream relationships. In these downstream relationships you’ve got to look at owners, partners, people who could be corrupt, and that could be a payroll clerk, that could be a cashier, that could be the president of the company. You have to look at the full relationship,” she shared.
Understanding What Changed
Having a detailed understanding of your customers, their businesses, and their customers has always served as a gold standard risk management approach, so you may be asking yourself, “What’s the difference now?”
In short, the details make the difference.
While the rules have always addressed third-party sender and nested third-party sender relationships, the clarification means FIs need to ensure their origination agreements:
- Address nested third-party senders
- Describe reporting requirements for both third-party senders and nested third-party senders in Nacha’s risk management portal
- Require all third-party and nested third-party senders to conduct risk assessments
Steps FIs Can Take
This rule change creates an opportunity for FIs to institute a bigger review of their policies and agreements around third-party senders. In fact, taking the following steps can help ensure your approach to these relationships aligns with all compliance requirements and your overall organizational strategy:
- Think like a regulator. Ultimately, if you think about how your agreements will be dissected by auditors and regulators, you will be able to better button up your third-party sender operations in a way that can withstand deep scrutiny. As Sasser told the virtual PMC audience, “The minimal acceptable requirements are going to continue to rise, and they’re rising to a point where you can’t not invest in it… Be ready to prove to regulators what you think happens actually does.”
- Determine your risk tolerance on nested third-party senders and include relevant language in your agreements, such as repercussions for any contractual breaches. As McKenzie pointed out in her session, nested third-party senders hold an agreement with the third-party sender, not with the ODFI, so you need to ensure the language you have in your agreements speaks to your institution’s stance on nested third-party senders. If you allow them, what are the requirements for the third-party sender? And if you prohibit those nested relationships, what are the consequences if your customer onboards a nested third-party sender? Those details are critical to your agreements.
- Update all origination agreements to include language about third-party senders and nested third-party senders, what’s required of them, and the ramifications of non-compliance. You also need to extend those new clauses to all agreements so that, if a current customer becomes a third-party sender, you have already made clear what’s expected, what’s allowed, and the consequences of not adhering to the agreement. These can be amendments to master service agreements; you just want to make certain you have language that will protect you and encourage customers to report any changes in how they operate.
- Develop a process for continual due diligence to ensure you can flag any new third-party senders or nested third-party senders in your portfolio. As McKenzie warned, “Due diligence is not just going to be on onboarding. We need to identify and make certain that our originators have not changed over the past year.” And, thinking about changes in organizational stature, Sands emphasized, “If you’re in the acquisition mode you really need to have a full scope review of all the customers, what they do, and make sure that they do fit into your risk profile, before bringing those in.”
Certainly, third-party senders and nested third-party senders create compliance considerations for FIs, but they are manageable with advance planning and strong agreements that spell out roles and responsibilities. By examining existing client rosters more closely and expanding language in agreements, FIs set themselves up for successful relationships with these customers, and now’s the time to take the steps to ensure you’re ready for a strong start to 2023.
For more information on this topic, join us for NEACH’s January 26 webinar, “2023 Industry Update” or consider our online learning courses, “Third-Party Sender Audits What, When, Why?” and “Navigating Through Nested Third-Party Senders.” In addition, Nacha offers a summary of the rule change on their website.
AUTHOR: Sandy Ortins, AAP, APRP, NCP
Senior Vice President
Sandy Ortins is the Senior Vice President of Operations for NEACH. As Senior Vice President for NEACH, Sandy oversees the NEACH Products and Services, Membership, and Advocacy areas. As such, she manages the organization’s member resources and tools; provides quality service to membership; and represents NEACH and its membership in relevant councils and task forces to drive understanding of and ensure support of the needs of its diverse membership base.