[Federal Register Volume 60, Number 157 (Tuesday, August 15, 1995)]
[Notices]
[Pages 42413-42417]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 95-20128]
=======================================================================
-----------------------------------------------------------------------
FEDERAL RESERVE SYSTEM
[Docket No. R-0889]
Federal Reserve Payment System Risk Policy
AGENCY: Board of Governors of the Federal Reserve System.
ACTION: Notice; request for comment.
-----------------------------------------------------------------------
SUMMARY: The Board requests comment on the benefits and costs of
adopting a policy to control access to the Federal Reserve Banks'
automated clearing house (ACH) service by entities other than the
depository institution whose Federal Reserve account will be debited.
The controls would apply to ACH credit transactions sent by third-party
processors (service providers) and respondent depository institutions
directly to a Reserve Bank or a private ACH operator that exchanges
transactions with a Federal Reserve Bank. Controlling access to the ACH
service will help to ensure the safety and soundness of the ACH system.
The concepts underlying the proposed ACH third-party access policy
are similar to the provisions of the Fedwire third-party access policy,
which was originally adopted in 1987 and amended today. (See notice
published elsewhere in today's Federal Register.) The Board requests
comment on the specific provisions of the proposed policy and the cost
and operational impact of providing risk monitoring capabilities for
controlling access to the Federal Reserve Banks' ACH service. The risk
monitoring capabilities are intended to permit the depository
institutions that are
[[Page 42414]]
responsible for funding ACH credit transactions to control the
potential credit risk and reduce the risk of fraud created by their
customers and respondent depository institutions. The proposed policy
provisions and monitoring alternatives do not cover ACH debit
transactions.
DATES: Comments must be submitted on or before November 9, 1995.
ADDRESSES: Comments should refer to Docket No. R-0889, and may be
mailed to Mr. William Wiles, Secretary, Board of Governors of the
Federal Reserve System, 20th Street and Constitution Avenue, N.W.,
Washington, DC 20551. Comments may also be delivered to Room B-2222
between 8:45 a.m. and 5:15 p.m. weekdays, or to the guard station in
the Eccles Building courtyard on 20th Street N.W. (between Constitution
Avenue and C Street) at any time. Comments may be inspected in Room MP-
500 of the Martin Building between 9:00 a.m. and 5:00 p.m. weekdays,
except as provided in 12 CFR 261.8 of the Board's rules regarding
availability of information.
FOR FURTHER INFORMATION CONTACT: Florence M. Young, Assistant Director
(202/452-3955), Wesley M. Horn, Manager, ACH Payments (202/452-2756),
or Scott E. Knudson, Senior Financial Services Analyst, ACH Payments
(202/452-3959) Division of Reserve Bank Operations and Payment Systems;
for the hearing impaired only: Telecommunications Device for the Deaf,
Dorothea Thompson (202/452-3544).
SUPPLEMENTARY INFORMATION:
I. Background
The ACH is a value-dated electronic payment service that supports
both debit and credit transactions. In ACH debit transactions, funds
flow from the depository institution receiving the transaction to the
institution originating the transaction. Typical debit transactions
include collection of insurance premiums, mortgage and loan payments,
consumer bill payments, point-of-sale transactions, and corporate cash
concentration transactions. Institutions originating ACH debit
transactions are exposed to the risk that the receiving institution
will return a transaction and the originating institution's customer
will not have sufficient funds available to cover the returned
transaction. An originating institution can control its exposure to
potential losses from returned debit transactions by establishing funds
availability policies that are based on the creditworthiness of each
customer. That is, an originating institution can hold all or a part of
the funds collected via ACH debit transactions until returned
transactions are expected to be received.1
\1\ In Regulation CC (12 CFR Part 229), an ACH debit transfer is
excluded from the definition of electronic payment, which is subject
to next-day funds availability, because the receiver of an ACH debit
transfer has the right to return the transfer. Thus, an ACH debit
transfer is more like a check than a wire transfer of funds.
---------------------------------------------------------------------------
In ACH credit transactions, funds flow from the institution
originating the transaction to the institution receiving the
transaction. Typical ACH credit transactions include direct deposit of
payroll, annuity payments, dividend payments, and corporate payments to
vendors and suppliers. When ACH credit transactions are transmitted to
a Reserve Bank, the depository institution originating ACH credit
transactions or its designated correspondent is obligated to fund the
transactions on the settlement day, whether or not the institution's
customers fund the payments.2 3
\2\ The Federal Reserve Banks' Uniform Operating Circular on
Automated Clearing House Items, paragraph 11(c) states ``by sending
an item to a Reserve Bank, the sending institution authorized the
Reserve Bank holding the institution's account to debit the amount
of a credit item to the sending institution's account on the
settlement date.'' Paragraph 38 states ``a sending institution or
prior party may not amend or revoke an item after it has been
received by a Reserve Bank, except as otherwise provided in the
applicable ACH rules.'' The ACH Rules (Article Seven, Section 7.1),
promulgated by the National Automated Clearing House Association
(NACHA), state that ``neither an originator nor an ODFI (originating
depository financial institution) has the right to recall an entry
or file, to require the return of or adjustment to an entry, or to
stop the payment or posting of an entry, once the entry or file has
been received by the originating ACH operator.''
\3\ The Uniform Operating Circular on Automated Clearing House
Items, Appendix 4, Settlement Agreements, states that a sending or
receiving institution (or its correspondent account holder) may
terminate a settlement agreement by providing written notice to a
Reserve Bank. A Reserve Bank may terminate a settlement agreement by
providing written notice to the institution (or correspondent
account holder). In either case, the termination notice is effective
on and after the banking day following the banking day of receipt by
the institution of the notice, or on and after a later date
specified in the notice.
---------------------------------------------------------------------------
ACH transactions are processed in batches one or two days before
they are scheduled to settle. The use of value-dating exposes an
originating institution to interday credit risk that can extend from
one to two business days, depending upon when transactions are
transmitted to an ACH operator and when a depository institution's
customer funds the payments it originates. To address this exposure, as
of January 3, 1995, The Guide to the Federal Reserve's Payment System
Risk Policy requires depository institutions performing self
assessments in order to obtain daylight overdraft caps to (1) evaluate
the creditworthiness of each customer that originates ACH credit
transactions, (2) establish for each customer an interday credit limit,
and (3) monitor compliance with credit limits across all processing
cycles for a given settlement day. For customers in weak financial
condition, real-time monitoring is required.4 In addition, the
Board has issued an Overview of the Federal Reserve's Payments System
Risk Policy for use by depository institutions that use only minimal
amounts of intraday Federal Reserve credit, that is, institutions that
are exempt from filing or that qualify for a de minimis cap. The
Overview indicates that institutions should perform credit assessments
and establish credit or exposure limits for customers originating large
dollar volumes of ACH credit transactions and that compliance with the
limits should be monitored across all processing cycles for a given
settlement day.5 In both documents, depository institutions are
encouraged to require customers in weak financial condition to prefund
or collateralize ACH credit transactions.
\4\ Guide to the Federal Reserve's Payment System Risk Policy,
Section VII, p. 57, January 1995.
\5\ Overview of the Federal Reserve's Payments System Risk
Policy, Section VI, p. 22, October 1993.
---------------------------------------------------------------------------
Many depository institutions originating ACH transactions do so
through third-party service providers. There are a variety of third-
party processing arrangements that result in a service provider's
transmitting ACH transactions directly to a Federal Reserve Bank or a
private ACH operator, which may ultimately transmit the transactions to
a Federal Reserve Bank.6 For example, a depository institution may
contract with another depository institution, acting as a service
bureau, or with a non-depository institution service provider to create
ACH transactions on its behalf. In some cases, companies create ACH
transactions on behalf of their account-holding institution and
transmit the files to third-party service providers. Service providers
may also create ACH transactions directly for corporate customers, such
as payroll payments. In these cases, service providers consider the
contracting companies, not the depository institution, to be their
clients. In addition, respondent depository institutions may send ACH
credit transactions for which settlement will be made through a
correspondent
[[Page 42415]]
depository institution's account directly to a Federal Reserve Bank or
a private ACH operator. In other cases, a respondent depository
institution might transmit transactions to a third-party service
provider, which would in turn transmit the transactions to a Federal
Reserve Bank or private ACH operator. The Board believes that there may
also be other types of third-party arrangements that have not been
identified.
\6\ There are currently one national private ACH operator--Visa,
U.S.A.--and two regional private ACH operators--the New York
Automated Clearing House and Deluxe Data Systems, which is the
service provider for the Arizona Clearing House Association.
---------------------------------------------------------------------------
As noted above, depository institutions are required to fund ACH
credit transactions on the settlement day once they have been
transmitted to a Federal Reserve Bank. Therefore, the transmission of
ACH credit transactions to a Federal Reserve Bank by a third-party
service provider or respondent institution without the explicit review
and consent of the originating institution or correspondent, whose
Federal Reserve account will ultimately be charged for the
transactions, can expose the originating institution or correspondent
to credit risk. For example, if a depository institution's customer
that uses a third-party service provider to originate payroll payments
declares bankruptcy before transactions have settled, the depository
institution would be required to absorb any loss. Similarly, if a
third-party service provider originated fraudulent payments, a
depository institution could, at a minimum, be exposed to liquidity
risk and the safety and soundness of the ACH service could be
undermined.
II. Risk in ACH Third-Party Processing Arrangements
During the mid-1980s, the Board became concerned about the credit
exposure faced by depository institutions entering into arrangements
with service providers to send and receive Fedwire funds transfers. To
address the credit exposure inherent in these arrangements, as part of
its risk reduction policy, in 1987 the Board approved a set of
conditions under which Fedwire third-party access arrangements could be
established. The Board has adopted revisions to the Fedwire third-party
access policy. (See notice published elsewhere in today's Federal
Register.) 7
\7\ The policy requires depository institutions to impose
prudent controls over Fedwire transfers initiated, received, or
otherwise processed on their behalf by a third-party service
provider.
---------------------------------------------------------------------------
At the time the Fedwire controls were adopted, they were not
applied to the ACH because it was considered a small-dollar payment
system. As a result, there was little concern about the risks created
when third parties originated and transmitted ACH transactions to ACH
operators on behalf of depository institutions. Although the average
value of individual ACH credit transactions is relatively small--$2,600
compared with $3 million for Fedwire funds transfers in 1994--the
aggregate value of ACH transactions originated by a customer of an
institution can be significant. Moreover, the volume and value of
commercial ACH credit transactions has increased rapidly. In 1987, when
the Fedwire policy was adopted, 206.8 million ACH credit transfers,
with a value of approximately $410.7 billion, were processed by the
Federal Reserve Banks. In 1994, 955 million transfers, with a value of
almost $2.5 trillion, were processed by the Federal Reserve Banks.
Thus, over the last seven years, the volume of ACH credit transactions
has grown at an average annual rate of nearly 25 percent and the value
of these transactions has increased at an average annual rate of nearly
30 percent. A number of factors indicate that continued rapid growth is
likely.
To assess the level of risk depository institutions face due to ACH
transactions originated through third-party service providers, the
Board's staff surveyed the Reserve Banks to obtain information on the
value of ACH credit transactions that are processed for depository
institutions that have agreements with service providers.8 The
potential credit exposure was measured by dividing the dollar value of
the daily average and peak-day ACH credit transactions originated by
service providers for each depository institution by the amount of the
institution's total capital. In general, the survey results indicated
that the amount of risk faced by institutions in third-party processing
arrangements is a small percentage of capital. Peak-day exposure
averaged approximately 5 percent of the total capital of institutions
using third-party processors. Although the average risk exposure, as
measured by the survey, was not significant, for some institutions
significant exposure existed. Of the 5,020 institutions that permitted
service providers to originate ACH transactions, the peak-day exposure
for seven institutions exceeded 150 percent of capital and, for one
institution, it exceeded 250 percent of capital. As ACH volume
continues to grow, the potential risks created by the use of service
providers is likely to increase. Further, anecdotal evidence suggests
that many depository institutions are not fully aware of the extent to
which third parties originate ACH transactions on their behalves.
\8\ Data were provided by all Reserve Banks, expect the Federal
Reserve Bank of New York, for the month of December 1993. The New
York Automated Clearing House provides essentially all commercial
ACH service in the New York District.
---------------------------------------------------------------------------
The potential exposure created by the use of third-party service
providers to institutions originating ACH transactions, led the Board
of Directors of the National Automated Clearing House Association to
pass a resolution addressing system controls for third-party processors
in November 1993. That resolution, among other things, recommended that
ACH controls include: ``. . . a review and release function capability
for originating depository financial institutions with respect to all
files sent directly to ACH Operators by third parties and respondent
depository financial institutions.. . .'' The purpose of this
resolution was to provide originating depository institutions a
mechanism to control the risks created by third-party service providers
and respondent depository institutions.
The New York Automated Clearing House (NYACH) has implemented a
voluntary mechanism that permits originating institutions to set limits
on the aggregate amount of ACH credit transactions that can be
originated against their accounts by third-party processors. If the
credit limit is exceeded, NYACH will hold the files and contact the
originating institution. Based on its instructions, NYACH will either
reject the file or permit the institution to adjust the credit limit.
Visa, U.S.A. and the Arizona Clearing House Association are considering
instituting third-party controls.
III. Proposed ACH Access Policy
The Board is concerned about the potential lack of control in
third-party arrangements and believes that appropriate measures should
be taken to ensure the safety and soundness of the ACH service by
enabling originating institutions to control the risks created by the
use of service providers. Thus, the Board requests comment on the
benefits and costs of adopting a policy to control access to the
Federal Reserve's ACH services. In particular, the Board requests
comment on the scope of the proposed policy, risk monitoring
capabilities for implementing ACH credit controls, and several other
controls.
A. Scope
The proposed ACH policy would apply only to ACH credit
transactions. As noted above, a depository institution is able to
control its credit risk from ACH debit transactions by delaying the
[[Page 42416]]
availability of funds to the originators of the transactions. The
Board, therefore, believes that limiting the policy to the origination
of ACH credit transactions avoids imposing unnecessary burdens on the
industry while addressing the most significant risk.
The policy would cover all of the following types of arrangements:
Service providers (service bureaus, information
processors, and depository institutions that act as service bureaus for
other institutions) that transmit ACH credit transactions directly to a
Federal Reserve Bank or to an ACH operator that exchanges payments with
a Federal Reserve Bank;
Companies that transmit their ACH credit transactions
directly to a Reserve Bank or private ACH operators that transmit
transactions to the Federal Reserve; and
Institutions that transmit ACH credit transactions
directly or indirectly to a Federal Reserve Bank and designate a
correspondent depository institution for the settlement of the
transactions.
B. Credit Controls
In its payments system risk policies, the Board has indicated that
depository institutions should establish procedures to protect
themselves from the risk created by their corporate customers when they
originate ACH credit transactions. In particular, the Board has
indicated that depository institutions should perform credit
assessments and establish credit limits for corporate customers that
originate ACH credit transactions. That policy applies whether ACH
credit transactions are originated by a depository institution itself
or by a service provider.
In addition to the requirements currently included in the payment
system risk policy, the Board requests comment on the following credit
controls.
Institutions that outsource their own ACH processing would
be required to establish an interday limit on the value of ACH credit
transactions that a service provider can originate on their behalf.
Correspondent depository institutions would be required to
establish interday credit limits for each of their respondent
institutions that originate ACH credit transactions.
Monitoring capabilities would enable institutions to ensure that
the credit limits established by the originating institution for each
corporate customer and for its own transactions are not exceeded. If
monitoring capabilities only enabled a depository institution to
monitor the aggregate value of ACH credit transactions transmitted to a
Reserve Bank or a private ACH operator by a third-party, the
responsible depository institution would not be able to control the
risk that it faces from its corporate customers. The Board believes
that it is important for depository institutions to be able to control
the credit exposure that they face from each of their corporate
customers and respondent institutions. As a result, the Board requests
comment on the benefits and costs of adopting risk monitoring
capabilities that differ from the approach recommended by the NACHA's
Board of Directors and implemented by one private operator, which
establishes controls over the total exposure an institution faces due
to transactions originated through third-party service providers.
Additionally, more than one third-party service provider may originate
ACH credit transactions on behalf of a depository institution's
customers. Therefore, a depository institution would be expected to
ensure that its internal procedures enable it to monitor all ACH credit
transactions originated for each of its corporate customers through
third-party service providers.
The following discussion describes the requirements of the ACH risk
monitoring capabilities. The Board requests comment on whether the
Reserve Banks and private ACH operators and/or third-party service
providers, at the option of depository institutions, should provide the
risk monitoring capabilities.
The institution's management would set credit limits to reflect the
total amount of unsettled ACH credit transactions that the
institution's management had determined was acceptable based on the
customer's or respondent institution's financial condition. The
institution would provide these credit limits to the entity providing
the monitoring capabilities. Upon receipt of a file from a third-party
service provider or respondent institution, the dollar value of the ACH
credit transactions in each batch would be combined with the amount of
other unsettled ACH credit transactions that had previously been
processed for the same company or respondent institution. The resulting
aggregate amount of unsettled credit transactions would be compared to
the pre-established credit limit. If this total were below the credit
limit established for the customer or respondent institution, the
transactions would be processed. If the credit limit for the customer
or respondent institution were exceeded, the batch(es) would be held
and the originating depository institution and/or the correspondent
institution would be notified. The depository institution would have
the option to reject the batch or set a new credit limit for its
corporate or respondent customer.
If an originating institution of ACH credit transactions uses a
third-party service provider to originate ACH transactions and uses a
correspondent institution for settlement, the respondent institution
would be expected to establish credit limits for its customers and to
instruct the provider of the monitoring mechanism regarding the action
to be taken if a batch(es) of ACH credit transactions exceeded its
customer's credit limits. In addition, the correspondent institution
would be expected to establish credit limits for its respondent
institutions and to instruct the provider on the action to be taken if
a batch(es) of transactions originated on behalf of its respondent
institution exceeded the respondent's credit limit.
These risk monitoring requirements would apply if the Reserve Banks
and private ACH operators or third-party service providers provided the
monitoring capabilities. Specifically, the Board is requesting comment
on whether the monitoring capabilities could most effectively be
provided by the Reserve Banks and private ACH operators, third-party
service providers, or some combination selected by depository
institutions.
If the Reserve Banks provided the monitoring capabilities, the
Board believes that the capabilities for this alternative could be
implemented within approximately 12 to 18 months following approval of
the ACH third-party policy. Developing and operating such a monitoring
system would be costly, and the benefits of the system would accrue to
institutions using third-party service providers and correspondent
institutions. Therefore, it is likely that the Reserve Banks would
assess some fee to institutions originating ACH credit transactions
through third-party service providers and to institutions acting as ACH
correspondent settlement agents if they were to provide monitoring
capabilities. The Board is interested in knowing the amount of time
that private ACH operators and service providers would need to
implement the proposed monitoring capabilities.
The Board believes that the risk monitoring capability may require
users of ACH services to make changes that may result in increased
costs. For example, in many instances batches of ACH credit
transactions could be pended after normal business hours. Thus,
originating institutions and correspondent institutions would need to
make personnel with credit-granting
[[Page 42417]]
authority available during these off-hours. Finally, if service
providers provided the monitoring capabilities, originating depository
institutions or correspondent institutions that permit customers or
respondents to transmit ACH credit transactions directly to a Reserve
Bank may not be able to rely on the service provider to provide
effective controls over such transactions.
C. Other Controls
To ensure the integrity of ACH third-party and respondent access
arrangements, the following provisions, which are generally consistent
with those required in the Fedwire third-party access policy, would
apply.
An institution's board of directors would be required to
approve the role and responsibilities of a service provider(s) that is
not affiliated with the institution through at least 80 percent common
ownership.
A depository institution that uses an ACH third-party
access arrangement would be required to have its auditors confirm
compliance with the controls described in the policy at least annually.
The service provider must be subject to examination by the
appropriate federal depository institution regulatory agency(ies).
The conditions under which these arrangements could be
established would be set forth in the appendices of the Reserve Banks'
uniform ACH operating circular. The uniform operating circular would
serve as the legal agreement governing the arrangement between the
institution and the service provider and/or correspondent and would
govern arrangements of which the Reserve Banks otherwise may not be
aware. The ACH Participation Agreement, which is used to document the
various agreements between the Federal Reserve Banks and users of their
ACH services, such as settlement arrangements and electronic
connections, would serve to identify the institution and the service
provider(s) or correspondent(s) in the third-party arrangement(s).
IV. Competitive Impact Analysis
In considering a change that has a substantial effect on payment
system participants, the Board assesses whether the proposed change
would have a direct and material adverse effect on the ability of other
service providers to compete effectively with the Federal Reserve Banks
in providing similar services and if such effects are due to legal
differences or due to a dominant market position deriving from such
legal differences.
The Federal Reserve Banks compete in providing ACH services to
depository institutions with private-sector ACH operators. The intent
of the proposed third-party access policy is to ensure the integrity of
the ACH system. The proposed policy would apply equally to institutions
using Federal Reserve Bank ACH services and to institutions that use
the services of private ACH operators that transmit ACH transactions to
the Federal Reserve Banks on their behalf. Therefore, the Board
believes that although the proposal would impose requirements on
private ACH operators, those requirements would not be any greater than
the additional requirements the Federal Reserve would be placing on
itself.
V. Request for Comments
The Board requests comments on all aspects of this proposal. The
Board specifically requests comments on the following questions:
A. Current Arrangements and Controls
1. Under what types of arrangements do third parties initiate or
transmit ACH credit transactions to the Federal Reserve Banks or
private-sector ACH operators on behalf of depository institutions?
2. What are the unique risk characteristics of third-party
processing arrangements and correspondent settlement arrangements that
concern the institutions, service providers, and private ACH operators
participating in such arrangements? Are the risks in these arrangements
expected to increase in the future?
3. What controls are currently in place that permit institutions to
control their risk in ACH third-party processing arrangements and
correspondent settlement arrangements? Are these controls consistent
with the type of controls required in the payment system risk policy?
B. Risk Monitoring Alternatives
4. How would the requirement to make personnel available after
normal business hours affect institutions' ACH operating risk and
costs? How would it affect the quality of the ACH service? Are there
other operational issues or customer service issues associated with
either risk control alternative?
5. Would monitoring capabilities provided by the Reserve Banks and
private ACH operators or by the service providers be most effective in
achieving the objectives of controlling risk in the ACH? Should the
Board consider permitting depository institutions to select between the
two alternatives or should only one approach be adopted?
6. If only service providers were to provide monitoring
capabilities, how would the activity of originating institutions'
customers and respondent institutions that transmit ACH credit
transactions directly to a Federal Reserve Bank or a private ACH
operator be monitored?
7. What costs would be incurred by (a) private ACH operators to
expand or develop their monitoring systems to permit their users to
monitor ACH credit transactions at the customer level and (b) third-
party service providers to develop such a monitoring mechanism?
8. How do the benefits derived from improving credit controls over
access to the ACH service compare with the potential costs of
implementing the proposal and the operational risk (i.e., possible
untimely processing) that may be created by proposed controls?
9. Are there other monitoring alternatives that would be equally
effective but pose fewer operational issues and be less costly?
10. Could depository institutions, private ACH operators, and
service providers comply with the proposed policy if the final policy
were effective 18 months after adoption by the Board? Could the parties
comply within 12 months after adoption by the Board?
C. Proposed Policy Provisions
11. Do the provisions of the proposed policy address the credit
risk concerns of institutions participating in ACH third-party
processing arrangements? If not, explain your concerns and suggested
alternative controls.
12. Could the risk monitoring controls effectively control credit
risk if they were applied only to corporate customers or respondent
institutions whose financial condition was considered weak? What issues
might be raised if parties other than the responsible depository
institution had information identifying financially weak customers or
respondent institutions?
13. Should a depository institution be responsible for monitoring
the financial stability of its service providers and adopting
procedures necessary to ensure that the activities of the service
provider were controlled appropriately?
By order of the Board of Governors of the Federal Reserve
System, August 9, 1995.
William W. Wiles,
Secretary of the Board.
[FR Doc. 95-20128 Filed 8-14-95; 8:45 am]
BILLING CODE 6210-01-P
