Risk Management

Question 1

What is compliance risk?

Answer 1

Risk that occurs when a party to a transaction fails to comply, either knowingly or inadvertently, with payment system rules, policies, regulations, and applicable U.S. and state law.

Question 2

What is credit risk?

Answer 2

Risk that a party to a transaction will not be able to provide the necessary funds, as contracted for settlement to take place.

Question 3

What is cross-channel risk?

Answer 3

Risk that occurs when the movement of fraudulent or illegal payment transactions from one payments channel to another is met with inconsistent risk management practices and lack of information sharing across payment channels about fraud.

Question 4

What is Direct Access risk?

Answer 4

Risk specific to the ACH Network that occurs when an Originator or third party transmits Files (transactions) directly to an ACH Operator using a financial institution’s routing and transit number and settlement account.

Question 5

What is fraud risk?

Answer 5

Risk that occurs when a payment transaction is initiated or altered by any party to the transaction in an attempt to misdirect or misappropriate funds with fraudulent intent.

Question 6

What is operational risk?

Answer 6

Risk that occurs when a transaction is altered or delayed due to an unintentional error.

Question 7

What is reputation risk?

Answer 7

Risk that occurs when negative publicity regarding an organization’s business practices leads to a loss of revenue or results in litigation.

Question 8

What is systemic risk?

Answer 8

Risk that occurs when one funds transfer system participant is unable to settle its commitments causing other participants to be unable to settle their commitments.

Question 9

What is third-party risk?

Answer 9

Risk that occurs when Organizations rely on outside parties to perform services on their behalf and experience inferior performance by the third party or manage the relationship poorly.

Question 10

All financial institutions participating in the ACH Network must provide information to reach their ACH operations department and ACH risk/fraud department where?

Answer 10

ACH Contact Registry in the Nacha Risk Management Portal

Question 11

ODFIs must complete this database registration if they any of their Originators, Third-Party Service Providers, or Third-Party Senders Transmit Files directly to an ACH Operator.

Answer 11

Direct Access Registration Database

Question 12

ODFIs must complete this database registration if have an agreement with a type of Third-Party Service Provider but do not have an Origination Agreement with the TPSP’s Originators.

Answer 12

Third-Party Sender Registration Database

Question 13

What are administrative controls?

Answer 13

Procedures and practices used to manage risk, ensure compliance, and safeguard sensitive data.

Question 14

What is excused delay?

Answer 14

Permissible delay by a Participating DFI or ACH Operator in the performance of its obligations under the Rules beyond the required time limits provided the delay was:
1. Caused by the interruption of communication or computer facilities; and
2. Beyond the reasonable control of the Participating DFI or ACH Operator

Question 15

What is a contingency plan?

Answer 15

Steps taken to prepare for, respond to, and recover from disruptions to operations.

Question 16

What is the deadline to report a possible ACH Rules violation?

Answer 16

Within 90 days of the occurrence

Question 17

What is the length of time a financial institution has to respond to a written request from Nacha regarding an Originator’s or TPS’s Unauthorized Entry Return Rate?

Answer 17

10 Banking Days

Question 18

Who must conduct an ACH risk assessment?

Answer 18

Participating DFIs and TPSs

Question 19

What are four components of multifactor authentication?

Answer 19

1. Something the Receiver knows (ie: password)
2. Something the Receiver has (ie: computer)
3. Something the Receiver is (ie: voice or fingerprint)
4. Some place the Receiver is (ie: geolocation)

Question 20

What is multifactor authentication?

Answer 20

Use of 2 or more factors to determine a Receiver’s identity

Question 21

Who must protect the confidentiality and integrity of Protected Information until its destruction?

Answer 21

1. Non-Consumer Originators
2. Participating DFIs
3. Third-Party Service Providers
4. Third-Party Senders

Question 22

What criteria must non-consumer Originators (who are not Participating DFIs), TPSPs, or TPSs meet to be required to render DFI account numbers unreadable when stored electronically?

Answer 22

Their volume exceeds 2 million Entries annually

Question 23

Banking information related to an Entry that is Transmitted via an Unsecured Electronic Network must be protected how?

Answer 23

Either encrypted or via a secure session

Question 24

What types of transmissions are not subject to the rule regarding Entries Transmitted via an Unsecured Electronic Network?

Answer 24

Transmissions by means of voice or keypad inputs from a wireline or wireless telephone to a live operator or voice response unit (VRU).

Question 25

What is considered banking information that must be protected as related to Entries Transmitted via an Unsecured Electronic Network?

Answer 25

Routing numbers, account numbers, PINs, or other identification symbols in an Entry

Question 26

Originators of debit WEB transactions MUST establish and implement what type of detection system?

Answer 26

Fraudulent transaction detection system

Question 27

At a minimum, what does an Originator of debit WEB Entries need to validate?

Answer 27

The account number to be debited MUST be validated for the first use and when any subsequent changes are made to the account being debited.

Question 28

An ODFI MUST enter into what with each Originator or Third-Party Sender?

Answer 28

Origination Agreement

Question 29

An ODFI MUST establish, implement, and periodically review this for each Originator or Third-Party Sender.

Answer 29

Exposure limits

Question 30

An ODFI MUST monitor what across multiple Settlement Dates?

Answer 30

An Originator’s or Third-Party Sender’s origination and Return activity

Question 31

Who must approve an ODFI’s Direct Access Debit Participants?

Answer 31

The ODFI’s board of directors or board designees

Question 32

An ODFI may terminate or suspend an Origination Agreement within how many days notice if an Originator or Third-Party Sender breaches or causes the ODFI to breach the Rules?

Answer 32

10 Banking Days
(or less if stipulated in the Origination Agreement)

Question 33

Between the ODFI and Gateway, who bears the risk that the laws of the receiving country prohibit the processing, settlement, or transfer of the proceeds of an IAT Entry?

Answer 33

ODFI

Question 34

The lack of an Origination Agreement between an Originator and ODFI increases what type of risk for the ODFI if the Originator is unable to provide funds for settlement?

Answer 34

Credit

Question 35

What are five things an ODFI MUST do as part of their Originator or TPS risk management due diligence?

Answer 35

1. Assess the nature of the Originator’s or TPS’s activity and the risk it presents
2. Establish, implement, and periodically review exposure limits
3. Establish and implement procedures to monitor origination and Return activity across multiple days
4. Enforce restrictions on types of Entries that can be originated
5. Enforce exposure limits

Question 36

List three controls to help mitigate Direct Access risk.

Answer 36

1. Underwriting
2. Management
3. Monitoring

Question 37

Who is subject to the same risk assessment criteria as its ODFI?

Answer 37

A Third-Party Sender

Question 38

List six requirements that should be part of a Third-Party Sender’s risk management practice.

Answer 38

1. Perform customer due diligence
2. Set and enforce customer limits
3. Audit and test Originator authorization processes
4. Monitor forward and Return transaction volumes, dollars, and rates
5. Establish data security policies, procedures, and systems with access controls
6. Establish SEC Code specific risk management requirements

Question 39

Reviewing an Originator’s business licenses, financial statements, and ACH processing experience during the on-boarding process are examples of what?

Answer 39

Customer due diligence

Question 40

For high-risk Originators, requiring additional documentation, setting transaction limits, and implementing more frequent monitoring are examples of what type of strategy?

Answer 40

Risk mitigation strategy

Question 41

How does the concept of risk management apply to ODFIs for ongoing due diligence of Originators?

Answer 41

Nacha Rules require Originating Depository Financial Institutions (ODFIs) to have a risk management program that should encompass ongoing monitoring of ACH participants, including Originators. This monitoring helps identify and mitigate potential risks associated with an Originator’s activities.

Question 42

What risk is associated with early posting of credits?

Answer 42

Credit risk

Question 43

Who assumes the risk associated with the early posting of credits?

Answer 43

Credit risk is assumed by the ODFI

Question 44

Segregation of duties, transaction monitoring, and account reconciliation are examples of what types of control?

Answer 44

Internal controls

Question 45

Policies, procedures, and risk assessments assist in controlling what type of risk?

Answer 45

Compliance risk

Question 46

What is the level and degree of risk an Organization is willing to assume to meet its strategic goals called?

Answer 46

Risk appetite

Question 47

What is the acceptable level of variance relative to achieving a specific objective called?

Answer 47

Risk tolerance

Question 48

This should be conducted periodically and be designed to review risks associated with an Organization’s ACH program.

Answer 48

ACH risk assessment

Question 49

The Rules allow an ODFI to suspend or terminte an Origination Agreement with an Originator or Third-Party Sender if they breaches the rules or causes the ODFI to breach the rules within how many days notice?

Answer 49

10 Banking Days notice
(or shorter if stipulated in the Origination Agreement)

Question 50

This is a group of employees who are assigned the responsibility of monitoring ACH operations and related maintenance tasks.

Answer 50

ACH operational control group

Question 51

What is the goal of a disaster recovery or contingency plan?

Answer 51

To resume business as quickly and fully as possible