Third Party Senders: Registration, Certification, Audits, and Risk Assessments (Oh my!)

By Sean Carter AAP, APRP, NCP posted 08-03-2017 14:50


The ACH Network and the ODFIs representing them, receive great benefit from Third-Party Senders as it relates to volumes.  There are unique risks associated with processing for Third-Party Senders, which draws the attention of regulators and the internal audit and risk teams at the ODFIs. 

Over time, an apprehension has developed in regards to how Third-Party Senders are viewed in the payments industry.  The negative views stem from some publicized issues related to Third -Party Senders. The losses and risks associated with the bad activity have stained an entire industry.  A lack of understanding or the inability to apply knowledge can often be the reason of such stereotyping. Such behaviors can be overcome by providing clarity to FIs that either deal with Third -Party Senders or are looking to provide services for Third-Party Senders. 

This post is designed to provide clarity about things people may have heard but not fully understand. Trade presses and regulators throw out terms like Audit, Risk Assessment, Registration, and Certification but don’t do enough to describe the intent and what is actually required of FIs.  The following is an attempt to shed light on these 4 important yet different topics.

Firstly, I will clear up the issues about Third-Party Sender Audits.  The NACHA Operating Rules require all Third-Party Senders to conduct an annual audit, which is to be completed by December 31st each year.  The rules are clear that this audit can be performed internally or externally.  The Rules don’t address if an ODFI should request a copy of the audit or not.  The industry norm, however, is that the ODFI at least receive certification of the audit each year.  ODFIs may want to consider not only a certification but to review the scope of the audit in order to measure whether the audit has met the requirement. Incomplete audits or failure to do an audit by a Third-Party Sender could lead to a fine for the ODFI.  Yes, it is true, NACHA does have the power and requests copies of audits from time to time, which also includes requests for the ODFI to provide the audit for their Third-Party Sender.

Next is the issue of risk assessments.  The NACHA Operating Rules pass obligations and warranties of the ODFI to the Third- Party Sender, which include the requirement for a risk assessment. You may think the rules for the audit is ambiguous but even less direction is provided for what should or shouldn’t be included in a risk assessment.  The Rule simply states that a risk assessment of the ACH activity must be conducted, which should lead to creation or updating of a risk management program.  ODFIs, as a best practice, will do a risk assessment of each client on an annual basis; including Third-Party senders.  This may meet the obligation; may being the key word.  It is true the risk assessment can be performed by an outside party but the components of the risk assessment matter significantly.  If an ODFI is simply assessing the credit risk of the Third -Party Sender, then this will not be a complete assessment. If an ODFI is assessing the controls around security, operations, due diligence of new clients, and contingency planning along with the credit review, then it will be a complete assessment. 

For both the audit and risk assessment, it is incumbent upon the ODFI to notify the Third-Party Sender of the requirements under the NACHA Rules.  The audit is an annual requirement and the risk assessment will depend on the nature of the Third- Party Sender’s business.  The ODFI can accomplish this task in any manner they accept as appropriate.  This should be a defined process with written procedures.  The ODFI may also impose greater requirements on their client than the requirements of the NACHA Rules.   To meet this requirement, the ODFI needs to know which of their clients are Third Party Senders and this leads to the registration requirement.

Effective from September 27, 2017, all ODFIs will have to register with NACHA and disclose whether they have Third -Party Senders or not.  ODFIs dealing with Third Party Senders must register their Third-Party Senders with NACHA.   For more information on this process, please review a recent post on by Elizabeth Grayeck of New Egland Automated Clearing House (NEACH). She attended a seminar from NACHA on how the process will work.  If you are looking for more information on this topic, you can browse our education listings on and register for a replay of the New Rules seminar, which covered the topic in detail.  Registration is a mandatory process for the ODFI but not the Third- Party Sender, unlike Certification.

Lastly, we discuss Third-Party Sender Certification. Certification is not a requirement. NACHA launched this program at their Annual Payments Conference in April.  This program is voluntary and simply allows Third-Party Senders to go through a vetting process with NACHA; leading to a defacto seal of approval.   The review is conducted by NACHA staff and is based on requested documents provided by the Third-Sender.  This review is broader than NACHA Rule compliance.  Let me know if you have any interest in learning more about this service.

Remember that Audits and Risk Assessments are required and the ODFI needs to inform their clients about it.  The ODFI also needs to figure out if they want to ensure the clients are meeting the requirement.  Registration is mandatory for all ODFIs but only those with Third- Party Senders have to comply with Third- Party Senders Registration.  Lastly, Certification is a voluntary program run by NACHA.

On a concluding note, there is a fee for Certification but not for Third- Party Senders Registration.   You can also call NEACH or work with other members through the social websites if you need further clarification.