Third-Party Service Providers & Third-Party Sender
For Third-Parties in the ACH network and the financial institutions who may originate entries on their behalf, understanding and completing an ACH audit in accordance with the NACHA Operating Rules can be a challenge. At UMACHA we have the tools and expertise to help ensure you are compliant and to learn how to stay up-to-date on changes that may affect Third-Parties in the network.
For our Affiliate Members, we offer on-site audit services, similar to those that are available to our financial institution members. An UMACHA compliance staff member can come to your location and complete an ACH Audit and/or ACH Risk Assessment for you, providing a comprehensive report of findings and recommendations afterwards for you and your management team. If you or your Third-Party relationship are not already members of UMACHA, visit our membership page to learn more right now!
To help you complete your own *Third-Party Sender audit and/or risk assessment, visit our Compliance Publications page to order our Third-Party Sender ACH Audit Guide and/or Third-Party Sender Risk Assessment Guide. This tool will help you understand what provisions of Chapter 56 apply in the Third-Party Sender environment and how to properly test for compliance, along with guidance on how to mitigate Third-Party Sender Risk.
*Note: This is for Third-Party Senders only, and may not be applicable to Third-Party Service Providers, and Third-Party Payment Processors
THIRD-PARTY COMPLIANCE SERVICES
For our Affiliate members, we offer the following Compliance Services either on-site or remotely:
- Third Party Sender ACH Audit
- Third-Party Sender ACH Risk Assessment
- Third-Party Service Provider ACH Audit (includes Sending/Receiving Points)
- Third-Party Service Provider ACH Risk Assessment (includes Sending/Receiving Point)
Q: What is a Third-Party Sender?
A: According to the NACHA Operating Rules and Guidelines a Third-Party Sender is a type of Third-Party Service Provider that acts as an intermediary in Transmitting Entries between an Originator and an ODFI, including through Direct Access, and acts on behalf of an Originator or another Third-Party Sender. OR69
Q: Is there an easy way we can determine if an Originator is a Third-Party Sender?
A: Review your Originator’s files regularly. If the company name listed in the batch header is different than your Originator’s, it could indicate that they may be acting as a Third-Party Sender. Common Third Party Sender businesses include: accounting firms, apartment/condo management companies, and payroll companies. For other examples refer to the NACHA Operating Rules and Guidelines, Appendix N, ACH Transactions Involving Third-Party Senders and Other Payment Intermediaries – ACH Operations Bulletin #2-2014, page OG343.
Q: We discovered that we have a Third Party Sender, what are our next steps?
A: You will need to update your Third-Party Registration status with NACHA, and will also need to register your Third-Party Sender. You may want to update your ACH Risk Assessment, and verify that Third Party Senders are not prohibited within your ACH Policy. You need to insure that your Third-Party Sender is doing an annual ACH audit as well.
Q: How do I update our Financial Institution’s Third-Party Sender Registration status with NACHA?
A: You should have an assigned administrator at your Financial Institution for the NACHA Risk Management Portal. The administrator will need to log into the NACHA Risk Management Portal and update your Third-Party Registration status and maintain a list of all Third-Party Senders at the Financial Institution.
Q: What databases are available in the Risk Management Portal?
A: The following databases are all accessible through the Risk Management Portal:
- The Third-Party Sender Registration Database
- The Direct Access Registration Database
- The Terminated Originator Database (TOD)
- The Emergency Financial Institution Contact Database
A: No. Each financial institution must register only once in the Risk Management Portal. All databases are available from a single login within the Risk Management Portal.
A: Each financial institution will select their primary RTN at registration and this number will remain associated with the financial institution for all applications within the RiskManagement Portal.
A: Only register the TPS Company ID of the Third-Party Sender and not the company names and IDs of every Originator. The NACHA Operating Rules do not require the Company ID for every Originator associated with the Third-Party Sender.
A: The Portal allows for one administrator from each organization and up to four additional users. The administrator will create an account within the Risk Management Portal and assign users access.
Q: My ODFI has already registered as not having a Direct Access relationship. Do we need to register again?
A: Yes. Each ODFI must reregister their Direct Access status. Each ODFI will attest to its Third-Party Sender customer status and Direct Access customer status during the initial registration. The status of each registration can be changed at any time within the RiskManagement Portal. Once registered, you can print proof of registration for your Risk/ACH audit.
Q: How can I find my ODFI’s registration confirmation?
A: A registration confirmation is now available from the ODFI Management page in the portal. This one page printable document provides the date the financial institution registered, the current Direct Access Registration and Third-Party Sender Registration status, and the current number of registered Third-Party Sender customers and Direct Access relationships.
The Third-Party Sender Registration rule will require Originating Depository Financial Institutions (ODFIs) to identify and register their Third-Party Sender customers. The registration process will promote consistent customer due diligence among all ODFIs, and serve as a tool to support NACHA’s continuing efforts to maintain ACH Network quality. ODFIs will be required to complete their registrations through the Third-Party Sender Registration Database, which can be accessed through NACHA's Risk Management Portal on NACHA’s website.
Registrations can be completed through either an individual TPS upload or bulk TPS upload process. The individual upload process allows for quick registration, editing and deactivating of individual TPS relationships, while the bulk upload (available in XML, Excel, and CSV) allows for registering, editing, deactivating, and maintaining groups of TPS relationships.
The Third-Party Sender Registration Rule requires all ODFIs to either register their Third-Party Sender (TPS) relationships or state that they do not have any.