Payments Insider 1st Quarter 2024
The inside scoop on payments for businesses of all sizes.
As an Originator of ACH entries, it is important to stay current with the ACH Rules, including how updates and changes might impact your business. Get up to speed on these revisions and how they will affect your organization by downloading the 2024 ACH Rules Update for Corporate Originators and Third-Party Senders. If you have any questions about how these changes may pertain to your existing Origination activities, contact Midland’s Treasury Support team at 1-855-696-4352, Option 7.
Fraud attempts with ACH, wire and presumably FedNow®/RTP® payments often occur when a member of an organization falls for a scam impersonating an employee, HR official or vendor. Whether it be through a fraudulent email or some other means of digital communication, businesses like yours are losing funds every single day.
Fraudsters are constantly searching for their next victim, and while steps can be put in place to mitigate certain attacks such as adding tough layers of security to online platforms to prevent account takeover or keystroke logging malware, fraudsters have moved on to coercing the users of those online platforms to willingly give up their credentials or send fraudulent payments on their behalf.
Nacha is currently in the process of implementing new ACH Rules to help reduce credit-push type fraud seen on their network. And, while online attacks from fraudsters are not new, most financial institutions have implemented new systems, more detailed procedures and more interrogative callback processes while having the most commercially reasonable security protections on their online platforms. Although these security measures are certainly helpful, it’s still very common for those who use email as their primary form of communication to fall for impersonation scams asking for login credentials or requesting the individual to send a fraudulent payment.
Regardless of the kind of payments your organization sends, there is always a chance you could fall victim to fraud. Most ACH Originators send payroll credits or utility debits to the same individuals repeatedly, while most businesses send the same ACH or wire payments to the same vendors or suppliers. To make things efficient and reduce errors, many reuse templates on online platforms or have a fixed list that helps generate an ACH file reusing the same account information. Sound familiar? If so, this could become an issue if the account information suddenly changes.
If the payment you’re sending is to a new account, a more elaborate set of procedures should be performed by your organization before forwarding that payment to your financial institution. The checklist below can assist your organization in confirming the legitimacy of the payment information before any funds are transmitted.
|
Yes/No |
Questions to Ask Before Sending |
|
|
Has due diligence been performed on the Receiver/Beneficiary? |
|
|
Did you verify the identity of the Receiver/Beneficiary? |
|
|
Do you know the beneficial owner(s) or any relevant company official to verify the legitimacy of the Receiver/ Beneficiary? |
|
|
Did you perform secondary communication with Receiver/ Beneficiary to verify instructions? |
|
|
Did you verify with another employee of the commercial Receiver/Beneficiary? |
|
|
Was an invoice received legitimately and then verified with secondary communication? |
|
|
If recurring Receiver/Beneficiary, were they contacted as to why account information has changed? |
|
|
For recurring Receiver/Beneficiary, did you verify with known contact about changed info? |
|
|
Any contact with the Receiving or Beneficiary financial institution about newer account info? |
|
|
Is this payment within the normal scope of operations? |
|
|
Are you convinced this is a legitimate payment and won’t take a loss for it? |
|
|
Is upper management aware of this account change? |
If the majority of checkmarks are missing from a list like the above, then really question the risk of sending a payment to the new account. It’s better to ask questions first than act hastily and regret the decision later.
The key to mitigating fraud is to think and perform more procedures regarding payment requests to brand new account information or new clientele. The more thorough you are, and the more serious you take verifying the legitimacy of account information, the better off your organization will be.
With a new year comes new changes, and an important change came from the Financial Crimes Enforcement Network (FinCEN). FinCEN’s purpose is to safeguard the financial system by identifying individuals involved in tax evasion, money laundering and even terrorist financing. FinCEN’s most recent requirements largely impact small businesses by requiring them to file and report Beneficial Ownership Information (BOI). The final ruling which implements the BOI filing and reporting requirements was released in September 2022. However, FinCEN needed time to develop a filing and reporting platform, which is why small businesses are just now being asked to file and report BOI directly to FinCEN. Let’s discuss the requirements for reporting, timelines in which you must file and possible repercussions if you do not file.
Reporting companies are divided into two categories, domestic and foreign:
To put this more plainly, an entity is a corporation or limited liability company registered to do business in the United States under state, local, tribal or federal law.
The reporting company, domestic or foreign, is required to identify itself and report specific information for each beneficial owner. The four pieces of information required include the beneficial owner’s name, birthdate, address and unique identifying number and issuing jurisdiction from an acceptable identification document. Essentially, a U.S. driver’s license would suffice for the identification document.
Regarding who is considered a beneficial owner, one form of beneficial ownership is someone who exercises substantial control over the reporting company. Another form would be someone who owns or controls at least 25% of the reporting company’s ownership interests. You’ll be able to find examples of substantial control and other frequently asked questions in the link provided at the end of the article.
Reporting companies will need to visit boiefiling.fincen.gov to file their beneficial ownership information through FinCEN’s portal. There are specific timeframes as to when a reporting company is created to when they need to file. For any reporting companies established before January 1, 2024, they will be required to file with FinCEN by January 1, 2025. However, for reporting companies established between January 1, 2024, and January 1, 2025, they will need to file within 90 days. This 90-day clock will begin when the company receives notice of its company creation or registration being effective, or after a secretary of state provides public notice of a company’s creation or registration, whichever is earliest. For reporting companies established after January 1, 2025, there will be a 30-day timeframe to file. The 30-day clock also begins after a company receives notice of its creation or registration or after a secretary of state provides public notice of a company’s creation or registration, whichever is earliest.
Like many areas of compliance, there are consequences for not filing or updating beneficial ownership information timely. Violations of beneficial ownership information reporting could result in civil penalties of up to $500 for each day the violation continues, and any beneficial owner could also be subject to criminal penalties of up to two years imprisonment and a fine of up to $10,000. It’s important to note that both individuals and corporate entities can be held liable for willful violations.
After filing, you will simply want to periodically ensure that your entity’s beneficial ownership information has not changed, and if it does you need to update the information within the timeframes found in FinCEN’s frequently asked questions. If you have any questions, visit fincen.gov/boi.
The ACH Rules require Third-Party Service Providers (TPSPs), which include Third-Party Senders (TPS), to perform an annual ACH compliance audit. The number of TPSP/TPS audits performed by EPCOR continues to trend upward year after year, and have included a wide range of organizations, including payroll servicers, healthcare payment providers, bill pay providers, banking platform providers and various other types of payment intermediaries. Across the spectrum of TPSPs that EPCOR audits, there are several audit findings that our team frequently sees during those engagements. Let’s talk about the more common and significant audit issues we observed during 2023, along with the suggestions for remediation.
In 2023 EPCOR continued to perform many first-year ACH audits for TPSPs and TPSs. It is anticipated that this trend will continue, as more entities become aware of, and subject to, these ACH Rules requirements, and as more payment intermediaries enter the ACH Network. What we are seeing, fortunately, is that once TPSPs and TPSs become aware of the ACH audit requirement, they are prudent to ensure the audits are continually performed annually. Third parties are being reminded to not only perform the audit annually but to maintain documentation of those audits for six years as required by the ACH Rules. See ACH Rules, Subsection 1.2.2, Audits of Rules Compliance for more information.
Last year EPCOR also performed a record number of TPS ACH Risk Assessments. Most assuredly, that increase in the volume of TPS ACH Risk Assessment engagements is due to audit findings in prior years, which have contributed to the awareness of the ACH Rules requirement. However, not conducting a Risk Assessment continues to be a common issue, and will be until this Rule, which went into effect on September 30, 2022, is communicated more broadly throughout the Network. This Rule is found in Subsection 1.2.4, Risk Assessments. Please note that the requirement for an ACH Risk Assessment does not apply to all TPSPs, but only those who participate as TPSs.
Deficiencies in the ACH Risk Management Program continue to be significant audit findings for TPSs. This requirement derives from two areas of the ACH Rules, Subsection 1.2.4, which stipulates that the ACH Risk Assessment be used as the basis for an ACH Risk Management Program, and Subsection 2.2.3, ODFI Risk Management (which also applies to TPSs). The latter Rule requires the TPS to perform due diligence on each Originator (and Nested TPS), to assess the nature of the Originator or Nested TPS’s ACH activity, implement and enforce exposure limits for each Originator or Nested TPS and monitor ACH return activity. This can be a tall order, especially for TPS personnel who don’t consider themselves bankers, and we often find deficiencies in this area. Missing items include a lack of appropriate ACH-related policies, procedures and controls, failure to establish exposure limits for individual Originators, periodic assessments of individual Originator’s ACH EPCOR • PAYMENTS INSIDER | First Quarter 2024 3 activity and insufficient reporting of ACH volumes, returns and losses. There is no defined formula or methodology for an ACH Risk Management Program. TPSs should structure the program based on its business model, ACH use cases, specifically identified ACH risks and their clientele. However, some key components should include: 1) a thorough know-your-customer (KYC) and onboarding due diligence process, (2) Risk Assessments of individual Originator/Nested TPS ACH activity and (3) establishment of monitoring and reporting systems.
Another common audit finding relates to noncompliance with or omissions from some of the provisions required under Subsection 2.2.2.2, ODFI Must Enter Origination Agreement with TPS. Items (h) and (i) under this section require TPSs to execute ACH Origination Agreements with each Originator, or Nested TPS, that closely resemble the agreements ODFIs execute with Originators. We find that all TPSs have contractual agreements, or detailed Terms & Conditions, with their client Originators but many times the agreements fail to include the specific, minimum ACH provisions found in Subsection 2.2.2.1(a – f) of the ACH Rules. In response to reasonable resistance from many TPSs regarding complete overhaul and repapering of agreements with all originating clients, EPCOR often recommends TPSs create an “ACH Addendum” that can be added to their existing agreements without a complete repapering project.
For TPSs originating ACH consumer debit entries, EPCOR is repeatedly discovering issues related to reinitiated entries. The three biggest errors related to “Retry Payments” are improper use, inadequate disclosure (on the ACH authorization) and improper formatting. The Rules for reinitiated entries, found in Subsection 2.13.4, dictate that an entry can only be reinitiated a) when the original entry was returned for nonsufficient funds (NSF), b) after a stop payment return and with separate subsequent authorization or other corrective action to remedy the return. Also, an entry can be reinitiated a maximum of two times. As for formatting, “RETRY PYMT” is required to be in the company entry description field of the batch header record. We often find reinitiated entries transmitted more than two times or without the proper file formatting. Another exception we have noted is the use of a reinitiated entry after the receipt of an unauthorized entry.
Yet another audit finding that seems to be on the increase relates to micro entries. As the volume of micro entries increases, so too seems to be errors with their use. Common errors found with micro entries are a) entries greater than $1.00, b) debit entries that exceed the dollar amount of corresponding credit entries and c) improper formatting. Per Section 2.7 of the ACH Rules, micro entries must be less than $1.00, and the debit(s) may not exceed the credit(s). Also, similar to reinitiated entries, micro entries require specific formatting in the company entry description field of the batch header record (“ACCTVERIFY”). Finally, we sometimes find that micro entries are not properly or sufficiently disclosed on ACH authorizations. The disclosure is more of an Originator responsibility, but TPSs sometimes facilitate and/or utilize micro entries on behalf of their origination clients, so the TPS needs to ensure their proper use.
Above are some of the frequent audit issues found by EPCOR during its audits of TPSs and TPSPs in 2023. But of course, those don’t represent all issues found. Other audit findings for TPSs from 2023 include failure to establish Originator exposure limits, failure to communicate NOCs to Originators in a timely manner, incorrect assignment of Standard Entry Class (SEC) Codes, insufficient authorization language and a lack of monitoring of Originator return rates. If you’re a TPS or TPSP and have any questions or concerns, your financial institution is there to help! Reach out and they would be more than happy to assist you with any issue. EPCOR’s team of experts is also available to assist with any payments items or issues on your list. Reach out to advisoryservices@epcor.org for more information.
Limited resources often force small business owners to take on seemingly endless responsibilities, including administrative tasks and financial management, that have little to do with growing the core business. Cash flow management typically is the most critical of these responsibilities. Cash flow complications are one of the top reasons small businesses fail—and the most vexing.
These problems can arise in myriad ways— unpaid invoices, slow payment methods, elongated payment terms, etc.—but the result is a lack of liquidity that can leave entrepreneurs struggling with key business operations such as maintaining inventory, paying bills, repaying loans or making critical repairs.
Thankfully, instant payments offer small business owners a remedy that can address many common cash flow management impediments. Here’s how.
Traditional payment systems have clearing and settling times varying from two to five days, which delays a payment’s settlement and the transaction’s reflection in the business’s financial records and ability to use their cash. Even electronic payments can take numerous days to clear, especially over weekends and bank holidays. Waiting for payments to be processed can create cash flow challenges for small businesses. Owners might face delays in receiving the proceeds from their sales, impacting their capacity to restock inventory, pay their suppliers or invest their funds.
Instant payments are received and settled on a 24/7 basis, with a business owner having immediate access to cash from the payment. A confirmation of funds is provided, and the funds cannot be recalled, giving small to medium-sized businesses (SMBs) peace of mind and real-time insight into their finances. Owners can then make informed decisions and manage liquidity effectively because they know precisely how much capital they have access to at a given moment. In fact, according to a recent study by PYMNTS, over half of surveyed companies cited better cash flow management as a benefit of instant payments.
With instant payments, SMBs are in a stronger position to maintain inventory levels and seize growth opportunities on a tight schedule. Small businesses can receive payments from customers promptly and settle bills with suppliers without the need to wait for traditional banking hours. This is crucial for day-to-day operations, especially when payment delays can disrupt client and supplier relationships.
With payroll being a core business expense, businesses typically need to plan and transfer funds in advance to cover payroll expenses on payday. With instant payments for payroll, small businesses can eliminate the need to pre-fund their payroll days in advance. Employers can fund their payroll with their payroll provider on the actual pay date, preventing delays and potential credit extensions.
Earned Wage Access (EWA) is a growing employer benefit providing employees access to a portion of their earned wages before the regular payday. This new way of being paid can be especially helpful for employees facing financial emergencies or unexpected expenses. The benefit is shown to improve employee satisfaction, productivity and retention, with one study finding that EWA improved employee tenure rates by 63%.
More than half of small business suppliers would prefer to receive payments through faster channels. Instant payments result in quicker access to funds from customer purchases and supplier credits. Paying promptly is beneficial when negotiating discounts with suppliers for early payments.
Processing customer refunds or reimbursements through traditional methods can be time-consuming and costly. Small businesses can promptly reimburse customers for returns or resolve issues by leveraging instant payments. Quicker returns processing boosts customer satisfaction, building trust and loyalty.
This new way to pay has many benefits for SMBs. Instant payments provide real-time confirmation, which reduces the amount of time a business owner needs to spend on bookkeeping. Every minute a small business owner spends on bookkeeping, they’re not focusing on growth and marketing opportunities that could help their business flourish. Those owners adopting instant payments are less likely to chase late invoices and play cash flow jenga and can spend more time strategizing and strengthening their core business.
Some business owners already have access to make an instant payment via their small business banking portal, and we encourage all to begin to experiment with sending an instant payment. It can be for an emergency payment or your everyday supplier payments to get familiar with the instant payment process as a business owner. The immediate payment confirmation, no recall/irrevocable, 24/7 availability and messaging capabilities provide business owners with the peace of mind that their payment was received.
If you’re interested in faster payments, reach out to Midland States Bank.
EPCOR is a not-for-profit payments association which provides payments expertise through education, advice and member representation. EPCOR assists banks, credit unions, thrifts and affiliated organizations in maintaining compliance, reducing risk and enhancing the overall operational efficiency of the payment systems. Through our affiliation with industry partners and other associations, EPCOR fosters and promotes improvement of the payments systems which are in the best interest of our members. For more information on EPCOR, visit www.epcor.org.
Our team of dedicated professionals are here to support you.
