July 2010 - Volume 5, Issue 68

Living with IAT
Whose Responsibility Is It, Anyway?

by Lori Moore, Director of Compliance, ATTUS Technologies Inc.

“The buck stops here.”  President Harry Truman’s famous quote and desk sign reminded everyone, including himself, that he was the end of the line; he had the ultimate responsibility for decisions impacting the United States. Where does the buck stop in complying with NACHA’s fairly recent rules on International ACH transactions (IATs)? Is it with the originating party that initiates the ACH? Or is it further down the line with either of the Depository Financial Institutions (DFIs), the ACH Operators, Gateway Operators (GOs) or the receiver? The truth is each of those parties has responsibility and no one has the luxury of passing the buck. Although the transition to living with NACHA’s IAT rules has been reasonably smooth, this is the one aspect that has caused considerable confusion, and therefore risky non-compliance, especially among corporate originators and Originating Depository Financial Institutions (ODFIs). It’s time to set the record straight.     

Back to the Beginning
Prior to September 18th, 2009, no one had to worry about IATs. International ACHs were blended in with domestic ACHs, which was exactly the problem. The Office of Foreign Assets Control (OFAC) was concerned that this blending provided a cover for sanctioned sources to move or launder money through the U.S. financial system. Even though “all parties to an ACH transaction are subject to the requirements of OFAC,” [1] blending international ACHs with domestic ones raised the possibility that proper identification of the involved parties and subsequent OFAC screening were inadequate. To combat this concern, NACHA introduced the new rules for IATs, which require mandatory compliance with the following as of September 18, 2009:

  • Use of the new Standard Entry Class (SEC) code for international ACH transactions – IAT
  • Completion of the new IAT payment format that captures key additional information
  • OFAC Scanning of all IATs 

A Symbiotic Relationship
It is a simple enough transaction. A corporate originator uses ACH transactions to conduct certain aspects of its business because of their ease and affordability. This originator contracts with a financial institution to forward its ACH transactions into the national ACH network as its ODFI. Each party in this transaction is dependent on the other to hold up its end of the bargain. If one or the other fails to do so, both parties are at risk. With IATs, the lines of responsibility are not clearly separated and sometimes overlap, which causes confusion. Until both parties better understand their own responsibilities as well as their counterparts’, neither can be certain they are fully complying with NACHA’s IAT Rules.

The Originator Isn’t Just Responsible for Originating
Corporate or business entities that use ACH transactions have several obligations with regard to OFAC, including NACHA’s IAT Rules, besides simply originating their business transactions. First and foremost is knowing that they are obligated to comply with the OFAC sanctions, and second is knowing when and how to follow them. A corporation’s financial institution can and should provide assistance, but ultimately the corporation is responsible for its compliance as follows:

1. Recognizing when it is subject to the IAT rules: NACHA has supplied four questions [2] for making this determination. A yes to any of these should initiate a discussion about IAT compliance with the corporation’s financial institution.

  • Is your company a subsidiary of a multi-national company?
  • Does your company…
    • Have foreign subsidiaries?
    • Buy or sell to organizations/individuals outside the territorial jurisdiction of the U.S.?
    • Send payroll, pension or benefit payments via the ACH Network to individuals that have permanent resident addresses outside the territorial jurisdiction of the U.S.?

2. Understanding what an IAT is: It’s impossible to follow the rules without knowing what an IAT is. “The IAT rule defines an International ACH Transaction as an ACH entry that is part of a payment transaction involving a financial agency’s office that is not located in the territorial jurisdiction of the United States.” [3] The location of the originator or receiver is irrelevant except when it relates to the location of any of the financial institutions involved.

3. Knowing employees, customers and vendors: When a corporate originator contracts with a financial institution to be its ODFI for ACH transactions, the ODFI provides an upstream warranty stating that transactions will be formatted properly and relevant compliance requirements will be fulfilled. However, this does not exempt the corporation from responsibility. Corporate originators are also bound by OFAC requirements and NACHA's IAT rules. Through a legal agreement, the ODFI and originator should define the responsibility and liability of each party.  It is assumed that the corporation is in a better position to know its employees, customers and vendors and the potential risk that they pose, more so than the ODFI. Sharing that information with the ODFI can help both parties adequately assess the risk to ensure proper steps are taken to avoid violations. 

4. Knowing the ODFI: An open relationship between the corporation and the ODFI is extremely important. Although originators are required to identify and scan IATs, the ODFI is obligated to scan again. If a potential match is found during this scan, the transaction may not be processed.  Therefore, not only does the corporation need to know how the ODFI scans batches of transactions but how quickly they can separate potential OFAC matches from the rest and continue processing the clean IATs without unnecessary disruption. 

5. Properly formatting the cross-border payments: The corporate originator is the start of the line, so the accuracy of the ACH file format starts there. According to EastPay, a regional payments association, in addition to failure to identify IATs, the biggest mistake that corporate originators make is incorrectly populating the payment format or using the default, instead of transaction-specific, language. NACHA’s website offers complete details on proper formatting in its IAT Corporate Practitioners Executive Summary.

The Dual Responsibility of ODFIs
With IATs, ODFIs have the dual responsibility of meeting their customers’ expectations while maintaining regulatory compliance.   This requires a well thought-out strategy, including:

1. Understanding and mitigating the risk of processing IATs: The use of the ACH system to transact cross-border payments presents a higher level of risk than domestic ACH transactions. This is especially true in circumstances where accounts are opened or transactions are mainly conducted via the internet or telephone, or where a Third Party Service Provider is used. Evaluating all IAT-related risk and accounting for it in their BSA/AML risk assessment is essential in the ODFI’s strategy.

2. Building a strong relationship with corporate originators: Developing a good understanding of the details of the originator’s business as well as the types and volume of ACH transactions that they require is the basis for an effective working relationship, as well as a good risk mitigation practice. Next is educating them on the IAT Rules, including making sure they understand their own need to 1) identify IAT transactions and 2) initiate an accurate file before it is sent to the ODFI.

3. Formatting the IAT file: Regardless of the condition of the IAT file received from the originator, ODFIs are responsible for ensuring the new IAT format is properly completed before it is sent down the line to the ACH Operator. NACHA and OFAC see significant benefit in “this additional data (which) may assist banks in their OFAC, anti-money laundering, and monitoring efforts.” [4]

4. Performing the OFAC scan: Although ODFIs are accustomed to performing OFAC scanning on all types of transactions, it is important that they realize that OFAC obligations for IATs are stricter, due to the higher risk they pose. The ODFI is responsible for OFAC scanning, period. It cannot rely on another party’s scan, such as the RDFI’s. The FFIEC is quite explicit in its direction. “Due diligence for an inbound or outbound IAT may include screening the parties to a transaction, as well as reviewing the details of the payment field information for an indication of a sanctions violation, investigating the resulting hits, if any, and ultimately blocking or rejecting the transaction, as appropriate.” [5]

5. Completing the transactions for corporate originators: Whether there is one OFAC hit or twenty from a customer’s IAT batch, the customer still expects the remaining IATs to be processed without disruption. Utilizing watch list screening software that is able to accurately scan the entire batch, separate any matches from clean transactions, and then send those clean transactions through without delay is pivotal in satisfying customer expectations and meeting OFAC obligations.

6. Third-Party Service Providers: A third-party service provider (TPSP) is an entity that processes ACH entries on behalf of the Originator, the ODFI, or the RDFI. NACHA defines TPSPs and relevant subsets of TPSPs that include “Third-Party Senders” and “Sending Points” within its operating rules. The functions of these TPSPs can include, but are not limited to, the creation of ACH files on behalf of the Originator or ODFI, or acting as a sending point of an ODFI (or receiving point on behalf of an RDFI). Under a TPSP arrangement, the ODFI's BSA/AML risks are higher due to the lack of a direct relationship with the originator. Neither the TPSP nor the ODFI is in a position to conduct adequate due diligence on the companies on whose behalf they are originating. Legal agreements should clearly delineate the responsibilities for this type of arrangement. The TPSP may be tasked with the responsibility for compliance with the IAT rules.

Working in Concert to Avoid the Negative Consequences
As the one-year anniversary of the NACHA Rules approaches and the volume of IATs continues to increase, it’s clear that this will be an area of particular interest to examiners going forward. If a violation occurs, both the originator and the financial institution can be held liable.

Corporate users of IATs who assume that it will be the financial institution’s problem if an OFAC violation occurs are sadly mistaken. All U.S. corporations are required to comply with OFAC obligations, and the penalties can include jail time and fines ranging from $10,000 to $10,000,000. “If fines are levied against the financial institution they may be passed back to the corporate originator depending on the specifics of the case and the details of their contract with the financial institution.” [6] That doesn’t mean that the financial institution is off the hook either. Regulators fully expect financial institutions to educate their customers on the topic if they choose to be an ODFI.

Bad habits are hard to break. Before NACHA’s IAT rules age any further, now is the time for corporate originators and ODFIs to put their heads together to ensure both are meeting their responsibilities to the rules and to each other. This will make living with IAT much less risky and, therefore, much less costly going forward for both parties.

Sources:
[1] FFIEC BSA/AML Examination Manual, page 230, 4/29/2010
[2, 6] IAT Corporate Practitioners Executive Summary, page 1, 1/30/2009, NACHA IAT Resources (http://www.nacha.org/c/IATIndustryInformation.cfm)
[3] IAT Corporate Practitioners Executive Summary, page 3, 1/30/2009, NACHA IAT Resources (http://www.nacha.org/c/IATIndustryInformation.cfm)
[4] FFIEC BSA/AML Examination Manual, page 227, 4/29/2010
[5] FFIEC BSA/AML Examination Manual, page 231, 4/29/2010



Lori Moore is a Certified Regulatory Compliance Manager. She is currently the director of compliance for ATTUS Technologies Inc., and has more than 25 years of experience in the financial services industry. During her career, she has gained in-depth knowledge and practical experience within all areas of community banking and has served in key positions, including vice president of operations, BSA officer, compliance officer, internal auditor and vice president of risk management. Moore was also designated as the Outstanding Graduate of the Texas Bankers Association Operations School.


© 2010 ATTUS Technologies. All rights reserved.
15800 John J. Delaney Drive, Suite 250, Charlotte, NC 28277.