Nacha Rules

A Participating DFI must annually conduct, or have conducted, an audit of its compliance with these Rules. A Third-Party Service Provider or a Third-Party Sender that has agreed with a Participating DFI to process Entries must annually conduct, or have conducted, an audit of its compliance with these Rules. An annual audit must be conducted under these Rule Compliance Audit Requirements no later than December 31st of each year.

Click here to order a copy of the 2023 Nacha Operating Rules and Guidelines

Requirements

This requirement to conduct an audit relates solely to compliance with these Rules and is not limited to compliance with any specific rule or group of rules. This audit obligation does not address other audit considerations with regard to a Third-Party’s ACH policies, procedures, or regulatory compliance.

For a Third-Party Service Provider, these audit requirements apply only to the functions of ACH processing that it performs on behalf of a Participating DFI or a Third-Party Sender. For a Third-Party Sender, these audit requirements apply to its performance of any obligations of an ODFI under these Rules. References within these Rules to an audit of an ODFI’s or RDFI’s performance therefore also apply to a Third-Party Service Provider or Third-Party Sender acting in the capacities described above.

Audit & Risk Services

ACH Audit

An ACH audit of compliance with the Rules must be performed under the direction of the audit committee, audit manager, senior level officer, or independent (external) examiner or auditor of the Participating DFI, Third-Party Service Provider, or Third-Party Sender.

o   Third-Party Service Provider/ Third-Party Sender ACH Audit  Learn More

ACH Risk Assessment

A Third-Party Sender must conduct an assessment of the risk of its ACH activities and implement a risk management program on the basis of such an assessment.

o   Third-Party Service Provider/ Third-Party Sender ACH Risk Assessment Learn More