If we monitor ACH manually, what documentation will we be expected to provide to the examiners during an examination?

We recommend that financial institutions document basic procedures for monitoring fraud risks, focusing on simple reviews tailored to fraud trends. The compliance bar is low: complete periodic checks and update as needed.

Key Monitoring Requirements

What to review: Specify report names (e.g., ACH reports) and frequency (e.g., each ACH window or daily morning).

Who monitors: Identify the department or individuals responsible.

Sign-off process: Detail how reviewers initial or sign reports to confirm completion.

Fraud trend adaptation: Adjust monitoring based on the institution's past fraud or common industry patterns; evaluate whether the monitoring is sufficient to detect these.

Documentation Needs

Include write-ups for report items: Note if fraud was found, actions taken (e.g., for confirmed cases), and who reviewed (beyond just the signer).

Expect low detail overall: periodic reviews and changes suffice for compliance; deeper info may appear in early risk assessments tied to the FI's risk tolerance, not audits.

General Best Practices from Compliance Guides

Start with risk assessment to prioritize high-impact areas, then define policies, controls, and key performance indicators.

Use techniques like regular audits, automated tools, and self-assessments.

Document everything: test dates, results, testers, and fixes; have operations staff conduct ongoing entity-level checks.

Train staff, report to management, and improve based on findings.