The Nacha Rules require financial institutions to establish, implement, and periodically review exposure limits for their Third-Party Sender (TPS) customers and for their Originator customers. Third-Party Senders are also required to do the same for their Originator customers. The Rules require monitoring origination and return activity across multiple Settlement Dates and on the types of Entries that may be originated, and enforcement of exposure limits. 

Nacha’s Risk Management Advisory Group (RMAG) includes members from financial institutions and Payments Associations. They often hear, “We require prefunding of all credit transactions, so my credit risk is covered. Why do I have to set and monitor exposure limits too? What’s the point?” 

The short answer is that exposure limits protect the financial institution or TPS’s customers from fraud risk, operational risk, and the credit risk associated with returned debits in addition to credit risk from credit-push transactions. Exposure limits are controls which prevent anomalies from exiting the financial institution or TPS without a review and confirmation by the originating customer. Contacting the customer about an overlimit situation or other anomaly also provides a positive touchpoint that can enhance the customer experience and build on the already established trust between partners. 

Exposure limits provide an opportunity to identify:

• Larger-than-expected credits or debits that may be originated due to fraud, error, or as duplicates.
• Variances in credits and debits over multiple days that may be originated due to fraud, error, or as duplicates.
• Credits or debits using an unexpected SEC code or an SEC code that is not permitted in the customer’s origination agreement.
• Credit exposure from Returns on originated debits.

Examples:

ACH Debit Originator
Consider an Originator that collects payments via ACH debits, such as consumer bill payments, and pays vendors, suppliers and utilities using ACH credits. The Originator likely collects payments consistently with some limited variation, and regularly pays for supplies and other inputs with the same consistency. If the vendor finds itself in an account takeover situation with a fraudster, the fraudster may initiate larger credits than typical. If only prefunding is required and money is in the account, the fraudster may drain the account with large fraudulent credits leaving the financial institution before the Originator is aware. This situation would result in a large loss for the Originator and potential litigation for the financial institution or TPS from the Originator. If the outgoing payments breach an exposure limit, the FI or TPS will have an opportunity to contact the Originator before allowing the Entries to flow.

Payroll Provider Third-Party Sender
Payroll providers are TPSs that typically use CCD debits to pull from their employer customers, and use PPD credits to pay employees on expected cycles. Payroll may be weekly, biweekly, or on specific dates during the month.  An error at the TPS or by an employer customer making a request could result in a duplicate payment or an additional payment outside the typical cycle that results in an aggregate value that exceeds the set exposure limit (monitoring across multiple settlement dates). The employer customer may have enough money in their account to cover these payments, but the error could be caught by the exposure limit. There are situations like employee bonuses where a variance from the regular payroll breaches the exposure limits. Most TPSs and FIs report that their customers quickly approve the special items and appreciate the additional control mechanism. 

Protect the ACH Network
Prefunding protects the financial institution or TPS from the risk that their customer may not be able to fulfill their credit commitment when an ACH credit is submitted. Exposure limits protect the financial institution, the TPS, and the Originator from myriad risks. Establishing,  and reviewing debit and credit exposure limits adds a control that can prevent accidents and duplicates, keep an eye on the credit risk from debit return exposure, and watch for malicious actors attempting to take advantage of participants on the ACH Network.