Risk Management Issues

Originators, and ultimately the ODFI, are responsible for any losses associated with activity in the ACH Clearing Account. To mitigate potential losses, risk management protections will be put in place to diminish exposure, such as:

• Implementing Customer credit qualifying conditions, risk parameters, and Risk Management process
• Placing a hold period on collected Customer funds prior to issuing ACH credits
• Establishing a Customer rolling reserve fund based on credit qualifications and risk parameters

Fraud Risk Management

Affirmative, and its Financial Institution clients, share a deep concern with the potential risk of fraud. Each party must be aware of the measures taken by the other parties' systems and processes, so that the various layers of protection work effectively in concert. This risk can only be mitigated, not extinguished. The layers of fraud protection managed by Affirmative in collaboration with an ODFI are described below.

• Affirmative's software permits transmission of transaction data only by users specifically authorized to perform this function, with User ID and Password protection. Without the proper User ID and Password, our software can't be used to transmit ACH transaction files. This and other permissions enforced in Affirmative software may be changed with any frequency desired by Customer or ODFI.
  
  Affirmative Technologies is among the first to offer enhanced security measures with its ACH processing applications by including Biometric Security Systems protection as a part of the end-user login process (See Section Security Issues).
  
• Files sent to the ODFI's ftp (file transmission protocol) site by Customers are encrypted with a password. The encryption passwords are never sent by email, normally only by U.S. mail. If the delay in the U.S. mail is too long for the business need, custom arrangements for communicating new passwords can be made. These passwords can change with any frequency necessary. If the password is incorrect, the file is not processed, and the ODFI contacts the Customer to resolve the issue.
  
• A custom ftp path(s) is created by the ODFI for its Customers. Each transaction file has information identifying the Originator as the customer, and its clearing account as the destination for funds. Files not placed in the appropriate path with correct identifying and account information will not be processed. When any variation from these rules takes place, the ODFI halts processing of the file and intervenes by contacting the Customer to resolve the issue.
  
• The ODFI ftp site requires a User ID and Password for connection. If these are not correct, no connection is established which would permit data movement.
  
• Each file received at the ODFI must be separately authorized by a FAX specifically addressed to the authorization of the individual file, and with a specifically authorized signature. The file is not processed without it. In case a file arrives without this authorization, the ODFI halts processing of the file and contacts Customer to resolve the issue.
  
• The ODFI will establish daily dollar limits for transactions for each Customer. This sets the limit of exposure both for Customer and ODFI. In addition, the dollar limits may be segmented with subordinate dollar limits on subsets of the total transactions. Therefore ODFI can influence the exposure on an account- wide scale, or along the lines of data segmentation ODFI chooses. (E.g., an obvious one, Customer's account holders vs. non-customers). There are many possible ways this limitation can be employed to manage exposure. The core protective function here is that if a daily limit is exceeded, transactions are held from further processing until the ODFI contacts Customer and resolves the issue.
  
• The ODFI monitors returns, and if these exceed established parameters, the ODFI intervenes by contacting Customer to cooperatively analyze the cause and evaluate responsive actions.
  
• The ODFI tracks incoming telephone calls from RDFI banks concerning unauthorized transactions, and if an unusual pattern of these calls is taking place, the ODFI immediately intervenes with Customer to analyze the cause and resolve the issues.
  
• If Customer demonstrates the necessity, Affirmative is willing to customize additional measures of protection against fraud. However, as you can see from reviewing the anti-fraud measures in place, fraud originating in the process from the point of transaction file transmission through its processing at the ODFI is going to be exceedingly difficult for anyone but an insider to make happen. Even where an insider (e.g., Customer's employee) took such actions, the various red flags described above would lead to prompt intervention to limit the exposure.
  
• The ODFI monitors returns, and if these exceed established parameters, the ODFI intervenes by contacting Customer to cooperatively analyze the cause and evaluate responsive actions.
  
• The ODFI tracks incoming telephone calls from RDFI banks concerning unauthorized transactions, and if an unusual pattern of these calls is taking place, the ODFI immediately intervenes with Customer to analyze the cause and resolve the issues.
  
• If Customer demonstrates the necessity, Affirmative is willing to customize additional measures of protection against fraud. However, as you can see from reviewing the anti-fraud measures in place, fraud originating in the process from the point of transaction file transmission through its processing at the ODFI is going to be exceedingly difficult for anyone but an insider to make happen. Even where an insider (e.g., Customer's employee) took such actions, the various red flags described above would lead to prompt intervention to limit the exposure.