We are getting ready to launch commercial internet banking. I have told the department driving this train that for ACH wholesale credits we need to have, or at least offer and have refused, a commercially reasonable agreed upon security procedure to limit our liability for unauthorized entries. The department replied that since the entries come through an internet cash management provider and they require encryption plus the customer assigns and has total control over its user passwords, nothing more should be necessary.
The department does not want to have to use call-backs or anything beyond what the system provides. How are the rest of you dealing with this issue

Thanks!

I'm not sure that I understand your question - what does the processing of ACH Wholesale Credits have to do with the fact that you are launching internet banking? Internet banking is just a view of what is happening, ACH wise, or are you going to allow commercial customers to originate ACH online?

I don't know if this helps but here is some guidance from the "ACH Compliance Manual" regarding security procecdures in the context of liability for unauthorized and erroneous entries as it related to UCC Article 4A:

Article 4A defines a security procedure as a "procedure established by agreement for the purpose of (1)verifiying that an entry or a communication canceling or amending an entry is that of the customer or (2) detecting error in the transmission or the content of an entry or communication.

The determination of whether an agreed-upon security procedure is commercially reasonable is based upon the following factors:

-- The wishes of the Originator expressed to the ODFI;

-- The circumstances of the Originator known to the ODFI, including the size, type, and frequency of entries normally issued by the Originator:

-- Alternative security procedures offered to the Originator; and

-- Security procedures in general use by similarly situated Originators and ODFIs.

I would take your proposed security procedures and compare it against these criteria and see if they meet the qualifications.

Grist - yes, the customers will be originating online.

We are set up through Fiserv, so Fiserv handles security issues with the one company that is now generating credit entries only entering that data via a terminal at a company location. We are notified by Fiserv when a file has been received.

We have no intention to allow the generation of debit entries, so that issue has been been addressed. My opinion is that whatever entity system that you will be using that will allow a customer to originate ACH entries should have security built in, like dollar limits, number of entries per file, number of entries per week, verification of balances, multiple settlement dates, etc.

Actually, I'm happy its you and not me getting into this service as it could be risky.