
Figure 1. ACH network payment volume 2020-2024. Growing volume raises the regulatory bar on risk documentation.
An ACH risk assessment template is a structured worksheet that helps a financial institution or Originator evaluate the risks tied to its Automated Clearing House activity, rate them, and document the controls that keep those risks inside appetite.
An ACH risk assessment template sits alongside the broader risk assessment methodology an institution uses across its enterprise, and it is the single artifact most examiners ask for first.
This ACH risk assessment template guide walks through what the template should cover, how to score each risk, and where teams usually get it wrong. A downloadable template is linked at the end.
Why an ACH Risk Assessment Matters
The ACH network moved roughly 33 billion payments in 2024, and volume keeps growing as Same Day ACH limits expand. With that growth, the regulatory expectation around risk documentation has tightened. Three sources drive the requirement:
- Nacha Operating Rules: Rule 1.2.4 requires each Participating DFI (ODFI and RDFI) and each Third-Party Sender to conduct an assessment of the risks of its ACH activities and to implement a risk management program based on the findings; Third-Party Service Providers are pulled into scope through the ODFI's agreements. The Rules frame this as an ongoing obligation rather than fixing a calendar interval, but an annual refresh is the supervisory expectation and lines up with the annual Rules compliance audit.
- FFIEC IT Examination Handbook (Retail Payment Systems booklet): expects a documented, enterprise-wide view of ACH risk covering credit, operational, fraud, compliance, and strategic dimensions.
- OCC Bulletin 2006-39: still the benchmark guidance. Lays out the risk categories examiners test against during safety-and-soundness reviews.
An ACH risk assessment template does two jobs. It forces consistency across business lines so risks are scored the same way. And it creates an audit trail the board, audit committee, and internal audit can follow.

Figure 2. Inherent versus residual risk across the eight ACH risk categories. Gap between bars is the control effectiveness.
The Eight Risk Categories Your Template Must Cover
A defensible ACH risk assessment template addresses eight categories. Collapsing them into one or two generic rows is the most common finding in exam reports. For the broader treatment of how to structure any enterprise assessment, see our risk assessment process guide.
1. Credit Risk
The risk that an Originator fails to fund a credit entry, or that a Receiver returns a debit as unauthorized after the ODFI has already made the funds available to the Originator and may not be able to recover them. Measure exposure by:
- Peak-day and 5-day rolling origination volume
- Concentration by Originator (top 10 as % of total)
- Return rate trends, particularly R01 (insufficient funds) and R02 (account closed)
- Whether exposure limits are set at the Originator, settlement date, and aggregate level
2. Operational Risk
Process breakdowns, file errors, staffing gaps, and system failures. Our operational risk guide goes deeper on scoring methodology.
High-signal indicators include file re-submissions, missed Fed deadlines, manual workarounds, and the number of staff with ACH origination access versus the number who have completed AAP-level training.
3. Fraud Risk
Covers corporate account takeover, business email compromise redirecting payroll, synthetic identities opening Originator accounts, and unauthorized debits.
The assessment should map which controls (dual approval, out-of-band confirmation, behavioral analytics) cover which fraud vectors, and flag gaps.
4. Compliance Risk
Nacha rule changes, BSA/AML obligations (OFAC screening on IAT entries, SAR filings on suspicious ACH activity), Regulation E for consumer debits, and UDAAP exposure on recurring debits.
See our compliance risk assessment framework for the full testing approach. List each obligation, the control that evidences compliance, and the last testing date.
5. Third-Party Risk
Third-Party Senders, Third-Party Service Providers, Payroll Service Bureaus, and Nested Third-Party Senders. Due diligence should cover financial condition, SOC 1 or SOC 2 reports, BCP testing results, underwriting of their Originators, and contractual indemnification.
For the full lifecycle approach, see our third-party risk management framework and the dedicated set of third-party KRIs. Nested arrangements deserve their own row in the template.
6. Systemic and Settlement Risk
Exposure to ACH Operator outages (FedACH or EPN), correspondent bank failure, or a settlement agent disruption. Document the backup Operator relationship, the intraday liquidity plan, and the point at which settlement cannot be completed without regulatory notification. Tie this row to your business continuity plan.
7. Reputation Risk
Linked to the Originator portfolio. High-risk verticals (online lenders, debt collectors, gambling processors, nutraceuticals) carry reputation risk regardless of how tightly the ACH program is run. The template should flag concentration in these verticals and the board’s stated risk appetite for them.
8. Strategic Risk
How the ACH program supports the bank’s revenue and customer strategy, and the risk of over-reliance on a small number of Originators or on aging platforms. Our strategic risk article explains how to frame this at the board level. This is the category most institutions skip. Examiners have started asking for it.
Risk Scoring: Inherent, Controls, Residual

Figure 3. Likelihood-by-impact scoring matrix. Residual scores in orange or red drive the remediation backlog.
An ACH risk assessment template that only lists risks is a checklist, not an assessment. Scoring turns it into a management tool.
| Element | Scale | What it measures |
| --- | --- | --- |
| Inherent risk | 1 (Low) to 5 (High) | Risk before controls: likelihood × impact, each rated 1 to 5, with the product binned back onto the 1 to 5 scale |
| Control strength | 1 (Weak) to 5 (Strong) | Design and operating effectiveness, evidenced by testing; an untested or failed control should not earn credit |
| Residual risk | 1 to 5 | Inherent risk adjusted for control strength |
| Appetite | Target score | Board-approved tolerance for each risk category |
Residual risk is the column auditors and examiners focus on most. A residual score above appetite triggers a remediation action with an owner and due date. Many institutions also visualize the results on a risk heat map for board reporting.
A practical shortcut: set inherent risk in your ACH risk assessment template during the annual assessment, but refresh control strength quarterly using KRI data. It keeps the assessment current without redoing the full exercise.
Building the Template: Row Structure
Each row in the ACH risk assessment template should capture the following fields; anything less and the assessment becomes hard to audit. If you are starting from a blank workbook, our risk register template covers the underlying column design.
- Risk ID
- Risk category (one of the eight above)
- Risk description (one sentence, specific)
- Inherent likelihood (1 to 5)
- Inherent impact (1 to 5)
- Inherent score
- Key controls in place
- Control owner
- Last control test date and result
- Control strength rating
- Residual score
- Appetite
- Gap or exception
- Remediation action, owner, and target date
- Related KRI and current value
Keep the ACH risk assessment template row count manageable. A community bank program typically lands at 30 to 50 rows. A large ODFI with an active Third-Party Sender channel can reach 120 to 150. If the template exceeds 200 rows, risks are being split too finely.
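To make the scoring rules (inherent, control strength, residual, appetite) and the row fields above concrete, here is an added Python example; it is not code from the article or its downloadable template. It models one template row, derives inherent and residual scores, refuses control credit where the test evidence is missing, failed or stale, and builds the remediation backlog. The binning of likelihood × impact onto 1 to 5, the residual formula (one point off inherent for each step of control strength above weak), the 365-day evidence cutoff, and the sample rows are assumptions chosen for illustration; substitute your institution's approved methodology.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Scoring conventions assumed for this example (one common approach, not a
# Nacha or FFIEC prescription):
#   inherent = likelihood x impact (1..25) binned onto the 1..5 scale
#   residual = inherent minus (control strength - 1), floored at 1
# A control with no test, a failed test, or a test older than MAX_TEST_AGE_DAYS
# is credited as weak (strength 1) whatever rating sits in the workbook.
MAX_TEST_AGE_DAYS = 365


def bin_inherent(likelihood: int, impact: int) -> int:
    """Map the 1-5 x 1-5 product onto the 1-5 inherent scale."""
    for v in (likelihood, impact):
        if not 1 <= v <= 5:
            raise ValueError(f"likelihood and impact must be 1..5, got {v}")
    product = likelihood * impact
    if product <= 2:
        return 1
    if product <= 6:
        return 2
    if product <= 12:
        return 3
    if product <= 16:
        return 4
    return 5


@dataclass
class RiskRow:
    risk_id: str
    category: str                 # one of the eight categories above
    description: str              # one sentence, specific
    likelihood: int               # inherent likelihood 1-5
    impact: int                   # inherent impact 1-5
    key_controls: tuple[str, ...]
    control_owner: str
    control_strength: int         # 1 weak .. 5 strong, as rated by the owner
    last_test: Optional[date]     # None = never tested
    last_test_passed: bool
    appetite: int                 # board-approved residual target
    related_kri: str = ""

    def inherent(self) -> int:
        return bin_inherent(self.likelihood, self.impact)

    def effective_control_strength(self, as_of: date) -> int:
        """Only credit a control that has current, passing test evidence."""
        if self.last_test is None or not self.last_test_passed:
            return 1
        if (as_of - self.last_test).days > MAX_TEST_AGE_DAYS:
            return 1
        return self.control_strength

    def residual(self, as_of: date) -> int:
        return max(1, self.inherent() - (self.effective_control_strength(as_of) - 1))

    def gap(self, as_of: date) -> int:
        """Points of residual risk above appetite; 0 means within tolerance."""
        return max(0, self.residual(as_of) - self.appetite)


def remediation_backlog(rows, as_of):
    """Rows over appetite, worst first: the list that gets owners and dates."""
    over = [r for r in rows if r.gap(as_of) > 0]
    return sorted(over, key=lambda r: (-r.gap(as_of), r.risk_id))


AS_OF = date(2025, 3, 31)
SAMPLE_ROWS = [  # constructed illustration rows, not real findings
    RiskRow("ACH-001", "Credit", "Nested TPS originates above the first-tier TPS limit", 4, 5,
            ("Aggregate TPS exposure limit", "Daily nested TPS volume report"), "ACH Ops Mgr",
            4, date(2024, 11, 1), True, appetite=3, related_kri="Originator exposure utilization"),
    RiskRow("ACH-002", "Fraud", "Account takeover submits a payroll file via online origination", 4, 4,
            ("Dual approval", "Out-of-band confirmation"), "Digital Banking",
            4, date(2023, 9, 15), True, appetite=2),   # stale test: no control credit
    RiskRow("ACH-003", "Compliance", "IAT entry settles without OFAC screening", 2, 5,
            ("Automated OFAC screen on every IAT",), "BSA Officer",
            5, date(2025, 1, 10), True, appetite=2),
    RiskRow("ACH-004", "Operational", "Duplicate file transmitted after a failed send", 3, 3,
            ("File hash duplicate check",), "ACH Ops Mgr",
            3, date(2025, 2, 1), False, appetite=2),    # failed test: no control credit
]

if __name__ == "__main__":
    for r in SAMPLE_ROWS:
        print(r.risk_id, r.category, "inherent", r.inherent(), "residual", r.residual(AS_OF),
              "appetite", r.appetite, "gap", r.gap(AS_OF))
    print("backlog:", [r.risk_id for r in remediation_backlog(SAMPLE_ROWS, AS_OF)])
```

Run as a script it prints the four rows and a backlog of ACH-002 and ACH-004: the fraud row loses its control credit because the last test is older than a year, and the operational row loses it because the last test failed. That is the mechanical form of the "stale controls inventory" failure discussed later: a rating in the workbook is not evidence, a dated passing test is.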
High-Risk Activities That Need Their Own Treatment

Figure 4. Where exposure concentrates in a typical mid-sized ODFI. Third-Party Senders dominate, which is why Nested TPS visibility matters.
Nacha and OCC guidance single out specific activities that warrant enhanced review. Each should get a dedicated section in the template with its own exposure calculation and controls.
- Third-Party Sender relationships, particularly Nested TPS
- Same Day ACH credits, particularly those at or near the per-entry limit (entries above it are not eligible for Same Day and fall back to standard processing)
- Consumer debits originated by merchants with elevated return rates
- International ACH Transactions (IAT) requiring OFAC screening on every entry
- Reversals initiated by Originators
- Direct Access arrangements, where an Originator, Third-Party Sender, or Third-Party Service Provider transmits entries straight to an ACH Operator under the ODFI's routing number, bypassing the ODFI's front-end controls
- Faster-payment adjacencies: an ACH debit can still be returned (consumer unauthorized returns up to 60 days out) after its proceeds have been pushed out over RTP or FedNow, whose credits are irrevocable, so a fund-by-ACH-then-push sequence leaves the institution holding the return
For each, the ACH risk assessment template should capture the daily and monthly exposure cap, the actual utilization, and the monitoring cadence.
KRIs That Belong in the Same Workbook

Figure 5. Nacha return-rate caps with recommended warn and escalate thresholds. Crossing warn levels should trigger Originator review.
Risk scores alone go stale. Pair the assessment with a small set of Key Risk Indicators, refreshed monthly, that signal when a control is degrading. For dashboard design, see KRI dashboard best practices.
| KRI | Why it matters | Typical threshold |
| --- | --- | --- |
| Administrative return rate (R02, R03, R04) | Nacha cap is 3.0%, measured per Originator or Third-Party Sender on debit entries over the preceding 60 days | Warn at 2.0%, escalate at 2.5% |
| Unauthorized return rate (R05, R07, R10, R11, R29, R51) | Nacha cap is 0.5%, same measurement basis | Warn at 0.3%, escalate at 0.4% |
| Overall return rate (all debit returns) | Nacha cap is 15.0%, same measurement basis | Warn at 10%, escalate at 12% |
| Originator exposure utilization | Credit discipline: peak daily origination against the assigned limit | Warn at 80% of limit |
| Failed dual-approval transactions | Operational control | Any is a finding |
| Days since last BCP test of ACH platform | BCMS hygiene | Escalate beyond 12 months |
| Nested TPS count and concentration | Third-party visibility | Review at onboarding and quarterly |
These KRIs feed directly into the control strength column of the ACH risk assessment template, which is how the document stays useful between annual refreshes.
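The return-rate and exposure KRIs in the table are the ones most institutions compute from origination and return data rather than by hand. The following is an added Python example, not code from the article, that computes the three Nacha return rates per Originator over a 60-day window, applies the warn/escalate thresholds from the table, measures peak daily exposure utilization against a limit, and maps the result onto the control strength column. The reason-code groupings are the ones Nacha uses for its return rate levels as I understand them (confirm against the current Operating Rules), the mapping from KRI state to a 1 to 5 control strength is an assumption, and the entries and limits are constructed sample data.

```python
from collections import defaultdict
from datetime import date, timedelta
from typing import NamedTuple, Optional

# Reason-code groupings behind Nacha's three return rate levels (verify against
# the current Operating Rules before relying on them in a production KRI).
UNAUTHORIZED_CODES = {"R05", "R07", "R10", "R11", "R29", "R51"}
ADMINISTRATIVE_CODES = {"R02", "R03", "R04"}
WINDOW_DAYS = 60  # Nacha measures each rate over the preceding 60 days

# (warn, escalate, Nacha level) as fractions, from the KRI table above
THRESHOLDS = {
    "unauthorized":   (0.003, 0.004, 0.005),
    "administrative": (0.020, 0.025, 0.030),
    "overall":        (0.100, 0.120, 0.150),
}
UTILIZATION_WARN = 0.80  # Originator exposure utilization KRI


class DebitEntry(NamedTuple):
    originator: str
    settled: date                # settlement date of the originated debit
    amount: float
    return_code: Optional[str]   # None if the entry was not returned


def make_entries(originator, settled, count, amount, returns):
    """Constructed sample data: `count` debits on one day; `returns` maps a
    return reason code to how many of them came back with that code."""
    entries = [DebitEntry(originator, settled, amount, code)
               for code, n in returns.items() for _ in range(n)]
    clean = count - sum(returns.values())
    entries += [DebitEntry(originator, settled, amount, None)] * clean
    return entries


def return_rates(entries, originator, as_of):
    """Unauthorized, administrative and overall return rates for one Originator
    over the 60 days ending at as_of (None if nothing was originated)."""
    start = as_of - timedelta(days=WINDOW_DAYS)
    window = [e for e in entries
              if e.originator == originator and start < e.settled <= as_of]
    if not window:
        return None
    total = len(window)
    return {
        "unauthorized": sum(e.return_code in UNAUTHORIZED_CODES for e in window) / total,
        "administrative": sum(e.return_code in ADMINISTRATIVE_CODES for e in window) / total,
        "overall": sum(e.return_code is not None for e in window) / total,
    }


def status(kri, rate):
    """ok / warn / escalate below the Nacha level, breach at or above it."""
    warn, escalate, cap = THRESHOLDS[kri]
    if rate >= cap:
        return "breach"
    if rate >= escalate:
        return "escalate"
    if rate >= warn:
        return "warn"
    return "ok"


def peak_daily_utilization(entries, originator, limit, as_of):
    """Peak single-day originated dollar volume in the window, as a fraction
    of the Originator's assigned daily exposure limit."""
    start = as_of - timedelta(days=WINDOW_DAYS)
    daily = defaultdict(float)
    for e in entries:
        if e.originator == originator and start < e.settled <= as_of:
            daily[e.settled] += e.amount
    return max(daily.values(), default=0.0) / limit


def control_strength(statuses, utilization):
    """Assumed mapping from KRI state onto the 1-5 control strength column:
    any breach -> 1, any escalate -> 2, any warn -> 3, otherwise 5; running at
    or above the utilization warn line caps the score at 3."""
    worst = {"breach": 1, "escalate": 2, "warn": 3, "ok": 5}
    strength = min(worst[s] for s in statuses.values())
    if utilization >= UTILIZATION_WARN:
        strength = min(strength, 3)
    return strength


def kri_report(entries, limits, as_of):
    """Per-Originator rates, statuses, utilization and derived control strength."""
    report = {}
    for originator, limit in limits.items():
        rates = return_rates(entries, originator, as_of)
        if rates is None:
            continue
        statuses = {k: status(k, r) for k, r in rates.items()}
        util = peak_daily_utilization(entries, originator, limit, as_of)
        report[originator] = {"rates": rates, "status": statuses, "utilization": util,
                              "control_strength": control_strength(statuses, util)}
    return report


AS_OF = date(2025, 3, 31)
LIMITS = {"MERCHANT-A": 100_000.0, "MERCHANT-B": 250_000.0}  # constructed daily limits
SAMPLE_ENTRIES = (
    make_entries("MERCHANT-A", AS_OF - timedelta(days=5), 1000, 85.0,
                 {"R10": 4, "R05": 2, "R02": 10, "R03": 5, "R01": 80})
    + make_entries("MERCHANT-B", AS_OF - timedelta(days=10), 500, 120.0,
                   {"R10": 1, "R02": 8, "R03": 3, "R01": 20})
    # 90 days old: outside the 60-day window, so it must not move B's rate
    + make_entries("MERCHANT-B", AS_OF - timedelta(days=90), 200, 120.0, {"R10": 50})
)

if __name__ == "__main__":
    for originator, row in kri_report(SAMPLE_ENTRIES, LIMITS, AS_OF).items():
        print(originator, {k: f"{v:.2%}" for k, v in row["rates"].items()}, row["status"],
              f"util={row['utilization']:.0%}", f"control_strength={row['control_strength']}")
```

On the sample data MERCHANT-A breaches the unauthorized level (0.60%) and sits in the overall warn band while running at 85% of its limit, so its control strength drops to 1 and the credit and fraud rows that cite this KRI move over appetite; MERCHANT-B only trips the administrative warn line. The third batch shows why the window matters: 50 unauthorized returns from 90 days ago would push B into breach if the rate were computed year-to-date, but Nacha's measure is the trailing 60 days, so the KRI must be windowed the same way or it will misstate the Originator's standing.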
The ACH Risk Assessment vs the ACH Audit
The two are routinely confused. They are not the same document.
An ACH risk assessment is forward-looking. It asks what could go wrong, how bad it would be, and whether the current control set is sufficient. It is owned by the risk function, signed off by the ACH risk committee, and refreshed annually.
An ACH audit is backward-looking. It tests whether the controls actually operated during the prior year and whether the institution complied with the Nacha Operating Rules.
It is required annually under Nacha Rule 1.2.2 and is typically performed by internal audit or a qualified third party.
The ACH risk assessment template informs audit scope. The audit validates what the assessment claims. Examiners read them together.
Common Failures to Avoid
Four patterns show up repeatedly in exam criticism:
Generic risk descriptions. Writing “fraud risk is moderate” tells an examiner nothing. Name the fraud type, the channel, and the specific control gap.
Stale controls inventory. The control listed in row 14 was decommissioned two years ago, but the assessment still credits it. Tie each control to a control ID in the GRC system so changes flow through automatically.
No link to exposure limits. The assessment says Originator credit risk is managed, but nothing ties the risk score to the actual limit assignment process. Add a column referencing the limit methodology document.
Ignoring Nested Third-Party Senders. Since the 2022 Nacha rule change, Nested TPS visibility is mandatory. Many templates still treat the first-tier TPS as the endpoint.
How Often to Refresh
- Full assessment: annually, with board or committee sign-off
- Control strength review: quarterly, driven by KRI data and audit findings
- Event-driven refresh: whenever a new Originator channel launches, a material fraud loss occurs, a Nacha rule takes effect, or a Third-Party Sender relationship is added
- Regulatory trigger: before any ACH-focused exam, retest any control whose last test result is older than 12 months so every control claim carries current evidence; updating the date column without retesting is exactly the kind of stale inventory examiners look for
Putting It to Work
An ACH risk assessment template earns its place when three things are true: the board can read the residual-risk column and understand where the program stands, the first line can use it to prioritize remediation, and internal audit can trace every control claim to evidence. Everything else is documentation theater.
Use the ACH risk assessment template below as a starting point, adapt the risk categories to the activities your institution actually runs, and keep the KRI workbook connected so the assessment stays alive between annual refreshes.
Frequently Asked Questions
How often does Nacha require an ACH risk assessment?
Nacha Operating Rule 1.2.4 requires the assessment and a risk management program built on it without fixing a calendar interval; annual is the cadence examiners expect and the one this guide assumes. Nested Third-Party Sender relationships and new Originator channels trigger interim updates.
Who should sign off on the assessment?
At minimum, the ACH risk assessment template should be signed off by the ACH operations owner, the compliance officer, and the chief risk officer. Board or risk committee ratification is standard at federally supervised institutions.
What is the difference between inherent and residual risk?
Inherent risk is the exposure before controls. Residual risk is what remains after controls are applied. The residual score compared to risk appetite is what drives remediation.
Do community banks need the same depth as large ODFIs?
The ACH risk assessment template structure is the same; the volume differs. A community bank with ten Originators will have a shorter template than a large ODFI with an active Third-Party Sender book, but every category must still be addressed.
Can the same template be used for Same Day ACH and standard ACH?
Yes, with separate rows. Same Day ACH carries higher fraud and operational risk per entry because of the compressed processing window, so the scoring should not be collapsed into standard ACH.
Is a third-party SOC 2 enough to cover Third-Party Sender risk?
No. SOC 2 is one input. The assessment should also cover financial condition, Originator underwriting standards, BCP testing, exposure limits at the TPS level, and evidence of Nested TPS oversight. See our third-party risk management framework for the full due diligence checklist.

Chris Ekai is a Risk Management expert with over 10 years of experience in the field. He has a Master's (MSc) degree in Risk Management from the University of Portsmouth and is a CPA and Finance professional. He currently works as a Content Manager at Risk Publishing, writing about Enterprise Risk Management, Business Continuity Management and Project Management.
