We are not aware of any laws or regulations that require you to institute approval procedures for ACH transactions that exceed your institution’s legal lending limit. Your approval processes and policies on ACH transfers are risk management decisions left to your institution’s discretion.
The FFIEC’s Retail Payment Systems IT Booklet has general guidance on setting ACH limits, but it does not require you to adopt a particular approval threshold to control or mitigate the risks of handling large ACH payments. As part of your risk management, your institution must demonstrate an understanding of the risks of ACH transactions, which apparently are treated similarly to credit risks — “for ACH credit entries, a financial institution that serves as the ODFI incurs credit risk upon initiating the entries until its customer funds the account.” FFIEC IT Booklets, Retail Payment Systems, ACH Risk Management Controls.
To minimize ACH risks, the FFIEC encourages the use of written policies and monitoring for compliance with your internal policies. Due to the possible credit risk of ACH transactions, the FFIEC advises institutions to manage the customer relationship “in the same manner as any credit, subjecting the customers to credit administration processes for due diligence and ongoing monitoring.” FFIEC IT Booklets, Retail Payment Systems, Credit Risk. The FFIEC suggests involving management in ACH monitoring, as its examination procedures include an analysis of “whether management adequately tracks exceptions to credit limit policies and legal contracts.” Appendix A, Examination Procedures. A possible alternative to a preapproval process for the customer’s ACH transactions might be to “ensure payments are made against collected funds” or to require your customer to prefund any large ACH credit transactions. See Appendix A, Examination ProceduresFFIEC IT Booklets, Retail Payment Systems, ACH Risk Management ControlsFFIEC IT Booklets, Retail Payment Systems, Credit Risk.