Key Risk Issues Every Treasury Management Officer Should Consider
December 27, 2015
Treasury management agreements often remind me of the Winchester Mystery House.
The Winchester Mystery House is a beautiful, sprawling, and bizarre Victorian mansion. The story goes that Sarah Winchester, reeling from the untimely deaths of her infant daughter and husband, William Wirt Winchester (of Winchester repeating rifle, “The Gun That Won The West” fame) consulted a medium. The medium advised her that her family and fortune were being haunted by the spirits of American Indians, Civil War soldiers, and others killed by Winchester rifles. The medium instructed Mrs. Winchester to move west and build a great house for the spirits. So long as construction never stopped, they would be appeased, and Mrs. Winchester would be safe.
Thirty-eight years of uninterrupted construction unguided by blueprints transformed a tidy 8-room house into a rambling maze of a mansion with 160 rooms and nearly as many architectural oddities, some more functional than others: a staircase that descends seven steps and then rises eleven, columns installed upside down, stairs that lead to the ceiling, and doors that go nowhere.
For many financial institutions, their treasury, or cash management, agreements started out like the tidy 8-room Winchester house, neatly constructed and limited in purpose, perhaps at first addressing basic ACH services. With the addition of each “room”—online business banking, positive pay, a sweep account, lock box, remote deposit capture—the stack of documents grew bigger, somewhat disjointed, perhaps even unintentionally conflicting, like stairs leading to a ceiling.
Such add-on drafting of treasury management agreements creates fraud, operational, regulatory, and legal risks. A comprehensive review and update of your bank’s treasury management and other related bank agreements can help reduce fraud losses, improve the customer experience while shortening time to revenue, and ensure legal enforceability and manage regulatory risk.
Reduce Fraud Losses
Are your bank’s agreements structured to take advantage of changes in the law, especially beneficial ones?
With the exponential increase in wire and other electronic transfers between commercial accounts comes increased cyber risk and the related risk of unauthorized transactions. The general rule is that the bank bears the risk of loss for fraudulent transfers from a commercial deposit account.[1] UCC Article 4A provides a key exception to this rule, but your bank’s agreement must be properly structured to take advantage of it.
If a bank and its customer have an agreement as to what constitutes a commercially reasonable security procedure,[2] the risk of loss for fraud shifts to the customer if the bank proves that it accepted a fraudulent payment order (1) in good faith and (2) in compliance with the security procedure and any written agreement or instruction of the customer restricting acceptance of payment orders issued in the name of the customer.[3]
Also, if a bank has established commercially reasonable security procedures that a customer has declined to use, and the customer instead agrees in writing to be bound by payment orders issued in its name and accepted by the bank in accordance with another security procedure, then the customer will bear the risk of loss from a fraudulent payment order.[4]
Thus, it is vitally important to ensure that your bank’s treasury management agreement addresses security procedures so that you can take advantage of the risk allocation rules of Article 4A.
Improve the Customer Experience While Shortening Time to Revenue
Are you using a separate agreement for each treasury management service you offer so that if your customer wants online business banking, ACH, bill pay, a sweep account, lock box, and remote deposit capture, the customer must sign six (or more) separate agreements? Or did your bank start with a short agreement when it first launched ACH services, and with each new service, tack on more and more and more provisions over time so that it now has a rambling, less than coherent, mansion of an agreement?
Whether you are using separate agreements for each service offering or one long agreement that addresses all treasury management services (including ones the customer does not want), restructuring these into one master agreement with supporting addenda for each service can improve the customer experience. This will simplify and speed not only initial onboarding, but also adding services for that customer later. Quicker onboarding leads to quicker revenue.
From an administrative and legal perspective, using a master agreement structure also ensures that defined terms, standard terms and conditions, and most importantly security procedures are addressed consistently across all service offerings and are not unnecessarily repeated in numerous and lengthy contract documents.
Ensure Legal Enforceability and Manage Regulatory Risk
Does your bank’s treasury management agreement accurately reflect the current service offerings? Does your treasury management agreement dovetail with your deposit account and other bank agreements? Does your treasury management agreement include provisions mandated by rules or “recommended” by regulation?
It is not uncommon for a bank’s treasury management agreement to be out of sync with its current service offerings. A marketing initiative results in an inadvertently architected “upside down column” in the treasury agreement which still refers to the bill pay service as PAYEASE, but the business unit is selling a service called EASYPAY. In some cases, a service is discontinued, yet still addressed in the agreement. More often, a service is added or a functionality is changed, but the agreement does not address it.
This creates legal risk. If the agreement does not properly address the service and the related obligations the customer is assuming, this calls into question the legal enforceability of the agreement, not only regarding the customer’s obligations, but also regarding general terms and conditions, including disclaimers, indemnities, and limitations of liability, that protect the bank.
It is also common for a bank’s treasury management agreement not to dovetail with the bank’s deposit account agreement (when was the last time it was updated?) or online banking terms and conditions. This also creates legal risk. For example, the security procedures in the treasury management agreement may differ from those in the online banking terms and conditions. Which controls? The answer to this question is critical and may impact the bank’s ability to avoid a fraud loss under the risk allocation provision of UCC Article 4A.
It also creates regulatory risk. If your bank’s treasury management agreement does not accurately reflect all services, it will necessarily fail to include provisions mandated by applicable rules. For example, National Automated Clearing House Association (NACHA) Rules require, among other things, that a bank audit its customer’s compliance with ACH rules.[5] To ensure the customer’s cooperation and the bank’s right to do so, your bank’s treasury management agreement should expressly grant this audit right.
The treasury management agreement will also fail to follow recommended regulatory guidance. For example, the FFIEC’s guidance on Remote Deposit Capture[6] (RDC) recommends that a treasury management agreement contain numerous contractual provisions that address the parties’ respective roles and responsibilities. A sample of the recommended provisions regarding the customer’s responsibilities includes: (1) handling and record retention procedures for the information in RDC, including physical and logical security expectations for access, transmission, storage, and disposal of deposit items containing nonpublic personal information; (2) types of items that may be transmitted and aggregate limits on daily deposits; (3) processes and procedures that the customer must follow, including those related to image quality; (4) imaged documents (or original documents, if available) RDC customers must provide to facilitate investigations related to unusual transactions or poor quality transmissions, or to resolve disputes; and (5) periodic audits of the RDC process, including the IT infrastructure. It is a good idea to heed such guidance because today’s “recommended” guidance will likely become a requirement in one or two examination cycles.
While the architectural oddities of the Winchester House have created a tourist attraction, the drafting oddities of treasury management agreements create fraud, operational, regulatory, and legal risks. By updating your bank’s treasury management agreement and ensuring consistency with other bank agreements, you can reduce fraud losses, improve the customer experience while shortening time to revenue, and ensure legal enforceability and manage regulatory risk. We would be happy to assist you in performing such a review and update.
[1] U.C.C. §4A-204 (Unif. Law Comm’n 1989).
[2] U.C.C. §4A-201 (Unif. Law Comm’n 1989).
[3] U.C.C. §4A-202(b) (Unif. Law Comm’n 1989).
[4] U.C.C. §4A-202(c) (Unif. Law Comm’n 1989).
[5] NACHA Operating Rules & Guidelines, App. 8, Part 8.4. Part 8.4(a) provides a list of items that must be contained in an origination agreement.
[6] Federal Financial Institutions Examination Council, Risk Management of Remote Deposit Capture (2009).