A5000.15 ACH Fraud Prevention

Operating Standard

Type: Administrative
Responsible: VP of Administrative Services
Related Policies: B3000, B3006, B3007, A5000
Linked Operating Standards: 
Related Laws: EFTA, UCC 4A, FISMA
Related External Standards: NACHA
HLC Criterion2D2D The institution supports academic freedom and freedom of expression in the pursuit of knowledge as integral to high-quality teaching, learning and research. , 4A4A The institution’s administrative structures are effective and facilitate collaborative processes such as shared governance; data-informed decision making; and engagement with internal and external constituencies as appropriate.

A5000.00 ACH Fraud Prevention PDF

Table of contents

 

1.0 Statement

Shawnee Community College originates limited Automated Clearing House (ACH) transactions consisting only of recurring payroll direct deposit and one established recurring vendor payment. The College maintains risk‑based ACH fraud prevention procedures reasonably intended to identify ACH entries initiated due to fraud, including unauthorized or false‑pretense authorizations, in accordance with the National Automated Clearing House Association (NACHA) Operating Rules applicable to low‑risk ACH originators.

 

2.0 Purpose & Scope

Purpose: To establish internal controls and procedures that prevent, detect, and respond to potential ACH fraud risks associated with payroll direct deposit and recurring vendor payments while maintaining compliance with NACHA requirements proportionate to the College’s low‑risk ACH activity profile.

Scope: This standard applies exclusively to payroll direct deposit to College employees and vendor ACH payment to State Universities Retirement System (SURS). The College does not originate ACH for student refunds, new vendors, ad‑hoc payments, or same‑day ACH.

 

3.0 Definitions

  • ACH: Automated Clearing House electronic funds transfer network.
  • Recurring ACH: Regularly scheduled electronic payments to established recipients.
  • Banking Change: Any modification to payee or employee ACH account information.
  • Settlement: Date ACH funds are transferred between financial institutions.

 

4.0 Roles & Responsibilities

  • Payroll Specialist: Prepares ACH file, maintains payroll banking records, and documents payroll changes. Verifies SURS payment amount and maintains SURS banking records.
  • Director of Business Services: Approves payroll and vendor ACH files.

 

5.0 Procedures

Payroll ACH Processing

  1. Payroll Specialist generates payroll ACH file from ERP system.
  2. Director of Business Services reviews and approves payroll registers.
  3. Payroll Specialist transmits ACH files to bank.
  4. Director of Business Services reviews bank confirmations.

 

Payroll Direct Deposit Changes

  1. Employee submits signed Direct Deposit Authorization Agreement.
  2. Payroll Specialist verifies employee identity.
  3. Independent confirmation is performed using known contact information.
  4. Director of Business Services approves the change.
  5. Change becomes effective no earlier than the next payroll cycle.

 

SURS ACH Payment

  1. Payroll Specialist verifies SURS payment matches SURS report.
  2. Director of Business Services reviews and approves SURS ACH payment.
  3. Payroll Specialist generates ACH file from ERP system
  4. Payroll Specialist transmits ACH file to bank.
  5. Director of Business Services reviews bank confirmation.

 

SURS Banking Changes

  1. SURS submits written bank change request.
  2. Payroll Specialist performs callback to SURS contact.
  3. Authorized signer is verified.
  4. Director of Business Services approves change.
  5. First payment to new account occurs no earlier than (7) days after verification.

 

Monitoring

  1. Payroll and SURS payment reviewed each cycle.
  2. Bank confirmations reviewed after each ACH release.

 

Fraud Response

  1. Before Settlement
    1. Stop ACH release
    2. Notify bank ACH department
    3. Freeze affected account
    4. Notify Director of Business Services
  1. After Settlement
    1. Request ACH reversal immediately
    2. Notify bank and recipient
    3. Document incident
    4. Review controls

 

6.0 Guidelines

  • Recordkeeping: The Payroll Specialist maintains banking change log, SURS banking change log, ACH approvals, and bank confirmations.
  • Internal Controls: Segregation of duties maintained. Payroll Specialist generates ACH files, Director of Business Services approves ACH files, Payroll Specialist transmits ACH files to bank, Director of Business Services reviews ACH confirmations from bank. Multi-factor authentication for bank access. No same-cycle banking changes.
  • Compliance: This establishes risk-based ACH fraud prevention procedures proportionate to the College’s limited ACH activity and is intended to comply with NACHA Operating Rules for non-consumer ACH originators.

 

7.0 SCCES Connections

This Operating Standard supports the Infrastructure Effectiveness Element within the SCCES framework, particularly the Fiscal Stewardship and Reliable System Performance Key Performance Areas.

ACH fraud prevention practices serve as a critical control function within the College’s financial systems, ensuring the integrity, security, and reliability of electronic payment processes. These controls support risk mitigation, safeguard institutional resources, and reinforce operational accountability.

Through consistent application, this standard contributes to:

  • Protection of financial resources and risk mitigation (Fiscal Stewardship)
  • Reliable and secure operation of financial systems (Reliable System Performance)

The practices defined in this standard serve as key process inputs that support financial integrity, compliance, and institutional trust.

 

8.0 SCCES Connections

This Operating Standard supports the College’s annual Finance and Investment Monitoring Report by generating evidence related to financial controls, fraud prevention, asset protection, and system reliability.

Evidence generated through this standard contributes to the evaluation of Board policies, including:

  • B3000 – General Executive Limitations
  • B3006 – Financial Condition and Activities
  • B3007 – Asset Protection

Evidence generated may include:

  • Number of ACH transactions processed per cycle
  • Frequency and verification of banking changes
  • Instances of attempted or confirmed fraudulent activity
  • Timeliness and completeness of ACH approval and verification processes

These indicators provide insight into the effectiveness of internal controls, financial risk mitigation, and system integrity. Collectively, they support Board evaluation of fiscal stewardship, asset protection, and compliance with Executive Limitations.

The following alignment illustrates how operational practices defined in this standard contribute to key Monitoring Report measures:

 

Operational Area

Evidence Generated

Monitoring Alignment

ACH Processing Volume

Number of transactions processed

Financial System Activity

Banking Change Controls

Verified vs. attempted changes

Fraud Prevention & Risk Control

Approval Process Integrity

Timeliness and completeness of approvals

Internal Control Effectiveness

Fraud Incidents

Detected or attempted fraud events

Risk Mitigation & Compliance

 

Collectively, these indicators provide insight into financial control effectiveness and institutional risk management, supporting continuous improvement and informed decision-making.

 

9.0 Data Collection & Review

This Operating Standard supports ongoing evaluation of ACH processing and fraud prevention practices through structured data collection and review.

Data Collection:  The Payroll Specialist and Director of Business Services will maintain and review data related to:

  • ACH transaction volume and frequency
  • Banking change requests and verification outcomes
  • Approval and confirmation records
  • Any suspected or confirmed fraud incidents

Review and Analysis: Administrative Services will evaluate compiled data for patterns, trends, and areas of concern, including unusual transaction patterns, frequency of banking changes, and compliance with verification procedures.  Findings will be used to strengthen internal controls, inform process improvements, and support audit and compliance activities.

Review Cycle:  Data will be reviewed on an ongoing basis, with formal review conducted at least annually or as needed based on identified risks or audit findings.

Coordination:  Administrative Services will coordinate with appropriate institutional offices, as needed, to support audit, compliance, and institutional effectiveness processes.

 

10.0 Oversight & Review

This Operating Standard will be reviewed at least every three (3) years or sooner as required based on legal, regulatory, audit, or institutional needs.

Oversight of this standard is coordinated by Administrative Services, with support from relevant institutional offices to ensure alignment with internal controls, audit practices, and institutional priorities.

Revisions will follow the College’s Shared Governance processes and will be documented in the Change Log.

 

Change Log Governance Unit: Administrative Services Council 
Date Description of Change
04.23.26 Initial Adoption