Wrestling Payments

Beyond Credit: Sean Carter on Reframing Exposure Limits in Payments

NEACH Season 3 Episode 7


EPISODE SUMMARY
This episode of Wrestling Payments tackles the critical topic of exposure limits in modern payments. Host Joe Casali and guest Sean Carter, President & CEO of Neach Payments Group, dissect an article by Jordan Bennett of Nacha, which focuses on payment modernization and digital transformation. Sean highlights a common misconception: viewing exposure limits solely through the lens of credit risk. He argues for a broader perspective, emphasizing operational risks like account takeovers and business email compromise.

Sean explains how current exposure limit practices often focus on the unlikely event of a business's complete failure, rather than the more frequent occurrences of chargebacks and return items. He advocates for a more holistic review process, considering IT security practices and overall risk management. Sean also discusses the challenges financial institutions face with third-party senders and the importance of consistent due diligence.

Finally, Sean challenges the common practice of assigning uniform exposure limits. He urges listeners to consider the unique risks of each originator and leverage available tools for efficient limit monitoring and enforcement. This episode provides valuable insights for financial institutions looking to strengthen their payment processes and mitigate risk.

Sean Carter
President & CEO
Neach Payments Group and NEACH
Payments risk expert advocating for holistic exposure limit reviews.

KEY INSIGHTS
Rethinking Exposure Limits
 

Exposure limits are often mistakenly viewed solely through the lens of credit risk. This narrow focus overlooks the significant operational risks prevalent in today's digital payment landscape, such as account takeovers and business email compromise. A more comprehensive approach considers a company's IT security practices, overall risk management, and the potential for fraud, ensuring a more robust and effective risk mitigation strategy. Shifting the focus from the unlikely scenario of complete business failure to the more frequent occurrences of chargebacks and returns offers a more practical and relevant assessment of risk.

Third-Party Sender Oversight 

Financial institutions must extend their rigorous risk management practices to third-party senders. While institutions may have robust internal controls, neglecting the oversight of third-party partners creates a vulnerability. Ensuring these partners adhere to the same level of due diligence and risk assessment is crucial for maintaining a strong security posture and protecting the institution from potential fraud and operational failures. This includes implementing agreements and monitoring processes to guarantee consistent security practices across the payment ecosystem.
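The two insights above, and the discussion in the episode, describe a control rather than a credit decision: a limit per originator in each direction (none for a direction the originator never asked for), enforced against what has already been accepted for a settlement date, with usage tracked so the periodic review can see whether the limit was approached. The following Python model is an added illustration, not code from the episode, Nacha, or NEACH; all originator IDs, amounts and review-cadence tiers are constructed for the example.

```python
"""Exposure-limit model: separate debit and credit limits per originator, enforced per
settlement date, with utilisation tracking to feed the periodic review. Constructed example."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class ExposureLimit:
    originator_id: str
    debit_limit: int   # cents; 0 means the originator never asked to originate debits
    credit_limit: int  # cents; 0 means the originator never asked to originate credits

@dataclass(frozen=True)
class AchBatch:
    originator_id: str
    settlement_date: date
    debit_total: int   # sum of debit entries in the batch, cents
    credit_total: int  # sum of credit entries in the batch, cents

class ExposureMonitor:
    """Establish, monitor and enforce limits; review() supports the periodic review."""

    def __init__(self, limits):
        self.limits = {lim.originator_id: lim for lim in limits}
        self.exposure = defaultdict(int)            # (originator, date, direction) -> cents
        self.peak_utilisation = defaultdict(float)  # highest fraction of a limit reached
        self.rejections = defaultdict(int)

    @staticmethod
    def _directions(batch, lim):
        return (("debit", batch.debit_total, lim.debit_limit),
                ("credit", batch.credit_total, lim.credit_limit))

    def check_batch(self, batch):
        """Return (accepted, reason). A rejected batch adds nothing to exposure."""
        lim = self.limits.get(batch.originator_id)
        if lim is None:
            return False, "no exposure limit established for originator"
        for direction, amount, cap in self._directions(batch, lim):
            if amount == 0:
                continue
            if cap == 0:
                # A limit the originator never requested should not exist, so an
                # unexpected credit is stopped instead of riding through "under the limit".
                self.rejections[batch.originator_id] += 1
                return False, f"{direction} entries not authorised for this originator"
            key = (batch.originator_id, batch.settlement_date, direction)
            if self.exposure[key] + amount > cap:
                self.rejections[batch.originator_id] += 1
                return False, f"{direction} limit exceeded for {batch.settlement_date}"
        for direction, amount, cap in self._directions(batch, lim):
            if amount:
                key = (batch.originator_id, batch.settlement_date, direction)
                self.exposure[key] += amount
                self.peak_utilisation[batch.originator_id] = max(
                    self.peak_utilisation[batch.originator_id], self.exposure[key] / cap)
        return True, "accepted"

    def review(self, originator_id):
        """Summarise usage and propose a review cadence (constructed policy tiers)."""
        lim = self.limits[originator_id]
        peak = self.peak_utilisation[originator_id]
        if peak >= 0.9 or self.rejections[originator_id] > 0:
            cadence_months = 8    # near or over the limit: look again soon
        elif max(lim.debit_limit, lim.credit_limit) <= 50_000_00:
            cadence_months = 24   # small originator: a limit is required, an annual review is not
        else:
            cadence_months = 12
        return {"originator_id": originator_id, "peak_utilisation": round(peak, 3),
                "rejections": self.rejections[originator_id],
                "review_every_months": cadence_months}

def demo():
    """Constructed sample: a debit-only originator and a small two-way originator."""
    monitor = ExposureMonitor([
        ExposureLimit("ORIG-A", debit_limit=100_000_00, credit_limit=0),
        ExposureLimit("ORIG-B", debit_limit=10_000_00, credit_limit=10_000_00),
    ])
    results = [
        monitor.check_batch(AchBatch("ORIG-A", date(2024, 5, 1), 60_000_00, 0)),
        monitor.check_batch(AchBatch("ORIG-A", date(2024, 5, 1), 50_000_00, 0)),  # 110k on one date
        monitor.check_batch(AchBatch("ORIG-A", date(2024, 5, 2), 50_000_00, 0)),  # fresh date, fits
        monitor.check_batch(AchBatch("ORIG-A", date(2024, 5, 2), 0, 25_000_00)),  # credit never requested
        monitor.check_batch(AchBatch("ORIG-B", date(2024, 5, 1), 2_000_00, 1_000_00)),
    ]
    return results, monitor.review("ORIG-A"), monitor.review("ORIG-B")
```

Running `demo()` shows the second and fourth batches rejected (one over the day's debit limit, one a credit the originator never requested) and ORIG-A flagged for an 8-month review while the small ORIG-B falls into the 24-month tier.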



Wrestling Payments - Sean Carter

Sean Carter: [00:00:00] without anybody stepping in. If I have a hundred thousand dollar exposure limit, I just go in and I take a previous ACH credit payment. I change the receiver's information, I upload the file through online banking, or maybe it's a template within the online banking. I push a payment out, and because it's gonna be at or under the dollar limit established, it's most likely going right for a ride through the network.

And then when I get that call as a banker to say, what was this? You're gonna say, well, we had this limit. You've agreed to security procedures with us. 

[00:01:00]

Joe Casali: Hello and welcome to Wrestling Payments. We're here today talking about something that caught our eye. Sean, you were looking through your email the other day, and you came across an article by Jordan Bennett of Nacha discussing payment modernization and digital transformation from the perspective of exposure limits.

For anyone who's not familiar with an exposure limit, Sean, what's an exposure limit and what are we talking about?

Sean Carter: Yeah, so exposure limits typically are dollar limits assigned to a cash management customer, whether it's ACH or wire. And in theory, an exposure limit is meant to protect both the customer and the institution from different types of risk, whether it's operational, fraud, [00:02:00] credit. However, I think the purpose of this article is 'cause a lot of people have just treated exposure limits from the view of credit exposure. And the reason this caught my eye is because I've been talking about this for years with our members, having done audits and risk assessments. We write a lot of people up because their process for establishing these limits is literally just a credit review.

And you could argue that over the last couple of years your bigger threat has been on the operational risk side: an account takeover or a business email compromise and someone pushing out a payment. An exposure limit should be able to guard against that if it's done appropriately. So it's a great topic. RMAG did a great article, as you mentioned, written by Jordan, but they get input from the group. It's a really good article. I suggest everybody go take a peek at it. But that's what you and I are gonna discuss today: kind of take this and [00:03:00] muddy it up a little bit and throw our own feelings around.

Joe Casali: All right, so I'm gonna disclose: I consider myself an ACH guy, so I talk about ACH all the time, and I'm going to let you guys in on a little secret. Sean and I both work in the office, and we have conversations throughout the day, and we had a conversation this week where we had to set up a merchant account, without mentioning names.

As you compare setting an ACH exposure limit and setting us up to accept credit cards, any observations?

Sean Carter: Yeah, it took us about 20 minutes to set up a merchant account to accept credit card payments. They asked some very basic questions, more on the CDD side. They didn't really ask much about what we expected our average transaction to be or anything in that regard. I was kind of [00:04:00] dumbfounded by how easy it was to do that, because we had previously done it with a different company and we had to do a bank statement. There was some work that had to go into that, which we didn't have to do this time. And I'm not judging, I'm not saying one is better than the other. Absolutely, I don't want that to come across. I just found that striking. Remember we were debating back and forth in the email who was gonna take the lead on setting up the account, and I'm like, oh, okay, I'll just do it. And it was really easy. But when you think about ACH, right? So this is to accept credit cards; we're taking business-to-business credit cards. I highly doubt we're gonna have many chargebacks for people paying NEACH Payments Group for anything. So when you think about exposure limits, right, in an ACH context or even accepting card payments, right? It's really about what do you expect is going to go wrong and how do you protect yourself, [00:05:00] right? And so when you think about how people have been doing things with exposure limits, almost to a fault, right?

They just worry about the complete failure of the business, right? And that's what they seem to be guarding against. And it's like, how many of your customers have completely folded, right? Whereas if you asked another question a different way, let's say you're a merchant provider as a bank, how many of your customers get chargebacks?

Oh, a hundred percent of them, right? How many of your customers doing ACH debits get returns? Oh, a hundred percent of them, right? That's really what you want to be guarding against. And so it was really interesting how this article was written as well, right? Because under the Nacha rules, as a prerequisite to origination for ACH, you must establish, enforce, monitor, and review exposure limits. Nowhere in Article two does it talk [00:06:00] about credit risk; it talks about all the risks that an originator represents to the institution. So if you think about today's day and age, when you're coming up with that number for an exposure limit, what if a company is an absolute train wreck with their IT security and their practices as a business?

Right? But let's say they're very sound financially, so their financials look good. If you give that party a limit, right, you are more likely to have an operational disaster with them sending money to the wrong customer or duplicating a file or you name it, more so than them going out of business. So I think the point of what Nacha and RMAG were trying to get across, which is something we've been trying to get across, is that the process of doing an exposure limit, the way people are doing it, actually is causing heartache, right?

Because the lenders hate being responsible for it, right? [00:07:00] You have lenders; at most of our member FIs and our clients, cash management has to get lending approval to give a limit to a customer, and the process takes way too long, judging by how easy it was to get this other merchant account versus even us getting reviewed for ACH.

Joe Casali: Let me ask you a couple of questions. Not that it's fair, and we're not naming any names, but let's compare and contrast signing up for a merchant account and setting exposure limits, and my observations. So first, on the merchant account, we are signing up to accept credits. So we are gonna receive credits; that's all we're gonna do. One thing when you talk about ACH, you are potentially looking at both sides, even if it's just a funding debit to fund credits you're sending out. So, and I always thought people in general [00:08:00] in our industry kind of threw this part away.

They kind of, oh yeah, we gotta set up exposure limits.

And the article seemed to say, oh, no. Do you wanna explain?

Sean Carter: Yeah, so exactly, the point of the article is that this process needs to be taken seriously, but in a way that benefits you, right? So it's one of those things where you're highlighting the need to do something from a regulatory standpoint, but it's actually for your own good, right? And so when you think about what we just went through, right? These folks are just going to send us a credit or, if there's a chargeback, they then come back and debit the account. They don't know if we're gonna have money or not. Whatever. But the way people write limits sometimes in ACH, and we write people up for this actually, is the customer will say, I need a hundred thousand dollar credit limit. And then they automatically assign a hundred thousand dollar [00:09:00] debit limit, and the person never asked for that. Right? So let's say you did that in the reverse order. I wanted a hundred thousand dollar debit limit and you also gave me a hundred thousand dollar credit limit. And then I have an email compromise that pushes out a hundred thousand dollar ACH credit, and I come back to you and say, I never wanted to send that big of a payment.

Joe Casali: Time out just for a second.

Go through that scenario. What could happen if they didn't have good IT? They did get a compromise. Someone had the credentials. What could that entity do without anyone taking a look?

Sean Carter: Yeah. So, without anybody stepping in. If I have a hundred thousand dollar exposure limit, I just go in and I take a previous ACH credit payment. I change the receiver's information, I upload the file through online banking, or maybe it's a template within the online banking. I push a payment out, and because [00:10:00] it's gonna be at or under the dollar limit established, it's most likely going right for a ride through the network.

And then when I get that call as a banker to say, what was this? You're gonna say, well, we had the limit. You've agreed to security procedures with us.

Joe Casali: I'll play the other side. We never asked you for a credit limit. We are just sending out debits. Why did you give us a credit limit?

Sean Carter: And a lot of times the answer is, the system makes me do that. And it's like, well, the system is a problem, right? Because you should really be underwriting based upon, the Nacha rules say this, the risk that the originator represents to the bank. So if they're not asking for a credit limit, why are you giving them one? You shouldn't have to manage anything related to ACH credits 'cause they're not sending them. Right. So this is a great area for financial institutions to take a step back. And is there a [00:11:00] way to make this process more efficient? Right. And the reason I say that is you could create a questionnaire that the customer fills out that includes the IT stuff. And then with your lenders, they only have to look at a portion of the process, right? Does this customer have the ability to pay us back? Now, the other part of this, from a lender standpoint: they're used to saying, can the person pay us back 10, 15, 20 years from now? With payments it's, can the person pay us Thursday? And that's a really different mindset, and I know a lot of lenders talk to me.

They reach out to us and say, hey, they're asking me to do this limit. Can you make us understand how the ACH or the wire system works before I approve this? So the way it's being done is very tough because, number one, we're putting it onto people that might not truly understand the payment. And you can't manage risk unless you understand the payment [00:12:00] system. You just can't, I'm sorry, you can't do that. Right? So. But then they're also missing the entire operational, fraud, compliance risk related to these payments. And some of it, to be honest, the system says, I can only put a limit here. This is what's in our active ACH policy, 'cause you have to follow policy at the institution. Policy may have been written before all these IT troubles became prevalent in payments. So it's tough, but it is actually the rule that you're supposed to be doing it in the way you and I are describing.

It's supposed to be a holistic review of the risk that the originator represents to the institution, not your originators as a whole, not a subsection of the originators; each originator to the bank, like our bank does with us when we do that annual review,

which is not a problem we'll get into in this podcast, but if you're just looking at my limit every year as part [00:13:00] of the review and saying, Sean has a good exposure limit, you're missing the boat, right? Because have I used it up to the limit? Have I come close to that limit? Were there other issues throughout the year, like I needed to send reversals a bunch of times 'cause I keep duplicating files?

How many times have I been hacked? That review process should not just be, oh, good job, credit; we'll give them the same limit going forward. It really actually has to be a periodic review of the limit, which includes the holistic review of the relationship.

Joe Casali: So just a couple of questions. Easy one first; this should take about two seconds. Sometimes you would go in and see all the exposure limits and, weirdly, it was all a million dollars. What's the problem with that?

Sean Carter: Yeah. I mean, giving everybody the same limit, I've always argued, is a violation of the rule. Just like in here, it also highlights, Joe, those people that say, oh, we do pre-funding. We don't have to have an exposure limit. [00:14:00] Not true. The rules don't actually say, well, if you do pre-funding, you don't need to do a limit.

And there's a reason for that, and I'm gonna explain this to you. A lot of people do pre-funding, and there's a couple different ways to do it wrong. Number one, they're not actually pulling the money from the account into an account the bank owns. So that's the first problem. People have kind of corrected that over the years; that's less prevalent. But now what I see is people say, oh yeah, we pulled the money. It's in an account of the bank's. But you're actually not pulling good funds, because you're allowing people that just did an RDC deposit; the funds aren't final yet, and you're sweeping those funds out of the account to fund the ACH.

What would happen if you get a check return? So when you say pre-funding and when you're talking to your regulator, they're assuming you mean you have zero risk on that money. Because that's how they define pre-funding.

If you actually have [00:15:00] risk on that money, what you're doing is not pre-funding.

It's sort of pre-funding. It's like a pre-half-funding. I don't know what the word would be, but yeah, so that's another interesting one: we go and we see everybody that does WEB has a million dollar limit. Like, well, they're not all selling the same product. They're not all the same companies. And again, sometimes people will say it's easier on our system to give everybody the same limit. I get it, but at that point you need to investigate different ways to do it. I'm not gonna promote any products, but there are different products other than the core system. The Federal Reserve has products; EPN, if you use them, they have monitoring tools that you can do your limits in, and you can use multiple systems to monitor limits.

So that excuse isn't a good one anymore, like we have to rely solely on our system, which isn't true anymore. There's other ways to do it, and once you read this [00:16:00] article, you should explore all the ways that you can make this more, again, if it's an efficient process, people are gonna take it more seriously and it's not a check-the-box activity, which it has become at a lot of organizations because they don't want to go through the pain of asking you 10 or 12 IT questions, right? Asking you these things. And I just think it's really important that we broaden how we look at exposure, and not just for ACH, all cash management.

Joe Casali: Let me jump into a different part of the article. Now, I have to admit, I only skimmed the article. I'm sorry. But this is certainly part of a bigger originator onboarding conversation, and the part I did see on this is, and again, I think if it's a throwaway, I think it may be that the originator may not even know: what if there's a third party sender involved, and what is a third party sender?

Sean Carter: Yeah, this is a great, Joe, this is a great part of the [00:17:00] article again, and this is really why I like this article, right? So if you like this stuff, it really is a good article. Shout out to Jordan and the folks on RMAG at Nacha. When you think about a third party sender, which by definition is an entity that exists between the ODFI and the actual originator of the item.

So now we're adding a layer of complexity onto a relationship. So if you as a financial institution are underwriting your third party sender as if it's one company, that's a problem, right? Because they're originating for multiple companies. The second part of that problem is, let's say you are doing a good job with your own limits in underwriting the third party sender. Are you ensuring that the third party sender is imposing limits on their customers? And if you think you're doing a good job, you should be expecting the same level of risk management and due [00:18:00] diligence that you are doing to the third party sender. You should be imposing that on your third-party senders and the originators. I see a lot of FIs don't do that. They'll say, oh yeah, we have a really great risk management program in place. And we ask them, do you make your third party senders do the same? No. Well, then they're doing less than what you are doing. So your great program that you built has been weakened because you're allowing this third party to not act in the same manner.

And you could do that through agreement; you control the relationship. And so, yeah, I do think it was kind of just in there like, hey, keep in mind you could have third party senders, but this is an area of weakness we see. Not that people have 20, 40, 50 third party senders, but if you have 10 payroll companies and they're not doing anything, right, they're doing a handshake and asking the customer what their payroll is, and then you're telling everybody how safe you are, I think you're missing the point, especially in [00:19:00] payroll with the direct deposit fraud that's going through the roof. What are they doing to make sure they're protecting their computer systems and all? And it's gotta factor into, maybe it doesn't factor directly into a limit, but at least into your risk rating, which then through policy should affect what limits or how you monitor them. Yeah, really good point by you, that third party sender piece,

and let's 

Joe Casali: I caught that part.

Sean Carter: Yeah, let's go down another level with nested third parties right now. We could get crazy here, but yeah, really interesting.

Joe Casali: So we will put the link to the article in the post, so you'll be able to read the article yourself. Anything else? What did we miss?

Sean Carter: No, really, I think the intent of the article and hopefully the intent of the podcast is just to get people to think differently, right? So the baseline of the rule is an exposure limit, and nowhere in there does it say limited to the credit risk, right? It's talking about the [00:20:00] total risk an originator represents to an ODFI, I think.

I think if people look at it through that lens, it makes more sense and they'll do a better job. Also, mentioning the systems that people are on, sometimes you have to push back if your system is preventing you from doing good risk management. You gotta call the vendor and say, this doesn't work for us. I shouldn't have to put the same limit for debit and credit on each customer. That's just ridiculous. That's like 1980s setting up ACH. So I do think there needs to be pushback there.

Joe Casali: So let me ask you one more question. This one's really out there. We had a rules call yesterday. A financial institution was setting up origination, it may be for the first time, and in their scenario they were going to use a third party. I think they're a third party processor. [00:21:00]

But what was gonna happen is that the third party processor ran it all, including the connection to the Fed. And in the discussion with my colleague, we were talking about the fact that they need to have all their due diligence really done well. I called her back this morning 'cause I knew we were gonna do this episode, and I said, you know what? If they really need to set their exposure limits, transfer 'em to the third party so they know their maximum exposure every day. Thoughts?

Sean Carter: Yeah, no, I think anytime you're allowing what would be considered a direct access type arrangement, I would absolutely look at the Fed controls, because you can set them at the operator level by originator ID. You could make sure to either monitor by exposure date or by process date. I would highly, anybody that does not control the file, right? [00:22:00] 'cause you're not touching the file. It's going from customer to third party to the operator. Even with online banking, you're not touching the file, right? It goes into online banking, the core comes in and pulls it. The bank's actually no longer touching the file. That's why this is also important, to think about those limits again. In the eighties, seventies, you were uploading a file or a disc. You had control of the entries, right? So you could get away with being lazy on limits. But I think there's so many different types of arrangements. The only way to protect yourself is through proper establishing of the limits and proper monitoring of those limits, right?

Don't forget, that's the second part of the rule: establish the limit, then monitor it, enforce it, and then periodically review it. So those are the four steps. And I think when you're in those relationships, you have to look at the operator tools because they've become really good, number one. And I mean, [00:23:00] all your concentration risk would be at the third party if they're also managing your limits for you, right? So they're doing everything now. That's a lot of risk there, right? I mean, think about having no control of something.

Joe Casali: Right.

Sean Carter: Yep. So.

Joe Casali: So I thought I had you with that one. Let's see if I can get you with this; this is my last question. So we've never talked about this, I don't think, in a scenario where, say, an originator starts out 10 years ago and they have a hundred customers, and they gave 'em all a million dollars, and, say, they continue to add originators and they continue to up exposure limits. Can this exposure limit, I wanna say cause a problem, but limit their scalability as far as adding new originators?

Sean Carter: Also, it depends, right? So if you look at some of the financial institutions, they'll tell you that when they get reviewed by their regulators, some of them [00:24:00] are looking at a percentage of capital, right? Like OCC board reporting says you have to present what your percentage of capital exposed via ACH origination is. And some regulators get comfortable after certain percentages, right? We used to have, in Connecticut, it doesn't exist anymore, it used to be 25%. It was a state thing, but if you were over that, if your capital was exposed more than 25% to ACH. So that's where you could run into a problem, is with a regulator.

So if you have limits that are so high and they don't need to be that high, it could ultimately show on a report that, yeah, the bank is technically exposed to $600 million, even though in theory it's a hundred million. If the regulator says that's too much of your capital exposed, then you gotta go back and re-look at the limits.

Anyway, again, it's not just a check-the-box item: put a million dollars for everybody, and I've done it. We have to break that mindset, and [00:25:00] any FIs still doing that, reach out. We can help you with this. I mean, we can walk you through different ways of doing it. There are tools you can use. Rewriting your policy is not a hard thing to do. Right. And it's not like you have to do this the same for everybody. So let's say you had a hundred customers, Joe,

and five of them process like $10,000 files and under. Forget those people, right? Their limit's 10,000. We're not gonna spend any time; we're gonna spend 90% of our time on the people with actual volume. And that's how the policy's going to be structured. So if you're looking for a limit over 50,000, here are the five things you need to have. If you go 50 to a hundred, here are the six things; a hundred and above, here are the seven things. People get so panicked

'cause a lot of their customers are so small. You still establish a limit 'cause the rule requires it, but that doesn't mean you have to review that limit every year. It's a periodic [00:26:00] review. You could set that to be reviewed every two years, and then your higher risk ones every eight months, whatever cycle you want to get put on.

So don't let the existence of the overabundance of small originators make you go, oh, this is too hard to redo, because it's really not. It's actually an easy process, and at the end it becomes more efficient. We were talking with a bank about two months ago; they were spending 380-some-odd hours doing reviews, and it's like, well, we could cut that in half by just looking at your customer list and extending some of those reviews to every two years, because they don't have lots of returns. They're great customers, right? This idea that they all have to be done at the same time and your policy can't be different, I don't know where that comes from. That is not written anywhere, either in the OCC, the retail handbook of the FFIEC, or the Nacha rules; that's just become like this [00:27:00] mythical thing.

Like, oh, we have to do 'em every year, and at the same time. It's like, no, you don't. And in fact, that's a waste of energy. It is really inefficient.

Joe Casali: Excellent. Any parting words?

Sean Carter: No, I just think everybody should take a peek at this article. It's really well done. And also just read the first couple of pages of Article two in the rules. You know me, I've been pushing Nacha to make Article two the first three pages and eliminate everything else, because I think it really gets at what you should be doing as an ODFI, those first couple of pages, prerequisite to origination.

Read it, love it. Read this article and you are on your way.

Joe Casali: All right. That's the instruction. Read those pages and love it.

Sean Carter: Yeah.

Joe Casali: Alright, thanks for joining me. Thanks, Sean. You are always great. Appreciate it.

[00:28:00]