The Division of Local Government Services has issued Local Finance Notice 2018-13 providing guidance on the recently adopted amendments to N.J.A.C. 5:30-9A, Electronic Disbursements & Claimant Certification. The amendments implement the provisions of P.L. 2016, c. 29, effective on April 1, 2017, which authorized local government entities to adopt policies for the payment of certain claims through the use of standard electronic funds transfer technologies. While the Local Finance Notice provides guidance for all local government entities, this blog post will only focus on the guidance for municipalities.
Instead of paper checks, governing bodies can adopt policies and procedures permitting specific officers and employees to pay claims electronically using electronic fund technology (EFT), such as Automated Clearing House (ACH), wire transfers and e-checks. The written policies and procedures must be adopted by resolution or ordinance as appropriate. If the municipality has a payment of claims ordinance it is recommended that EFT policy is incorporated into that policy. The Chief Financial Officer (CFO) is responsible for ensuring that the controls set forth in state regulations and local policies are in place and adhered to.
All EFT policies and procedures must allow for the designation of separate roles for the initiation and authorization of the payment of claims using EFTs. The initiation and authorization roles must be segregated and they must password-restricted and/or subject to other security controls, appropriate for the technology. The role of initiation must be filled by the mayor or another chief executive officer unless the municipality has a payment of claims ordinance which designates another individual. The CFO and Municipal Clerk are responsible for authorization role. The governing body must designate an officer, who is not supervised by the CFO, to authorize transfers initiated by the CFO. Additionally, it is recommended that a backup officer be designated in the event the Mayor, Municipal Clerk, or CFO is unavailable. Any adopted EFT policy must specify permitted EFT methods and incorporate the regulatory safeguards.
EFT technologies must facilitate measures that would mitigate the risk of a single payment being made more than once. Each individual disbursement to a vendor must be preceded by instructions transmitted to the bank. No automatic debits are permitted.
No less than a weekly basis, activity reports on all EFT based transactions must be reviewed by the CFO or another individual under the CFO’s supervision. The governing body must designate someone, not under the CFO’s supervision, to review any CFO generated activity report. The municipal auditor may be designated instead of another official. At least on a monthly basis reconciliation of the actual EFT transactions to the accounting records must be performed and maintained for audit.
Each bill list approved by the governing body must indicate the type of technology used in each EFT transaction. An audit trail must be created and maintained such that transaction history, including documentation of demands for payment and payment initiation, authorization and confirmation, can be independently tracked and detailed. For wire transfers and ACH debit description, the bank posting the name of the vendor based upon the transaction routing number provides an adequate audit trail.
Procurement card issuers, along with providers of ACH and wire transfers services, must be financial institutions chartered by a State or federal agency, with the further requirement that financial institutions providing ACH and wire transfer services be covered under GUDPA (N.J.S.A. 17:9-41 et seq.). The use of PayPal and Venmo are not permitted under these rules.
ACH payments must follow the National Automated Clearing House Association (NACHA), or equivalent banking industry standard, rules. EFT through ACH must utilize Electronic Data Interchange (EDI) technology, which provides transaction-related details including invoice numbers, pay dates, and other identifying information. An ACH Origination Agreement must be in place with the financial institution.
The regulations also include a cybersecurity framework that must be incorporated into standard EFT technologies. Elements include:
- System hosting; data encryption;
- Password policy and staff security;
- System risk assessment and security updates;
- Limitations on the maintenance of personal identifying information; and
- Cybersecurity incident response plan and response team.
Financial institutions providing EFT technologies must annually provide evidence of satisfactory internal controls to the CFO.
In regards to Claimant Certification, the adopted rules:
- Clarify that the certification may be executed by a vendor or claimant by signature stamp, facsimile signature, or electronic signature in addition to a “wet” signature;
- Permits a municipality not to require claimant certification for transactions where a local unit makes payment through standard EFT;
- Permits a municipality to enact a standard policy through resolution or ordinance, as appropriate, to not require claimant certification where the vendor or claimant does not provide such certification as part of its normal course of business; and
- Permits payment to vendors in advance of delivery of materials or services for State or federal payment obligations, membership in a non-profit organization, educational courses, registration for a conference or convention sponsored by a non-profit organization, and web hosting.
The regulations on Procurement Cards (P-Cards) remain largely unchanged except the qualified purchasing agent must be designated as a “program manager” when P-Cards are used regardless of dollar amount and the CFO is ultimately responsible for ensuring proper internal controls for P-Card usage.
We suggest you review this Local Finance Notice with your Chief Financial Officer, Purchasing Agent, and Municipal Clerk.
Contact: Lori Buckelew, Senior Legislative Analyst, email@example.com, 609-695-3481 x112.