Payment Run Agent - ACH NACHA, Fedwire, SEPA SCT Inst, ISO 20022 | Gosign

Cross-border disbursement at a multinational does not run on one payment rail - it runs on nine in parallel. A US-listed parent with European subsidiaries and UK operations releases payments through ACH (NACHA Operating Rules) for batched US supplier payments, Fedwire (Federal Reserve Regulation J) for US high-value over the USD 1M Same-Day ACH cap, RTP (The Clearing House) and FedNow (Federal Reserve, launched July 2023) for US instant payments, BACS (Pay.UK Standard 18) for batched UK supplier payments, CHAPS (Bank of England RTGS) for UK same-day high-value, Faster Payments (Pay.UK FPS) for UK instant under GBP 1M, SEPA Credit Transfer (EPC scheme) for batched euro-denominated payments, and SEPA Instant Credit Transfer (Regulation 2024/886, mandatory receive 9 January 2025 and mandatory send 9 October 2025) for euro-denominated instant. Cross-border non-EU continues on SWIFT MT103 transitioning to ISO 20022 MX (PACS.008) by 22 November 2025 under the coordinated central-bank cutover. Layer over this OFAC strict-liability sanctions screening with USD 1.5M average penalty per violation, the BSA + UK MLR 2017 + EU AML monitoring regimes, and the SOX 404 internal controls regime with PCAOB AS 2201 design + operating-effectiveness testing, and the payment run becomes a coordination problem that no single AP clerk can run consistently at weekly or daily velocity.

OFAC sanctions violation USD 1.5M average penalty + SOX 404 disbursement material weakness erodes 4-7% of share price + SEPA SCT Inst mandatory send enforcement from 9 October 2025

OFAC operates under strict liability. Civil penalties under IEEPA 50 USC 1705 do not require intent - the fact of the prohibited transaction is sufficient for liability. The current per-violation average penalty is approximately USD 1.5M, with cumulative annual OFAC enforcement actions exceeding USD 1.5B in 2024 across all sanctions programs. UK enforcement under the Sanctions and Anti-Money Laundering Act 2018 (administered by OFSI) and EU enforcement under Regulation 2580/2001 plus national criminal-code implementations operate on similar principles. The exposure compounds when an enforcement action also triggers SOX 404 material-weakness disclosure - a sanctions breach that bypassed disbursement controls is, by definition, a controls failure - producing the typical 4-7% share-price erosion in the trading week following the 10-K filing. For a Russell-3000 mid-cap with USD 800M market cap, a 5% impact equals USD 40M of shareholder value destroyed by a payment-release that an automated screening engine plus four-eyes log would have prevented.

The SEPA SCT Inst mandate adds a third deadline-driven exposure. Regulation 2024/886 imposes mandatory receive of SCT Inst from 9 January 2025 and mandatory send from 9 October 2025 on every euro-area Payment Service Provider offering SCT. National competent authorities under Article 5d enforce against non-compliant PSPs with administrative penalties. Corporates that depend on non-compliant banking partners face operational disruption when partner banks lose the ability to send instant payments. The Agent’s deterministic rail selection embeds the SCT Inst default into the payment policy - euro-denominated payments under EUR 100,000 default to SCT Inst from 9 October 2025 onward, with documented fallback only where the receiving bank explicitly does not support Inst (now rare).

The international payment pipeline runs 16 deterministic steps - not 8

Domestic single-rail payment runs can be modelled in 8 steps. International multi-rail payment runs cannot. The Agent splits the pipeline into 16 steps because every payment-line decision requires checking the destination corridor (US versus UK versus EU versus cross-border non-EU), the rail selection (9-way US + UK + EU choice), the amount-and-urgency thresholds (NACHA Same-Day USD 1M cap, Fedwire over that, RTP USD 10M cap, FedNow USD 10M cap, CHAPS over GBP 1M, SEPA SCT Inst EUR 100,000 cap), the OFAC + UK FCO + EU + UN sanctions screening with fuzzy transliteration, the BSA + UK MLR 2017 + EU AML transaction-monitoring rules, the IBAN + ABA + UK sort-code format validation with Confirmation of Payee where available, the SOX 404 segregation-of-duties between initiator and releaser, the PSD2 Strong Customer Authentication challenge for online release, the WORM-archive retention class (PCAOB AS 1215 7 years for issuer audits, FinCEN BSA + OFAC 5 years, UK MLR 2017 + EU AMLD 2024 5 years), and the IFRS 9 Para 3.3.1 versus ASC 405-20 derecognition trigger.

A concrete scenario: a SEC-listed mid-cap with USD 800M revenue, EU operations across Germany France Netherlands plus UK, weekly payment-run cycles with 1,200 supplier payments across USD GBP and EUR. On a typical run, the Agent identifies 1,200 due open-items, applies OFAC + UK FCO + EU + UN sanctions screening producing 4 fuzzy-match positives for AML-officer review (3 cleared as transliteration false-positives, 1 confirmed and blocked with SAR filing), runs AML transaction monitoring producing 2 structuring-pattern alerts (both cleared), validates 1,200 IBAN + ABA + sort-code formats with 6 format errors flagged for vendor correction, selects 480 ACH, 18 Fedwire, 2 RTP, 320 BACS, 8 CHAPS, 12 FPS, 320 SEPA SCT Inst, 36 SEPA SCT, and 8 SWIFT MT103 transitioning to PACS.008, generates 9 ISO 20022 PAIN.001 batches plus the NACHA + BACS Standard 18 + CHAPS messages, runs duplicate-payment detection finding 0 duplicates against 90-day history, verifies liquidity across 4 debtor accounts in 3 currencies, enforces SoD with 2 different releasers per debtor account, captures four-eyes release with PSD2 SCA challenges, transmits via SWIFT FIN + EBICS + SFTP-PGP per bank contract, captures bank ACK on all submissions within 30 minutes, and reconciles next-day BAI2 + CAMT.053 + MT940 confirmations - 1,196 matched, 4 returned by beneficiary banks routed to AP for re-issuance.

In the Decision Layer, 14 of the 16 steps are rule-based (R), 0 are LLM-suggestion (A), and 1 is human (H) for four-eyes release approval. The remaining step (sanctions match disposition) routes deterministically to the AML officer for human investigation when a fuzzy-match flag triggers - the Agent never silently clears a sanctions match. Every other step - duplicate detection, format validation, rail selection, liquidity check, SCA challenge, transmission, reconciliation - is a deterministic application of accounting standard, scheme rule, or compliance regulation.

Sanctions and AML clearance is the regulatory linchpin

Big-4 audits and FinCEN + OFAC examinations focus heavily on the sanctions and AML clearance evidence chain. The Agent operates against the union of OFAC SDN List + Sectoral Sanctions Identifications List + Foreign Sanctions Evaders List, UK FCO Consolidated Sanctions List, EU Restrictive Measures List, and UN Security Council Consolidated List - all updated daily from the source authorities. Fuzzy-matching covers exact name match plus transliteration variants (Cyrillic-to-Latin, Arabic-to-Latin, Chinese pinyin), abbreviation variants, and corporate-structure variants (subsidiary identification through ultimate-beneficial-owner registries where available). False-positives are managed under documented investigation procedure - the AML officer reviews match evidence, performs Customer Due Diligence and Enhanced Due Diligence per UK MLR 2017 Reg 28-35 + BSA 31 CFR 1020.220, and clears only with documented rationale. False-negatives are the strict-liability exposure - hence the cross-list union and the daily list pull.

AML transaction monitoring runs against vendor + amount + corridor + frequency + timing patterns. Structuring (multiple sub-threshold payments to evade BSA CTR USD 10,000 reporting), unusual-volume thresholds versus 90-day vendor baseline, high-risk corridor flags (FATF grey-list and black-list jurisdictions plus internal corporate risk-rating), and timing-cluster patterns trigger alerts that route to the AML officer for SAR / SAR-equivalent decision under BSA 31 CFR 1020.320 + UK MLR 2017 Reg 28 + EU AMLD 2024. The Agent’s Decision Log captures every alert with the rule that triggered it and the officer’s disposition - producing the FinCEN-inspection-ready evidence chain that compliance officers spent decades assembling manually.

Cross-rail finality and derecognition timing prevents reconciliation drift

Payment finality varies sharply by rail and matters for both operational recovery and accounting derecognition under IFRS 9 Para 3.3.1 + ASC 405-20. ACH supports returns up to 60 days for consumer R10 unauthorised-debit and up to 2 banking days for most return reasons. Fedwire is final and irrevocable on confirmation. RTP and FedNow are final and irrevocable on confirmation per The Clearing House and Federal Reserve scheme rules. SEPA SCT supports R-transactions for up to 5 business days. SEPA SCT Inst is final and irrevocable on confirmation. CHAPS is final on confirmation. BACS supports recall under limited conditions for up to 2 working days. The Agent records expected-finality at release time and posts derecognition only on confirmed payment per IFRS 9 + ASC 405-20 - never on file initiation. Returns within the same accounting period reverse cleanly. Returns crossing period-end flag for IAS 8 / ASC 250 evaluation by the Journal Entry Agent for prior-period error-correction analysis.

Integration ecosystem: SAP S/4HANA F110, Oracle Fusion Payments, Workday Settle Payment, plus payment-factory platforms

The Agent integrates natively with the major international ERPs: SAP S/4HANA F110 Automatic Payment Run + Bank Communication Management + Multi-Bank Connectivity (MBC); Oracle Fusion Cloud Financials Payments + Cash Management + iPayment for ISO 20022 message generation; Workday Financial Management Settle Payment business process + Bank Account integration + secondary ledger postings; Microsoft Dynamics 365 Finance Vendor payment journal + Electronic reporting (ER) for ISO 20022 PAIN.001; Oracle NetSuite SuitePayments + Vendor Bills + Bill Payment workflows; Sage Intacct AP Payment Services with US ACH + check + multi-entity disbursement. For payment-factory architecture: Kyriba treasury management with bank-connectivity hub + sanctions screening + payment workflow; FIS Quantum / GTreasury / ION Treasury for corporate treasury; Bottomline PTX (Payments Transaction Exchange) with integrated Cyber-Crime detection. Bank connectivity per relevant rails: SWIFT FIN + MX migration via SWIFT direct connectivity or Service Bureau (Bottomline, Broadridge, AccessPay), Federal Reserve FedLine for Fedwire + FedNow, NACHA-certified ODFI for ACH, BACS-approved Service User for UK, EBICS T-version + H006 keys for German + EU corporate banking, or bank-direct API (US Open Banking through FDX, EU + UK Open Banking through PSD2 XS2A). Audit-evidence integration: Deloitte ASM, PwC Halo, EY Helix, KPMG Clara via standardised payment-run export formats with PCAOB AS 1215-compliant metadata. WORM-archive integration: Amazon S3 Object Lock, Azure Blob Immutable Storage, Google Cloud Storage Bucket Lock with retention-class tagging per PCAOB AS 1215 (7 years issuer audits), SEC Rule 17a-4 (6 years broker-dealer), FinCEN BSA + OFAC (5 years), UK MLR 2017 + EU AMLD 2024 (5 years) - all generated as deterministic templates with audit-trail metadata for SOX 404 evidence packs and PCAOB substantive testing.