APRP - LM
What are Central Counterparties (CCPs)
A financial institution that takes on counterpart credit risk between parties to a transaction & provides clearing & settlement services for trades in foreign exchange, securities, options & derivative contracts. Highly regulated institutions that specialize in managing counterparty credit risk (NSCC, FICC,ICC, OCC, etc.).
What is the Federal Financial Institutions Examination Council (FFIEC)?
A formal interagency body empowered to prescribe uniform principles, standards, and report forms for the federal examination of financial institutions; and to make recommendations to promote uniformity in the supervision of financial institutions.
Name the Risk Mitigating Controls
1. Strong Policies and Detailed Procedures 2. Know Your Customer (KYC) 3. Adherence to Laws, Regs, and Rules 4. Data Security Practices 5. Multi‐Factor Authentication 6. User Access Controls 7. Executed Agreements 8. Vendor Due Diligence 9. Training and Education
Name examples for risk analysis
1. Trend Analysis 2. Fraud Monitoring 3. Predictive Modeling 4. Technology-based risk scoring
What is Continuous Linked Settlement Bank (CLS Bank)
A special purpose bank settlement system for foreign exchange trades that is designed to eliminate settlement risk when each leg of certain FX transactions is settled separately.
Name the Risk Controls for ACH
1. ACH policy 2. Risk assessments 3. Due diligence of Originators and Third-Party Senders 4. Establish and monitor exposure limits 5. Credit policy to reduce credit risk 6. Create procedures to establish proper control environment 7. Conduct an annual ACH Audit
Name risk controls for ACH
1. ACH policy 2. Risk assessments 3. Due diligence of originators and third-party senders 4. Establish and monitor exposure limits 5. Credit policy to reduce credit risk 6. Create procedures to establish proper control environment 7. Conduct ACH audit
Name the Federal Reserve Operating Circulars
1. Account Relationships 2. Cash Services 3. Collection of Cash Items and Returned Checks 4. Automated Clearing House Items 5. Electronic Access 6. Funds Transfer through Fedwire 7. Book Entry Securities Account Maintenance and Transfer Services 8. Collateral 9. Federal Tax Payments and Treasury Tax and Loan Depositaries 10. Lending 11. Net Settlement Arrangements
What are the steps of Business Continuity Planning
1. Analyze - Business Impact Analysis (BIA) 2. Identify - Risk Assessment 3. Develop - Risk Management 4. Monitor & Test - Risk Monitoring and Testing
Name the Risk Controls for Check
1. Appropriate account opening and monitoring controls 2. Process to identify and monitor for fraudulent activity 3. Agreements for commercial and consumer RDC 4. Restrictive endorsement review/enforcement 5. Duplicate detection software 6. Policy and procedures for Image Cash Letter processing
What are the ongoing steps for adhering to PCI-DSS?
1. Assess 2. Repair 3. Report
What are the key components of a strong ERM plan?
1. Business strategy and risk coverage 2. Risk appetite 3. Culture, Governance, and Policies 4. Risk data and infrastructure 5. Control environment 6.Measurement and evaluation 7. Scenario planning and stress testing
Name the Risk Controls for Card
1. Card Policy 2. Merchant and customer contracts that establish each party's liabilities and responsibilities 3. Appropriate underwriting, account management, monitoring, and collection practices 4. Proper authorization process (EMV) 5. Address verification service (AVS) 6. Adequate card and PIN issuance procedures 7. Proper controls of card stock storage and issuance
What are the Key Components of Information Security
1. Confidentiality 2. Data Integrity 3. Availability
Name the Key Components of a Internal Control Program
1. Control environments 2. Risk assessments 3. Control activities 4. Information and communication 5. Monitoring
Name the ancillary payments system risks
1. Counterparty 2. Cross- Channel 3. Direct Access 4. Legal 5. Liquidity 6. Strategic 7. Third-Party 8. Transaction
An effective risk management process involves what factors?
1. Establishing senior mgmt. and board awareness of the risks associated with outsourcing agreements in order to ensure effective RM practices. 2. Ensuring that an outsourcing arrangement is prudent from a risk perspective and consistent with the business objectives of the FI. 3. Systematically assessing needs while establishing risk-based requirements. 4. Implementing effective controls to address identified risks. 5. Performing ongoing monitoring to identify and evaluate changes in risk from the initial assessment. 6. Documenting procedures, roles/responsibilities, and reporting mechanisms.
Name the Internal Controls for E-banking
1. Segregation of duties 2. Dual controls 3. Reconcilements 4. Suspicious activity 5. Similar website names 6. Error check 7. Alternate channel confirmations
ERM strategy should provide answers to what basic questions?
1. Should we do it (aligned with business strategy, risk appetite, culture, value, and ethics)? 2. Can we do it (people, processes, structure, and technology capabilities)? 3. Did we do it (assessment of expected results, continuous learning, and a robust system of checks and balances)?
What is a business continuity test/disaster recovery exercise?
A test of an institution's disaster recovery plan or BCP
What is Distributed Ledger Technology (DLT)
A type of database that is consensually shared and synchronized across nodes in a network spread across multiple sites, institutions or geographies.
What are some Elements of a BSA/AML Program
A written policy and program that includes: • Internal controls for ongoing compliance • Independent testing and auditing • Designated individual responsible for day-to-day compliance • Ongoing staff training
What is Logical Access Control
Access control that limits connections to computer networks, system files and data.
What does OCC Bulletin 2006-39 govern?
Activities of the Automated Clearing House Activities
What does Operating Circular 6 govern?
Along with subpart B of Regulation J, applies to funds transfers made through the Fedwire® Funds Service
What is the National Settlement Service (NSS)
Also referred to as Deferred Net Settlement. The Federal Reserve Banks' multilateral settlement service, is offered to depository institutions that settle for participants in clearinghouses, financial exchanges, and other clearing and settlement groups. Settlement agents acting on behalf of those depository institutions electronically submit settlement files to the Federal Reserve Banks. Files are processed on receipt, and entries are automatically posted to the depository institutions' Reserve Bank accounts. Entries are final when posted.
What does Reg P govern?
Annual Privacy Notice and Information Sharing
What does Operating Circular 3 govern?
Applies to the handling of all cash items that we accept for forward collection and all returned checks that we accept for return. Defines Federal Reserve Bank and financial institution responsibilities in clearing checks
What are some action items in a BCP Risk Assessment
Assess/Analyze threats based upon business impact - Prioritize potential business disruptions based upon severity Evaluate BIA assumptions using various threat scenarios Analyzing threats based upon impact to: - Institution - Customers/Community - Financial markets Perform gap analysis to compare existing BCP to: - Current policies and procedures - What should be implemented based upon findings
What is Complex Device Identification
Authentication technique that uses one-time cookies, PD configuration, IP address, geo-location and other factors.
What does Operating Circular 4 govern?
Automated Clearing House Items - incorporates the Nacha Operating Rules, with certain exceptions and generally conforms to the requirements of UCC 4A. The Circular governs the clearing and settlement of ACH items by Federal Reserve Banks, ODFIs and RDFIs. Governs the clearing and settlement of ACH credit and debit items by the Federal Reserve Banks, OFDIs and RDFIs
ACH operational risk mitigation measures are
Business resiliency Business continuity Information security Operational controls
PCI-DSS defines cardholder data as full Primary Account Number (PAN) with any of the following
Cardholder name, expiration date, and service code
What does Reg CC govern?
Check 21, Collection of Checks, and Funds Availability To decrease the risk to a depositary bank that a check will be returned after funds have been made available for withdrawal, this reg requires "expeditious" return of checks. A paying bank returns a check expeditiously if it returns the check to the the BOFD by 2pm on the second business day following date of presentment.
The process of ensuring the funds represented by the check are debited from and credited to accounts is called
Check collection
What Transactions are governed by UCC 4A
Commercial wholesale credits, including wire transfers and CCD/CTX credits
What does COSO stand for and what does it do?
Committee of Sponsoring Organizations. It is the organization that established the common internal control framework that most businesses subscribe to. A joint initiative of the five private sector organizations listed on the left and is dedicated to providing thought leadership through the development of frameworks and guidance on enterprise risk management, internal control and fraud deterrence.
PRIMARY PAYMENTS SYSTEM RISK
Compliance Credit Fraud Operational Systemic
What is a Business Continuity Strategy
Comprehensive strategies to recover, resume and maintain all critical business functions
What does Operating Circular 1 govern?
Contains the terms for opening, maintaining and terminating a master account with a Federal Reserve Bank, as well as general provisions regarding Reserve Bank
What does Operating Circular 7 govern?
Contains the terms under which the Federal Reserve Banks maintain securities accounts and effect transfers of book-entry securities for participants
What are Administrative Controls
Controls that align with board-approved risk appetites and inform employees of management's expectations.
What are Procedural Controls
Controls that establish policies and procedures that reduce risk and ensure operating, reporting and compliance objectives are met
Define UCC 4
Covers the liability of a bank for action or non-action with respect to an item handled by it for purposes of presentment, payment or collection.
Define UCC 4A
Covers wholesale credit transfers, wire transfers, and wholesale ACH credit transfers.
What does Reg Z govern?
Credit cards and Truth in Lending
What does Reg E govern?
Electronic Funds Transfers (EFTs)
What does Title 31 of the Code of Federal Regulation (CFR) Part 370 govern?
Electronic Transactions and Funds Transfers Relating to United States Securities Applies to the transfer of funds via ACH as used in connection with US Securities
What is the Electronic Funds Transfer Act (EFTA)
Enacted in 1978, this act implemented through Reg E is intended to protect individual consumers engaging in electronic fund transfers (EFTs) and remittance transfers (ATM, POS, ACH, Remittance transfers, remote banking programs and phone bill-pay plans).
What is the USA PATRIOT Act & OFAC
Established standards for identifying consumers at account opening utilizing a Customer Identification Program (CIP)
What does EFFA stand for?
Expedited funds availability act
Credit risk is also known as
Exposure or Temporal risk
What does Reg II govern?
Debit Card Interchange Fees and Routing
Regulation II governs what
Debit card interchange fees and routing at least 2 unaffiliated debit card networks
What does 31 CFR Part 210 govern?
Federal Government Participation in the Automated Clearing House
What is Risk identification
Finding, recognizing, and describing risks
What issues should ACH Procedures address?
For both originating and receiving · Onboarding · Prohibited relationships · Underwriting · Customer Identification Program and Customer Due Diligence · Agreements · Credit Risk · Ongoing monitoring and review · Good funds vs. risk-based model
What is Risk Assignment
Form of risk sharing that allocates risk equitably.
What does Uniform Commercial Code Article 4 (UUC 4) govern?
Governs check collection outside the Federal Reserve Bank
What does Regulation J, Subpart A govern?
Governs check collection through the FRB
What does Regulation J, Subpart B govern?
Governs the rights and responsibilities of the Federal Reserve System and the users of FedWire
Why are risk assessments completed?
In order to identify, measure, and prioritize risks so that attention is placed first on areas of greatest importance
What does Operating Circular 5 govern?
Includes the terms under which an institution may access certain services and applications provided by a Federal Reserve Bank and under which an institution may send certain data to or receive certain data from a Federal Reserve Bank, in each case, by means of an electronic connection.
What does OCC Bulletin 2011-21 govern?
Interagency Guidance on the Advanced Measurement Approaches for Operational Risk
What is risk sharing?
Is a form of risk treatment involving the agreed-upon distribution of risk with other parties.
What is a risk rating?
It is a credit analysis technique that is used to determine whether or not it is safe enough to continue with the work related a business or whether they, the FI, needs to adopt additional control measures to reduce or eliminate risk. The primary summary indicator of risk for financial institutions' individual credit exposures. Used to determine if it is safe to continue or adopt additional control measures.
What is BCP Risk Management
It is the Identification, assessment, and reduction of risk to an acceptable level It is the written, published enterprise-wide BCP. The FI should develop, implement and maintain procedures - Procedures for continuity teams - Current contact lists of critical personnel - Communication process for internal and external stakeholders - Critical versus non-critical functions, services, processes - Relocation strategies to alternate facilities - Procedures to handle unanticipated expenses
What is Enterprise Risk Management (ERM)?
It is the holistic approach to managing both the upside and downside of qualitative and quantitative risk in a manner that is appropriate to the objectives of an organization. It is the process of planning, organizing, leading, and controlling activities of an organization to minimize the effects of risk on that organization
What does 12 CFR Part 208 govern?
Membership of state banking institutions in the federal reserve system
What are Financial Market Infrastructures (FMI)
Multilateral systems among participating financial institutions including the system operator, used for the purposes of clearing, settling or recording payments, securities derivatives or other financial transactions.
What are Financial Market Utilities (FMUs)
Multilateral systems that provide the infrastructure for transferring clearing and settling payments, securities and other financial transactions among financial institutions or between financial institutions and the system.
NAME THE RULES AND REGS GOVERNING ACH
Nacha Operating Rules EFTA and Regulation E Regulations CC and D 31 CFR 203, 208, 210 and 370 UCC 3, 4, 4A BSA/AML State EFT Acts FRB OC 4 Private Sector ACH Operator Rules OFAC
WHAT IS SYSTEMIC RISK
Occurs when a funds transfer system participant is unable to settle its commitments, causing other participants to fail.
What is Compliance risk?
Occurs when a party to a transaction fails to comply, either knowingly or inadvertently, with payment system rules and policies, regulations and applicable US and state laws
WHAT IS FRAUD RISK
Occurs when a payment transaction is initiated or altered by any party to the transaction in an attempt to misdirect or misappropriate funds with fraudulent intent. Common examples of this risk include: · Account Takeover/misdirect payment · Business email compromise scam/vendor impersonation · Data Breaches/Malware/viruses · Alteration/forgery
What is a Change Control Policy
Policy designed to maintain the viability of the BCP by addressing potential changes to the operating environment. This policy should allow for changes to be implemented quickly, monitored and documented as well as updated back-up system copies.
What are some Financial Controls
Process designed to detect or prevent errors, misappropriations, and adherence to policy by: 1. Funds movement s/b reviewed at several levels 2. Transaction postings s/b verified & reports generated 3. Reconciliation s/b done using independently generated data points 4. Common sense analysis using ratios and trends s/b performed
What is Risk Mitigation
Process of reducing risks through the introduction of specific controls and risk transfer.
What is Risk Measurement
Process to determine the likelihood of an adverse event of threat occurring and the potential impact of such an event on the institution
What is the Sarbanes-Oxley Act?
Protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws, and for other purposes.
WHAT ARE THE FACTORS OF RISK MANAGEMENT
Identify Measure Monitor Manage
NAME THE RULES AND REGS GOVERNING CHECK/RDC
Regulation CC UCC 3 and 4 Regulation J, Subpart A FRB OCC 3 ECCHO Rules BSA/AML
NAME THE RULES AND REGS GOVERNING WIRES
Regulation E, Subpart B Regulation J, Subpart B Regulation CC FRB OCs 1, 5 and 6 UCC 4A BSA (31 CFR 103) OFAC
NAME THE RULES AND REGS GOVERNING CARDS
Regulations E, Z and II Card Network Rules Credit CARD Act of 2009 PCI DSS
What does CFR Chapter X, Section 1020.310 govern?
Reports by Banks of Suspicious Transactions
What is Gramm-Leach-Bliley Act (GLBA)?
Required FIs to protect and identify non-public personal information (NPPI) practices and safeguard sensitive data Required federal banking agencies to establish information security standards for financial institutions (a.k.a. the Financial Services Modernization Act of 1999) Safeguarding consumer, non-public info & giving the opportunity for privacy notice opt-out
What does 31 CFR Part 208 govern?
Requires individuals to elect an EFT option for the receipt of federal benefit payments
What does Reg D govern?
Reserve Requirements, Defines Transaction and non-Transaction Accounts
What is the process to determine the likelihood of an adverse event or threat occurring and the potential impact of such an event on the FI?
Risk Measurement
What is Risk Acceptance without Treatment
Risk is accepted as tolerance and falls within the risk appetite.
What is Cross-Channel Risk
Risk that occurs when the movement of fraudulent or illegal payment transactions from one payments channel to another (e.g., check payments to ACH) is met with inconsistent risk management practices and lack of information sharing across payment channels about fraud.
What is Risk Acceptance with Treatment
Risks that are monitored and reviewed to ensure they remain within the risk appetite
What is Direct Access Risk
Specific to the ACH Network, this risk is defined as a situation in which an Originator, Third-Party Sender or Third-Party Service Provider transmits ACH files directly to an ACH Operator using the ODFI's routing number and settlement account.
What does UCC 3, 4, 4A govern?
State laws governing the negotiation and collection of checks and wholesale credits
What is a Business Impact Analysis (BIA)
Step in the BCP process that identifies the potential impact of uncontrolled, non-specific events on an institution's business processes.
Wire operational risks include
System failure System disruption System compromise
What is a Vulnerability Assessment
Systematic examination of systems to identify, quantify and prioritize the security deficiencies of the systems.
What is a Tabletop Exercise/Structured Walk-Through Test
Testing method ensures critical personnel from all areas are familiar with the business continuity plan (BCP) and may be used as an effective training tool.
What is a Full-Interruption/Full-Scale Test
Testing method involves a simulated real-life emergency and all or portions of the business continuity plan (BCP) are implemented by processing data/transactions using back-up media at the recovery site.
What is a Functional Drill/Parallel Test
Testing method involves actual mobilization of personnel to other sites attempting to establish communications and perform actual recovery processing as outlined in the BCP
What is a Walk-Through Drill/Simulation Test
Testing method used to apply a specific event scenario to the BCP
What does Title 31 of the Code of Federal Regulation (CFR) Part 203 govern?
Provides rules for FIs that use EFT to process federal tax payments through EFTPS
What does OCC Bulletin 2013-29 govern?
Third-Party Relationships: Risk Management Guidance
Define UCC 3
This Article applies to negotiable instruments. It does not apply to money, to payment orders governed by Article 4A or to securities governed by Article 8.
What does OCC 235 govern?
This Circular was issued to alert national banks to the risks associated with large-dollar payments systems, particularly within the international sector.
What is Liquidity Risk
This risk involves the possibility that earnings or capital will be negatively affected by an institution's inability to meet its obligations when they come due. Liquidity risk is the risk that the financial institution cannot settle an obligation for full value when it is due (even if it may be able to settle at some unspecified time in the future).
What is Strategic Risk
This risk is associated with the financial institution's mission and future business plans. This risk category includes plans for entering new business lines, expanding existing services through mergers and acquisitions, and enhancing infrastructure (e.g., physical plant and equipment, IT, and networking).
What is Transaction Risk
This risk is the exchange rate risk associated with the time delay between entering into a contract and settling it. The greater the time differential between the entrance and settlement of the contract, the higher the risk, because there is more time for the two exchange rates to fluctuate.
What is Transit Risk
This risk is the risk of not successfully moving the payment between buyer and seller, or having the payment altered in some way during the transit process. Electronic payments transmission has mostly taken over the payment transit role.
What is Legal Risk
This risk occurs from an institution's failure to enact appropriate policies, procedures or controls to ensure it conforms to laws, regulations, contractual arrangements and other legally binding agreements and requirements.
What is Reputation Risk
This risk occurs when negative publicity regarding an institution's business practices leads to a loss of revenue or litigation. For retail payment-related systems, this risk is linked to consumer expectations regarding the delivery of retail payment services, and the institution's ability to meet its regulatory and consumer protection obligations related to those services.
The Payment System Risk (PSR) Policy was developed why and what does it do?
To address risks that payments and securities settlement systems present to the financial system and to the Reserve Banks. The policy seeks to control and reduce credit risk to the Reserve Banks by controlling an FI's use of Federal Reserve daylight overdraft. It establishes limits, or net caps on the amount of Reserve Bank daylight credit that a depository institution may use during a single day or over a two-week reserve period
What is Risk Management
Total Process required to identify, control and minimize the impact of uncertain events.
What does Reg DD govern?
Truth in Savings
What does Reg GG govern?
Unlawful Internet Gambling
What is Layered Security
Use of difference controls at different points in a transaction process.
What is Third-Party Risk
Use of third parties reduces management's direct control of activities and may introduce new or increase existing risks, specifically, operational, compliance, reputation, strategic, and credit risks and the interrelationship of these risks.
What does Reg J govern?
Wires, Check Collection through the Federal Reserve
Who is the FFIEC
The Federal Financial Institutions Examination Council is a formal interagency body empowered to prescribe uniform principles, standards, and report forms for the federal examination of FIs by the FBR, FDIC, NCUA, OCC, and CFPB, and to make recommendations to promote uniformity in the supervision of FIs.
What is resilience?
The ability to prepare for and adapt to changing conditions and withstand and rapidly recover from disruptions
What is Recovery point objective (RPO)
The amount of data that can be lost without severely impacting the recovery of operations or the point in time in which systems and data must be recovered (e.g., the date and time of a business disruption).
What are Control Activities
The policies and procedures institutions establish to manage risks and ensure predefined control objectives are met.
What is a risk evaluation?
The process of comparing risk analysis results to determine risk is at an acceptable level
What is a risk analysis?
The process to comprehend the nature of risks and determine the level of risks
WHAT IS CREDIT RISK
The risk that a party to a transaction will not be able to provide the necessary funds, as contracted, for settlement to take place on the scheduled date. Common examples of this risk include: · Irrevocable payment made on extension of credit · Merchant or entity declares bankruptcy · Funds unavailable to satisfy return or chargeback · RDFI is untimely in returning debit entries
What is Counterparty Risk
The risk to each party of a contract that the other party will not live up to its contractual obligations.
A BCP Business Impact Analysis (BIA) should include what
· Assessment and prioritization of all business functions and processes · Identify potential business disruption impact resulting from uncontrolled events · Identify legal/regulatory requirements of business functions and processes · Determine and estimate maximum allowable downtime and acceptable losses · Determine Recovery time objectives (RTOs), Recovery point objectives (RPOs), and Recovery of the critical path
What issues should E-Commerce/Information Technology/Internet Banking Procedures address?
· Authentication of the user · Encryption of the data · Password requirements · Restricting access after a set number of login attempts · Incident response plan in case of a breach
What are the PCI Security Standards goals?
· Build and maintain a Secure Network · Protect Cardholder Data · Maintain a Vulnerability Program · Implement Strong Access Control Measures · Regularly Monitor and Test Networks · Maintain in Information Security Policy
What are the goals of PCI DSS?
· Build and maintain a secure network and systems · Protect cardholder data · Maintain a vulnerability management program · Implement strong access control measures · Regularly monitor and test networks · Maintain an information security policy
What is the Risk Management Framework Security Life Cycle
· Categorize the Information System · Select Security Controls · Implement Security Controls · Assess Security Controls · Authorize Security Controls · Monitor Security Controls
What are some common reasons for Fraud Loss
· Corporate account takeover · Phishing/Business email compromise · Vendor impersonation fraud · Internal employee fraud · Lack of routine account monitoring and reconciliation · Data breaches · Not understanding compliance obligations and requirements · Not following policies and procedures
What are the types of fraud risk are associated with ACH?
· Hacking · Account Takeover · Insider Fraud · Business Email Compromise Scam · Vendor impersonation fraud
WHAT IS THE PURPOSE OF A RISK ASSESSMENT
· Identify risks · Report risks · Track issues · Validate issues · Escalate issues · Resolve issues
Operational risk is characterized by factors associated with
· Internal Fraud · External Fraud · Employment practices and workplace safety · Clients, products, and business practices · Damage to physical assets · Business disruption and system failure · Execution, delivery, and process management
What are the types of fraud risk are associated with Cards?
· Lost or stolen cards · Phishing scams · Skimmers · Data breaches · Counterfeit or altered cards · Unauthorized use of a cardholder's number for CNP transactions
What are the types of fraud risk are associated with Check/RDC?
· Lost or stolen checks · Alteration of deposited items · Forged or missing endorsement · Deposit of counterfeit items · Check kiting · Redeposit of items/duplicate presentment through RDC · Improper disposal of deposited items by RDC customers
What are the types of fraud risk are associated with Wires?
· Malware, spyware, and viruses providing access to fraudsters resulting in unauthorized transactions · Account takeover · Business Email Compromise, resulting in wired funds to scammers · Dishonest employees · Lack of dual control, segregation of duties and/or other commercially reasonable security procedures
Appropriately implemented internal controls will prevent or detect what?
· Materially inaccurate, incomplete, or unauthorized transactions · Deficiencies in the safeguarding of assets · Unreliable financial and regulatory reporting · Deviations from laws, regulations, internal policies
What are the COMPONENTS of the Enterprise Risk Management Framework?
· Mission, vision, and core values · Strategy development · Business objective formulation · Implementation & performance · Enhanced value
WHAT IS OPERATIONAL RISK
· Occurs when a transaction is altered or delayed due to an unintentional error. · Examples: Hardware/Software failure, Power failure, Telecommunications failure, Human error · May result in a failure to adhere to payment system rules, regulations, and laws · May leave the organization vulnerable to financial loss and fraud · May affect an organization's reputation Common examples of this type of risk include: · Inadequate procedures/training · Clerical errors/missed deadlines · System failure/disruption/compromise · Vendor reliability
What are the objective categories of the COSO integrated framework?
· Operational · Reporting · Compliance
What issues should Card Procedures address?
· Processing procedure · Onboarding · Prohibited relationships · Underwriting · Customer Identification Program and Customer Due Diligence · Agreements · EMV procedures · Communication and monitoring
What issues should Wire Procedures address?
· Processing procedures · Check holds · RDC set-up · Limitations and monitoring and · Handling of wires
What issues should Emerging Payment Procedures address?
· Processing procedures as they relate to product or platform · Education and identification of a subject matter expert
Name the characteristics of the Fedwire SECURITIES Service
· Provides a way for issuing, transferring, and maintaining US securities · Held and transferred in electronic or book entry form · Debit Pull · Delivery versus payment system · Sender initiates the payment · Automatically debits payment the Beneficiary Bank's FRB account
Name the characteristics of the Fedwire FUNDS Service
· Real time gross settlement (RTGS) payment owned and operated by the FRB · Credit Push · Settled by adjusting the reserve/clearing balances of depository FIs held at the FRB · FIs have several access options to Fedwire
What are the types of fraud risk are associated with Emerging Payments?
· Speed of processing · Reduced reaction time to fraud · Breaches/Data security · Malware, spyware, and viruses providing access to fraudsters resulting in account takeover
Emerging payments require an FI to review the client for what?
· Type of usage and exposure related to dollar amount · How these payments interact with other payment types · The speed of the payment processing
BCP Risk Monitoring & Testing Program
• Conduct exercises and tests; • Review results; • Ongoing monitoring, revising BCP as conditions warrant.
What Information Security policies and procedures should be provided for
• Environmental controls • Preventive maintenance • Physical security • Logical security • Personnel controls • Change management • Information controls • User support/help desk • Controls over job scheduling, output and negotiable instruments • Event management
What is the International Organization for Standards (ISO)
An international standard-setting body composed of representatives from various national standards organizations.
Define Risk Appetite
The level and degree of risk an organization is willing to assume in order to meet its strategic goals
What is Recovery time objective (RTO)
The maximum allowable downtime that can occur without severely impacting the recovery of operations or the time in which systems, applications, or business functions must be recovered after an outage (e.g. the point in time that a process can no longer be inoperable).
What is the Net debit cap
The maximum dollar amount of uncollateralized daylight overdrafts that an institution is authorized to incur in its Federal Reserve account. The net debit cap is generally equal to an institution's capital times the cap multiple for its cap category.
What is an Risk assessment?
The overall process of risk identification, analysis and evaluation
What is Internal Control
A process effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of company objectives related to operations, reporting, and compliance
What are the PRINCIPLES of the Enterprise Risk Management Framework?
1. Governance and Culture 2. Strategy and Objective Setting 3. Performance 4. Review and Revision 5. Information, communication, and reporting
What are the steps of an Effective Audit Program
1. Identify areas of greatest risk exposure to the institution in order to focus audit resources 2. Promote the confidentiality, integrity and availability of information systems 3. Determine the effectiveness of management's planning and oversight of activities 4. Evaluate the adequacy of operating processes and internal controls 5. Determine the adequacy of enterprise-wide compliance efforts related to policies and internal control procedures 6. Require appropriate corrective action to address deficient internal controls and follow-up to ensure management promptly and effectively implements the required actions
Name the Risk Controls for Wholesale and Retail Payments
1. Implement payment data scheduling, monitoring and verification 2. Process mapping with update schedule 3. Establish logical system and physical access control procedures 4. Implement separation of duties for critical functions 5. Implement procedures to protect sensitive data 6. Install and maintain anomalous transaction detection system and procedures to resolve
What is the Dodd-Frank Act?
1. It addressed concerns in banking regulation that stemmed from the financial crisis of 2008 2. It is meant to limit risk and enforce transparency and accountability 3. It created the Consumer Financial Protection Bureau (CFPB) 4. It established Unfair, Deceptive, or Abusive Acts or Practices (UDAAP) 5. Includes the Durbin Amendment 6. Added protections for Whistleblowers
List COSO's Three Lines of Defense model
1. Operational Management. Own and manage risk and control. 2. Internal monitoring and oversight functions. Monitor risk and control in support of management (risk, control, and compliance functions put in place by management). 3. Internal Audit. Provide independent assurance to the board and senior management concerning the effectiveness.
Name the Risk Controls for Wires
1. Physical and logical access control 2. Dual control and separation of duties 3. Verification of outgoing instructions 4. Securing funds prior to the release of outgoing payment 5. Out-of-band authentication procedures 6. Ensure integrity and confidentiality of customer information
Name the steps in the vendor management life cycle according to the FFIEC
1. Planning 2. Due Diligence in Vendor Selection 3. Contract Negotiation 4. Ongoing Monitoring 5. Termination
What are the NIST Risk Management Framework Steps
1. Prepare 2. Categorize 3. Select 4. Implement 5. Assess 6. Authorize 7. Monitor
Name the FTC's "four Ps" for evaluating whether a representation, omission, act or practice is likely to mislead.
1. Prominent - will the consumer notice the information? 2. Presented - is the format easy-to-understand? 3. Placement - is the information located where a consumer would expect to look? 4. Proximity - is the information close to the claim it qualifies?
Legally what is BSA
FI is required to provide evidence that necessary and reasonable actions were taken in order to identify an incident relating to money laundering and criminal activities
What is the E-Sign Act?
Facilitated the use of electronic records and electronic signatures in interstate and foreign commerce by ensuring the validity and legal effect of contracts entered into electronically
What is risk acceptance?
The informed decision to accept or take a particular risk. Acceptance can occur with or without treatment of risk. Without treatment, the risk is accepted as tolerable and falls within the risk appetite. With treatment refers to the risks that are monitored and reviewed to ensure they remain within the risk appetite
What is risk avoidance?
The informed decision to withdraw from or not become involved with an activity in order to avoid exposure to unwanted or unacceptable risks
What is the Federal Funds Rate
The interest rate at which depository institutions lend reserve balances to other depository institutions overnight, on an uncollateralized basis.