APRP Vocab

Faster Payments Mechanism

"A means or instrument for payments clearing and settlement to occur to clear between parties rapidly and for funds to be made available to the payee either same day or real time"

FMU

"Financial Market Utilities- multilateral messaging systems that provide the infrastructure for transferring, clearing, and settling payments, securities, and other financial transactions among financial institutions or between financial institutions and a system"

Data Integrity

"Maintaining and assuring the accuracy and completeness of data over its life-cycle. This means that data cannot be modified in an unauthorized or undetected manner"

Third party Risk

"Most often arises from greater complexity, ineffective risk management by the bank, and inferior performance by the third party"

Decoupled Debit Cards

"Permit a financial institution to issue a debit card to consumers regardless of where their demand deposits or other transaction accounts are held"

Authentication

"The explicit instructions, including: timing, amount, payee, source of funds and other conditions, given by the payer to the payee to transfer funds on a one-time or recurring basis"

Credit Analysis Techniques

"There are several techniques that can be used when performing credit analysis of a business or organization, including: Credit Policy; Risk Rating; Ongoing Monitoring and Review; Cross-Channel; Prohibited/Restricted Businesses"

Emerging Payments Policy

"This policy is approved by the board annually, or when there are significant changes in emerging technologies Policy should address: Software used; Board approved payment types; Use of security procedures and agreements; Approval of an administrator; Limitations"

Green Book

A financial institution's operating manual and primary source of information when processing federal government ACH transactions

Audit Policy

A financial institution's policy that should address the following objectives, whether or not the audit functions are handled in-house or outsourced: Policy Objective; Scope of work; Authority; Auditing standards; Outsourcing/third parties; External auditor restriction

Business Impact Analysis (BIA)

A flow analysis that involves an assessment and prioritization of those business functions and processes that must be recovered. should also consider the impact of legal and regulatory requirements. should also estimate the maximum allowable downtime for critical business functions and processes and the acceptable level of losses (data, operations, financial, reputation, and market share) associated with this estimated downtime

FFIEC (Federal Financial Institutions Examination Council)

A formal U.S. government interagency body that includes five banking regulators—the Federal Reserve Board of Governors (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the Consumer Financial Protection Bureau (CFPB).

System Failure

A breakdown in the hardware and/or software supporting the system

Basel III Regulatory Capital

A comprehensive set of reform measures, developed by the Basel Committee on Banking Supervision (BCBS), to strengthen the regulation, supervision, and risk management of the banking sector, including both liquidity and capital reforms.

Ancillary Risk

A consequence or by-product of not managing credit, operational, fraud, systemic or compliance Risks

Device Identification

A cookie loaded on the customer's PC to confirm that it is the same PC that was enrolled by the customer and matches the logon ID and password that is being provided. Can also mean the use of "one-time" cookies and creates a more complex digital "fingerprint" by looking at a number of characteristics including PC configuration, Internet protocol address, geo-location, and other factors

Enterprise Risk Management (ERM)

A process, effected by an entity's board of directors; management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives. It is the culture, capabilities, and practices that organizations integrate with strategy-setting and apply when they carry out that strategy, with a purpose of managing risk in creating, preserving, and realizing value

Venmo

A service of PayPal, Inc., is a person to person (P2P) payment method combining streamlined payments with a social-media overlay. It is an open loop system.

API

A set of specifications, standards or conventions that enable programs to exchange information

Direct Access Risk

A situation in which an Originator, Third-Party Sender or Third-Party Service Provider transmits ACH files directly to an ACH Operator using the ODFI's routing number and settlement account and involves a separation of control and responsibility

Charge-backs

A demand by a credit-card provider for a retailer to make good the loss on a fraudulent or disputed transaction

Android Pay

A digital wallet platform developed by Google to power in-app and tap-to-pay purchases on mobile devices, enabling users to make payments with Android phones, tablets or watches. It is an open loop system

Anomaly Detection

A technique that compares current behavior with established patterns of legitimate behavior and looks for anomalies

Business Continuity Testing

A testing program that provides a high degree of assurance for the continuity of critical business processes, including supporting infrastructure, systems, and applications, without compromising production environments

Distributed Ledger Technology (DLT)

A type of asset database that is shared across nodes in a network across sites, geographies or institutions

Interoperability

Ability to process payment instructions across payment systems or platforms. Requires the use of common standards and technical compatibility between systems

Third Party Sender (TPS)

Acts as an intermediary between an ODFI and Originator, and there is no contractual agreement between the ODFI and the Originator.

Change Control Policy

Addresses potential changes to the operating environment

Risk assignment

Allocates risk equitably and is a form of risk sharing

Daylight Overdraft

Also called intraday overdraft, is a system in which "allows qualifying banks to overdraw on their Federal Reserve accounts in order to make payments via Fedwire. By the end of that particular day, Bank A has an obligation to pay back the Federal Reserve.

Credit Risk

Also known as exposure or temporal risk. Arises when a party to a transaction is unable to provide the necessary funds, for settlement to take place on the scheduled date. Especially evident in ACH, Merchant Card and RDC. As well as, returns, as evident with all other retail payment systems, including checks and direct debit.

Office of Foreign Assets Control (OFAC)

An agency of the U.S. Treasury, administers a series of laws imposing economic sanctions against targeted hostile foreign countries to further U.S. foreign policy and national security objectives

AML

Anti- Money Laundering-

Nonpublic Personal Information

Any information that is not publicly available and that a consumer provides to a financial institution

ACH

Automated Clearing House

Addressing

Automated means to route/direct a transaction using a set of data often employing a directory service.

ACH Network

Backbone for the electronic movement of money and data, a processing and delivery system that provides for the distribution and settlement among financial institutions of electronic credits and debits, as well as, non-monetary entries with payment related information

Compliance risk management

Be aware of all payment system rules, policies, regulations and applicable U.S. and state law

Control Environment

Begins with a bank's BOD & senior management, who are responsible for developing effective internal control systems and ensuring all personnel understand and respect the importance of internal controls. Control systems should be designed to provide reasonable assurance that appropriately implemented internal controls will prevent or detect: Materially inaccurate, incomplete, or unauthorized transactions; Deficiencies in the safeguarding of assets; Unreliable financial and regulatory reporting; Deviations from laws, regulations, and internal policies

Wholesale payments

Business or corporate payments

Regulation E

Carries out EFTA. Federal law covering Electronic Funds Transfers. Applies only to consumer payments. It does not apply to corporate electronic funds transfers.

ACH Operator

Central clearing facility that receives entries from the ODFIs and distributes the entries to the appropriate Receiving Depository Financial Institution

Layered Security Programs

Characterized by the use of different controls at different points in a transaction process so that a weakness in one control is generally compensated for by the strength of a different control

COSO

Committee Of Sponsoring Organizations Of Treadway Commission

Retail payments

Consumer based payments.

Outsourcing

Contracting out; a business practice used by companies to reduce costs or improve efficiency by shifting tasks, operations, jobs or processes to an external contracted third party for a significant period of time

Federal Reserve Bank Operating Circular 6 (OC6)

Covers FedWire services related to FedWire funds

Federal Reserve Bank Operating Circular 7 (OC7)

Covers FedWire services related to FedWire securities

Federal Reserve Bank Operating Circular 3 (OC3)

Covers exchange of items (paper, image and substitute checks) with the Federal Reserve Bank

Federal Reserve Bank Operating Circular 5 (OC5)

Covers managing the electronic connection with the Federal Reserve Bank. It is the responsibility of financial institutions to manage their connection to the Fed.

Card Products

Credit cards, Debit cards and Prepaid cards

CTR/ SAR

Currency Transaction Report / Suspicious Activity Report

CDD

Customer Due Diligence

CIP

Customer Identification Program

Business Continuity Planning (BCP)

Develop, implement, and test appropriate disaster recovery, in order to maintain acceptable retail payment-related customer service levels

Remotely created check (RCC)

Does not bear the signature of a person on whose account the check is drawn. In place of the signature, bears the account holder's printed or typed name or a statement that the account holder authorized the check. The account holder can authorize the creation by telephone by providing the appropriate information, including the MICR data

EFTPS

Electronic Federal Tax Payment System

EFT

Electronic Funds Transfer

Regulation DD

Enables consumers to make informed decisions about accounts at depository institutions, requiring depository financial institutions to provide disclosures to their end users.

PCI Security Standards

Establishes standards to ensure card payment participants meet minimum levels of security when storing, processing and transmitting cardholder data.

Credit Policy

Establishing this policy is just one part of the credit analysis techniques used by financial institutions

ACH Policy

Every financial institution should have this policy that outlines the financial institution's goals and objectives for its ACH program. The policy should have the approval of the board of directors. Some elements to be considered or be addressed include: • A general statement that the organization will process ACH in accordance with U.S. law and the NACHA Operating Rules • Compliance with NACHA Operating Rules • Outline of the types of ACH products the FI will offer • Any types of prohibited/restricted originators • Internal controls practices to address the risk inherent to offering certain ACH products • Third Party Senders relationships should be addressed • ACH Receipt • ACH Origination • OFAC Requirements"

Messaging

Exchange of data between entities to support a request for or a response to a request about a payment or its status (could include authorization)

Electronic Data Interchange (EDI)

Data format that is used for machine-to-machine exchanges of data and messages or a range of payment and related processes

EFT Mandate

Debt Collection Improvement Act of 1996, the federal government has required that virtually all non-tax related payments made by the federal government be made via electronic funds transfer (EFT).

FRB

Federal Reserve Bank

Expedited Funds Availability Act (EFAA)

Federal law applies to making proceeds of deposits into bank accounts available to depositors.

Electronic Funds Transfer Act (EFTA)

Federal law that established the basic rights, liabilities and responsibilities of consumers who use electronic funds transfer services and of financial institutions that offer such services.

Regulation J

Federal regulation covering Federal Reserve Bank processing of checks and wires. Defines an image plus data as an electronic item.

Regulation P

Federal regulation governing the treatment of nonpublic personal information about consumers by financial institutions.

Settlement

Final payment

Suspicious activity

Financial Institutions should establish fraud detection controls that could prompt additional review and reporting of things like false or erroneous application information, large check deposits on new e-banking accounts, unusual volume or size of funds transfers, multiple new accounts with similar account information or originating from the same Internet address, and unusual account activity initiated from a foreign Internet address. Security- and fraud-related events may require the filing of a SAR with the Financial Crimes Enforcement Network (FinCEN)."

Operational risk management

Financial institutions should employ vendor management programs that provide for due diligence of new service providers as well as ongoing monitoring of existing vendors with a focus on data security and business continuity.

Risk identification

Finding, recognizing, and describing risks

System Compromise

Fraud, malicious damage to data, or error

Systemic Risk

Funds transfer system participant is unable to settle its commitments causing other participants to fail. Financial institutions can manage this risk by being aware of all rules, regulations and laws governing the payments industry

GSE

Government sponsored enterprises

Contactless cards

Have an embedded computer chip with financial and personal information used for payment transactions, and they employ RFID technology for payment transmission. They include a microcontroller (or equivalent intelligence) and internal memory and have the ability to secure, store, and provide access to data on the card.

Verification with non-documentary methods

Include contacting a customer independently verifying the customer's identity through the comparison of information provided by the customer with information obtained from a consumer reporting agency, public database, or other source checking references with other financial institutions and obtaining a financial statement

Control Activities

Include the policies & procedures institutions establish to manage risks and ensure predefined control objectives are met. Should cover all key areas of an organization and address items such as organizational structures, committee compositions and authority levels, officer approval levels, access controls (physical and electronic), audit programs, monitoring procedures, remedial actions, and reporting mechanisms.

Federal Reserve Bank Operating Circular 4 (OC4)

Incorporates the NACHA Operating Rules, with certain exceptions and generally conforms to the requirements of UCC 4A. The Circular governs the clearing and settlement of ACH items by Federal Reserve Banks, ODFIs and RDFIs where Fed is the ACH Operator.

ISO

Information Security Officer

Issue-tracking

Information gathered for the tracking of activities reported is typically provided by the electronic systems or endors used to perform the services

Payment-Related Information

Information that flows directly with a payment to describe its purpose and/or instruct the receiving party how to apply the funds.

IP

Internet protocol

Liquidity Risk

Involves the possibility that earnings or capital will be negatively affected by an institution's inability to meet its obligations when they come due

Risk sharing

Is a form of risk treatment involving the agreed-upon distribution of risk with other parties. Carried out in insurance, hold harmless clauses, or other contractual agreements

OCC Banking Circular 235

Issued to alert national banks to the risks associated with large-dollar payments systems, particularly within the international sector.

KYC

Know your customer

Exposure

Level of risk faced by companies involved in financial transations

MICR

Magnetic Ink Character Recognition

Dual controls

Making more than one employee approve the transaction before authorizing the transaction

MIB

Man-in-the browser

MIM

Man-in-the-middle

Cross channel risk monitoring

Management should develop an enterprise wide view of retail payment activities due to cross-channel risk as part of a credit analysis technique as credit risk can be increased by the overall relationship the financial Institution has with a customer

Vendor Management

Managing third party service providers or other FIs for payment system products and services

Biometrics

Methods include voice scanning and iris and retinal imagingfinger scan linked to his or her personal identification information.

Open Loop Network

Multi-party network that connects two financial institutions, the issuing financial institution (issuer/ cardholder's bank) and the acquiring financial institution (acquirer/merchant's bank) and manages the flow of value between the two financial institutions. VISA and MasterCard are examples.

NSS

National Settlement Service

Risk Monitoring and testing

Necessary to ensure that the business continuity planning process remains viable through the incorporation of the BIA and risk assessment into an enterprise-wide BCP and testing program.

Reputation Risk

Negative publicity regarding an institution's business practices leads to a loss of revenue or litigation

Segregation of duties

No one employee should be able to process a transaction from start to finish. Institution management must identify and mitigate areas where conflicting duties create the opportunity for insiders to commit fraud

Legal Risk

Occurs from an institution's failure to enact appropriate policies, procedures or controls to ensure it conforms to laws, regulations, contractual arrangements and other legally binding agreements and requirements

Visa Direct

Offers real-time push payment capabilities that utilize Visa's global payment system. Also offers the capability to push payments to other U.S. debit networks using the Visa Push Payments Gateway Service (PPGS) and the Funds Transfer APIs. PPGS allows originators to send their PushFundsTransactions (OCTs) and PullFundsTransactions (AFTs) to Visa for routing to multiple U.S. debit networks. VisaNet translates and reformats the message into the correct network format, rather than an originator having to develop and maintain transaction formats for each debit network.

E-Sign Act

Officially known as the Electronic Signatures in Global and National Commerce Act (15 U.S.C. 7001 et seq.), gives electronic signatures and documents the same force in law as those done with ink on paper

Risk Selection

Ongoing credit analysis, including maintaining a credit file on the originator that will include the types of ACH transactions that are authorized, the bank's financial analysis and evaluation of creditworthiness, and approved exposure limits for daily and multi-day settlements

ODFI

Originating Depository Financial Institution

Originator

Originating company or individual/ person that has authorized an ODFI (directly or through a Third-Party Sender) to transmit, for the account of that person, a credit, debit or non-monetary entry to the Receiver's account

Risk Management Policy

Outlines the high-level principles for the financial institution's management of its key risks: Credit risk; Liquidity risk; Operational risk; Compliance/legal risk; Cross channel risk

Zelle

Owned by Early Warning Services, LLC, is a person to person (P2P) payment method available to U.S. bank account holders only. It is an open loop system.

31 CFR Part 212

Part of Code of Federal Regulations. Addresses garnishment of accounts relevant to Federal benefit payments.

12 CFR Part 363

Part of Code of Federal Regulations. Also known as Federal Deposit Insurance Corporation Improvement Act (FDICIA). Outlines annual independent audit and reporting requirements for financial institutions. Safety and Soundness.

31 CFR Part 210

Part of Code of Federal Regulations. Covers Government ACH transactions.

31 CFR Part 240

Part of Code of Federal Regulations. Covers Treasury checks.

31 CFR Part 203

Part of Code of Federal Regulations. Deals with electronic or paper collection of federal tax payments.

Compliance Risk

Party to a transaction fails to comply, either knowingly or inadvertently with payment system rules and policies, regulations and applicable U.S. and state law

Fraud Risk

Payment transaction is initiated or altered by any party to the transaction in an attempt to misdirect or misappropriate funds with fraudulent intent

POS

Point of Sale

Interface Points

Points when entities or processes interact with a transaction flow

Internal Controls

Policies and procedures that financial institutions establish to reduce risks and ensure they meet operating, reporting, and compliance objectives

Wire Policy

Policy approved by the board annually, or when there are significant changes in the wire process or systems. Policy should address: Wire software used; Types of wires (domestic vs. international, accountholder vs. non-accountholder); Use of security procedures & accountholder agreements; Approval of an administrator; Wire limits

On-Boarding

Policy establishing what information is required from new vendors, who gathers the information and how the information is retained is key. Risk rating should also be considered. The policy should address the metric that will be used to assess the risk that each vendor brings to the financial institution and what individual or department will be responsible for conducting the assessment

ECCHO Rules

Private clearinghouse rules under the Uniform Commercial Code that provide the legal framework for forward check image presentment and return of a check image

Alternate channel confirmations

Process of encouraging customer participation in fraud detection and increase customer confidence by sending confirmations of certain high-risk activities through additional communication channels such as the telephone, e-mail, or traditional mail

Reconcilements

Provide sufficient accounting reports to allow employees to reconcile individual transactions to daily transaction totals

Regulation D

Imposes reserve requirements on certain deposits held by depository institutions, including all FDIC-insured banks, insured credit unions, savings banks and mutual savings banks

RTGS

Real time gross settlement

RDFI

Receiving Depository Financial Institution

Underwriting

Receiving payment for the willingness to cover a potential contingent risk

Capital adequacy

Refers to the amount of capital a financial institution has to hold as required by its regulator

Underwriting Standards

Relative to electronic ACH payments, includes review of the originators credit exposure. Including a bank's loan policies, including formal underwriting standards and an approval policy for ACH originators. Rejection can include originators that have a history of excessive unauthorized returns, or that do not operate a legitimate business.

RDC

Remote Deposit Capture

Lending/Credit Policy

Reviewed regularly and revised due to changing circumstances surrounding the borrowing needs of the financial institution's lending accountholders as well as changes that may occur within the financial institution itself

Strategic Risk

Risk associated with the financial institution's mission and future business plans

Consumer Financial Protection Bureau (CFPB)

Rule-making authority and, with respect to entities within its jurisdiction, enforcement authority to prevent unfair, deceptive, or abusive acts or practices in connection with any transaction with a consumer for a consumer financial product or service, or the offering of a consumer financial product or service

SSL

Secure socket layer

Temporal Risk

See 'Exposure'

Peripheral ACH participants

Sending point, Receiving point, Third Party Service Provider, & Third party sender

Security/ Cyber Security/ Data Security Policy

Senior management is responsible for establishing and enforcing a written information security policy including standards, procedures, guidelines and rules of use.

Check/Remote Deposit Capture (RDC) Policy

Sets forth policies and procedures adopted by the FI in regards to risks associated with its offering of RDC services to its accountholders

keylogging malware

Software program that records the keystrokes entered on the PC

SDN

Specially Designated Nationals

Uniform Commercial Code Article 4 (UCC4)

State law that applies to checks. This article governs bank deposits & collections. Applies to consumer & non-consumer transactions.

Uniform Commercial Code Article 3 (UCC3)

State law that applies to checks. This article governs negotiable instruments. Applies to consumer & non-consumer transactions.

Check Clearing for the 21st Century Act (Check 21)

Subpart D to Regulation CC facilitates truncation and image exchange but does not govern it. Creates and governs the use of a substitute check in place of the original item without the agreement of the recipient as a negotiable instrument. Provides warranties and indemnities that flow with a substitute check.

Microcontroller

Supports the use of improved security features including authenticated information access and information privacy

System Disruption

System is unavailable to process transactions

TCH

The Clearing House

Closed Loop Network

Provides payment services directly to merchants and cardholders by the owner of the network without involving financial institutions as intermediaries. American Express and Discover are two examples.

TSPS

Third Party Service Provider

E-Commerce/ Information Technology/ Internet Banking Policy

This policy should express the terms and conditions for accountholders using a website and online banking platform and should include: Encryption standards; User authentication methods; Password requirements; Maximum number of log in attempts; Length of time before the website times out; Incident response plan in case of a data breach

Operational Risk

Transaction is altered or delayed due to an unintentional error

Regulation Z

Truth in Lending Act. Federal regulation ensures that credit terms are disclosed in a meaningful way so consumers can compare credit terms more readily and knowledgeably

UDAAP

Unfair, Deceptive, or Abusive Acts or Practices

USA Patriot Act

Uniting & Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001. Broadened the scope of the BSA/AML Act to prevent and detect possible acts of terrorism. Regulations require that each financial institution develop and implement a customer identification program (CIP) that is appropriate given the institution's size, location, and type of business

Challenge Questions

Used as a backup in the event that primary logon authentication technique becomes inoperable or presents an unexpected characteristic. Can include "out-of-wallet' questions, which are questions that a user only knows and a fraudster cannot obtain just with stolen identity.

Encryption

Used to secure communications and data storage, particularly authentication credentials and the transmission of sensitive information. Can be used throughout a technological environment, including the operating systems, middleware, applications, file systems, and communications protocols

Dwolla

Uses an Application Programming Interface (API) to send payments using the ACH Network. It is a closed loop system.

Address Verification System (AVS)

Verify a cardholder's billing address and other pertinent information, used for mail, telephone, and Internet transactions

VPN

Virtual private network

Regulation CC

Was enacted by Congress in order to curb unnecessary holding of funds by financial institutions. Federal regulation implementing Fed's authority over check collection under the EFAA and sets forth funds availability schedules based on the type of deposit a customer makes. Covers availability of all funds deposited in DDA, collection & return of special checks, special warranties for RCCs and substitute checks.

Cross Channel Risk

When movement of fraudulent or illegal payment transactions from one payments channel to another is met with inconsistent risk management practices and lack of information sharing across payment channels about fraud

Gramm-Leach-Bliley Act (GLBA)

also called the Financial Services Modernization Act of 1999, repealed many aspects of the Glass Steagal Act and allows for commercial banks, securities and insurance companies to consolidate and offer additional services to their customers

Financial Penetration

The ability for a hacker to bypass firewalls and access financial IT systems

Risk Rating

The primary summary indicator of risk for financial institutions' individual credit exposures. They both shape and reflect the nature of credit decisions that institutions make daily.

Risk evaluation

The process of comparing risk analysis results to determine if risk is at an acceptable level

risk management framework

The process of the "security life cycle." NIST describes the steps as: Categorize the Information System, Select Security Controls, Implement Security Controls, Assess Security Controls, Authorize Security Controls, Monitor Security Controls

Risk analysis

The process to comprehend the nature of risks and determine the level of risks

Sender Risk

The risk an institution assumes when it makes an irrevocable payment on behalf of its customer through an extension of credit

Mastercard Send

An interoperable global platform that enables funds to be sent quickly and securely via three payment flows

Risk assessments

The overall process of risk identification, analysis, and evaluation

Public Information

An institution has a reasonable basis to believe that the information is lawfully made available to the general public from government records, widely distributed media, or legally required disclosures to the general public

Apple Pay

A mobile payment and digital wallet service by Apple Inc. that lets users make payments using an iPhone, Apple Watch, iPad or Mac. It is an open loop system.

Receiver

A natural person or an organization that has authorized an Originator to initiate an ACH entry to the Receiver's account with the RDFI. A Receiver may either be a company or a consumer, depending on the type of account held with the RDFI.

Real time payments (RTP)

A new, core industry infrastructure, like ACH, Fedwire or CHIPS. The goal is for total ubiquity, with every U.S. financial institution connected directly or indirectly. The system is designed for global compatibility"

Payment System Risk (PSR) Policy

A policy for compliance that should ensure management establishes sound internal operating practices, including compliance with applicable banking laws, and carefully manages retail payment system-related financial risks

Transaction Risk

The exchange rate risk associated with the time delay between entering into a contract and settling it

Risk acceptance

The informed decision to accept or take a particular risk. Can occur with or without treatment of risk. Without treatment, the risk is accepted as tolerable and falls within the risk appetite. With treatment refers to the risks that are monitored and reviewed to ensure they remain within the risk appetite

Risk avoidance

The informed decision to withdraw from or not become involved with an activity in order to avoid exposure to unwanted or unacceptable risks