Payment Systems
Change Control Policy
Addresses potential changes to the operating environment
Risk assignment
Allocates risk equitably and is a form of risk sharing
Operation Risk
Transaction is altered or delayed due to an unintentional error
Bank of First Deposit
(BOFD) Payee's bank or Depository Bank
System Failure
A breakdown in the hardware and/or software supporting the system
Basel III Regulatory Capital
A comprehensive set of reform measures to strengthen the regulation, supervision, and risk management of the banking sector, including both liquidity and capital reforms.
Ancillary Risk
A consequence or by-product of not managing credit, operational, fraud, systemic or compliance risks
Device Identification
A cookie loaded on the customer's PC to confirm that it is the same PC that was enrolled by the customer and matches the logon ID and password that is being provided.
Charge-backs
A demand by a credit-card provider for a retailer to make good the loss on a fraudulent or disputed transaction
Real time payments (RTP)
A new, core industry infrastructure, like ACH, Fedwire or CHIPS. The goal is for total ubiquity, with every U.S. financial institution connected directly or indirectly. The system is designed for global compatibility
"on-line" payment order
A payment order transmitted directly to or from a Reserve Bank by electronic data transmission, excluding transmission via phone.
Payment System Risk (PSR) Policy
A policy for compliance that should ensure management establishes sound internal operating practices, including compliance with applicable banking laws, and carefully manages retail payment system-related financial risks
API
A set of specifications, standards or conventions that enable programs to exchange information
daylight overdraft
A system which allows qualifying banks to overdraw their Federal Reserve accounts in order to make payments via Fedwire. By the end of that particular day, the bank (Bank A) has an obligation to pay back the Federal Reserve.
Anomaly Detection
A technique that compares current behavior with established patterns of legitimate behavior and looks for anomalies
Risk Testing
A testing program that provides a high degree of assurance for the continuity of critical business processes, including supporting infrastructure, systems, and applications, without compromising production environments
Distributed Ledger Technology (DLT)
A type of asset database that is shared across nodes in a network across sites, geographies or institutions
Interoperability
Ability to process payment instructions across payment systems or platforms. Requires the use of common standards and technical compatibility between systems
Dwolla
An Application Programming Interface (API) used to send payments using the ACH Network. It is a closed loop system.
Office of Foreign Assets Control (OFAC)
An agency of the U.S. Treasury, administers a series of laws imposing economic sanctions against targeted hostile foreign countries to further U.S. foreign policy and national security objectives
MasterCard Send
An interoperable global platform that enables funds to be sent quickly and securely via three payment flows
AML
Anti-Money Laundering
Nonpublic Personal Information
Any information that is not publicly available and that a consumer provides to a financial institution
Strategic Risk
Associated with the financial institution's mission and future business plans
Dual Message Transactions
Authenticated with a signature
ACH Network
Backbone for the electronic movement of money and data; a processing and delivery system that provides for the distribution and settlement among financial institutions of electronic credits and debits, as well as non-monetary entries with payment-related information
Compliance risk management
Being aware of all payment system rules, policies, regulations and applicable U.S. and state law
Systemic risk management
Being aware of all rules, regulations and laws governing the payments industry
ACH Network
Central clearing facility that receives entries from the ODFIs and distributes the entries to the appropriate Receiving Depository Financial Institution
Layered Security Programs
Characterized by the use of different controls at different points in a transaction process so that a weakness in one control is generally compensated for by the strength of a different control
Payor
Check Writer
ECCHO Rules
Clearinghouse rules under the Uniform Commercial Code that provide the legal framework for forward check image presentment and return of a check image
COSO
Committee of Sponsoring Organizations of the Treadway Commission
Retail Payments
Consumer based payments.
Outsourcing
Contracting out; a business practice used by companies to reduce costs or improve efficiency by shifting tasks, operations, jobs or processes to an external contracted third party for a significant period of time
Control Environment
Control systems designed to provide reasonable assurance that appropriately implemented internal controls will prevent or detect: Materially inaccurate, incomplete, or unauthorized transactions; Deficiencies in the safeguarding of assets; Unreliable financial and regulatory reporting; Deviations from laws, regulations, and internal policies
Control activities
Cover all key areas of an organization and address items such as organizational structures, committee compositions and authority levels, officer approval levels, access controls (physical and electronic), audit programs, monitoring procedures, remedial actions, and reporting mechanisms.
CDD
Customer Due Diligence
CIP
Customer Identification Program
Electronic Data Interchange (EDI)
Data format that is used for machine-to-machine exchanges of data and messages or a range of payment and related processes
EFT Mandate
Under the Debt Collection Improvement Act of 1996, the federal government has required that virtually all non-tax related payments made by the federal government be made via electronic funds transfer (EFT).
Business Continuity Planning
Develop, implement, and test appropriate disaster recovery, in order to maintain acceptable retail payment-related customer service levels
Remotely Created Check (RCC)
Does not bear the signature of a person on whose account the check is drawn. In place of the signature, bears the account holder's printed or typed name or a statement that the account holder authorized the check. The account holder can authorize the creation by telephone by providing the appropriate information, including the MICR data
Operational Risk Mgmt
Employ vendor management programs that provide for due diligence of new service providers as well as ongoing monitoring of existing vendors with a focus on data security and business continuity.
Reg DD
Enables consumers to make informed decisions about accounts at depository institutions, requiring depository financial institutions to provide disclosures to their end users.
Risk Monitoring
Ensure that the business continuity planning process remains viable through the incorporation of the BIA and risk assessment into an enterprise-wide BCP and testing program.
Truth in Lending Act
Ensures that credit terms are disclosed in a meaningful way so consumers can compare credit terms more readily and knowledgeably
Messaging
Exchange of data between entities to support a request for or a response to a request about a payment or its status (could include authorization)
Gramm-Leach-Bliley Act (GLBA)
Financial Services Modernization Act of 1999; repealed many aspects of the Glass-Steagall Act and allows commercial banks, securities and insurance companies to consolidate and offer additional services to their customers
Truncating Bank
Financial institution that creates an image of the original check
Reconverting Bank
Financial institution that produces the substitute check or Image Replacement Document (IRD)
Risk Identification
Finding, recognizing, and describing risks
Business Impact Analysis (BIA)
Flow analysis that involves an assessment and prioritization of those business functions and processes that must be recovered.
System Compromise
Fraud, malicious damage to data, or error
Systemic Risk
Funds transfer system participant is unable to settle its commitments causing other participants to fail
Legal Risk
Occurs from an institution's failure to enact appropriate policies, procedures or controls to ensure it conforms to laws, regulations, contractual arrangements and other legally binding agreements and requirements
Contactless cards
Have an embedded computer chip with financial and personal information used for payment transactions, and they employ RFID technology for payment transmission. They include a microcontroller (or equivalent intelligence) and internal memory and have the ability to secure, store, and provide access to data on the card.
Strategic Risk Management
Having a strategic planning process that addresses its retail payment business, goals and objectives, including supporting IT components
Reg D
Imposes reserve requirements on certain deposits held by depository institutions, including all FDIC-insured banks, insured credit unions, savings banks and mutual savings banks
Verification with non-documentary methods
Include contacting a customer; independently verifying the customer's identity through comparison of information provided by the customer with information obtained from a consumer reporting agency, public database, or other source; checking references with other financial institutions; and obtaining a financial statement
Issue-tracking
Information gathered for the tracking of reported activities is typically provided by the electronic systems or vendors used to perform the services
Payment-Related Information
Information that flows directly with a payment to describe its purpose and/or instruct the receiving party how to apply the funds.
Correspondent Bank
Institution providing clearing or settlement services to a Paying Bank or Collecting Bank (e.g., a Federal Reserve Bank)
Liquidity Risk
Involves the possibility that earnings or capital will be negatively affected by an institution's inability to meet its obligations when they come due
Risk Sharing
Is a form of risk treatment involving the agreed-upon distribution of risk with other parties. Carried out in insurance, hold harmless clauses, or other contractual agreements
OCC Banking Circular 235
Issued to alert national banks to the risks associated with large-dollar payments systems, particularly within the international sector.
Exposure
Level of risk faced by companies involved in financial transactions
MICR
Magnetic Ink Character Recognition
Data Integrity
Maintaining and assuring the accuracy and completeness of data over its life-cycle. This means that data cannot be modified in an unauthorized or undetected manner
Vendor Management
Managing third party service providers or other FIs for payment system products and services
Biometrics
Methods include voice scanning, iris and retinal imaging, and finger scanning, linked to the individual's personal identification information.
Open Loop Network
Multi-party network that connects two financial institutions, the issuing financial institution (issuer/ cardholder's bank) and the acquiring financial institution (acquirer/merchant's bank) and manages the flow of value between the two financial institutions. VISA and MasterCard are examples
Financial Market Utilities (FMU)
Multilateral messaging systems that provide the infrastructure for transferring, clearing, and settling payments, securities, and other financial transactions among financial institutions or between financial institutions and a system
Reputation Risk
Negative publicity regarding an institution's business practices leads to a loss of revenue or litigation
Segregation of Duties
No one employee should be able to process a transaction from start to finish. Institution management must identify and mitigate areas where conflicting duties create the opportunity for insiders to commit fraud
Risk Selection
Ongoing credit analysis, including maintaining a credit file on the originator that will include the types of ACH transactions that are authorized, the bank's financial analysis and evaluation of creditworthiness, and approved exposure limits for daily and multi-day settlements
risk management policy
Outlines the high-level principles for the financial institution's management of its key risks: Credit risk; Liquidity risk; Operational risk; Compliance/legal risk; Cross channel risk
Payee
Party due payment
Fraud Risk
Payment transaction is initiated or altered by any party to the transaction in an attempt to misdirect or misappropriate funds with fraudulent intent
Decoupled Debit Cards
Permit a financial institution to issue a debit card to consumers regardless of where their demand deposits or other transaction accounts are held
Check Clearing
Physical path a check follows; the exchange of payment data/information between FIs in the forward collection process
Interface Points
Points when entities or processes interact with a transaction flow
Internal Controls
Policies and procedures that financial institutions establish to reduce risks and ensure they meet operating, reporting, and compliance objectives
On-boarding
A policy establishing what information is required from new vendors, who gathers the information, and how the information is retained is key.
Check Collection
Process of ensuring funds represented by the check are debited from and credited to the appropriate accounts.
UCC4A
Provides a detailed and comprehensive set of rules for determining rights and obligations of both financial institutions and end users handling Wholesale funds transfers
Closed Loop Network
Provides payment services directly to merchants and cardholders by the owner of the network without involving financial institutions as intermediaries. American Express and Discover are two examples
"out-of-wallet" questions/Challenge questions
Questions that only the user knows and that a fraudster cannot answer with stolen identity information alone.
Underwriting
Receiving payment for the willingness to cover a potential contingent risk
Capital adequacy
Refers to the amount of capital a financial institution has to hold as required by its regulator
USA PATRIOT Act
Regulations require that each financial institution develop and implement a customer identification program (CIP) that is appropriate given the institution's size, location, and type of business
Lending/Credit Policy
Reviewed regularly and revised due to changing circumstances surrounding the borrowing needs of the financial institution's lending accountholders as well as changes that may occur within the financial institution itself
Compliance Risk
Risk that occurs when a party to a transaction fails to comply, either knowingly or inadvertently with payment system rules and policies, regulations and applicable U.S. and state law
Credit Risk
Risk that occurs when a party to a transaction is unable to provide the necessary funds for settlement to take place on the scheduled date. Especially evident in ACH, merchant card and RDC, as well as in returns, as evident with all other retail payment systems, including checks and direct debit.
Consumer Financial Protection Bureau (CFPB)
Rule-making authority and, with respect to entities within its jurisdiction, enforcement authority to prevent unfair, deceptive, or abusive acts or practices in connection with any transaction with a consumer for a consumer financial product or service, or the offering of a consumer financial product or service
keylogging malware
Software program that records the keystrokes entered on the PC
Microcontroller
Supports the use of improved security features including authenticated information access and information privacy
System Disruption
System is unavailable to process transactions
Reg CC
The Expedited Funds Availability Act (the EFAA) was enacted by Congress in order to curb unnecessary holding of funds by financial institutions and sets forth funds availability schedules based on the type of deposit a customer makes
Paying Bank
The FI associated with the routing number encoded on the MICR line
Financial Penetration
The ability for a hacker to bypass firewalls and access financial IT systems
Enterprise Risk Management (ERM)
The culture, capabilities, and practices that organizations integrate with strategy-setting and apply when they carry out that strategy, with a purpose of managing risk in creating, preserving, and realizing value
Transaction Risk
The exchange rate risk associated with the time delay between entering into a contract and settling it
Authentication
The explicit instructions, including: timing, amount, payee, source of funds and other conditions, given by the payer to the payee to transfer funds on a one-time or recurring basis
Risk Acceptance
The informed decision to accept or take a particular risk.
Risk Avoidance
The informed decision to withdraw from or not become involved with an activity in order to avoid exposure to unwanted or unacceptable risks
Risk Assessment
The overall process of risk identification, analysis, and evaluation
Risk Rating
The primary summary indicator of risk for financial institutions' individual credit exposures. They both shape and reflect the nature of credit decisions that institutions make daily.
Risk Evaluation
The process of comparing risk analysis results to determine if risk is at an acceptable level
Risk Analysis
The process to comprehend the nature of risks and determine the level of risks
UDAAP
Unfair, Deceptive, or Abusive Acts or Practices
Encryption
Used to secure communications and data storage, particularly authentication credentials and the transmission of sensitive information.
Cross-channel risk
When movement of fraudulent or illegal payment transactions from one payments channel to another is met with inconsistent risk management practices and lack of information sharing across payment channels about fraud
Venmo
A service of PayPal, Inc.; a person to person (P2P) payment method combining streamlined payments with a social-media overlay. It is an open loop system.
Zelle
Owned by Early Warning Services, LLC; a person to person (P2P) payment method available to U.S. bank account holders only. It is an open loop system.
PIN
Personal Identification Number
Visa Direct
Real-time push payment capabilities that utilize Visa's global payment system.
Electronic Funds Transfer Act - EFTA
Established the basic rights, liabilities and responsibilities of consumers who use electronic funds transfer services and of financial institutions that offer such services.
Emerging Payments Policy
This policy should address: Software used; Board-approved payment types; Use of security procedures and agreements; Approval of an administrator; Limitations
Address Verification System (AVS)
Verifying a cardholder's billing address and other pertinent information; used for mail, telephone, and Internet transactions