Payment Systems

Change Control Policy

Addresses potential changes to the operating environment

Risk assignment

Allocates risk equitably and is a form of risk sharing

Operation Risk

Transaction is altered or delayed due to an unintentional error

Bank of First Deposit

(BOFD) Payees bank or Depository Bank

System Failure

A breakdown in the hardware and/or software supporting the system

Basel III Regulatory Capital

A comprehensive set of reform measures to strengthen the regulation, supervision, and risk management of the banking sector, including both liquidity and capital reforms.

Ancillary Risk

A consequence or by-product of not managing credit, operational, fraud, systemic or compliance Risks

Device Identification

A cookie loaded on the customer's PC to confirm that it is the same PC that was enrolled by the customer and matches the logon ID and password that is being provided.

Charge-backs

A demand by a credit-card provider for a retailer to make good the loss on a fraudulent or disputed transaction

Real time payments (RTP)

A new, core industry infrastructure, like ACH, Fedwire or CHIPS. The goal is for total ubiquity, with every U.S. financial institution connected directly or indirectly. The system is designed for global compatibility

"on-line" payment order

A payment order transmitted directly to or from a Reserve Bank by electronic data transmission, excluding transmission via phone.

Payment System Risk (PSR) Policy

A policy for compliance that should ensure management establishes sound internal operating practices, including compliance with applicable banking laws, and carefully manages retail payment system-related financial risks

API

A set of specifications, standards or conventions that enable programs to exchange information

daylight overdraft

A system which "allows qualifying banks to overdraw on their Federal Reserve accounts in order to make payments via Fedwire. By the end of that particular day, Bank A has an obligation to pay back the Federal Reserve.

Anomoly Detection

A technique that compares current behavior with established patterns of legitimate behavior and looks for anomalies

Risk Testing

A testing program that provides a high degree of assurance for the continuity of critical business processes, including supporting infrastructure, systems, and applications, without compromising production environments

Distributed Ledger Technology (DLT)

A type of asset database that is shared across nodes in a network across sites, geographies or institutions

interprobability

Ability to process payment instructions across payment systems or platforms. Requires the use of common standards and technical compatibility between systems

Dwolla

An Application Programming Interface (API) used to send payments using the ACH Network. It is a closed loop system.

Office of Foreign Assets Control (OFAC)

An agency of the U.S. Treasury, administers a series of laws imposing economic sanctions against targeted hostile foreign countries to further U.S. foreign policy and national security objectives

MasterCard Send

An interoperable global platform that enables funds to be sent quickly and securely via three payment flows

AML

Anti- Money Laundering-

Nonpublic Personal Information

Any information that is not publicly available and that a consumer provides to a financial institution

Strategic Risk

Associated with the financial institution's mission and future business plans

Dual Message Transactions

Authenticated with a signature

ACH Network

Backbone for the electronic movement of money and data, a processing and delivery system that provides for the distribution and settlement among financial institutions of electronic credits and debits, as well as, non-monetary entries with payment related information

Compliance risk management

Being aware of all payment system rules, policies, regulations and applicable U.S. and state law

Systemic risk management

Being aware of all rules, regulations and laws governing the payments industry

ACH Network

Central clearing facility that receives entries from the ODFIs and distributes the entries to the appropriate Receiving Depository Financial Institution

Layered Security Programs

Characterized by the use of different controls at different points in a transaction process so that a weakness in one control is generally compensated for by the strength of a different control

Payor

Check Writer

ECCHO Rules

Clearinghouse rules under the Uniform Commercial Code that provide the legal framework for forward check image presentment and return of a check image

COSO

Committee Of Sponsoring Organizations Of Treadway Commission

Retail Payments

Consumer based payments.

Outsourcing

Contracting out; a business practice used by companies to reduce costs or improve efficiency by shifting tasks, operations, jobs or processes to an external contracted third party for a significant period of time

Control Environment

Control systems designed to provide reasonable assurance that appropriately implemented internal controls will prevent or detect: Materially inaccurate, incomplete, or unauthorized transactions; Deficiencies in the safeguarding of assets; Unreliable financial and regulatory reporting; Deviations from laws, regulations, and internal policies

Control activities

Cover all key areas of an organization and address items such as organizational structures, committee compositions and authority levels, officer approval levels, access controls (physical and electronic), audit programs, monitoring procedures, remedial actions, and reporting mechanisms.

CDD

Customer Due Diligence

CIP

Customer Identification Program

Electronic Data Interchange (EDI)

Data format that is used for machine-to-machine exchanges of data and messages or a range of payment and related processes

EFT Mandate

Debt Collection Improvement Act of 1996, the federal government has required that virtually all non-tax related payments made by the federal government be made via electronic funds transfer (EFT).

Business Continuity Planning

Develop, implement, and test appropriate disaster recovery, in order to maintain acceptable retail payment-related customer service levels

Remotely Created Check (RCC)

Does not bear the signature of a person on whose account the check is drawn. In place of the signature, bears the account holder's printed or typed name or a statement that the account holder authorized the check. The account holder can authorize the creation by telephone by providing the appropriate information, including the MICR data

Operational Risk Mgmt

Employ vendor management programs that provide for due diligence of new service providers as well as ongoing monitoring of existing vendors with a focus on data security and business continuity.

Reg DD

Enables consumers to make informed decisions about accounts at depository institutions, requiring depository financial institutions to provide disclosures to their end users.

Risk Monitoring

Ensure that the business continuity planning process remains viable through the incorporation of the BIA and risk assessment into an enterprise-wide BCP and testing program.

Truth in Lending Act

Ensures that credit terms are disclosed in a meaningful way so consumers can compare credit terms more readily and knowledgeably

Messaging

Exchange of data between entities to support a request for or a response to a request about a payment or its status (could include authorization)

Gramm-Leach-Bliley Act (GLBA)

Financial Services Modernization Act of 1999, repealed many aspects of the Glass Steagal Act and allows for commercial banks, securities and insurance companies to onsolidate and offer additional services to their customers

Truncating Bank

Financial institution that creates an image of the original check

Reconverting Bank

Financial institution that produces the substitute check or Image Replacement Document (IRD)

Risk Identification

Finding, recognizing, and describing risks

Business Impact Analysis (BIA)

Flow analysis that involves an assessment and prioritization of those business functions and processes that must be recovered.

System Compromise

Fraud, malicious damage to data, or error

Systemic Risk

Funds transfer system participant is unable to settle its commitments causing other participants to fail

Legal Risk

Occurs from an institution's failure to enact appropriate policies, procedures or controls to ensure it conforms to laws, regulations, contractual arrangements and other legally binding agreements and requirements

Contactless cards

Have an embedded computer chip with financial and personal information used for payment transactions, and they employ RFID technology for payment transmission. They include a microcontroller (or equivalent intelligence) and internal memory and have the ability to secure, store, and provide access to data on the card.

Strategic Risk Management

Having a strategic planning process that addresses its retail payment business, goals and objectives, including supporting IT components

Reg D

Imposes reserve requirements on certain deposits held by depository institutions, including all FDIC-insured banks, insured credit unions, savings banks and mutual savings banks

Verification with non-documentary methods

Include contacting a customer independently verifying the customer's identity through the comparison of information provided by the customer with information obtained from a consumer reporting agency, public database, or other source checking references with other financial institutions and obtaining a financial statement

Issue-tracking

Information gathered for the tracking of activities reported is typically provided by the electronic systems or endors used to perform the services

Payment-Related Information

Information that flows directly with a payment to describe its purpose and/or instruct the receiving party how to apply the funds.

Correspondent Bank

Institution providing clearing or settlement services to a Paying Banking or Collecting Bank (Federal Reserve Bank)

Liquidity Risk

Involves the possibility that earnings or capital will be negatively affected by an institution's inability to meet its obligations when they come due

Risk Sharing

Is a form of risk treatment involving the agreed-upon distribution of risk with other parties. Carried out in insurance, hold harmless clauses, or other contractual agreements

OCC Banking Circular 235

Issued to alert national banks to the risks associated with large-dollar payments systems, particularly within the international sector.

Exposure

Level of risk faced by companies involved in financial transactions

MICR

Magnetic Ink Character Recognition

Data Integrity

Maintaining and assuring the accuracy and completeness of data over its life-cycle. This means that data cannot be modified in an unauthorized or undetected manner

Vendor Management

Managing third party service providers or other FIs for payment system products and services

Biometrics

Methods include voice scanning and iris and retinal imaging/finger scan linked to his or her personal identification information.

Open Loop Network

Multi-party network that connects two financial institutions, the issuing financial institution (issuer/ cardholder's bank) and the acquiring financial institution (acquirer/merchant's bank) and manages the flow of value between the two financial institutions. VISA and MasterCard are examples

Financial Market Utilities (FMU)

Multilateral messaging systems that provide the infrastructure for transferring, clearing, and settling payments, securities, and other financial transactions among financial institutions or between financial institutions and a system

Reputation Risk

Negative publicity regarding an institution's business practices leads to a loss of revenue or litigation

Segregation of Duties

No one employee should be able to process a transaction from start to finish. Institution management must identify and mitigate areas where conflicting duties create the opportunity for insiders to commit fraud

Risk Selection

Ongoing credit analysis, including maintaining a credit file on the originator that will include the types of ACH transactions that are authorized, the bank's financial analysis and evaluation of creditworthiness, and approved exposure limits for daily and multi-day settlements

risk management policy

Outlines the high-level principles for the financial institution's management of its key risks: Credit risk; Liquidity risk; Operational risk; Compliance/legal risk; Cross channel risk

Payee

Party due payment

Fraud Risk

Payment transaction is initiated or altered by any party to the transaction in an attempt to misdirect or misappropriate funds with fraudulent intent

Decoupled Debit Cards

Permit a financial institution to issue a debit card to consumers regardless of where their demand deposits or other transaction accounts are held

Check Clearing

Physical path a check follows. Exchange of pymt date/info between FIs in the forward collection process

Interface Points

Points when entities or processes interact with a transaction flow

Internal Controls

Policies and procedures that financial institutions establish to reduce risks and ensure they meet operating, reporting, and compliance objectives

On-boarding

Policy establishing what information is required from new vendors, who gathers the information and how the information is retained is key.

Check Collection

Process of ensuring funds represented by the check are debited from and credited to the appropriate accounts.

UCC4A

Provides a detailed and comprehensive set of rules for determining rights and obligations of both financial institutions and end users handling Wholesale funds transfers

Closed Loop Network

Provides payment services directly to merchants and cardholders by the owner of the network without involving financial institutions as intermediaries. American Express and Discover are two examples

"out-of-wallet" questions/Challenge questions

Questions that a user only knows and a fraudster cannot obtain just with stolen identity.

Underwriting

Receiving payment for the willingness to cover a potential contingent risk

Capital adequacy

Refers to the amount of capital a financial institution has to hold as required by its regulator

USA PATRIOT Act

Regulations require that each financial institution develop and implement a customer identification program (CIP) that is appropriate given the institution's size, location, and type of business

Lending/Credit Policy

Reviewed regularly and revised due to changing circumstances surrounding the borrowing needs of the financial institution's lending accountholders as well as changes that may occur within the financial institution itself

Compliance Risk

Risk that occurs when a party to a transaction fails to comply, either knowingly or inadvertently with payment system rules and policies, regulations and applicable U.S. and state law

Credit Risk

Risk that occurs when a party to a transaction is unable to provide the necessary funds, for settlement to take place on the scheduled date. Especially evident in ACH, Merchant Card and RDC. As well as, returns, as evident with all other retail payment systems, including checks and direct debit.

Consumer Financial Protection Bureau (CFPB)

Rule-making authority and, with respect to entities within its jurisdiction, enforcement authority to prevent unfair, deceptive, or abusive acts or practices in connection with any transaction with a consumer for a consumer financial product or service, or the offering of a consumer financial product or service

keylogging malware

Software program that records the keystrokes entered on the PC

Microcontroller

Supports the use of improved security features including authenticated information access and information privacy

System Disruption

System is unavailable to process transactions

Reg CC

The Expedited Funds Availability Act (the EFAA) was enacted by Congress in order to curb unnecessary holding of funds by financial institutions and sets forth funds availability schedules based on the type of deposit a customer makes

Paying Bank

The FI associated with the routing number encoded on the MICR line

Financial Penetration

The ability for a hacker to bypass firewalls and access financial IT systems

Enterprise Risk Management (ERM)

The culture, capabilities, and practices that organizations integrate with strategy-setting and apply when they carry out that strategy, with a purpose of managing risk in creating, preserving, and realizing value

Transaction Risk

The exchange rate risk associated with the time delay between entering into a contract and settling it

Authentication

The explicit instructions, including: timing, amount, payee, source of funds and other conditions, given by the payer to the payee to transfer funds on a one-time or recurring basis

Risk Acceptance

The informed decision to accept or take a particular risk.

Risk Avoidance

The informed decision to withdraw from or not become involved with an activity in order to void exposure to unwanted or unacceptable risks

Risk Assessment

The overall process of risk identification, analysis, and evaluation

Risk Rating

The primary summary indicator of risk for financial institutions' individual credit exposures. They both shape and reflect the nature of credit decisions that institutions make daily.

Risk Evaluation

The process of comparing risk analysis results to determine is risk is at an acceptable level

Risk Analysis

The process to comprehend the nature of risks and determine the level of risks

UDAAP

Unfair, Deceptive, or Abusive Acts or Practices

Encryption

Used to secure communications and data storage, particularly authentication credentials and the transmission of sensitive information.

Cross - channel risk

When movement of fraudulent or illegal payment transactions from one payments channel to another is met with inconsistent risk management practices and lack of information sharing across payment channels about fraud

Venmo

a service of PayPal, Inc., is a person to person (P2P) payment method combining streamlined payments with a social-media overlay. It is an open loop system.

Zelle

owned by Early Warning Services, LLC, is a person to person (P2P) payment method available to U.S. bank account holders only. It is an open loop system.

PIN

personal identification number

Visa Direct

real-time push payment capabilities that utilize Visa's global payment system.

Electronic Funds Transfer Act - EFTA

stablished the basic rights, liabilities and responsibilities of consumers who use electronic funds transfer services and of financial institutions that offer such services.

Emerging Payments Policy

this policy should address: Software used; Board approved payment types; Use of security procedures and agreements; Approval of an administrator; Limitations

Address Verification System (AVS)

verifying a cardholder's billing address and other pertinent information, used for mail, telephone, and Internet transactions