APRP Vocab
Faster Payments Mechanism
"A means or instrument for payments to clear and settle between parties rapidly, with funds made available to the payee either same day or in real time"
FMU
"Financial Market Utilities: multilateral messaging systems that provide the infrastructure for transferring, clearing, and settling payments, securities, and other financial transactions among financial institutions or between financial institutions and a system"
Data Integrity
"Maintaining and assuring the accuracy and completeness of data over its life-cycle. This means that data cannot be modified in an unauthorized or undetected manner"
Third party Risk
"Most often arises from greater complexity, ineffective risk management by the bank, and inferior performance by the third party"
Decoupled Debit Cards
"Permit a financial institution to issue a debit card to consumers regardless of where their demand deposits or other transaction accounts are held"
Authentication
"The explicit instructions, including: timing, amount, payee, source of funds and other conditions, given by the payer to the payee to transfer funds on a one-time or recurring basis"
Credit Analysis Techniques
"There are several techniques that can be used when performing credit analysis of a business or organization, including: Credit Policy; Risk Rating; Ongoing Monitoring and Review; Cross-Channel; Prohibited/Restricted Businesses"
Emerging Payments Policy
"This policy is approved by the board annually, or when there are significant changes in emerging technologies. Policy should address: Software used; Board approved payment types; Use of security procedures and agreements; Approval of an administrator; Limitations"
Green Book
A financial institution's operating manual and primary source of information when processing federal government ACH transactions
Audit Policy
A financial institution's policy that should address the following objectives, whether or not the audit functions are handled in-house or outsourced: Policy Objective; Scope of work; Authority; Auditing standards; Outsourcing/third parties; External auditor restriction
Business Impact Analysis (BIA)
A flow analysis that involves an assessment and prioritization of those business functions and processes that must be recovered. It should also consider the impact of legal and regulatory requirements, and should estimate the maximum allowable downtime for critical business functions and processes and the acceptable level of losses (data, operations, financial, reputation, and market share) associated with this estimated downtime
FFIEC (Federal Financial Institutions Examination Council)
A formal U.S. government interagency body that includes five banking regulators—the Federal Reserve Board of Governors (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the Consumer Financial Protection Bureau (CFPB).
System Failure
A breakdown in the hardware and/or software supporting the system
Basel III Regulatory Capital
A comprehensive set of reform measures, developed by the Basel Committee on Banking Supervision (BCBS), to strengthen the regulation, supervision, and risk management of the banking sector, including both liquidity and capital reforms.
Ancillary Risk
A consequence or by-product of not managing credit, operational, fraud, systemic or compliance risks
Device Identification
A cookie loaded on the customer's PC to confirm that it is the same PC that was enrolled by the customer and matches the logon ID and password that is being provided. Can also mean the use of "one-time" cookies and creates a more complex digital "fingerprint" by looking at a number of characteristics including PC configuration, Internet protocol address, geo-location, and other factors
Enterprise Risk Management (ERM)
A process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives. It is the culture, capabilities, and practices that organizations integrate with strategy-setting and apply when they carry out that strategy, with a purpose of managing risk in creating, preserving, and realizing value
Venmo
A service of PayPal, Inc.; a person-to-person (P2P) payment method combining streamlined payments with a social-media overlay. It is an open loop system.
API
A set of specifications, standards or conventions that enable programs to exchange information
Direct Access Risk
A situation in which an Originator, Third-Party Sender or Third-Party Service Provider transmits ACH files directly to an ACH Operator using the ODFI's routing number and settlement account and involves a separation of control and responsibility
Charge-backs
A demand by a credit-card provider for a retailer to make good the loss on a fraudulent or disputed transaction
Android Pay
A digital wallet platform developed by Google to power in-app and tap-to-pay purchases on mobile devices, enabling users to make payments with Android phones, tablets or watches. It is an open loop system
Anomaly Detection
A technique that compares current behavior with established patterns of legitimate behavior and looks for anomalies
Business Continuity Testing
A testing program that provides a high degree of assurance for the continuity of critical business processes, including supporting infrastructure, systems, and applications, without compromising production environments
Distributed Ledger Technology (DLT)
A type of asset database that is shared across nodes in a network across sites, geographies or institutions
Interoperability
Ability to process payment instructions across payment systems or platforms. Requires the use of common standards and technical compatibility between systems
Third Party Sender (TPS)
Acts as an intermediary between an ODFI and Originator, and there is no contractual agreement between the ODFI and the Originator.
Change Control Policy
Addresses potential changes to the operating environment
Risk assignment
Allocates risk equitably and is a form of risk sharing
Daylight Overdraft
Also called intraday overdraft; a system that allows qualifying banks to overdraw their Federal Reserve accounts in order to make payments via Fedwire. By the end of that particular day, the overdrawing bank has an obligation to pay back the Federal Reserve.
Credit Risk
Also known as exposure or temporal risk. Arises when a party to a transaction is unable to provide the necessary funds for settlement to take place on the scheduled date. Especially evident in ACH, merchant card and RDC, as well as in returns, as seen with all other retail payment systems, including checks and direct debit.
Office of Foreign Assets Control (OFAC)
An agency of the U.S. Treasury, administers a series of laws imposing economic sanctions against targeted hostile foreign countries to further U.S. foreign policy and national security objectives
AML
Anti-Money Laundering
Nonpublic Personal Information
Any information that is not publicly available and that a consumer provides to a financial institution
ACH
Automated Clearing House
Addressing
Automated means to route/direct a transaction using a set of data often employing a directory service.
ACH Network
Backbone for the electronic movement of money and data; a processing and delivery system that provides for the distribution and settlement among financial institutions of electronic credits and debits, as well as non-monetary entries with payment-related information
Compliance risk management
Be aware of all payment system rules, policies, regulations and applicable U.S. and state law
Control Environment
Begins with a bank's BOD & senior management, who are responsible for developing effective internal control systems and ensuring all personnel understand and respect the importance of internal controls. Control systems should be designed to provide reasonable assurance that appropriately implemented internal controls will prevent or detect: Materially inaccurate, incomplete, or unauthorized transactions; Deficiencies in the safeguarding of assets; Unreliable financial and regulatory reporting; Deviations from laws, regulations, and internal policies
Wholesale payments
Business or corporate payments
Regulation E
Carries out EFTA. Federal law covering Electronic Funds Transfers. Applies only to consumer payments. It does not apply to corporate electronic funds transfers.
ACH Operator
Central clearing facility that receives entries from the ODFIs and distributes the entries to the appropriate Receiving Depository Financial Institution
Layered Security Programs
Characterized by the use of different controls at different points in a transaction process so that a weakness in one control is generally compensated for by the strength of a different control
COSO
Committee of Sponsoring Organizations of the Treadway Commission
Retail payments
Consumer based payments.
Outsourcing
Contracting out; a business practice used by companies to reduce costs or improve efficiency by shifting tasks, operations, jobs or processes to an external contracted third party for a significant period of time
Federal Reserve Bank Operating Circular 6 (OC6)
Covers FedWire services related to FedWire funds
Federal Reserve Bank Operating Circular 7 (OC7)
Covers FedWire services related to FedWire securities
Federal Reserve Bank Operating Circular 3 (OC3)
Covers exchange of items (paper, image and substitute checks) with the Federal Reserve Bank
Federal Reserve Bank Operating Circular 5 (OC5)
Covers managing the electronic connection with the Federal Reserve Bank. It is the responsibility of financial institutions to manage their connection to the Fed.
Card Products
Credit cards, Debit cards and Prepaid cards
CTR/ SAR
Currency Transaction Report / Suspicious Activity Report
CDD
Customer Due Diligence
CIP
Customer Identification Program
Business Continuity Planning (BCP)
Develop, implement, and test appropriate disaster recovery, in order to maintain acceptable retail payment-related customer service levels
Remotely created check (RCC)
Does not bear the signature of a person on whose account the check is drawn. In place of the signature, bears the account holder's printed or typed name or a statement that the account holder authorized the check. The account holder can authorize the creation by telephone by providing the appropriate information, including the MICR data
EFTPS
Electronic Federal Tax Payment System
EFT
Electronic Funds Transfer
Regulation DD
Enables consumers to make informed decisions about accounts at depository institutions, requiring depository financial institutions to provide disclosures to their end users.
PCI Security Standards
Establishes standards to ensure card payment participants meet minimum levels of security when storing, processing and transmitting cardholder data.
Credit Policy
Establishing this policy is just one part of the credit analysis techniques used by financial institutions
ACH Policy
Every financial institution should have this policy that outlines the financial institution's goals and objectives for its ACH program. The policy should have the approval of the board of directors. Some elements to be considered or addressed include: • A general statement that the organization will process ACH in accordance with U.S. law and the NACHA Operating Rules • Compliance with NACHA Operating Rules • Outline of the types of ACH products the FI will offer • Any types of prohibited/restricted originators • Internal controls practices to address the risk inherent to offering certain ACH products • Third Party Sender relationships should be addressed • ACH Receipt • ACH Origination • OFAC Requirements
Messaging
Exchange of data between entities to support a request for or a response to a request about a payment or its status (could include authorization)
Electronic Data Interchange (EDI)
Data format that is used for machine-to-machine exchanges of data and messages or a range of payment and related processes
EFT Mandate
Under the Debt Collection Improvement Act of 1996, the federal government has required that virtually all non-tax related payments made by the federal government be made via electronic funds transfer (EFT).
FRB
Federal Reserve Bank
Expedited Funds Availability Act (EFAA)
Federal law that applies to making the proceeds of deposits into bank accounts available to depositors.
Electronic Funds Transfer Act (EFTA)
Federal law that established the basic rights, liabilities and responsibilities of consumers who use electronic funds transfer services and of financial institutions that offer such services.
Regulation J
Federal regulation covering Federal Reserve Bank processing of checks and wires. Defines an image plus data as an electronic item.
Regulation P
Federal regulation governing the treatment of nonpublic personal information about consumers by financial institutions.
Settlement
Final payment
Suspicious activity
Financial institutions should establish fraud detection controls that could prompt additional review and reporting of things like false or erroneous application information, large check deposits on new e-banking accounts, unusual volume or size of funds transfers, multiple new accounts with similar account information or originating from the same Internet address, and unusual account activity initiated from a foreign Internet address. Security- and fraud-related events may require the filing of a SAR with the Financial Crimes Enforcement Network (FinCEN).
Operational risk management
Financial institutions should employ vendor management programs that provide for due diligence of new service providers as well as ongoing monitoring of existing vendors with a focus on data security and business continuity.
Risk identification
Finding, recognizing, and describing risks
System Compromise
Fraud, malicious damage to data, or error
Systemic Risk
Funds transfer system participant is unable to settle its commitments causing other participants to fail. Financial institutions can manage this risk by being aware of all rules, regulations and laws governing the payments industry
GSE
Government sponsored enterprises
Contactless cards
Have an embedded computer chip with financial and personal information used for payment transactions, and they employ RFID technology for payment transmission. They include a microcontroller (or equivalent intelligence) and internal memory and have the ability to secure, store, and provide access to data on the card.
Verification with non-documentary methods
Include contacting a customer; independently verifying the customer's identity through the comparison of information provided by the customer with information obtained from a consumer reporting agency, public database, or other source; checking references with other financial institutions; and obtaining a financial statement
Control Activities
Include the policies & procedures institutions establish to manage risks and ensure predefined control objectives are met. Should cover all key areas of an organization and address items such as organizational structures, committee compositions and authority levels, officer approval levels, access controls (physical and electronic), audit programs, monitoring procedures, remedial actions, and reporting mechanisms.
Federal Reserve Bank Operating Circular 4 (OC4)
Incorporates the NACHA Operating Rules, with certain exceptions and generally conforms to the requirements of UCC 4A. The Circular governs the clearing and settlement of ACH items by Federal Reserve Banks, ODFIs and RDFIs where Fed is the ACH Operator.
ISO
Information Security Officer
Issue-tracking
Information gathered for the tracking of reported activities is typically provided by the electronic systems or vendors used to perform the services
Payment-Related Information
Information that flows directly with a payment to describe its purpose and/or instruct the receiving party how to apply the funds.
IP
Internet protocol
Liquidity Risk
Involves the possibility that earnings or capital will be negatively affected by an institution's inability to meet its obligations when they come due
Risk sharing
Is a form of risk treatment involving the agreed-upon distribution of risk with other parties. Carried out in insurance, hold harmless clauses, or other contractual agreements
OCC Banking Circular 235
Issued to alert national banks to the risks associated with large-dollar payments systems, particularly within the international sector.
KYC
Know your customer
Exposure
Level of risk faced by companies involved in financial transactions
MICR
Magnetic Ink Character Recognition
Dual controls
Making more than one employee approve the transaction before authorizing the transaction
MIB
Man-in-the-browser
MIM
Man-in-the-middle
Cross channel risk monitoring
Management should develop an enterprise-wide view of retail payment activities, due to cross-channel risk, as part of a credit analysis technique, because credit risk can be increased by the overall relationship the financial institution has with a customer
Vendor Management
Managing third party service providers or other FIs for payment system products and services
Biometrics
Methods include voice scanning, iris and retinal imaging, and finger scanning linked to the individual's personal identification information.
Open Loop Network
Multi-party network that connects two financial institutions, the issuing financial institution (issuer/ cardholder's bank) and the acquiring financial institution (acquirer/merchant's bank) and manages the flow of value between the two financial institutions. VISA and MasterCard are examples.
NSS
National Settlement Service
Risk Monitoring and testing
Necessary to ensure that the business continuity planning process remains viable through the incorporation of the BIA and risk assessment into an enterprise-wide BCP and testing program.
Reputation Risk
Negative publicity regarding an institution's business practices leads to a loss of revenue or litigation
Segregation of duties
No one employee should be able to process a transaction from start to finish. Institution management must identify and mitigate areas where conflicting duties create the opportunity for insiders to commit fraud
Legal Risk
Occurs from an institution's failure to enact appropriate policies, procedures or controls to ensure it conforms to laws, regulations, contractual arrangements and other legally binding agreements and requirements
Visa Direct
Offers real-time push payment capabilities that utilize Visa's global payment system. Also offers the capability to push payments to other U.S. debit networks using the Visa Push Payments Gateway Service (PPGS) and the Funds Transfer APIs. PPGS allows originators to send their PushFundsTransactions (OCTs) and PullFundsTransactions (AFTs) to Visa for routing to multiple U.S. debit networks. VisaNet translates and reformats the message into the correct network format, rather than an originator having to develop and maintain transaction formats for each debit network.
E-Sign Act
Officially known as the Electronic Signatures in Global and National Commerce Act (15 U.S.C. 7001 et seq.), gives electronic signatures and documents the same force in law as those done with ink on paper
Risk Selection
Ongoing credit analysis, including maintaining a credit file on the originator that will include the types of ACH transactions that are authorized, the bank's financial analysis and evaluation of creditworthiness, and approved exposure limits for daily and multi-day settlements
ODFI
Originating Depository Financial Institution
Originator
Originating company or individual/ person that has authorized an ODFI (directly or through a Third-Party Sender) to transmit, for the account of that person, a credit, debit or non-monetary entry to the Receiver's account
Risk Management Policy
Outlines the high-level principles for the financial institution's management of its key risks: Credit risk; Liquidity risk; Operational risk; Compliance/legal risk; Cross channel risk
Zelle
Owned by Early Warning Services, LLC, is a person to person (P2P) payment method available to U.S. bank account holders only. It is an open loop system.
31 CFR Part 212
Part of Code of Federal Regulations. Addresses garnishment of accounts relevant to Federal benefit payments.
12 CFR Part 363
Part of Code of Federal Regulations. Also known as Federal Deposit Insurance Corporation Improvement Act (FDICIA). Outlines annual independent audit and reporting requirements for financial institutions. Safety and Soundness.
31 CFR Part 210
Part of Code of Federal Regulations. Covers Government ACH transactions.
31 CFR Part 240
Part of Code of Federal Regulations. Covers Treasury checks.
31 CFR Part 203
Part of Code of Federal Regulations. Deals with electronic or paper collection of federal tax payments.
Compliance Risk
Party to a transaction fails to comply, either knowingly or inadvertently with payment system rules and policies, regulations and applicable U.S. and state law
Fraud Risk
Payment transaction is initiated or altered by any party to the transaction in an attempt to misdirect or misappropriate funds with fraudulent intent
POS
Point of Sale
Interface Points
Points when entities or processes interact with a transaction flow
Internal Controls
Policies and procedures that financial institutions establish to reduce risks and ensure they meet operating, reporting, and compliance objectives
Wire Policy
Policy approved by the board annually, or when there are significant changes in the wire process or systems. Policy should address: Wire software used; Types of wires (domestic vs. international, accountholder vs. non-accountholder); Use of security procedures & accountholder agreements; Approval of an administrator; Wire limits
On-Boarding
Policy establishing what information is required from new vendors, who gathers the information and how the information is retained is key. Risk rating should also be considered. The policy should address the metric that will be used to assess the risk that each vendor brings to the financial institution and what individual or department will be responsible for conducting the assessment
ECCHO Rules
Private clearinghouse rules under the Uniform Commercial Code that provide the legal framework for forward check image presentment and return of a check image
Alternate channel confirmations
Process of encouraging customer participation in fraud detection and increase customer confidence by sending confirmations of certain high-risk activities through additional communication channels such as the telephone, e-mail, or traditional mail
Reconcilements
Provide sufficient accounting reports to allow employees to reconcile individual transactions to daily transaction totals
Regulation D
Imposes reserve requirements on certain deposits held by depository institutions, including all FDIC-insured banks, insured credit unions, savings banks and mutual savings banks
RTGS
Real time gross settlement
RDFI
Receiving Depository Financial Institution
Underwriting
Receiving payment for the willingness to cover a potential contingent risk
Capital adequacy
Refers to the amount of capital a financial institution has to hold as required by its regulator
Underwriting Standards
Relative to electronic ACH payments, includes review of the originator's credit exposure, including a bank's loan policies, formal underwriting standards and an approval policy for ACH originators. Rejection can include originators that have a history of excessive unauthorized returns, or that do not operate a legitimate business.
RDC
Remote Deposit Capture
Lending/Credit Policy
Reviewed regularly and revised due to changing circumstances surrounding the borrowing needs of the financial institution's lending accountholders as well as changes that may occur within the financial institution itself
Strategic Risk
Risk associated with the financial institution's mission and future business plans
Consumer Financial Protection Bureau (CFPB)
Rule-making authority and, with respect to entities within its jurisdiction, enforcement authority to prevent unfair, deceptive, or abusive acts or practices in connection with any transaction with a consumer for a consumer financial product or service, or the offering of a consumer financial product or service
SSL
Secure Sockets Layer
Temporal Risk
See 'Exposure'
Peripheral ACH participants
Sending point, Receiving point, Third Party Service Provider, & Third party sender
Security/ Cyber Security/ Data Security Policy
Senior management is responsible for establishing and enforcing a written information security policy including standards, procedures, guidelines and rules of use.
Check/Remote Deposit Capture (RDC) Policy
Sets forth policies and procedures adopted by the FI in regards to risks associated with its offering of RDC services to its accountholders
Keylogging malware
Software program that records the keystrokes entered on the PC
SDN
Specially Designated Nationals
Uniform Commercial Code Article 4 (UCC4)
State law that applies to checks. This article governs bank deposits & collections. Applies to consumer & non-consumer transactions.
Uniform Commercial Code Article 3 (UCC3)
State law that applies to checks. This article governs negotiable instruments. Applies to consumer & non-consumer transactions.
Check Clearing for the 21st Century Act (Check 21)
Subpart D to Regulation CC facilitates truncation and image exchange but does not govern it. Creates and governs the use of a substitute check in place of the original item without the agreement of the recipient as a negotiable instrument. Provides warranties and indemnities that flow with a substitute check.
Microcontroller
Supports the use of improved security features including authenticated information access and information privacy
System Disruption
System is unavailable to process transactions
TCH
The Clearing House
Closed Loop Network
Provides payment services directly to merchants and cardholders by the owner of the network without involving financial institutions as intermediaries. American Express and Discover are two examples.
TSPS
Third Party Service Provider
E-Commerce/ Information Technology/ Internet Banking Policy
This policy should express the terms and conditions for accountholders using a website and online banking platform and should include: Encryption standards; User authentication methods; Password requirements; Maximum number of log in attempts; Length of time before the website times out; Incident response plan in case of a data breach
Operational Risk
Transaction is altered or delayed due to an unintentional error
Regulation Z
Truth in Lending Act. Federal regulation ensures that credit terms are disclosed in a meaningful way so consumers can compare credit terms more readily and knowledgeably
UDAAP
Unfair, Deceptive, or Abusive Acts or Practices
USA Patriot Act
Uniting & Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001. Broadened the scope of the BSA/AML Act to prevent and detect possible acts of terrorism. Regulations require that each financial institution develop and implement a customer identification program (CIP) that is appropriate given the institution's size, location, and type of business
Challenge Questions
Used as a backup in the event that the primary logon authentication technique becomes inoperable or presents an unexpected characteristic. Can include "out-of-wallet" questions, which are questions that only the user knows and that a fraudster cannot obtain with a stolen identity alone.
Encryption
Used to secure communications and data storage, particularly authentication credentials and the transmission of sensitive information. Can be used throughout a technological environment, including the operating systems, middleware, applications, file systems, and communications protocols
Dwolla
Uses an Application Programming Interface (API) to send payments using the ACH Network. It is a closed loop system.
Address Verification System (AVS)
Verify a cardholder's billing address and other pertinent information, used for mail, telephone, and Internet transactions
VPN
Virtual private network
Regulation CC
Enacted by Congress in order to curb unnecessary holding of funds by financial institutions. Federal regulation implementing the Fed's authority over check collection under the EFAA; sets forth funds availability schedules based on the type of deposit a customer makes. Covers availability of all funds deposited in DDA, collection and return of special checks, and special warranties for RCCs and substitute checks.
Cross Channel Risk
When movement of fraudulent or illegal payment transactions from one payments channel to another is met with inconsistent risk management practices and lack of information sharing across payment channels about fraud
Gramm-Leach-Bliley Act (GLBA)
Also called the Financial Services Modernization Act of 1999; repealed many aspects of the Glass-Steagall Act and allows commercial banks, securities and insurance companies to consolidate and offer additional services to their customers
Financial Penetration
The ability for a hacker to bypass firewalls and access financial IT systems
Risk Rating
The primary summary indicator of risk for financial institutions' individual credit exposures. They both shape and reflect the nature of credit decisions that institutions make daily.
Risk evaluation
The process of comparing risk analysis results to determine if risk is at an acceptable level
Risk Management Framework
The process of the "security life cycle." NIST describes the steps as: Categorize the Information System, Select Security Controls, Implement Security Controls, Assess Security Controls, Authorize Security Controls, Monitor Security Controls
Risk analysis
The process to comprehend the nature of risks and determine the level of risks
Sender Risk
The risk an institution assumes when it makes an irrevocable payment on behalf of its customer through an extension of credit
Mastercard Send
An interoperable global platform that enables funds to be sent quickly and securely via three payment flows
Risk assessments
The overall process of risk identification, analysis, and evaluation
Public Information
An institution has a reasonable basis to believe that the information is lawfully made available to the general public from government records, widely distributed media, or legally required disclosures to the general public
Apple Pay
A mobile payment and digital wallet service by Apple Inc. that lets users make payments using an iPhone, Apple Watch, iPad or Mac. It is an open loop system.
Receiver
A natural person or an organization that has authorized an Originator to initiate an ACH entry to the Receiver's account with the RDFI. A Receiver may either be a company or a consumer, depending on the type of account held with the RDFI.
Real time payments (RTP)
A new, core industry infrastructure, like ACH, Fedwire or CHIPS. The goal is total ubiquity, with every U.S. financial institution connected directly or indirectly. The system is designed for global compatibility
Payment System Risk (PSR) Policy
A policy for compliance that should ensure management establishes sound internal operating practices, including compliance with applicable banking laws, and carefully manages retail payment system-related financial risks
Transaction Risk
The exchange rate risk associated with the time delay between entering into a contract and settling it
Risk acceptance
The informed decision to accept or take a particular risk. Can occur with or without treatment of risk. Without treatment, the risk is accepted as tolerable and falls within the risk appetite. With treatment refers to the risks that are monitored and reviewed to ensure they remain within the risk appetite
Risk avoidance
The informed decision to withdraw from or not become involved with an activity in order to avoid exposure to unwanted or unacceptable risks