Booklet: Retail Payment Systems
Section: Retail Payment Systems Risk Management
Subsection: Operational (Transaction) Risk
Operational risk is the risk of incurring financial loss due to human or technical
errors and fraud. Operational risk can arise from the failure to follow
or complete one or more steps in the prescribed authorization process.
Operational risk includes the risks associated with the failure of communications,
the breakdown of data transport or processing, internal control system
deficiencies, human errors, or management failure. As a result, the financial
institution could experience delays or disruptions in processing, clearing,
and settling retail payment transactions, which could lead to credit and
liquidity problems at other financial institutions.
Operational risk can also arise from fraud. A financial institution’s exposure
to operational risk from fraud is the risk that a wrongful or criminal
deception will lead to a financial loss for one of the parties involved.
Currency and checks are more vulnerable to loss or direct theft, whereas
fraud is the primary concern in bankcard payment transactions. Fraud is
a significant concern for ACH, especially one-time ACH debit transactions.
The continuing growth of check-to-ACH conversion presents many new fraud
risks.
Newer retail payment mechanisms, particularly using the Internet, are also subject
to fraud risk. The creation of fraudulent electronic transactions could
lead to financial losses if fraudulent balances are successfully exchanged
for a readily transferable form of money, such as currency, or other assets.
Operational risk controls should include information system, procedural, administrative,
and legal measures to prevent or limit financial loss as a result of operational
risk. System measures include monetary and time limits (per transaction,
per payment instrument, per client), and personal authentication and encryption
techniques to ensure the authenticity of the payer and transaction information
integrity. Additional controls include the use of certified tamper-resistant
equipment (e.g., EFT/POS terminals), logical access controls to verify
transactions, on-line verification of account balances, logging of all
transactions and attempts to make a transaction, and the use of serial
numbers and check digits.
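As an added example that is not part of the booklet, the following Python sketch implements the system measures just listed: monetary and time limits applied per transaction, per payment instrument, and per client; a check-digit test on the instrument number (the Luhn mod-10 scheme used for payment card numbers is chosen here as the check-digit algorithm); and a log of every attempt, whether approved or declined. The limit values, customer identifiers, and sample card numbers (published industry test numbers, not real accounts) are constructed assumptions.

```python
"""Added illustration of the booklet's 'system measures' (not booklet code):
per-transaction, per-instrument and per-client limits inside a rolling time
window, a check-digit test, and a log of every authorization attempt.
All limits, client ids and card numbers below are constructed."""
from collections import defaultdict
from dataclasses import dataclass, field


def luhn_valid(number: str) -> bool:
    """Check-digit test: Luhn mod-10, the scheme used for payment card numbers."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 2 or len(digits) != len(number):   # reject non-digit input
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:              # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Limits:
    per_transaction: int          # max single amount (cents), constructed policy
    per_instrument_window: int    # max total per card within the window
    per_client_window: int        # max total per client within the window
    window_seconds: int = 86400   # time limit: a rolling 24-hour window


@dataclass
class AuthorizationGate:
    limits: Limits
    log: list = field(default_factory=list)   # every attempt, approved or not
    history: dict = field(default_factory=lambda: defaultdict(list))  # key -> [(ts, amount)]

    def _spent(self, key, now):
        """Sum of approved amounts for `key` inside the rolling window."""
        cutoff = now - self.limits.window_seconds
        return sum(a for t, a in self.history[key] if t > cutoff)

    def authorize(self, ts, client, instrument, amount):
        """Return (approved, reason); reason is None when approved."""
        reason = None
        if not luhn_valid(instrument):
            reason = "bad check digit"
        elif amount <= 0 or amount > self.limits.per_transaction:
            reason = "per-transaction limit"
        elif self._spent(("inst", instrument), ts) + amount > self.limits.per_instrument_window:
            reason = "per-instrument limit"
        elif self._spent(("client", client), ts) + amount > self.limits.per_client_window:
            reason = "per-client limit"
        approved = reason is None
        if approved:   # only approved transactions count against the limits
            self.history[("inst", instrument)].append((ts, amount))
            self.history[("client", client)].append((ts, amount))
        # Log the attempt either way; keep only the last four digits of the instrument.
        self.log.append({"ts": ts, "client": client, "instrument": "*" + instrument[-4:],
                         "amount": amount, "approved": approved, "reason": reason})
        return approved, reason


def run_sample():
    """Constructed sequence of attempts exercising each control."""
    gate = AuthorizationGate(Limits(per_transaction=50_000,
                                    per_instrument_window=100_000,
                                    per_client_window=150_000))
    attempts = [
        (1000, "cust-1", "4111111111111111", 40_000),   # approved
        (1100, "cust-1", "4111111111111111", 60_000),   # over per-transaction limit
        (1200, "cust-1", "4111111111111111", 50_000),   # approved (card total 90,000)
        (1300, "cust-1", "4111111111111111", 20_000),   # card total would reach 110,000
        (1400, "cust-1", "4111111111111112", 10_000),   # one digit altered: check digit fails
        (1500, "cust-1", "5555555555554444", 50_000),   # approved (client total 140,000)
        (1600, "cust-1", "5555555555554444", 20_000),   # client total would reach 160,000
        (1600 + 86400, "cust-1", "4111111111111111", 30_000),  # window rolled over: approved
    ]
    return gate, [gate.authorize(*a) for a in attempts]


if __name__ == "__main__":
    gate, results = run_sample()
    for entry in gate.log:
        print(entry)
```

The order of the checks matters for what the log records: the cheap integrity test on the instrument number runs first, then the single-amount ceiling, then the aggregate limits, so a rejected attempt is logged with the first control that tripped rather than counted against any limit.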
Procedural measures include appropriate dual custody and separation of duties for
critical payment transaction processing and accounting tasks, payment
data verification, clear error processing and escalation procedures, and
confidential and tamper-resistant mailing procedures for bankcards and
other sensitive material. Administrative measures should include IT audit
coverage of operational controls, legal controls (including regulatory
compliance and agreements), and personnel issues associated with staffing
and training.
In the event of unauthorized use of a payment card, the cardholder’s
liability is limited to a specified amount if he or she notifies the card
issuer of the theft or loss within a set time limit. To limit their own
losses from POS card fraud, the bankcard associations require vendors
to match the cardholder’s signature on the card with the signature
on the payment voucher at the point of sale. The associations have also
introduced extensive monitoring and reporting controls to limit fraudulent
bankcard activity.
Action Summary

Audit
An effective audit function should include internal and external audit coverage
tailored to the complexity of the institution. Due to the potentially
large retail transaction volumes and associated dollar value when initiating
payments, internal audit coverage is critical for effective oversight
of the financial institution’s retail payment systems. The audit
coverage should be sufficient to validate the internal control environment
surrounding the processing, clearance, and settlement of retail payment
transactions. Auditors should perform an evaluation of the financial institution’s
retail payment system business lines on the basis of overall risk to the
financial institution. Based on the evaluation, they should develop an
appropriate schedule of audits. Auditors should review accounting controls
and assess the effectiveness of transaction processing, clearance, and
settlement processing procedures.
The board of directors should ensure the information technology audit program
tests retail payment system internal controls, management policies, and
procedures. IT audit coverage should include the design and implementation
of retail payment products, and include the supporting information technology
environment encompassing internal data centers, contingency sites, and
network infrastructure. IT audit coverage should also verify the adequacy
of internal controls in applicable business lines responsible for managing
day-to-day retail payment system services. In addition, internal audit
should assess the comprehensiveness of the institution’s vendor
management program and ensure the institution is appropriately managing
vendor risk.
Action Summary

Information Security
Financial institutions must implement the appropriate physical and logical
security controls to ensure retail payment system transactions are processed,
cleared, and settled in an accurate, timely, and reliable manner. Retail
payment systems contain confidential customer information subject to GLBA
section 501(b) security guidelines. The board and management are responsible
for protecting the confidentiality, integrity, and availability of these
systems and data. The privacy risk combined with the funds transfer capability
should cause these systems to rank high in all institutions’ information
security risk assessments. Those risk assessments should consider physical
and logical security controls for the origination, approval, transmission,
and storage of retail payment systems transactions.
Physical controls should limit access to those staff assigned responsibility for
supporting the operations and business line centers processing retail
payment and accounting transactions. Physical controls should also provide
for the ability to monitor and document access to these facilities.
Institution management should assign appropriate logical access controls to staff
responsible for retail payment-related services and should base access
rights on the need to separate the duties of personnel responsible for
originating, approving, and processing the transactions. Appropriate identification
and authentication techniques include requiring unique authenticators
for each staff member with strong password requirements if the institution
has not implemented more robust authentication techniques.
Logical access controls should restrict access on a need-to-know basis and assign
access to retail payment applications and data based on functional job
duties and requirements. Logical access control should also protect network
access. An institution’s risk assessment should require it to protect
retail payment systems from unauthorized access through appropriate network
configuration, firewalls, or intrusion detection. The assessment should
review the security of all third-party service providers as well. Some
institutions accomplish this by isolating all payment-related applications
and systems from other production applications.
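As an added example, not taken from the booklet, the Python sketch below shows one way to encode the two logical access requirements above: rights assigned by functional duty on a need-to-know basis, and separation of duties so that no single account can originate, approve, and process the same payment. The role names, user accounts, payment identifiers, and amounts are constructed assumptions; the "dave" account is deliberately over-privileged to show that the separation check still holds when one person carries two roles.

```python
"""Added illustration (not booklet code): functional-duty access rights plus
separation of duties across the originate -> approve -> process lifecycle of
a retail payment. Roles, users and payments are constructed."""
from dataclasses import dataclass, field

# Functional duty -> actions it may perform on retail payment data (constructed).
ROLE_RIGHTS = {
    "originator": {"originate"},
    "approver": {"approve"},
    "operator": {"process"},
    "auditor": {"read"},        # need-to-know: read access only, no transaction rights
}

# Lifecycle: (action, required current state, resulting state)
STEPS = [
    ("originate", "new", "originated"),
    ("approve", "originated", "approved"),
    ("process", "approved", "processed"),
]


class AccessDenied(Exception):
    pass


@dataclass
class Payment:
    pid: str
    amount: int
    state: str = "new"
    actors: dict = field(default_factory=dict)   # action -> user who performed it


class PaymentAccess:
    def __init__(self, users: dict):
        self.users = users   # user -> set of functional roles
        self.audit = []      # every attempt: (user, action, pid, granted, reason)

    def _rights(self, user):
        roles = self.users.get(user, set())
        return set().union(*(ROLE_RIGHTS.get(r, set()) for r in roles))

    def perform(self, user, action, payment):
        """Apply `action` to `payment` on behalf of `user`, or raise AccessDenied."""
        reason = None
        step = next((s for s in STEPS if s[0] == action), None)
        if action not in self._rights(user):
            reason = f"{user} lacks right '{action}'"
        elif step is None or payment.state != step[1]:
            reason = f"'{action}' not allowed in state '{payment.state}'"
        elif user in payment.actors.values():
            # Separation of duties: one account may act only once per payment.
            reason = f"separation of duties: {user} already acted on {payment.pid}"
        self.audit.append((user, action, payment.pid, reason is None, reason))
        if reason:
            raise AccessDenied(reason)
        payment.actors[action] = user
        payment.state = step[2]
        return payment.state


def run_sample():
    """Constructed walk-through; returns the access layer and each outcome."""
    ac = PaymentAccess({
        "alice": {"originator"},
        "bob": {"approver"},
        "carol": {"operator"},
        "dave": {"originator", "approver"},   # over-privileged account (constructed)
        "erin": {"auditor"},
    })
    outcomes = {}
    p = Payment("pmt-1", 25_000)
    outcomes["alice originates"] = ac.perform("alice", "originate", p)
    for who, action in [("alice", "approve"), ("erin", "approve"), ("carol", "approve")]:
        try:
            ac.perform(who, action, p)
            outcomes[f"{who} {action}s"] = "granted"
        except AccessDenied as e:
            outcomes[f"{who} {action}s"] = str(e)
    outcomes["bob approves"] = ac.perform("bob", "approve", p)
    outcomes["carol processes"] = ac.perform("carol", "process", p)
    q = Payment("pmt-2", 5_000)
    ac.perform("dave", "originate", q)
    try:   # role check passes for dave, but the separation check still blocks it
        ac.perform("dave", "approve", q)
        outcomes["dave self-approves"] = "granted"
    except AccessDenied as e:
        outcomes["dave self-approves"] = str(e)
    return ac, outcomes


if __name__ == "__main__":
    for k, v in run_sample()[1].items():
        print(f"{k}: {v}")
```

Recording every attempt, denied ones included, is what makes the access layer reviewable by the internal audit function the booklet describes: the denied self-approval by the over-privileged account is exactly the kind of event an IT audit of retail payment controls would want to see.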
A critical element in ensuring retail payment systems integrity is appropriately
identifying and authenticating retail payment system customers. Transaction
authorization (e.g., the approval of a funds transfer or guarantee of
funds) is an essential precondition leading to the interbank transfer
of funds. Financial institutions should establish an adequate internal
control environment for the issuance of bankcards and related personal
identification numbers (PIN). These controls should minimize bankcard
processing errors and fraud and protect the confidentiality of customer
and institution information.
The use of newer technologies, including smart cards, wireless phones, and
the Internet, presents new security challenges. It is increasingly difficult
to implement effective identification and authentication techniques, to verify
the integrity of the transaction data, and to prevent customer repudiation.
Many electronic banking applications use Internet-based open network standards
and rely on commonly accepted technologies to secure transmissions (e.g.,
Secure Sockets Layer [SSL] or virtual private networking [VPN]). The institution
should establish a secure session from the time a consumer enters their
personal banking information to the time of final data transmission.
Retail payment systems should incorporate sufficient security procedures and
controls to verify the integrity of the data, the confidentiality of the
transmission, and the authenticity of the communication partners and data
sources. To discourage fraudulent transactions, management should consider
implementing multi-factor authentication techniques for sensitive retail
payment applications. Using digital certificates that leverage a public key
infrastructure (PKI), and employing biometric, card-based, or token-based
techniques, can provide cost-effective solutions for augmenting traditional
technical controls.
Action Summary

Business Continuity Planning
Effective business continuity planning is an important component in managing
operational risk. Financial institutions and technology service providers
should develop, implement, and test appropriate disaster recovery and
business continuity plans capable of maintaining acceptable retail payment-related
customer service levels. Business continuity plans should be based on
business impact analyses and the relative importance of retail payment
system products and services to the financial institution. 
For financial institutions offering basic retail payment products and services
(e.g., bankcard issuance, check item processing, branch ATM access, and
Internet banking services), business continuity plans should include appropriate
recovery targets for each retail product. The recovery targets should
consider the reliance on any third-party vendors in meeting their objectives.
Vendor management programs should include provisions for the disruption
and restoration of service at service providers, including the consideration
of service provider test plans.
For financial institutions and service providers with complex retail payment
operations, business continuity plans should enable restoration of service
within time frames that are reasonable for internal business units as
well as other dependent financial institutions and counterparties. Financial
institutions providing significant card issuing, merchant processing,
EFT/POS, ACH, and retail payment-related Internet banking services should
also test these plans periodically with customer financial institutions
and counterparties to ensure plans are sufficient.
Action Summary

Vendor and Third-Party Management
Some financial institutions rely on third-party service providers and
other financial institutions to provide retail payment system products
and services to their customers. Many retail payment services are directly
related to core processing financial institution operations (e.g., accessing
demand deposit accounts through the use of financial institution-issued
bankcards) and may be run in-house through the use of purchased turnkey
systems. However, institutions contract many retail payment-related services
to third parties either to enhance the services performed in-house or
to offer new retail payment services that are otherwise not cost effective.
To ensure retail payment operations are conducted appropriately, financial
institutions should have appropriate contract provisions and adequate
due diligence processes. They should also monitor service providers for
compliance. Effective monitoring should include the review of select retail
payment transaction items to ensure they are accurate and processed in a timely manner.
The integrity and accuracy of retail payment transactions posted to customer
accounts depend on the use of proper control procedures throughout all
phases of processing, including outsourced functions.
Regardless of whether the financial institution’s control procedures are manual
or automated, internal controls should address the areas of transaction
initiation, data entry, computer processing, and distribution of output
reports. These control considerations apply to processing checks as well
as electronic bankcard, debit card, and ACH transactions. The financial
institution must also maintain effective control over service provider
access to customer and financial institution information consistent with
GLBA 501(b). Contractual provisions should define the terms of acceptable
access and potential liabilities in the event of fraud or processing errors.
Action Summary

Operations
Financial institutions should adopt measures that limit operational risks
for the processing, clearing, and settlement of retail payments. Financial
institutions and service providers participating in clearing and settlement
arrangements for retail payments should ensure operational reliability
for timely completion of daily processing through adequate information
systems, internal controls, backup facilities, reliable technology, and
adequate staff training and support. Furthermore, organizations should
adopt business continuity plans to provide solutions and to manage interruptions.
Risk analysis should identify confidential assets, critical operations,
and potential threats. It should also define safeguards and countermeasures
to provide appropriate protection.
Institutions can control fraud risk by using fraud databases and fraud analysis tools.
Some bankcard associations and Internet-banking applications use neural
network technologies or behavioral fraud analysis. These tools are specialized
software and hardware designed to identify patterns of behavior, allowing
financial institutions to identify suspicious transactions or spending.
The bankcard associations have also developed numerous fraud detection
and avoidance systems that member financial institutions can use to reduce
losses as a result of fraudulent bankcard use. The growth of e-commerce
has led many institutions and service providers to develop additional
databases to provide early identification of potential fraud.
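As an added example, and not any association's or vendor's system, the following Python code shows the shape of a behavioral fraud analysis of the kind described above: a per-customer baseline is built from past transactions, and each new transaction is scored on how far it departs from that customer's own pattern in amount, merchant category, and time of day, with high scores routed to a review queue. The transaction history, the thresholds, and the weights given to each signal are constructed assumptions; a production system would tune them against labelled fraud outcomes.

```python
"""Added illustration (not booklet code, not an association's system): a
per-customer behavioral baseline that scores how unusual a transaction is
for that customer. History, weights and thresholds are constructed."""
from collections import Counter
from statistics import mean, pstdev


def build_profile(history):
    """history: list of (amount_cents, hour_of_day, merchant_category)."""
    amounts = [a for a, _, _ in history]
    return {
        "mean": mean(amounts),
        "std": pstdev(amounts) or 1.0,   # flat history: avoid dividing by zero
        "hours": Counter(h for _, h, _ in history),
        "categories": Counter(c for _, _, c in history),
        "n": len(history),
    }


def score(profile, amount, hour, category):
    """Return (score, reasons); higher means more unusual for this customer."""
    reasons = []
    s = 0.0
    z = (amount - profile["mean"]) / profile["std"]
    if z > 3:                           # amount far above the customer's norm
        s += min(z, 10) / 10 * 50       # contribution capped at 50 points
        reasons.append(f"amount z={z:.1f}")
    if profile["categories"][category] == 0:   # merchant category never seen
        s += 25
        reasons.append(f"new merchant category {category}")
    near = (profile["hours"][(hour + d) % 24] for d in (-1, 0, 1))
    if all(count == 0 for count in near):      # no activity within an hour of this time
        s += 25
        reasons.append(f"never active near hour {hour}")
    return round(s, 1), reasons


def review_queue(history, candidates, threshold=50):
    """Score each candidate (tid, amount, hour, category); return those to review."""
    prof = build_profile(history)
    flagged = []
    for tid, amount, hour, category in candidates:
        s, why = score(prof, amount, hour, category)
        if s >= threshold:
            flagged.append((tid, s, why))
    return flagged


def run_sample():
    """Constructed baseline (daytime grocery, fuel and restaurant spending)
    and four candidate transactions; returns the flagged ones."""
    history = [
        (3500, 12, "grocery"), (4200, 18, "grocery"), (2800, 9, "fuel"),
        (5100, 19, "restaurant"), (3900, 13, "grocery"), (3100, 8, "fuel"),
        (4600, 20, "restaurant"), (3300, 17, "grocery"), (2900, 9, "fuel"),
        (4800, 19, "restaurant"),
    ]
    candidates = [
        ("t1", 4000, 12, "grocery"),        # typical: not flagged
        ("t2", 95000, 3, "electronics"),    # large, new category, 3 a.m.: flagged
        ("t3", 3000, 9, "jewelry"),         # new category only: below threshold
        ("t4", 9000, 2, "fuel"),            # unusual amount at an unusual hour: flagged
    ]
    return review_queue(history, candidates)


if __name__ == "__main__":
    for tid, s, why in run_sample():
        print(tid, s, "; ".join(why))
```

The scoring deliberately combines several weak signals rather than relying on one: a single new merchant category is not enough to queue a transaction for review, while an amount far outside the customer's range at a time they are never active is. The reasons list travels with the score so that the analyst, and later the auditor, can see why a transaction was held.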
Institutions can also mitigate operational risk by identifying and evaluating potential
legal and compliance risks. They can effectively manage operational risk
by establishing the appropriate legal review process for the products
and services offered. The review process should ensure there are defined
roles and responsibilities for retail payment services, specifically for
the financial institution and its customers. Reliance on third parties
for retail payment products and services should also require a thorough
legal review process that supports an effective vendor management program.
Institutions should also enforce the regulations and consumer compliance
mandates that apply to retail payment services (e.g., Regulation E).