Booklet: Retail Payment Systems
Section: Retail Payment Systems Risk Management
Subsection: Retail Payment Instrument Specific Risk Management Controls
Checks
Return items are a major risk facing institutions that collect checks.
A check will be returned to the depositary financial institution if the
paying financial institution determines not to pay it (return item). Reasons
for returned items include insufficient funds in the account, a closed
account, a stop payment order, a fraudulent signature, or failure of the
paying financial institution.
The Expedited Funds Availability Act (Regulation CC) obligates institutions to make funds available for customer withdrawal in accordance with mandatory schedules. Thus, a depositary financial institution may be required to make funds available to the customer before an unpaid check is returned to the depositary financial institution. When the depositary institution receives a return item, it will charge back its depositing customer’s account for the item even if it has already made the funds available to the depositing customer.
The depositary is exposed to credit risk if the customer does not have sufficient funds in his or her account to cover the returned check. When a paying financial institution returns the item to the depositary, the paying institution does not have to return the item through the same clearing mechanism from which it received the item.
One compensating control for check return items is credit monitoring. Financial institutions should perform a credit assessment of those customers for which they collect large dollar volumes of checks. Financial institutions should also monitor the payment activity of their customers and take appropriate action when credit limits are exceeded. Regulation CC requires that when a paying financial institution decides to return a check of $2,500 or more, it must provide a notice of nonpayment to the depositary financial institution in case the customer tries to withdraw funds represented by the “bad” check.
Using electronic check presentment (ECP) for payment may reduce risk to depositary financial institutions because it permits them to deliver check data to paying financial institutions more quickly than with paper checks. The shorter delivery time permits paying financial institutions to (1) identify checks that cannot be paid and (2) notify the depositary financial institution about those returned checks using an electronic return notice, up to one day earlier than would occur with the physical exchange of paper checks.
However, check truncation—the conversion of MICR information to electronic form—introduces the risk of unauthorized changes to converted check information in transmission or in storage. Financial institutions should develop and implement appropriate information processing safeguards to mitigate this risk. These safeguards should include logical access controls and separation of duties to minimize potential tampering with electronically converted check information and images during processing, and protection of the MICR and check image databases from unauthorized access.
Check fraud is a significant factor in losses reported by financial institutions. The leading form of check fraud is check kiting; that is, presenting checks to two or more financial institutions for the purpose of fraudulently obtaining interest-free unauthorized loans. Other types of check fraud include forged, altered, and counterfeit checks. Positive pay is a technique that can reduce check fraud by requesting businesses to send electronic files of information to the institution on all checks the business has issued. The financial institution then compares this information with electronic information regarding checks presented for payment. If a check presented for payment is not included in the positive-pay information, the institution requests the corporation to make a pay/no pay decision.
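The positive-pay comparison described above, as an added example that is not part of the booklet: the matcher keys the business's issue file by account and serial number, and anything that does not match on amount (or payee, where both sides carry one), is not on file, or has already been paid goes back to the business as an exception for a pay/no pay decision. The Check record and all sample data are constructed for the example.

```python
from dataclasses import dataclass
from decimal import Decimal

@dataclass(frozen=True)
class Check:
    """One check record: the account it draws on, its serial number, amount and payee."""
    account: str
    serial: int
    amount: Decimal
    payee: str = ""

def match_presentments(issued, presented, already_paid=frozenset()):
    """Compare checks presented for payment against the business's issue file.

    Returns (pay, exceptions): `pay` matched on account, serial, amount and, when
    both sides carry one, payee; each exception is a (check, reason) pair that goes
    back to the business for a pay/no-pay decision. `already_paid` holds (account,
    serial) keys paid in earlier cycles so a re-presented serial is not paid twice.
    """
    issue_file = {(c.account, c.serial): c for c in issued}
    seen = set(already_paid)
    pay, exceptions = [], []
    for chk in presented:
        key = (chk.account, chk.serial)
        on_file = issue_file.get(key)
        if key in seen:
            exceptions.append((chk, "duplicate presentment"))
        elif on_file is None:
            exceptions.append((chk, "not in issue file (possible counterfeit)"))
        elif on_file.amount != chk.amount:
            exceptions.append((chk, f"amount altered: issued {on_file.amount}, presented {chk.amount}"))
        elif on_file.payee and chk.payee and on_file.payee != chk.payee:
            exceptions.append((chk, f"payee altered: issued {on_file.payee!r}, presented {chk.payee!r}"))
        else:
            pay.append(chk)
        seen.add(key)
    return pay, exceptions

# Constructed sample data (not from any real account): the business's issue file
# and the checks presented for payment in one cycle.
ISSUED = [
    Check("100-200", 1001, Decimal("125.00"), "Acme Supply"),
    Check("100-200", 1002, Decimal("2400.00"), "Payroll Services Inc"),
    Check("100-200", 1003, Decimal("89.50"), "Utility Co"),
]
PRESENTED = [
    Check("100-200", 1001, Decimal("125.00"), "Acme Supply"),           # clean match
    Check("100-200", 1002, Decimal("7400.00"), "Payroll Services Inc"), # amount raised
    Check("100-200", 1004, Decimal("500.00"), "J. Doe"),                # serial never issued
    Check("100-200", 1003, Decimal("89.50"), "Utility Co"),             # clean match
    Check("100-200", 1001, Decimal("125.00"), "Acme Supply"),           # presented a second time
]

def run_sample():
    return match_presentments(ISSUED, PRESENTED)

if __name__ == "__main__":
    for chk, reason in run_sample()[1]:
        print(f"serial {chk.serial}: {reason}")
```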
Credit Cards
For credit cards, credit losses and fraud losses are two of the most significant
risks to an institution. Credit losses (because of contractual delinquency
and bankruptcy) account for the majority of credit card charge-offs. Fraud
involving credit cards includes unauthorized use of lost or stolen cards,
fraudulent applications, counterfeit or altered cards, and the fraudulent
use of a cardholder’s credit card number for card-not-present transactions.
Consumer compliance regulations and association operating rules provide significant consumer protection for fraudulent transactions. For example, if cardholders timely report the loss of their credit cards, they are responsible, at most, for $50 of the charges resulting from fraud. The issuing financial institution or the merchant pays the costs of any fraud involving credit cards. The merchant should minimally obtain an authorization, a cardholder’s signature, or an electronic imprint of the card (electronic information on the card at the POS). The merchant is required to cover the fraudulent transaction through the chargeback process if it does not follow the minimum procedures. This has become a significant issue for many on-line retailers processing card-not-present transactions. The major bankcard associations, however, are introducing services to reduce the liability of merchants. Under one initiative, issuers will assume losses for fraudulent transactions if the payment was authorized using the bankcard association’s authentication technique.
One control method financial institutions use to reduce risk is the authorization process (approval of the credit transaction). For example, when the merchant swipes the bankcard, the issuer can deny authorization of the transaction if the consumer is over his or her credit limit, is delinquent, or if the card has been reported as stolen. Financial institutions can also employ the address verification service (AVS) to verify a cardholder’s billing address and other pertinent information (used for mail, telephone, and Internet transactions).
Employing the appropriate underwriting, account management, monitoring,
and collection practices can mitigate credit risk. By setting standards
that reduce the probability of delinquency and fraud, institutions can
more effectively control credit losses.
Debit/ATM Cards
For debit or ATM cards, there is the risk that unauthorized individuals
will obtain them and make fraudulent transactions. There is also a risk
to customers’ physical safety at ATM locations. Financial institutions
and service providers should mitigate these risks by executing financial
institution-merchant and financial institution-customer contracts that
delineate each party’s liabilities and responsibilities. Institutions
should also establish adequate physical safeguards including the installation
of surveillance cameras and access/entry control devices. State and federal
statutes protect consumers by limiting their liability if they give notice
of lost, stolen, or mutilated cards within a specified period.
ATM stand-in arrangements, while enabling EFT/POS networks to authorize transactions if a card issuer or processor is unable to authorize and process transactions, also increase the potential for fraud since normal credit limit and authorization procedures are not in effect. Stand-in authorization arrangements should include reasonable credit limits and defined terms of duration to limit potential financial loss.
Card/PIN Issuance
Financial institutions also assume certain fraud-related risks when issuing credit, debit, and ATM cards, either in-house or under contract to third parties. Inadequate internal controls or ineffective card and PIN issuance procedures may result in fraudulent customer transactions. Inappropriate separation of duties that allows employees access to both customer account and PIN information exposes the institution to potential employee fraud.
The embossing and encoding of blank plastic card stock, if done in-house, should be performed in a secure area and include blank card stock inventory controls, accounting controls for the number of cards used (including test and reject cards), and dual controls for blank card stock storage. Procedures for the interim storage of card stock and accounting should exist for all cards not under dual control. Adequate controls should also exist for captured cards.
Accountability controls should also be established to ensure all cards initially disbursed from the storage area are delivered to the mail area or destroyed. Returned cards should be handled by a function independent of the mail department. Control cards should be mailed randomly to customers and their delivery validated within a few days to ensure that no theft has taken place.
PIN generation should be performed at the time of card issuance. Active PIN information should be controlled, including encrypting PIN information on storage devices, and access to PIN databases should be restricted on a need-to-know basis. Staff access to PIN information should be reviewed periodically to confirm access controls are working effectively.
The PIN should not appear in printed form, and staff members should not be able to retrieve or display a customer PIN on-line. PIN mailers should be processed and delivered with the same level of security used for mailing cards, and an active PIN should never be included with the card when mailed to a customer.
The PIN should not be transmitted unencrypted, and the PIN system should record the number of unsuccessful PIN entries, restricting access to a customer’s account after a limited number of attempts. If a PIN is forgotten, the customer should select a new one rather than having staff retrieve the old one.
For institutions that outsource these functions to third parties, written agreements should define roles and responsibilities and detail control and problem resolution procedures. Effective vendor management should include a periodic review of third-party control environments and relevant internal and external audit reports.
Merchant Acquiring
For merchant processors, significant operational (transaction) and credit
risks require careful monitoring. Chargebacks can create significant credit
risk to merchant processors if their merchants cannot honor chargebacks
from cardholder disputes. When the merchant is unable to pay its chargebacks
due to bankruptcy or fraud, the acquiring financial institution must cover
the chargeback and pay the issuing bank. Acquiring financial institutions
should carefully manage the merchant portfolio and employ appropriate
underwriting, chargeback processing, and fraud monitoring to mitigate
the risk.
Operational (transaction) risk is also present in the bankcard clearing process when sales information is transmitted to card-issuing institutions. Operational risk can also arise from improper processing of bankcard transactions, inadequate internal controls, employee error or malfeasance, and other operational challenges.
EFT/POS and Credit Card Networks
There should be accurate audit trails for all transactions at each network
switch point. The audit trails should identify the originating terminal
and destination. In order to ensure accurate transaction posting, adequate
procedures should be in place to control transaction activity if the EFT/POS
network becomes inoperable. Also, financial institutions should document
and monitor procedures for balancing and settling transactions to ensure
they adhere to interchange policies. Each participant in the switch should
receive adequate transaction journals and exception reports necessary
to facilitate final settlement for the institution.
A financial institution should establish stand-in processing arrangements with peer financial institutions as part of its disaster recovery and business continuity plans to ensure availability of the service. Additionally, there should be adequate oversight and contract provisions for all outsourced services to ensure continuity of expected service levels. Agreements between switch or network participants should delineate each party’s liabilities and responsibilities. The agreements should detail basic control items concerning normal and contingency processing as well as assign responsibility for corrective action. Grievance procedures and arbitration policies are also an important part of participant agreements.
ACH
For ACH credit entries, the ODFI incurs credit risk upon initiating the
entries until its customer funds the account. The RDFI incurs credit risk
if it grants funds availability to its customer prior to the final settlement
of the credit entry. For ACH debit entries, the ODFI incurs credit risk
from the time it grants funds availability to the originator (usually
on the settlement day) until the ACH debit can no longer be returned by
the RDFI. If the transaction is properly authorized, returns must be made
no later than the second banking day following settlement. If not authorized
properly, the financial institution’s exposure can be up to 60 days from
when it sends a periodic statement to the consumer. An ODFI will normally
charge back a returned ACH debit to the originator. However, the ODFI
may suffer a loss if the originator's account has insufficient funds,
is closed, or is frozen because of bankruptcy or other legal action.
An RDFI should establish prudent overdraft and funds availability policies and practices to mitigate its credit exposures. Credit risk, with respect to a debit entry, arises if the RDFI allows the debit to overdraw its customer’s account. To manage its credit exposures, an ODFI (and its service provider) should monitor the creditworthiness of its customers and establish and periodically review ACH exposure limits for them. In addition, an ODFI should implement procedures to monitor ACH entries relative to the originator’s exposure limit across multiple settlement dates.
When a financial institution fails to comply with the NACHA rules, it exposes itself to contractual liability and fines. In addition, Regulation E applies to electronic financial services, including ACH transactions. The notice, authorization, and timing requirements of Regulation E are of particular importance. Noncompliance with Regulation E exposes a financial institution to litigation and civil money penalties. Financial institutions should also monitor their compliance with Office of Foreign Assets Control (OFAC) requirements concerning the accounts of blocked parties.
Financial institutions should understand the impact that ACH transaction risk has on their liquidity. For example, an ODFI may not be able to settle (collect) an ACH debit, or an RDFI may not be able to settle an ACH credit because of fraud, service disruption, or the default of an ACH Network participant. This could impair the financial institution’s ability to meet its other obligations without incurring losses. Financial institutions should consider the volume of their uncollected ACH transactions as part of their liquidity risk management practices.
While a financial institution’s responsibilities do not change with the use of a third party for ACH processing, its risk exposure may increase as a result of third-party direct access to an ACH operator. A third-party service provider may transmit ACH transactions directly to an ACH operator using the ODFI routing number, provided it has obtained permission from the ODFI. However, it is the ODFI that warrants the validity of each entry transmitted by the service provider, including the basic requirement that a receiver has authorized all entries. To reduce risk to all parties, the financial institution should establish controls over third-party service provider operations. The ODFI should maintain control over its settlement accounts.
In addition, NACHA rules require third-party service providers performing ACH processing functions on behalf of an ODFI or RDFI to conduct an annual compliance audit covering the requirements of the NACHA rules. The financial institution should review and assess all audits of its service provider’s internal controls.
The NACHA rules require the ODFI to have an agreement with the third-party service provider with direct access to an ACH operator. Although the federal regulators do not enforce the NACHA rules, a financial institution with appropriate risk management will have an agreement. NACHA specifies that the agreement sets out the rights and responsibilities of all parties, including:
- A requirement that the third-party service provider obtain the prior approval of the ODFI before originating ACH transactions for originators under the ODFI routing number. ODFI approval of each originator should be contingent upon the creditworthiness of the originator and the execution of an originator/ODFI agreement;
- ODFI dollar limits for files that a third-party service provider deposits with the ACH Operator. The service provider should notify the ODFI of any files exceeding established dollar limits before depositing them at the ACH Operator so that the ODFI can either approve them as an exception or hold them until the next day; and
- A provision that restricts the third-party service provider’s ability to initiate corrections to files already transmitted to the ACH Operator. The ODFI should restrict correction capability. If the third-party service provider has the ability to make file corrections, the ODFI should authorize and approve any changes to the file totals before the ACH operator releases the file for processing.
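The two ODFI controls above, monitoring originator exposure across multiple settlement dates and applying dollar limits to files a third-party service provider deposits, in one added example that is not part of the booklet: open exposure counts an originator's debits until the return window closes and its credits until they settle, and a file is screened against both the ODFI's file limit and each originator's exposure limit before release. The Entry record, the two-day return window counted in calendar days, and every originator, amount and date are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from decimal import Decimal

@dataclass(frozen=True)
class Entry:
    originator: str
    kind: str          # "debit" or "credit"
    amount: Decimal
    settlement: date

def open_exposure(history, originator, today, return_window_days=2):
    """Sum one originator's entries still carrying ODFI credit risk on `today`: debits until the
    return window closes (2 banking days if authorized; calendar days here) and unsettled credits."""
    total = Decimal("0")
    for e in history:
        if e.originator != originator:
            continue
        in_return_window = e.settlement <= today <= e.settlement + timedelta(days=return_window_days)
        if (e.kind == "debit" and in_return_window) or (e.kind == "credit" and e.settlement >= today):
            total += e.amount
    return total

def screen_file(entries, history, exposure_limits, file_limit, today):
    """Screen a file a third-party sender wants to deposit under the ODFI routing number. Returns
    (scope, subject, reason) exceptions; empty means release. Files over the ODFI dollar limit are
    held for approval; originators over their exposure limit, or with no approved limit, are flagged."""
    exceptions = []
    file_total = sum((e.amount for e in entries), Decimal("0"))
    if file_total > file_limit:
        exceptions.append(("file", "total", f"total {file_total} exceeds ODFI file limit {file_limit}; hold for approval"))
    pending = {}
    for e in entries:
        pending[e.originator] = pending.get(e.originator, Decimal("0")) + e.amount
    for orig, new_amount in sorted(pending.items()):
        limit = exposure_limits.get(orig)
        if limit is None:
            exceptions.append(("originator", orig, "no ODFI-approved exposure limit"))
            continue
        projected = open_exposure(history, orig, today) + new_amount
        if projected > limit:
            exceptions.append(("originator", orig, f"projected exposure {projected} exceeds limit {limit}"))
    return exceptions

# Constructed sample data (hypothetical originators, amounts and dates).
TODAY = date(2024, 3, 6)
HISTORY = [
    Entry("ACME", "debit", Decimal("40000"), date(2024, 3, 5)),   # still inside the return window
    Entry("ACME", "debit", Decimal("25000"), date(2024, 3, 1)),   # return window has closed
    Entry("ACME", "credit", Decimal("10000"), date(2024, 3, 7)),  # initiated, not yet funded
]
LIMITS = {"ACME": Decimal("75000"), "BETA": Decimal("20000")}
FILE_LIMIT = Decimal("100000")
NEW_FILE = [
    Entry("ACME", "debit", Decimal("30000"), date(2024, 3, 7)),
    Entry("BETA", "debit", Decimal("5000"), date(2024, 3, 7)),
    Entry("GAMMA", "debit", Decimal("1000"), date(2024, 3, 7)),  # never approved by the ODFI
]
def run_sample():
    return screen_file(NEW_FILE, HISTORY, LIMITS, FILE_LIMIT, TODAY)
```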
Internet and Telephone-initiated ACH
Financial institutions originating ACH debit entries through the Internet
should ensure they are in compliance with NACHA requirements for Internet-initiated
ACH entries. The NACHA rules established a WEB standard entry class (SEC)
code for Internet-initiated ACH debit entries for which a number of requirements
apply. The rules apply to originators and also affect the ODFI and its
service providers. Under these rules, financial institutions must use
the WEB SEC code to identify all ACH debit entries to consumer accounts
that a receiver authorizes through the Internet. This code applies to
both recurring and single entry ACH debits. In addition, an ODFI that
transmits WEB entries must warrant that its originators have met certain
standards.
Financial institutions originating telephone-initiated (TEL) ACH debit transactions for consumers purchasing goods and services should comply with the NACHA rules for the TEL SEC. Although the TEL SEC facilitates the use of one-time automated consumer payments, recent evidence suggests that intentional misuse of the TEL SEC through fraudulent telemarketing practices is resulting in an increasing number of unauthorized consumer ACH debit entries.
Financial institutions offering TEL origination services on behalf of their customers should adopt the appropriate NACHA risk management practices and may be exposed to substantial risk if originating payments for merchants engaged in fraudulent or deceptive business practices.