Booklet: Retail Payment Systems
Section: Appendix A: Examination Procedures
EXAMINATION OBJECTIVE: Examiners should use the Retail Payment Systems Examination Procedures to determine the adequacy of the financial institution’s and third-party service provider’s policies, business processes, personnel, and internal control systems used to mitigate the risks of retail payment systems. Retail payment system services include checks and share draft item processing, bankcards, payment cards, automated clearinghouse (ACH), EFT/POS networks, and electronic bill payment and person-to-person payment systems. An examiner should base the scope of the examination on his or her assessment of the risks and risk management practices relating to the financial institution’s retail payment system services. This assessment should consider the formal policies and procedures established to provide these services, as well as the effectiveness of the financial institution’s underlying internal control environment, including information security, business continuity, disaster recovery, and vendor management programs.

Financial institutions are exposed to numerous risks in providing retail payment system services to customers. Depending on the complexity of retail payment system activity, the examination coverage may require an integrated team approach that includes the knowledge and skills of safety and soundness examiners, IT examiners, and credit and compliance specialists.

The examination procedures may be part of either an IT or safety and soundness examination. Examiners can use the examination procedures in their entirety or in a modular fashion to focus on particular retail payment system products or business lines. Depending on the size and complexity of the financial institution or service provider, not all of the procedures are necessary to arrive at a conclusion regarding the quality of risk management practices and performance.

 

- Tier I objectives and procedures evaluate the effectiveness of the financial institution’s and service provider’s retail payment systems internal controls and risk management processes that may be relied upon for the purpose of identifying and managing risks.
- Tier II objectives and procedures provide additional validation as warranted by the risks to verify the effectiveness of the financial institution’s and service provider’s retail payment systems function.

TIER I OBJECTIVES AND PROCEDURES

Objective 1: Determine the scope and objectives of the examination of the retail payment systems function.

1. Review past reports for comments relating to retail payment systems. Consider:
- Regulatory reports of examination, including consumer and compliance information.
- Internal control self-assessment completed by business lines.
- Internal and external audit reports, including annual attestation letters.
- Regulatory, audit, and information security reports from service providers.
- Trade group, bankcard association, interchange, and clearinghouse documentation relating to services provided by the financial institution, particularly the NACHA-required annual security audit and bankcard association self-assessments.
- Supervisory strategy documents, including risk assessments.
- Prior examination work papers.

 

2. Review past reports for comments relating to the institution’s internal control environment and technical infrastructure. Consider:
- Internal controls, including physical and logical access controls in the data entry area, data center, and item processing operations.
- EFT/POS network controls.
- Inventory of computer hardware, software, and telecommunications protocols used to support check item processing, EFT/POS transaction processing, ACH, and bankcard issuance and acquiring transaction services.

 

3. Identify and obtain during discussions with financial institution or service provider management:
- A description of the retail payment system activity performed, including transaction volumes, dollar amounts, and scope of operations, including check item processing, ACH, bankcard issuing and acquiring, clearance, settlement, and EFT/POS network activity.
- The retail payment system functions performed through outsourcing relationships and the financial institution’s level of reliance on those services.
- Any significant changes in retail payment system policies, personnel, products, and services since the last examination, particularly the introduction of new retail payment systems incorporating electronic bill presentment and payment (EBPP), stored-value cards, or P2P payment systems.
- A listing of all clearinghouse settlement arrangements in which the financial institution participates. Evaluate the methodology used by the financial institution in assessing its settlement risk from these arrangements.
- Documentation of any related operational or credit losses incurred, reasons for the losses, and actions taken by management to prevent future losses for each retail payment system.
     
4. Review the financial institution’s response to any retail payment systems issues raised at the last examination. Consider:
- Adequacy and timing of corrective action.
- Resolution of root causes rather than specific issues.
- Existence of outstanding issues.
 

Objective 2: Determine the quality of oversight and support provided by the board of directors and management.

1. Determine the quality and effectiveness of the financial institution’s retail payment systems management function. Consider:
- Data center and network management and the quality of internal controls over internal ATM networks and gateway connectivity to regional and national EFT/POS and bankcard networks.
- Departmental management and the quality of internal controls, including separation of duties and dual control procedures, for bankcard, ATM and debit card, ACH, check items, and electronic banking payment transaction processing, clearance, and settlement activity.
- Departmental management and the quality of GLBA 501(b) compliance policies relating to retail payment system generated customer data.
   
2. Assess management’s ability to manage outsourcing relationships with retail payment system service providers and software vendors in order to evaluate the adequacy of terms and conditions, and ensure each party’s liabilities and responsibilities are clearly defined. Consider:
- Adequacy of contract provisions including service level, performance agreements, responsibilities, liabilities, and management monitoring.
- Management’s determination of the service provider’s compliance with applicable financial institution and consumer regulations and with third-party requirements (e.g., NACHA, GLBA, bankcard association, and interchange).
- Adequacy of contract provisions for personnel, equipment, and related services.
- Adequacy of provisions to obtain management information systems (MIS) needed to monitor the third-party’s performance appropriately.
     
3. Evaluate the adequacy and effectiveness of financial institution and service provider contingency and business continuity planning. Consider:
- Ability to recover transaction data and supporting books and records based on retail payment system business line requirements and time lines.
- Level of testing conducted to ensure adequate preparation.
- Stand-in arrangements established with other financial institutions in the event of an ATM outage.
- Alternative access mechanisms in the event of an outage to main access to bankcard, ACH, and other retail options.
     
4. Evaluate retail payment system business line staff. Consider:
- Adequacy and quality of staff resources.
- Effectiveness of policies and procedures outlining department duties, including job descriptions.
 

 

 

Objective 3: Determine the quality of risk management and support for bankcard issuance and acquiring (merchant processing) activity.

1. Evaluate financial institution adherence to bankcard association rules and bylaws and regulatory guidance.

2. Evaluate whether card issuance processing is outsourced to a third party. If yes, evaluate the vendor management controls in place to govern the activities listed in steps 3 and 4.

3. Review internal procedures employed for each bankcard product and assess:
- The integrity of plastic card and PIN issuance processing.
- Whether processing includes appropriate separation of functions in card issuance, PIN issuance, control and storage of card stock, and the maintenance of software controlling PIN generation.
- Whether the institution has established procedures focusing on controls preventing card fraud and abuse.

     
4. Determine whether the audit function periodically performs an inventory of all bankcards at each location owned or operated by the institution and that each location is included in the audit program, either directly or indirectly (e.g., as part of a branch audit).

5. Review a sample of consumer contracts for each bankcard service to ensure they adequately describe the responsibilities and liabilities of the institution and its customers (compliance with Regulation Z).

6. Evaluate the effectiveness of internal clearance and settlement activity as it relates to customer bankcard transactions. Consider the adequacy of:
- Financial and accounting controls in place to clear and settle transactions.
- Periodic reconciliation of all account postings.
- Timely clearance or charge-off of missing items or out-of-balance situations.
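The reconciliation and out-of-balance handling that step 6 asks examiners to evaluate can be made concrete with a small matching routine. The following is an added example, not part of the FFIEC procedures and not any institution's or processor's code: it matches an issuer's daily posting ledger against the network settlement file by reference number and classifies every exception an examiner would expect to see on a reconcilement report (settled but not posted, posted but not settled, amount differs, duplicate posting). Both data sets are constructed inline, and the record layout (ref, amount) is an assumption.

```python
"""Daily reconciliation of an issuer's card posting ledger against the network
settlement file. Added example; not part of the FFIEC procedures. All records
below are constructed, and the record layout (ref, amount) is an assumption."""
from collections import Counter
from dataclasses import dataclass, field
from decimal import Decimal
from typing import List, Tuple


@dataclass(frozen=True)
class Txn:
    ref: str         # network reference number (constructed values below)
    amount: Decimal  # settled amount; Decimal avoids binary float rounding


@dataclass
class ReconResult:
    matched: int = 0
    missing_from_ledger: List[str] = field(default_factory=list)      # settled but never posted
    missing_from_settlement: List[str] = field(default_factory=list)  # posted but never settled
    amount_mismatches: List[Tuple[str, Decimal, Decimal]] = field(default_factory=list)
    duplicates_in_ledger: List[str] = field(default_factory=list)     # same ref posted twice

    @property
    def balanced(self) -> bool:
        """True only when every exception list is empty."""
        return not (self.missing_from_ledger or self.missing_from_settlement
                    or self.amount_mismatches or self.duplicates_in_ledger)


def reconcile(ledger: List[Txn], settlement: List[Txn]) -> ReconResult:
    """Match postings to settlement records by reference and classify every exception."""
    res = ReconResult()
    counts = Counter(t.ref for t in ledger)
    res.duplicates_in_ledger = sorted(r for r, n in counts.items() if n > 1)
    posted = {t.ref: t for t in ledger}
    settled = {t.ref: t for t in settlement}
    for ref, s in settled.items():
        p = posted.get(ref)
        if p is None:
            res.missing_from_ledger.append(ref)
        elif p.amount != s.amount:
            res.amount_mismatches.append((ref, p.amount, s.amount))
        else:
            res.matched += 1
    res.missing_from_settlement = [ref for ref in posted if ref not in settled]
    return res


def net_difference(ledger: List[Txn], settlement: List[Txn]) -> Decimal:
    """Out-of-balance amount: total posted minus total settled (the figure that
    must be cleared or charged off if it does not resolve)."""
    return (sum((t.amount for t in ledger), Decimal("0"))
            - sum((t.amount for t in settlement), Decimal("0")))


# Constructed sample: a duplicate posting, a transposed amount, one item settled
# but never posted, and one posted item the network never settled.
LEDGER = [
    Txn("A1001", Decimal("25.00")),
    Txn("A1002", Decimal("140.50")),   # posted as 140.50, settled as 104.50
    Txn("A1003", Decimal("9.99")),
    Txn("A1003", Decimal("9.99")),     # duplicate posting
    Txn("A1005", Decimal("60.00")),    # never settled
]
SETTLEMENT = [
    Txn("A1001", Decimal("25.00")),
    Txn("A1002", Decimal("104.50")),
    Txn("A1003", Decimal("9.99")),
    Txn("A1004", Decimal("12.00")),    # never posted
]


def exception_report(ledger: List[Txn], settlement: List[Txn]) -> List[str]:
    """Human-readable exception lines for the reconcilement review."""
    r = reconcile(ledger, settlement)
    lines = [f"matched={r.matched} net_difference={net_difference(ledger, settlement)}"]
    lines += [f"NOT POSTED     {ref}" for ref in r.missing_from_ledger]
    lines += [f"NOT SETTLED    {ref}" for ref in r.missing_from_settlement]
    lines += [f"AMOUNT DIFFERS {ref} posted={p} settled={s}" for ref, p, s in r.amount_mismatches]
    lines += [f"DUPLICATE POST {ref}" for ref in r.duplicates_in_ledger]
    return lines


if __name__ == "__main__":
    print("\n".join(exception_report(LEDGER, SETTLEMENT)))
```

The design point for a reviewer is that a net difference alone is not evidence of control: the constructed data nets to a single figure while hiding four distinct exceptions, so the reconcilement report should list each exception by reference and age it until it is cleared or charged off.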

     

7. Evaluate the effectiveness of internal credit monitoring and card authorization performed by the financial institution. Consider the adequacy of:
- Policies and procedures for underwriting, account management, and collection activities.
- Card authorization procedures to mitigate fraudulent use.
- MIS reports and behavioral fraud analysis.

     

8. For financial institutions involved in bankcard acquiring (merchant processing) services, determine the appropriateness of controls over merchant services. Consider the adequacy of:
- New merchant approval and acceptance process, termination procedures, and underwriting guidelines for merchant accounts.
- Fraud and credit monitoring procedures for all established merchant accounts.
- Chargeback processing procedures and controls, including the volume, age, and losses associated with merchant chargebacks.
- Agent bank programs (for which the financial institution performs merchant processing for other institutions), and the level of liability assumed by the acquiring financial institution.

     

Objective 4: Determine the quality of risk management and support for EFT/POS processing activity.

1. Evaluate financial institution compliance with interchange rules and bylaws.

2. Review internal procedures employed for generating active ATM cards. Consider:
- The integrity of PIN issuance and processing, including appropriate separation of functions between card issuance, PIN issuance, and card stock control and storage.
- The maintenance of software controlling PIN generation. The review should focus on controls preventing card fraud and abuse resulting in financial loss to the institution.

3. Determine whether the audit function periodically performs an inventory of unused ATM cardstock at each location owned or operated by the institution and that each location is included in the audit program, either directly or indirectly (e.g., as part of a branch audit).

4. Review a sample of consumer contracts for ATM service to ensure they adequately set forth responsibilities and liabilities of the institution and the customer. Evaluate compliance with applicable regulations.

5. Evaluate the effectiveness of internal clearance and settlement activity as it relates to customer ATM transactions. Consider whether:
- Appropriate financial and accounting controls are in place to clear and settle ATM transactions.
- Reconciliation is performed periodically for all account postings.

 

Objective 5: Determine the quality of risk management and support for ACH processing activity.

1. Evaluate financial institution adherence to NACHA and clearinghouse operating rules and regulations.

2. Review policies and procedures in place to monitor originating customer balances for credit payments (e.g., payroll) to ensure payments are made against collected funds or established credit limits. Also determine that payments in excess of established credit limits are properly authorized.

3. Determine if the institution treats deposits resulting from ACH transmitted debits on other accounts as uncollected funds until there is reasonable assurance the debits have been paid by the institution on which they were drawn. Also, determine if management monitors drawings against uncollected funds to ensure they are within established guidelines.

4. Review a sample of contracts authorizing the institution to originate ACH items for customers and determine whether they adequately set forth the responsibilities of the institution and customer. Consider:
- Whether contracted third-party service providers originating customer entries are also customers of the financial institution.
- Whether the agreements include recognition of all relevant NACHA requirements.
- Whether the ACH clearinghouses of which the financial institution is a member stipulate the funding arrangements (outgoing), the Expedited Funds Availability Act (Regulation CC), UCC4A (credit transfers only), and the Electronic Funds Transfer Act (Regulation E).

5. Determine if ACH activities are considered in the institution’s overall business continuity plans and insurance program.

6. Determine if management monitors originating customers for unreasonable numbers of unauthorized ACH debits. A high number could expose the institution to greater loss.
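Step 6 asks whether management monitors originators for unauthorized debit returns; the following is an added example of what such monitoring looks like in code, not part of the FFIEC procedures and not any institution's or ACH operator's code. It tallies, per originating customer, the debits originated and the returns received, computes an unauthorized return rate, and flags originators above a limit. The sample entries are constructed; the set of return reason codes treated as unauthorized, the rate limit and the minimum-volume floor are assumptions and should be taken from the NACHA Operating Rules and the institution's own policy.

```python
"""Unauthorized ACH debit return monitoring per originating customer. Added
example; not part of the FFIEC procedures. The sample entries are constructed;
the return-code set, the rate limit and the minimum-volume floor are assumptions
to be replaced with the values in the institution's rules and policy."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Return reason codes counted as "unauthorized" in this check (assumption;
# take the authoritative list from the NACHA Operating Rules).
UNAUTHORIZED_CODES = frozenset({"R05", "R07", "R10", "R29", "R51"})
UNAUTHORIZED_RATE_LIMIT = 0.005   # placeholder limit (0.5%); policy value goes here
MIN_ENTRIES_FOR_RATE = 100        # assumption: too few entries to judge a rate below this


@dataclass(frozen=True)
class AchDebit:
    originator: str                    # originating customer identifier (constructed)
    amount: float
    return_code: Optional[str] = None  # None means the debit was not returned


def originator_stats(entries: List[AchDebit]) -> Dict[str, Dict[str, float]]:
    """Per originator: entries originated, total returns, unauthorized returns and rates."""
    raw = defaultdict(lambda: {"originated": 0, "returned": 0, "unauthorized": 0})
    for e in entries:
        s = raw[e.originator]
        s["originated"] += 1
        if e.return_code is not None:
            s["returned"] += 1
            if e.return_code in UNAUTHORIZED_CODES:
                s["unauthorized"] += 1
    stats = {}
    for orig, s in raw.items():
        stats[orig] = dict(s,
                           unauthorized_rate=s["unauthorized"] / s["originated"],
                           return_rate=s["returned"] / s["originated"])
    return stats


def flag_originators(entries: List[AchDebit],
                     limit: float = UNAUTHORIZED_RATE_LIMIT,
                     min_entries: int = MIN_ENTRIES_FOR_RATE) -> List[str]:
    """Originators whose unauthorized return rate exceeds the limit, worst first."""
    stats = originator_stats(entries)
    over = [(s["unauthorized_rate"], o) for o, s in stats.items()
            if s["originated"] >= min_entries and s["unauthorized_rate"] > limit]
    return [o for _, o in sorted(over, reverse=True)]


def _batch(originator: str, n: int, codes: List[str]) -> List[AchDebit]:
    """Build n constructed debits for one originator, the last len(codes) of them returned."""
    unreturned = [AchDebit(originator, 50.0) for _ in range(n - len(codes))]
    returned = [AchDebit(originator, 50.0, c) for c in codes]
    return unreturned + returned


# Constructed month of activity: a payroll originator with no returns, a
# membership biller with several unauthorized returns, a utility with one NSF return.
SAMPLE_MONTH = (
    _batch("PAYROLL-CO", 200, [])
    + _batch("GYM-CO", 200, ["R10", "R10", "R29", "R01", "R01"])
    + _batch("UTILITY-CO", 100, ["R01"])
)


if __name__ == "__main__":
    for orig, s in originator_stats(SAMPLE_MONTH).items():
        print(f"{orig:12} originated={s['originated']:4} unauthorized={s['unauthorized']:2} "
              f"rate={s['unauthorized_rate']:.2%}")
    print("flagged:", flag_originators(SAMPLE_MONTH))
```

Keeping the overall return rate alongside the unauthorized rate lets the reviewer distinguish an originator with a credit problem (NSF returns) from one whose authorizations are in question, which is the exposure step 6 is concerned with.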
     

Objective 6: Determine the quality of risk management and support for electronic banking related retail payment transaction processing.

1. Determine the extent to which the financial institution engages in retail payment systems, including bill payment, stored-value cards, and P2P payments. Consider:
- Strategic plans relating to the introduction of new retail payment system products and services.
- The development of internal pilot programs and partnerships with technology vendors introducing new retail payment systems and delivery channels.
- The extent to which existing Internet and e-banking products and services include new retail payment mechanisms.

2. Evaluate the financial institution’s ability to manage the development and implementation of new retail payment services, focusing on internal controls effectiveness and consumer compliance provisions. Consider:
- Information security, including identification and authentication systems, in the deployment of any smart card, EBPP, and P2P product offerings.
- Customer disclosure and compliance information for retail payment systems using new technologies.
- Technical resources to effectively manage retail payment systems, including Internet technologies, telecommunications protocols, and operations support.

3. Evaluate the financial institution’s ability to incorporate new retail payment product offerings into its existing retail business lines and determine its effectiveness in including these product offerings in its traditional retail payment operations. Consider:
- The integration of new retail payment product offerings with existing clearance, settlement, and accounting functions.
- Whether the financial institution relies on third-party providers for some or all of these services.

 

Objective 7: Determine the quality of risk management and support for checks.

1. Determine if the accounting department handles check return item processing appropriately and reconciles all aged items.

2. Determine whether the institution uses electronic check presentment (ECP) for payment. If yes, consider:
- The effectiveness of the financial institution’s ECP implementation, including logical access controls over electronic files storing MICR and related information.
- Whether the financial institution is using positive pay. Determine whether the logical access controls over the electronic files sent by commercial businesses are adequate.

 

CONCLUSIONS

1. Determine the need to conduct Tier II procedures for additional validation to support conclusions related to any of the Tier I objectives.

2. From the procedures performed, including any Tier II procedures performed:
- Document conclusions related to the quality and effectiveness of the management of the retail payment systems function.
- Determine and document to what extent, if any, the examiner may rely upon retail payment systems procedures performed by internal or external audit.

3. Review your preliminary conclusions with the examiner-in-charge (EIC) regarding:
- Violations of law, rulings, regulations, and third-party agreements.
- Significant issues warranting inclusion as matters requiring board attention or recommendations in the report of examination.
- Potential impact of your conclusions on the Uniform Rating System for Information Technology (URSIT) composite and component ratings.

4. Discuss your findings with management and obtain proposed corrective action for significant deficiencies.

5. Document your conclusions in a memo to the EIC that provides report-ready comments for all relevant sections of the FFIEC report of examination (ROE) and guidance to future examiners. Organize work papers to ensure clear support for significant findings and conclusions.

   

TIER II OBJECTIVES AND PROCEDURES

Examination Objective: The Tier II Retail Payment Systems Examination Procedures provide additional validation procedures verifying the effectiveness of a financial institution’s internal control processes over ACH processing, EFT/POS network processing, check item processing, electronic banking-related retail payments processing, and bankcard processing, clearance, and settlement. These procedures assist in achieving examination objectives, and examiners may use them in their entirety or selectively. Examiners should coordinate this coverage with other examiners involved in assessing the institution’s information systems, operations, information security, and vendor management effectiveness to ensure there is an adequate understanding of the control environment as it pertains to retail payment business lines and to avoid duplication of effort.

Objective 1: EFT/POS and Bankcard Agreements and Contracts

1. If the financial institution is a participant in a shared EFT/POS network or contracts with third-party bankcard-issuing or -acquiring processing service providers, consider whether:
- Contracts with regional EFT/POS network switch and gateway operators and bankcard processors clearly set forth the rights and responsibilities of all parties, including the integrity and confidentiality of customer information, ownership of data, settlement terms, contingency and business recovery plans, and requirements for installing and servicing equipment and software.
- Adequate agreements are in place with all vendors supplying services for retail EFT/POS and bankcard operations (plastic cards, ATM equipment and software maintenance, ATM cash replenishment) that clearly define the responsibilities of both the vendor and the institution.
- Agreements include a provision of minimum acceptable control standards, the ability of the institution to audit the vendor’s operations, periodic submission of financial statements to the institution, and contingency and business recovery plans.
- Contracts and agreements clearly define responsibilities and limits of liability for both the customer and financial institution and include provisions of the Electronic Funds Transfer Act (Regulation E) and the Expedited Funds Availability Act (Regulation CC) for deposit activities.

2. Determine whether management periodically reviews individual sites providing retail EFT/POS and bankcard services to ensure policies, procedures, security measures, and equipment maintenance requirements are appropriate.

3. For retail EFT/POS and bankcard transaction processing activities contracted to third-party service providers, assess the adequacy of the review process performed by management regarding annual financial statements and audit reports.

 

 

 

Objective 2: Personal Identification Numbers (PIN)

1. Assess staff access to PIN data. Ensure there is separation of duties between staff responsible for card operations and staff responsible for preparing or issuing bankcards.

2. Assess the PIN generation process. Ensure there is separation of duties between staff responsible for PIN generation and staff responsible for opening accounts or with access to customer account information.

3. For new PIN issuance, assess the adequacy of control procedures, including accountability assigned to staff initiating such transactions.

4. Assess PIN generation and issuance procedures to determine whether they preclude matching an assigned PIN to a customer’s account number or bankcard.

5. Assess the threshold for PIN access attempts to customer account information and funds. The threshold parameter should be set at a reasonable number of unsuccessful attempts.

6. Assess the level of PIN encryption when stored on computer files or transmitted over telecommunication lines.

7. If resets are allowed, assess the procedures and controls for PIN/password resets. The use of single-use and temporary PINs/passwords is preferred.

8. Assess the adequacy of procedures for prohibiting PIN information from being disclosed over the telephone.

9. Assess staff access to PIN-related databases and determine if management restricts access to authorized personnel. Assess database maintenance activities to ensure management closely supervises and logs staff access.

10. Assess customer PIN selection criteria, focusing on whether the institution discourages or prevents customers from using common words, sequences of numbers, or words or numbers that can easily identify the customer.
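Steps 4, 5 and 10 of this objective describe three mechanical controls: a PIN must not be derivable from the account number, the number of unsuccessful attempts must be capped, and customer-chosen PINs must be screened for obvious patterns. The following is an added example of those controls in code, not part of the FFIEC procedures and not any institution's or processor's implementation. The weak-pattern rules, the attempt limit and the hashed-PIN comparison are assumptions: production card systems verify PINs inside an HSM, and the SHA-256 digest here only stands in for that verification step so the lockout logic can run offline.

```python
"""PIN selection screening and failed-attempt lockout. Added example; not part
of the FFIEC procedures. The weak-pattern rules, the attempt limit and the
hashed-PIN comparison are assumptions: production card systems verify PINs
inside an HSM, so the hash here only stands in for that verification step."""
import hashlib
import hmac
from collections import defaultdict
from typing import Callable, Dict, List, Set

MAX_FAILED_ATTEMPTS = 3   # assumed lockout threshold; set per institution policy


def _is_run(pin: str) -> bool:
    """True for strictly ascending or descending digit runs such as 1234 or 9876."""
    digits = [int(c) for c in pin]
    steps = {b - a for a, b in zip(digits, digits[1:])}
    return steps == {1} or steps == {-1}


def pin_weaknesses(pin: str, account_number: str, birthdate_digits: str = "") -> List[str]:
    """Reasons a candidate PIN fails selection criteria; an empty list means acceptable.

    birthdate_digits is the customer's date of birth as digits only (e.g. YYYYMMDD)."""
    if not (pin.isdigit() and 4 <= len(pin) <= 12):
        return ["length/format"]
    reasons = []
    if len(set(pin)) == 1:
        reasons.append("repeated digit")
    if _is_run(pin):
        reasons.append("digit sequence")
    half = len(pin) // 2
    if len(pin) % 2 == 0 and pin[:half] * 2 == pin:
        reasons.append("repeated pattern")            # 1212, 123123
    if pin in account_number:
        reasons.append("contained in account number")
    if birthdate_digits and pin in birthdate_digits:
        reasons.append("contained in birthdate")
    return reasons


def stored_digest_for(pin: str) -> str:
    """Stand-in for the HSM-held verification value (plain SHA-256 here; assumption)."""
    return hashlib.sha256(pin.encode()).hexdigest()


def pin_check(stored_digest: str) -> Callable[[str], bool]:
    """Constant-time comparison of a candidate PIN against the stored digest."""
    return lambda candidate: hmac.compare_digest(stored_digest_for(candidate), stored_digest)


class PinAttemptGuard:
    """Counts consecutive failed PIN attempts per account and locks at the threshold."""

    def __init__(self, max_failed: int = MAX_FAILED_ATTEMPTS) -> None:
        self.max_failed = max_failed
        self.failed: Dict[str, int] = defaultdict(int)
        self.locked: Set[str] = set()

    def verify(self, account: str, candidate: str, check: Callable[[str], bool]) -> str:
        """Return "ok", "denied" or "locked"; a locked account stays locked even on a correct PIN."""
        if account in self.locked:
            return "locked"
        if check(candidate):
            self.failed[account] = 0          # success resets the counter
            return "ok"
        self.failed[account] += 1
        if self.failed[account] >= self.max_failed:
            self.locked.add(account)          # cleared only by a controlled reset (step 7)
            return "locked"
        return "denied"


if __name__ == "__main__":
    acct = "4005123499"                       # constructed account number
    for cand in ("1234", "0000", "1212", "7391"):
        print(cand, pin_weaknesses(cand, acct) or "acceptable")
    guard = PinAttemptGuard()
    check = pin_check(stored_digest_for("7391"))
    for cand in ("0000", "1111", "2222", "7391"):
        print(cand, guard.verify(acct, cand, check))
```

Two behaviours matter when reviewing a real implementation against steps 5 and 7: the counter must be reset only by a successful verification or a controlled reset procedure, and a correct PIN presented after lockout must still be refused, otherwise the threshold does nothing.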
 
Objective 3: Information Security
1. Evaluate the logical and physical security controls to ensure the availability and integrity of production retail payment systems applications. Consider:
- Whether the physical and logical security controls established for retail payment transaction processing, clearance, and settlement services maintain transaction confidentiality and integrity.
- Whether physical controls limit access to only those staff assigned responsibility for supporting the operations and business line centers processing retail payment and accounting transactions.
- Whether physical controls provide for the ability to monitor and document access to all retail payment operations facilities.

2. Evaluate the effectiveness of all logical access controls assigned for staff responsible for retail payment-related services. Consider:
- Whether management bases controls on separation-of-duties principles routinely implemented for the processing of financial transactions.
- Whether identification and authentication schemes include requiring unique logon identifiers with strong password requirements.
- Whether management bases access controls on a need-to-know basis.
- Whether management bases assigned access to retail payment applications and data on functional staff job duties and requirements.

3. Evaluate the security procedures for periodic password changes, the encryption of password files, password suppression on terminals, and automatic shutdown of terminals not in use.

4. Assess whether the institution encrypts telecommunications lines used to receive and transmit retail customer and financial institution counter-party data. If not encrypted, evaluate the compensating controls to secure retail payment data in transit.
 
Objective 4: Card Issuance
1. Assess bankcard issuance activities, and review control procedures. Consider if management:
- Issues bankcards only as requested.
- Periodically inventories bankcards.
- Maintains adequate controls for activating new accounts.

2. Assess effectiveness of the dual control procedures for blank card stock in each of the encoding, embossing, and mailing steps.

3. Assess physical access controls for card encoding areas. Management should allow access to authorized personnel only.

4. Assess whether inventory controls for plastic card stock make them physically secure.

5. Assess whether management restricts the use of bankcard encoding equipment to authorized personnel only.

6. Assess procedures for issuing cards from more than one location (e.g., branches) to ensure there are accountability and bankcard control procedures at each card-issuing location.

7. Assess institution card-mailing procedures. Ensure the institution mails the card and associated PIN to customers in separate envelopes. Also ensure that the return address does not identify the institution.

8. Assess whether mailing procedures provide for a sufficient period of time in between the card and PIN mailing.

9. Assess returned card procedures. Determine whether adequate controls are in place to ensure returned cards are not sent to staff with access to, or responsibility for, issuing cards.

10. Assess whether there is appropriate follow-up to determine whether the correct customer received the card and PIN.

11. Assess the adequacy of control procedures (e.g., hot card lists and expiration dates) to limit the period of exposure if a card is lost, stolen, or purposely misused.

12. Establish whether the institution destroys captured and spoiled cards under dual control and maintains records of all destroyed cards.

13. Assess whether the institution adequately controls test or demonstration cards.

14. Assess whether management maintains satisfactory controls over the issuance of replacement or additional cards to the customer (e.g., temporary access cards issued to the customer).

15. Assess the vendor management program to determine whether the institution reviews card issuance services contracted to third parties for compliance with appropriate bankcard control procedures.
 
Objective 5: Business Continuity Planning
1. Assess the financial institution’s business continuity plans and review the adequacy of these plans for a partial or complete failure of each retail payment system. Determine if the plans include:
- Recovery of all required components linking the institution with third-party network switch, gateway, or related third-party data centers and bankcard processors.
- Information relative to the volume and importance of the retail payment system activity to the institution’s overall operation.
- Provisions for acceptable store and forward procedures to protect against loss or duplication of data and to ensure full recovery within reasonable time periods.
- Stand-in arrangements with other financial institutions included within the plan, allowing for interim bankcard processing in the event of an outage.
- Adequate testing of plans accounting for various recovery scenarios.
   
Objective 6: EFT/POS and Bankcard Accounting and Transaction Processing
1. Assess the adequacy of reconciliation processes for general ledger accounts related to bankcard and debit card transaction processing activity. Consider whether:
- Accounting reconciles bankcard and ATM transaction origination daily.
- Retail payment system supervisory personnel periodically review reconcilement and exception item reports.
- Accounting periodically reconciles accounts used to control rejects, adjustments, and unpo