Booklet: Wholesale Payment Systems
Section: Intrabank Payment and Messaging Systems
Subsection: Funds Transfer Operations (Wire Room)

A financial institution’s funds transfer operation (wire room) is
responsible for originating, transmitting, and receiving payment orders.
In less complex financial institutions, the wire room typically includes
a FedLine PC.
Less complex institutions may also have a core banking package that includes
a funds transfer module, which generates payment orders in a Fedwire Funds
Service format for uploading to the FedLine PC. Staff assigned responsibility
for these activities are generally responsible for other duties and are
not typically dedicated full-time to the wire room function. In most financial
institutions, funds transfer payment order volume does not justify the
costs associated with a full-time staff, and the sending and receiving
of payment orders may be a part-time responsibility for one or more people.
For less complex financial institutions, a complete separation of duties
may be difficult to achieve, and compensating controls, including rotation
of duties and internal review procedures covering those payment orders
requiring officer review, should be considered.

Financial institutions generating significant payment order volume usually
have a separate funds transfer department with dedicated staff. Financial
institutions generating a large volume of high-value Fedwire Funds Service
payment orders typically use dedicated funds transfer software (developed
in-house or purchased) connected via computer interface to the Federal
Reserve Bank’s Fedwire Funds Service application. The software used
for wire transfers automatically posts transactions to the demand deposit
account and general ledger. The automated function provides an efficient
means to process a large number of payment orders supporting a variety
of business lines.

Payment orders can be received from several different sources including
business areas within the financial institution, as well as from corporate
and individual customers. Payment orders can be initiated by phone, fax,
and online systems. Individuals wishing to wire funds typically do so
at the teller window or contact their loan officer or account representative.
Payment order verification is an important safeguard, and institutions
should, at a minimum, keep accurate records of all payment order requests,
including those initiated by telephone. Institutions should record all
phone calls initiating payment orders for security and audit reasons.
The institutions should maintain the tapes for at least a 30-day period.

After receiving a payment order, the wire room operator keys the payment
order into FedLine (or the payment order is generated through the use
of a third-party software product funds transfer module). Before sending
a payment order to the Federal Reserve Bank, a second staff member should
verify it for accuracy and authorization. Most FedLine PCs have two printers
attached, one that prints copies of all outgoing payment order Fedwire
Funds Service messages and another that prints incoming Fedwire Funds
Service payment order messages. Institutions should maintain a record
of all payment orders for record keeping purposes. The unbroken printout
sheet helps ensure a complete record of all messages; however, institutions
should also verify the sequence numbers of the messages to identify missing
records due to communication problems. The sequence number provides an
audit trail for all funds transfers on the Fedwire Funds Service system.

The institution should have appropriate procedures in place to verify
all processed payment orders. These procedures usually include the use
of code words, call backs, and corporate resolutions authorizing certain
employees to send payment orders. Verification and security procedures
are extremely important in light of the potential for fraud or errors.

A Fedwire Funds Service message is generated either by the application
supporting the business line or by an authorized wire room employee who
enters the message into an on-line terminal. Before the wire is transmitted,
it is sent to a second terminal for an independent employee to verify
for accuracy as well as proper authorization. Only after a second staff
member reviews the payment order should a financial institution send it
to the Federal Reserve Bank for processing.

This separation of duties is important to ensure security. The institution’s
internal funds transfer system should maintain data on each day’s
transfers, including wires sent and received, wires listed by amount,
wires listed by sequence number, and wires listed by account holder. Most
software systems maintain the work of several previous days, often the
last 5 to 7 days, to allow on-line access to trace errors and problems.
After the 5 to 7 days, the data is typically archived.
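
An added example (not part of the original handbook text) of the two log checks described above: verifying sequence numbers to find missing records, and confirming that each payment order was verified by a second staff member. The record layout, operator names and function name are hypothetical, and the sample log is constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical record layout for one outgoing payment order in the wire log.
# It does not reflect the Fedwire Funds Service message format.
@dataclass(frozen=True)
class WireRecord:
    seq: int                    # sequence number of the outgoing message
    amount_cents: int
    entered_by: str             # operator who keyed the payment order
    verified_by: Optional[str]  # second staff member who verified it, if any

# Constructed sample log for one day (expected sequence range 101-106).
SAMPLE_LOG = [
    WireRecord(101, 2_500_000, "op_alice", "op_bob"),
    WireRecord(102, 90_000, "op_alice", "op_alice"),   # self-verified
    WireRecord(104, 1_200_000, "op_bob", "op_carol"),  # 103 is missing
    WireRecord(105, 40_000, "op_carol", None),         # never verified
    WireRecord(105, 40_000, "op_carol", None),         # duplicate record
    WireRecord(106, 75_000, "op_bob", "op_alice"),
]

def review_wire_log(records, first_seq, last_seq):
    """Return the exceptions an independent reviewer should follow up on."""
    seen = {}
    duplicates = set()
    for rec in records:
        if rec.seq in seen:
            duplicates.add(rec.seq)
        seen.setdefault(rec.seq, rec)
    # Every number in the expected range must appear; a hole means a message
    # is absent from the record (for example, lost to a communication problem).
    missing = [n for n in range(first_seq, last_seq + 1) if n not in seen]
    out_of_range = sorted(n for n in seen if not first_seq <= n <= last_seq)
    # Dual control: a verifier must exist and must differ from the originator.
    dual_control = sorted(
        n for n, rec in seen.items()
        if rec.verified_by is None or rec.verified_by == rec.entered_by
    )
    return {
        "missing": missing,
        "duplicates": sorted(duplicates),
        "out_of_range": out_of_range,
        "dual_control_exceptions": dual_control,
    }

if __name__ == "__main__":
    for finding, seqs in review_wire_log(SAMPLE_LOG, 101, 106).items():
        print(f"{finding}: {seqs}")
```
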

COMPUTER AND NETWORK OPERATIONS SUPPORTING FUNDS TRANSFER

Wholesale funds transfer systems are high risk. Therefore, management
should configure hardware and software components to control access and
support effective monitoring. Management should develop change management
procedures to ensure the integrity of the hardware configurations and
applications software. Operations personnel should have the appropriate
procedures to manage critical payment systems software.

Applications should employ strong user authentication, support user entitlement
(information access and function controls) administration, and provide
audit trails in sufficient detail to support the analysis or investigation
of specific transactions. Management should enable funds transfer activity
logs and designate independent staff members to monitor operations, applications
support, system administration, and security administrators’ activities
associated with the funds transfer system.

Telecommunications systems employed for EFT can range from a dial-up connection
between the institution and the payments system (e.g., FedLine) to terminal
connections with institution staff and customers that transmit the institution’s
funds transfer system payment orders directly to the Fedwire Funds Service
via a computer interface (CI) connection. An institution’s information security program
should include access, authentication, and transmission controls surrounding
wire room activities and all terminal connections. Access and authentication
controls may consist of personal identification numbers, passwords, or
other identifying keys such as account numbers, balances, or other financial
data. Financial institutions should use encryption as a means of protecting
data throughout the EFT system. Encrypting data during transmission allows
institutions to scramble the contents of message/payment orders during
transmission and limit the value of the information to an interloper even
if a transmission is intercepted. Nevertheless, financial institutions
should monitor or prevent access to funds transfer activity by data processing
personnel who have access to communications equipment and can monitor
and record data flowing in clear text from encryption devices.