Booklet: Retail Payment Systems
Section: Retail Payment Systems Risk Management
Subsection: Operational Risk
Operational risk is the risk of loss resulting from inadequate or failed internal processes, people and systems, or external events. Operational risk can arise from a technology failure, human or technical errors in financial models and reporting, or other internal control system deficiencies. In the case of RDC, operational risk (e.g., image/data quality, business continuity, information security) increases when deposit processing occurs at the customer location, which is outside of the financial institution’s direct control. As a result, the financial institution could experience delays or disruptions in processing, clearing, and settling retail payment transactions that could lead to credit and liquidity problems at other financial institutions.

Operational risk can also arise from fraud perpetrated by employees or by external sources. A financial institution is exposed to operational risk from fraud when a wrongful or criminal deception can lead to a financial loss for one of the parties involved. While fraud risk in traditional ACH activity is low, new ACH products and services, such as one-time ACH debits from Internet-based and telemarketing merchants (WEB and TEL), pose considerable fraud potential. With traditional ACH activity, financial institutions have employed strong front-end fraud controls for recurring debits they originate. These controls are typically not present with WEB and TEL transactions. The continuing growth of check-to-ACH conversion, check truncation, and the growing use of RCCs, RDC, and electronically created payment orders present new forms of fraud risk. In these situations, liability typically rests with the financial institution where the check is first deposited or the ACH item is originated. In the case of electronically created payment orders, liability rests with the financial institution that sends the file to the Reserve Bank or other correspondent. As operational processes continue to change, financial institutions will need to enhance their internal controls, as described below, to mitigate operational risk, because existing control mechanisms may not be as effective as necessary.

Newer retail payment mechanisms, particularly using the Internet, also subject customers and financial institutions to fraud risk exposure. All of these highly automated processes typically reflect a reengineering of the existing check processes, and the existing fraud controls may not be adequate. The creation of fraudulent electronic transactions could lead to financial losses if fraudulent balances are successfully exchanged for a readily transferable form of funds, such as currency.

Operational risk controls should include sound information systems, and procedural, administrative and legal measures to prevent or limit financial loss. System measures include monetary and time limits (per transaction, per payment instrument, per client), personal authentication, and encryption techniques to ensure the authenticity and integrity of the payer and transaction information. Additional controls include the use of certified, tamper-resistant equipment (e.g., EFT/POS terminals), logical access controls to verify transactions, online verification of account balances, logging of all transactions and attempts to make a transaction, and the use of serial numbers and check digits.

Financial institutions can create a fraud detection control through a due diligence program for new account acceptance coupled with ongoing, automated monitoring of deposit account transactions. Account monitoring should be facilitated through the use of caps, limits, and triggers to measure activity on an intraday basis. Financial institutions use a variety of automated databases, such as credit bureaus, to review new accounts prior to or soon after opening the accounts. Institutions also use a number of vendor-supported automated algorithms to review deposit account transactions for unusual activity related to kiting or other fraud.

Other procedural measures for reducing fraud include: closely monitoring return rates for all customers, appropriate dual custody and separation of duties for critical payment transaction processing and accounting tasks, payment data verification, clear error processing and escalation procedures, and confidential and tamper-resistant mailing procedures for bankcards and other sensitive material. Account reconcilement processes are vital to early detection of errors and fraud. Administrative measures should include IT audit coverage of operational controls, legal controls (including regulatory compliance and agreements), and personnel issues associated with staffing and training.
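The caps, limits, and triggers for intraday account monitoring and the return-rate monitoring described above, as an added example that is not part of the booklet. The thresholds, customer IDs and transactions are constructed; per-channel limits are keyed by ACH SEC code (WEB and TEL from the text, PPD assumed as the label for recurring consumer debits) so that the weaker-controlled WEB and TEL channels get tighter settings.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Limits:
    per_item_cap: float         # cap on a single debit
    intraday_limit: float       # cumulative debits per customer per day
    velocity_trigger: int       # item count per day that raises an alert
    return_rate_trigger: float  # share of returned items that raises an alert

# Constructed thresholds; tighter for WEB and TEL, where front-end controls are weaker.
LIMITS = {
    "PPD": Limits(5000.0, 25000.0, 50, 0.15),
    "WEB": Limits(500.0, 2000.0, 3, 0.05),
    "TEL": Limits(1000.0, 1500.0, 10, 0.05),
}

# Constructed one-day activity: (customer_id, SEC code, amount, returned)
TRANSACTIONS = [
    ("C001", "PPD", 1200.00, False),
    ("C001", "PPD", 900.00, False),
    ("C002", "WEB", 45.00, False),
    ("C002", "WEB", 45.00, True),
    ("C002", "WEB", 45.00, False),
    ("C002", "WEB", 45.00, True),
    ("C003", "TEL", 2500.00, False),
    ("C003", "TEL", 300.00, False),
    ("C003", "TEL", 300.00, False),
    ("C003", "TEL", 300.00, False),
]

def monitor(transactions, limits):
    """Evaluate caps, limits and triggers as items arrive. Returns alert tuples
    (customer_id, channel, alert_type, observed_value), each fired at most once."""
    alerts, fired = [], set()
    totals, counts, returns = defaultdict(float), defaultdict(int), defaultdict(int)

    def raise_once(key, kind, value):
        if (key, kind) not in fired:
            fired.add((key, kind))
            alerts.append((key[0], key[1], kind, value))

    for cust, channel, amount, returned in transactions:
        lim, key = limits[channel], (cust, channel)
        totals[key] += amount
        counts[key] += 1
        returns[key] += int(returned)
        if amount > lim.per_item_cap:           # cap: one item too large
            raise_once(key, "PER_ITEM_CAP", amount)
        if totals[key] > lim.intraday_limit:    # limit: running total breached
            raise_once(key, "INTRADAY_LIMIT", totals[key])
        if counts[key] > lim.velocity_trigger:  # trigger: too many items today
            raise_once(key, "VELOCITY", counts[key])

    # End-of-day return-rate review for each customer and channel
    for key, n in counts.items():
        rate = returns[key] / n
        if rate > limits[key[1]].return_rate_trigger:
            raise_once(key, "RETURN_RATE", round(rate, 3))
    return alerts
```

Running `monitor(TRANSACTIONS, LIMITS)` flags C003's oversized TEL debit and breached intraday limit, and C002's WEB velocity and 50% return rate, while C001's recurring PPD activity stays within its limits.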

In the event of an unauthorized use of a payment card, the cardholder’s liability is limited to a specified amount if he or she notifies the card issuer of the theft or loss within a set time limit. To limit their own losses from POS card fraud, the bankcard companies require vendors to match the cardholder’s signature on the card with the signature on the payment voucher at the POS. The bankcard companies have also introduced extensive monitoring and reporting controls to limit fraudulent activity.

In a broader view of operational risk management, financial institutions should employ vendor management programs that provide for due diligence of new service providers as well as ongoing monitoring of existing vendors. An effective vendor management program will focus on data security and business continuity.

In addition, a more effective approach to mitigate fraud risk may be to view this risk potential across channels. This requires an enterprise view of the range of retail payments activities. Those payments that use multiple payment channels for processing and clearing are subject to an increased level of fraud risk because traditional fraud detection and prevention measures are designed for single channels. Fraud is more likely to migrate to those channels where fraud detection and prevention measures are less developed.

Mitigation of Operational Risk
Financial institutions should adopt measures that limit operational risks arising from the processing, clearing, and settlement of retail payments. Financial institutions and technology service providers participating in clearing and settlement arrangements for retail payments should ensure operational reliability for timely completion of daily processing through adequate information systems, internal controls, backup facilities, reliable technology, and adequate staff training and support. Furthermore, these organizations should adopt business continuity plans to minimize and manage the effects of interruptions. Risk analysis should identify confidential assets, critical operations, and potential threats. It should also define safeguards and countermeasures to provide appropriate protection.

Risk from fraud or error from customers that generate high volumes of RDCs, electronically created payment orders, or RCCs can be managed more effectively with the use of activity and fraud monitoring tools for those customers. Financial institutions that originate large volumes of ACH transactions directly or through third-party service providers should also consider these tools as part of their due diligence. Fraud databases and fraud analysis tools can assist financial institutions in detecting and controlling potential fraud risk. Some bankcard associations and Internet banking applications use neural network technologies or behavioral fraud analysis. These technologies utilize specialized software and hardware designed to identify patterns of behavior that enable financial institutions to identify suspicious transactions or spending. The bankcard companies have also developed numerous fraud detection and avoidance systems that member financial institutions can use to reduce losses as a result of fraudulent bankcard use. The growth of e-commerce has led many financial institutions and service providers to develop additional databases that provide early identification of potential fraud.

Identifying, evaluating, and addressing potential legal and compliance risks associated with new payment systems providers can also help mitigate operational risk. For example, a thorough legal review process can ensure that there are clearly defined roles and responsibilities for the financial institution, its service providers, and its customers. Financial institutions should also comply with the regulations and consumer compliance mandates that apply to retail payment services (e.g., Regulation E).

Financial institutions also should have appropriate risk control functions such as audit, information security, vendor management, and business continuity, as discussed in the following sections.

Audit
An effective audit function should include internal and external audit coverage, tailored to the complexity of the financial institution, and based upon an accurate, enterprise-wide assessment of the institution’s risk profile. Due to the potentially large transaction volumes and associated dollar value when initiating payments, internal audit coverage is critical for an effective oversight of the financial institution’s retail payment systems. Auditors should perform an evaluation of the financial institution’s retail payment system business lines on the basis of overall risk to the financial institution. Based on this evaluation, they should develop an appropriate schedule of audits. The audit coverage should be sufficient to validate the internal control environment surrounding the processing, clearance, and settlement of retail payment transactions. Auditors should review accounting controls and assess the effectiveness of transaction processing, clearance, and settlement processing procedures.

The board of directors should ensure the operational and IT audit program tests retail payment system internal controls, management policies, and procedures. IT audit coverage should include the design and implementation of retail payment products, and the supporting IT environment encompassing internal data centers, contingency sites, and network infrastructure. IT audit coverage should verify the adequacy of internal controls in applicable business lines responsible for managing day-to-day retail payment system services. Internal audit should assess the comprehensiveness of the institution’s vendor management program to ensure the institution is appropriately managing vendor risk. Internal audit should also evaluate payment systems when conducting BSA audits.

Information Security
Financial institutions should implement the appropriate physical and logical security controls to ensure retail payment system transactions are processed, cleared, and settled in an accurate, timely, and reliable manner. Retail payment systems contain confidential customer information subject to GLBA section 501(b) security guidelines. Payments data may also be subject to the requirements of the Payment Card Industry Data Security Standard (PCI DSS). The board and management are responsible for protecting the confidentiality, integrity, and availability of these systems and data. The privacy risk combined with the funds transfer capability should cause these systems to rank high in all institutions’ information security risk assessments. The risk assessments should consider physical and logical security controls for the origination, approval, transmission, and storage of retail payment system transactions.

Physical controls should limit access to sensitive areas to staff assigned responsibility for supporting the operations and business line centers that process retail payment and accounting transactions. Physical controls should also provide for monitoring and documenting access to these facilities.

Management should assign appropriate logical access to staff responsible for retail payment-related services and should base access rights on the need to separate the duties of personnel responsible for originating, approving, and processing the transactions. Appropriate identification and authentication techniques include requiring unique authenticators for each staff member with strong password requirements.

Logical access controls should permit access on a need-to-know basis and should assign access to retail payment applications and data based on functional job duties and requirements. Logical access controls should also protect network access. An institution’s risk assessment should require protection of retail payment systems from unauthorized access through appropriate access controls, network and host configuration, operation, firewalls, and intrusion detection and monitoring. The risk assessment should also review the security of all third-party service providers. Some institutions accomplish this by isolating all payment-related applications and systems from other production applications.
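The logical access model described in the two paragraphs above (entitlements based on functional job duties, and separation of the originating, approving, and processing roles, with dual custody for large batches), as an added example that is not part of the booklet. The staff names, entitlements, workflow steps and dual-custody threshold are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed entitlements: functional duty -> staff allowed to perform it
ENTITLEMENTS = {
    "originate": {"alice", "bob"},
    "approve":   {"carol", "dave"},
    "release":   {"dave", "erin"},
}
DUAL_CUSTODY_THRESHOLD = 100_000.0   # constructed; at or above this, two approvers

class ControlViolation(Exception):
    """Raised when an action would breach an access or separation control."""

def required_steps(amount):
    """Workflow for a batch: originate -> approve (twice if large) -> release."""
    steps = ["originate", "approve"]
    if amount >= DUAL_CUSTODY_THRESHOLD:
        steps.append("approve")   # dual custody: a second, independent approver
    return steps + ["release"]

@dataclass
class PaymentBatch:
    batch_id: str
    amount: float
    history: list = field(default_factory=list)   # (step, user) already performed

    def perform(self, step, user):
        steps = required_steps(self.amount)
        if len(self.history) >= len(steps):
            raise ControlViolation(f"{self.batch_id} already released")
        # Need-to-know: the user must hold the entitlement for this duty
        if user not in ENTITLEMENTS.get(step, set()):
            raise ControlViolation(f"{user} is not entitled to {step}")
        # Sequence: steps must be taken in workflow order
        expected = steps[len(self.history)]
        if step != expected:
            raise ControlViolation(f"expected {expected}, got {step}")
        # Separation of duties: one person never acts twice on the same batch
        if any(u == user for _, u in self.history):
            raise ControlViolation(f"{user} already acted on {self.batch_id}")
        self.history.append((step, user))

    def state(self):
        steps = required_steps(self.amount)
        done = len(self.history)
        return "released" if done == len(steps) else f"awaiting {steps[done]}"

def run_batch(batch_id, amount, actions):
    """Apply (step, user) actions in order; return the final state or the rejection."""
    batch = PaymentBatch(batch_id, amount)
    try:
        for step, user in actions:
            batch.perform(step, user)
    except ControlViolation as exc:
        return f"rejected: {exc}"
    return batch.state()
```

Note that dave holds both approve and release entitlements, yet the separation check still prevents him from approving and releasing the same batch.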

A critical element in ensuring retail payment systems integrity is the appropriate identification and authentication of retail payment system customers. Transaction authorization (e.g., the approval of a funds transfer or guarantee of funds) is an essential precondition leading to the interbank transfer of funds. Financial institutions should establish an adequate internal control environment for the issuance of bankcards and related PINs. These controls can minimize processing errors and fraud and protect the confidentiality of customer and institution information.

The use of newer and emerging technologies presents new security challenges. As new retail payment products and services are developed, it may become necessary to modify methods for customer identification and authentication to ensure their effectiveness.

Many electronic banking applications use Internet-based, open network standards and rely on commonly accepted technologies to secure transmissions (e.g., secure sockets layer [SSL] or other virtual private network [VPN] technologies). The institution should establish a secure session before consumers can submit their personal banking information, and should maintain the secure session until the time of final data transmission.

Retail payment systems should incorporate sufficient security procedures and controls to verify the integrity of the data, the confidentiality of the transmission, and the authenticity of the communication partners and data sources. The selection and use of authentication technologies and methods should depend upon the results of a financial institution’s risk assessment process. Where risk assessments indicate that the use of single-factor authentication is inadequate, financial institutions should implement multifactor authentication, layered security, or other controls reasonably calculated to mitigate those risks. Single-factor authentication alone is inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties. Using digital certificates, leveraging the public key infrastructure (PKI), and employing biometrics and card- or token-based techniques can provide cost-effective solutions for augmenting traditional technical controls.

Institutions that participate in payment card systems should develop processes to ensure compliance with the PCI DSS. This standard is discussed further in the “Merchant Acquiring” section.

Institutions should have a response program in place that addresses security breaches, including incidents with their third-party servicers. The program should include the investigation, customer notification, if applicable, and reporting processes for regulatory and law enforcement agencies.

Business Continuity Planning
Effective business continuity planning is an important component in managing operational risk. Financial institutions and their TSPs should develop, implement, and test appropriate disaster recovery and business continuity plans capable of maintaining acceptable retail payment-related customer service levels. Business continuity plans should be based on business impact analyses and the relative importance of retail payment system products and services to the financial institution.

For financial institutions offering basic retail payment products and services (e.g., bankcard issuance, check item processing, branch ATM access, Internet banking services), business continuity plans should include appropriate recovery targets for each retail product. The recovery targets should consider the reliance on any third-party servicer in meeting their objectives. Vendor management programs should include provisions for the disruption and restoration of service at service providers, including the consideration of service provider test plans.

For financial institutions and service providers with complex retail payment operations, business continuity plans should enable restoration of service within timeframes that are reasonable for internal business units, other dependent financial institutions, and counterparties. Financial institutions providing significant card issuing, merchant processing, EFT/POS, ACH, and retail payment-related Internet banking services should also test these plans periodically with customer financial institutions and counterparties to ensure plans are sufficient.

Vendor and Third-Party Management
Some financial institutions rely on third-party service providers and other financial institutions to provide retail payment system products and services to their customers. Many retail payment services are directly related to core processing financial institution operations (e.g., accessing demand deposit accounts through the use of financial institution-issued bankcards) and may be run in-house through the use of purchased turnkey systems. However, financial institutions outsource many retail payment-related services to third parties, including foreign-based providers, either to enhance the services performed in-house or to offer new retail payment services that are otherwise not cost effective.

To ensure retail payment operations are conducted appropriately, financial institutions should have comprehensive contract provisions and adequate due diligence processes. They should also monitor service providers for compliance with contracts and service level agreements. Effective monitoring should include the review of select retail payment transaction items to ensure they are accurate and processed timely. The integrity and accuracy of retail payment transactions posted to customer accounts depend on the use of proper control procedures throughout all phases of processing, including outsourced functions.

Regardless of whether the financial institution’s control procedures are manual or automated, internal controls should address the areas of transaction initiation, data entry, computer processing, and distribution of output reports. These control considerations apply to processing checks, including through RDC, as well as electronically created payment orders, electronic bankcard, debit card, and ACH transactions. Financial institutions must also maintain effective control over service provider access to customer and financial institution information consistent with GLBA section 501(b). Contractual provisions should define the terms of acceptable access and potential liabilities in the event of fraud or processing errors.