<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html> <head> <title>Examination Procedures</title> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"> </head> <body bgcolor="#FFFFFF" text="#000066" link="#0033FF" vlink="#006600" alink="#0033FF"> <table width="100%" border="0" cellspacing="0" cellpadding="2"> </table> <table width="98%" border="0" align="center" cellpadding="0" cellspacing="0"> <tr> <td> <div align="left"></div> <table width="760" border="0" align="left" cellpadding="0" cellspacing="0"> <tr> <td colspan="25" nowrap> <div align="left"><font face="Arial, Helvetica, sans-serif"><b><strong><font face="Arial, Helvetica, sans-serif"><b><strong><font color="#B08709" size="5">Booklet</font></strong></b></font><font color="#B08709" size="5">:</font><font color="#000066" size="5"> </font></strong></b><font face="Arial, Helvetica, sans-serif"><font face="Arial, Helvetica, sans-serif"><font face="Arial, Helvetica, sans-serif"><font face="Arial, Helvetica, sans-serif"><strong><font face="Arial, Helvetica, sans-serif"><font face="Arial, Helvetica, sans-serif"><font face="Arial, Helvetica, sans-serif"><font face="Arial, Helvetica, sans-serif"><font face="Arial, Helvetica, sans-serif"><strong><font face="Arial, Helvetica, sans-serif"><font face="Arial, Helvetica, sans-serif"><font face="Arial, Helvetica, sans-serif"><font face="Arial, Helvetica, sans-serif"><font face="Arial, Helvetica, sans-serif"><strong><font face="Arial, Helvetica, sans-serif"><font face="Arial, Helvetica, sans-serif"><font face="Arial, Helvetica, sans-serif"><font face="Arial, Helvetica, sans-serif"><font face="Arial, Helvetica, sans-serif"><strong><font color="#000066" size="5">Retail Payment Systems</font></strong></font></font></font></font></font></strong></font></font></font></font></font></strong></font></font></font></font></font></strong></font></font></font></font><font size="5" face="Arial, Helvetica, sans-serif"><strong><br> <font face="Arial, 
Helvetica, sans-serif"><b><strong><font face="Arial, Helvetica, sans-serif"><b><strong><font face="Arial, Helvetica, sans-serif"><font size="5" face="Arial, Helvetica, sans-serif"><strong><font color="#B08709">Section: </font></strong></font></font></strong></b></font></strong></b></font><font color="#000066">Appendix A:</font> </strong></font><font face="Arial, Helvetica, sans-serif"><font face="Arial, Helvetica, sans-serif"><strong><font face="Arial, Helvetica, sans-serif"><font face="Arial, Helvetica, sans-serif"><font face="Arial, Helvetica, sans-serif"><font face="Arial, Helvetica, sans-serif"><strong><font color="#000066" size="5">Examination Procedures</font></strong></font></font></font></font></strong></font></font><font size="5"><strong><br> </strong></font><font face="Arial, Helvetica, sans-serif"><font size="5" face="Arial, Helvetica, sans-serif"><strong><font color="#FFFFFF">Subsection: </font></strong></font></font><font size="5"><strong><br> </strong></font></font></div></td> </tr> <tr> <td colspan="25" nowrap>&nbsp;</td> </tr> </table>
<p>&nbsp;</p> <p>&nbsp;</p> <p>&nbsp;</p> <p>&nbsp;</p> <p>&nbsp;</p> <p align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif"><strong>EXAMINATION OBJECTIVE: </strong>Examiners should use the following Tier I and Tier II Retail Payment Systems examination procedures to evaluate the policies and procedures, business processes, personnel, and internal control systems of financial institutions and technology service providers. Retail payment system services include checks and share draft item processing, bankcards, payment cards, ACH, EFT/POS networks, electronic bill payment, person-to-person (P2P) and account-to-account (A2A) payment systems, and many other products and services resulting from emerging advances in technology. The examination scope should be based upon the risk profile of the financial institution or the technology service provider. The risk profile is determined through an assessment of the entity's risk environment and quality of risk management practices. This assessment should consider the formal policies and procedures established to provide these services, as well as the effectiveness of the financial institution's underlying internal control environment, including information security, business continuity, disaster recovery, and vendor management programs.</font></p> <p align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Retail payment services expose financial institutions to numerous risks, including legal, compliance, strategic, operational, credit and liquidity. 
Depending on the complexity of retail payment system activity, the scope of the examination may require an integrated team approach that includes the knowledge, skills, and expertise of IT, credit, and compliance specialists.</font></p> <p align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">The examination procedures may be part of either an IT or safety and soundness examination. Examiners can use the procedures in their entirety or in a modular fashion to focus on particular retail payment system products, services, or business lines. Depending on the size, complexity and risk profile of the financial institution or technology service provider, not all of the procedures may be necessary to develop overall conclusions. The examination of retail payment services may also support the institution's BSA/AML examination, which requires an evaluation of related risks in retail payment services. </font></p> <p align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">The primary objectives of the Tier I procedures are to evaluate the effectiveness of the internal controls and risk management processes implemented by the financial institution or the technology service provider. 
Examiners should use the Tier II procedures to expand the scope of the examination further if the risk profile or organization's complexity requires additional information to establish comprehensive and accurate examination conclusions.</font></p> <p align="left"><font color="#000066" size="5" face="Arial, Helvetica, sans-serif"><b><strong>TIER I OBJECTIVES AND PROCEDURES</strong></b></font></p> <table width="100%" border="0" cellspacing="0" cellpadding="2"> <tr> <td colspan="4" align="center" valign="baseline"> <p align="left"><strong><em><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Objective 1: Assess the level of risk in retail payment systems function</font></em></strong></p></td> </tr> <tr> <td width="17" align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">1. </font></td> <td colspan="3" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Determine the types of retail payment products and services offered. 
Consider the following:</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td colspan="2"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">The types of customers using the products and services</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td colspan="2"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">The geographic service footprint (e.g., international usage)</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td colspan="2"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Check processing, particularly check imaging, remotely created checks (RCCs), and remote deposit capture</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td colspan="2"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">ACH, including third-party originations, TEL, WEB, ARC, POP, and BOC</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font 
size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td colspan="2"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Card issuance</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td colspan="2"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Card processing</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td colspan="2"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Merchant acquisition and processing</font></td> </tr> <tr> <td colspan="4" align="center" valign="baseline"><div align="left"> <p align="left">&nbsp;</p> </div></td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">2.</font></td> <td colspan="3" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Determine whether new retail payment products and emerging technologies pose increased risk due to the lack of maturity of the respective control environments. 
Consider:</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td colspan="2"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">New retail payment products and services that have been introduced within the past year.</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td colspan="2"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Whether the institution introduced any existing products into new markets within the past year.</font></div></td> </tr> </table> <table width="100%" border="0" cellspacing="0" cellpadding="2"> <tr> <td colspan="4" align="center" valign="baseline"><div align="left"> <p align="left">&nbsp;</p> </div></td> </tr> <tr> <td align="center" valign="baseline"><p align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">3.</font></p></td> <td colspan="3" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Determine if the quality of management and staff, and the staffing levels are adequate for the specific retail payment products and processes the institution provides.</font></div></td> </tr> <tr> <td width="17" align="center" valign="baseline">&nbsp;</td> <td width="13" align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td width="2328" colspan="2"><div align="left"><font color="#000066" 
size="2" face="Arial, Helvetica, sans-serif">Obtain and review the following: </font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline">&nbsp;</td> <td valign="baseline"><div align="center"><img src="Images/dash%202.gif" width="5" height="7"></div></td> <td><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Reports showing staffing levels, turnover, and trends.</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline">&nbsp;</td> <td valign="baseline"><div align="center"><img src="Images/dash%202.gif" width="5" height="7"></div></td> <td><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Biographies of managers and key staff.</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td colspan="2"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Consider:</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline">&nbsp;</td> <td valign="baseline"><div align="center"><img src="Images/dash%202.gif" width="5" height="7"></div></td> <td><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">The levels of skill and experience of key managers and staff, particularly in terms of the sophistication and complexity of the products, processes, and systems.</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline">&nbsp;</td> <td valign="baseline"><div align="center"><img src="Images/dash%202.gif" width="5" height="7"></div></td> <td><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Whether the institution has appropriate depth of management and 
staff.</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline">&nbsp;</td> <td valign="baseline"><div align="center"><img src="Images/dash%202.gif" width="5" height="7"></div></td> <td><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">The adequacy of staffing levels for peak operating periods.</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline">&nbsp;</td> <td valign="baseline"><div align="center"><img src="Images/dash%202.gif" width="5" height="7"></div></td> <td><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Management and staff turnover.</font></td> </tr> </table> <table width="100%" border="0" cellspacing="0" cellpadding="2"> <tr> <td width="17" align="center" valign="baseline">&nbsp;</td> <td width="13" align="center" valign="baseline">&nbsp;</td> <td width="1164">&nbsp;</td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">4.</font></td> <td colspan="2" align="center" valign="baseline"><p align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif"> Determine if the quality of process design and control points are adequate for existing retail products, and if these factors are considered for new products. 
Consider whether: </font></p></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">There is adequate capacity for current and planned transaction volumes.</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Processes are clearly designed.</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Processes are automated. 
</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">There is a reasonable degree of manual intervention.</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Any processes have been re-engineered during the past year. </font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Processes are outsourced or performed at the customer location. </font></div></td> </tr> <tr> <td colspan="3" align="center" valign="baseline">&nbsp;</td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">5.</font></td> <td colspan="2" align="center" valign="baseline"><p align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif"> Evaluate the use of in-house and outsourced data processing systems to support retail payment products and processes. 
Consider: </font></p></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">How stable are existing systems.</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">How current are existing systems.</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Whether there is adequate capacity for current and planned transaction volumes.</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Whether the institution uses leading edge technologies or only mature technologies.</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> 
</div></td> <td><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">To what extent are systems outsourced.</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Whether outsourcing arrangements are governed by contracts and service level agreements.</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Whether vendors are considered to be industry-recognized leaders.</font></div></td> </tr> <tr> <td colspan="3" align="center" valign="baseline">&nbsp;</td> </tr> <tr> <td colspan="3" align="center" valign="baseline"> <p align="left"><strong><em><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Objective 2: Establish the scope and objectives of the examination of the retail payment systems function. </font></em></strong></p></td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">1. </font></td> <td colspan="2" align="center" valign="baseline"><p align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Review previous reports of examination for comments relating to retail payment systems. 
Review: </font></p></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Regulatory reports of examination, including consumer and compliance information. </font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Prior examination work papers, including any documentation obtained through on-going supervision. </font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Internal control self-assessments completed by business lines.</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Internal and external audit reports, including annual attestation letters.</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, 
sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Regulatory, audit, and information security reports from service providers.</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Trade group, bankcard company, interchange, and clearing house documentation relating to services provided by the financial institution, particularly the NACHA-required annual security audit and bankcard company self-assessments.</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Supervisory strategy documents, including risk assessments.</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline">&nbsp;</td> <td><div align="left"></div></td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">2.</font></td> <td colspan="2" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Review past examination reports for comments relating to the institution's internal control environment and technical infrastructure. 
Review:</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">The institution's processing architecture, including processing outsourcing arrangements.</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Internal controls, including physical and logical access controls in the data entry area, data center, and item processing operations.</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Electronic Funds Transfer (EFT)/Point of Sale (POS) network controls. 
</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Comments related to controls over Remote Deposit Capture (RDC).</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Inventory of computer hardware, software, and telecommunications protocols used to support check item processing, EFT/POS transaction processing, ACH, and bankcard issuance and acquiring transaction services.</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline">&nbsp;</td> <td>&nbsp;</td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">3. </font></td> <td colspan="2" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Review the financial institution's risk and control assessments for comments relating to retail payment systems. 
Review the following risk assessments:</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">External and internal audit; </font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Management controls;</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Information security; </font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Business continuity; </font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Regulatory compliance; and</font></td> </tr> <tr> <td align="center" 
valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">BSA/AML.</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline">&nbsp;</td> <td>&nbsp;</td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">4.</font></td> <td colspan="2" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Identify and obtain during discussions with management of financial institution or service provider:</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">A description of the retail payment system activities performed and scope of operations, including check item processing, RDC, lock-box services that provide ACH check conversion or check truncation, ACH, bankcard issuing and acquiring, clearance, settlement, and EFT/POS network activity.</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Operational reports for retail payment system activities, including transaction volumes, dollar amounts, and trends. 
Where possible, compare levels and trends with peer financial institutions. Significant increases may indicate a change in risk to the financial institution, and management awareness should be evaluated.</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Organization charts of retail lines of business to determine reporting relationships and how the collective retail lines of business are structured and managed. </font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">The retail payment system functions performed through outsourcing relationships and the financial institution's level of reliance on those services.</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Any significant changes in retail payment system policies, personnel, products, strategy and services since the last examination, particularly the introduction of new and emerging electronic retail payment systems incorporating RDC, wireless, telephone, web-based purchasing and bill payment, prepaid cards, or P2P and A2A payment systems.</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" 
valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">A listing of all payment processing and clearing house settlement arrangements in which the financial institution participates. Include any bilateral retail payment clearing arrangements the institution may have with other institutions that are outside traditional clearing houses such as FedACH and EPN. Evaluate the methodology used by the financial institution in assessing its operational and settlement risk from these arrangements.</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Documentation of any related operational or credit losses incurred, reasons for the losses, and actions taken by management to prevent future losses for each retail payment system.</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">A network diagram of the transaction flow from the merchant end of the network, through any intermediary processors, to the financial institution, for all types of payment channels.</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p>&nbsp;</p> </div></td> <td>&nbsp;</td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" 
size="2" face="Arial, Helvetica, sans-serif">5.</font></td> <td colspan="2" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Review the financial institution's response to any retail payment systems issues raised at the last examination and any internal audits conducted since the last review. Determine:</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Adequacy and timing of corrective action.</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Resolution of root causes rather than specific issues.</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Existence of outstanding issues.</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p>&nbsp;</p> </div></td> <td>&nbsp;</td> </tr> <tr> <td colspan="3" align="center" valign="baseline"> <p align="left"><strong><em><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Objective 3: Assess the quality of oversight and support provided by the board of directors and 
management.</font></em></strong></p></td> </tr> <tr> <td align="center" valign="baseline"><p align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">1.</font></p></td> <td colspan="2" align="center" valign="baseline"><p align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Determine the quality and effectiveness of the financial institution's retail payment systems management function. Consider:</font></p></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">The alignment of the institution's business plans with its technology and operational plans for retail payment systems. </font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Data center and network management and the quality of internal controls over internal ATM networks and gateway connectivity to regional, national, and international EFT/POS and bankcard networks.</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Departmental management and the quality of internal controls, including separation of duties and dual control procedures, for bankcard, ATM and debit card, ACH, check items, and 
electronic banking payment transaction processing, clearance, and settlement activity.</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Departmental management and the quality of information security and GLBA 501(b) compliance policies relating to retail payment system-generated customer data.</font></td> </tr> <tr> <td align="center" valign="baseline"><p align="left"><font face="Arial, Helvetica, sans-serif"><font size="2"><font color="#000066"></font></font></font></p></td> <td align="center" valign="baseline">&nbsp;</td> <td><p align="left"><font face="Arial, Helvetica, sans-serif"><font size="2"><font color="#000066"></font></font></font></p></td> </tr> <tr> <td align="center" valign="baseline"><p align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">2.</font></p></td> <td colspan="2" align="center" valign="baseline"><p align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Assess management's ability to manage outsourced relationships with technology service providers. 
Consider:</font></p></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Process utilized to encrypt transactions while en route between technology service providers and the institution.</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Adequacy of contract provisions including service level, performance agreements, responsibilities, liabilities, and management monitoring.</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Management's determination of the service provider's compliance with applicable financial institution and consumer regulations and with third-party requirements (e.g., NACHA, GLBA, bankcard company, and interchange).</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Adequacy of contract provisions for personnel, equipment, and related services.</font></td> </tr> <tr> <td align="center" 
valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Quality of management information systems (MIS) and reports needed to monitor the technology service provider's performance appropriately.</font></td> </tr> <tr> <td align="center" valign="baseline"><p align="left"><font face="Arial, Helvetica, sans-serif"><font size="2"><font color="#000066"></font></font></font></p></td> <td align="center" valign="baseline">&nbsp;</td> <td><p align="left"><font face="Arial, Helvetica, sans-serif"><font size="2"><font color="#000066"></font></font></font></p></td> </tr> <tr> <td align="center" valign="baseline"><p align="left"><font face="Arial, Helvetica, sans-serif"><font size="2"><font color="#000066">3.</font></font></font></p></td> <td colspan="2" align="center" valign="baseline"><p align="left"><font face="Arial, Helvetica, sans-serif"><font size="2"><font color="#000066">Evaluate the adequacy and effectiveness of financial institution and service provider contingency and business continuity planning. 
Consider: </font></font></font></p></td> </tr> <tr> <td align="center" valign="baseline"><p align="left"><font face="Arial, Helvetica, sans-serif"><font size="2"><font color="#000066"></font></font></font></p></td> <td align="center" valign="baseline"> <p align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p></td> <td><p align="left"><font face="Arial, Helvetica, sans-serif"><font size="2"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Ability to recover transaction data and supporting books and records based on retail payment system business line requirements and time lines.</font><font color="#000066"></font></font></font></p></td> </tr> <tr> <td align="center" valign="baseline"><p align="left"><font face="Arial, Helvetica, sans-serif"><font size="2"><font color="#000066"></font></font></font></p></td> <td align="center" valign="baseline"> <p align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p></td> <td><p align="left"><font face="Arial, Helvetica, sans-serif"><font size="2"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Level of testing conducted to ensure adequate preparation.</font><font color="#000066"></font></font></font></p></td> </tr> <tr> <td align="center" valign="baseline"><p align="left"><font face="Arial, Helvetica, sans-serif"><font size="2"><font color="#000066"></font></font></font></p></td> <td align="center" valign="baseline"> <p align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p></td> <td><p align="left"><font face="Arial, Helvetica, sans-serif"><font size="2"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Stand-in arrangements established with other financial 
institutions in the event of an ATM and/or POS system outage.</font><font color="#000066"></font></font></font></p></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Alternative access mechanisms in the event of an outage to primary access to bankcard, ACH, and other retail payment networks.</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline">&nbsp;</td> <td>&nbsp;</td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">4.</font></td> <td colspan="2" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Evaluate retail payment system business line staff. 
Consider:</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Adequacy and quality of staff resources, including certifications such as an Accredited ACH Professional (AAP).</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Effectiveness of policies and procedures outlining department duties, including job descriptions.</font></td> </tr> <tr> <td align="center" valign="baseline"><p align="left"><font face="Arial, Helvetica, sans-serif"><font size="2"><font color="#000066"></font></font></font></p></td> <td align="center" valign="baseline">&nbsp;</td> <td><p align="left"><font face="Arial, Helvetica, sans-serif"><font size="2"><font color="#000066"></font></font></font></p></td> </tr> <tr> <td colspan="3" align="center" valign="baseline"> <p align="left"><strong><em><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Objective 4: Assess the quality of policies, procedures, and limits supporting retail payment services.</font></em></strong></p></td> </tr> <tr> <td align="center" valign="baseline"><p align="left"><font face="Arial, Helvetica, sans-serif"><font size="2"><font color="#000066"></font><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">1.</font></font></font></p></td> <td colspan="2" align="center" valign="baseline"> <p align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif"><font face="Arial, Helvetica, 
sans-serif"><font size="2">Review policies, procedures, and limits for supporting all retail payment services. </font></font></font></p></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Determine if there are written policies.</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Determine if the policies reflect the current business and processes.</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Determine if the policies establish reasonable limits.</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td colspan="2" align="center" valign="baseline">&nbsp;</td> </tr> <tr> <td align="center" valign="baseline"><p align="left"><font face="Arial, Helvetica, sans-serif"><font size="2"><font color="#000066"></font><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">2.</font></font></font></p></td> <td colspan="2" align="center" valign="baseline"><p align="left"><font face="Arial, Helvetica, sans-serif"><font size="2"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Review staff training programs and determine if they are appropriate for supporting 
policies. </font><font color="#000066"></font></font></font></p></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td colspan="2" align="center" valign="baseline">&nbsp;</td> </tr> <tr> <td align="center" valign="baseline"><p align="left"><font face="Arial, Helvetica, sans-serif"><font size="2"><font color="#000066"></font><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">3.</font></font></font></p></td> <td colspan="2" align="center" valign="baseline"> <p align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif"><font face="Arial, Helvetica, sans-serif"><font size="2">Determine whether the institution monitors compliance with policies, procedures, and limits.</font></font></font></p></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Determine if exception monitoring reports are elevated to appropriate levels of management.</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td colspan="2" align="center" valign="baseline">&nbsp;</td> </tr> <tr> <td colspan="3" align="center" valign="baseline"> <p align="left"><strong><em><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Objective 5: Assess the quality of management information systems and reports used to manage retail payment services.</font></em></strong></p></td> </tr> <tr> <td align="center" valign="baseline"><p align="left"><font face="Arial, Helvetica, sans-serif"><font size="2"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">1.</font><font color="#000066"></font></font></font></p></td> <td colspan="2" align="center" valign="baseline"> <p align="left"><font color="#000066" size="2" face="Arial, Helvetica, 
sans-serif"> Review management reports for all retail payment services including reports from service providers. </font></p></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Determine if the reports are appropriate to the businesses and processes in terms of scope and frequency.</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Determine if the reports are reviewed at the appropriate levels of management.</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td colspan="2" align="center" valign="baseline">&nbsp;</td> </tr> <tr> <td colspan="3" align="center" valign="baseline"> <p align="left"><strong><em><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Objective 6: Assess the quality of risk management and support for bankcard issuance and acquiring (merchant processing) activity.</font></em></strong></p></td> </tr> <tr> <td align="center" valign="baseline"><p align="left"><font face="Arial, Helvetica, sans-serif"><font size="2"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">1.</font><font color="#000066"></font></font></font></p></td> <td colspan="2" align="center" valign="baseline"> <p align="left"><font face="Arial, Helvetica, sans-serif"><font size="2"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Evaluate financial institution adherence to bankcard company rules and bylaws and regulatory 
requirements.</font><font color="#000066"></font></font></font></p></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td colspan="2" align="center" valign="baseline">&nbsp;</td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">2.</font></td> <td colspan="2" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Evaluate whether card issuance processing is outsourced to a third party. If yes, evaluate the vendor management controls in place to govern the activities listed in steps 3 and 4.</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline">&nbsp;</td> <td>&nbsp;</td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">3. </font></td> <td colspan="2" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Review internal procedures employed for each bankcard product and assess:</font></div></td> </tr> <tr> <td align="center" valign="baseline"><p align="left"><font face="Arial, Helvetica, sans-serif"><font size="2"><font color="#000066"></font></font></font></p></td> <td align="center" valign="baseline"> <p align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p></td> <td><p align="left"><font face="Arial, Helvetica, sans-serif"><font size="2"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">The integrity of plastic card and PIN issuance processing.</font><font color="#000066"></font></font></font></p></td> </tr> <tr> <td align="center" valign="baseline"><p align="left"><font face="Arial, Helvetica, sans-serif"><font size="2"><font color="#000066"></font></font></font></p></td> <td align="center" valign="baseline"> <p 
align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p></td> <td><p align="left"><font face="Arial, Helvetica, sans-serif"><font size="2"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Whether processing includes appropriate separation of functions in card issuance, PIN issuance, control and storage of card stock, and the maintenance of software controlling PIN generation.</font><font color="#000066"></font></font></font></p></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Whether the institution has established procedures focusing on controls preventing card fraud and abuse.</font></td> </tr> <tr> <td align="center" valign="baseline"><p align="left"><font face="Arial, Helvetica, sans-serif"><font size="2"><font color="#000066"></font></font></font></p></td> <td align="center" valign="baseline">&nbsp;</td> <td><p align="left"><font face="Arial, Helvetica, sans-serif"><font size="2"><font color="#000066"></font></font></font></p></td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">4.</font></td> <td colspan="2" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif"> Determine whether the audit function periodically performs an inventory of all bankcards at each location owned or operated by the institution and that each location is included in the audit program, either directly or indirectly (e.g., as part of a branch audit). 
</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline">&nbsp;</td> <td>&nbsp;</td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">5.</font></td> <td colspan="2" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif"> Determine whether management has established inventory systems that include quality control activities such as self-monitoring for data accuracy. </font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline">&nbsp;</td> <td>&nbsp;</td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">6.</font></td> <td colspan="2" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif"> Review a sample of consumer contracts for each bankcard service to ensure they describe adequately the responsibilities and liabilities of the institution and its customers (compliance with Regulation Z). </font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline">&nbsp;</td> <td>&nbsp;</td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">7.</font></td> <td colspan="2" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif"> Evaluate the effectiveness of internal clearance and settlement activity as it relates to customer bankcard transactions. 
Consider the adequacy of: </font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Financial and accounting controls in place to clear and settle transactions.</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Periodic reconciliation of all account postings.</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Timely clearance or charge-off of missing items or out-of-balance situations.</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline">&nbsp;</td> <td>&nbsp;</td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">8.</font></td> <td colspan="2" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif"> Evaluate the effectiveness of internal credit monitoring and card authorization performed by the financial institution. 
Consider the adequacy of: </font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Policies and procedures for underwriting, account management, and collection activities.</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Card authorization procedures to mitigate fraudulent use.</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">MIS reports and behavioral fraud analysis.</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline">&nbsp;</td> <td>&nbsp;</td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">9.</font></td> <td colspan="2" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif"> For financial institutions that are directly involved in, or that outsource, bankcard acquiring (merchant processing) services, determine the appropriateness of controls over merchant services and ISO/MSP relationships. 
Consider the adequacy of: </font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">New merchant approval and acceptance process, termination procedures, and underwriting guidelines for merchant accounts with particular attention to Web and telephone-based businesses. </font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Testing of web-based business to validate site's content.</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Industry-standard MIS reports to identify negative trends and potential fraudulent activity. 
Potential indicators of fraud or money laundering include: a large number of manually keyed transactions, even dollar amount transactions, average sale ticket size as compared to history, same dollar amount repeated frequently in a single batch, or continuous or frequent zero balances in DDA account.</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">The financial institution's use of a front-end fraud detection application, either designed in-house or purchased.</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Credit approval and monitoring procedures for all new and established merchant accounts. 
Consider use of Dun & Bradstreet reports, bank statements and credit reports.</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Chargeback processing procedures and controls, including trend, volume, age, and losses associated with merchant chargebacks.</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Agent bank programs (where the financial institution performs merchant processing for other institutions), and the level of liability assumed by the acquiring financial institution.</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Protection and storage of cardholder data and compliance with card company rules and guidelines on what data can and cannot be stored.</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Programs for requiring and monitoring merchant's and processor's compliance with card 
company and association standards such as PCI Data Security Standards. Review assessment document and process for completion. </font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Policies and procedures relating to customer accounts that may have been the subject of a security breach at the merchant/ISO location (i.e., reissue cards, monitoring and customer notification).</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline">&nbsp;</td> <td>&nbsp;</td> </tr> <tr> <td colspan="3" align="center" valign="baseline"><p align="left"><strong><em><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Objective 7: Assess the quality of risk management and support for EFT/POS processing activity.</font></em></strong></p></td> </tr> <tr> <td align="center" valign="baseline"><p align="left"><font face="Arial, Helvetica, sans-serif"><font size="2"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">1.</font><font color="#000066"></font></font></font></p></td> <td colspan="2" align="center" valign="baseline"><p align="left"><font face="Arial, Helvetica, sans-serif"><font size="2"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Evaluate the financial institution's compliance with interchange rules and bylaws.</font><font color="#000066"></font></font></font></p></td> </tr> <tr> <td align="center" valign="baseline"><p align="left"><font face="Arial, Helvetica, sans-serif"><font size="2"><font color="#000066"></font></font></font></p></td> <td align="center" valign="baseline">&nbsp;</td> <td><p align="left"><font face="Arial, Helvetica, sans-serif"><font size="2"><font 
color="#000066"></font></font></font></p></td> </tr> <tr> <td align="center" valign="baseline"><p align="left"><font face="Arial, Helvetica, sans-serif"><font size="2"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">2.</font><font color="#000066"></font></font></font></p></td> <td colspan="2" align="center" valign="baseline"><p align="left"><font face="Arial, Helvetica, sans-serif"><font size="2"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Review internal procedures employed for generating active ATM cards. Consider:</font><font color="#000066"></font></font></font></p></td> </tr> <tr> <td align="center" valign="baseline"><p align="left"><font face="Arial, Helvetica, sans-serif"><font size="2"><font color="#000066"></font></font></font></p></td> <td align="center" valign="baseline"> <p align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p></td> <td><p align="left"><font face="Arial, Helvetica, sans-serif"><font size="2"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">The integrity of PIN issuance and processing, including appropriate separation of functions between card issuance, PIN issuance, and card stock control and storage.</font><font color="#000066"></font></font></font></p></td> </tr> <tr> <td align="center" valign="baseline"><p align="left"><font face="Arial, Helvetica, sans-serif"><font size="2"><font color="#000066"></font></font></font></p></td> <td align="center" valign="baseline"> <p align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p></td> <td><p align="left"><font face="Arial, Helvetica, sans-serif"><font size="2"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">The maintenance of software controlling PIN generation. 
The review should focus on controls preventing card fraud and abuse resulting in financial loss to the institution.</font><font color="#000066"></font></font></font></p></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline">&nbsp;</td> <td>&nbsp;</td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">3.</font></td> <td colspan="2" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif"> Determine whether the audit function periodically performs an inventory of unused ATM card stock at each location owned or operated by the institution and that each location is included in the audit program, either directly or indirectly (e.g., as part of a branch audit). </font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline">&nbsp;</td> <td>&nbsp;</td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">4.</font></td> <td colspan="2" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif"> Review a sample of consumer contracts for ATM services to ensure they adequately set forth responsibilities and liabilities of the institution and the customer. Evaluate compliance with applicable regulations. </font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline">&nbsp;</td> <td>&nbsp;</td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">5.</font></td> <td colspan="2" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif"> Evaluate the effectiveness of internal clearance and settlement activities as they relate to customer ATM transactions. 
Consider whether: </font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Appropriate financial and accounting controls are in place to clear and settle ATM transactions.</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Reconciliation is performed periodically for all account postings.</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Processes have been established for handling disputed items.</font></td> </tr> <tr> <td align="center" valign="baseline"><p align="left"><font face="Arial, Helvetica, sans-serif"><font size="2"><font color="#000066"></font></font></font></p></td> <td align="center" valign="baseline">&nbsp;</td> <td><p align="left"><font face="Arial, Helvetica, sans-serif"><font size="2"><font color="#000066"></font></font></font></p></td> </tr> <tr> <td colspan="3" align="center" valign="baseline"><p align="left"><strong><em><font color="#000066" size="2" face="Arial, Helvetica, sans-serif"> Objective 8: Assess the quality of risk management and support for ACH processing activity.</font></em></strong></p></td> </tr> <tr> <td align="center" valign="baseline"><font 
color="#000066" size="2" face="Arial, Helvetica, sans-serif">1.</font></td> <td colspan="2" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif"> Evaluate the financial institution's adherence to NACHA and clearing house operating rules and regulations. </font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline">&nbsp;</td> <td>&nbsp;</td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">2.</font></td> <td colspan="2" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif"> Review operational reports showing monthly or quarterly ACH debit and credit activity and, if possible, compare levels with peer financial institutions. If ACH activity is greater than peer, determine whether the institution is an originating institution (ODFI). Obtain reports listing those customers for which they originate and the volumes (number of items and dollars) originated. Be sure to ask for all customers that use the ODFI's originating account number with the Federal Reserve or EPN. </font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline">&nbsp;</td> <td>&nbsp;</td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">3.</font></td> <td colspan="2" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif"> If the institution has bilateral clearing arrangements with other institutions, review the underlying contracts and determine how the institution monitors compliance with the contracts. 
</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline">&nbsp;</td> <td>&nbsp;</td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">4.</font></td> <td colspan="2" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif"> If the institution uses a technology service provider, determine whether it performed appropriate due diligence prior to engagement and has appropriate contractual agreements governing the relationship. Determine whether the institution monitors compliance with the governing contract. Determine if the institution has an adequate business continuity plan in the event the technology service provider experiences a service disruption. </font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline">&nbsp;</td> <td>&nbsp;</td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">5.</font></td> <td colspan="2" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif"> If the institution is an ODFI and permits third-party sender payments, determine whether it requires the third-party sender to establish the identity of each originator using commercially reasonable methods to warrant that the originators will assume their responsibilities under NACHA rules and to warrant that it will assume the liabilities of the ODFI. Determine whether the ODFI has established limits and monitoring of the third-party sender's creditworthiness relative to its underlying originators and the nature and type of ACH activity that it warrants. 
</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline">&nbsp;</td> <td>&nbsp;</td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">6.</font></td> <td colspan="2" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif"> Determine whether the ODFI's contractual agreements with each originator clearly define the specific terms for funds availability. </font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline">&nbsp;</td> <td>&nbsp;</td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">7.</font></td> <td colspan="2" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif"> Determine whether the institution has taken steps to ensure that originators are properly educated about their obligations for handling ARC and POP source documentation and all other NACHA rules. </font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline">&nbsp;</td> <td>&nbsp;</td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">8.</font></td> <td colspan="2" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif"> Review policies and procedures for acquisition of originating customers and determine the appropriateness of these policies for the risk profile and risk management capabilities of the financial institution. Determine whether the policies identify and seek to limit exposure to higher-risk customers, such as adult entertainment and online gambling firms, adult bookstores, escort services, and massage parlors. 
</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline">&nbsp;</td> <td>&nbsp;</td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">9.</font></td> <td colspan="2" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif"> Review policies and procedures in place to monitor originating customer balances for credit payments (e.g., payroll) to ensure payments are made against collected funds or established credit limits and daily caps. Also determine whether payments in excess of established credit limits and daily caps are properly authorized.</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline">&nbsp;</td> <td>&nbsp;</td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">10.</font></td> <td colspan="2" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif"> Determine whether the institution treats deposits resulting from ACH transmitted debits on other accounts as uncollected funds until there is reasonable assurance the debits have been paid by the institution on which they were drawn. Also, determine whether management monitors drawings against uncollected funds to ensure they are within established guidelines. 
</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline">&nbsp;</td> <td>&nbsp;</td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">11.</font></td> <td colspan="2" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif"> Review a sample of contracts authorizing the institution to originate ACH items for customers and determine whether they adequately set forth the responsibilities of the institution and customer. Determine: </font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Whether contracted technology service providers originating customer entries are also customers of the financial institution.</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Whether the agreements include recognition of all relevant NACHA requirements.</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Whether ACH clearing houses, of which the financial institution is a member, stipulate the funding arrangements (outgoing), 
Expedited Funds Availability Act (Regulation CC), UCC Article 4A (credit transfer only), and Electronic Funds Transfers (Regulation E).</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline">&nbsp;</td> <td>&nbsp;</td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">12.</font></td> <td colspan="2" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif"> Determine whether the institution has a process in place for monitoring and acting on returned items that includes third-party vendors, where applicable. </font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline">&nbsp;</td> <td>&nbsp;</td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">13.</font></td> <td colspan="2" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif"> Determine whether the institution uses risk management reports that are appropriate to the ACH activities and level of risk. </font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline">&nbsp;</td> <td>&nbsp;</td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">14.</font></td> <td colspan="2" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif"> Determine whether ACH activities are considered in the institution's overall business continuity plans and insurance program. 
</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline">&nbsp;</td> <td>&nbsp;</td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">15.</font></td> <td colspan="2" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif"> Determine whether management monitors originating customers for unreasonable numbers of unauthorized ACH debits. If the volume of unauthorized ACH debits is high, it could expose the institution to greater loss. </font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline">&nbsp;</td> <td>&nbsp;</td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">16.</font></td> <td colspan="2" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif"> Determine whether management has addressed international ACH requirements, where applicable. 
</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline">&nbsp;</td> <td>&nbsp;</td> </tr> <tr> <td colspan="3" align="center" valign="baseline"><p align="left"><strong><em><font color="#000066" size="2" face="Arial, Helvetica, sans-serif"> Objective 9: Assess the quality of risk management and support for electronic banking related retail payment transaction processing.</font></em></strong></p></td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">1.</font></td> <td colspan="2" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif"> Determine the extent to which the financial institution engages in retail payment systems, including bill payment, prepaid cards, wireless systems, contactless payment devices, remote check capture, lock-box services that provide ACH check conversion or check truncation, and P2P and A2A payments. 
Consider: </font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Strategic plans relating to the introduction of new retail payment system products and services.</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">The development of internal pilot programs and partnerships with technology service providers introducing new retail payment systems and delivery channels.</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">The extent to which existing Internet and e-banking products and services include new retail payment mechanisms.</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline">&nbsp;</td> <td>&nbsp;</td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">2.</font></td> <td colspan="2" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif"> Evaluate the financial institution's ability to manage the development and implementation of new retail payment services, focusing on effectiveness of internal controls 
and provisions of consumer compliance regulations. Consider: </font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Information security, including identification and authentication systems, in the deployment of any smart cards, wireless payment devices, EBPP, P2P and A2A product offerings.</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Customer disclosure and compliance information for retail payment systems using new technologies.</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Technical resources to effectively manage retail payment systems including Internet technologies, telecommunications protocols, and operations support.</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline">&nbsp;</td> <td>&nbsp;</td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">3.</font></td> <td colspan="2" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif"> Evaluate the financial institution's ability to incorporate 
new retail payment product offerings into its existing retail business lines and its effectiveness in including these product offerings in its traditional retail payment operations. Consider: </font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">The integration of new retail payment product offerings into existing clearance, settlement, and accounting functions.</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Whether the financial institution relies on technology service providers for some or all of these services.</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline">&nbsp;</td> <td>&nbsp;</td> </tr> <tr> <td colspan="3" align="center" valign="baseline"><p align="left"><strong><em><font color="#000066" size="2" face="Arial, Helvetica, sans-serif"> Objective 10: Assess the quality of risk management and support for checks.</font></em></strong></p></td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">1.</font></td> <td colspan="2" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif"> Determine whether the accounting department handles check return item processing appropriately, reconciling all aged items. 
</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline">&nbsp;</td> <td>&nbsp;</td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">2.</font></td> <td colspan="2" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif"> If the institution offers its customers RDC services, review the appropriateness of: </font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Due diligence procedures for new and existing retail customers.</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Due diligence procedures for new and existing third-party processing customers (ensure processors perform adequate due diligence over their originating retail customers).</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Underlying contracts for:</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td valign="baseline"><div align="center"><img src="Images/dash%202.gif" width="5" height="7"></div></td> <td><font 
color="#000066" size="2" face="Arial, Helvetica, sans-serif">Assignment of liability in the event of returned, disputed, or fraudulent items.</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td valign="baseline"><div align="center"><img src="Images/dash%202.gif" width="5" height="7"></div></td> <td><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Limitations or reasonable parameters regarding activity volumes, including returns.</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td valign="baseline"><div align="center"><img src="Images/dash%202.gif" width="5" height="7"></div></td> <td><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Ongoing transaction activity monitoring procedures.</font></td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">3.</font></td> <td colspan="2" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif"> Determine whether the institution uses electronic check presentment (ECP) for payment. 
If yes, determine: </font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">The effectiveness of the financial institution's ECP implementation, including logical access controls over electronic files storing MICR and related information.</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Whether the financial institution is using positive pay. </font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Whether the logical access controls over the electronic files sent by commercial businesses are adequately controlled.</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline">&nbsp;</td> <td>&nbsp;</td> </tr> <tr> <td colspan="3" align="center" valign="baseline"><p align="left"><strong><em><font color="#000066" size="2" face="Arial, Helvetica, sans-serif"> Objective 11: Assess the quality of risk management of new and emerging technology risks.</font></em></strong></p></td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">1.</font></td> <td colspan="2" align="center" 
valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif"> Determine the institution's processes for evaluating and deploying new and emerging technologies for retail payment systems. Of particular concern are retail payment products and services that do not use established networks such as ACH, or that extend operational processes to the customer location, as with RDC. Determine: </font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Whether the institution conducts risk assessments prior to deployment of new and emerging technologies. </font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Whether the processes involve the institution's compliance functions, including consumer compliance, BSA/AML, GLBA 501(b), and third party requirements (for example, NACHA, MasterCard, and Visa).</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Whether risk assessment and compliance status are communicated to senior management and the board of directors.</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" 
valign="baseline">&nbsp;</td> <td>&nbsp;</td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">2.</font></td> <td colspan="2" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif"> Assess the vendor management program over the technology service providers offering new and emerging technologies for retail payment systems. Determine: </font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">The adequacy of due diligence performed on the technology service provider.</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Whether management regularly reviews the financial status of the technology service provider.</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Whether management receives independent audits, SAS-70, or data information security reviews performed on the technology service provider.</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, 
sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Whether the information exchanged with the technology service provider is documented and meets the bank's requirements.</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Whether the dispute resolution process between the technology service provider and customer is documented and meets the bank's requirements.</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Whether MIS received from the technology service provider is adequate.</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline">&nbsp;</td> <td>&nbsp;</td> </tr> <tr> <td colspan="3" align="center" valign="baseline"><p align="left"><font color="#000066" size="4" face="Arial, Helvetica, sans-serif">CONCLUSIONS</font></p></td> </tr> <tr> <td align="center" valign="baseline"><p align="left"><font face="Arial, Helvetica, sans-serif"><font size="2"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">1.</font><font color="#000066"></font></font></font></p></td> <td colspan="2" align="center" valign="baseline"><p align="left"><font face="Arial, Helvetica, sans-serif"><font size="2"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Determine the need to conduct Tier II procedures 
for additional validation to support conclusions related to any of the Tier I objectives.</font><font color="#000066"></font></font></font></p></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td colspan="2" align="center" valign="baseline">&nbsp;</td> </tr> <tr> <td align="center" valign="baseline"><p align="left"><font face="Arial, Helvetica, sans-serif"><font size="2"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">2.</font><font color="#000066"></font></font></font></p></td> <td colspan="2" align="center" valign="baseline"> <p align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">From the procedures performed, including any Tier II procedures performed:</font></p></td> </tr> <tr> <td align="center" valign="baseline"><p align="left"><font face="Arial, Helvetica, sans-serif"><font size="2"><font color="#000066"></font></font></font></p></td> <td align="center" valign="baseline"> <p align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p></td> <td><p align="left"><font face="Arial, Helvetica, sans-serif"><font size="2"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Document conclusions related to the quality and effectiveness of the management of the retail payment systems function.</font><font color="#000066"></font></font></font></p></td> </tr> <tr> <td align="center" valign="baseline"><p align="left"><font face="Arial, Helvetica, sans-serif"><font size="2"><font color="#000066"></font></font></font></p></td> <td align="center" valign="baseline"> <p align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p></td> <td><p align="left"><font face="Arial, Helvetica, sans-serif"><font size="2"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Determine and document to 
what extent, if any, the examiner may rely upon retail payment system procedures performed by internal or external audit.</font><font color="#000066"></font></font></font></p></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline">&nbsp;</td> <td>&nbsp;</td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">3.</font></td> <td colspan="2" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Review your preliminary conclusions with the examiner-in-charge (EIC) regarding:</font></div></td> </tr> <tr> <td align="center" valign="baseline"><p align="left"><font face="Arial, Helvetica, sans-serif"><font size="2"><font color="#000066"></font></font></font></p></td> <td align="center" valign="baseline"> <p align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p></td> <td><p align="left"><font face="Arial, Helvetica, sans-serif"><font size="2"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Violations of law, rulings, regulations, and third-party agreements.</font><font color="#000066"></font></font></font></p></td> </tr> <tr> <td align="center" valign="baseline"><p align="left"><font face="Arial, Helvetica, sans-serif"><font size="2"><font color="#000066"></font></font></font></p></td> <td align="center" valign="baseline"> <p align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p></td> <td><p align="left"><font face="Arial, Helvetica, sans-serif"><font size="2"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Significant issues warranting inclusion as matters requiring board attention in the report of examination.</font><font 
color="#000066"></font></font></font></p></td> </tr> <tr> <td align="center" valign="baseline"><p align="left"><font face="Arial, Helvetica, sans-serif"><font size="2"><font color="#000066"></font></font></font></p></td> <td align="center" valign="baseline"> <p align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p></td> <td><p align="left"><font face="Arial, Helvetica, sans-serif"><font size="2"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Potential impact of your conclusions on the Uniform Rating System for Information Technology (URSIT) composite and component ratings.</font><font color="#000066"></font></font></font></p></td> </tr> <tr> <td align="center" valign="baseline"><p align="left"><font face="Arial, Helvetica, sans-serif"><font size="2"><font color="#000066"></font></font></font></p></td> <td align="center" valign="baseline"> <p align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p></td> <td><p align="left"><font face="Arial, Helvetica, sans-serif"><font size="2"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Where necessary, communicate relevant conclusions to the EIC for the BSA/AML, or retail credit, or compliance examinations.</font><font color="#000066"></font></font></font></p></td> </tr> <tr> <td align="center" valign="baseline"><p align="left"><font face="Arial, Helvetica, sans-serif"><font size="2"><font color="#000066"></font></font></font></p></td> <td align="center" valign="baseline">&nbsp;</td> <td><p align="left"><font face="Arial, Helvetica, sans-serif"><font size="2"><font color="#000066"></font></font></font></p></td> </tr> <tr> <td align="center" valign="baseline"><p align="left"><font face="Arial, Helvetica, sans-serif"><font size="2"><font color="#000066" size="2" face="Arial, Helvetica, 
sans-serif">4.</font><font color="#000066"></font></font></font></p></td> <td colspan="2" align="center" valign="baseline"><p align="left"><font face="Arial, Helvetica, sans-serif"><font size="2"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Discuss your findings with management and obtain proposed corrective action, within reasonable timeframes, for significant deficiencies.</font><font color="#000066"></font></font></font></p></td> </tr> <tr> <td align="center" valign="baseline"><p align="left"><font face="Arial, Helvetica, sans-serif"><font size="2"><font color="#000066"></font></font></font></p></td> <td align="center" valign="baseline">&nbsp;</td> <td><p align="left"><font face="Arial, Helvetica, sans-serif"><font size="2"><font color="#000066"></font></font></font></p></td> </tr> <tr> <td align="center" valign="baseline"><p align="left"><font face="Arial, Helvetica, sans-serif"><font size="2"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">5.</font><font color="#000066"></font></font></font></p></td> <td colspan="2" align="center" valign="baseline"><p align="left"><font face="Arial, Helvetica, sans-serif"><font size="2"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Document your conclusions in a memo to the EIC providing report-ready comments for all relevant sections of the FFIEC report of examination (ROE) and guidance to future examiners.</font><font color="#000066"></font></font></font></p></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline">&nbsp;</td> <td>&nbsp;</td> </tr> <tr> <td align="center" valign="baseline"><p align="left"><font face="Arial, Helvetica, sans-serif"><font size="2"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">6.</font><font color="#000066"></font></font></font></p></td> <td colspan="2" align="center" valign="baseline"><p align="left"><font face="Arial, Helvetica, sans-serif"><font size="2"><font 
color="#000066" size="2" face="Arial, Helvetica, sans-serif">Organize work papers to ensure clear support for significant findings and conclusions.</font><font color="#000066"></font></font></font></p></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td colspan="2" align="center" valign="baseline">&nbsp;</td> </tr> </table> <p align="left"><font color="#000066" size="5" face="Arial, Helvetica, sans-serif"><b><strong>TIER II OBJECTIVES AND PROCEDURES</strong></b></font></p> <p align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif"><strong>Examination Objective: </strong>The Tier II Retail Payment Systems Examination Procedures provide additional validation steps to verify the effectiveness of a financial institution's internal control processes over ACH, EFT/POS network, check item, electronic banking-related retail payments, and bankcard processing, clearance, and settlement. These procedures assist in achieving examination objectives, and examiners may use them in their entirety or selectively, depending upon the scope of the examination and the need for additional verification.</font></p> <p align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Examiners should coordinate this coverage with other examiners involved in assessing the institution's information systems, operations, information security, business continuity planning, and vendor management effectiveness to avoid duplication of effort and to ensure there is an adequate understanding of the control environment as it pertains to retail payment business lines.</font></p> <p align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">The procedures provided in this section should not be construed as requirements for control implementation. The selection of controls and control implementation should be guided by the risk profile of the institution. 
Therefore, the controls necessary for any single institution or any given area may differ from those noted in the following procedures.</font></p> <table width="100%" border="0" cellspacing="0" cellpadding="2"> <tr> <td colspan="4" align="center" valign="baseline"> <p align="left"><strong><em><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">A. EFT/POS AND BANKCARD AGREEMENTS AND CONTRACTS</font></em></strong></p></td> </tr> <tr> <td width="18" align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">1.</font></td> <td colspan="3" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">If the financial institution is a participant in a shared EFT/POS network or if it contracts with third-party bankcard-issuing or -acquiring processing service providers, determine whether:</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td width="28" align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td colspan="2"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Contracts with regional EFT/POS network switch and gateway operators and bankcard processors clearly set forth the rights and responsibilities of all parties, including the integrity and confidentiality of customer information, ownership of data, settlement terms, contingency and business recovery plans, and requirements for installing and servicing equipment and software.</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td colspan="2"><div align="left"><font 
color="#000066" size="2" face="Arial, Helvetica, sans-serif">Adequate agreements are in place with all technology service providers supplying services for retail EFT/POS and bankcard operations (plastic cards, ATM equipment and software maintenance, ATM cash replenishment) that clearly define the responsibilities of both the service provider and the institution.</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td colspan="2"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Agreements include a provision of minimum acceptable control standards, the ability of the institution to audit the technology service provider's operations, periodic submission of financial statements to the institution, and contingency and business recovery plans.</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td colspan="2"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Contracts and agreements clearly define responsibilities and limits of liability for both the customer and financial institution and include provisions of the Electronic Funds Transfer Act (Regulation E) and the Expedited Funds Availability Act (Regulation CC) for deposit activities.</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td colspan="3" align="center" valign="baseline"> <p align="left">&nbsp;</p></td> </tr> <tr> <td align="center" valign="top"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">2.</font></td> <td colspan="3" 
align="center" valign="baseline"> <p align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Determine whether management periodically reviews individual sites providing retail EFT/POS and bankcard services to ensure policies, procedures, security measures, and equipment maintenance requirements are appropriate.</font></p></td> </tr> <tr> <td align="center" valign="top">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p>&nbsp;</p> </div></td> <td colspan="2">&nbsp;</td> </tr> <tr> <td align="center" valign="top"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">3.</font></td> <td colspan="3" align="center" valign="baseline"> <p align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">For retail EFT/POS and bankcard transaction processing activities contracted to third-party service providers, assess the adequacy of the review process performed by management regarding annual financial statements, audit reports, and Payment Card Industry (PCI) Data Security Standard assessment.</font></p></td> </tr> <tr> <td align="center" valign="top">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p>&nbsp;</p> </div></td> <td colspan="2">&nbsp;</td> </tr> <tr> <td colspan="4" align="center" valign="baseline"> <p align="left"><strong><em><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">B. PERSONAL IDENTIFICATION NUMBERS (PINS)</font></em></strong></p></td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">1.</font></td> <td colspan="3" align="center" valign="baseline"> <p align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Assess staff access to PIN data. 
Ensure there is separation of duties between staff responsible for card operations and staff responsible for preparing or issuing bankcards.</font></p></td> </tr> <tr> <td colspan="4" align="center" valign="baseline">&nbsp;</td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">2.</font></td> <td colspan="3" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Assess the adequacy of the PIN generation process. Ensure there is separation of duties between staff responsible for PIN generation and staff responsible for opening accounts or with access to customer account information.</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td colspan="3" align="center" valign="baseline">&nbsp;</td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">3.</font></td> <td colspan="3" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">For new PIN issuance, assess the adequacy of control procedures including accountability assigned to staff initiating such transactions.</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td colspan="3" align="center" valign="baseline"><div align="left"></div></td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">4.</font></td> <td colspan="3" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Assess the adequacy of PIN generation and issuance procedures to determine whether they preclude matching an assigned PIN to a customer's account number or bankcard.</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td colspan="3" align="center" valign="baseline"><div 
align="left"></div></td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">5.</font></td> <td colspan="3" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Assess the adequacy of threshold for PIN access attempts to customer account information and funds. The threshold parameter should be set at a reasonable number of unsuccessful attempts.</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td colspan="3" align="center" valign="baseline"><div align="left"></div></td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">6.</font></td> <td colspan="3" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Assess the level of PIN encryption when stored on computer files or transmitted over telecommunication lines.</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td colspan="3" align="center" valign="baseline"><div align="left"></div></td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">7.</font></td> <td colspan="3" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">If resets are allowed, assess the adequacy of procedures and controls for PIN/password resets. 
The use of single-use and temporary PIN/password is preferred.</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td colspan="3" align="center" valign="baseline"><div align="left"></div></td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">8.</font></td> <td colspan="3" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Assess the adequacy of procedures for prohibiting PIN information from being disclosed over the telephone.</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td colspan="3" align="center" valign="baseline"><div align="left"></div></td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">9.</font></td> <td colspan="3" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Assess staff access to PIN-related databases and determine if management restricts access to authorized personnel. 
Assess database maintenance activities to ensure management closely supervises and logs staff access.</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td colspan="3" align="center" valign="baseline"><div align="left"></div></td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">10.</font></td> <td colspan="3" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Assess the adequacy of customer PIN selection criteria, focusing on whether the institution discourages or prevents customers from using common words, social security numbers, sequences of numbers, or words or numbers that can easily identify the customer.</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td colspan="3" align="center" valign="baseline"><div align="left"></div></td> </tr> <tr> <td colspan="4" align="center" valign="baseline"><div align="left"><strong><em><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">C. INFORMATION SECURITY</font></em></strong></div></td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">1.</font></td> <td colspan="3" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Evaluate the logical and physical security controls to ensure the availability and integrity of production retail payment systems applications. 
Determine:</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td colspan="2"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Whether the physical and logical security controls established for retail payment transaction processing, clearance, and settlement services maintain transaction confidentiality and integrity.</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td colspan="2"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Whether physical controls limit access to only those staff assigned responsibility for supporting the operations and business line centers processing retail payment and accounting transactions.</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td colspan="2"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Whether physical controls provide for the ability to monitor and document access to all retail payment operations facilities.</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td colspan="3" align="center" valign="baseline"><div align="left"></div></td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">2.</font></td> <td colspan="3" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" 
face="Arial, Helvetica, sans-serif">Evaluate the effectiveness of all logical access controls assigned for staff responsible for retail payment-related services. Determine:</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td colspan="2"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Whether management bases controls on separation-of-duties principles routinely implemented for the processing of financial transactions. </font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td colspan="2"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Whether management bases access controls on a need-to-know basis. 
</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td colspan="2"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Whether management bases assigned access to retail payment applications and data on functional staff job duties and requirements.</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td colspan="2"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Whether identification and authentication schemes include requiring unique logon identifiers with strong password requirements.</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td colspan="2"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Whether displayed credit and debit card account data are partially masked to prevent full account numbers from being copied.</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td colspan="2"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Whether network servers are satisfactorily hardened against the risk of internal or external hacking.</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> 
<td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td colspan="2"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Whether servers simply used for data storage are unnecessarily connected to the Internet.</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td colspan="2"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Whether sensitive customer information stored electronically is encrypted; if so, at what encryption level.</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td colspan="2"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Whether internal audit or other third parties have conducted a security review.</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td colspan="3" align="center" valign="baseline">&nbsp;</td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">3.</font></td> <td colspan="3" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Evaluate the security procedures for periodic password changes, the encryption of password files, password suppression on terminals, and automatic shutdown of terminals not in use.</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td colspan="3" align="center" valign="baseline"><div 
align="left"></div></td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">4.</font></td> <td colspan="3" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Assess whether the institution encrypts telecommunications lines used to receive and transmit retail customer and financial institution counterparty data. If not encrypted, evaluate the compensating controls to secure retail payment data in transit. Assess whether any connecting technology service provider's networks used to transport transactions are transporting transaction data in the clear (not encrypted) or use weak forms of encryption.</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td colspan="3" align="center" valign="baseline"><div align="left"></div></td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">5.</font></td> <td colspan="3" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Assess whether merchants use sufficient encryption for wireless sales terminal activity transmitting sensitive customer information.</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td colspan="3" align="center" valign="baseline"><div align="left"></div></td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">6.</font></td> <td colspan="3" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Assess whether customer information being stored is beyond that required by industry standards.</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td colspan="3" align="center" valign="baseline"><div align="left"></div></td> </tr> <tr> <td colspan="4" 
align="center" valign="baseline"><div align="left"><strong><em><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">D. CARD ISSUANCE</font></em></strong></div></td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">1.</font></td> <td colspan="3" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Assess bankcard issuance activities, and review control procedures. Determine whether management:</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td colspan="2"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Issues bankcards only as requested.</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td colspan="2"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Periodically inventories bankcards.</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td colspan="2"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Maintains adequate controls for activating new accounts.</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td colspan="3" align="center" valign="baseline"><div align="left"></div></td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, 
Helvetica, sans-serif">2.</font></td> <td colspan="3" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Assess effectiveness of the dual control procedures for blank card stock in each of the encoding, embossing, and mailing steps.</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td colspan="3" align="center" valign="baseline"><div align="left"></div></td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">3.</font></td> <td colspan="3" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Assess adequacy of physical access controls for card encoding areas. Management should allow access to authorized personnel only.</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td colspan="3" align="center" valign="baseline"><div align="left"></div></td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">4.</font></td> <td colspan="3" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif"> Assess whether inventory controls for plastic card stock make them physically secure.</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td colspan="3" align="center" valign="baseline"><div align="left"></div></td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">5.</font></td> <td colspan="3" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif"> Assess whether management restricts the use of bankcard encoding equipment to authorized personnel only.</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td colspan="3" align="center" 
valign="baseline"><div align="left"></div></td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">6.</font></td> <td colspan="3" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif"> Assess adequacy of procedures for issuing cards from more than one location (e.g., branches) to ensure there are accountability and bankcard control procedures at each card-issuing location.</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td colspan="3" align="center" valign="baseline"><div align="left"></div></td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">7.</font></td> <td colspan="3" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif"> Assess adequacy of institution card-mailing procedures. Ensure the institution mails the card and associated PIN to customers in separate envelopes. Also ensure that the return address does not identify the institution.</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td colspan="3" align="center" valign="baseline"><div align="left"></div></td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">8.</font></td> <td colspan="3" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif"> Assess whether mailing procedures provide for a sufficient time between the card and PIN mailings.</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td colspan="3" align="center" valign="baseline"><div align="left"></div></td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">9. 
</font></td> <td colspan="3" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Assess adequacy of returned card procedures. Determine whether adequate controls are in place to ensure returned cards are not sent to staff with access to, or responsibility for, issuing cards.</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td colspan="3" align="center" valign="baseline">&nbsp;</td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">10.</font></td> <td colspan="3" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif"> Assess whether there is appropriate follow-up to determine whether the correct customer received the card and PIN.</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td colspan="3" align="center" valign="baseline"><div align="left"></div></td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">11.</font></td> <td colspan="3" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif"> Assess the adequacy of control procedures (e.g., hot card lists and expiration dates) to limit the period of exposure if a card is lost, stolen, or purposely misused.</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td colspan="3" align="center" valign="baseline"><div align="left"></div></td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">12.</font></td> <td colspan="3" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif"> Determine whether the institution destroys captured and spoiled cards under dual control and maintains records of all 
destroyed cards.</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td colspan="3" align="center" valign="baseline"><div align="left"></div></td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">13.</font></td> <td colspan="3" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif"> Assess whether the institution adequately controls test or demonstration cards.</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td colspan="3" align="center" valign="baseline"><div align="left"></div></td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">14.</font></td> <td colspan="3" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif"> Assess whether management maintains satisfactory controls over the issuance of replacement or additional cards to the customer (e.g., temporary access cards issued to the customer).</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td colspan="3" align="center" valign="baseline"><div align="left"></div></td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">15.</font></td> <td colspan="3" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif"> Assess the adequacy of the vendor management program to determine whether the institution reviews card issuance services contracted to third parties for compliance with appropriate bankcard control procedures.</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td colspan="3" align="center" valign="baseline"><div align="left"></div></td> </tr> <tr> <td colspan="4" align="center" valign="baseline"><div 
align="left"><strong><em><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">E. BUSINESS CONTINUITY PLANNING</font></em></strong></div></td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">1.</font></td> <td colspan="3" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Assess the adequacy of the financial institution's business continuity plans for a partial or complete failure of each retail payment system. Determine whether the plans include:</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td colspan="2"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Recovery of all required components linking the institution with third-party network switch, gateway, or related third-party data centers and bankcard processors.</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td colspan="2"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Information relative to the volume and importance of the retail payment system activity to the institution's overall operation.</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td colspan="2"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Provisions for 
acceptable store and forward procedures to protect against loss or duplication of data and to ensure full recovery within reasonable timeframes.</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td colspan="2"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Provisions for secured transport and off-site storage of sensitive customer information.</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td colspan="2"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Stand-in arrangements with other financial institutions, allowing for interim bankcard processing in the event of an outage.</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td colspan="2"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Adequate testing of plans accounting for various recovery scenarios.</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td colspan="3" align="center" valign="baseline">&nbsp;</td> </tr> <tr> <td colspan="4" align="center" valign="baseline"><div align="left"><strong><em><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">F. 
EFT/POS AND BANKCARD ACCOUNTING AND TRANSACTION PROCESSING</font></em></strong></div></td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">1.</font></td> <td colspan="3" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Assess the adequacy of reconciliation processes for general ledger accounts related to bankcard and debit card transaction processing activity. Determine whether:</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td colspan="2"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Accounting reconciles bankcard and ATM transaction activities daily.</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td colspan="2"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Retail payment system supervisory personnel periodically review reconcilement and exception item reports.</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td colspan="2"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Accounting periodically reconciles accounts used to control rejects, adjustments, and unposted items.</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td colspan="3" align="center" 
valign="baseline">&nbsp;</td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">2.</font></td> <td colspan="3" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Assess the adequacy of the daily settlement process for institutions participating in shared EFT/POS networks or gateway systems.</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td colspan="3" align="center" valign="baseline"><div align="left"></div></td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">3.</font></td> <td colspan="3" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif"> Assess the adequacy of transaction reconstruction procedures. Transaction files should be duplicated or otherwise retained for a minimum of 60 days, as required by Regulation E, in order to identify unauthorized transactions.</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td colspan="3" align="center" valign="baseline"><div align="left"></div></td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">4.</font></td> <td colspan="3" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif"> Assess the adequacy of the investigative unit in place to address customer inquiries and control non-posted items, rejects, and differences. 
Management should periodically receive aging reports that list outstanding items.</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td colspan="3" align="center" valign="baseline"><div align="left"></div></td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">5.</font></td> <td colspan="3" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif"> Assess the adequacy of separation of duties for the bankcard and EFT/POS account posting process including receipt of transactions, file updates, adjustments, internal reconcilement, preparation of general ledger entries, posting to customers' accounts, investigations, and reconcilement with third-party service provider network switches and card processors.</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td colspan="3" align="center" valign="baseline"><div align="left"></div></td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">6.</font></td> <td colspan="3" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif"> Assess the effectiveness and accuracy of the adjustment process (e.g., changes to deposits and reversals) relating to retail EFT/POS and bankcard transactions processed by staff.</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td colspan="3" align="center" valign="baseline"><div align="left"></div></td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">7.</font></td> <td colspan="3" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif"> For institutions involved in bankcard issuing or acquiring services, determine whether the institution has 
established:</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td colspan="2"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Proper accounting controls for the balancing, settling, and reconciliation of all bankcard and acquiring accounts under its control.</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td colspan="2"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Appropriate credit and liquidity risk measures for the bankcard and acquiring business lines.</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td colspan="2"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Appropriate controls for the processing of customer or merchant transaction flows.</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td colspan="3" align="center" valign="baseline">&nbsp;</td> </tr> <tr> <td colspan="4" align="center" valign="baseline"><div align="left"><strong><em><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">G. 
EFT/POS OPERATIONAL CONTROLS</font></em></strong></div></td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">1.</font></td> <td colspan="3" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Assess the effectiveness of personnel responsible for internal ATM processing. Determine whether there are:</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td colspan="2"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Controls prohibiting staff members who originate entries from processing and physically handling cash.</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td colspan="2"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Proper control of all source documents (e.g., checks for deposit) maintained throughout the daily processing cycle relative to</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline">&nbsp;</td> <td valign="baseline"><div align="center"><img src="Images/dash%202.gif" width="5" height="7"></div></td> <td><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Input preparation,</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline">&nbsp;</td> <td valign="baseline"><div align="center"><img src="Images/dash%202.gif" width="5" height="7"></div></td> <td><font color="#000066" size="2" face="Arial, Helvetica, 
sans-serif">Reconcilement of item counts and totals,</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline">&nbsp;</td> <td valign="baseline"><div align="center"><img src="Images/dash%202.gif" width="5" height="7"></div></td> <td><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Output distribution, and</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p>&nbsp;</p> </div></td> <td valign="baseline"><div align="center"><img src="Images/dash%202.gif" width="5" height="7"></div></td> <td width="1150"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Storage of the instruments.</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td colspan="3" align="center" valign="baseline"><div align="left"></div></td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">2.</font></td> <td colspan="3" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Determine whether terminal and operator identification codes are used for all retail ATM and POS transactions.</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td colspan="3" align="center" valign="baseline"><div align="left"></div></td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">3.</font></td> <td colspan="3" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Assess the adequacy of controls in place to prevent customer charges from exceeding the available balance in the account or approved overdraft lines.</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td colspan="3" align="center" valign="baseline"><div 
align="left"></div></td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">4.</font></td> <td colspan="3" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Assess the adequacy of access controls for terminals used to change customer credit lines and account information.</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td colspan="3" align="center" valign="baseline"><div align="left"></div></td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">5.</font></td> <td colspan="3" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif"> Determine whether retail EFT equipment keyboards or display units are properly shielded to avoid disclosure of customer IDs or PINs.</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td colspan="3" align="center" valign="baseline"><div align="left"></div></td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">6.</font></td> <td colspan="3" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif"> Determine whether receipt issuance ensures customers receive a receipt showing the amount, date, time, and location for retail EFT transactions in compliance with Regulation E.</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td colspan="3" align="center" valign="baseline"><div align="left"></div></td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">7.</font></td> <td colspan="3" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif"> Assess whether each 
retail EFT transaction is assigned a sequence number and terminal ID to provide an audit trail.</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td colspan="3" align="center" valign="baseline"><div align="left"></div></td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">8. </font></td> <td colspan="3" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Assess whether the institution regularly updates hot card or customer suspect lists and distributes them to branch banking locations.</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td colspan="3" align="center" valign="baseline"><div align="left"></div></td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">9.</font></td> <td colspan="3" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif"> Assess the adequacy of verification procedures for telephone-initiated payments or transfers and ensure confirmations are promptly sent to customers and merchants.</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td colspan="3" align="center" valign="baseline"><div align="left"></div></td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">10.</font></td> <td colspan="3" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif"> Assess the adequacy of security devices and access control procedures for EFT/POS, bankcard, and acquiring processing facilities to ensure appropriate physical and logical access controls are in place.</font></div></td> </tr> <tr> <td colspan="4" align="center" valign="baseline">&nbsp;</td> </tr> <tr> <td colspan="4" align="center" 
valign="baseline"><div align="left"><strong><em><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">H. ACH ODFI AND RDFI RESPONSIBILITIES</font></em></strong></div></td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">1.</font></td> <td colspan="3" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif"> Determine if agreements between the ODFI and originators adequately address</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td colspan="2"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Liabilities and warranties,</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td colspan="2"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Responsibilities for processing arrangements, and</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td colspan="2"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Other originator obligations such as security and audit requirements.</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td colspan="3" align="center" valign="baseline">&nbsp;</td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, 
sans-serif">2.</font></td> <td colspan="3" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif"> Determine whether the ODFI has established procedures to monitor the creditworthiness of its originator customers on an ongoing basis. Determine whether:</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td colspan="2"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">The ODFI assigns credit ratings to originators.</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td colspan="2"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Competent credit personnel perform monitoring, independent of ACH operations.</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td colspan="2"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Written agreements with originators require the submission of periodic financial information.</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td colspan="3" align="center" valign="baseline">&nbsp;</td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">3. 
</font></td> <td colspan="3" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Determine whether the ODFI has established ACH exposure limits for originators. Determine whether:</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td colspan="2"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">The limit is based on the originator's credit rating and activity levels.</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td colspan="2"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">The limit is reasonable relative to the originator&#8217;s exposure across all services (lending, cash management, foreign exchange, etc.). 
</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td colspan="2"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Limits have been established for originators whose entries are transmitted to the ACH operator by a service provider.</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td colspan="2"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Written agreements with originators address exposure limits.</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td colspan="2"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">A separate limit for WEB entries and other high-risk ACH transactions, as warranted, has been established.</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td colspan="3" align="center" valign="baseline"><div align="left"></div></td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">4.</font></td> <td colspan="3" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif"> Determine whether the ODFI reviews exposure limits periodically. 
Determine whether:</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td colspan="2"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">The ODFI adjusts limits for changes in an originator&#8217;s credit rating and activity levels.</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td colspan="2"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Increases in an originator&#8217;s ACH debit return volume trigger a re-evaluation of the exposure limit.</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td colspan="2"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">The ODFI reviews the limits in conjunction with the review of an originator&#8217;s exposure limit across all services.</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td colspan="3" align="center" valign="baseline"><div align="left"></div></td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">5.</font></td> <td colspan="3" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif"> Determine whether the ODFI has implemented procedures to monitor ACH entries initiated by an originator relative to its exposure limit across multiple 
settlement dates. Determine whether:</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td colspan="2"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">The monitoring system is automated and accumulates entries for a period at least as long as the average ACH debit return time (60&#8211;75 days).</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td colspan="2"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Entries in excess of the exposure limit receive prior approval from a credit officer.</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td colspan="2"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">WEB entries and other high-risk ACH transactions (as warranted) are separately accumulated and monitored, yet integrated into the overall ACH transaction monitoring system.</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td colspan="3" align="center" valign="baseline"><div align="left"></div></td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">6.</font></td> <td colspan="3" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif"> Assess the RDFI&#8217;s overdraft and funds 
availability policies and practices and determine whether they adequately mitigate its credit exposures to ACH transactions.</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td colspan="3" align="center" valign="baseline"><div align="left"></div></td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">7.</font></td> <td colspan="3" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif"> Determine the adequacy of the ODFI&#8217;s practices regarding originators&#8217; annual or more frequent security audits of physical, logical, and network security. Determine whether:</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td colspan="2"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">The ODFI receives summaries or full audit reports from the originators. 
</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td colspan="2"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">The audits are adequate in scope and performed by independent and qualified personnel.</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td colspan="2"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Corrective actions regarding exceptions are satisfactory.</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td colspan="3" align="center" valign="baseline"><div align="left"></div></td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">8.</font></td> <td colspan="3" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Determine how the ODFI or RDFI manages its relationship with technology service providers. 
Determine whether:</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td colspan="2"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">The service provider&#8217;s financial information is obtained and satisfactorily analyzed.</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td colspan="2"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Service-level agreements are established and monitored.</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td colspan="3" align="center" valign="baseline"><div align="left"></div></td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">9.</font></td> <td colspan="3" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif"> Determine whether the ODFI allows technology service providers direct access to an ACH operator. 
Consider whether agreements between the ODFI and the service providers include:</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td colspan="2"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">A requirement that the service provider obtain the prior approval of the ODFI before originating ACH transactions for originators under the ODFI routing number.</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td colspan="2"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">The establishment by the ODFI of dollar limits for files that the service provider deposits with the ACH operator.</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td colspan="2"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">A provision that restricts the service provider&#8217;s ability to initiate corrections to files that have already been transmitted to the ACH operator.</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td colspan="2"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Provisions regarding warranty and liability 
responsibilities.</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td colspan="2"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Appropriate handling of files (physical and logical access controls). </font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td colspan="3" align="center" valign="baseline"><div align="left"></div></td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">10.</font></td> <td colspan="3" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Determine whether the RDFI has established procedures to deal with consumers&#8217; notifications regarding unauthorized or improperly originated entries or entries where authorization was revoked.</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td colspan="3" align="center" valign="baseline"><div align="left"></div></td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">11.</font></td> <td colspan="3" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif"> Determine whether the RDFI acts promptly on consumers&#8217; stop-payment orders.</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td colspan="3" align="center" valign="baseline"><div align="left"></div></td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">12.</font></td> <td colspan="3" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif"> 
Determine whether the RDFI has procedures that enable it to freeze proceeds of ACH transactions in favor of blocked parties (under OFAC sanctions) for whom the RDFI holds an account.</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td colspan="3" align="center" valign="baseline"><div align="left"></div></td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">13.</font></td> <td colspan="3" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif"> Determine whether the financial institution considers the volume of its uncollected ACH transactions as part of its liquidity risk management practices.</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td colspan="3" align="center" valign="baseline"><div align="left"></div></td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">14.</font></td> <td colspan="3" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Determine whether management and personnel display adequate knowledge and technical skills in managing and performing duties related to ACH transactions.</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td colspan="3" align="center" valign="baseline"><div align="left"></div></td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">15.</font></td> <td colspan="3" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif"> Review results from the financial institution&#8217;s NACHA rule compliance audit. 
Determine:</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td colspan="2"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">The independence and competence of the party performing the audit.</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td colspan="2"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Whether the board or its committee reviewed and approved the audit.</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td colspan="2"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Whether responsibilities for high-risk entries, such as WEB, were included in the scope.</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td colspan="2"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Whether corrective actions on audit exceptions are satisfactory. </font></td> </tr> <tr> <td colspan="4" align="center" valign="baseline">&nbsp;</td> </tr> <tr> <td colspan="4" align="center" valign="baseline"><div align="left"><strong><em><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">I. 
ACH ACCOUNTING AND TRANSACTION PROCESSING</font></em></strong></div></td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">1.</font></td> <td colspan="3" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif"> Assess the adequacy of logs maintained for ACH payments received from, and delivered to, each customer.</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td colspan="3" align="center" valign="baseline"><div align="left"></div></td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">2.</font></td> <td colspan="3" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif"> Assess the adequacy of the balancing procedures used for all ACH payments received and whether they include balancing to the aggregate payments sent to an ACH operator.</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td colspan="3" align="center" valign="baseline"><div align="left"></div></td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">3.</font></td> <td colspan="3" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif"> Determine whether the institution balances all payments received from an ACH operator to the aggregate of payments delivered to customers.</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td colspan="3" align="center" valign="baseline"><div align="left"></div></td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">4.</font></td> <td colspan="3" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, 
Helvetica, sans-serif"> Determine whether the institution verifies and authorizes the source of all ACH files received for processing.</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td colspan="3" align="center" valign="baseline"><div align="left"></div></td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">5.</font></td> <td colspan="3" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif"> Determine whether the institution reconciles all general ledger accounts related to ACH activities on a timely basis.</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td colspan="3" align="center" valign="baseline"><div align="left"></div></td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">6.</font></td> <td colspan="3" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif"> Determine whether ACH supervisory personnel perform reconcilement and regularly review exception items.</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td colspan="3" align="center" valign="baseline"><div align="left"></div></td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">7.</font></td> <td colspan="3" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif"> Determine whether the institution reconciles the ACH activity and pending file totals daily with the ACH operator.</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td colspan="3" align="center" valign="baseline"><div align="left"></div></td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, 
sans-serif">8.</font></td> <td colspan="3" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif"> Assess the effectiveness of the reconcilement with third-party service providers preparing ACH transaction files and ensure daily reconciliation.</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td colspan="3" align="center" valign="baseline"><div align="left"></div></td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">9.</font></td> <td colspan="3" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif"> Assess the effectiveness of ACH holdover transactions and determine whether the institution adequately controls them.</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td colspan="3" align="center" valign="baseline"><div align="left"></div></td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">10.</font></td> <td colspan="3" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif"> Determine whether accounting staff reconciles individual outgoing ACH batches before merging them with other ACH transactions.</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td colspan="3" align="center" valign="baseline"><div align="left"></div></td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">11.</font></td> <td colspan="3" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif"> Determine whether there are separate accounts to control holdovers, adjustments, return items, rejects, etc. 
and whether they are periodically reconciled.</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td colspan="3" align="center" valign="baseline"><div align="left"></div></td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">12.</font></td> <td colspan="3" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif"> Assess the effectiveness of the investigation unit to address customer inquiries and control return items, rejected/unposted items, differences, etc. Determine whether the unit periodically generates aging reports of outstanding items for management.</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td colspan="3" align="center" valign="baseline"><div align="left"></div></td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">13.</font></td> <td colspan="3" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif"> Assess whether management adequately tracks exceptions to credit limit policies and legal contracts.</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td colspan="3" align="center" valign="baseline"><div align="left"></div></td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">14.</font></td> <td colspan="3" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif"> Determine whether exception reports (e.g., rejects, return items, and aging of open items) receive appropriate management attention.</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td colspan="3" align="center" valign="baseline"><div align="left"></div></td> </tr> <tr> <td align="center" 
valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">15.</font></td> <td colspan="3" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif"> Assess the adequacy of separation of duties throughout the ACH process including origination, data entry, adjustments, internal reconcilement, preparing general ledger entries, posting to customer accounts, investigations, and reconcilement with ACH operators.</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td colspan="3" align="center" valign="baseline"><div align="left"></div></td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">16.</font></td> <td colspan="3" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif"> Determine whether adjustments (e.g., added payments, stop payments, reroutes, and reversals) to original ACH instructions are received in an area that does not have access to the original data files.</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td colspan="3" align="center" valign="baseline"><div align="left"></div></td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">17.</font></td> <td colspan="3" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif"> Assess whether controls are appropriate for the adjustment process, including authorization (e.g., signature verification and callbacks on telephone instructions) and whether the institution maintains adequate records (e.g., logs and taping of telephone calls) of individuals making requests.</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td colspan="3" align="center" valign="baseline"><div align="left"></div></td> </tr> 
<tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">18.</font></td> <td colspan="3" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif"> Determine the adequacy of the customer profile origination and change request process. Consider whether requests:</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td colspan="2"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Are in writing or equivalent confirmation for online activities.</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td colspan="2"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Identify the originating personnel.</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td colspan="2"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Document supervisory approval.</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td colspan="2"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Are verified by staff unable to make 
changes.</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td colspan="3" align="center" valign="baseline"><div align="left"></div></td> </tr> <tr> <td colspan="4" align="center" valign="baseline"><div align="left"><strong><em><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">J. ACH FUNDING AND CREDIT</font></em></strong></div></td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">1.</font></td> <td colspan="3" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif"> Assess the adequacy of the process for releasing payments to an ACH operator, and determine whether assurances are obtained that sufficient collected funds (e.g., on deposit or prefunded) or credit facilities are available. The institution should monitor customer intraday and interday positions based on defined thresholds.</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td colspan="3" align="center" valign="baseline"><div align="left"></div></td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">2.</font></td> <td colspan="3" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif"> For third-party service providers contracted to process outgoing ACH transactions, determine whether there are procedures to monitor ACH activity and ensure that funds are collected (collected balances, prefunding, credit lines) before the institution settles with the ACH operator.</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td colspan="3" align="center" valign="baseline"><div align="left"></div></td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">3.</font></td> <td colspan="3" align="center" 
valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif"> For prefunding arrangements in place for customers without credit lines, determine whether management blocks funds (held for disposition) or maintains them in separate accounts until the transaction date.</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td colspan="3" align="center" valign="baseline"><div align="left"></div></td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">4.</font></td> <td colspan="3" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif"> For non-prefunded arrangements, determine whether the institution places blocks on outgoing payments to deposit accounts, applies them as reductions to credit lines, or includes them in the overall funds transfer monitoring process.</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td colspan="3" align="center" valign="baseline"><div align="left"></div></td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">5.</font></td> <td colspan="3" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif"> Determine whether management approves payments resulting in extensions of credit lines or drawings against uncollected funds and retains documentation to support the approvals. Determine whether the institution performs credit assessments of customers originating large dollar volumes of ACH credit transactions. 
Credit assessments should also be reviewed periodically to evaluate creditworthiness of the customer and current economic conditions.</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td colspan="3" align="center" valign="baseline"><div align="left"></div></td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">6.</font></td> <td colspan="3" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif"> Determine whether management treats ACH debits deposited as uncollected funds and whether they monitor any draws against these funds for debits originated by high-risk customers.</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td colspan="3" align="center" valign="baseline">&nbsp;</td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">7.</font></td> <td colspan="3" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif"> Determine whether management approves draws against uncollected ACH deposits and maintains documentation to support approvals for debits originated by high-risk customers.</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td colspan="3" align="center" valign="baseline"><div align="left"></div></td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">8.</font></td> <td colspan="3" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif"> Determine the adequacy of Internet and telephone ACH transaction processing procedures and determine whether there are appropriate authentication controls and procedures to ensure the proper identities of parties invoking ACH transactions.</font></div></td> </tr> 
<tr> <td align="center" valign="baseline">&nbsp;</td> <td colspan="3" align="center" valign="baseline"><div align="left"></div></td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">9.</font></td> <td colspan="3" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif"> Assess the adequacy of management s risk assessment of ACH services in terms of the importance of this function to the overall corporate treasury services function.</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td colspan="3" align="center" valign="baseline"><div align="left"></div></td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">10.</font></td> <td colspan="3" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif"> Ensure that the financial institution obtains and analyzes all audits conducted by the ACH service provider, pursuant to the NACHA rule compliance audit requirement.</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td colspan="3" align="center" valign="baseline"><div align="left"></div></td> </tr> <tr> <td colspan="4" align="center" valign="baseline"><div align="left"><strong><em><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">K. WEB AND TELEPHONE-INITIATED ACH TRANSACTIONS</font></em></strong></div></td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">1.</font></td> <td colspan="3" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif"> Determine whether the financial institution has adopted adequate policies and procedures regarding ACH transactions involving Internet-initiated (WEB) entries. 
Determine whether they:</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td colspan="2"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Are in writing and are approved by the board or a designated committee.</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td colspan="2"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Adequately address ODFI or RDFI responsibilities.</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td colspan="2"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Establish management accountability.</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td colspan="2"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Include a process to monitor policy compliance.</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td colspan="2"><font color="#000066" 
size="2" face="Arial, Helvetica, sans-serif">Include a mechanism for periodic reviews and updates.</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td colspan="3" align="center" valign="baseline"><div align="left"></div></td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">2.</font></td> <td colspan="3" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif"> Determine whether the ODFI has implemented telephone-initiated (TEL) ACH entries. Determine whether:</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td colspan="2"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">There are significant return rates for these transactions.</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td colspan="2"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">The institution adheres to NACHA guidelines concerning merchant management and their business practices.</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td colspan="2"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Written agreements are in place with all originators submitting TEL transactions, and include adequate consumer (receiver) 
authentication and authorization.</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td colspan="2"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">The institution makes tape recordings of all consumer oral authorizations. </font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td colspan="2"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">The institution provides written notice to the consumer, prior to settlement date for the TEL entry, confirming the terms of the oral authorization.</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td colspan="3" align="center" valign="baseline"><div align="left"></div></td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">3.</font></td> <td colspan="3" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif"> Determine whether the ODFI requires its originator to employ a commercially reasonable method to authenticate the consumer/business. 
Determine whether:</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td colspan="2"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Documentation of the method is adequate.</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td colspan="2"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">The frequency of the review of commercially reasonable standards is sufficient.</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td colspan="3" align="center" valign="baseline"><div align="left"></div></td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">4.</font></td> <td colspan="3" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif"> Determine whether the ODFI conducts risk assessments of its originators and whether they reflect a reasonable exercise of business judgment. 
Consider whether the risk assessment includes evaluations of:</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td colspan="2"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Receiver authorizations.</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td colspan="2"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Originator&#8217;s Internet security capability, including:</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline">&nbsp;</td> <td valign="baseline"><div align="center"><img src="Images/dash%202.gif" width="5" height="7"></div></td> <td><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Commercially reasonable fraudulent transaction detection systems and routing number verification,</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline">&nbsp;</td> <td valign="baseline"><div align="center"><img src="Images/dash%202.gif" width="5" height="7"></div></td> <td><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Secure customer Internet sessions, and </font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p>&nbsp;</p> </div></td> <td valign="baseline"> <div align="center"><img src="Images/dash%202.gif" width="5" height="7"></div></td> <td><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Annual (or more frequent) security audits based on risk. 
</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td colspan="2"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Frequency of risk assessments.</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td align="center" valign="baseline"> <div align="center"> <p><font size="2" face="Arial, Helvetica, sans-serif"><img src="../Images/bullet.gif" alt="Bullet" width="11" height="11"></font></p> </div></td> <td colspan="2"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">Documentation and approval standards.</font></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td colspan="3" align="center" valign="baseline"><div align="left"></div></td> </tr> <tr> <td colspan="4" align="center" valign="baseline"><div align="left"><strong><em><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">L. ACH CONTINGENCY PLANS</font></em></strong></div></td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">1.</font></td> <td colspan="3" align="center" valign="baseline"><div align="left"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif"> Evaluate the adequacy of the ACH contingency plan; determine whether the financial institution has tested it and whether it includes provisions for partial or complete failure of the system or communication lines between the institution, ACH operators, customers, and associated data centers. 
</font></div></td> </tr> <tr> <td align="center" valign="baseline">&nbsp;</td> <td colspan="3" align="center" valign="baseline"><div align="left"></div></td> </tr> <tr> <td align="center" valign="baseline"><font color="#000066" size="2" face="Arial, Helvetica, sans-serif">2.</font></td> <td colspan="3" align="center" valign="baseline"><div align="left"><