National Check Payments Certification. Fraud, Risk, and Risk Mitigation Part II. Copyright 2015 by the Electronic Check Clearing House Organization

Transcription

1 NCP 2016 Exam Cycle Core Training Series Session 11 National Check Payments Certification Fraud, Risk, and Risk Mitigation Part II Copyright 2015 by the Electronic Check Clearing House Organization NOTICES This training course may provide an introduction to or summary of various aspects of check payments and the legal and rules framework for check image exchange. Responsibility for compliance with image exchange rules, and/or the legal, operational and regulatory requirements applicable to check image exchange, remains at all times with the financial institution participating in check image exchange and/or the individual or company using a check image exchange service. This presentation and the information contained herein is not intended as legal or compliance advice or recommendation to any person or company. This document could include technical inaccuracies or typographical errors and individual users are responsible for verifying any information found in this presentation and related live webinar or webinar playback. Financial institutions should consult with their legal counsel regarding legal and operational requirements applicable to any check image exchange program they may offer or in which they participate. These materials may not be reproduced or published, in whole or in part, without the express permission of ECCHO. Copyright 2015 by the Electronic Check Clearing House Organization (Certain contributed content subject to third party copyrights) National Check Payments Certification 2 Copyright 2015 by ECCHO (Certain contributed content subject to third party copyrights) 1

2 NCP Exam Registration Reminder Free ECCHO / NCP study aids upon registration! P.R.E.P. Guide: 300+ pages of information, training guide, sample exam Question of the Day: Summary available now New daily question & detailed answer to prior day s question delivery beginning in January NCP Roadmap Direction on establishing a personal study plan JumpStart Reading Program Links to all references Exam Fees: $400 ECCHO member $500 non-eccho member Not sure about membership? Check current status at: o Enter name in search box on left National Check Payments Certification 3 Session Topics FFIEC Guidance IT Examination Handbook Retail Payments Risk Business Continuity Planning National Check Payments Certification 4 Copyright 2015 by ECCHO (Certain contributed content subject to third party copyrights) 2

3 FFIEC Guidance FFIEC Guidance FFIEC IT Examination Handbook Outlines considerations for identifying and assessing risks to retail payment systems Strategic Risk Reputation Risk Credit Risk Liquidity Risk Legal/ Compliance Risk Operational Risk National Check Payments Certification 6 Copyright 2015 by ECCHO (Certain contributed content subject to third party copyrights) 3

4 Strategic Risk Risk associated with financial institution s mission and future business plans Plans for entering new business lines Expanding existing services through mergers and acquisitions Enhancing infrastructure National Check Payments Certification 7 Strategic Risk Examples: Market expansion New products / services RDC, mobile RDC o Can expose the bank to additional fraud/risk New technologies May expose financial institutions to increased risks o Internet banking services o Electronic bill presentment o Bankcard issuing programs o Third party processing arrangements National Check Payments Certification 8 Copyright 2015 by ECCHO (Certain contributed content subject to third party copyrights) 4

5 Strategic Risk Managing Strategic Risk Planning that addresses retail payment business goals and objectives including supporting IT components Third-party service providers Comprehensive planning / vendor management Vendor agreements National Check Payments Certification 9 Reputation Risk When negative publicity regarding an institution's business practices leads to loss of revenue or litigation Perceived / real breaches in ability to conduct business securely and responsibly Must manage customer expectations Institution s regulatory and consumer protection obligations National Check Payments Certification 10 Copyright 2015 by ECCHO (Certain contributed content subject to third party copyrights) 5

6 Reputation Risk Examples: Risk associated with activities of 3rd-party service provider Operational failures System disruptions Lack of appropriate security / privacy policies resulting in release of customer information Data breach with debit/credit card data Legal disputes that delay or prevent the resolution of payment settlement Negative publicity with regard to litigation National Check Payments Certification 11 Reputation Risk Managing Reputation Risk Proper oversight of 3rd-party service providers Enterprise-wide, comprehensive Business Continuity Plan (BCP) in the event of unexpected service disruption Adequate security controls for physical/ electronic data Clear establishment of roles, responsibilities in customer contracts/ agreements National Check Payments Certification 12 Copyright 2015 by ECCHO (Certain contributed content subject to third party copyrights) 6

7 Credit Risk Party will not settle an obligation for full value Should be compared to an extension of credit Could be ACH Merchant card Remote deposit processes What happens if you have a delayed settlement issues? National Check Payments Certification 13 Credit Risk Examples: Financial institution supplies funds on behalf of a merchant Provisional settlement does not occur for several days Returned items Until timeframe elapses when item can be returned o Midnight deadline for checks o 60 days exposure for returns in ACH environment» From date of settlement Large volume merchant relationships Legal disputes that delay or prevent the resolution of payment settlement National Check Payments Certification 14 Copyright 2015 by ECCHO (Certain contributed content subject to third party copyrights) 7

8 Credit Risk Managing Credit Risk Credit administration processes for due diligence and ongoing monitoring: Require limits (deposit and transaction) Require pre-funding for credit originators Adequate risk-based reserves for debit originators Specific procedures for chargebacks Financial benchmarks and reporting Credit checks and background checks Clear establishment of roles, responsibilities, etc in customer contracts/ agreements National Check Payments Certification 15 Liquidity Risk Current/potential risk to earnings or capital when financial institution cannot meet its obligations when due without incurring unacceptable losses National Check Payments Certification 16 Copyright 2015 by ECCHO (Certain contributed content subject to third party copyrights) 8

9 Liquidity Risk Examples: Financial institution cannot settle an obligation for full value when due but rather at some unspecified time in the future May cause other financial institutions to be unable to settle their exchanges; the domino effect Operational failures impacting settlement timeframes Legal disputes that delay or prevent the resolution of payment settlement National Check Payments Certification 17 Liquidity Risk Managing Liquidity Risk Appropriate management oversight of 3rdparty service providers Enterprise-wide, comprehensive Business Continuity Plan (BCP) in the event of unexpected service disruption Financial benchmarks and reporting Credit checks and background checks Clear establishment of roles, responsibilities, etc in customer contracts/ agreements National Check Payments Certification 18 Copyright 2015 by ECCHO (Certain contributed content subject to third party copyrights) 9

10 Legal / Compliance Risk Failure to comply with statutory obligations, existing consumer protection statutes, regulations, and case law governing retail payment transactions Unclear terms in agreements National Check Payments Certification 19 Legal / Compliance Risk Examples: Failure to comply with: Bylaws and contractual agreements established with bankcard networks, clearinghouses, other clearing and settlement counterparties Consumer protection statutes, regulations, and case law in regard to payment transactions Rights of the parties are unclear Payment participant declares bankruptcy, and the court rules in an unexpected way Customer contracts/ agreements unclear Do not clearly establish roles, responsibilities, etc o Particularly with regard to RDC National Check Payments Certification 20 Copyright 2015 by ECCHO (Certain contributed content subject to third party copyrights) 10

11 Legal / Compliance Risk Managing Legal / Compliance Risk Clear establishment of roles, responsibilities, etc. in customer contracts/ agreements Financial institution management oversight of third-party service providers Adequate security controls for physical and electronic data to protect customer info Ensure due diligence for new products and services Financial institution should fully understand the laws and rules that apply to payments it handles, and the associated risks and liabilities National Check Payments Certification 21 Operational Risk Inadequate or failed internal processes, people and systems, or external events System failures Human error National Check Payments Certification 22 Copyright 2015 by ECCHO (Certain contributed content subject to third party copyrights) 11

12 Operational Risk Examples: Technology failure Hardware, software, communication systems Human or technology errors in financial models and reporting Other internal control deficiencies or failures Image or data quality Business Continuity failure Information security New products or technology for which traditional fraud measures are not sufficient Remote Deposit Capture, mobile RDC Remotely created checks One-time ACH transactions such as TEL or WEB Increased use of check-to-ach conversion National Check Payments Certification 23 Operational Risk Managing Operational Risk Qualified/ Trained Staff Financial institution management oversight of third-party service providers Enhanced internal controls Strong fraud controls for existing and new products Monitoring and Auditing National Check Payments Certification 24 Copyright 2015 by ECCHO (Certain contributed content subject to third party copyrights) 12

13 Business Continuity Planning Business Continuity Planning Establishes basis for financial institution to recover and resume business processes when operations are disrupted unexpectedly To proactively mitigate risk of service disruptions Enterprise-wide BCP strategy Minimize financial losses to the institution Serve customers and financial markets with minimal disruptions Mitigate negative effects of disruptions on business operations National Check Payments Certification 26 Copyright 2015 by ECCHO (Certain contributed content subject to third party copyrights) 13

14 Business Continuity Planning Components include guidelines for: Personnel Communications Technology Issues Facilities Electronic payment systems Liquidity concerns Financial disbursement Manual operations National Check Payments Certification 27 Business Continuity Planning Four main steps in the BCP development process Business Impact Analysis Risk Assessment Risk Management Risk Monitoring and Testing National Check Payments Certification 28 Copyright 2015 by ECCHO (Certain contributed content subject to third party copyrights) 14

15 Business Continuity Planning Business Impact Analysis (BIA) Identification of potential impact of uncontrolled nonspecific events on business functions and processes Risk Assessment Analysis of threats based upon business impact Prioritization of potential disruptions based on severity Risk Management Identification, assessment, and reduction of risk to an acceptable level Development, implementation, and maintenance of a written, enterprise-wide BCP Risk Monitoring and Testing Incorporate BIA and Risk Assessment findings into the BCP Regular assessment and revision National Check Payments Certification 29 Step #1 Business Impact Analysis Identify potential impact of uncontrolled nonspecific events on business functions and processes Three primary goals of impact analysis First Determine Criticality For every critical business function o Determine impact of a disruption o Ex: In a series of 20 steps, is this step #1 (critical) or step #20 (not as important) Second Estimate Maximum Downtime What is the maximum downtime bank can tolerate and remain viable? National Check Payments Certification 30 Copyright 2015 by ECCHO (Certain contributed content subject to third party copyrights) 15

16 Step #1 Business Impact Analysis Three primary goals of impact analysis (continued) Third Evaluate Resource Requirements Determine required resources to resume critical operations o What are related interdependencies? Resources and other dependencies can include: Facilities Personnel Hardware / Other Equipment Software Data files Vital records Third-party relationships National Check Payments Certification 31 Step #2 Risk Assessment Assess/analyze threats based upon business impact Prioritization of potential disruptions based on severity Assessment a critical step Has significant impact on success of business continuity planning efforts Evaluate BIA assumptions using various threat scenarios Analyzing threats based upon impact to Institution Customers / Community Financial markets Prioritize potential business disruptions based upon severity Perform gap analysis to compare existing BCP to: Current policies and procedures What should be implemented based upon findings National Check Payments Certification 32 Copyright 2015 by ECCHO (Certain contributed content subject to third party copyrights) 16

17 Step #3 Risk Management Identification, assessment, and reduction of risk to an acceptable level Have written, published enterprise-wide BCP Develop, implement and maintain procedures For example, Procedures for continuity teams Current contact lists of critical personnel Communication process for internal and external stakeholders Critical versus non-critical functions, services, processes Relocation strategies to alternate facilities Procedures to handle unanticipated expenses National Check Payments Certification 33 Step #3 Risk Management Enterprise-wide BCP Based upon BIA and Risk Assessment results: Describe types of events that could prompt declaration of disaster and process to invoke BCP Document and disseminate to employees Review/approve by Board, Senior Management Review periodically o At least annually National Check Payments Certification 34 Copyright 2015 by ECCHO (Certain contributed content subject to third party copyrights) 17

18 Step #3 Risk Management Types of Events that could invoke BCP Hardware/equipment malfunctioned or destroyed Critical personnel are unavailable or out of contact Critical buildings, facilities, or geographic regions not accessible Software and data corrupted or not accessible Vital records not available Third-party services not available Utilities not available (power, telecommunications) Liquidity needs cannot be met National Check Payments Certification 35 Step #4 Risk Monitoring and Testing Incorporate findings of BIA and Risk Assessment into the BCP Regular assessment and revision Regular Enterprise-wide Testing Program Roles and responsibilities for implementation Testing schedule Annual /more frequent tests as needed Analysis of testing program and results Evaluation by Board and Senior Management Assessment by independent party Revise BCP and/or testing program based upon: Changes in business operations Audit and examination recommendations Test results National Check Payments Certification 36 Copyright 2015 by ECCHO (Certain contributed content subject to third party copyrights) 18

19 BCP and Risk Management Greater Attention on Need for Effective Business Continuity Planning Increased terrorism concerns Catastrophic natural disasters Threat of a pandemic Potential for area-wide disasters that could affect an entire region Anticipate and Plan for the Unexpected Critical versus non-critical business processes Specific Plan Documented plan for threat scenarios Continually Revise Address lessons learned from past disasters to update BCP National Check Payments Certification 37 Managing Risk Who s job is it to manage risk? Everybody: board members, employees, management Identify risk Measure and manage Build systems to control and monitor risk Know your risk appetite Create an environment where businesses are willing to take risk Some risk is good Ensure consistency Establish risk management team Include staff from every area National Check Payments Certification 38 Copyright 2015 by ECCHO (Certain contributed content subject to third party copyrights) 19

20 Questions National Check Payments Certification 39 Recommended Resources FFIEC References: FFIEC - Retail Payment Systems Feb-2010: FFIEC Supplement to Authentication in an Internet Banking Environment Oct-2005: 11%20%28FFIEC%20Formated%29.pdf FFIEC - Supervisory Guidance for Remote Deposit Capture 1/14/2009: National Check Payments Certification 40 Copyright 2015 by ECCHO (Certain contributed content subject to third party copyrights) 20

21 Angie Smith, AAP, NCP SVP, Professional Development Events Fraud, Risk, and Risk Mitigation Part II Thank You! Electronic Check Clearing House Organization 3710 Rawlins Street; Suite 1075 Dallas, Texas NOTICE This NCPC Program document contains copyrighted materials of its publisher. These materials may not be reproduced or published, in whole or in part, without the express permission of ECCHO Copyright 2015 by the Electronic Check Clearing House Organization Copyright 2015 by ECCHO (Certain contributed content subject to third party copyrights) 21