Going All In on Board Reporting




Going All In on Board Reporting
February 13, 2014, 10:15 A.M. to 11:15 A.M.
Tony DaSilva, AAP, CISA, Senior Examiner, Federal Reserve Bank of Atlanta
Rajiv Donde, President, Laru Technologies
Peter Davey, AAP, VP & Director, Enterprise Payments, Capital One
2014 EastPay. All Rights Reserved

Disclaimer: This presentation and applicable materials are intended for general education purposes and nothing in this presentation should be considered to be legal, accounting or tax advice. You should contact your own attorney, accountant or tax professional with any specific questions you might have related to this presentation that are of a legal, accounting or tax nature.

Guidance on Management and Board Reporting for ACH and RDC
Tony DaSilva, AAP, CISA, Senior Examiner, Federal Reserve Bank of Atlanta

Disclaimer: The views and opinions expressed in this presentation are those of the individual presenter and do not necessarily represent the views and directives of the Federal Reserve Bank of Atlanta or the Federal Reserve System. The content of the presentation should not be construed as regulatory guidance.

Board and Management Issues
- Nonexistent or limited Board-level ACH and RDC risk tolerances and reporting
- Insufficient data and analysis in senior management reporting:
  - Type and nature of ACH and RDC activity
  - Customer activity analysis, including habitual limit violators, profitability, volumes, return rates
- Limited MIS capabilities of ACH and RDC software

Top Five Examination Findings
1) Lack of Senior Management & Board Oversight
2) Lack of Adequate MIS and Reporting
3) Lack of Monitoring
4) Inappropriate Approval Process (separation of duties)
5) Inadequate Limits or No Limits

High-Level Regulatory Requirements
Regulatory Body: Office of the Comptroller of the Currency (OCC)
- OCC 2006-39 - ACH Risk Management Program: Board Reporting. Board awareness through periodic reporting of whether ACH activities remain within Board-approved risk parameters and are achieving appropriate financial results.
- OCC 2006-39 - Third Party Service Providers: Third Party Senders - Written Agreements. Board-approved third-party sender risk parameters, included in formal written agreements that define obligations and liabilities, information requirements, and the requirement for originator approvals.
- OCC - Merchant Processing: Profit Analysis. Periodic notice to the Board and senior leadership of the merchant processing operation's profitability.
- OCC 2006-39 - ACH Risk Management Program: Systems and Controls. Board-approved risk tolerances for the types of businesses and activities for ACH transactions.
- OCC - Merchant Processing: Risk Management. Develop and implement a comprehensive risk management process to manage the risk of merchant services that is appropriate to the size of our program.
- OCC BC 235 - International Payments Systems Risk: Centralized Review Process. Senior management centralized review for awareness and monitoring of domestic and international payment risk exposure.
- OCC BC 235 - International Payments Systems Risk: Policies and Practices. Implement policies and practices for participation in large dollar payments systems.

High-Level Regulatory Requirements
Regulatory Body: Federal Financial Institutions Examination Council (FFIEC)
- IT Wholesale Payments: Board and Management Control. Capital One must develop and implement wire policies to enable the Board of Directors to provide administrative direction for Capital One's wire payment function.
- Payments Board Requirements. Compliance with the Federal Reserve's Payment Systems Risk Policy. Board understanding of processing transactions on own, customer, and respondent accounts.
- Payments Board Requirements. Compliance with the Federal Reserve's Payment Systems Risk Policy. Manage Fed accounts effectively, make prudent use of daylight overdraft, and periodically review daylight overdraft activity to ensure operation within the established guidelines.
- Remote Deposit Capture (RDC) Guidance. Board approval of plans, policies, and significant expenditures; review of periodic performance and risk management reports on the implementation and ongoing operation of RDC systems and services.
Regulatory Body: National Automated Clearing House Association (NACHA)
- ACH Operating Rules. Board or board-approved committee or its designee must approve Direct Access Debit Participant relationships.

High-Level Regulatory Requirements
Regulatory Body: Federal Reserve Bank
- Payment Systems Risk Policy - Risk Framework. Board establishes prudent limits on daylight overdrafts in its Federal Reserve accounts, periodically reviews daylight overdraft levels to ensure Capital One operates within the Board-approved guidelines, and either appoints a committee of directors or retains responsibility to focus on payment systems and use of intraday credit as outlined in the Federal Reserve's Payments Systems Risk Policy.
- Payment Systems Risk Policy - Board Review & Debit Cap Resolutions. Board annual approval and resolution for the daylight overdraft limit.
- Payment Systems Risk Policy - De Minimis Cap Status. Submit to the Federal Reserve Bank at least once in each 12-month period a copy of a resolution of the bank's or holding company's Board approving the use of daylight credit up to the de minimis level of 40 percent of the capital measure.
- Payment Systems Risk Policy - Examiner Review File. Maintain a file for examiner review including: (1) an executed copy of the Board resolution adopting the net debit cap and (2) status reports made available to the Board regarding compliance with the Payment Systems Risk resolution or policy.

ACH related MIS should include:
Portfolio-wide:
- ACH origination volume compared to capital
- ACH returns
- ACH contract aging
- Customer distribution by risk rating
Customer-specific:
- ACH origination volume trends
- ACH return trends
- Unauthorized return types, volume, $, and % of total transaction volume
- Rules/contract violations
- Times over limit
- Changes in risk rating
- Contract date
Note: If available, profitability analysis may be appropriate.

ACH MIS Reporting
Lower Risk and Lower Volume:
- Track daily, multi-day exposure limits
- Track ACH volume and return trends and compare to capital
- Identify and track customer-specific originations and returns (risk-based and/or volume-based threshold)
- Identify and track highest risk ACH originators
- ACH originator list with SEC code restrictions, limits, ACH line review date, and agreement date
- Track ACH over limits and exceptions
Higher Risk and Higher Volume (all from lower risk plus):
- ACH originations and returns by debits, credits, SEC type, third-party sender, originator
- Track ACH reserve adequacy
- High-risk ACH originator risk ranking report
- High-risk ACH, tracking returns by SEC types and return code
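The customer-specific metrics listed in the two slides above (originations by debit/credit and SEC code, returns by return code, unauthorized return rate, times over the daily exposure limit) can be produced from plain entry records. The following is an added example, not code from the presenters or from any ACH software; the entries, originator names and limits are constructed, and the set of return codes counted as unauthorized is an assumption to be checked against the NACHA rules in force.

```python
from collections import defaultdict
from dataclasses import dataclass

# Assumed: return codes counted toward the unauthorized return rate.
# Confirm against the NACHA Operating Rules in force before relying on it.
UNAUTHORIZED_CODES = {"R05", "R07", "R10", "R29", "R51"}


@dataclass(frozen=True)
class Entry:
    originator: str
    date: str            # settlement date, YYYY-MM-DD
    sec: str             # SEC code, e.g. PPD, WEB, CCD
    debit: bool          # True for a debit entry, False for a credit
    amount: float
    return_code: str = ""  # non-empty when the RDFI returned the entry


# Constructed sample data: a payroll originator and a small web merchant
# with a board-approved daily debit exposure limit of 5,000.
LIMITS = {"ACME-PAYROLL": 50_000.0, "WEBSHOP-42": 5_000.0}
ENTRIES = [
    Entry("ACME-PAYROLL", "2014-02-03", "PPD", False, 12_000.0),
    Entry("ACME-PAYROLL", "2014-02-04", "PPD", False, 11_500.0),
    Entry("WEBSHOP-42", "2014-02-03", "WEB", True, 1_200.0),
    Entry("WEBSHOP-42", "2014-02-03", "WEB", True, 4_500.0, "R10"),
    Entry("WEBSHOP-42", "2014-02-04", "WEB", True, 900.0, "R01"),
    Entry("WEBSHOP-42", "2014-02-04", "WEB", True, 700.0, "R10"),
    Entry("WEBSHOP-42", "2014-02-05", "WEB", True, 800.0),
]


def mis_report(entries, limits):
    """Per-originator MIS row: volume by debit/credit, returns by code and
    SEC type, unauthorized return rate, and days over the daily limit."""
    rows = {}
    daily_debits = defaultdict(float)  # (originator, date) -> debit dollars
    for e in entries:
        r = rows.setdefault(e.originator, {
            "debit_count": 0, "debit_amount": 0.0,
            "credit_count": 0, "credit_amount": 0.0,
            "returns": 0, "unauthorized": 0,
            "returns_by_code": defaultdict(int),
            "returns_by_sec": defaultdict(int),
            "over_limit_days": 0,
        })
        if e.debit:
            r["debit_count"] += 1
            r["debit_amount"] += e.amount
            daily_debits[(e.originator, e.date)] += e.amount
        else:
            r["credit_count"] += 1
            r["credit_amount"] += e.amount
        if e.return_code:
            r["returns"] += 1
            r["returns_by_code"][e.return_code] += 1
            r["returns_by_sec"][e.sec] += 1
            if e.return_code in UNAUTHORIZED_CODES:
                r["unauthorized"] += 1
    # "Times over limit": count the settlement days whose debit total
    # exceeded the originator's approved daily exposure limit.
    for (orig, _day), total in daily_debits.items():
        if total > limits.get(orig, float("inf")):
            rows[orig]["over_limit_days"] += 1
    for r in rows.values():
        debits = r["debit_count"]
        # Unauthorized rate is measured against debit entries originated.
        r["unauthorized_rate"] = r["unauthorized"] / debits if debits else 0.0
        r["returns_by_code"] = dict(r["returns_by_code"])
        r["returns_by_sec"] = dict(r["returns_by_sec"])
    return rows


def over_threshold(rows, threshold):
    """Originators whose unauthorized return rate exceeds a board-set threshold."""
    return sorted(o for o, r in rows.items() if r["unauthorized_rate"] > threshold)


def example_report():
    return mis_report(ENTRIES, LIMITS)
```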

Remote Deposit Capture related MIS should include:
Portfolio-wide:
- RDC volume compared to total deposits
- RDC returns to RDC deposits
- RDC contract aging
- Customer distribution by risk rating
Customer-specific:
- RDC volume trends
- RDC return trends
- Times over limit
- Duplicate deposits
- Image quality issues
- Rules/contract violations
- Changes in risk rating
- Contract date
Note: If available, profitability analysis may be appropriate.

Payments Resources
- FRB Financial Services Website: www.frbservices.org
- FRS Payments System Risk Policy: www.federalreserve.gov/paymentsystems/psr
- FFIEC Payments Handbooks: www.ffiec.gov
- OCC ACH Risk Management Guidance: www.occ.treas.gov/ftp/bulletin/2006-39.pdf
- NACHA - The Electronic Payments Association: www.nacha.org
- Payments Study: www.frbservices.org/retail/pdf/2004paymentresearchreport.pdf
- Check 21: www.ffiec.gov/exam/check21/default.htm

MIS Overview, BOD Reporting Premise, Sample Reports
Rajiv Donde, President, Laru Technologies

Management Information Systems (MIS) Premise: Data Transformation
- Data -> Information -> Knowledge
- Transaction Data -> Collated Data / Grouping / Categorization -> Trends, Cause and Effect
- ACH Transactions -> Activity Organization by SEC, Industry, Risk -> Lessons for Business: Basis for Policy
Who asks what:
- Operations: Did transactions get through?
- Management: Are there deviations from or exceptions to policy?
- Board Members: Are our program policies working?

An Attack Example: What's wrong here?

Data Transformation: A transaction was out of trend. New receivers were present.
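The two signals the slide names, an out-of-trend amount and receivers the originator has never paid before, are exactly what a review step between "transaction data" and "management exception report" should surface. The following is an added example written for this page, not Laru's product or any vendor's code; the originator, receiver ids, amounts, z-score limit of 3.0 and minimum history of 5 entries are constructed assumptions.

```python
from statistics import mean, pstdev

# Constructed baseline history for one originator: (originator, receiver_id, amount).
HISTORY = [
    ("ACME-PAYROLL", "RCV-001", 1_000.0),
    ("ACME-PAYROLL", "RCV-002", 1_050.0),
    ("ACME-PAYROLL", "RCV-003", 980.0),
    ("ACME-PAYROLL", "RCV-001", 1_020.0),
    ("ACME-PAYROLL", "RCV-002", 1_010.0),
]

# Constructed batch under review: one normal entry, one new receiver at an
# out-of-trend amount, and one new receiver at an in-trend amount.
TODAY = [
    ("ACME-PAYROLL", "RCV-001", 1_030.0),
    ("ACME-PAYROLL", "RCV-999", 9_500.0),
    ("ACME-PAYROLL", "RCV-777", 1_000.0),
]


def build_profiles(history):
    """Per-originator baseline: receivers paid before, amount mean and std, count."""
    amounts, receivers = {}, {}
    for orig, rcv, amt in history:
        amounts.setdefault(orig, []).append(amt)
        receivers.setdefault(orig, set()).add(rcv)
    return {
        orig: {"receivers": receivers[orig], "mean": mean(amts),
               "std": pstdev(amts), "n": len(amts)}
        for orig, amts in amounts.items()
    }


def review(batch, profiles, z_limit=3.0, min_history=5):
    """Flag entries to unseen receivers or with amounts outside the originator's trend.
    Assumed parameters: z-score limit and minimum history before trend checks apply."""
    findings = []
    for orig, rcv, amt in batch:
        p = profiles.get(orig)
        reasons, z = [], None
        if p is None:
            reasons.append("NO_HISTORY")
        else:
            if rcv not in p["receivers"]:
                reasons.append("NEW_RECEIVER")
            if p["n"] >= min_history:   # too little history makes a trend meaningless
                if p["std"] == 0.0:
                    out = amt != p["mean"]   # flat history: any change is out of trend
                else:
                    z = (amt - p["mean"]) / p["std"]
                    out = abs(z) > z_limit
                if out:
                    reasons.append("OUT_OF_TREND")
        if reasons:
            findings.append({"originator": orig, "receiver": rcv,
                             "amount": amt, "z": z, "reasons": reasons})
    return findings


def example_findings():
    return review(TODAY, build_profiles(HISTORY))


if __name__ == "__main__":
    for finding in example_findings():
        print(finding)
```

The exception list is what management should see; the board-level view is the trend of how many such exceptions occur and how they were resolved.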

BOD Reporting Premise
BOD reporting is meant to facilitate a dynamic process between policy and implementation, and the identification of intended and unintended consequences.
Discovery of unintended consequences:
- Compliance with external rules and regulations (OCC, FFIEC)
- Profitability? (Billing reports)
- Limits? (Volume characterization report)
- Unhealthy Concentration? Industry, SEC Code
- RDFI Perspective
Realization of intended consequences:
- Better risk / reward ratio
- Compliance with established policies
- SEC Return Code rates
- TPPP Return rates
- Rule violations
- Risk Category

Data to support Cost/Benefit Analysis: Know how you're covering the cost. Assess what your program is costing.

SEC Code Activity: Recurring and Non-Recurring Payment Types. Know if you have more Recurring or Non-Recurring Transactions.

TPPP Activity Review: Reveal Sub-Originator Activity.

Change Report: See Threshold Changes Monthly.

Limit Management: Assign Dynamic Limits.

NACHA Rule Violations: Uncover NACHA Rule Violators.

Activity by Risk Category (OCC 2006-39): Review Behavioral Actions of an Entire Risk Group.

Activity by Industry: Analysis by Industry Classification.

Conclusion
- Measurement precedes Management
- Banks are in the business of risk management
- Strong MIS is critical!

Payments Board Reporting: How to make it relevant to your Board
Peter Davey, VP & Director, Enterprise Payments, Capital One

Still not convinced that Board Reporting is important?
The OCC published proposed rulemaking on January 16, 2014 regarding heightened expectations for Large Banks, but the same guidance holds true for all FIs. The proposal centers around 5 key points that will give regulators more teeth in regulating the risk management practices of Financial Institutions:
1. One of the primary fiduciary roles of the board of directors is to ensure that the institution operates in a safe and sound manner
2. Large institutions will be required to have a well-defined personnel management program that ensures appropriate staffing levels, provides for orderly succession, and provides compensation tools to motivate and retain talent without encouraging risk taking

Still not convinced that Board Reporting is important? (contd.)
3. Institutions should define and communicate an acceptable risk appetite across the organization, including measurements that address capital needed, earnings or liquidity, and the amount of risk for each business and for each key risk category monitored
4. Develop reliable oversight programs that include strong audit and risk management functions as well as comparing performance to OCC standards and other FIs, ensuring the appropriate actions are taken to address gaps
5. Ensure the board of directors has a thorough understanding of the institution's risk profile in order to ask probing questions of management and ensure senior management is prudently addressing risks

The health of your payments environment is larger than just a few key regulatory metrics
Issues and Opportunities Throughout the Payments Value Chain:
- Are your processes for Initiation, Processing & Fulfillment, Clearing & Settlement, and Reconciliation operating as expected?
- Have you set thresholds that those processes can be monitored against?
Vendor Management and Outsourcing Relationships:
- Do you have your key/strategically important vendors identified?
- How are you reporting on your vendor management program?
- Are large portions of your operations outsourced?
- Have you mapped key controls that your vendor performs on your behalf?
- Do you have Third Party Senders banking with you or operating on your behalf?

The health of your payments environment is larger than just a few key regulatory metrics
Event, Fraud and Audit Metrics:
- Have you established thresholds for losses and impact?
- How are you reporting outages, customer complaints, regulatory complaints?
- Are you making sure the board is aware of audit results and upcoming exams (external or internal)?
Regulatory & Rules Compliance:
- Have you mapped key regulatory and rules guidance to controls?
- How are you reporting up the effectiveness or breakdown of those controls?
- Are folks aware of and prepared for upcoming rules or regulatory changes?
- Have you assessed the net impact of the change and adjusted your revenue, losses, etc.?

It is important to make sure you are presenting the right information to the right people, and that they know why!
Before developing your full report it may be best to get on the board or Senior Executive agenda to discuss:
- Why you are required to report to them (hint: use Tony's summary slides)
- What their responsibilities are as they concern reviewing the report
- How often you would recommend reporting
- Educating them as to the types of products and services that are offered and what businesses utilize payments
Organizations may have a Board and/or Board Committees:
- The Board Committee may have the power to make changes and then report to the board in summary form
- For privately held Financial Institutions or Financial Institution holding companies there may be more coordination required

Our approach was to make sure we took a broad view of payments and then provide a summary of how payments are performing
- An overall status and rationale can serve as a quick indicator of where problems are or how well things are going
- An individual summary score for each channel will help to identify where more discussion is needed
- Failures of key metrics and regulatory requirements should be brought to the first page
- Indicating key accomplishments and upcoming milestones will help to remind executives that this is a journey

For each payment channel we created a score card that includes required regulatory data and key elements
- A summary of key components will help the reader to understand pertinent information
- It is important to level set what elements are covered in the assessment
- Context setting through transaction data may be helpful
- Assessment of key payments value chain elements will help show you have a complete view
- Setting appropriate thresholds will help to make your report more quantitative and defensible
- Make sure you highlight the regulatory related metrics

Even if everything is going well in your institution it is important to highlight the activities that are needed to maintain a well-managed environment
- When you are not in a Green status you will want to ensure your executives know what actions are being taken to get there
- Risk management is a journey and ever-evolving; it is important to let executives know that work is required even when there aren't burning issues
- Even if things are going well, you may want to highlight industry changes or areas that need to be assessed

Implementing board reporting in a dispersed governance model can lead to confusion if not managed appropriately
- Payments processes aren't the only items your board needs to be aware of, so you may need to coordinate with other groups to ensure consistency and avoid duplication
- Compliance may be able to help identify the other groups that already have, or should have, board commitments
- Sometimes it may be necessary to report the same metrics in multiple forums, so you will want to make sure they are aligned
- If there is already a good cadence for presenting key metrics to your board, you will want to make sure you understand when they happen and what format they use
- Not every organization has a centralized payments governance group, so you may need to identify who takes the lead (Product, Ops, IT)
- Regardless of who is primarily responsible, you will need input from multiple areas
- Even if you automate your reporting or have a central group aggregate it, you need to ensure the business is involved in the review

Questions?

Contact the Presenters
- Tony DaSilva, AAP, CISA, Senior Examiner, Federal Reserve Bank of Atlanta, tony.dasilva@atl.frb.org
- Rajiv Donde, President, Laru Technologies, rdonde@larutech.com
- Peter Andrew Davey, AAP, VP & Director, Enterprise Payments, Capital One, peter.davey@capitalone.com

www.eastpay.org, 800-681-4224
- General Information: info@eastpay.org
- Audit and Risk: audit@eastpay.org
- Education: education@eastpay.org

Follow Us on Twitter: @EastPay, https://twitter.com/eastpay