PUERTO RICO PAYMENTS SYMPOSIUM
Identifying Key Risk Indicators
EPOCPR Services
Agenda for Today
- Background History
- Regulators & Risk Management
- Let's Have Fun
- Regulators & Risk Assessment
- ACH Risk Categories
- So, Where Do We Start?
- ACH Risk Assessment Tools
ACH Historical Background
New payment needs such as WEB and TEL, and same-day ACH, are closer than ever. ACH transactions have experienced exponential growth. As the awareness of risk management has grown, Regulators and NACHA have published Federal Regulator Letters, Guidance, and Rules and Regulations. It is the FI's responsibility to be familiar with and comply with the Federal Regulators' Letters, Guidance, and Rules and Regulations, and to follow their recommendations as they apply to the FI's role (ODFI or RDFI) in ACH operations.
Regulators & Risk Management
"Banks that participate in the ACH network, as well as their service providers, should have in place systems and controls to mitigate the risks associated with ACH activities. A strong risk management program begins with clearly defined objectives, a well-developed business strategy, and clear risk parameters." (OCC Bulletin 2006-39)
"Risk management is the process of identifying, measuring, monitoring, and managing risk. Risk exists whether the institution maintains information and technology services internally or elects to outsource them. Regardless of which alternative they choose, management is responsible for managing risk in all outsourcing relationships. Accordingly, institutions should establish and maintain an effective risk management process for initiating and overseeing all outsourced operations." (FFIEC IT Examination Handbook)
Let's Have Fun
Regulators & Risk Assessment
The ACH Rules require that every Participating Depository Financial Institution must:
- conduct an assessment of the risks of its ACH activities every year;
- implement a risk management program on the basis of such an assessment; and
- comply with the requirements of its regulator(s) with respect to such assessment and risk management program.
(Article One, Subsection 1.2.4, Risk Assessments)
What can a Financial Institution do to mitigate the risks associated with ACH Operations?
The Regulators believe that Financial Institutions can mitigate many of the risks associated with electronic payments origination and processing, and must:
- Identify and assess the nature of the risks associated with the ACH operation.
- Establish controls for Originators, TPSPs/TPSs, and direct access to the ACH Operator.
- Establish an effective Vendor Management program as required by Regulators.
- Leverage existing risk management programs rather than monitoring risk in a silo; Compliance, Audit and Risk resources need to be involved in the risk management effort.
- The Board and Management should establish an appropriate risk tolerance, effective reporting, and employee training.
- Report to the Board of Directors metrics and trend analyses on ACH volume, returns, operational losses and transaction types, with explanations of variances from previous reports.
- Report to the Board metrics and trend analyses on the composition of the FI's Originator and Third Party Sender portfolios.
Which Retail Payments Products Does Your Financial Institution Offer?
- ACH products such as BOC, RCK, POP, WEB, TEL, IAT?
- Does the FI offer mobile banking and mobile payments?
- Does the FI offer credit cards, stored value cards, or merchant card acquiring services?
- Does the FI offer new products or services in addition to well-established products?
- Is the FI a first-to-market leader with retail payment products?
- Do FI personnel and expertise align with payment channels and product offerings?
- What is the contribution of payments products to total revenue and net income? What is the FI's reliance on this revenue? Is this revenue dependent on a small number of customers?
- Does the FI include the risk management cost and risk exposures in the evaluation of fee income?
ACH Risk Categories
The ACH network and Regulators define the following categories of risk related to the processing of ACH Entries:
- Credit risk: the risk that a party to a payment transaction will not be able to settle the payment. There is credit risk for both debit and credit origination. There is additional risk related to the origination of ACH debits due to the consumer's right of adjustment under the NACHA Operating Rules and Regulation E.
- Operational risk: the risk that a transaction is altered or delayed due to clerical errors or hardware and/or software failures.
- Fraud risk: the risk that a payment transaction is initiated or altered in an attempt to misdirect or misappropriate funds, whether through embezzlement by a financial institution or company employee, by an intruder who has gained unauthorized access to a system, or by a user originating unauthorized transactions.
ACH Risk Categories (Continued)
- Systemic Risk (Settlement/Liquidity): the risk posed to the reliability and soundness of the payment system as a whole. One example is the inability of one system participant to settle its commitments, which causes other participants to be unable to settle theirs.
- Reputational Risk: the risk that arises from adverse publicity related to a negative financial event, resulting in a loss of business. Sources of reputational risk include word of mouth, media coverage and news publications.
- Compliance (legal/regulatory) risk: the risk that a party to a transaction fails to comply, either knowingly or inadvertently, with the NACHA Operating Rules and policies, applicable U.S. federal and state law, and other regulations.
ACH Risk Categories (Continued)
1. Credit Risk
Start with the Business Strategy and the risk appetite the FI is willing to accept with regard to the ACH operation. Each Financial Institution should establish underwriting standards and approval policies for ACH origination that enable the FI to document the information required for approving a new Originator or expanding an existing customer. Whether the FI is a risk taker or risk-averse, it must consider the following risk factors:
- Does the RDFI make funds available to its customers prior to settlement of the credit Entries?
- Does the ODFI initiate credit Entries prior to having funds available in the Originator's account?
- Does the ODFI make funds available to its customers on ACH debit files before the transactions can no longer be returned?
- Does the Originator have a history of excessive unauthorized Returns?
- Do the FI's underwriting standards define desirable, prohibited, and restricted Originators?
- Does the FI prepare a business case prior to engaging a high-risk merchant or Third Party Sender?
ACH Risk Categories (Continued)
How to mitigate Credit Risk?
- Perform credit and financial analysis for Originators, Third Party Vendors and Third Party Senders
- Ensure that Originator and TPS agreements are maintained and updated
- Policies and Procedures should address high-risk Originators and SEC codes
- Establish exposure limits with exception approval requirements
- Make use of ACH activity monitoring and reporting
- Establish prefunding and reserve requirements
ACH Risk Categories (Continued)
2. Fraud Risk
This is the risk associated with an attempt to misdirect or misappropriate funds. It could be carried out by a company employee, an intruder who has gained access to a system or application, or an Originator sending unauthorized transactions. For all transactions that involve the exchange of critical banking information, specific data security standards and system controls have to be in place. Effective technology environment risk management requires a direct, specific approach to identifying, measuring and managing the risk associated with technology. The FFIEC Examination Handbook provides guidance to assess most risks associated with technology. FIs should maintain consistent and effective controls over the technology used, especially in the key control functions of Information Security and Business Continuity.
ACH Risk Categories (Continued)
ACH-related systems should be included in the FI's Information Security program. An FI that provides Internet Banking applications needs to ensure that its online ACH services comply with OCC Bulletin 2005-35 (Authentication in Internet Banking) and OCC Bulletin 2006-35 (frequently asked questions). This program should include:
- Customer Access: the FI needs to ensure all Originators use dual control and privacy on the initial setup of the ACH application.
- Employee Access: the FI should minimize and monitor the number of employees accessing its systems.
- Segregation of Duties: ACH staff should have limited access to the ACH transaction support functions.
- Data Security: sound risk-related data security controls should exist across all ACH-related systems, applications and processes. Policies and Procedures should address data in transit and in storage. Only properly authenticated source data is accepted. Purging data, encrypting, and destroying trace data are some of the key practices the FI should employ. The FI should implement appropriate physical and logical controls, such as controls on:
  » Corporate account takeover
  » Service providers and external networks
  » Storage of ACH payment information
ACH Risk Categories (Continued)
Business Continuity Plan: the FI should ensure that its tested business continuity plans are consistent with the criticality and complexity of the ACH operations.
ACH Activities: ACH activities should be included in every FI Business Continuity Plan, categorized alongside all other applications in the FI, and given the importance they need. In case of a disaster, ACH activities should resume normal functionality in no less than 24 hours.
ACH Risk Categories (Continued)
3. Compliance Risk
As the awareness of risk management has grown, Regulators and NACHA have published Financial Institution Letters, Guidance, and Rules and Regulations that FIs must comply with.
- Does the FI have adequate BSA/AML, KYC, GLBA, and OFAC screening policies and procedures in place?
- Is there an effective Vendor Management Program that includes a due diligence process for selecting third-party service providers and an oversight process for monitoring them?
- Does the FI request from TPSPs/TPSs an annual ACH Audit and/or SSAE 16 report as part of the VMP?
- Does the ACH Agreement include all required regulatory and compliance language set forth by Regulators and NACHA, including the right to audit?
- Are customer claims and exceptions processed in a timely manner?
- Is there an employee training program to ensure knowledge and readiness of the ACH staff?
ACH Risk Categories (Continued)
How to mitigate Compliance Risk:
- OFAC screening policies and procedures
- Conduct due diligence for all Originators and TPSs with suspicious activities
- Perform annual audits and ACH Risk Assessments
- Ensure that all Originator agreements and TPS contracts address regulatory and compliance issues and contain regulatory language
- Ensure proper monitoring of exception reports
- Ensure employees have proper training
ACH Risk Categories (Continued)
4. Liquidity Risk or Systemic Risk
Relates to the possibility of a transaction not settling, causing other participants to be unable to settle their commitments. There are requirements to implement specified in the NACHA Operating Rules and under UCC Article 4A. An RDFI has the option to reverse an ACH credit payment that has been made available to its corporate customer (provisional credit). Systemic Risk is closely related to credit risk.
How do we mitigate this risk?
- Monitor the volumes and trends for each Originator, identifying peaks in usage (for example, Christmas bonuses and dividend payments)
- Use of prefunding and reserve accounts
- Use of seasonal or temporary increases of limits
- Monitor velocity of activity
- The Federal Reserve's Payment System Risk Policy on Daylight Credit Guide includes controls that minimize the possibility of financial institutions failing due to ACH exposures
- Both ACH Operators have established risk management policies and procedures that all but eliminate the possibility of Systemic Risk
ACH Risk Categories (Continued)
5. Operational Risk
The FI may decide not to process ACH Entries in house but rather to outsource the service to a Third Party Service Provider. An FI must be aware that it is still responsible for all Entries sent to the ACH Processor by the TPSP on behalf of the FI.
- Does the FI have an adequate and comprehensive Vendor Management Program?
- Does the FI ensure that all its employees have the proper training and expertise?
- Has the FI established an effective program to monitor the Service Level Agreements?
- Has the FI established an effective system to monitor daily and report any issue?
- Does the FI ensure proper access controls, user authentication and separation of duties regarding the ACH operation?
- Does the FI have adequate Contingency and Business Continuity plans in place, and are these periodically tested?
- Does the FI perform the annual ACH Audit as NACHA requires, and also perform the Risk Assessment on an annual basis?
ACH Risk Categories (Continued)
How to mitigate Operational Risk?
- Proper due diligence
- Background checks
- Use of fraud detection software
- Verification and validation of each transmission
- Follow the credit policies
- Deep underwriting and financial analysis
- Establish proper reserves for debit Originators
- Enforce updated agreements for all Originators and TPSs
- Monitor activity and exception reports on a daily basis
- Comply with NACHA and Operator Rules/Regulations
- Defined objectives and developed business strategies
- Develop Policies and Procedures that define responsibilities and internal controls
- Periodic reports to the Board
ACH Risk Categories (Continued)
6. Reputational and Cross Channel Risk
These are called Ancillary Risks.
Reputational Risk occurs when a customer loses confidence in a financial institution or the Network is compromised.
To reduce Reputational Risk, the Institution should use Know Your Customer principles, including for Third Parties. ODFIs should exercise due diligence to determine whether the relationship is appropriate. Some tasks to be performed:
- Visit the Originator's physical location
- Request and verify business references
- Perform a credit analysis
- Review samples of the products
- Review information on companies with industry resources
- Review the Originator's sales history
- Review the Originator's refund policies
- Verify the customer service phone number
- Check the history of return rates and determine remedial plans if the Originator has high return rates
ACH Risk Categories (Continued)
6. Reputational and Cross Channel Risk
These are called Ancillary Risks.
Cross Channel Risk occurs when fraudulent or illegal transactions move from one payment system to another.
How to avoid Cross Channel Risk: it is important that the ODFI understand the business activity of the Originator in order to ensure that it is using the correct payment type for its needs. It is also important to address any Originator that is not using a payment type appropriately.
So, where do we start identifying ACH risk?
1. Originator Selection
Originator selection will be influenced by the FI's underwriting guidelines for credit and/or debit origination and risk selection, and by the Know Your Customer policy in place.
- Is there an adequate Know Your Customer program that is revised at least every year?
- Prior to signing a Service Agreement, is a background check of the Originator required?
- Has the Board approved risk policy(ies) defining underwriting guidelines for credit and/or debit origination and risk selection?
- Are permissible Standard Entry Class (SEC) codes listed?
- Has there been a background check to validate each Originator?
- Has there been a creditworthiness evaluation, including financial analysis?
- Have authorization procedures been set up?
- Have exposure limits been set, with separate limits for high-risk activity such as WEB and TEL?
- Have procedures been established for monitoring exposure limits across multiple settlement dates?
- Has the ODFI reviewed the Originator's sales history?
- Has the Originator's documentation been reviewed, such as tax ID or social security number?
- Have over-limit approvals and monitoring been set up?
- Does the agreement allow the FI to audit the Originator's procedures?
- Has the Originator ever been involved in questionable business practices?
- Does the expected volume of ACH Entries to be originated reasonably compare with the business volume?
- Does the Originator have in place sound internal controls that guarantee that only authorized personnel will originate ACH Entries?
So, where do we start identifying ACH risk?
2. Knowledge and Readiness
With regard to the ACH services offered by the FI, is the knowledge of Management and the Board adequate, and are management and employees ready to execute the tasks associated with the services rendered?
- Is ACH staff sufficient and properly trained; are there any AAPs? Do they participate in ACH training at least once a year?
- Do the risk policy(ies) approved by the Board define the overall ACH Strategic Plan and objectives?
- Do the risk policy(ies) approved by the Board provide clear direction to management regarding compliance with appropriate rules and regulations?
- Do ACH personnel have adequate tools to process and oversee transaction volumes and dollar values?
- Has the FI conducted the annual ACH compliance Audit as directed by the NACHA Operating Rules?
- Has the ODFI conducted a Risk Assessment of its ACH activities and implemented a risk management program based on the results of such assessment?
So, where do we start identifying ACH risk?
3. NACHA Rules
The Rule amendment effective June 18, 2010 requires that all participating DFIs conduct a Risk Assessment of their ACH activities and implement Risk Management Programs based on the results of such assessments.
- Assess the nature of the risk
- Perform appropriate KYC due diligence
- Establish controls for Originators, Third Parties, and Direct Access to the ACH Operator
- Adequate management, information and reporting systems
Identifying Key Risk Indicators
So, where do we start identifying ACH risk?
4. FFIEC IT Examination Handbook (Retail Payment Systems Booklet)
Provides guidance to examiners, financial institutions and technology service providers (TPSPs) on identifying and controlling risk.
Tier 1: Evaluate the effectiveness of the internal controls and risk management processes implemented
- Strategic Plan
- Audits
- Staff
- Policies and Procedures
- Compliance with NACHA Operating Rules
Identifying Key Risk Indicators
So, where do we start identifying ACH risk?
Tier 2: Goes deeper into the complexity of the organization and requires additional information
- Information Security
- Business Continuity
- ACH ODFI and RDFI
- ACH Accounting and Transaction Processing
- ACH Funding and Credit
- WEB and TEL
- ACH Contingency Planning
Identifying Key Risk Indicators
So, where do we start identifying ACH risk?
5. Policies should address the following:
- Objective of the program
- Approval of new Products and Services
- Prohibited Originators
- Third Party Senders
- Exposure limits
- Contracts and Agreements
- OFAC, PATRIOT Act, BSA/AML
- UCC 4A provisions
- Third Party Service Providers
- Direct Access to the ACH Operator
- File Delivery
- Data Breach
- Audits
So, where do we start identifying ACH risk?
Before an Institution engages in a high-risk ACH activity, the Board of Directors should consider the risks associated with these activities. It should provide clear direction on whether, or to what extent, the bank will engage in the activity. The bank should have strong systems to monitor and control risk. The system should be able to:
- Identify high levels of unauthorized returns
- Identify variances in Originator profiles and volumes
- Verify the proper use of SEC Codes
- For TEL and WEB transactions, ensure that they are within the FI's risk tolerance
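As an added example (not code from the EPOCPR deck, NACHA or any ACH Operator), the following Python script shows the kinds of checks a monitoring system of the sort described above would run over originated Entries and returns: open exposure aggregated across several settlement dates (the question raised under Originator Selection), unauthorized return rates per Originator, SEC codes checked against each Originator's permitted list, and daily volume variances against a baseline. The Originator profiles, Entries, returns, limits, the 0.5% return-rate threshold and the set of return reason codes treated as unauthorized are all constructed or assumed values, not figures from the slides.

```python
"""ACH origination monitoring checks (added example; not code from EPOCPR
Services, NACHA or any ACH Operator). Every profile, entry, return, limit and
threshold below is a constructed or assumed value, not a figure from the deck."""
from collections import defaultdict
from datetime import date, timedelta

AS_OF = date(2024, 6, 3)  # constructed processing date for the daily run

# Constructed Originator profiles: exposure limit, permitted SEC codes and
# baseline daily dollar volume (used by the variance check).
ORIGINATORS = {
    "ACME-PAYROLL": {"limit": 250_000, "sec_codes": {"PPD", "CCD"}, "baseline": 80_000},
    "WEBSHOP-01": {"limit": 50_000, "sec_codes": {"WEB"}, "baseline": 20_000},
}
# Return reason codes counted as unauthorized returns: an assumption of this
# example, to be confirmed against the current NACHA Operating Rules.
UNAUTHORIZED_RETURN_CODES = {"R05", "R07", "R10", "R29", "R51"}

def entry(originator, settlement, sec, amount, kind, trace):
    return {"originator": originator, "settlement": settlement, "sec": sec,
            "amount": amount, "kind": kind, "trace": trace}

# Constructed entries: two payroll credit files on consecutive settlement dates,
# 400 small WEB debits, and one TEL debit the Originator is not approved to send.
ENTRIES = [
    entry("ACME-PAYROLL", date(2024, 6, 3), "PPD", 60_000, "credit", "PAY0001"),
    entry("ACME-PAYROLL", date(2024, 6, 3), "PPD", 30_000, "credit", "PAY0002"),
    entry("ACME-PAYROLL", date(2024, 6, 4), "PPD", 200_000, "credit", "PAY0003"),
    entry("WEBSHOP-01", date(2024, 6, 3), "TEL", 1_000, "debit", "WEB0000"),
] + [entry("WEBSHOP-01", date(2024, 6, 3), "WEB", 50, "debit", f"WEB{i:04d}")
     for i in range(1, 401)]
# Constructed returns received from RDFIs: (trace of original entry, return code).
RETURNS = [("WEB0010", "R10"), ("WEB0011", "R10"), ("WEB0012", "R07"),
           ("WEB0013", "R01"), ("WEB0014", "R01")]

def open_exposure(entries, as_of, debit_return_days=2):
    """Open dollar exposure per Originator on `as_of`, summed across all
    settlement dates: credits stay open until they settle, debits until the
    return window closes (two days is a simplification; consumer unauthorized
    returns can arrive much later)."""
    totals = defaultdict(int)
    for e in entries:
        if e["kind"] == "credit":
            is_open = e["settlement"] >= as_of
        else:
            is_open = e["settlement"] + timedelta(days=debit_return_days) >= as_of
        if is_open:
            totals[e["originator"]] += e["amount"]
    return dict(totals)

def check_exposure_limits(entries, as_of, originators=ORIGINATORS):
    """Flag Originators whose combined open exposure exceeds their limit."""
    return [{"originator": o, "check": "EXPOSURE_LIMIT", "value": t,
             "limit": originators[o]["limit"]}
            for o, t in sorted(open_exposure(entries, as_of).items())
            if t > originators[o]["limit"]]

def check_sec_codes(entries, originators=ORIGINATORS):
    """Flag entries whose SEC code is not on the Originator's permitted list."""
    return [{"originator": e["originator"], "check": "SEC_CODE",
             "trace": e["trace"], "value": e["sec"]}
            for e in entries if e["sec"] not in originators[e["originator"]]["sec_codes"]]

def unauthorized_return_rates(entries, returns, codes=UNAUTHORIZED_RETURN_CODES):
    """Per Originator: (unauthorized returns, debit entries originated, rate)."""
    debits, owner, unauth = defaultdict(int), {}, defaultdict(int)
    for e in entries:
        if e["kind"] == "debit":
            debits[e["originator"]] += 1
            owner[e["trace"]] = e["originator"]
    for trace, code in returns:
        if code in codes and trace in owner:
            unauth[owner[trace]] += 1
    return {o: (unauth[o], n, unauth[o] / n) for o, n in debits.items()}

def check_return_rates(entries, returns, threshold=0.005):
    """Flag Originators above the unauthorized return rate threshold (0.5% assumed)."""
    return [{"originator": o, "check": "UNAUTHORIZED_RETURNS", "value": rate,
             "unauthorized": u, "debits": n}
            for o, (u, n, rate) in sorted(unauthorized_return_rates(entries, returns).items())
            if rate > threshold]

def check_volume_variance(entries, originators=ORIGINATORS, tolerance=2.0):
    """Flag a settlement date whose total exceeds `tolerance` x the Originator's baseline."""
    per_day = defaultdict(int)
    for e in entries:
        per_day[(e["originator"], e["settlement"])] += e["amount"]
    return [{"originator": o, "check": "VOLUME_VARIANCE", "settlement": d,
             "value": t, "baseline": originators[o]["baseline"]}
            for (o, d), t in sorted(per_day.items())
            if t > tolerance * originators[o]["baseline"]]

def run_checks(entries=ENTRIES, returns=RETURNS, as_of=AS_OF):
    """Run every check and return the combined findings for the exceptions report."""
    return (check_exposure_limits(entries, as_of) + check_sec_codes(entries)
            + check_return_rates(entries, returns) + check_volume_variance(entries))

if __name__ == "__main__":
    for finding in run_checks():
        print(finding)
```

On the constructed data the run produces four findings: the payroll Originator's two pending files together exceed its limit even though each file alone is within it (the reason the slides ask for limits monitored across multiple settlement dates), the TEL debit is outside the web shop's permitted SEC codes, the web shop's unauthorized return rate (3 of 401 debits) is above the assumed 0.5% threshold, and the 200,000 payroll file is a variance against the 80,000 baseline. Each check returns finding records rather than printing, so the same output can feed the daily exception report; a real deployment would read Entries from the ODFI's warehouse file and returns from the inbound return files.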
So, where do we start identifying ACH risk?
6. Third Party Service Provider
The use of a TPSP adds complexity and increases the risk associated with credit, reputation and compliance, among others. Although the use of a Third Party Service Provider may reduce the processing cost of the ACH operation, it can increase risk because the FI remains legally responsible. An FI must be aware that it is still responsible for all Entries sent to the ACH Operator by the TPSP on behalf of the FI.
- Management should have an effective monitoring program to oversee all activity conducted through the FI
- FIs should identify and validate the type of business the TPSP is doing
- They should perform a background check on the TPSP, including its owners and financial capacity
So, where do we start identifying ACH risk?
7. Third Party Senders
Institutions that initiate ACH transactions for TPSs should know which Originators they are initiating Entries for. These FIs should require specific information from the TPS on the Originator customers, such as:
- Originator's name
- Taxpayer ID
- Principal business activity
- Geographic location
- Validation that it is a legitimate business
Bank management should establish written agreements and SLAs with the TPS. The Bank should establish a system to periodically audit each TPS.
So, where do we start identifying ACH risk?
8. Originator Agreements should include, but are not limited to:
- The responsibilities of all parties
- Binding to the NACHA Operating Rules
- Funding arrangements and SEC Codes permitted
- Regulation CC
- UCC Article 4A
- Regulation E
So, where do we start identifying ACH risk?
9. Third Party Sender Agreements:
- ODFI approval of all Originators
- Exposure limits per Originator
- An exposure limit for the TPS
- A way to identify each Originator
- Third Party Sender ACH audit (now required)
So, where do we start identifying ACH risk?
10. Vendor Management Program
Assess the ability to manage outsourced relationships with technology service providers:
- Encrypt transactions while in transit between the service provider and the institution
- Contract provisions
- Personnel
- Equipment
- Contingency planning
- Measure what appears to be inadequate performance
- Appropriate sanctions
So, where do we start identifying ACH risk?
11. ACH Accounting
- Balancing procedures
- General ledger ACH activity balanced against warehouse file totals
- Separate accounts for return Entries
- Separation of duties
So, where do we start identifying ACH risk?
12. ACH Funding
- Perform a balance check before sending the files to the Operator
- Prefunding (determine if needed)
ACH Risk Assessment Tool 2014
Please contact TCH PA for more information.
ACH 2014, Electronic Payments & Operations Consultants, V1.0
(Tool screen fragments: "To initiate your Risk Assess", "ODFI")
QUESTIONS?
CONTACTUS@EPOCPR.COM
Mayra.suarez@epocpr.com
Hector.burgos@epocpr.com