OCC 2004-14
OCC Bulletin

Subject: FFIEC Information Technology Examination Handbook
Description: Retail Payment Systems Booklet
Date: March 31, 2004

TO: Chief Executive Officers of All National Banks, Federal Branches and Agencies, Technology Service Providers and Software Vendors, Department and Division Heads, and All Examining Personnel

The Federal Financial Institutions Examination Council (FFIEC) has issued the "Retail Payment Systems (RPS) Booklet" to provide updated guidance on the risks and risk management practices applicable to financial institutions' retail payment activities, including checks, card-based electronic payments, and other electronic payment media. The booklet is the seventh in a series that will completely update and replace the 1996 FFIEC Information Systems (IS) Examination Handbook.

Retail Payment Systems Booklet

The banking industry plays a key role in retail payments. Financial institutions face increasing challenges as these systems shift from paper-based to electronic transactions. Electronic payments are creating new products and services and gaining greater acceptance from consumers. These changes increase risk to banks and require effective oversight to ensure the confidentiality of information, system and data integrity, system availability, and regulatory compliance. This booklet complements other FFIEC guidance such as the "E-Banking Booklet" published in August 2003 and provides a detailed discussion of risk management specifically for retail payment systems.

The RPS booklet presents retail payment systems guidance in three parts, followed by examination procedures, a glossary, and references.

* Retail Payment Systems Overview - This section describes the three major categories of retail payment instruments: checks, card-based electronic payments, and other electronic payments (e.g., person-to-person, electronic benefits transfer, and the automated clearinghouse payments).
* Payment Instruments, Clearing, and Settlement - The second section describes the retail payment system instruments typically offered by banks and the roles of various payment system participants, including third parties. Generic diagrams showing the typical payment flows and clearing and settlement arrangements for each of the retail payment instruments described are also included.
* Retail Payment Systems Risk Management - The third section describes the risks associated with various retail payment systems and instruments and presents the risk management practices that banks should have in place to mitigate those risks. The section concludes with specific controls appropriate to a number of retail payment instruments. Management action summaries are included throughout this section to provide a snapshot of the risks and risk management practices described in the text.

The RPS booklet emphasizes that banks engaged in retail payment systems should establish an appropriate risk management process that identifies, measures, and limits risks. Bank management and its board should manage and mitigate the identified risks through effective internal and external audit, physical and logical information security, business continuity planning, vendor management, operational controls, and legal measures. Banks should tailor their risk management strategies to the nature and complexity of their participation in retail payment systems, including any support they offer to clearance and settlement systems. Institutions must comply with federal and state laws as well as with clearinghouse, bankcard association, and regulatory requirements associated with retail payment transactions.

The RPS booklet rescinds chapters 20, "Retail EFT (ATM and POS)," and 21, "Automated Clearing House (ACH)," in the 1996 FFIEC Information Systems (IS) Examination Handbook.

Electronic versions of the RPS and other updated FFIEC booklets are available at www.ffiec.gov/guides.htm.
To accommodate banks with limited access to the Internet, the OCC will also include this booklet in the next release of e-files, the CD-based library of OCC publications provided to all national banks. Any bank that is not able to download the booklets may order printed copies. Please send your request to the Office of the Comptroller of the Currency, 250 E Street, SW, Mail Stop 4-8, Washington, DC 20219. If you need assistance obtaining a copy, please contact the OCC's Communications Division at (202) 874-4700.

Other questions regarding this booklet should be directed to your OCC supervisory office or the Bank Information Technology Division at (202) 874-4740.

____________________________________
Mark L. O'Dell
Deputy Comptroller, Operational Risk Department