Retail Payment Systems Booklet, Appendix A: Examination Procedures
EXAMINATION OBJECTIVE: Examiners should use the following Tier I and Tier II Retail Payment Systems examination procedures to evaluate the policies and procedures, business processes, personnel, and internal control systems of financial institutions and technology service providers. Retail payment system services include checks and share draft item processing, bankcards, payment cards, ACH, EFT/POS networks, electronic bill payment, person-to-person (P2P) and account-to-account (A2A) payment systems, and many other products and services resulting from emerging advances in technology. The examination scope should be based upon the risk profile of the financial institution or the technology service provider. The risk profile is determined through an assessment of the entity's risk environment and quality of risk management practices. This assessment should consider the formal policies and procedures established to provide these services, as well as the effectiveness of the financial institution's underlying internal control environment, including information security, business continuity, disaster recovery, and vendor management programs.
Retail payment services expose financial institutions to numerous risks, including legal, compliance, strategic, operational, credit, and liquidity risk. Depending on the complexity of retail payment system activity, the scope of the examination may require an integrated team approach that includes the knowledge, skills, and expertise of IT, credit, and compliance specialists.
The examination procedures may be part of either an IT or safety and soundness examination. Examiners can use the procedures in their entirety or in a modular fashion to focus on particular retail payment system products, services, or business lines. Depending on the size, complexity and risk profile of the financial institution or technology service provider, not all of the procedures may be necessary to develop overall conclusions. The examination of retail payment services may also support the institution's BSA/AML examination, which requires an evaluation of related risks in retail payment services.
The primary objectives of the Tier I procedures are to evaluate the effectiveness of the internal controls and risk management processes implemented by the financial institution or the technology service provider. Examiners should use the Tier II procedures to expand the scope of the examination further if the risk profile or organization's complexity requires additional information to establish comprehensive and accurate examination conclusions.
Objective 1: Assess the level of risk in the retail payment systems function.
1. Determine the types of retail payment products and services offered. Consider the following:
2. Determine whether new retail payment products and emerging technologies pose increased risk due to the lack of maturity of the respective control environments. Consider:
3. Determine if the quality of management and staff, and the staffing levels are adequate for the specific retail payment products and processes the institution provides.
4. Determine if the quality of process design and control points are adequate for existing retail products, and if these factors are considered for new products. Consider whether:
5. Evaluate the use of in-house and outsourced data processing systems to support retail payment products and processes. Consider:
Objective 2: Establish the scope and objectives of the examination of the retail payment systems function.
1. Review previous reports of examination for comments relating to retail payment systems. Review:
2. Review past examination reports for comments relating to the institution's internal control environment and technical infrastructure. Review:
3. Review the financial institution's risk and control assessments for comments relating to retail payment systems. Review the following risk assessments:
4. Identify and obtain, during discussions with management of the financial institution or service provider:
5. Review the financial institution's response to any retail payment systems issues raised at the last examination and any internal audits conducted since last review. Determine:
Objective 3: Assess the quality of oversight and support provided by the board of directors and management.
1. Determine the quality and effectiveness of the financial institution's retail payment systems management function. Consider:
2. Assess management's ability to manage outsourced relationships with technology service providers. Consider:
3. Evaluate the adequacy and effectiveness of financial institution and service provider contingency and business continuity planning. Consider:
4. Evaluate retail payment system business line staff. Consider:
Objective 4: Assess the quality of policies, procedures, and limits supporting retail payment services.
1. Review policies, procedures, and limits for supporting all retail payment services.
2. Review staff training programs and determine if they are appropriate for supporting policies.
3. Determine whether the institution monitors compliance with policies, procedures, and limits.
Objective 5: Assess the quality of management information systems and reports used to manage retail payment services.
1. Review management reports for all retail payment services including reports from service providers.
Objective 6: Assess the quality of risk management and support for bankcard issuance and acquiring (merchant processing) activity.
1. Evaluate financial institution adherence to bankcard company rules and bylaws and regulatory requirements.
2. Evaluate whether card issuance processing is outsourced to a third party. If yes, evaluate the vendor management controls in place to govern the activities listed in steps 3 and 4.
3. Review internal procedures employed for each bankcard product and assess:
4. Determine whether the audit function periodically performs an inventory of all bankcards at each location owned or operated by the institution and that each location is included in the audit program, either directly or indirectly (e.g., as part of a branch audit).
5. Determine whether management has established inventory systems that include quality control activities such as self-monitoring for data accuracy.
6. Review a sample of consumer contracts for each bankcard service to ensure they describe adequately the responsibilities and liabilities of the institution and its customers (compliance with Regulation Z).
7. Evaluate the effectiveness of internal clearance and settlement activity as it relates to customer bankcard transactions. Consider the adequacy of:
8. Evaluate the effectiveness of internal credit monitoring and card authorization performed by the financial institution. Consider the adequacy of:
9. For financial institutions directly involved in, or that outsource, bankcard acquiring (merchant processing) services, determine the appropriateness of controls over merchant services and ISO/MSP relationships. Consider the adequacy of:
Objective 7: Assess the quality of risk management and support for EFT/POS processing activity.
1. Evaluate the financial institution's compliance with interchange rules and bylaws.
2. Review internal procedures employed for generating active ATM cards. Consider:
3. Determine whether the audit function periodically performs an inventory of unused ATM card stock at each location owned or operated by the institution and that each location is included in the audit program, either directly or indirectly (e.g., as part of a branch audit).
4. Review a sample of consumer contracts for ATM services to ensure they adequately set forth responsibilities and liabilities of the institution and the customer. Evaluate compliance with applicable regulations.
5. Evaluate the effectiveness of internal clearance and settlement activities as it relates to customer ATM transactions. Consider whether:
Objective 8: Assess the quality of risk management and support for ACH processing activity.
1. Evaluate the financial institution's adherence to NACHA and clearing house operating rules and regulations.
2. Review operational reports showing monthly or quarterly ACH debit and credit activity and, if possible, compare levels with peer financial institutions. If ACH activity is greater than peer, determine whether the institution is an originating depository financial institution (ODFI). Obtain reports listing those customers for which it originates and the volumes (number of items and dollars) originated. Be sure to ask for all customers that use the ODFI's originating account number with the Federal Reserve or EPN.
3. If the institution has bilateral clearing arrangements with other institutions, review the underlying contracts and determine how the institution monitors compliance with the contracts.
4. If the institution uses a technology service provider, determine whether it performed appropriate due diligence prior to engagement and has appropriate contractual agreements governing the relationship. Determine whether the institution monitors compliance with the governing contract. Determine if the institution has an adequate business continuity plan in the event the technology service provider experiences a service disruption.
5. If the institution is an ODFI and permits third-party sender payments, determine whether it requires the third-party sender to establish the identity of each originator using commercially reasonable methods to warrant that the originators will assume their responsibilities under NACHA rules and to warrant that it will assume the liabilities of the ODFI. Determine whether the ODFI has established limits and monitoring of the third-party sender's creditworthiness relative to its underlying originators and the nature and type of ACH activity that it warrants.
6. Determine whether the ODFI's contractual agreements with each originator clearly define the specific terms for funds availability.
7. Determine whether the institution has taken steps to ensure that originators are properly educated about their obligations for handling ARC and POP source documentation and all other NACHA rules.
8. Review policies and procedures for acquisition of originating customers and determine the appropriateness of these policies for the risk profile and risk management capabilities of the financial institution. Determine whether the policies identify and seek to limit exposure to higher-risk customers, such as adult entertainment and online gambling firms, adult bookstores, escort services, and massage parlors.
9. Review policies and procedures in place to monitor originating customer balances for credit payments (e.g., payroll) to ensure payments are made against collected funds or established credit limits and daily caps. Also determine whether payments in excess of established credit limits and daily caps are properly authorized.
10. Determine whether the institution treats deposits resulting from ACH transmitted debits on other accounts as uncollected funds until there is reasonable assurance the debits have been paid by the institution on which they were drawn. Also, determine whether management monitors drawings against uncollected funds to ensure they are within established guidelines.
11. Review a sample of contracts authorizing the institution to originate ACH items for customers and determine whether they adequately set forth the responsibilities of the institution and customer. Determine:
12. Determine whether the institution has a process in place for monitoring and acting on returned items, including items handled by third-party vendors, where applicable.
13. Determine whether the institution uses risk management reports that are appropriate to the ACH activities and level of risk.
14. Determine whether ACH activities are considered in the institution's overall business continuity plans and insurance program.
15. Determine whether management monitors originating customers for unreasonable numbers of unauthorized ACH debits. If the volume of unauthorized ACH debits is high, it could expose the institution to greater loss.
16. Determine whether management has addressed international ACH requirements, where applicable.
Objective 9: Assess the quality of risk management and support for electronic banking related retail payment transaction processing.
1. Determine the extent to which the financial institution engages in retail payment systems, including bill payment, prepaid cards, wireless systems, contactless payment devices, remote check capture, lock-box services that provide ACH check conversion or check truncation, and P2P and A2A payments. Consider:
2. Evaluate the financial institution's ability to manage the development and implementation of new retail payment services, focusing on effectiveness of internal controls and provisions of consumer compliance regulations. Consider:
3. Evaluate the financial institution's ability to incorporate new retail payment product offerings into its existing retail business lines and its effectiveness in including these product offerings in its traditional retail payment operations. Consider:
Objective 10: Assess the quality of risk management and support for checks.
1. Determine whether the accounting department handles check return item processing appropriately, reconciling all aged items.
2. If the institution offers its customers RDC services, review the appropriateness of:
3. Determine whether the institution uses electronic check presentment (ECP) for payment. If yes, determine:
Objective 11: Assess the quality of risk management for new and emerging technology risks.
1. Determine the institution's processes for evaluating and deploying new and emerging technologies for retail payment systems. Of particular concern are retail payment products and services that do not use established networks such as ACH, or that extend operational processes to the customer location, as with RDC. Determine:
2. Assess the vendor management program over the technology service providers offering new and emerging technologies for retail payment systems. Determine:
1. Determine the need to conduct Tier II procedures for additional validation to support conclusions related to any of the Tier I objectives.
2. From the procedures performed, including any Tier II procedures performed:
3. Review your preliminary conclusions with the examiner-in-charge (EIC) regarding:
4. Discuss your findings with management and obtain proposed corrective action, within reasonable timeframes, for significant deficiencies.
5. Document your conclusions in a memo to the EIC providing report-ready comments for all relevant sections of the FFIEC report of examination (ROE) and guidance to future examiners.
6. Organize work papers to ensure clear support for significant findings and conclusions.
Examination Objective: The Tier II Retail Payment Systems Examination Procedures provide additional validation steps to verify the effectiveness of a financial institution's internal control processes over ACH, EFT/POS network, check item, electronic banking-related retail payments, and bankcard processing, clearance, and settlement. These procedures assist in achieving examination objectives, and examiners may use them in their entirety or selectively, depending upon the scope of the examination and the need for additional verification.
Examiners should coordinate this coverage with other examiners involved in assessing the institution's information systems, operations, information security, business continuity planning, and vendor management effectiveness to avoid duplication of effort and to ensure there is an adequate understanding of the control environment as it pertains to retail payment business lines.
The procedures provided in this section should not be construed as requirements for control implementation. The selection of controls and control implementation should be guided by the risk profile of the institution. Therefore, the controls necessary for any single institution or any given area may differ from those noted in the following procedures.
The Tier II Retail Payment Systems Examination Procedures provide additional validation procedures verifying the effectiveness of a financial institution's internal control processes over ACH processing, EFT/POS network processing, check item processing, electronic banking-related retail payments processing, and bankcard processing, clearance, and settlement. These procedures assist in achieving examination objectives, and examiners may use them in their entirety or selectively. Examiners should coordinate this coverage with other examiners involved in assessing the institution's information systems, operations, information security, and vendor management effectiveness to ensure there is an adequate understanding of the control environment as it pertains to retail payment business lines and to avoid duplication of effort.
A. EFT/POS and Bankcard Agreements and Contracts
1. If the financial institution is a participant in a shared EFT/POS network or if it contracts with third-party bankcard-issuing or -acquiring processing service providers, determine whether:
2. Determine whether management periodically reviews individual sites providing retail EFT/POS and bankcard services to ensure policies, procedures, security measures, and equipment maintenance requirements are appropriate.
3. For retail EFT/POS and bankcard transaction processing activities contracted to third-party service providers, assess the adequacy of the review process performed by management regarding annual financial statements, audit reports, and Payment Card Industry (PCI) Data Security Standard assessment.
B. Personal Identification Numbers (PINs)
1. Assess staff access to PIN data. Ensure there is separation of duties between staff responsible for card operations and staff responsible for preparing or issuing bankcards.
2. Assess the adequacy of the PIN generation process. Ensure there is separation of duties between staff responsible for PIN generation and staff responsible for opening accounts or with access to customer account information.
3. For new PIN issuance, assess the adequacy of control procedures including accountability assigned to staff initiating such transactions.
4. Assess the adequacy of PIN generation and issuance procedures to determine whether they preclude matching an assigned PIN to a customer's account number or bankcard.
5. Assess the adequacy of the threshold for unsuccessful PIN attempts against customer account information and funds. The threshold parameter should be set at a reasonable number of unsuccessful attempts, after which further attempts are blocked.
6. Assess the level of PIN encryption when stored on computer files or transmitted over telecommunication lines.
7. If resets are allowed, assess the adequacy of procedures and controls for PIN/password resets. The use of single-use and temporary PINs/passwords is preferred.
8. Assess the adequacy of procedures for prohibiting PIN information from being disclosed over the telephone.
9. Assess staff access to PIN-related databases and determine if management restricts access to authorized personnel. Assess database maintenance activities to ensure management closely supervises and logs staff access.
10. Assess the adequacy of customer PIN selection criteria, focusing on whether the institution discourages or prevents customers from using common words, social security numbers, sequences of numbers, or words or numbers that can easily identify the customer.
C. Information Security
1. Evaluate the logical and physical security controls to ensure the availability and integrity of production retail payment systems applications. Determine:
2. Evaluate the effectiveness of all logical access controls assigned for staff responsible for retail payment-related services. Determine:
3. Evaluate the security procedures for periodic password changes, the encryption of password files, password suppression on terminals, and automatic shutdown of terminals not in use.
4. Assess whether the institution encrypts telecommunications lines used to receive and transmit retail customer and financial institution counterparty data. If not encrypted, evaluate the compensating controls to secure retail payment data in transit. Assess whether any connecting technology service provider's networks used to transport transactions are transporting transaction data in the clear (not encrypted) or use weak forms of encryption.
5. Assess whether merchants use sufficient encryption for wireless sales terminal activity transmitting sensitive customer information.
6. Assess whether the customer information being stored exceeds what industry standards (e.g., the PCI Data Security Standard) permit.
D. Card Issuance
1. Assess bankcard issuance activities, and review control procedures. Determine whether management:
2. Assess effectiveness of the dual control procedures for blank card stock in each of the encoding, embossing, and mailing steps.
3. Assess adequacy of physical access controls for card encoding areas. Management should allow access to authorized personnel only.
4. Assess whether inventory controls for plastic card stock make them physically secure.
5. Assess whether management restricts the use of bankcard encoding equipment to authorized personnel only.
6. Assess adequacy of procedures for issuing cards from more than one location (e.g., branches) to ensure there are accountability and bankcard control procedures at each card-issuing location.
7. Assess adequacy of institution card-mailing procedures. Ensure the institution mails the card and associated PIN to customers in separate envelopes. Also ensure that the return address does not identify the institution.
8. Assess whether mailing procedures provide for a sufficient time between the card and PIN mailings.
9. Assess adequacy of returned card procedures. Determine whether adequate controls are in place to ensure returned cards are not sent to staff with access to, or responsibility for, issuing cards.
10. Assess whether there is appropriate follow-up to determine whether the correct customer received the card and PIN.
11. Assess the adequacy of control procedures (e.g., hot card lists and expiration dates) to limit the period of exposure if a card is lost, stolen, or purposely misused.
12. Determine whether the institution destroys captured and spoiled cards under dual control and maintains records of all destroyed cards.
13. Assess whether the institution adequately controls test or demonstration cards.
14. Assess whether management maintains satisfactory controls over the issuance of replacement or additional cards to the customer (e.g., temporary access cards issued to the customer).
15. Assess the adequacy of the vendor management program to determine whether the institution reviews card issuance services contracted to third parties for compliance with appropriate bankcard control procedures.
E. Business Continuity Planning
1. Assess the adequacy of the financial institution's business continuity plans for a partial or complete failure of each retail payment system. Determine whether the plans include:
F. EFT/POS and Bankcard Accounting and Transaction Processing
1. Assess the adequacy of reconciliation processes for general ledger accounts related to bankcard and debit card transaction processing activity. Determine whether:
2. Assess the adequacy of the daily settlement process for institutions participating in shared EFT/POS networks or gateway systems.
3. Assess the adequacy of transaction reconstruction procedures. Transaction files should be duplicated or otherwise retained for a minimum of 60 days, as required by Regulation E, in order to identify unauthorized transactions.
4. Assess the adequacy of the investigative unit in place to address customer inquiries and control non-posted items, rejects, and differences. Management should periodically receive aging reports that list outstanding items.
5. Assess the adequacy of separation of duties for the bankcard and EFT/POS account posting process, including receipt of transactions, file updates, adjustments, internal reconcilement, preparation of general ledger entries, posting to customers' accounts, investigations, and reconcilement with third-party service provider network switches and card processors.
6. Assess the effectiveness and accuracy of the adjustment process (e.g., changes to deposits and reversals) relating to retail EFT/POS and bankcard transactions processed by staff.
7. For institutions involved in bankcard issuing or acquiring services, determine whether the institution has established:
G. EFT/POS Operational Controls
1. Assess the effectiveness of personnel responsible for internal ATM processing. Determine whether there are:
2. Determine whether terminal and operator identification codes are used for all retail ATM and POS transactions.
3. Assess the adequacy of controls in place to prevent customer charges from exceeding the available balance in the account or approved overdraft lines.
4. Assess the adequacy of access controls for terminals used to change customer credit lines and account information.
5. Determine whether retail EFT equipment keyboards or display units are properly shielded to avoid disclosure of customer IDs or PINs.
6. Determine whether receipt issuance ensures customers receive a receipt showing the amount, date, time, and location for retail EFT transactions in compliance with Regulation E.
7. Assess whether each retail EFT transaction is assigned a sequence number and terminal ID to provide an audit trail.
8. Assess whether the institution regularly updates hot card or customer suspect lists and distributes them to branch banking locations.
9. Assess the adequacy of verification procedures for telephone-initiated payments or transfers and ensure confirmations are promptly sent to customers and merchants.
10. Assess the adequacy of security devices and access control procedures for EFT/POS, bankcard, and acquiring processing facilities to ensure appropriate physical and logical access controls are in place.
H. ACH ODFI and RDFI Responsibilities
1. Determine whether agreements between the ODFI and originators adequately address:
2. Determine whether the ODFI has established procedures to monitor the creditworthiness of its originator customers on an ongoing basis. Determine whether:
3. Determine whether the ODFI has established ACH exposure limits for originators. Determine whether:
4. Determine whether the ODFI reviews exposure limits periodically. Determine whether:
5. Determine whether the ODFI has implemented procedures to monitor ACH entries initiated by an originator relative to its exposure limit across multiple settlement dates. Determine whether:
6. Assess the RDFI's overdraft and funds availability policies and practices and determine whether they adequately mitigate its credit exposures to ACH transactions.
7. Determine the adequacy of the ODFI's practices regarding originators' annual or more frequent security audits of physical, logical, and network security. Determine whether:
8. Determine how the ODFI or RDFI manages its relationship with technology service providers. Determine whether:
9. Determine whether the ODFI allows technology service providers direct access to an ACH operator. Consider whether agreements between the ODFI and the service providers include:
10. Determine whether the RDFI has established procedures to deal with consumers' notifications regarding unauthorized or improperly originated entries or entries where authorization was revoked.
11. Determine whether the RDFI acts promptly on consumers' stop-payment orders.
12. Determine whether the RDFI has procedures that enable it to freeze proceeds of ACH transactions in favor of blocked parties (under OFAC sanctions) for whom the RDFI holds an account.
13. Determine whether the financial institution considers the volume of its uncollected ACH transactions as part of its liquidity risk management practices.
14. Determine whether management and personnel display adequate knowledge and technical skills in managing and performing duties related to ACH transactions.
15. Review results from the financial institution's NACHA rule compliance audit. Determine:
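Items H.3 through H.5 ask whether the ODFI sets an exposure limit per originator and monitors entries against it across multiple settlement dates, not just within a single day's file. The following is an added illustration of such a monitor, not code from the FFIEC or any ACH operator: it treats every entry that is warehoused for a future settlement date, or that settled recently enough to still be returned, as open exposure, and holds a new entry for credit approval when the aggregate would exceed the limit. The window lengths, originator names, and amounts are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class AchEntry:
    originator_id: str    # company identification carried in the batch header
    settlement_date: date
    amount_cents: int     # always positive; direction is given by is_debit
    is_debit: bool


@dataclass(frozen=True)
class ExposureLimit:
    originator_id: str
    credit_limit_cents: int
    debit_limit_cents: int
    # Assumed windows (hypothetical values an ODFI's credit policy would set):
    # a credit stays open until it has settled and been funded; a debit stays
    # open for as long as it can still be returned against the originator.
    credit_window_days: int = 2
    debit_window_days: int = 60


def is_open(entry: AchEntry, limit: ExposureLimit, as_of: date) -> bool:
    """An entry counts against the limit from release (it may be warehoused for a
    future settlement date) until its settlement date plus the policy window."""
    window = limit.debit_window_days if entry.is_debit else limit.credit_window_days
    return as_of <= entry.settlement_date + timedelta(days=window)


def exposure_by_settlement_date(entries, limit, as_of):
    """Open exposure for one originator broken out by settlement date and
    direction, so the aggregate across several dates is visible on a report."""
    totals = defaultdict(lambda: {"credit": 0, "debit": 0})
    for e in entries:
        if e.originator_id == limit.originator_id and is_open(e, limit, as_of):
            totals[e.settlement_date]["debit" if e.is_debit else "credit"] += e.amount_cents
    return dict(totals)


def aggregate_exposure(entries, limit, as_of):
    """Total open credit and debit exposure across all settlement dates."""
    credit = debit = 0
    for bucket in exposure_by_settlement_date(entries, limit, as_of).values():
        credit += bucket["credit"]
        debit += bucket["debit"]
    return credit, debit


def evaluate_entry(entries, limit, new_entry, as_of):
    """Decide whether a newly presented entry fits under the originator's limit
    once every still-open entry on earlier and later settlement dates is counted."""
    if new_entry.originator_id != limit.originator_id:
        raise ValueError("limit does not belong to this originator")
    credit, debit = aggregate_exposure(entries, limit, as_of)
    if new_entry.is_debit:
        open_cents, cap, direction = debit, limit.debit_limit_cents, "debit"
    else:
        open_cents, cap, direction = credit, limit.credit_limit_cents, "credit"
    projected = open_cents + new_entry.amount_cents
    decision = "accept" if projected <= cap else "hold_for_credit_approval"
    return {"direction": direction, "open_cents": open_cents,
            "projected_cents": projected, "limit_cents": cap, "decision": decision}


# Constructed sample data; originator names and amounts are fictitious.
LIMIT = ExposureLimit("PAYROLLCO", credit_limit_cents=500_000_00, debit_limit_cents=100_000_00)
HISTORY = [
    AchEntry("PAYROLLCO", date(2024, 2, 26), 150_000_00, False),  # settled and funded: closed
    AchEntry("PAYROLLCO", date(2024, 3, 4), 250_000_00, False),   # settles today
    AchEntry("PAYROLLCO", date(2024, 3, 5), 200_000_00, False),   # warehoused for tomorrow
    AchEntry("PAYROLLCO", date(2024, 1, 15), 50_000_00, True),    # debit still in return window
    AchEntry("OTHERCO", date(2024, 3, 4), 900_000_00, False),     # different originator: ignored
]
AS_OF = date(2024, 3, 4)


def demo():
    """A $100,000 credit that would breach the limit only when the warehoused
    entries are counted, and a $40,000 debit that fits under the debit limit."""
    over = evaluate_entry(HISTORY, LIMIT, AchEntry("PAYROLLCO", date(2024, 3, 6), 100_000_00, False), AS_OF)
    under = evaluate_entry(HISTORY, LIMIT, AchEntry("PAYROLLCO", date(2024, 3, 4), 40_000_00, True), AS_OF)
    return over, under


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The same aggregate can be compared against the originator's collected balances or credit line to support the prefunding and uncollected-funds checks in section J.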
I. ACH Accounting and Transaction Processing
1. Assess the adequacy of logs maintained for ACH payments received from, and delivered to, each customer.
2. Assess the adequacy of the balancing procedures used for all ACH payments received and whether they include balancing to the aggregate payments sent to an ACH operator.
3. Determine whether the institution balances all payments received from an ACH operator to the aggregate of payments delivered to customers.
4. Determine whether the institution verifies and authorizes the source of all ACH files received for processing.
5. Determine whether the institution reconciles all general ledger accounts related to ACH activities on a timely basis.
6. Determine whether ACH supervisory personnel perform reconcilement and regularly review exception items.
7. Determine whether the institution reconciles the ACH activity and pending file totals daily with the ACH operator.
8. Assess the effectiveness of the reconcilement with third-party service providers preparing ACH transaction files and ensure daily reconciliation.
9. Assess the effectiveness of ACH holdover transactions and determine whether the institution adequately controls them.
10. Determine whether accounting staff reconciles individual outgoing ACH batches before merging them with other ACH transactions.
11. Determine whether there are separate accounts to control holdovers, adjustments, return items, rejects, etc. and whether they are periodically reconciled.
12. Assess the effectiveness of the investigation unit to address customer inquiries and control return items, rejected/unposted items, differences, etc. Determine whether the unit periodically generates aging reports of outstanding items for management.
13. Assess whether management adequately tracks exceptions to credit limit policies and legal contracts.
14. Determine whether exception reports (e.g., rejects, return items, and aging of open items) receive appropriate management attention.
15. Assess the adequacy of separation of duties throughout the ACH process including origination, data entry, adjustments, internal reconcilement, preparing general ledger entries, posting to customer accounts, investigations, and reconcilement with ACH operators.
16. Determine whether adjustments (e.g., added payments, stop payments, reroutes, and reversals) to original ACH instructions are received in an area that does not have access to the original data files.
17. Assess whether controls are appropriate for the adjustment process, including authorization (e.g., signature verification and callbacks on telephone instructions) and whether the institution maintains adequate records (e.g., logs and taping of telephone calls) of individuals making requests.
18. Determine the adequacy of the customer profile origination and change request process. Consider whether requests:
J. ACH Funding and Credit
1. Assess the adequacy of the process for releasing payments to an ACH operator, and determine whether assurances are obtained that sufficient collected funds (e.g., on deposit or prefunded) or credit facilities are available. The institution should monitor customer intraday and interday positions based on defined thresholds.
2. For third-party service providers contracted to process outgoing ACH transactions, determine whether there are procedures to monitor ACH activity and ensure that funds are collected (collected balances, prefunding, credit lines) before the institution settles with the ACH operator.
3. For prefunding arrangements in place for customers without credit lines, determine whether management blocks funds (held for disposition) or maintains them in separate accounts until the transaction date.
4. For non-prefunded arrangements, determine whether the institution places blocks on outgoing payments to deposit accounts, applies them as reductions to credit lines, or includes them in the overall funds transfer monitoring process.
5. Determine whether management approves payments resulting in extensions of credit lines or drawings against uncollected funds and retains documentation to support the approvals. Determine whether the institution performs credit assessments of customers originating large dollar volumes of ACH credit transactions. Credit assessments should also be reviewed periodically to evaluate the creditworthiness of the customer and current economic conditions.
6. Determine whether management treats ACH debits deposited as uncollected funds and whether it monitors any draws against these funds for debits originated by high-risk customers.
7. Determine whether management approves draws against uncollected ACH deposits and maintains documentation to support approvals for debits originated by high-risk customers.
8. Determine the adequacy of Internet and telephone ACH transaction processing procedures and determine whether there are appropriate authentication controls and procedures to ensure the proper identities of parties invoking ACH transactions.
9. Assess the adequacy of management's risk assessment of ACH services in terms of the importance of this function to the overall corporate treasury services function.
10. Ensure that the financial institution obtains and analyzes all audits conducted by the ACH service provider, pursuant to the NACHA rule compliance audit requirement.
K. Web and Telephone-Initiated ACH Transactions
1. Determine whether the financial institution has adopted adequate policies and procedures regarding ACH transactions involving Internet-initiated (WEB) entries. Determine whether they:
2. Determine whether the ODFI has implemented telephone-initiated (TEL) ACH entries. Determine whether:
3. Determine whether the ODFI requires its originator to employ a commercially reasonable method to authenticate the consumer/business. Determine whether:
4. Determine whether the ODFI conducts risk assessments of its originators and whether they reflect a reasonable exercise of business judgment. Consider whether the risk assessment includes evaluations of:
L. ACH Contingency Plans
1. Evaluate the adequacy of the ACH contingency plan; determine whether the financial institution has tested it and whether it includes provisions for partial or complete failure of the system or communication lines between the institution, ACH operators, customers, and associated data centers.
2. Based on the volume and importance of ACH activity, evaluate whether the plan is reasonable and whether it provides for a reasonable recovery period.
3. Determine whether the institution duplicates or retains transaction files for input reconstruction for a minimum of 24 hours. Note that NACHA rules require the retention of all entries, including return and adjustment entries, transmitted to and received from the ACH for a period of six years after the date of transmittal.
4. Determine whether data and program files are adequately secured, retained, and backed up at off-premises facilities, including secured transport mechanisms for those resources.
5. Determine whether the center has established and tested procedures to recover and restore data under various contingency scenarios.
6. Determine whether the frequency and methods of testing contingency plans are adequate.
M. Check 21
(A more comprehensive set of examination procedures that are designed to test transactions can be found at the FFIEC Check 21 InfoBase at www.ffiec.gov/exam/check21/default.htm.)
1. Determine whether:
2. If a financial institution has begun to image checks or retrieve imaged checks pursuant to Check 21, determine whether the institution has the following:
3. If the financial institution is a reconverting institution pursuant to Check 21, determine whether it has the following:
4. If the financial institution accepts RCCs from retail business customers or payment processing customers, assess the appropriateness of, and adherence to, policies and procedures regarding customer due diligence, customer contracts, third-party service provider's due diligence, and activity/transaction monitoring. Consider the following elements relative to the institution's retail customers, its payment processing customers, and any processors' retail customers:
N. Remote Deposit Capture Risk Management
1. Identify the key elements of the RDC environment.
2. Assess the RDC strategic planning and the risk assessment process.
3. Customer due diligence and suitability.
4. Vendor Management
5. Contracts and Agreements
6. Insurance
7. Physical and Logical Access Controls
8. Separation of Duties
9. Oversight and Monitoring
10. Training
11. Change Management
12. Records Management
Assess the process by which financial institution management verifies customer compliance with contract requirements related to the secure retention, storage, and destruction requirements for physical deposit items and electronic files.
13. Business Continuity Planning (BCP)
14. Fraud
O. Vendor Management
Assess the adequacy of the vendor management program over a service provider that provides a new and emerging retail payment technology. (Select one or more projects involving the development and deployment of a new and emerging retail payment technology and complete the following procedures.)
1. Review documentation supporting the business case for the application
2. Assess the extent to which the institution
3. Evaluate whether the institution's due diligence considers the following:
4. Verify that the contract appropriately addresses:
5. Review service level agreements to ensure they are adequate and measurable. Determine whether:
6. Evaluate the institution's periodic monitoring of the service provider relationship(s), including: