FFIEC IT Examination Handbook, Wholesale Payment Systems Booklet
Appendix A: Examination Procedures
Tier II Examination Objectives and Procedures
Overall Objective: The Tier II examination procedures for Wholesale Payment Systems provide for additional verification procedures to evaluate the effectiveness of the financial institution's internal control processes over its wholesale payment systems, including Fedwire Funds Service funds transfer and book entry securities, CHIPS, SWIFT, payment messaging systems, net settlement, clearing and settlement systems, internally developed and off-the-shelf funds transfer systems, and web-based payment systems. These procedures are designed to assist in achieving examination objectives, and may be used in their entirety or selectively. Examiners should coordinate this coverage with other examiners involved in assessing the institution's information systems, operations, and information security effectiveness to ensure there is an adequate understanding of the control environment as it pertains to the bank's wholesale payment systems.
Objective 1: Determine if management and the board have enacted sufficient controls over funds transfer activity.
1. Determine if management and the board provide administrative direction for the funds transfer function. Ascertain whether:
2. Determine if the board and management have developed sufficient policies and procedures to ensure that the following are reviewed:
3. Determine if the board and senior management develop and support adequate user access procedures and controls for funds transfer requests. Assess whether the institution:
4. Determine if management maintains authorization lists from its customers that use the funds transfer system. Verify:
5. Determine if the institution has dual control procedures that prohibit persons who receive transfer requests from transmitting or accounting for those requests.
Objective 2: Determine the adequacy of the internal and external audit reviews of the funds transfer area.
1. Review the internal and external audit function to determine if the scope and frequency of audit review for the funds transfer area is adequate. Review:
2. Obtain and review internal and external audit reports to ensure they provide an adequate appraisal of the funds transfer function to management.
3. Review management's response to audit reports to ensure the institution takes prompt and appropriate corrective action. Ensure there is adequate tracking and resolution of outstanding exceptions.
Objective 3: Determine if there are adequate written documents outlining the funds transfer operating procedures.
1. Obtain the institution's written procedures for employees in the incoming, preparation, data entry, balance verification, transmission, accounting, reconciling and security functions of the funds transfer area. Determine if management reviews and approves the procedures periodically. Determine if the procedures address:
Objective 4: Determine the adequacy of institution controls over funds transfer requests.
1. Determine if institution personnel use standard, sequentially numbered forms to initiate funds transfer requests.
2. Determine if the institution has an approved request authentication system.
3. Determine if the institution has adequate security procedures for requests received from customers via telex, on-line terminals, telephone, fax, or written instructions. Determine if management:
4. Determine if the institution records incoming and outgoing telephone transfer requests. Also determine if the institution notifies the customer that calls are recorded (e.g., through written contracts, audible signals).
5. Determine if the institution maintains sequence control internally for requests processed by the funds transfer function.
6. Ascertain whether the financial institution records transfer requests in a log or another bank record prior to execution.
7. Determine if the institution has guidelines for the information to be obtained from a customer making a funds transfer request. The request should contain:
Objective 5: Determine if there are adequate controls over the institution's use of test keys for authentication.
1. Determine if all message and transfer requests that require testing are authenticated with a test key. If so, determine whether:
2. Obtain and review management's test key user access list to determine if:
Objective 6: Determine if agreements concerning funds transfer activities with customers, correspondent banks, and service providers are adequate and clearly define rights and responsibilities.
1. Obtain any material agreements or contracts concerning funds transfer services between the financial institution and correspondent banks, service providers and operators (e.g., Federal Reserve Bank and CHIPS). Review the agreements to determine if they:
2. Obtain a sample of customer agreements regarding funds transfer activity and review it for compliance with applicable sections of the Uniform Commercial Code. Consider if:
Objective 7: Review the institution's payment processing and accounting controls to determine the integrity of funds transfer data and the adequacy of the separation of duties.
1. Review the institution's reconcilement policies and procedures as they relate to the funds transfer department. Determine if:
2. Determine if the institution's daily processing policies and procedures are adequate to ensure data integrity and independent review of funds transfer activity. Determine if:
3. Determine if there is adequate oversight of the funds transfer department. Ensure:
4. Determine if the institution has documented any operational or credit losses that it has incurred, the reason the losses occurred, and actions taken by management to prevent future loss occurrences.
5. Determine if the institution maintains adequate records as required by the Currency and Foreign Transactions Reporting Act of 1970 (also known as the Bank Secrecy Act) and the USA PATRIOT Act.
Objective 8: Determine the adequacy of the institution's personnel policies governing the funds transfer function.
1. Obtain and review the institution's personnel policies to assess the procedures and controls over hiring new employees. Determine if:
2. Assess management's personnel policies regarding current employees in the funds transfer department. Determine if:
Objective 9: Determine if the institution has enacted sufficient physical and logical security to protect the data security of the funds transfer department.
1. Obtain, review, and test the policies and procedures regarding the physical security of the funds transfer department. Determine if:
2. Obtain and review policies and procedures regarding wire transfer password controls to determine if they are adequate. Consider whether:
3. Review funds transfer system user access profiles to ensure that:
4. Review the institution's access controls to determine if terminals in the funds transfer area are shut down or locked out when not in use or after business hours. Determine:
5. Determine if the institution's training program adequately protects the integrity of funds transfer data. Ensure:
Objective 10: Review the adequacy of backup, contingency, and business continuity plans for the funds transfer function.
1. Obtain the institution's written contingency and business continuity plans for partial or complete failure of the systems and/or communication lines between the bank and correspondent bank, service provider, CHIPS, Federal Reserve Bank, and data centers. Consider if:
2. Review the institution's policies and procedures regarding back-up systems. Assess whether:
Objective 11: Determine if the institution adequately monitors intraday and overnight overdrafts. Ensure that management applies appropriate credit standards to customers that incur overdrafts.
1. Determine if management has developed procedures to approve customer use of daylight or overnight overdrafts, including assigning appropriate approval authority to officers. Obtain and review a list of officers authorized to approve overdrafts and their approval authority, a current list of borrowers authorized to incur daylight and overnight overdrafts, and a sample of overdraft activity. Determine if:
2. Review the institution's policies and procedures regarding overdrafts to ensure they prohibit transfers of funds against accounts that do not have collected balances or preauthorized credit availability. Determine if:
3. If required as a participant of a net settlement system, determine whether management sets and approves bilateral credit limits based on a formal credit analysis.
4. If the institution is an Edge Act Corporation, determine whether intraday and overnight overdrafts comply with Regulation K.
Objective 12: Review and determine the adequacy of the institution's controls over incoming funds transfers.
1. Review policies and procedures regarding incoming funds transfers. Select a sample of incoming funds transfers and review them to determine if:
Objective 13: Determine if the institution complies with the Federal Reserve Policy Statement on Payments System Risk.
1. Determine if the institution incurs overdrafts in its Federal Reserve account. If so, consider if:
Objective 14: Review the institution's policies and procedures regarding the release of payment orders to assess the adequacy of controls.
1. Determine whether all incoming and outgoing payment orders and messages are received in the funds transfer area.
2. Obtain a sample of payment orders. Determine if the payment orders are:
3. Determine if current lists of authorized signatures are maintained in the wire transfer area. Ensure the lists indicate the amount of funds that individuals are authorized to release.
4. Assess whether there are adequate dual controls over the review of payment orders and message requests. Determine whether an independent employee reviews the requests for the propriety of the transaction and for future dates, especially on multiple transaction requests.
Objective 15: Coordinate the review of wholesale payment systems with examiners in charge of reviewing other information technology risks.
1. In discussion with other examiners, ensure that management applies corporate-wide information technology policies and procedures (e.g., development and acquisition, operational security, environmental controls, etc.) to the funds transfer department. If any discrepancies exist, determine their severity and document any corrective actions.