EXAMINATION OBJECTIVE: Examiners should use the
following Tier I and Tier II Retail Payment Systems examination
procedures to evaluate the policies and procedures, business
processes, personnel, and internal control systems of financial
institutions and technology service providers. Retail payment
system services include checks and share draft item processing,
bankcards, payment cards, ACH, EFT/POS networks, electronic bill
payment, person-to-person (P2P) and account-to-account (A2A)
payment systems, and many other products and services resulting
from emerging advances in technology. The examination scope should
be based upon the risk profile of the financial institution or the
technology service provider. The risk profile is determined through
an assessment of the entity's risk environment and quality of risk
management practices. This assessment should consider the formal
policies and procedures established to provide these services, as
well as the effectiveness of the financial institution's underlying
internal control environment, including information security,
business continuity, disaster recovery, and vendor management.
Retail payment services expose
financial institutions to numerous risks, including legal,
compliance, strategic, operational, credit and liquidity. Depending
on the complexity of retail payment system activity, the scope of
the examination may require an integrated team approach that
includes the knowledge, skills, and expertise of IT, credit, and
The examination procedures may be part
of either an IT or safety and soundness examination. Examiners can
use the procedures in their entirety or in a modular fashion to
focus on particular retail payment system products, services, or
business lines. Depending on the size, complexity and risk profile
of the financial institution or technology service provider, not
all of the procedures may be necessary to develop overall
conclusions. The examination of retail payment services may also
support the institution's BSA/AML examination, which requires an
evaluation of related risks in retail payment services.
The primary objectives of the Tier I
procedures are to evaluate the effectiveness of the internal
controls and risk management processes implemented by the financial
institution or the technology service provider. Examiners should
use the Tier II procedures to expand the scope of the examination
further if the risk profile or organization's complexity requires
additional information to establish comprehensive and accurate
Objective 1: Assess the level of risk in retail
payment systems function.
1. Determine the types of retail payment products and
services offered. Consider the following:
2. Determine whether new retail payment products and emerging
technologies pose increased risk due to the lack of maturity of
the respective control environments. Consider:
3. Determine if the quality of management and staff, and the
staffing levels are adequate for the specific retail payment
products and processes the institution provides.
4. Determine if the quality of process design and control points
are adequate for existing retail products, and if these factors are
considered for new products. Consider whether:
5. Evaluate the use of in-house and outsourced data processing
systems to support retail payment products and processes.
Objective 2: Establish the scope and objectives of
the examination of the retail payment systems function.
1. Review previous reports of examination for comments
relating to retail payment systems. Review:
2. Review past examination reports for comments relating to the
institution's internal control environment and technical
3. Review the financial institution's risk and control
assessments for comments relating to retail payment systems. Review
the following risk assessments:
4. Identify and obtain during discussions with management of
financial institution or service provider:
5. Review the financial institution's response to any retail
payment systems issues raised at the last examination and any
internal audits conducted since last review. Determine:
Objective 3: Assess the quality of oversight and
support provided by the board of directors and management.
1. Determine the quality and effectiveness of the financial
institution's retail payment systems management function.
2. Assess management's ability to manage outsourced
relationships with technology service providers. Consider:
3. Evaluate the adequacy and effectiveness of financial
institution and service provider contingency and business
continuity planning. Consider:
4. Evaluate retail payment system business line staff.
Objective 4: Assess the quality of policies,
procedures, and limits supporting retail payment
1. Review policies, procedures, and limits for supporting all
retail payment services.
2. Review staff training programs and determine if they are
appropriate for supporting policies.
3. Determine whether the institution monitors compliance with
policies, procedures, and limits.
Objective 5: Assess the quality of management
information systems and reports used to manage retail payment
1. Review management reports for all retail payment services
including reports from service providers.
Objective 6: Assess the quality of risk management
and support for bankcard issuance and acquiring (merchant
1. Evaluate financial institution adherence to bankcard company
rules and bylaws and regulatory requirements.
2. Evaluate whether card issuance processing is outsourced to a
third party. If yes, evaluate the vendor management controls
in place to govern the activities listed in steps 3 and 4.
3. Review internal procedures employed for each bankcard product
4. Determine whether the audit function periodically performs an
inventory of all bankcards at each location owned or operated by
the institution and that each location is included in the audit
program, either directly or indirectly (e.g., as part of a branch
5. Determine whether management has established inventory
systems that include quality control activities such as
self-monitoring for data accuracy.
6. Review a sample of consumer contracts for each bankcard
service to ensure they describe adequately the responsibilities and
liabilities of the institution and its customers (compliance with
7. Evaluate the effectiveness of internal clearance and
settlement activity as it relates to customer bankcard
transactions. Consider the adequacy of:
8. Evaluate the effectiveness of internal credit monitoring and
card authorization performed by the financial institution.
Consider the adequacy of:
9. For financial institutions directly involved in, or that
outsource, bankcard acquiring (merchant processing) services,
determine the appropriateness of controls over merchant services
and ISO/MSP relationships. Consider the adequacy of:
Objective 7: Assess the quality of risk management
and support for EFT/POS processing activity.
1. Evaluate the financial institution's compliance with
interchange rules and bylaws.
2. Review internal procedures employed for generating active ATM
3. Determine whether the audit function periodically performs an
inventory of unused ATM card stock at each location owned or
operated by the institution and that each location is included in
the audit program, either directly or indirectly (e.g., as part of
a branch audit).
4. Review a sample of consumer contracts for ATM services to
ensure they adequately set forth responsibilities and liabilities
of the institution and the customer. Evaluate compliance with
5. Evaluate the effectiveness of internal clearance and
settlement activities as they relate to customer ATM transactions.
Objective 8: Assess the quality of risk management
and support for ACH processing activity.
1. Evaluate the financial institution's adherence to NACHA and
clearing house operating rules and regulations.
2. Review operational reports showing monthly or quarterly ACH
debit and credit activity and, if possible, compare levels with
peer financial institutions. If ACH activity is greater than
peer, determine whether the institution is an originating institution
(ODFI). Obtain reports listing those customers for which they
originate and the volumes (number of items and dollars)
originated. Be sure to ask for all customers that use the
ODFI's originating account number with the Federal Reserve or
3. If the institution has bilateral clearing arrangements with
other institutions, review the underlying contracts and determine
how the institution monitors compliance with the
4. If the institution uses a technology service provider,
determine whether it performed appropriate due diligence prior to
engagement and has appropriate contractual agreements governing the
relationship. Determine whether the institution monitors
compliance with the governing contract. Determine if the
institution has an adequate business continuity plan in the event
the technology service provider experiences a service
5. If the institution is an ODFI and permits third-party sender
payments, determine whether it requires the third-party sender to
establish the identity of each originator using commercially
reasonable methods to warrant that the originators will assume
their responsibilities under NACHA rules and to warrant that it
will assume the liabilities of the ODFI. Determine whether
the ODFI has established limits and monitoring of the third-party
sender's creditworthiness relative to its underlying originators
and the nature and type of ACH activity that it warrants.
6. Determine whether the ODFI's contractual agreements with each
originator clearly define the specific terms for funds
7. Determine whether the institution has taken steps to ensure
that originators are properly educated about their obligations for
handling ARC and POP source documentation and all other NACHA
8. Review policies and procedures for acquisition of originating
customers and determine the appropriateness of these policies for
the risk profile and risk management capabilities of the financial
institution. Determine whether the policies identify and seek
to limit exposure to higher-risk customers, such as adult
entertainment and online gambling firms, adult bookstores, escort
services, and massage parlors.
9. Review policies and procedures in place to monitor
originating customer balances for credit payments (e.g., payroll)
to ensure payments are made against collected funds or established
credit limits and daily caps. Also determine whether payments
in excess of established credit limits and daily caps are properly
10. Determine whether the institution treats deposits
resulting from ACH transmitted debits on other accounts as
uncollected funds until there is reasonable assurance the debits
have been paid by the institution on which they were drawn.
Also, determine whether management monitors drawings against
uncollected funds to ensure they are within established
11. Review a sample of contracts authorizing the
institution to originate ACH items for customers and determine
whether they adequately set forth the responsibilities of the
institution and customer. Determine:
12. Determine whether the institution has a process in
place for monitoring and acting on returned items, that includes
third-party vendors, where applicable.
13. Determine whether the institution uses risk management
reports that are appropriate to the ACH activities and level of
14. Determine whether ACH activities are considered in the
institution's overall business continuity plans and insurance
15. Determine whether management monitors originating
customers for unreasonable numbers of unauthorized ACH
debits. If the volume of unauthorized ACH debits is high, it
could expose the institution to greater loss.
16. Determine whether management has addressed
international ACH requirements, where applicable.
Objective 9: Assess the quality of risk management
and support for electronic banking related retail payment
1. Determine the extent to which the financial institution
engages in retail payment systems, including bill payment, prepaid
cards, wireless systems, contactless payment devices, remote check
capture, lock-box services that provide ACH check conversion or
check truncation, and P2P and A2A payments. Consider:
2. Evaluate the financial institution's ability to manage the
development and implementation of new retail payment services,
focusing on effectiveness of internal controls and provisions of
consumer compliance regulations. Consider:
3. Evaluate the financial institution's ability to incorporate
new retail payment product offerings into its existing retail
business lines and its effectiveness in including these product
offerings in its traditional retail payment operations.
Objective 10: Assess the quality of risk management
and support for checks.
1. Determine whether the accounting department handles check
return item processing appropriately, reconciling all aged
2. If the institution offers its customers RDC services, review
the appropriateness of:
3. Determine whether the institution uses electronic check
presentment (ECP) for payment. If yes, determine:
Objective 11: Assess the quality of risk management of new and
emerging technology risks.
1. Determine the institution's processes for evaluating and
deploying new and emerging technologies for retail payment
systems. Of particular concern are retail payment products
and services that do not use established networks such as ACH, or
that extend operational processes to the customer location, as with
2. Assess the vendor management program over the technology
service providers offering new and emerging technologies for retail
payment systems. Determine:
1. Determine the need to conduct Tier II procedures for
additional validation to support conclusions related to any of the
Tier I objectives.
2. From the procedures performed, including any Tier II
3. Review your preliminary conclusions with the
examiner-in-charge (EIC) regarding:
4. Discuss your findings with management and obtain proposed
corrective action, within reasonable timeframes, for significant
5. Document your conclusions in a memo to the EIC providing
report-ready comments for all relevant sections of the FFIEC report
of examination (ROE) and guidance to future examiners.
6. Organize work papers to ensure clear support for significant
findings and conclusions.
Examination Objective: The Tier II Retail
Payment Systems Examination Procedures provide additional
validation steps to verify the effectiveness of a financial
institution's internal control processes over ACH, EFT/POS network,
check item, electronic banking-related retail payments, and
bankcard processing, clearance, and settlement. These
procedures assist in achieving examination objectives, and
examiners may use them in their entirety or selectively, depending
upon the scope of the examination and the need for additional
Examiners should coordinate this coverage with other examiners
involved in assessing the institution's information systems,
operations, information security, business continuity planning, and
vendor management effectiveness to avoid duplication of effort and
to ensure there is an adequate understanding of the control
environment as it pertains to retail payment business lines.
The procedures provided in this section should not be construed
as requirements for control implementation. The selection of
controls and control implementation should be guided by the risk
profile of the institution. Therefore, the controls necessary for
any single institution or any given area may differ from those
noted in the following procedures.
A. EFT/POS and Bankcard Agreements and
1. If the financial institution is a participant in a shared
EFT/POS network or if it contracts with third-party
bankcard-issuing or -acquiring processing service providers,
2. Determine whether management periodically reviews individual
sites providing retail EFT/POS and bankcard services to ensure
policies, procedures, security measures, and equipment maintenance
requirements are appropriate.
3. For retail EFT/POS and bankcard transaction processing
activities contracted to third-party service providers, assess the
adequacy of the review process performed by management regarding
annual financial statements, audit reports, and Payment Card
Industry (PCI) Data Security Standard assessment.
B. Personal Identification Numbers (PINs)
1. Assess staff access to PIN data. Ensure there is
separation of duties between staff responsible for card operations
and staff responsible for preparing or issuing bankcards.
2. Assess the adequacy of the PIN generation process.
Ensure there is separation of duties between staff responsible for
PIN generation and staff responsible for opening accounts or with
access to customer account information.
3. For new PIN issuance, assess the adequacy of control
procedures including accountability assigned to staff initiating
4. Assess the adequacy of PIN generation and issuance procedures
to determine whether they preclude matching an assigned PIN to a
customer's account number or bankcard.
5. Assess the adequacy of threshold for PIN access attempts to
customer account information and funds. The threshold
parameter should be set at a reasonable number of unsuccessful
6. Assess the level of PIN encryption when stored on computer
files or transmitted over telecommunication lines.
7. If resets are allowed, assess the adequacy of procedures and
controls for PIN/password resets. The use of single-use and
temporary PIN/password is preferred.
8. Assess the adequacy of procedures for prohibiting PIN
information from being disclosed over the telephone.
9. Assess staff access to PIN-related databases and determine if
management restricts access to authorized personnel. Assess
database maintenance activities to ensure management closely
supervises and logs staff access.
10. Assess the adequacy of customer PIN selection
criteria, focusing on whether the institution discourages or
prevents customers from using common words, social security
numbers, sequences of numbers, or words or numbers that can easily
identify the customer.
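Procedures B.4 and B.10 describe what a PIN-selection policy should reject (sequences, repeated digits, keypad "words", and digits that can be matched to the customer's SSN, account number, card number or other identifiers). The following is an added worked example of such a screen, not code from the FFIEC handbook; the customer record layout, the keypad-word list and the minimum length are assumptions made for the example.

```python
"""Weak-PIN screening in the spirit of procedures B.4 and B.10.

Added example; the Customer fields, COMMON_WORDS and the 4-digit
minimum are assumptions, not requirements stated in the handbook.
"""
from dataclasses import dataclass
import re

# Telephone-keypad letter mapping, so "common words" keyed as digits are caught.
KEYPAD = {letter: digit
          for digit, letters in {"2": "ABC", "3": "DEF", "4": "GHI", "5": "JKL",
                                 "6": "MNO", "7": "PQRS", "8": "TUV", "9": "WXYZ"}.items()
          for letter in letters}

# Constructed list of words customers are known to key as PINs (assumption).
COMMON_WORDS = ("LOVE", "PASS", "BANK", "CASH", "GOLF", "BABY")


def word_to_digits(word: str) -> str:
    """Spell a word on the keypad, e.g. LOVE -> 5683."""
    return "".join(KEYPAD[c] for c in word.upper())


@dataclass
class Customer:
    ssn: str
    account_number: str
    card_number: str
    birth_date: str  # YYYYMMDD
    phone: str

    def identifying_digits(self) -> list:
        # Reduce every identifier to its digits so the PIN can be searched
        # anywhere inside them, not only against the last four.
        return [re.sub(r"\D", "", v) for v in
                (self.ssn, self.account_number, self.card_number,
                 self.birth_date, self.phone)]


def is_sequence(pin: str) -> bool:
    """True for an ascending or descending run such as 1234 or 8765."""
    diffs = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return diffs in ({1}, {-1})


def weak_pin_reasons(pin: str, customer: Customer) -> list:
    """Return the policy rules a candidate PIN violates (empty list = acceptable)."""
    if not pin.isdigit() or len(pin) < 4:
        return ["pin must be at least four digits"]
    reasons = []
    if len(set(pin)) == 1:
        reasons.append("repeated single digit")
    if is_sequence(pin):
        reasons.append("sequential digits")
    if pin in {word_to_digits(w) for w in COMMON_WORDS}:
        reasons.append("spells a common word on the keypad")
    if any(pin in ident for ident in customer.identifying_digits()):
        reasons.append("contained in a customer identifier (B.4 / B.10)")
    return reasons


def is_weak_pin(pin: str, customer: Customer) -> bool:
    return bool(weak_pin_reasons(pin, customer))


if __name__ == "__main__":
    # Constructed sample customer; every value is fictitious.
    sample = Customer(ssn="123-45-6789", account_number="0001234567",
                      card_number="4111 1111 1111 1111",
                      birth_date="19850417", phone="(555) 867-5309")
    for candidate in ("1234", "1111", "6789", "0417", "5683", "7392"):
        print(candidate, weak_pin_reasons(candidate, sample) or "acceptable")
```

The identifier check is deliberately a substring match rather than a last-four comparison: an examiner reviewing the procedure in B.4 will want to see that a PIN equal to any four consecutive digits of the account number or card number is rejected, not only the trailing ones.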
C. Information Security
1. Evaluate the logical and physical security controls to ensure
the availability and integrity of production retail payment systems
2. Evaluate the effectiveness of all logical access controls
assigned for staff responsible for retail payment-related
3. Evaluate the security procedures for periodic password
changes, the encryption of password files, password suppression on
terminals, and automatic shutdown of terminals not in use.
4. Assess whether the institution encrypts telecommunications
lines used to receive and transmit retail customer and financial
institution counterparty data. If not encrypted, evaluate the
compensating controls to secure retail payment data in
transit. Assess whether any connecting technology service
provider's networks used to transport transactions are transporting
transaction data in the clear (not encrypted) or use weak forms of
5. Assess whether merchants use sufficient encryption for
wireless sales terminal activity transmitting sensitive customer
6. Assess whether customer information being stored is beyond
that required by industry standards.
D. Card Issuance
1. Assess bankcard issuance activities, and review control
procedures. Determine whether management:
2. Assess effectiveness of the dual control procedures for blank
card stock in each of the encoding, embossing, and mailing
3. Assess adequacy of physical access controls for card encoding
areas. Management should allow access to authorized personnel
4. Assess whether inventory controls for plastic card stock make
them physically secure.
5. Assess whether management restricts the use of bankcard
encoding equipment to authorized personnel only.
6. Assess adequacy of procedures for issuing cards from more
than one location (e.g., branches) to ensure there are
accountability and bankcard control procedures at each card-issuing
7. Assess adequacy of institution card-mailing procedures.
Ensure the institution mails the card and associated PIN to
customers in separate envelopes. Also ensure that the return
address does not identify the institution.
8. Assess whether mailing procedures provide for a sufficient
time between the card and PIN mailings.
9. Assess adequacy of returned card procedures. Determine
whether adequate controls are in place to ensure returned cards are
not sent to staff with access to, or responsibility for, issuing
10. Assess whether there is appropriate follow-up to determine
whether the correct customer received the card and PIN.
11. Assess the adequacy of control procedures (e.g., hot
card lists and expiration dates) to limit the period of exposure if
a card is lost, stolen, or purposely misused.
12. Determine whether the institution destroys captured
and spoiled cards under dual control and maintains records of all
13. Assess whether the institution adequately controls
test or demonstration cards.
14. Assess whether management maintains satisfactory
controls over the issuance of replacement or additional cards to
the customer (e.g., temporary access cards issued to the
15. Assess the adequacy of the vendor management program
to determine whether the institution reviews card issuance services
contracted to third parties for compliance with appropriate
bankcard control procedures.
E. Business Continuity Planning
1. Assess the adequacy of the financial institution's business
continuity plans for a partial or complete failure of each retail
payment system. Determine whether the plans include:
F. EFT/POS and Bankcard Accounting and Transaction
1. Assess the adequacy of reconciliation processes for general
ledger accounts related to bankcard and debit card transaction
processing activity. Determine whether:
2. Assess the adequacy of the daily settlement process for
institutions participating in shared EFT/POS networks or gateway
3. Assess the adequacy of transaction reconstruction
procedures. Transaction files should be duplicated or
otherwise retained for a minimum of 60 days, as required by
Regulation E, in order to identify unauthorized transactions.
4. Assess the adequacy of the investigative unit in place to
address customer inquiries and control non-posted items, rejects,
and differences. Management should periodically receive aging
reports that list outstanding items.
5. Assess the adequacy of separation of duties for the bankcard
and EFT/POS account posting process including receipt of
transactions, file updates, adjustments, internal reconcilement,
preparation of general ledger entries, posting to customers'
accounts, investigations, and reconcilement with third-party
service provider network switches and card processors.
6. Assess the effectiveness and accuracy of the adjustment
process (e.g., changes to deposits and reversals) relating to
retail EFT/POS and bankcard transactions processed by staff.
7. For institutions involved in bankcard issuing or acquiring
services, determine whether the institution has established:
G. EFT/POS Operational Controls
1. Assess the effectiveness of personnel responsible for
internal ATM processing. Determine whether there are:
2. Determine whether terminal and operator identification codes
are used for all retail ATM and POS transactions.
3. Assess the adequacy of controls in place to prevent customer
charges from exceeding the available balance in the account or
approved overdraft lines.
4. Assess the adequacy of access controls for terminals used to
change customer credit lines and account information.
5. Determine whether retail EFT equipment keyboards or display
units are properly shielded to avoid disclosure of customer IDs or
6. Determine whether receipt issuance ensures customers receive
a receipt showing the amount, date, time, and location for retail
EFT transactions in compliance with Regulation E.
7. Assess whether each retail EFT transaction is assigned a
sequence number and terminal ID to provide an audit trail.
8. Assess whether the institution regularly updates hot card or
customer suspect lists and distributes them to branch banking
9. Assess the adequacy of verification procedures for
telephone-initiated payments or transfers and ensure confirmations
are promptly sent to customers and merchants.
10. Assess the adequacy of security devices and access
control procedures for EFT/POS, bankcard, and acquiring processing
facilities to ensure appropriate physical and logical access
controls are in place.
H. ACH ODFI and RDFI Responsibilities
1. Determine whether agreements between the ODFI and originators
2. Determine whether the ODFI has established procedures to
monitor the creditworthiness of its originator customers on an
ongoing basis. Determine whether:
3. Determine whether the ODFI has established ACH exposure
limits for originators. Determine whether:
4. Determine whether the ODFI reviews exposure limits
periodically. Determine whether:
5. Determine whether the ODFI has implemented procedures to
monitor ACH entries initiated by an originator relative to its
exposure limit across multiple settlement dates. Determine
6. Assess the RDFI's overdraft and funds availability policies
and practices and determine whether they adequately mitigate its
credit exposures to ACH transactions.
7. Determine the adequacy of the ODFI's practices regarding
originators' annual or more frequent security audits of physical,
logical, and network security. Determine whether:
8. Determine how the ODFI or RDFI manages its relationship with
technology service providers. Determine whether:
9. Determine whether the ODFI allows technology service
providers direct access to an ACH operator. Consider whether
agreements between the ODFI and the service providers include:
10. Determine whether the RDFI has established procedures
to deal with consumers' notifications regarding unauthorized or
improperly originated entries or entries where authorization was
11. Determine whether the RDFI acts promptly on consumers'
12. Determine whether the RDFI has procedures that enable
it to freeze proceeds of ACH transactions in favor of blocked
parties (under OFAC sanctions) for whom the RDFI holds an
13. Determine whether the financial institution considers
the volume of its uncollected ACH transactions as part of its
liquidity risk management practices.
14. Determine whether management and personnel display
adequate knowledge and technical skills in managing and performing
duties related to ACH transactions.
15. Review results from the financial institution's NACHA
rule compliance audit. Determine:
I. ACH Accounting and Transaction
1. Assess the adequacy of logs maintained for ACH payments
received from, and delivered to, each customer.
2. Assess the adequacy of the balancing procedures used for all
ACH payments received and whether they include balancing to the
aggregate payments sent to an ACH operator.
3. Determine whether the institution balances all payments
received from an ACH operator to the aggregate of payments
delivered to customers.
4. Determine whether the institution verifies and authorizes the
source of all ACH files received for processing.
5. Determine whether the institution reconciles all general
ledger accounts related to ACH activities on a timely basis.
6. Determine whether ACH supervisory personnel perform
reconcilement and regularly review exception items.
7. Determine whether the institution reconciles the ACH activity
and pending file totals daily with the ACH operator.
8. Assess the effectiveness of the reconcilement with
third-party service providers preparing ACH transaction files and
ensure daily reconciliation.
9. Assess the effectiveness of ACH holdover transactions and
determine whether the institution adequately controls them.
10. Determine whether accounting staff reconciles
individual outgoing ACH batches before merging them with other ACH
11. Determine whether there are separate accounts to
control holdovers, adjustments, return items, rejects, etc. and
whether they are periodically reconciled.
12. Assess the effectiveness of the investigation unit to
address customer inquiries and control return items,
rejected/unposted items, differences, etc. Determine whether
the unit periodically generates aging reports of outstanding items
13. Assess whether management adequately tracks exceptions
to credit limit policies and legal contracts.
14. Determine whether exception reports (e.g., rejects,
return items, and aging of open items) receive appropriate
15. Assess the adequacy of separation of duties throughout
the ACH process including origination, data entry, adjustments,
internal reconcilement, preparing general ledger entries, posting
to customer accounts, investigations, and reconcilement with ACH
16. Determine whether adjustments (e.g., added payments,
stop payments, reroutes, and reversals) to original ACH
instructions are received in an area that does not have access to
the original data files.
17. Assess whether controls are appropriate for the
adjustment process, including authorization (e.g., signature
verification and callbacks on telephone instructions) and whether
the institution maintains adequate records (e.g., logs and taping
of telephone calls) of individuals making requests.
18. Determine the adequacy of the customer profile
origination and change request process. Consider whether
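Procedures I.2, I.3, I.7 and I.10 all come down to proving that batch and file control totals agree with the entries they claim to summarize. The following is an added worked example of that balancing check, not code from the handbook or from NACHA; the entry layout is a simplified model of an ACH batch (transaction code, receiving DFI routing number, amount), and the control figures are computed the way a NACHA batch control record states them: entry count, entry hash (sum of the first eight digits of each receiving routing number, rightmost ten digits kept), total debits and total credits.

```python
"""Balancing ACH entries to their batch control totals (procedures I.2, I.3, I.10).

Added example. The dataclasses are a simplified model of a batch; the
constructed sample entries and control record below are fictitious.
"""
from dataclasses import dataclass

# Standard entry class transaction codes: 2x = checking, 3x = savings;
# x2/x3/x4 credits (live, prenote, zero-dollar), x7/x8/x9 debits.
CREDIT_CODES = {"22", "23", "24", "32", "33", "34"}
DEBIT_CODES = {"27", "28", "29", "37", "38", "39"}


@dataclass(frozen=True)
class Entry:
    transaction_code: str
    rdfi_routing: str   # 9-digit routing number of the receiving DFI
    amount_cents: int


@dataclass(frozen=True)
class BatchControl:
    entry_count: int
    entry_hash: int
    total_debit_cents: int
    total_credit_cents: int


def compute_control(entries) -> BatchControl:
    """Recompute the control figures from the entry detail records."""
    credits = debits = 0
    for e in entries:
        if e.transaction_code in CREDIT_CODES:
            credits += e.amount_cents
        elif e.transaction_code in DEBIT_CODES:
            debits += e.amount_cents
        else:
            raise ValueError(f"unknown transaction code {e.transaction_code}")
    # Entry hash: sum of the first 8 digits of each receiving routing number,
    # truncated to its rightmost 10 digits.
    entry_hash = sum(int(e.rdfi_routing[:8]) for e in entries) % 10**10
    return BatchControl(len(entries), entry_hash, debits, credits)


def discrepancies(entries, stated: BatchControl) -> dict:
    """Fields where the stated control record disagrees with the entries.

    Returns {field: (stated, computed)}; an empty dict means the batch balances.
    """
    computed = compute_control(entries)
    return {name: (getattr(stated, name), getattr(computed, name))
            for name in ("entry_count", "entry_hash",
                         "total_debit_cents", "total_credit_cents")
            if getattr(stated, name) != getattr(computed, name)}


def out_of_balance_cents(operator_total_cents: int, posted_cents: int,
                         exception_account_cents: int) -> int:
    """I.3: payments received from the operator must equal what was delivered
    to customer accounts plus what sits in the holdover/reject accounts."""
    return operator_total_cents - (posted_cents + exception_account_cents)


# Constructed sample batch (fictitious routing numbers and amounts).
SAMPLE_ENTRIES = [
    Entry("22", "021000021", 150_000),   # checking credit
    Entry("27", "011000015", 42_000),    # checking debit
    Entry("32", "121000248", 7_500),     # savings credit
    Entry("23", "021000021", 0),         # prenote credit, zero dollar
]
# Control record as it would be carried in the file for the batch above.
SAMPLE_CONTROL = BatchControl(entry_count=4, entry_hash=17_400_029,
                              total_debit_cents=42_000, total_credit_cents=157_500)

if __name__ == "__main__":
    print("balanced" if not discrepancies(SAMPLE_ENTRIES, SAMPLE_CONTROL)
          else discrepancies(SAMPLE_ENTRIES, SAMPLE_CONTROL))
```

The check is worth running both before an outgoing batch is merged with others (I.10) and on every file received from the operator (I.7); a mismatched entry hash is the usual sign that an entry was dropped, duplicated or altered between creation and transmission.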
J. ACH Funding and Credit
1. Assess the adequacy of the process for releasing payments to
an ACH operator, and determine whether assurances are obtained that
sufficient collected funds (e.g., on deposit or prefunded) or
credit facilities are available. The institution should
monitor customer intraday and interday positions based on defined
2. For third-party service providers contracted to process
outgoing ACH transactions, determine whether there are procedures
to monitor ACH activity and ensure that funds are collected
(collected balances, prefunding, credit lines) before the
institution settles with the ACH operator.
3. For prefunding arrangements in place for customers without
credit lines, determine whether management blocks funds (held for
disposition) or maintains them in separate accounts until the
4. For non-prefunded arrangements, determine whether the
institution places blocks on outgoing payments to deposit accounts,
applies them as reductions to credit lines, or includes them in the
overall funds transfer monitoring process.
5. Determine whether management approves payments resulting in
extensions of credit lines or drawings against uncollected funds
and retains documentation to support the approvals. Determine
whether the institution performs credit assessments of customers
originating large dollar volumes of ACH credit transactions.
Credit assessments should also be reviewed periodically to evaluate
creditworthiness of the customer and current economic
6. Determine whether management treats ACH debits deposited as
uncollected funds and whether they monitor any draws against these
funds for debits originated by high-risk customers.
7. Determine whether management approves draws against
uncollected ACH deposits and maintains documentation to support
approvals for debits originated by high-risk customers.
8. Determine the adequacy of Internet and telephone ACH
transaction processing procedures and determine whether there are
appropriate authentication controls and procedures to ensure the
proper identities of parties invoking ACH transactions.
9. Assess the adequacy of management's risk assessment of ACH
services in terms of the importance of this function to the overall
corporate treasury services function.
10. Ensure that the financial institution obtains and
analyzes all audits conducted by the ACH service provider, pursuant
to the NACHA rule compliance audit requirement.
K. Web and Telephone-Initiated ACH
1. Determine whether the financial institution has adopted
adequate policies and procedures regarding ACH transactions
involving Internet-initiated (WEB) entries. Determine whether
2. Determine whether the ODFI has implemented
telephone-initiated (TEL) ACH entries. Determine whether:
3. Determine whether the ODFI requires its originator to employ
a commercially reasonable method to authenticate the
consumer/business. Determine whether:
4. Determine whether the ODFI conducts risk assessments of its
originators and whether they reflect a reasonable exercise of
business judgment. Consider whether the risk assessment
includes evaluations of:
L. ACH Contingency Plans
1. Evaluate the adequacy of the ACH contingency plan; determine
whether the financial institution has tested it and whether it
includes provisions for partial or complete failure of the system
or communication lines between the institution, ACH operators,
customers, and associated data centers.
2. Based on the volume and importance of ACH activity, evaluate
whether the plan is reasonable and whether it provides for a
reasonable recovery period.
3. Determine whether the institution duplicates or retains
transaction files for input reconstruction for a minimum of 24
hours. Note that NACHA rules require the retention of all
entries, including return and adjustment entries, transmitted to
and received from the ACH for a period of six years after the date
4. Determine whether data and program files are adequately
secured, retained, and backed up at off-premises facilities,
including secured transport mechanisms for those resources.
5. Determine whether the center has established and tested
procedures to recover and restore data under various contingency
6. Determine whether the frequency and methods of testing
contingency plans are adequate.
M. Check 21
(A more comprehensive set of examination procedures that are
designed to test transactions can be found at the FFIEC Check 21
InfoBase at www.ffiec.gov/exam/check21/default.htm.)
1. Determine whether:
2. If a financial institution has begun to image checks or
retrieve imaged checks pursuant to Check 21, determine whether the
institution has the following:
3. If the financial institution is a reconverting institution
pursuant to Check 21, determine whether it has the following:
4. If the financial institution accepts RCCs from retail
business customers or payment processing customers, assess the
appropriateness of, and adherence to, policies and procedures
regarding customer due diligence, customer contracts, third-party
service provider's due diligence, and activity/transaction
monitoring. Consider the following elements relative to the
institution's retail customers, its payment processing customers,
and any processors' retail customers:
N. Remote Deposit Capture Risk Management
1. Identify the key elements of the RDC environment.
2. Assess the RDC strategic planning and the risk assessment
3. Customer due diligence and suitability.
4. Vendor Management
5. Contracts and Agreements
7. Physical and Logical Access Controls
8. Separation of Duties
9. Oversight and Monitoring
11. Change Management
12. Records Management
Assess the process by which financial institution management
verifies customer compliance with contract requirements related to
the secure retention, storage, and destruction requirements for
physical deposit items and electronic
13. Business Continuity Planning (BCP)
O. Vendor Management
Assess the adequacy of the vendor management program over a
service provider that provides a new and emerging retail payment
technology. (Select one or more projects involving the
development and deployment of a new and emerging retail payment
technology and complete the following procedures.)
1. Review documentation supporting the business case for the
2. Assess the extent to which the institution
3. Evaluate whether the institution's due diligence considers
4. Verify that the contract appropriately addresses:
5. Review service level agreements to ensure they are adequate
and measurable. Determine whether:
6. Evaluate the institution's periodic monitoring of the service
provider relationship(s), including: