The FFIEC IT Examination Handbook (IT
Handbook), "Retail Payment Systems Booklet" (booklet),
provides guidance to examiners, financial institutions, and
technology service providers (TSPs) on
identifying and controlling risks associated with retail payment
systems and related banking activities. (This booklet uses the terms "institution"
and "financial institution" to describe an insured bank, savings
association, and credit union, as well as TSPs providing services
to a financial institution.) This
booklet references specific services and brand names including
those trademarked by their respective companies. These
references are intended solely to provide a retail payment systems
overview and should not be construed as an FFIEC endorsement of any
product or service noted herein.
Financial institutions accept, collect, and process a variety of
payment instruments and participate in clearing and settlement
systems. In some cases, financial institutions perform all of
these tasks. However, independent third parties are
increasingly involved in this process, introducing new risks that
affect the security of financial institutions. Financial
institutions, acting either in consortiums or independently, remain
the core providers to businesses and consumers for most retail
payment instruments and services. Federal
government-affiliated providers and operators, such as the Federal
Reserve Banks (Reserve Banks), also compete with numerous financial
institutions and private sector firms in providing various services
in support of retail payments.
Recently, a number of new payment instruments have emerged that
are largely or wholly electronic. Electronic payment systems
offer efficiency gains by allowing for rapid and convenient
transmission of payment information among system
participants. However, the emergence of a new payment
mechanism can also enable the rapid propagation of fraud, money
laundering, and operational disruption if data is
compromised. Another trend associated with emerging payments
is the increased participation of nonbank third parties in retail
payment systems and a lengthened transaction chain, which may
increase risk in payment processes. Management of retail
payments risk is increasingly difficult and requires diligent
oversight of third-party service providers.
Much of the guidance in this booklet, involving traditional
retail payment systems, has not been revised significantly because
of the maturity of these systems in the product life cycle.
Mature payment systems are better understood, whereas emerging
payment systems require a closer look to better understand the
risks and associated controls. New guidance is offered for
remotely created checks (RCCs), electronically created payment
orders, automated clearing house (ACH) transactions, the Check
Clearing for the 21st Century Act (Check 21),
and Merchant Card Processing due to recent developments in these
areas. Also, this booklet includes a new section that covers
some emerging technologies in retail payment systems.
Additional emphasis is placed on the need for improved operational,
credit, legal, and compliance risk processes for retail payment
products, especially for the deployment of remote and
Internet-based check and ACH capture systems.
Examination guidance for Retail Payment Systems is provided in
three sections, followed by examination procedures, a glossary, and
This booklet includes a number of references to other IT
Handbook booklets, including "Information Security," "Business
Continuity Planning," "Audit," "Outsourcing Technology Services,"
"Electronic Banking," and "Wholesale Payment Systems." Also,
there are references to FFIEC guidance for Bank Secrecy Act
examinations that are relevant to retail payment systems and for
Check 21. In addition to describing the IT risks and
controls, the booklet discusses certain credit and liquidity
risks that may be present when providing retail payment
services. A full review of a particular financial
institution's retail payment system environment will require an
interdisciplinary team of examiners with experience in operational,
credit, liquidity, and compliance risks.
Examiners should use the examination procedures for evaluating
the risks and risk management practices at financial institutions
offering retail payment system products and services. These
procedures address services and products of varied complexity;
therefore, examiners should adjust the procedures, as appropriate,
for the scope of the examination and the risk profile of the
institution. The procedures may be used independently or in
combination with procedures from other IT Handbook
booklets and agency-specific handbooks and guidance documents.