A  B  C  D  E  F  G  H  I  K  L  M  N  O  P  R  S  T  U  V  W  Z  


Acceptable use policyA document that establishes an agreement between users and the enterprise and defines for all parties the ranges of use that are approved before users can gain access to a network or the Internet.
Acceptance CriteriaPre-established standards or requirements a product or project must meet.
AccessThe ability to physically or logically enter or make use of an IT system or area (secured or unsecured). The process of interacting with a system.
Account Balancing Monitoring System (ABMS)The Federal Reserve's computing system providing reserve account information to the Federal Reserve Banks and depository institutions on an intraday basis. ABMS serves both as an informational source and a monitoring tool. This information includes opening balances, funds and securities transfers, accounting activity, and depository institutions cap and collateral limits.
Account-To-Account Payment (A2A)Payment system that allows the consumer to direct transfer of funds from one account to another account at a different financial institution.
Acquirer FeeFee paid to the acquirer of the merchant sales draft. The acquirer of the sales draft collects a merchant discount fee (or processing fee) from the merchant for the costs associated with processing the transaction.
Acquiring Bank and AcquirerSee Merchant acquirer.
Address Verification Service (AVS)Bankcard company service that verifies the customer-provided billing address matches the billing address on their credit card account. The bankcard companies will not support merchants that opt for not using AVS if those transactions are disputed and will charge the merchant an additional 1.25% on those sales.
Administrator privilegesComputer system access to resources that are unavailable to most users. Administrator privileges permit execution of actions that would otherwise be restricted.
Agent BankA member of a bankcard company that agrees to participate in an acquirer's merchant processing program. The agent may be liable for losses incurred on its merchant accounts. An agent is usually a small financial institution that wants to offer merchant processing services as a customer service. Agent banks that only refer merchants to an acquiring financial institution's program are known as referral banks.
Aggregate Short PositionThe sum of a Settlement Member's short positions, each such short position expressed in its base currency equivalent and adjusted by the applicable haircut.
Aggregate Short Position LimitIn respect of a Settlement Member, the maximum aggregate short position that such Settlement Member is permitted to incur at any time.
AgilityIn IT systems, the ability to rapidly incorporate new technologies or changes to technologies allowing an organization to adapt to changing business needs.
Air-gapped environmentSecurity measure that isolates a secure network from unsecure networks physically, electrically, and electromagnetically.
Anomalous activityActivity that deviates from normal. The result of the process of comparing definitions of what activity is considered normal against observed events to identify significant deviations.
Antivirus/anti-malware softwareA program that monitors a computer or network to identify all types of malware and prevent or contain malware incidents.
ApplicationSoftware that performs automated functions for a user. Examples include home banking, word processing and payroll. Distinguished from operating system or utility software.
Application controlsControls related to transactions and data within application systems. Application controls ensure the completeness and accuracy of the records and the validity of the entries made resulting from both programmed processing and manual data entry. Examples of application controls include data input validation, agreement of batch totals and encryption of data transmitted.
Application developmentThe process of designing and building code to create a computer program (software) used for a particular type of job.
Application programming interface (API)A system access point or library function that has a well-defined syntax and is accessible from application programs or user code to provide well-defined functionality.NIST Glossary
Software code that allows two or more programs to communicate with each other.FFIEC Adapted for Supervisory Purposes
Application systemAn integrated set of computer programs designed to serve a well- defined function and having specific input, processing, and output activities (e.g., general ledger, manufacturing resource planning, human resource management).
AssetIn computer security, a major application, general-support system, high-impact program, physical plant, mission-critical system, personnel, equipment, or a logically-related group of systems.
Asynchronous replicationData is first written to the primary storage area (store) and then copied to the secondary storage area (forward) at predefined intervals, which is useful over smaller bandwidth connections and longer distances where latency could occur.FFIEC Developed for Supervisory Purposes
Asynchronous transfer modeThe method of transmitting bits of data one after another with a start bit and a stop bit to mark the beginning and end of each data unit. Can also mean automated teller machine.
Attack signatureA specific sequence of events indicative of an unauthorized access attempt.
Audit charterA document approved by the board of directors that defines the IT audit function's responsibility, authority to review records, and accountability.
Audit planA description and schedule of audits to be performed in a certain period of time (ordinarily a year). It includes the areas to be audited, the type of work planned, the high-level objectives and scope of the work and includes other items such as budget, resource allocation, schedule dates, and type of report issued.
Audit programThe audit policies, procedures, and strategies that govern the audit function, including IT audit.
AuthenticationThe process of verifying the identity of an individual user, machine, software component, or any other entity.
Authorization (ACH)A written or oral agreement between the originator and a receiver that allows payments processed through the ACH network to be deposited in, or withdrawn from, the receiver's account at a financial institution.
Automated Clearing House (ACH)An electronic clearing system in which a data processing center handles payment orders that are exchanged among financial institutions, primarily via telecommunications networks. ACH systems process large volumes of individual payments electronically. Typical ACH payments include salaries, consumer and corporate bill payments, interest and dividend payments, and Social Security payments.
Automated Clearing House (ACH) OperatorA central clearing facility that depository financial institutions use to transmit and receive ACH entries. ACH operators are typically a Federal Reserve Bank or a private-sector organization that operates on behalf of a depository financial institution.
Automated ControlsSoftware routines designed into programs to ensure the validity, accuracy, completeness, and availability of input, processed, and stored data.
Automated Teller Machine (ATM)An electronic funds transfer (EFT) terminal that allows customers using a PIN-based debit (ATM) card to initiate transactions (e.g., deposits, withdrawals, account balance inquiries).
AvailabilityWhether or how often a system is available for use by its intended users. Because downtime is usually costly, availability is an integral component of security.


Back Office Conversion (BOC)Under NACHA rules, BOC allows retailers and billers that accept checks at the point-of-sale or at manned bill payment locations to convert eligible checks to ACH debits in the back-office.
BandwidthTerminology used to indicate the transmission or processing capacity of a system or of a specific location in a system (usually a network system) for information (text, images, video, sound). Bandwidth is usually defined in bits per second (bps) but also is usually described as either large or small. Where a full page of English text is about 16,000 bits, a fast modem can move approx. 15,000 bps. Full-motion, full-screen video requires about 10,000,000 bps, depending on compression.
Bank Identification Number/Interbank Card Company (BIN/ICA)A series of assigned numbers used to identify the settling financial institution for both acquiring and issuing bankcard transactions.
Bank Secrecy ActThe Currency and Foreign Transactions Reporting Act, also known as the Bank Secrecy Act (BSA), and its implementing regulation, 31 CFR 103, is a tool the U.S. government uses to fight drug trafficking, money laundering, and other crimes. Congress enacted the BSA to prevent banks and other financial service providers from being used as intermediaries for, or to hide the transfer or deposit of money derived from, criminal activity.
BankcardA general-purpose credit card, issued by a financial institution under agreement with the bankcard associations (Visa and MasterCard), which customers can use to purchase goods and services and to obtain cash against a line of credit established by the bankcard issuer.
Bankcard CompaniesVisa and MasterCard International, Inc. are bankcard companies established as bank service companies. Financial institutions must be members of a bankcard company in order to offer their credit card services. The companies have established membership rights and obligations, and membership is limited to financial institutions.
BaselineA documented version of a hardware component, software program, configuration, standard, procedure, or project management plan. Baseline versions are placed under formal change controls and should not be modified unless the changes are approved and documented.
Baseline configurationA set of specifications for a system, or configuration item (CI) within a system, that has been formally reviewed and agreed on at a given point in time and that can be changed only through change control procedures. The baseline configuration is used as a basis for future builds, releases, or changes.
Batch ProcessingThe transmission or processing of a group of related payment instructions.
BenchmarkA standard, or point of reference, against which things may be compared or assessed.
Bilateral Key SecurityA multi-level data encryption system, based on the exchange of Bilateral Keys, allowing users of SWIFT to create, send, and receive SWIFT messages. Bilateral Keys are unique authenticator keys possessed by only the two parties (either the provider or recipient of a message) involved and provide confirmation in both directions of the legitimacy of a message sent via SWIFT.
Bits per second (BPS)A measurement of how fast data moves from one place to another. A 28.8 modem can move 28,800 bits per second.
Black holingA method typically used by ISPs to stop a DDoS attack on one of its customers. This approach to block DDoS attacks makes the site in question completely inaccessible to all traffic, both malicious attack traffic and legitimate user traffic.
Border routerA device located at the organization's boundary to an external network.
Buffer overflowA condition at an interface under which more input can be placed into a buffer or data-holding area than the capacity allocated, overwriting other information. Attackers exploit such a condition to crash a system or to insert specially-crafted code that allows them to gain control of a system.
Business continuityThe capability of the organization to continue delivery of products or services at acceptable predefined levels following a disruption.ISO 22300:2018(en)
Business continuity management (BCM)The process for management to oversee and implement resilience, continuity, and response capabilities to safeguard employees, customers, and products and services.FFIEC Developed for Supervisory Purposes
Business continuity plan (BCP)The documentation of a predetermined set of instructions or procedures that describe how an organization’s mission/business processes will be sustained during and after a significant disruption.NIST Glossary
A comprehensive written plan(s) to maintain or resume business in the event of a disruption.FFIEC Adapted for Supervisory Purposes
Business impact analysis (BIA)An analysis of an information system’s requirements, functions, and interdependencies used to characterize system contingency requirements and priorities in the event of a significant disruption.NIST Glossary
Management’s analysis of an entity’s requirements, functions, and interdependencies used to characterize contingency needs and priorities in the event of a disruption.FFIEC Adapted for Supervisory Purposes


Card IssuerA financial institution that issues general-purpose credit cards carrying one of the two bankcard company logos. The issuing financial institution establishes the credit relationship with the consumer.
Card Verification Code (CVC2)Numeric security code printed on the back of MasterCard credit cards. CVC2 reduces credit card fraud and chargeback instances significantly when used in conjunction with AVS. (See Address verification service).
Card Verification Value (CVV2)Three-digit security number that is printed on the back of most Visa credit cards. CVV2 reduces credit card fraud and chargeback instances significantly when used in conjunction with AVS.
Cash LetterA group of checks accompanied by a paper listing sent to a clearinghouse, a Federal Reserve Bank, or another institution. A cash letter contains a number of negotiable items, mostly checks, accompanied by a letter that lists the amounts and instructions for transmittal to another bank. May also be called a transmittal letter. An incoming cash letter is one that is received by an institution from a clearinghouse, a Federal Reserve Bank, or another institution and contains checks written on accounts at the institution that were cashed elsewhere. An outgoing cash letter is one that is being sent to a clearinghouse, a Federal Reserve Bank, or another institution and contains checks deposited at the institution, which are written on accounts at other institutions.
Change managementThe broad processes for managing organizational change. Change management encompasses planning, oversight or governance, project management, testing, and implementation.
ChargebackA transaction generated when a cardholder disputes a transaction or when the merchant does not follow bankcard company procedures. The issuer and acquirer research the facts to determine which party is responsible for the transaction. If the merchant is unable to pay, the acquirer will have to cover the chargeback.
CheckA written order from one party (payer) to another (payee) requiring the payer's financial institution to pay a specified sum on demand to the payee or to a third party specified by the payee
Check 21 ActFormally known as the Check Clearing for the 21st Century Act. Creates a new document, the IRD (image replacement document or substitute check) that is the legal equivalent of the original check and should be accepted as such. The act does not require institutions to accept electronic images instead of checks or IRDs, but does require the acceptance of IRDs instead of paper checks. The exchange of electronic images is optional and will be done by agreements between individual institutions, groups of institutions, or clearinghouses.
Check ClearingThe movement of a check from the depository institution where it was deposited to the institution on which it was written. The funds move in the opposite direction, with a corresponding credit and debit to the involved accounts.
Check ImageElectronic or digital image of an original check that is created by a depositor, a bank or other participant in the check collection process. Check images can be exchanged electronically by financial institutions, printed for customer statement purposes, displayed on Internet banking websites, and used to create substitute checks.
Check TruncationThe practice of holding a check at the institution where it was deposited (or at an intermediary institution) and electronically forwarding the essential information on the check to the institution on which it was written. A truncated check is not returned to the writer.
ChecksumA mathematical value that is assigned to a file and used to “test” the file at a later date to verify that the data contained in the file has not been maliciously or erroneously changed.
ClassificationCategorization (e.g., "confidential," "sensitive," or "public") of the information processed by the service provider on behalf of the receiver company.
ClearanceThe process of transmitting, reconciling, and in some cases, confirming payment orders or financial instrument transfer instructions prior to settlement.
Clearing CorporationAlso known as a clearing house or clearing house association. A central processing mechanism whereby members agree to net, clear, and settle transactions involving financial instruments. Clearing corporations fulfill one or all of the following functions: Net many trades so that the number and the amount of payments that have to be made are minimized, determine money obligations among traders, and guarantee that trades will go through by legally assuming the risk of payments not made or securities not delivered. The latter function is implied when it is stated that the clearing corporation becomes the "counterpart" to all trades entered into its system.
Clearing House AssociationsVoluntary associations, formed by financial institutions that establish an exchange for checks drawn on them. Typically, institutions participating in check clearing houses use the Federal Reserve's National Settlement Service for the checks exchanged each business day.
Clearing House Interbank Payment Systems (CHIPS)A "real time," multilateral, final payments system for large dollar value, business-to-business payment transactions between domestic or foreign institutions that have offices located in the United States. CHIPS is run by CHIP Co. LLC, a subsidiary of The Clearing House Payments Company, LLC.
Cloud computingGenerally a migration from owned resources to shared resources in which client users receive information technology services on demand from third-party service providers via the Internet "cloud." In cloud environments, a client or customer relocates its resources — such as data, applications, and services — to computing facilities outside the corporate firewall, which the end user then accesses via the Internet.
Cloud storageA model of data storage in which the digital data is stored in logical pools, the physical storage spans multiple servers (and often locations), and the physical environment is typically owned and managed by a hosting company.
ClusteringConnecting two or more computers together in such a way that enables them to act as a single computer. Clustering is used for parallel processing, load balancing, and fault tolerance.
CodeSoftware program instructions.
Cold siteA backup facility that has the necessary electrical and physical components of a computer facility, but does not have the computer equipment in place. The site is ready to receive the necessary replacement computer equipment in the event that the user has to move from their main computing location to an alternate site.NIST Glossary
Commercial off-the-shelf (COTS)COTS products include software and hardware products that are ready-made and available for sale to the general public. COTS products are typically installed in existing systems and do not require customization. Also known as "shrink-wrap" applications.
Commercially ReasonablePractices and procedures in widespread use in the business community generally considered to represent prudent and reasonable business methods.
Compensating controlA management, operational, and/or technical control (e.g., safeguard or countermeasure) employed by an organization in lieu of a recommended security control in the low, moderate, or high baselines that provides equivalent or comparable protection for an information system.
Computer securityTechnological and managerial procedures applied to computer systems to ensure the availability, integrity, and confidentiality of information managed by the computer system.
ConfidentialityAssuring information will be kept secret, with access limited to appropriate persons.
Configuration managementThe management of security features and assurances through control of changes made to a system's hardware, software, firmware, documentation, testing, test fixtures, and test documentation throughout the development and operational life of the system.
ConsumerUsually refers to an individual engaged in non-commercial transactions.
Consumer AccountA deposit account held by a participating depository financial institution and established by a natural person primarily for personal, family, or household use and not for commercial purposes.
Consumer informationFor purposes of the Information Security Standards, “consumer information” means any record about an individual, whether in paper, electronic, or other form, that is a consumer report or is derived from a consumer report that is maintained by or on behalf of a financial institution for a business purpose, such as information that an institution obtains about a loan applicant or a prospective employee from a consumer report.
Contingency planA plan that is maintained for disaster response, backup operations, and post-disaster recovery to ensure the availability of critical resources and to facilitate the continuity of operations in an emergency situation.NIST Glossary
ControlThe means of managing risk, including policies, procedures, guidelines, practices, or organizational structures, which can be of an administrative, technical, management, or legal nature.
Control requirementsProcess used to document and/or track internal processes to determine that those established procedures and/or physical security policies are being followed.
Control self-assessmentA technique used to internally assess the effectiveness of risk management and control processes.
Conversion planA plan that details transition planning and implementation issues in the period between the execution of an outsourcing agreement and the full production use of the outsourced services.
Corrective controlA mitigating technique designed to lessen the impact to the institution when adverse events occur.
Correspondent BankAn institution, acting on behalf of other institutions, that can settle the checks they collect for other institutions (respondents) by using accounts on their books or by sending a wire funds transfers. Generally, a provider of banking and payment services to other financial institutions.
Courtesy amount recognition (CAR)The numeric amount of a check.
Credit CardA card indicating the holder has been granted a line of credit. It enables the holder to make purchases or withdraw cash up to a prearranged ceiling. The credit granted can be settled in full by the end of a specified period or can be settled in part, with the balance taken as extended credit. Interest is charged based on the terms of the credit card agreement and the holder is sometimes charged an annual fee.
Credit EntryAn entry to the record of an account that represents the transfer or placement of funds into the account.
CrisisAbnormal and unstable situation that threatens the organization’s strategic objectives, reputation or viability.Business Continuity Institute Disaster Recovery Journal Glossary
Crisis managementThe process of managing an entity’s preparedness, mitigation response, continuity, or recovery in the event of an unexpected significant disruption, incident, or emergency.FFIEC Developed for Supervisory Purposes
Critical financial marketsFinancial markets whose operations are critical to the economy. Critical financial markets provide the means for financial institutions to adjust their cash and securities positions and those of their customers in order to manage liquidity, market, and other risks to their organizations. Critical financial markets also provide support for the provision of a wide range of financial services to businesses and consumers in the United States and support the implementation of monetary policy. Examples of critical financial markets include federal funds, foreign exchange, and commercial paper; U.S. government and agency securities; and corporate debt and equity securities.FFIEC Developed for Supervisory Purposes
Critical system (infrastructure)The systems and assets, whether physical or virtual, that are so vital that the incapacity or destruction of such may have a debilitating impact.
Currency BalanceAs at the time calculated, the current amount (positive or negative) of a particular eligible currency included in an account, as indicated on the books and records of CLS Bank. A currency balance is not a separate account.
CustomerFor purposes of the Information Security Standards, “customer” means a consumer with whom a financial institution has a continuing relationship under which the institution provides one or more financial products or services to the consumer that are to be used primarily for personal, family, or household purposes. In the case of a credit union, a customer relationship will exist between a credit union and certain consumers that are not the credit union’s members.
Customer informationA term used in the Information Security Standards to mean any record containing non-public personal information about a customer, whether in paper, electronic, or other form, that is maintained by or on behalf of a financial institution.
Customer information systemsFor purposes of the Information Security Standards, “customer information systems” means any methods used to access, collect, store, use, transmit, protect, or dispose of customer information.
Cyber attackAn attempt to damage, disrupt, or gain unauthorized access to a computer, computer system, or electronic communications network. An attack, via cyberspace, targeting an institution for the purpose of disrupting, disabling, destroying, or maliciously controlling a computing environment/infrastructure; or destroying the integrity of the data or stealing controlled information.
Cyber eventA cybersecurity change or occurrence that may have an impact on organizational operations (including mission, capabilities, or reputation).
Cyber incidentActions taken through the use of computer networks that result in an actual or potentially-adverse effect on an information system or the information residing therein.
Cyber resilienceThe ability of a system or domain to withstand cyber attacks or failures and, in such events, to reestablish itself quickly.
Cyber threatAn internal or external circumstance, event, action, occurrence, or person with the potential to exploit technology-based vulnerabilities and to adversely impact (create adverse consequences for) organizational operations, organizational assets (including information and information systems), individuals, other organizations, or society.
CybersecurityThe process of protecting consumer and bank information by preventing, detecting, and responding to attacks.


DataA representation of information as stored or transmitted.NIST Glossary
A physical or digital representation of information processed, stored (at rest), or transmitted (in transit).FFIEC Adapted for Supervisory Purposes
Data centerA facility that houses virtual and/or physical information technology infrastructure(s) (e.g., computer, server, and networking systems and components) designed to store, process, and serve large amounts of data in support of an entity’s strategic and business objectives. A data center may be a dedicated facility or an area or room, that contains computer, server and networking systems and components, and may be private or shared (e.g., a co-location facility).FFIEC Developed for Supervisory Purposes
Data classification programA program that categorizes data to convey required safeguards for information confidentiality, integrity, and availability; establishes controls required based on value and level of sensitivity.
Data corruptionErrors in computer data that occur during writing, reading, storage, transmission, or processing, which introduce unintended changes to the original data.
Data integrityThe property that data has not been destroyed or corrupted in an unauthorized manner; Maintaining and assuring the accuracy and consistency of data over its entire life-cycle.
Data loss prevention (DLP) programA comprehensive approach (covering people, processes, and systems) of implementing policies and controls designed specifically to discover, monitor, and protect confidential data wherever it is stored, used, or in transit over the network and at the perimeter.
Data miningThe process or techniques used to analyze large sets of existing information to discover previously unrevealed patterns or correlations.
Data mirroringThe act of copying data from a database at a primary location to a database at a secondary location in or near real time.FFIEC Developed for Supervisory Purposes
Data replicationThe process of copying data, usually with the objective of maintaining identical sets of data in separate locations.FFIEC Developed for Supervisory Purposes
Data synchronizationThe simultaneous comparison and reconciliation of interdependent data files, to ensure that the files contain the same information.FFIEC Developed for Supervisory Purposes
DatabaseA repository of information or data, which may or may not be a traditional relational database system.NIST Glossary
A repository of information or data organized to be accessed, managed, and updated.FFIEC Adapted for Supervisory Purposes
Daylight overdraftA daylight overdraft occurs at any point in the business day when the balance in an institution's account becomes negative. Daylight overdrafts can occur in accounts at Federal Reserve Banks as well as at private financial institutions. Daylight credit can also arise in the form of net debit positions of participants in private payment systems. A daylight overdraft occurs at a Federal Reserve Bank when there are insufficient funds in an institution's Federal Reserve Bank account to cover outgoing funds transfers or incoming book-entry securities transfers. An overdraft can also be the result of other payment activity processed by the Federal Reserve Bank, such as check or automated clearinghouse transactions.
Debit cardA payment card issued as either a PIN-based debit (ATM) card or as a signature-based debit card from one of the bankcard associations. A payment card issued to a person for purchasing goods and services through an electronic transfer of funds from a demand deposit account rather than using cash, checks, or drafts at the point-of-sale.
Debit entryAn entry to the record of an account to represent the transfer or removal of funds from the account.
Deep packet inspectionThe capability to analyze network traffic to compare vendor-developed profiles of benign protocol activity against observed events to identify deviations.
Defense-in-depthInformation security strategy integrating people, technology, and operations capabilities to establish variable barriers across multiple layers and dimensions of the organization.
Deferred net settlementSee "National Settlement Service".
DeliverableA project goal or expectation. Deliverables include broadly-defined, project or phase requirements and specifically-defined tasks within project phases.
Demilitarized zone (DMZ)A computer or small subnetwork that sits between a trusted internal network, such as a corporate private LAN, and an untrusted external network, such as the public Internet.
DepositoryAn institution that holds funds or marketable securities for safekeeping. Depositories may be privately or publicly operated and allow securities transfers through book-entry and offer funds accounts permitting funds transfers as a means of payment.
Depository bankThe institution at which a check is first deposited. While this term is often used interchangeably with "depository," "depositary" is a term of art in laws and regulations related to check processing.
Depository bank (Check 21)Also known as Bank of First Deposit (BOFD). The first bank to which a check is transferred even though it is also the paying bank or the payee. A check deposited in an account is deemed to be transferred to the financial institution holding the account into which the check is deposited, even though the check is physically received and endorsed first by another financial institution.
Detection deviceA device designed to recognize an event and alert management when events occur.
Detective controlA mitigating technique designed to recognize an event and alert management when events occur.
DeviceA generic term for any machine or component that attaches to a computer or connects to a network.
Dictionary attackDiscovery of authenticators by encrypting likely authenticators and comparing the actual encrypted authenticator with the newly encrypted possible authenticators.
Digital certificateThe electronic equivalent of an ID card that authenticates the originator of a digital signature.
Digital subscriber line (DSL)A technology that uses existing copper telephone lines and advanced modulation schemes to provide high-speed telecommunications to businesses and homes.
Direct access storage device (DASD)A magnetic disk storage device historically used in mainframe environments. DASD may also include hard drives used in personal computers.
Direct data feedA process used by information aggregators to gather information directly from a website operator rather than copying it from a displayed webpage.
Direct debitElectronic transfer, usually through ACH, out of an individual's checking (or savings) account to pay bills, such as mortgage payments, insurance premiums, and utility payments. Also referred to as "direct payment."
Direct depositElectronic deposits or credit, usually through ACH, to an individual's deposit account. Common uses of direct deposit include payroll payments, Social Security benefits, and income from investments such as CDs, annuities, and mutual funds.
Direct presentmentDepositary banks can present checks directly to the paying institution. The paying institution may be the depositary bank (no settlement is needed), or, if not, may settle on the books of the Federal Reserve, using the Federal Reserve's national settlement service.
DisasterSituation where widespread human, material, economic, or environmental losses have occurred, which exceeded the ability of the affected organization, community, or society to respond and recover using its own resources.ISO 22300:2018(en)
Disaster recoveryThe process, policies, and procedures related to preparing for recovery or continuation of technology infrastructure, systems, and applications, which are vital to an organization after a disaster or outage. Disaster recovery focuses on the information or technology systems that support business functions, as opposed to business continuity, which involves planning for keeping all aspects of a business functioning in the midst of disruptive events. Disaster recovery is a subset of business continuity.Business Continuity Institute Disaster Recovery Journal Glossary
DisruptionAn unplanned event that causes the general system or major application to be inoperable for an unacceptable length of time (e.g., minor or extended power outage, extended unavailable network, or equipment or facility damage or destruction).NIST Glossary
An anticipated or unplanned event that causes operations to degrade or fail for an unacceptable length of timeFFIEC Adapted for Supervisory Purposes
Distributed denial of service (DDoS)A type of attack that makes a computer resource or resources unavailable to its intended users. Although the means to carry out, motives for, and targets of a DDoS attack may vary, it generally consists of the concerted efforts of a group that intends to affect an institution's reputation by preventing an Internet site, service, or application from functioning efficiently.
Distributed environmentA computer system with data and program components physically distributed across more than one computer.
Domain Name System security extensions (DNSSEC)A technology that was developed to, among other things, protect against such attacks by digitally 'signing' data so you can be assured it is valid.
Due diligence for service provider selectionTechnical, functional, and financial review to verify a third-party service provider's ability to deliver the requirements specified in its proposal. The intent is to verify that the service provider has a well-developed plan and adequate resources and experience to ensure acceptable service, controls, systems backup, availability, and continuity of service to its clients.


E-BankingThe remote delivery of new and traditional banking products and services through electronic delivery channels.
Electronic Benefits Transfer (EBT)A type of EFT system involving the transfer of public entitlement payments, such as welfare or food stamps, through direct deposit or point-of-sale technology (see POS). The recipient can be given an identification card, similar to a benefit card, and a PIN allowing access to the benefits through an electronic network.
Electronic bill presentment and payment (EBPP)An electronic alternative to traditional bill payment, allowing a merchant or utility to present its customers with an electronic bill and the payer to pay the bill electronically. EBPP systems usually fall within two models: direct and consolidation-aggregation. In the direct model, the merchant or utility generates an electronic version of the consumer's billing information, and notifies the consumer of a pending bill, generally via e-mail. The consumer can initiate payment of the electronically presented bill using a variety of payment mechanisms, typically a credit card. In the consolidation-aggregation model, the consumer's bills are consolidated by a consolidator acting on behalf of merchants and utilities (or aggregated on behalf of the consumer), combining data from multiple bills and presenting a single source for the consumer to initiate payment. Some consolidators present bills at their own web sites, typically most support the aggregation of bills by consumer service providers such an Internet portals, financial institutions, and brokerage web sites.
Electronic check conversionThe process by which a check is used as a source of information for the check number, the customer's account number, and the number that identifies the financial institution. The information is used to make a one-time electronic payment from the customer's account -- an electronic fund transfer. The check itself is not the method of payment.
Electronic check presentment (ECP)Check truncation methodology in which the paper check's MICR line information is captured and stored electronically for presentment. The physical checks may or may not be presented after the electronic files are delivered, depending on the type of ECP service that is used.
Electronic commerce (E-Commerce)A broad term encompassing the remote procurement and payment by businesses or consumers of goods and services through electronic systems such as the Internet.
Electronic data capture (EDC)Process used for capturing and transferring the encoded information on the magnetic strip from a bankcard or debit card at the point-of-sale to the processor's database.
Electronic funds transfer (EFT)A generic term describing any transfer of funds between parties or depository institutions through electronic data systems.
Electronic Funds Transfer Act (EFTA)The Electronic Funds Transfer Act and Regulation E are designed to ensure adequate disclosure of basic terms, costs, and rights relating to electronic fund transfer (EFT) services provided to consumers. Institutions offering EFT services must disclose to consumers certain information, including: initial and updated EFT terms, transaction information, periodic statements of activity, the consumer's potential liability for unauthorized transfers, and error resolution rights and procedures. EFT services include automated teller machines, telephone bill payment, point-of-sale transfers in retail stores, fund transfers initiated through the Internet, and pre-authorized transfers to or from a consumer's account.
Electronically-created payment ordersThese are payment orders received by merchants from consumers, typically by telephone or the Internet. These payment orders are processed through the check processing system although they were not initiated as paper checks. These payment orders are not subject to check law and are not warranted by the Federal Reserve Banks.
E-mail serverA computer that manages e-mail traffic.
Emergency managementSee crisis management.
Emergency responseActions taken in response to a disaster warning or alert to minimize or contain the eventual negative effects, and those taken to save and preserve lives and provide basic services in the immediate aftermath of a disaster impact, for as long as an emergency situation prevails.Business Continuity Institute Disaster Recovery Journal Glossary
EncryptionA data security technique used to protect information from unauthorized inspection or alteration. Information is encoded so that data appears as a meaningless string of letters and symbols during delivery or transmission. Upon receipt, the information is decoded using an encryption key.
End userAn individual who will utilize a product or program.
End-of-lifeAll software products have life cycles. End-of-life refers to the date when a software development company no longer provides automatic fixes, updates, or online technical assistance for the product.
End-point securityRefers to a methodology of protecting the corporate network when accessed with remote devices, such as laptops, or other wireless and mobile devices. Each device with a remote connection to the network creates a potential entry (or exit) point for security threats.
End-to-end process flowDocument that details the flow of the processes, considering automated and manual control points, hardware, databases, network protocols, and real-time versus periodic processing characteristics.
Enterprise architectureThe overall design and high-level plan that describes an institution's operational framework and includes the institution's mission, stakeholders, business and customers, work flow and processes, data processing, access, security, and availability.
Enterprise-wideAcross an entire organization, rather than a single business department or function.
EventOccurrence or change of a particular set of circumstances.NIST Glossary
An occurrence or change in circumstances that may affect operations. An event can be physical, cyber, or a combination of bothFFIEC Developed for Supervisory Purposes
ExerciseA simulation of an emergency designed to validate the viability of one or more aspects of an IT plan.NIST Glossary
A task or activity done to practice or test a procedure. There are many different types of exercises, depending on the intended goals and objectives. An exercise may involve performing duties in a simulated environment and can be discussion-based or simulation-based. FFIEC Adapted for Supervisory Purposes
Expedited Funds Availability Act (EFAA)See Regulation CC.
ExploitA technique or code that uses a vulnerability to provide system access to the attacker. An exploit is an intentional attack to impact an operating system or application program.
ExposureThe potential loss to an area due to the occurrence of an adverse event.
Exposure limitIn reference to the settlement of operating services, this is the maximum amount an ACH originator is allowed to originate. This amount can be based on the originator's credit rating, historical or predicted funding requirements, and the type of obligation.
Extensible Markup Language (XML)XML (Extensible Markup Language) is a "metalanguage", a language for describing other languages – which lets you design your own customized markup languages for different types of documents. It is designed to improve the functionality of the Web by providing more flexible and adaptable information identification.
External connectionsAn information system or component of an information system that is outside of the authorization boundary established by the organization and for which the organization typically has no direct control over the application of required security controls or the assessment of security control effectiveness.


FailoverThe capability to switch over automatically (typically without human intervention or warning) to a redundant or standby information system upon the failure or abnormal termination of the previously active system. NIST Glossary
Federal Reserve BanksThe Federal Reserve Banks provide a variety of financial services including retail and wholesale payments. The Federal Reserve Bank operates a nationwide system for clearing and settling checks drawn on depository institutions located in all regions of the United States.
FedwireThe Federal Reserve Bank's nationwide real time gross settlement electronic funds and securities transfer network. Fedwire® is a credit transfer system. Each funds transfer is settled individually against an institution's reserve or clearing account on the books of the Federal Reserve. The transaction is considered an irrevocable payment as it is processed.
Fedwire Funds ServiceThe Federal Reserve Banks' high-speed electronic funds transfer system. As a real-time gross settlement system, the Fedwire® Funds Service processes and settles individual payments between participants immediately in central bank money. Once processed, these payments are final.
Fedwire Securities ServiceThe Federal Reserve Banks' high-speed electronic payments system for maintaining securities accounts and for effecting securities transfers. The Fedwire® Securities Service provides a real-time, delivery-versus-payment (DVP), gross settlement system that allows for the immediate, simultaneous transfer of securities against payment. Once processed, securities transfers are final.
Fibre channelA high performance serial link supporting its own, as well as higher-level protocols such as the small computer system interface, high performance parallel interface framing protocol and intelligent peripheral interface. The Fibre Channel standard addresses the need for very fast transfers of large amounts of information. The fast (up to 1 Giga byte per second) technology can be converted for LAN technology by adding a switch specified in the Fibre Channel standard that handles multipoint addressing. Fibre Channel gives users one port that supports both channel and network interfaces, unburdening the computers from large number of input and output (I/O) ports. Fibre Channel provides control and complete error checking over the link.
File transfer protocol (FTP)A standard high-level protocol for transferring files from one computer to another, usually implemented as an application level program.
FIN (Financial Application)The SWIFT application within which all SWIFT user-to-user messages are input and output.
FinalityIrrevocable and unconditional transfer of payment during settlement.
Financial EDI (FEDI)Financial electronic data interchange. An instrument for settling invoices by initiating payments, processing remittance data and automating reconciliation, through the exchange of electronic messages.
Financial Services Information Sharing and Analysis Center (FS-ISAC)A nonprofit, information-sharing forum established by financial services industry participants to facilitate the public and private sectors' sharing of physical and cybersecurity threat and vulnerability information.
FirewallA hardware or software link in a network that relays only data packets clearly intended and authorized to reach the other side.
FloatFunds held by an institution during the check-clearing process before being made available to a depositor. Interest may be earned on these funds.
FlowchartsTraditional flowcharts involve the use of geometric symbols, such as diamonds, ovals, and rectangles to represent the sequencing of program logic. Software packages are available that automatically chart programs or enable a programmer to chart a program without the need to draw it manually.
Frame relayA high-performance wide area network protocol that operates at the physical and data link layers of the Open Systems Interconnect (OSI) reference model. Frame Relay is an example of a packet-switched technology. Packet-switched networks enable end stations to dynamically share the network medium and the available bandwidth. Frame relay uses existing T-1 and T-3 lines and provides connection speeds from 56 Kbps to T-1.
FramingA frame is an area of a webpage that scrolls independently of the rest of the webpage. Framing generally refers to the use of a standard frame containing information (like company name and navigation bars) that remains on the screen while the user moves around the text in another frame.
Full duplexA communications channel that carries data in both directions.
Full-scale exerciseA simulation involving a full use of available resources (e.g., hardware, software, personnel, communications, utilities, and processing from an alternate site) at the same time. FFIEC Developed for Supervisory Purposes
Functional requirementsThe business, operational, and security features an organization wants included in a program.
Functionality testingTesting that verifies that an implementation of some function operates correctly.NIST Glossary


Gateway serverA computer (server) that connects a private network to the private network of a servicer or other business.
General controlsControls, other than application controls, that relate to the environment within which application systems are developed, maintained, and operated, and that are therefore applicable to all the applications at an institution. The objectives of general controls are to ensure the proper development and implementation of systems, and the integrity of program and data files and of computer operations. Like application controls, general controls may be either manual or programmed. Examples of general controls include the development and implementation of an IT strategy and an IT security policy, the organization of IT staff to separate conflicting duties and planning for disaster prevention and recovery.
GovernanceIn computer security, governance means setting clear expectations for the conduct (behaviors and actions) of the entity being governed and directing, controlling, and strongly influencing the entity to achieve these expectations. Governance includes specifying a framework for decision making, with assigned decision rights and accountability, intended to consistently produce desired behaviors and actions.
Gramm-Leach-Bliley Act (GLBA)The act, also known as the Financial Services Modernization Act of 1999, (Pub.L. 106-102, 113 Stat. 1338, enacted November 12, 1999), required the federal banking agencies to establish information security standards for financial institutions.


HackerAn individual who attempts to break into a computer without authorization.
HaircutWith respect of an eligible currency, the percentage increase of a negative currency balance or reduction of a positive currency balance and is based on (a) the volatility of the historic foreign exchange movements in the applicable eligible currency determined by CLS Bank and (b) an add-on component.
HardeningThe process of securing a computer's administrative functions or inactivating those features not needed for the computer's intended business purpose.
HardwareThe physical elements of a computer system; the computer equipment as opposed to the programs or information stored in a machine.
HashA fixed length cryptographic output of variables, such as a message, being operated on by a formula or cryptographic algorithm.
Hash TotalsA numerical summation of one or more corresponding fields of a file that would not ordinarily be summed. Typically used to detect when changes in electronic information have occurred.
High availabilityA failover feature to ensure availability during device or component interruptions.NIST Glossary
Ability of a system to be continuously operational for a desirably long length of time and to maintain a minimum amount of downtime during device or component interruptions. Availability can be measured relative to "100% uptime" or "never failing."FFIEC Adapted for Supervisory Purposes
HijackingThe use of an authenticated user's communication session to communicate with system components.
Homing beaconsDevices that send messages to the institution when they connect to a network and that enable recovery of the device.
HopEach step of a trip a data packet takes from its origination to its destination. For example, on the Internet a data packet may go through several routers before reaching its final destination.
HostA computer that is accessed by a user from a remote location.
Host bus adapter (HBA)A host bus adapter provides I/O processing and physical connectivity between a server and storage. As the only part of a storage area network that resides in a server, HBAs also provide a critical link between the storage area network and the operating system and application software.
HostingSee "Website Hosting".
Hot siteA fully operational off-site data processing facility equipped with hardware and software, to be used in the event of an information system disruption.NIST Glossary
HubSimple devices that pass all data traffic in both directions between the LAN sections they link. Hubs forward every message they receive to the other sections of the LAN, even those that do not need to go there.
HVACHeating, ventilation, and air conditioning.
HyperlinkAn item on a webpage that, when selected, transfers the user directly to another location in a hypertext document or to another webpage, perhaps on a different machine. Also simply called a "link."
Hypertext Markup Language (HTML)A set of codes that can be inserted into text files to indicate special typefaces, inserted images, and links to other hypertext documents.
HypervisorA piece of software that provides abstraction of all physical resources (such as central processing units, memory, network, and storage) and thus enables multiple computing stacks (consisting of an operating system, middleware and application programs) called virtual machines to be run on a single physical host.


I/O (Acronym)Input/output.
Image archive (Check 21)Database for storage and easy retrieval of check images.
Image capture (Check 21)The process of digitizing both sides of physical items and their assorted MICR information as they are processed at the Federal Reserve Bank. Also includes storage of the images for up to 60 days.
Image exchange (Check 21)Exchange of some or all of the digitized images of a check.
Implementation planA plan that details project management requirements and issues to be addressed during the period between the execution of an outsourcing agreement and the full production use of the outsourced services.
IncidentAn occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of a system or the information the system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.NIST Glossary
Incident managementThe process of identifying, analyzing, and correcting disruptions to operations and preventing future recurrences. The goal of incident management is to limit the disruption and restore operations as quickly as possible.FFIEC Developed for Supervisory Purposes
Incident responseThe response of an organization to a disaster or other significant event that may significantly impact the organization, its people, or its ability to function productively. An incident response may include evacuation of a facility, initiating a disaster recovery plan, performing damage assessment, and any other measures necessary to bring an organization to a more stable status.Business Continuity Institute Disaster Recovery Journal Glossary
Incident response planA plan that defines the action steps, involved resources, and communication strategy upon identification of a threat or potential threat event, such as a breach in security protocol, power or telecommunications outage, severe weather, or workplace violence.
Indemnifying bank (Check 21)A financial institution that transfers, presents, or returns a substitute check or a paper or electronic representation of a substitute check for which it receives consideration. The financial institution shall indemnify the recipient and any subsequent recipient (including a collecting or returning financial institution, the depository financial institution, the drawer, the drawee, the payee, the depositor, and any endorser) for any loss incurred by any recipient of a substitute check if that loss occurred due to the receipt of a substitute check instead of the original.
IndependenceSelf-governance, freedom from conflict of interest and undue influence. The IT auditor should be free to make his or her own decisions, not influenced by the organization being audited, or by its managers and employees.
Independent sales organizationA non-financial institution organization that provides a variety of merchant processing functions on behalf of the acquirer. These functions include soliciting new merchant accounts, arranging for terminal purchases or leases, and providing backroom services. An Independent sales organization is also referred to as a member service provider (MSP). The acquirer must register all Independent sales organization/MSPs with the bankcard associations.
Information securityThe process by which an organization protects the creation, collection, storage, use, transmission, and disposal of information.
Information systemsElectronic systems and physical components used to access, store, transmit, protect, and eventually dispose of information. Information systems can include networks (computer systems, connections to business partners and the Internet, and the interconnections between internal and external systems). Other examples are backup tapes, mobile devices, and other media.
Information technologyAny services or equipment, or interconnected system(s) or subsystem(s) of equipment that comprise the institution's IT architecture or infrastructure. It can include computers, ancillary equipment (including imaging peripherals, input, output, and storage devices necessary for security and surveillance), peripheral equipment designed to be controlled by the central processing unit of a computer, software, firmware and similar procedures, services (including cloud computing and help-desk services or other professional services which support any point of the life cycle of the equipment or service), and related resources.
InfrastructureSystem of facilities, equipment, and services needed for the operation of an organization.ISO 22300:2018(en)
InstructionMeans (i) any instruction submitted by a Member through the submission process directing CLS Bank to settle certain payment entitlements and obligations arising pursuant to an FX transaction eligible for settlement in CLS Bank and (ii) any instructions resulting from the split of Settlement Eligible Instructions.
Integrated exerciseA simulation to test the effectiveness of the continuity plans for a business line or major function that incorporates more than one component or module, including external dependencies.FFIEC Developed for Supervisory Purposes
Integrated Systems Digital Networking (ISDN)A hierarchy of digital switching and transmission systems that provides voice, data, and image in a unified manner. Integrated Systems Digital Networking (ISDN) is synchronized so that all digital elements communicate in the same protocol at the same speed.
IntegrityAssurance that information is trustworthy and accurate; ensuring that information will not be accidentally or maliciously altered or destroyed (see “Data integrity”).
Interbank checksChecks that are not "on-us." They are cleared and settled either by direct presentment, a clearinghouse association, a correspondent bank, or a Federal Reserve Bank.
InterchangeExchange of transactions between financial institutions participating in a bank card network, based on a common set of rules. Card interchange allows a financial institution's customers to use a bank credit card at any card honoring merchant and to gain access to multiple ATM systems from a single ATM.
Interchange feesFees paid by one financial institution to another to cover handling costs and credit risk in a financial institution card transaction. Interchange fees generally flow toward the institution funding the transaction and assuming the risk. In a credit card transaction, the interchange fee is paid by the merchant acquirer accepting the merchant's sales draft to the card-issuing institution, which, in turn, passes the fee to its merchants. In EFT/POS transactions, interchange flows in the opposite direction: the card-issuing institution (or customer) pays the fee to the terminal-owning institution. When a transaction is an off-line debit sale, the card-issuing institution collects an interchange fee from the merchant, rather than from the customer, unlike in an EFT/POS transaction, where the customer pays the interchange fee. Interchange revenue is derived from fees set by the card associations. Depending on the card association, fees can range from 1% to 3% of the value of the transaction. Interchange revenue is recognized as a card issuer's second largest revenue line item.
InterconnectivityThe state or quality of being connected together. The interaction of a financial institution's internal and external systems and applications and the entities with which they are linked.
InterdependenciesWhen two or more departments, processes, functions, or third-party providers interact to successfully complete a task, business function, or process.FFIEC Developed for Supervisory Purposes
InterfaceComputer programs that translate information from one system or application into a format required for use by another system or application.
Internal "trusted" zoneA channel in which the end points are known and data integrity is protected in transit. Depending on the communications protocol used, data privacy may be protected in transit. Examples include SSLIP security and a secure physical connection.
International Organization for Standardization (ISO)An independent, non-governmental, international organization that brings together experts to share knowledge and develop voluntary, consensus-based, market-relevant international standards.
InternetThe global system of interconnected computer networks that use the Internet protocol suite (TCP/IP) to link billions of devices worldwide.
Internet service provider (ISP)A company that provides its customers with access to the Internet (e.g., AT&T, Verizon, CenturyLink).
Internet Small Computer System Interface (iSCSI)An Internet protocol based storage networking standard for linking data storage facilities, used to facilitate. iSCSI is data transfers over intranets and to manage storage over long distances.
InteroperabilityThe ability of a system to work with or use the parts or equipment of another system.
Interoperability standards/protocolsCommonly agreed on standards that enable different computers or programs to share information. Example: HTTP (Hypertext Transfer Protocol) is a standard method of publishing information as hypertext in HTML format on the Internet.
Intrusion detectionTechniques that attempt to detect unauthorized entry or access into a computer or network by observation of actions, security logs, or audit data; detection of break-ins or attempts, either manually or via software expert systems that operate on logs or other information available on the network.
Intrusion detection system (IDS)Software or hardware product that detects and logs inappropriate, incorrect, or anomalous activity. It gathers and analyzes information from various areas within a computer or a network to identify possible security breaches, which include both intrusions (attacks from outside the organizations) and misuse (attacks from within the organizations). IDS are typically characterized based on the source of the data they monitor: host or network. A host-based IDS uses system log files and other electronic audit data to identify suspicious activity. A network-based IDS uses a sensor to monitor packets on the network to which it is attached.
Intrusion prevention systems (IPS)A system that can detect an intrusive activity and can also attempt to stop the activity, ideally before it reaches its target.
IPv6 (Acronym)Version 6 of the Internet Protocol.
ISAC (Acronym)Information Sharing and Analysis Center.
IT architectureA subset of enterprise architecture, with detail to support data processing and access, including fundamental requirements for centralized or distributed computing, real or virtual servers, devices and workstations, and networking design. Architecture plans may also exist for data (information), security, and applications.
IT governanceAn integral part of governance that consists of the leadership and organizational structures and processes that ensure that the institution's IT sustains and extends the organization's strategies and objectives.
IT strategic planA comprehensive blueprint that guides the organization's technology management and contains high-level goals and plans for all areas of information technology that affect the business, not just the infrastructure. The plan should include areas that impact technology management, including cost management, human capital management, hardware and software management, third-party management, risk management, and all other considerations in the enterprise IT environment.
IT system inventoryA list containing information about the information resources owned or operated by an organization.
IterativeRepetitive or cyclical. Iterative software development involves the completion of project tasks or phases in repetitive cycles. Tasks and phase activities are repeated until a desired result is achieved.


Key fobA small portable device equipped with chip technology allowing the holder the ability to access network systems, such as those used for payments, and to store personal data.
KioskA publicly accessible computer terminal that permits customers to directly communicate with the financial institution via a network.


LAN (Acronym)Local Area Network.
Large value funds transfer systemA wholesale payment system used primarily by financial institutions in which large values of funds are transferred between parties. Fedwire® and CHIPS are the two large-value transfer systems in the United States.
Last mileCommunications technology that bridges the transmission distance between the telecommunication service provider and the entity.FFIEC Developed for Supervisory Purposes
LatencyTime delay in processing voice packets.NIST Glossary
Time delay in processing voice and data packets.FFIEC Adapted for Supervisory Purposes
Legacy systemsA term commonly used to refer to existing computers systems and applications with which new systems or applications must exchange information.
Legal amount recognition (LAR)The handwritten dollar amount of the check.
Life-cycle processThe multi-step process that starts with the initiation, analysis, design, and implementation, and continues through the maintenance and disposal of the system.
Limited-scale exerciseA simulation involving applicable resources (personnel and systems) to recover targeted business processes.FFIEC Developed for Supervisory Purposes
LockboxDeposit mechanism used by commercial firms and businesses to facilitate their deposit transaction volume. Typically, commercial firms and businesses direct customers to send payments directly to a financial institution address or post office box controlled by the institution. Financial institution personnel record payments received and prepare deposit slips, and subsequent processing proceeds as with other deposit taking activities.
LockoutThe action of temporarily revoking network or application access privileges, normally due to repeated unsuccessful logon attempts.
LogA record of information or events in an organized system, usually sequenced in the order in which the events occurred.
Logical accessAbility to interact with computer resources granted using identification, authentication, and authorization.
Logical access controlsThe policies, procedures, organizational structure, and electronic access controls designed to restrict access to computer software and data files.
Long positionIn respect of a currency balance that is greater than zero, the amount by which such currency balance is greater than zero. A position that appreciates in value if market prices increase. When one buys a currency, their position is long.


Magnetic ink character recognition (MICR)Magnetic codes found on the bottom of checks, deposit slips, and general ledger debit and credit tickets that allow a machine to scan (capture) the information. MICR encoding on a check includes the account number, the routing number, the serial number of the check, and the amount of the check. The amount of the check is encoded when the proof department processes the check.
MainframeAn industry term for a large computer, typically used for the commercial applications of businesses and other large-scale computing purposes. Generally, a mainframe is associated with centralized rather than distributed computing.
MalwareSoftware designed to secretly access a computer system without the owner’s informed consent. The expression is a general term (short for malicious software) used to mean a variety of forms of hostile, intrusive, or annoying software or program code. Malware includes computer viruses, worms, Trojan horses, spyware, dishonest adware, ransomware, crimeware, most rootkits, and other malicious and unwanted software or programs.
Management information systems (MIS)A general term for the computer systems in an enterprise that provide information about its business operations.
Man-in-the-middle attackPlaces the attacker's computer in the communication line between the server and the client. The attacker's machine can monitor and change communications.
Matched instructionsTwo Instructions in which the information set forth in a specific CLS Bank Rule is matched in accordance with the parameters and procedures set forth in the CLS Bank Rules.
MatchingWith respect to compared and non-compared transactions, the process of comparing the trade or settlement details provided by counterparties to ensure they agree with respect to the terms of the transaction. Also called comparison checking.
Maximum tolerable downtime (MTD)The amount of time mission/business process can be disrupted without causing significant harm to the organization’s mission.NIST Glossary
The total amount of time the system owner or authorizing official is willing to accept for a business process disruption, including all impact considerations.FFIEC Adapted for Supervisory Purposes
MediaPhysical objects that store data, such as paper, hard disk drives, tapes, and compact disks (CDs).
Merchant acquirerBankcard association members that initiate and maintain contractual agreements with merchants for the purpose of accepting and processing bankcard transactions.
Merchant processingActivity for the acceptance and settlement of bankcard products and transactions from merchants through the payment system.
MetricA quantitative measurement.
MiddlewareSoftware that connects two or more software components or applications. It is another term for an application programmer interface or API, and it allows programmers to access lower- or higher-level services by providing an intermediary layer that includes function calls to the services.
MidrangeComputers that are more powerful and capable than personal computers but less powerful and capable than mainframe computers.
MilestoneA major project event.
Millions of instructions per second (MIPS)A general measure of computing performance and, by implication, the amount of work a larger computer can do.
MirroringA process that copies data to multiple disks over a computer network in real time or close to real time. Mirroring reduces network traffic, ensures better availability of the website or files, or enables the site or downloaded files to arrive more quickly for users close to the mirror site.
MnemonicA symbol or expression that can help someone remember something. For example, the phrase "Hello! My name is Bill. I'm 9 years old." might help an individual remember a secure 10-character password of "H!MniBI9yo."
Mobile deviceA portable computing and communications device with information-storage capability. Examples include notebook and laptop computers, cellular telephones and smart phones, tablets, digital cameras, and audio recording devices.
Mobile financial servicesThe products and services that a financial institution provides to its customers through mobile devices.
Multi-factor authenticationThe process of using two or more factors to achieve authentication. Factors include something you know (e.g., password or personal identification number); something you have (e.g., cryptographic identification device or token); and something you are (e.g., biometric).
Multilateral netting settlement systemMultilateral netting is an arrangement among three or more parties to net their obligations. In these settlement systems transfers are irrevocable but are only final after the completion of end-of-day-settlement.


NACHA - The Electronic Payments AssociationThe national association that establishes the rules and procedures governing the exchange of ACH payments.
National Institute of Standards and Technology (NIST)An agency of the U.S. Department of Commerce that works to develop and apply technology, measurements, and standards. NIST developed a voluntary cybersecurity framework based on existing standards, guidelines, and practices for reducing cyber risks to critical infrastructures.
National Settlement Service (NSS)Also referred to as Deferred Net Settlement. The Federal Reserve Banks' multilateral settlement service. NSS is offered to depository institutions that settle for participants in clearinghouses, financial exchanges, and other clearing and settlement groups. Settlement agents acting on behalf of those depository institutions electronically submit settlement files to the Federal Reserve Banks. Files are processed on receipt, and entries are automatically posted to the depository institutions' Reserve Bank accounts. Entries are final when posted.
Net debit capThe maximum dollar amount of uncollateralized daylight overdrafts that an institution is authorized to incur in its Federal Reserve account. The net debit cap is generally equal to an institution's capital times the cap multiple for its cap category.
NetworkTwo or more computer systems grouped together to share information, software, and hardware.
Network activity baselineA base for determining typical utilization patterns so that significant deviations can be detected.
Network administratorThe individual responsible for the installation, management, and control of a network.
Network attached storage (NAS)NAS systems usually contain one or more hard disks that are arranged into logical, redundant storage containers much like traditional file servers. NAS provides readily available storage resources and helps alleviate the bottlenecks associated with access to storage devices.
Network backboneThe main communication channel of a network that interconnects one or more network segments and provides a path for the exchange of data between devices. A backbone can span any geographic area.FFIEC Developed for Supervisory Purposes
Network diagramA description of any kind of locality in terms of its physical layout. In the context of communication networks, a topology describes pictorially the configuration or arrangement of a network, including its nodes and connecting communication lines.
Network securityThe protection of computer networks and their services from unauthorized entry, modification, destruction, or disclosure, and provision of assurance that the network performs its critical functions correctly and that there are no harmful side effects. Network security includes providing for data integrity.
Non-public personal informationFor purposes of the Information Security Standards, non-public personal information means (i) “personally identifiable financial information”; and (ii) any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived using any “personally identifiable financial information” that is not publicly available.
Non-repudiationEnsuring that a transferred message has been sent and received by the parties claiming to have sent and received the message. Non-repudiation is a way to guarantee that the sender of a message cannot later deny having sent the message and that the recipient cannot deny having received the message.


Object codeSoftware program instructions compiled (translated) from source code into machine-readable formats.
Office of Foreign Asset Control (OFAC)The Office of Foreign Assets Control, United States Department of the Treasury, administers and enforces economic sanctions programs primarily against countries and groups of individuals such as terrorists and narcotics traffickers. The sanctions can be either comprehensive or selective, using the blocking of assets and trade restrictions to accomplish foreign policy and national security goals.
Office of Foreign Assets Control (OFAC)The Office of Foreign Assets Control, Department of the Treasury, administers and enforces economic sanctions programs primarily against countries and groups of individuals such as terrorists and narcotics traffickers. The sanctions can be either comprehensive or selective, using the blocking of assets and trade restrictions to accomplish foreign policy and national security goals.
Offsite rotationUsed for backup and/or disaster recovery; moving a copy of the most current database, information, file, or tape to an offsite storage facility to be used only in an emergency.
On-us checksChecks that are deposited into the same institution on which they are drawn.
Open market operationsThe buying and selling of government securities in the open market in order to expand or contract the amount of money in the banking system.
Operating systemA system that supports and manages software applications. Operating systems allocate system resources, provide access and security controls, maintain file systems, and manage communications between end users and hardware devices.
Operational IT planTypically, the plans that are made by front-line, or low-level, IT managers. Operational IT plans are focused on the specific procedures and processes that implement the larger strategic plan.
Operational resilienceThe ability of systems to resist, absorb, and recover from or adapt to an adverse occurrence during operation that may cause harm, destruction, or loss of ability to perform mission-related functions.NIST Glossary
The ability of an entity’s personnel, systems, telecommunications networks, activities, or processes to resist, absorb, and recover from or adapt to an incident that may cause harm, destruction, or loss of ability to perform mission-related functions.FFIEC Adapted for Supervisory Purposes
Operational riskThe risk of failure or loss resulting from inadequate or failed processes, people, or systems.
Originating depository financial institution (ODFI)A participating financial institution that originates entries at the request of and by agreement with its originators in accordance with the provisions of the NACHA rules.
OriginatorA person that has authorized an ODFI to transmit a credit or debit entry to the deposit account of a receiver at an RDFI.
OutageThe interruption of systems, infrastructure, support services, or essential business functions, which may result in the entity’s inability to provide services for some period of time. The amount of time lost from an outage may result in downtime. Conversely, downtime may cause an outage.FFIEC Developed for Supervisory Purposes
Out-of-bandActivity outside of the primary means of interfacing with the customer. For example, if a user is performing activity online, he or she may be authenticated through a one-time password sent via text message.
OutsourcingThe practice of contracting through a formal agreement with a third-party(ies) to perform services, functions, or support that might otherwise be conducted in-house.FFIEC Developed for Supervisory Purposes


PacketThe data unit that is routed from source to destination in a packet-switched network.
PasswordsA secret sequence of characters that is used as a means of authentication.
PatchSoftware code that replaces or updates other code. Frequently patches are used to correct security flaws.
PatchingSoftware code that replaces or updates other code. Frequently patches are used to correct security flaws.
Paying bankA paying bank is the institution where a check is payable and to which it is sent for payment.
PaymentA transfer of value.
Payment systemThe mechanism, the rules, institutions, people, markets, and agreements that make the exchange of payments possible.
Payments System Risk Policy (PSR)The Federal Reserve's Payments System Risk (PSR) policy addressing the risks that payment systems present to the Federal Reserve Banks, the banking system, and to other sectors of the economy.
Payroll card accountA bank account that is established directly or indirectly by an employer on behalf of an employee to which an electronic funds transfers the employee's wages or compensation on a recurring basis. The payroll card, often branded by one of the credit/debit card associations, provides the employee access to the funds.
PCI Security Standards CouncilThe governing body, representing key participants of the payment card industry, which establishes and maintains security standards for payment cards.
Peer-to-peer (P2P)Peer-to-peer communication, the communications that travel from one user's computer to another user's computer without being stored for later access on a server. E-mail is not a P2P communication since it travels from the sender to a server, and is retrieved by the recipient from the server. On-line chat, however, is a P2P communication since messages travel directly from one user to another.
Penetration testThe process of using approved, qualified personnel to conduct real-world attacks against a system to identify and correct security weaknesses before they are discovered and exploited by others.
Personal digital assistant (PDA)A pocket-sized, special-purpose personal computer that lacks a conventional keyboard.
Personally identifiable financial informationFor purposes of the Information Security Standards, personally identifiable financial information means information (i) a consumer provides to a financial institution to obtain a financial product or service; (ii) about a consumer resulting from any transaction involving a financial product or service between the financial institution and a consumer; or (iii) that a financial institution otherwise obtains about a consumer in connection with providing a financial product or service, such as account balance information, payment history, overdraft history, and credit or debit card purchase information; or the fact that an individual is one of the financial institution’s customers.
Person-to-person (P2P) paymentOnline payments using electronic mail messages to invoke a transfer of value between the parties over existing proprietary networks as on-us transactions.
PhaseA project segment.
PhishingA digital form of social engineering that uses authentic-looking—but bogus—e-mail to request information from users or direct them to fake websites that request information.
Plain old telephone system (POTS)Basic telephone service.
PlatformThe underlying computer system on which applications programs run. A platform consists of an operating system, the computer system's coordinating program, which in turn is built on the instruction set for a processor or microprocessor, and the hardware that performs logic operations and manages data movement in the computer.
Point-of-sale (POS) networkA network of institutions, debit cardholders, and merchants that permit consumers to make direct payment electronically at the place of purchase. The funds are withdrawn from the account of the cardholder.
PolicyA document that records a high-level principle or an agreed-upon course of action; overall intention and direction as formally expressed by management.
Pop-up boxA dialog box that automatically appears when a person accesses a webpage.
PortEither an endpoint to a logical connection or a physical connection to a computer.
Positive payA technique that can reduce check fraud by requesting businesses to send electronic files of information to the financial institution on all checks the business has issued.
Presentment feeA fee that an institution receiving a check may impose on the institution that presents the check for payment. No presentment fee may be charged for checks presented by 8 a.m. local time.
Preventive controlA mitigating technique designed to prevent an event from occurring.
Principle of least privilegeThe security objective of granting users only the access needed to perform official duties.
Private branch exchange (PBX)A telephone system within an enterprise that switches calls between enterprise users on local lines while allowing all users to share a certain number of external phone lines.
Private key infrastructure (PKI)The use of public key cryptography in which each customer has a key pair (e.g., a unique electronic value called a public key and a mathematically-related private key). The private key is used to encrypt (sign) a message that can only be decrypted by the cor-responding public key or to decrypt a message previously encrypted with the public key. The public key is used to decrypt a message previously encrypted (signed) using an individual's private key or to encrypt a message so that it can only be decrypted (read) using the intended recipient's private key.
Private label cardSee "Store Card".
PrivilegeThe level of trust with which a system object is imbued.
Privileged accessIndividuals with the ability to override system or application controls.
ProjectA task involving the acquisition, development, or maintenance of a technology product.
Project managementPlanning, monitoring, and controlling an activity.
Proof of deposit (POD)The verification of the dollar amount written on a negotiable instrument being deposited.
ProtocolA format for transmitting data between devices.
Proxy serverAn Internet server that controls client computers' access to the Internet. Using a proxy server, a company can stop employees from accessing undesirable websites, improve performance by storing webpages locally, and hide the internal network's identity so monitoring is difficult for external users.
Public keySee "PKI".


Real time gross settlement (RTGS) SystemA type of payments system operating in real time rather than batch processing mode. It provides immediate finality of transactions. Gross settlement refers to the settlement of each transfer individually rather than netting. FedwireÒ is an example of a real time gross settlement system.
Real-time network monitoringImmediate response to a penetration attempt that is detected and diagnosed in time to prevent access.
ReceiverAn individual, corporation, or other entity that has authorized a company or an originator to initiate a credit or debit entry to a transaction account belonging to the receiver held at its RDFI.
Receiving depository financial institution (RDFI)Any financial institution qualified to receive debits or credits through its ACH operator in accordance with the ACH rules.
Reciprocal agreementAn agreement that allows two organizations to back up each other.NIST Glossary
An agreement that allows two entities (or two internal business groups) with compatible systems and functionality that allows each one to recover at the other’s location.FFIEC Adapted for Supervisory Purposes
Reconverting bank (Check 21)The financial institution that creates a substitute check. With respect to a substitute check that was created by a person that is not a financial institution, the reconverting bank is the first financial institution that transfers, presents, or returns that substitute check or, in lieu thereof, the first paper or electronic representation of that substitute check. The reconverting bank warrants that (1) the substitute check is the legal equivalent of the original check; and (2) the original check cannot be presented again in any form so the customer pays the check only once.
Recovery point objective (RPO)The point in time to which data must be recovered after an outage.NIST Glossary
The point in time to which data used by an activity is restored to enable the resumption of business functions. The RPO is expressed backward in time from the point of disruption and can be specified in increments of time (e.g., minutes, hours, or days).FFIEC Adapted for Supervisory Purposes
Recovery service levelsCollectively, terms that define the speed, quality, and quantity of recovery capability in response to a disaster, including recovery time objective, recovery point objective, timely notification, percentage of normal production service level agreements (SLAs) that will be delivered during recovery mode, etc.
Recovery siteAn alternate location for processing information (and possibly conducting business) in an emergency. Usually distinguished as "hot" sites that are fully configured centers with compatible computer equipment and "cold" sites that are operational computer centers without the computer equipment.
Recovery time objective (RTO)The overall length of time an information system’s components can be in the recovery phase before negatively impacting the organization’s mission or mission/business processes.NIST Glossary
Red teamA group of people authorized and organized to emulate a potential adversary's attack or exploitation capabilities against an enterprise's security posture. The red team's objective is to improve enterprise information assurance by demonstrating the impacts of successful attacks and by demonstrating what works for the defenders in an operational environment.
Redundant array of independent disks (RAID)The use of multiple hard disks to store the same data in different places. By placing data on multiple disks, I/O operations can overlap in a balanced way, improving performance. Since multiple disks increase the mean time between failures (MTBF), storing data redundantly also increases fault-tolerance.
Regulation CCA regulation (12 CFR 229) promulgated by the Board of Governors of the Federal Reserve System regarding the availability of funds and the collection of checks. The regulation governs the availability of funds deposited in checking accounts and the collection and return of checks.
Regulation EA regulation (12 CFR 205) promulgated by the Board of Governors of the Federal Reserve System to ensure consumers a minimum level of protection in disputes arising from electronic fund transfers.
Regulation ZRegulation Z, the Truth in Lending Act (TILA) (12 CFR 226) promulgated by the Board of Governors of the Federal Reserve System. The regulation prescribes uniform methods for computing the cost of credit, disclosing credit terms, and resolving errors on certain types of credit accounts.
Remittance cardsPayment cards that are typically used to facilitate cross-border movement of funds by individuals and for person-to-person transactions.
Remote accessAccess to an organizational information system by a user (or an information system) communicating through an external, non-organization-controlled network (e.g., the Internet).NIST Glossary
Remote deletionsUse of a technology to remove data from a portable device without touching the device.
Remote deposit capture (RDC)A service that enables users at remote locations to scan digital images of checks and transmit the captured data to a financial institution or a merchant that is a customer of a financial institution.
Remotely created check (RCC)A check that is drawn on a customer account at a financial institution, is created by the payee, and does not bear a signature in the format agreed to by the paying financial institution and customer. RCCs are also known as "demand drafts," "telechecks," "preauthorized drafts," "paper drafts," or "digital checks."
Removable mediaPortable electronic storage media, such as magnetic, optical, and solid-state devices, which can be inserted into and removed from a computing device and which is used to store text, video, audio, and image information. Such devices have no independent processing capabilities. Examples include hard disks, floppy disks, zip drives, compact disks (CD), thumb drives, pen drives, and similar storage devices.
Replay attackThe interception of communications, such as an authentication communication, and subsequently impersonation of the sender by retransmitting the intercepted communication.
RepudiationThe denial by one of the parties to a transaction of participation in all or part of that transaction or of the content of the communication.
Reserve accountA non-interest-earning balance account institutions maintain with the Federal Reserve Bank or with a correspondent bank to satisfy the Federal Reserve's reserve requirements. Reserve account balances play a central role in the exchange of funds between depository institutions.
Reserve requirementsThe percentage of deposits that a depository institution may not lend out or invest and must hold either as vault cash or on deposit at a Federal Reserve Bank. Reserve requirements affect the potential of the banking system to create transaction deposits.
Residual riskThe amount of risk remaining after the implementation of controls.
ResilienceThe ability to prepare for and adapt to changing conditions and withstand and recover rapidly from disruptions. Resilience includes the ability to withstand and recover from deliberate attacks, accidents, or naturally occurring threats or incidents.NIST Glossary
ResourceAny enterprise asset that can help the organization achieve its objectives.
Retail paymentsPayments, typically small, made in the goods and services market.
Retention requirementRequirement established by a company or by regulation for the length of time and/or for the amount of information that should be retained.
Return (ACH)Any ACH entry that has been returned to the ODFI by the RDFI or by the ACH operator because it cannot be processed. The reason for each return is included with the return in the form of a "return reason code." (See the NACHA "Operating Rules and Guidelines" for a complete reason code listing.)
RiskThe potential that events, expected or unanticipated, may have an adverse effect on a financial institution's earnings, capital, or reputation.
Risk analysisThe process of identifying risks, determining their probability and impact, and identifying areas needing safeguards.
Risk assessmentA prioritization of potential business disruptions based on severity and likelihood of occurrence. The risk assessment includes an analysis of threats based on the impact to the institution, its customers, and financial markets, rather than the nature of the threat.
Risk identificationThe process of determining risks and existing safeguards. It generally includes inventories of systems and information necessary to operations and defines the potential threats to systems and operations.
Risk managementThe total process required to identify, control, and minimize the impact of uncertain events. The objective of a risk management program is to reduce risk and obtain and maintain appropriate management approval at predefined stages in the life cycle.
Risk measurementA process to determine the likelihood of an adverse event or threat occurring and the potential impact of such an event on the institution. The result of risk measurement leads to the prioritization of potential risks based on severity and likelihood of occurrence.
Risk mitigationThe process of reducing risks through the introduction of specific controls and risk transfer. It includes the implementation of appropriate controls to reduce the potential for risk and bring the level of risk in line with the board's risk appetite.
RloginRemote login. A UNIX utility that allows a user to login to a remote host on a network, as if it were directly connected, and make use of various services. Remote login is an information exchange between network-connected devices where the information cannot be reliably protected end-to-end by a single organization's security controls.
Rogue wireless accessAn unauthorized wireless node on a network.
RouterA hardware device that connects two or more networks and routes incoming data packets to the appropriate network.
RoutingThe process of moving information from its source to the destination.
Routing numberAlso referred to as the ABA number. A nine-digit number (eight digits and a check digit) that identifies a specific financial institution.


SandboxA restricted, controlled execution environment that prevents potentially malicious software, such as mobile code, from accessing any system resources except those for which the software is authorized.
SAS 70 reportAn audit report of a servicing institution prepared in accordance with guidance provided in the American Institute of Certified Public Accountant's Statement of Auditing Standards Number 70. Replaced by SSAE 16.
ScalabilityA term that refers to how well a hardware and software system can adapt to increased demands. For example, a scalable network system would be one that can start with just a few nodes but can easily expand to thousands of nodes. Scalability can be a very important feature because it means the entity can invest in a system with confidence they will not quickly outgrow it.
ScenarioA sequential, narrative account of a hypothetical incident that provides the catalyst for the exercise and is intended to introduce situations that will inspire responses and thus allow demonstration of the exercise objectives.NIST Glossary
Scenario analysisThe process of analyzing possible future events by considering alternative possible outcomes.
ScorecardA dashboard of performance measures.
ScriptA file containing active content; for example, commands or instructions to be executed by the computer.
Secure shellNetwork protocol that uses cryptography to secure communication, remote command line log-in, and remote command execution between two networked computers.
Secure Socket Layer (SSL)A protocol that is used to transmit private documents through the Internet.
Security architectureA detailed description of all aspects of the system that relate to security, along with a set of principles to guide the design. A security architecture describes how the system is put together to satisfy the security requirements.
Security auditAn independent review and examination of system records and activities to test for adequacy of system controls, ensure compliance with established policy and operational procedures, and recommend any indicated changes in control, policy, and procedures.
Security breachA security event that results in unauthorized access of data, applications, services, networks, or devices by bypassing underlying security mechanisms.
Security eventAn event that potentially compromises the confidentiality, integrity, availability, or accountability of an information system.
Security logA record that contains log-in and logout activity and other security-related events and that is used to track security-related information on a computer system.
Security postureThe security status of an enterprise's networks, information, and systems based on information security and assurance resources (e.g., people, hardware, software, and policies) and capabilities in place to manage the defense of the enterprise and to react as the situation changes.
Security procedure agreementAn agreement between a financial institution and a Federal Reserve Bank whereby the financial institution agrees to certain security procedures if it uses an encrypted communications line with access controls for the transmission or receipt of a payment order to or from a Federal Reserve Bank.
Security violationAn instance in which a user or other person circumvents or defeats the controls of a system to obtain unauthorized access to information or system resources.
Sensitive customer informationA customer’s name, address, or telephone number, in conjunction with the customer’s social security number, driver’s license number, account number, credit or debit card number, or personal identification number or password that would permit access to the customer’s account. Sensitive customer information also includes any combination of components of customer information that would allow someone to log into or access the customer’s account, such as user name and password or password and account number.
ServerA computer or other device that manages a network service. An example is a print server, which is a device that manages network printing.
Service level agreementDefines the specific responsibilities of the service provider and sets the customer expectations.NIST Glossary
A formal agreement between two parties that records: a common understanding about products or services to be delivered, priorities, responsibilities, guarantees, and warranties between the parties. In addition, the agreement describes the nature, quality, security, availability, scope, and timeliness of delivery and response of the parties, the point(s) of contact for end-user problems, and the metrics by which the effectiveness of the process is monitored and approved, and may include other measurable objectives. The agreement should cover not only expected day-to-day situations, but also unexpected or adverse events, as the need for the service may vary.FFIEC Adapted for Supervisory Purposes
Service providerFor purposes of the Information Security Standards, service provider means any person or entity that maintains, processes, or otherwise is permitted access to customer information or consumer information through its provision of services directly to a financial institution.
SettlementThe final step in the transfer of ownership involving the physical exchange of securities or payment. In a banking transaction, settlement is the process of recording the debit and credit positions of the parties involved in a transfer of funds. In a financial instrument transaction, settlement includes both the transfer of securities by the seller and the payment by the buyer. Settlements can be "gross" or "net." Gross settlement means each transaction is settled individually. Net settlement means parties exchanging payments will offset mutual obligations to deliver identical items (e.g., dollars or EUROS), at a specified time, after which only one net amount of each item is exchanged.
Settlement date (ACH)The date on which an exchange of funds with respect to an entry is reflected on the books of the Federal Reserve Bank.
Settlement eligible instructionsSee "Matched Instructions".
Shadow ITA term used to describe IT systems or applications used inside institutions without explicit approval.
Short positionIn respect of a currency balance that is less than zero, the amount by which such currency balance is less than zero. An investment position that benefits from a decline in market price. When one sells a currency their position is short.
Short position limitIn respect of an eligible currency, the maximum short position a Settlement Member may have at any time in that eligible currency and, unless otherwise reduced pursuant to the CLS Bank Rules, shall equal (i) the total amount of all available committed liquidity facilities in such eligible currency (or such lesser amount that CLS Bank may determine from time to time) minus (ii) the amount of the largest available committed liquidity facility among such liquidity facilities (after taking into account any amounts already drawn.
Single-Entry (ACH)A one-time transfer of funds initiated by an originator in accordance with the receiver’s authorization for a single ACH credit or debit to the receiver's consumer account.
Small Computer Systems Interface (SCSI)Small computer systems interface (pronounced "scuzzy"). A standard way of interfacing a computer to disk drives, tape drives, and other devices that require high-speed data transfer. Also, a secondary SAN protocol that allows computer applications to talk to storage devices.
Smart cardsA card with an embedded computer chip on which information can be stored and processed.
SniffingThe passive interception of data transmissions.
Social engineeringA general term for trying to trick people into revealing confidential information or performing certain actions.
Source codeSoftware program instructions written in a format (language) readable by humans.
Spear phishingAn attack targeting a specific user or group of users, and attempts to deceive the user into performing an action that launches an attack, such as opening a document or clicking a link. Spear phishers rely on knowing some personal piece of information about their target, such as an event, interest, travel plans, or current issues. Sometimes this information is gathered by hacking into the targeted network.
Spiral developmentAn iterative project management model that focuses on the identification of project and product risks and the selection of project management techniques that best control the identified risks.
SpoofingA form of masquerading where a trusted IP address is used instead of the true IP address as a means of gaining access to a computer system.
SpotThe most common foreign exchange transaction. Spot or spot date refers to the spot transaction value date that requires settlement within two business days, subject to value date calculation.
SQL injection attackAn exploit of target software that constructs structure query language (SQL) statements based on user input. An attacker crafts input strings so that when the target software constructs SQL statements based on the input, the resulting SQL statement performs actions other than those the application intended. SQL injection enables an attacker to talk directly to the database, thus bypassing the application completely. Successful injection can cause information disclosure as well as ability to add or modify data in the database.
Sreen scrapingA process used by information aggregators to gather information from a customer's website, whereby the aggregator accesses the target site by logging in as the customer, electronically reads and copies selected information from the displayed webpage(s), then redisplays the information on the aggregator's site. The process is analogous to "scraping" the information off the computer screen.
Standard Entry Class (SEC) codeThree-character code in an ACH company/batch header record used to identify the payment type within an ACH batch.
Stateful inspectionA firewall inspection technique that examines the claimed purpose of a communication for validity. For example, a communication claiming to respond to a request is compared to a table of outstanding requests.
Storage area network (SAN)A high-speed special-purpose network (or sub-network) that connects different types of data storage devices with associated data servers on behalf of a larger network of users.
Storage virtualizationThe process of taking many different physical storage networks and devices, and making them appear as one "virtual" entity for purposes of management and administration.
Store cardA credit card issued by a financial institution for a specific merchant or vendor that does not carry a bankcard association logo. Store cards can only be used at the merchant or vendor whose name appears on the front of the card.
Stored-value cardA card-based payment system that assigns a value to the card. The card's value can be stored on the card itself (i.e., on the magnetic stripe or in a computer chip) or in a network database. As the card is used for transactions, the transaction amounts are subtracted from the card's balance. As the balance approaches zero, some cards can be "reloaded" through various methods and others are designed to be discarded. These cards are often used in closed systems for specific types of purchases.
Substitute check (Check 21)Also known as the Image Replacement Document (IRD). A paper reproduction of an original check that (1) contains an image of the front and back of the original check; (2) bears a MICR line that, except as provided under ANS X9.100-140, contains all the information appearing on the MICR line of the original check when it was issued and any additional information that was encoded on the original check's MICR line before an image of the original check was captured; (3) conforms in paper stock, dimension, and otherwise with ANS X9.100-140; and (4) is suitable for automated processing in the same manner as the original check. The Federal Reserve Board of Governors can by rule or order determine different standards.
Supply chain risk managementThe implementation of processes, tools, or techniques to minimize the adverse impact of attacks that allow the adversary to utilize implants or other vulnerabilities inserted prior to installation in order to infiltrate data, or manipulate information technology hardware, software, operating systems, peripherals (information technology products) or services at any point during the life cycle.NIST Glossary
The implementation of processes, tools, or techniques to minimize the adverse impact of attacks that allow the adversary to exploit vulnerabilities inserted prior to installation. This is done in order to infiltrate data, or manipulate information technology hardware, software, operating systems, peripherals (information technology products) or services at any point during the supply chain (e.g., initial production, packaging, handling, storage, transport, mission operation, and disposal).FFIEC Adapted for Supervisory Purposes
Suspicious activity report (SAR)Reports required to be filed by the Bank Secrecy Act when a financial institution identifies or suspects fraudulent activity.
SwitchA device that connects more than two LAN segments that use the same data link and network protocol.
Synchronous Optical NETwork (SONET)SONET is a standard for telecommunications transmissions over fiber optic cables. SONET is self-healing so that if a break occurs in the lines, it can use a back-up redundant ring to ensure that the transmission continues. SONET networks can transmit voice and data over optical networks.
Synchronous replicationData is written to both primary and secondary storage areas at the same time to ensure that multiple copies of the data are current and identical. This method is used for critical business functions where latency is unacceptable, and little or no data loss can be tolerated.FFIEC Developed for Supervisory Purposes
Systeminstitutions in which large values of funds are transferred between parties. Fedwire® and CHIPS are the two large-value transfer systems in the United States.
System administrationThe process of maintaining, configuring, and operating computer systems.
System resourcesCapabilities that can be accessed by a user or program either on the user's machine or across the network. Capabilities can be services, such as file or print services, or devices, such as routers.
Systems Development Life Cycle (SDLC)An approach used to plan, design, develop, test, and implement an application system or a major modification to an application system.


T-1 lineA special type of telephone line for digital communication and transmission. T-1 lines provide for digital transmission with signaling speed of 1.544Mbps (1,544,000 bits per second). This is the standard for digital transmissions in North America. Usually delivered on fiber optic lines.
Tabletop exerciseA discussion-based exercise where personnel with roles and responsibilities in a particular IT plan meet in a classroom setting or in breakout groups to validate the content of the plan by discussing their roles during an emergency and their responses to a particular emergency situation. A facilitator initiates the discussion by presenting a scenario and asking questions based on the scenario.NIST Glossary
A discussion-based exercise where personnel meet in a classroom setting or in breakout groups to validate a component(s) of the business continuity plan(s) by discussing their roles and responsibilities. A facilitator initiates the discussion by presenting a scenario and asking questions based on the scenario.FFIEC Adapted for Supervisory Purposes
Tactical planTypically, a short-term plan that establishes the specific steps needed to implement a company's strategic plan. These plans are often created by mid-level managers.
TelecommunicationsThe exchange of information over significant distances by electronic means.
TelnetAn interactive, text-based communications session between a client and a host. It is used mainly for remote login and simple control services to systems with limited resources or to systems with limited needs for security.
TestAn evaluation tool that uses quantifiable metrics to validate the operability of a system or system component in an operational environment specified in an IT plan.NIST Glossary
A type of exercise intended to verify the quality, performance, or reliability of system resilience in an operational environment.FFIEC Adapted for Supervisory Purposes
Test keyInternal controls used to verify the authenticity of incoming wire requests involve the use of test keys. A test key is a formula used to develop or interpret test codes or test words. Test codes or words consist of a series of numbers signifying different types of information and usually precede the text of the message. As an example, a test code may contain a bank number, the amount of the transaction, and a number indicating the day and week of the month. As an additional precaution, many test codes contain a variable (sequence number) based on the number of messages received.
Third-party relationshipAny business arrangement between a financial institution and another entity, by contract or otherwise.
Third-party senderA special subset of a technology service provider that is authorized to transmit ACH files on behalf of an originator. Typically, the ODFI must rely upon warranties by the third- party sender regarding the originators' identity and credit worthiness, which places additional risks on the ODFI.
Third-party service providerAny third party to whom a financial institution outsources activities that the institution itself is authorized to perform, including a technology service provider.
Third-party service provider (ACH)A third party, other than the ODFI or RDFI, that performs any function on behalf of the ODFI or the RDFI related to ACH processing. These functions would include the creation and sending of ACH files or acting as a sending or receiving point on behalf of a participating depository financial institution.
Threat intelligenceThreat information that has been aggregated, transformed, analyzed, interpreted, or enriched to provide the necessary context for decision-making processes.NIST Glossary
TokenA small device with an embedded computer chip that can be used to store and transmit electronic information. A soft token is a software-based token.
TopologySee "Network diagram".
Total cost of ownership (TCO)The true cost of ownership of a computer or other technology system that includes original cost of the computer and software, hardware and software upgrades, maintenance, technical support, and training.
Transmission control protocol/Internet protocol (TCP/IP)A communication standard for transmitting data packets from one computer to another. TCP/IP is used on the Internet and other networks. The two parts of TCP/IP are TCP, which deals with constructions of data packets, and IP, which routes them from machine to machine.
TriggerAn event that causes the system to initiate a response. Note: Also known as a triggering event.NIST Glossary
An event that prompts a response from management or an automated system. Also known as a triggering event.FFIEC Adapted for Supervisory Purposes
Trojan horseMalicious code that is hidden in software that has an apparently beneficial or harmless use.
Truncating bank (Check 21)The financial institution that truncates the original check. If a person other than a financial institution truncates the original check, the truncating bank is the first financial institution that transfers, presents, or returns, in lieu of such original check, a substitute check or, by agreement with the recipient, information relating to the original check (including data taken from the MICR line of the original check or an electronic image of the original check), whether with or without the subsequent delivery of the original check.
Trusted zoneA channel in which the end points are known and data integrity is protected in transit. Depending on the communications protocol used, data privacy may be protected in transit. Examples include secure socket layer, internet protocol security and a secure physical connection.
TunnelThe path that encapsulated packets follow in an Internet VPN.


U.S. Computer Emergency Readiness Team (US-CERT)US-CERT is part of the U.S. Department of Homeland Security's National Cybersecurity and Communications Integration Center. US-CERT is a partnership between the Department of Homeland Security and the public and private sectors, established to protect the nation's Internet infrastructure. US-CERT coordinates defense against and responses to cyber attacks across the nation.
Uniform Resource Locator (URL)Abbreviation for "Uniform (or Universal) Resource Locator." A way of specifying the location of publicly available information on the Internet, in the form: protocol://machine:port number/filename. Often the port number and/or filename are unnecessary.
Uninterruptible power supply (UPS)A device that allows your computer to keep running for at least a short time when the primary power source is lost. A UPS may also provide protection from power surges. A UPS contains a battery that "kicks in" when the device senses a loss of power from the primary source allowing the user time to save any data they are working on and to exit before the secondary power source (the battery) runs out. When power surges occur, a UPS intercepts the surge so that it doesn't damage your computer.
USA Patriot ActThe USA PATRIOT Act (Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (Public Law Pub.L. 107-56), commonly known as the "Patriot Act", was enacted by Congress to deter and punish terrorist acts in the United States and around the world by enhancing the law enforcement investigatory tools of both domestic law enforcement and foreign intelligence agencies.
User IdentificationThe process, control, or information by which a user identifies himself or herself to the system as a valid user (as opposed to authentication).
UtilityA program used to configure or maintain systems, or to make changes to stored or transmitted data.


Very early smoke detection alert (VESDA)A system that samples the air on a continuing basis and can detect fire at the pre-combustion stage.
Virtual local area network (VLAN)Logical segmentation of a LAN into different broadcast domains.
Virtual machineA software emulation of a physical computing environment.
Virtual MallAn Internet website offering products and services from multiple vendors or suppliers.
Virtual private network (VPN)A computer network that uses public telecommunication infrastructure, such as the Internet, to provide remote offices or individual users with secure access to their organization's network.
VirusMalicious code that replicates itself within a computer.
Voice over Internet Protocol (VoIP)The transmission of voice telephone conversations using the Internet or Internet Protocol networks.
VulnerabilityA hardware, firmware, or software flaw that leaves an information system open to potential exploitation; a weakness in automated system security procedures, administrative controls, physical layout, internal controls, etc., that could be exploited to gain unauthorized access to information or to disrupt critical processing.
Vulnerability AnalysisSystematic examination of an information system or product to determine the adequacy of security measures, identify security deficiencies, provide data from which to predict the effectiveness of proposed security measures, and confirm the adequacy of such measures after implementation.
Vulnerability AssessmentSystematic examination of systems to identify, quantify, and prioritize the security deficiencies of the systems.


Warehouse attackThe compromise of systems that store authenticators.
Warm siteAn environmentally conditioned work space that is partially equipped with information systems and telecommunications equipment to support relocated operations in the event of a significant disruption.NIST Glossary
WEB SEC codeAn ACH debit entry initiated by an originator resulting from the receiver's authorization through the Internet to make a transfer of funds from a consumer account of the receiver.
WeblinkingThe use of hyperlinks to direct users to webpages of other entities.
WebsiteA webpage or set of webpages designed, presented, and linked together to form a logical information resource and/or transaction initiation function.
Website hostingThe service of providing ongoing support and monitoring of an Internet-addressable computer that stores webpages and processes transactions initiated over the Internet.
Wireless application protocol (WAP)A data transmission standard to deliver wireless markup language (WML) content.
Wireless gateway serverA computer (server) that transmits messages between a computer network and a cellular telephone or other wireless access device.
Wireless phoneSee "Cellular Telephone".
Work programA series of specific, detailed steps to achieve an audit objective.
WorkstationAny computer connected to a local-area network.
WormA self-replicating malware computer program. It uses a computer network to send copies of itself to other nodes (computers on the network) and it may do so without any user intervention. This is primarily because of security vulnerabilities on the target computers.
WORM (Acronym)Write once, read many times. A type of optical disk where a computer can save information once, can then read that information, but cannot change it.


Zero-day attackAn attack on a piece of software that has a vulnerability for which there is no known patch.