The FFIEC IT Examination Handbook (IT Handbook), "Retail Payment Systems Booklet" (booklet), provides guidance to examiners, financial institutions, and technology service providers (TSPs) on identifying and controlling risks associated with retail payment systems and related banking activities. (This booklet uses the terms "institution" and "financial institution" to describe an insured bank, savings association, and credit union, as well as TSPs providing services to a financial institution.) This booklet references specific services and brand names including those trademarked by their respective companies. These references are intended solely to provide a retail payment systems overview and should not be construed as an FFIEC endorsement of any product or service noted herein.
Financial institutions accept, collect, and process a variety of payment instruments and participate in clearing and settlement systems. In some cases, financial institutions perform all of these tasks. However, independent third parties are increasingly involved in this process, introducing new risks that affect the security of financial institutions. Financial institutions, acting either in consortiums or independently, remain the core providers to businesses and consumers for most retail payment instruments and services. Federal government-affiliated providers and operators, such as the Federal Reserve Banks (Reserve Banks), also compete with numerous financial institutions and private sector firms in providing various services in support of retail payments.
Recently, a number of new payment instruments have emerged that are largely or wholly electronic. Electronic payment systems offer efficiency gains by allowing for rapid and convenient transmission of payment information among system participants. However, the emergence of a new payment mechanism can also enable the rapid propagation of fraud, money laundering, and operational disruption if data is compromised. Another trend associated with emerging payments is the increased participation of nonbank third parties in retail payment systems and a lengthened transaction chain, which may increase risk in payment processes. Management of retail payments risk is increasingly difficult and requires diligent oversight of third-party service providers.
Much of the guidance in this booklet, involving traditional retail payment systems, has not been revised significantly because of the maturity of these systems in the product life cycle. Mature payment systems are better understood, whereas emerging payment systems require a closer look to better understand the risks and associated controls. New guidance is offered for remotely created checks (RCCs), electronically created payment orders, automated clearing house (ACH) transactions, the Check Clearing for the 21st Century Act (Check 21; see www.ffiec.gov/exam/check21/), and Merchant Card Processing due to recent developments in these areas. Also, this booklet includes a new section that covers some emerging technologies in retail payment systems. Additional emphasis is placed on the need for improved operational, credit, legal, and compliance risk processes for retail payment products, especially for the deployment of remote and Internet-based check and ACH capture systems.
Examination guidance for Retail Payment Systems is provided in three sections, followed by examination procedures, a glossary, and references:
- Retail Payment Systems Overview: The first section of the booklet presents an overview of retail payment systems, grouping retail payment instruments in various categories, including: checks, card-based electronic payments, and other electronic payments, such as person-to-person (P2P), electronic benefits transfer (EBT), and ACH.
- Payment Instruments, Clearing, and Settlement: The second section of the booklet describes the retail payment system instruments typically offered by financial institutions and the roles of various payment system participants, including third parties. Diagrams showing the typical payment flows and clearing and settlement arrangements for each of the retail payment instruments described are also included. See "Nonbanks in the Payments System," March 6, 2003, and "A Guide to the ATM and Debit Card Industry," April 7, 2003, describing payment flows and clearing and settlement arrangements at: www.kansascityfed.org/home/subwebnav.cfm?level=3&theID=10724&SubWeb=10658#2003.
- Retail Payment Systems Risk Management: The third section describes the risks associated with various retail payment systems and instruments, using the regulatory risk categories: reputation, strategic, credit, liquidity, settlement, legal/compliance, and operational/transaction risk. This section also presents the risk management practices financial institutions should implement in order to mitigate the risks described, and it concludes with specific controls appropriate to a number of retail payment instruments. Management action summaries for selected risks and functions are also included in this section, providing a snapshot of the risks and risk management practices described in the text.
This booklet includes a number of references to other IT Handbook booklets, including "Information Security," "Business Continuity Planning," "Audit," "Outsourcing Technology Services," "Electronic Banking," and "Wholesale Payment Systems." Also, there are references to FFIEC guidance for Bank Secrecy Act examinations that are relevant to retail payment systems and for Check 21. In addition to describing the IT risks and controls, the booklet also discusses certain credit and liquidity risks that may also be present when providing retail payment services. A full review of a particular financial institution's retail payment system environment will require an interdisciplinary team of examiners with experience in operational, credit, liquidity, and compliance risks.
Examiners should use the examination procedures for evaluating the risks and risk management practices at financial institutions offering retail payment system products and services. These procedures address services and products of varied complexity; therefore, examiners should adjust the procedures, as appropriate, for the scope of the examination and the risk profile of the institution. The procedures may be used independently or in combination with procedures from other IT Handbook booklets and agency-specific handbooks and guidance documents.
Retail Payment Systems Overview