Retail Payment Systems Risk Management
Financial institutions engaged in retail payment systems should establish an appropriate risk management process that identifies, measures, monitors, and limits risks.
Management and the board should manage and mitigate the identified risks through effective internal and external audit, physical and logical information security, business continuity planning, vendor management, operational controls, and legal measures.
Risk management strategies should reflect the nature and complexity of the institution's participation in retail payment systems, including any support they offer to clearing and settlement systems. Management should develop risk management processes that capture not only operational risks, but also credit, liquidity, strategic, reputational, legal, and compliance risks, particularly as they engage in new retail payment products and systems. Management should also develop an enterprise wide view of retail payment activities due to cross-channel risk. These risk management processes should consider the risks posed by third-party service providers.
Financial institutions should tailor their risk management strategies to the nature and complexity of their participation in retail payment systems, including any support they offer to clearing and settlement systems. Financial institutions must comply with federal and state laws and regulations, as well as with operating rules of clearing houses and bankcard networks. From the initiation of a retail payment transaction to its settlement, financial institutions are exposed to certain risks. For individual retail payment transactions, risks resulting from compliance issues and potential operational failures including fraud are always present. Operational failures can increase costs, reduce earnings opportunities, and impair an institution's ability to reflect its financial condition accurately. Participation in retail payment systems may expose financial institutions to credit, liquidity, and operational risk, particularly during settlement activities. In addition, a financial institution's credit, liquidity, and operational risks may be interdependent with payment system operators and third parties.
Risk profiles vary significantly based on the size and complexity of the financial institution's retail payment system products and services, IT infrastructure, and dependence on third parties. All financial institutions should maintain an effective internal control environment commensurate with the level of retail payment products and services offered. Effective internal controls should include financial, accounting, technical, procedural, and administrative controls necessary to minimize risks in the retail payment transaction, clearing, and settlement processes. These measures reduce operational and credit risks, ensure individual transactions are valid, and mitigate processing and other errors. Effective controls also ensure supporting IT and network infrastructure promote retail payment transaction integrity, confidentiality, and availability. Financial institutions engaging in retail payment system services should be aware of the risks inherent in the activity.
Financial institutions have always offered a variety of retail payment services; however, recent technological advances are expanding the opportunities for the development of innovative payment products and services. Financial institutions should recognize the reputation and strategic risk of newer products and services, which may lack consumer acceptance. Often, participants will also face uncertainty regarding how state and federal laws and regulations will apply to new payment systems. The ongoing shift from paper to electronic payments is increasing the participation of nonbanks in various payment functions, such as payment processing. Financial institutions should have a comprehensive and effective vendor and third-party service provider risk management and oversight program. See the IT Handbook Outsourcing Technology Services Booklet.
Emerging Network Technologies
Payment System Risk (PSR) Policy