Operational Risk

Operational risk is the risk of loss resulting from inadequate or failed internal processes, people and systems, or external events.  Operational risk can arise from a technology failure, human or technical errors in financial models and reporting, or other internal control system deficiencies.  In the case of RDC, operational risk (i.e., image/data quality, business continuity, information security, etc.) increases when deposit processing occurs at the customer location which is outside of the financial institution's direct control.  As a result, the financial institution could experience delays or disruptions in processing, clearing, and settling retail payment transactions that could lead to credit and liquidity problems at other financial institutions.

Operational risk can also arise from fraud perpetrated by employees or by external sources.  A financial institution is exposed to operational risk from fraud when a wrongful or criminal deception can lead to a financial loss for one of the parties involved.  While fraud risk in traditional ACH activity is low, new ACH products and services, such as one-time ACH debits from Internet-based and telemarketing merchants (WEB and TEL) pose considerable fraud potential.  With traditional ACH activity, financial institutions have employed strong front-end fraud controls for recurring debits they originate.  These controls are typically not present with WEB and TEL transactions.  The continuing growth of check-to-ACH conversion, check truncation, and the growing use of RCCs, RDC, and electronically created payment orders present new forms of fraud risks.  In these situations, liability typically rests with the financial institution where the check is first deposited or the ACH item is originated.  In the case of electronically created payment orders, liability rests with the financial institution that sends the file to the Reserve Bank or other correspondent.  As operational processes continue to change, financial institutions will need to enhance their internal controls, as described below, to mitigate operational risk.  Existing control mechanisms may not be as effective as necessary.

Newer retail payment mechanisms, particularly using the Internet, also subject customers and financial institutions to fraud risk exposure.  All of these highly automated processes typically reflect a reengineering of the existing check processes, and the existing fraud controls may not be adequate.  The creation of fraudulent electronic transactions could lead to financial losses if fraudulent balances are successfully exchanged for a readily transferable form of funds, such as currency.

Operational risk controls should include sound information systems, and procedural, administrative and legal measures to prevent or limit financial loss.  System measures include monetary and time limits (per transaction, per payment instrument, per client), personal authentication, and encryption techniques to ensure the authenticity and integrity of the payer and transaction information.  Additional controls include the use of certified, tamper-resistant equipment (e.g., EFT/POS terminals), logical access controls to verify transactions, online verification of account balances, logging of all transactions and attempts to make a transaction, and the use of serial numbers and check digits.

Financial institutions can create a fraud detection control through a due diligence program for new account acceptance coupled with ongoing, automated monitoring of deposit account transactions.  Account monitoring should be facilitated through the use of caps, limits, and triggers to measure activity on an intraday basis.  Financial institutions use a variety of automated databases, such as credit bureaus, to review new accounts prior to or soon after opening the accounts.  Institutions also use a number of vendor-supported automated algorithms to review deposit account transactions for unusual activity related to kiting or other fraud.

Other procedural measures for reducing fraud include:  closely monitoring return rates for all customers, appropriate dual custody and separation of duties for critical payment transaction processing and accounting tasks, payment data verification, clear error processing and escalation procedures, and confidential and tamper-resistant mailing procedures for bankcards and other sensitive material.  Account reconcilement processes are vital to early detection of errors and fraud.  Administrative measures should include IT audit coverage of operational controls, legal controls (including regulatory compliance and agreements), and personnel issues associated with staffing and training.

In the event of an unauthorized use of a payment card, the cardholder's liability is limited to a specified amount if he or she notifies the card issuer of the theft or loss within a set time limit.  To limit their own losses from POS card fraud, the bankcard companies require vendors to match the cardholder's signature on the card with the signature on the payment voucher at the POS.  The bankcard companies have also introduced extensive monitoring and reporting controls to limit fraudulent activity.

In a broader view of operational risk management, financial institutions should employ vendor management programs that provide for due diligence of new service providers as well as ongoing monitoring of existing vendors.  An effective vendor management program will focus on data security and business continuity.

In addition, a more effective approach to mitigate fraud risk may be to view this risk potential across channels.  This requires an enterprise view of the range of retail payments activities.  Those payments that use multiple payment channels for processing and clearing are subject to an increased level of fraud risk because traditional fraud detection and prevention measures are designed for single channels.  Fraud is more likely to migrate to those channels where fraud detection and prevention measures are less developed.

Mitigation of Operational Risk

Financial institutions should adopt measures that limit operational risks arising from the processing, clearing, and settlement of retail payments.  Financial institutions and technology service providers participating in clearing and settlement arrangements for retail payments should ensure operational reliability for timely completion of daily processing through adequate information systems, internal controls, backup facilities, reliable technology, and adequate staff training and support.  Furthermore, these organizations should adopt business continuity plans to minimize and manage the effects of interruptions.  Risk analysis should identify confidential assets, critical operations, and potential threats.  It should also define safeguards and countermeasures to provide appropriate protection.

Risk from fraud or error from customers that generate high volumes of RDCs, electronically created payment orders, or RCCs can be managed more effectively with the use of activity and fraud monitoring tools for those customers.  Financial institutions that originate large volumes of ACH transactions directly or through third-party service providers should also consider these tools as part of their due diligence.  Fraud databases and fraud analysis tools can assist financial institutions in detecting and controlling potential fraud risk.  Some bankcard associations and Internet banking applications use neural network technologies or behavioral fraud analysis.  These technologies utilize specialized software and hardware designed to identify patterns of behavior that enable financial institutions to identify suspicious transactions or spending.  The bankcard companies have also developed numerous fraud detection and avoidance systems that member financial institutions can use to reduce losses as a result of fraudulent bankcard use.  The growth of e-commerce has led many financial institutions and service providers to develop additional databases that provide early identification of potential fraud.

Identifying, evaluating, and addressing potential legal and compliance risks associated with new payment systems providers can also help mitigate operational risk.  For example, a thorough legal review process can ensure that there are clearly defined roles and responsibilities for the financial institution, its service providers, and its customers.    Financial institutions should also comply with the regulations and consumer compliance mandates that apply to retail payment services (e.g., Regulation E).

Financial institutions also should have appropriate risk control functions such as audit, information security, vendor management, and business continuity, as discussed in the following sections.


Previous Section
Legal (Compliance) Risk
Next Section