Tier I Examination Objectives and Procedures
EXAMINATION OBJECTIVE: Examiners should use the Wholesale Payment Systems Examination Procedures to determine the adequacy of the financial institution's payment system risk policies and wholesale payment business processes, including personnel and internal control systems used to mitigate the risks associated with wholesale payment systems. Wholesale payment system services include Fedwire Funds Service funds transfer and book-entry securities; CHIPS; SWIFT; payment messaging systems; net settlement, clearing and settlement systems; internally developed and off-the-shelf funds transfer systems; and web-based payment systems. The examiner's assessment of risk and risk management practices relating to a financial institution's wholesale payment system service should help determine the extent of testing and which procedures to perform. The assessment should consider the effectiveness of formal policies and procedures as well as the financial institution's underlying internal control environment including information security, business continuity and disaster recovery, and management of wholesale payment services outsourced to third parties.
Financial institutions are exposed to numerous credit, liquidity, reputation, legal, and operational risks in provisioning wholesale payment system services to counter parties and performing related processing, clearance, and settlement functions in-house and with third parties. Depending on the financial risks, IT related operational (transactional) risks, compliance risks, and complexity of wholesale payment system activity, the examination may require an integrated team approach that includes the knowledge and skills of safety and soundness examiners and IT examiners.
Examiners may incorporate the Examination Procedures as part of either an IT or safety and soundness examination. The Examination Procedures can also be used in their entirety, or can be used in modular fashion, focusing on particular wholesale payment system products or business lines. Depending on the size and complexity of the financial institution or service provider, examiners may tailor the use of the examination procedures. In many cases, they can eliminate certain procedures and still arrive at a conclusion regarding the quality of risk management practices and performance. The examination procedures are structured as follows:
- Tier I objectives and procedures, which evaluate the effectiveness of the financial institution and service provider's wholesale payment systems, internal controls, and risk management processes that may be relied on for the purpose of identifying and managing risks.
- Tier II objectives and procedures, which provide additional validation as warranted by the risks to verify the effectiveness of the financial institution and service provider's wholesale payment systems function.
Objective 1: Determine the scope and objectives of the examination of the wholesale payment systems function.
1. Review past reports for comments relating to wholesale payment systems. Consider:
- Regulatory reports of examination.
- Internal and external audit reports.
- Regulatory, audit, and information security reports from/on service providers.
- Trade group, card association, interchange, and clearing house documentation relating to services provided by the financial institution.
- Supervisory strategy documents, including risk assessments.
- Examination work papers.
2. Review past reports for comments relating to the institution's internal control environment and technical infrastructure. Consider:
- Internal controls including logical access controls, data center operations, and physical security controls.
- Wholesale EFT network controls.
- Inventory of computer hardware, software, and telecommunications protocols used to support wholesale EFT transaction processing.
3. During discussions with financial institution and service provider management:
- Obtain a thorough description of the wholesale payment system activities performed, including transaction volumes, transaction dollar amounts, and scope of operations, including Fedwire Funds Service, CHIPS, SWIFT, and all wholesale payment messaging systems in use.
- Review the financial institution's payment system risk policy and evaluate its compliance with net debit caps and other internally generated self-assessment factors.
- Identify any wholesale payment system functions performed via outsourcing relationships and determine the financial institution's level of reliance on those services.
- Identify any significant changes in wholesale payment system policies, personnel, products, and services since the last examination.
4. Review the financial institution's response to any wholesale payment systems issues raised at the last examination. Consider:
- Adequacy and timing of corrective action.
- Resolution of root causes rather than specific issues.
- Existence of outstanding issues.
Objective 2: Determine the quality of oversight and support provided by the board of directors and management.
1. Determine the quality and effectiveness of the financial institution's wholesale payment systems management function. Consider:
- Data center and network controls over backbone networks and connectivity to counter parties.
- Departmental controls, including separation of duties and dual control procedures, for funds transfer, clearance, and settlement activities.
- Compliance with the Federal Reserve's Payment System Risk policies and procedures.
- Physical and logical security controls designed to ensure the authenticity, integrity, and confidentiality of wholesale payments transactions.
2. Assess management's ability to manage outsourcing relationships with service providers and software vendors contracted to provide wholesale payment system services. Evaluate the adequacy of terms and conditions, and whether they ensure each party's liabilities and responsibilities are clearly defined. Consider:
- Adequacy of contract provisions including service level and performance agreements.
- Compliance with applicable financial institution and third party (e.g., Federal Reserve, CHIPS, SWIFT) requirements.
- Adequacy of contract provisions for personnel, equipment, and related services.
3. Evaluate the adequacy and effectiveness of financial institution and service provider contingency and business recovery plans. Consider:
- Ability to recover transaction data and supporting books and records based on wholesale payment system business line requirements.
- Ability to return to normal operations once the contingency condition is over.
- Confidentiality and integrity of interbank and counter party data in transit and storage.
4. Evaluate wholesale payment system business line staff. Consider:
- Adequacy of staff resources.
- Hiring practices.
- Effective policies and procedures outlining department duties.
- Adequacy of accounting and financial controls over wholesale payment processing, clearance, and settlement activity.
5. Review the disaster recovery plan for the funds transfer system (FTS) to ensure it is reasonable in relation to the volume of activity, all units of the FTS are provided for in the plan, and the plan is regularly tested.
Objective 3: Determine the quality of risk management and support for Payment System Risk policy compliance.
1. Review policies and procedures in place to monitor customer balances for outgoing payments to ensure that payments are made against collected funds or established intraday or overnight overdraft limits, and that payments resulting in excesses of established uncollected or overdraft limits are properly authorized.
2. Review a sample of contracts authorizing the institution to make payments from customers' accounts to ensure they adequately set forth responsibilities of the institution and the customer, primarily regarding provisions of the Uniform Commercial Code Article 4A (UCC4A) related to authenticity and timing of transfer requests.
Objective 4: Determine the quality of risk management and support for internal audit and the effectiveness of the internal audit program for wholesale payment systems.
1. Review the audit program to ensure all functions of the FTS are covered. Consider:
- Payment order origination (funds transfer requests).
- Message testing.
- Customer agreements.
- Payment processing and accounting.
- Personnel policies.
- Physical and data security.
- Contingency plans.
- Credit evaluation and approval.
- Incoming funds transfers.
- Federal Reserve's Payment Systems Risk Policy.
2. Review a sufficient sample of supporting audit work papers necessary to confirm that they support the execution of procedures established in step 1 above.
3. Review all audit reports related to the FTS and determine the current status of any exceptions noted in the audit report.
1. Determine the need to proceed to Tier II procedures for additional validation to support conclusions related to any of the Tier I objectives.
2. From the procedures performed, including any Tier II procedures performed:
- Document conclusions related to the quality and effectiveness of the retail payment systems function.
- Determine and document to what extent, if any, the examiner may rely upon wholesale payment systems procedures performed by internal or external audit.
3. Review your preliminary conclusions with the EIC regarding:
- Violations of law, rulings, regulations, and third party agreements.
- Significant issues warranting inclusion as matters requiring board attention or recommendations in the report of examination.
- Potential impact of your conclusions on URSIT composite and component ratings.
4. Document your conclusions in a memo to the EIC that provides report ready comments for all relevant sections of the FFIEC Report of Examination and guidance to future examiners.
5. Organize work papers to ensure clear support for significant findings and conclusions.