Tier II Examination Objectives and Procedures
Overall Objective: The Tier II examination procedures for Wholesale Payment Systems provide for additional verification procedures to evaluate the effectiveness of the financial institution's internal control processes over its wholesale payment systems, including Fedwire Funds Service funds transfer and book entry securities, CHIPS, SWIFT, payment messaging systems, net settlement, clearing and settlement systems, internally developed and off-the-shelf funds transfer systems, and web-based payment systems. These procedures are designed to assist in achieving examination objectives, and may be used in their entirety or selectively. Examiners should coordinate this coverage with other examiners involved in assessing the institution's information systems, operations, and information security effectiveness to ensure there is an adequate understanding of the control environment as it pertains to the bank's wholesale payment systems.
Objective 1: Determine if management and the board have enacted sufficient controls over funds transfer activity.
1. Determine if management and the board provide administrative direction for the funds transfer function. Ascertain whether:
- The directors and senior management are informed regarding the nature and magnitude of risks with the institution's funds transfer activities.
- Management is informed of new systems designs and available hardware for the wire transfer system.
- The board of directors and/or senior management regularly review and approve funds transfer limits and, if so, when the limits were last reviewed.
- Senior management and the board monitor customers with large intraday or overnight overdrafts and analyze the overdrafts along with all other credit exposure to the customer.
2. Determine if the board and management have developed sufficient policies and procedures to ensure that the following are reviewed:
- Transaction volumes.
- Adequacy of personnel and equipment.
- Customer creditworthiness.
- Funds transfer risk.
3. Determine if the board and senior management develop and support adequate user access procedures and controls for funds transfer requests. Assess whether the institution:
- Maintains a current list of employees approved to initiate funds transfer requests.
- Has developed and approved an organization plan that shows the structure of the funds management department and limits the number of employees who can initiate or authorize transfer requests.
- Has a list of authorized employee signatures maintained in a secure environment.
- Regularly reviews staff compliance with credit and personnel procedures, operating instructions, and internal controls.
- Requires that senior management receive and review activity and quality control reports that disclose unusual or unauthorized activities and access attempts.
4. Determine if management maintains authorization lists from its customers that use the funds transfer system. Verify:
- Management advises customers to limit the number of authorized signers.
- There are dual controls or other protections over customer signature records.
- The authorization list also identifies authorized sources of requests (e.g., telephone, fax, memo, etc.).
- The customer authorization establishes limits over the amount each signer is authorized to transfer.
5. Determine if the institution has dual control procedures that prohibit persons who receive transfer requests from transmitting or accounting for those requests.
Objective 2: Determine the adequacy of the internal and external audit reviews of the funds transfer area.
1. Review the internal and external audit function to determine if the scope and frequency of audit review for the funds transfer area is adequate. Review:
- Whether internal auditors have expertise or training in funds transfer operations and controls.
- The frequency and scope of internal and external audit reviews of the funds transfer function.
- Whether the internal and external audits provide substantive testing or quantitative measurements of the following areas:
- Personnel policies.
- Operating policies (including segregation of duty and dual controls).
- Customer agreements.
- Contingency plans.
- Physical security.
- Logical security (user access, authentication, etc.).
- Sample tests for message and recordkeeping accuracy.
- Balance verification and overdraft approval.
2. Obtain and review internal and external audit reports to ensure they provide an adequate appraisal of the funds transfer function to management.
3. Review management's response to audit reports to ensure the institution takes prompt and appropriate corrective action. Ensure there is adequate tracking and resolution of outstanding exceptions.
Objective 3: Determine if there are adequate written documents outlining the funds transfer operating procedures.
1. Obtain the institution's written procedures for employees in the incoming, preparation, data entry, balance verification, transmission, accounting, reconciling and security functions of the funds transfer area. Determine if management reviews and approves the procedures periodically. Determine if the procedures address:
- Control over test words, signature lists, and opening and closing messages.
- Origination of funds transfer transactions and the modification and deletion of payment orders or messages.
- Review of rejected payment orders or messages.
- Verification of sequence numbers.
- End of day accounting for all transfer requests and message traffic.
- Controls over message or payment orders received too late to process in the same day.
- Controls over payment orders with future value dates.
- Supervisory review of all adjustments, reversals, reasons for reversals and open items.
Objective 4: Determine the adequacy of institution controls over funds transfer requests.
1. Determine if institution personnel use standard, sequentially numbered forms to initiate funds transfer requests.
2. Determine if the institution has an approved request authentication system.
3. Determine if the institution has adequate security procedures for requests received from customers via telex, on-line terminals, telephone, fax, or written instructions. Determine if management:
- Developed policies and procedures to verify the authenticity of requests (e.g., call backs, customer authentication, signature verification).
- Maintains a current record of authorized signers for customer accounts.
4. Determine if the institution records incoming and outgoing telephone transfer requests. Also determine if the institution notifies the customer that calls are recorded (e.g., through written contracts, audible signals).
5. Determine if the institution maintains sequence control internally for requests processed by the funds transfer function.
- Review a sample of incoming and outgoing messages to determine if they are time stamped or sequentially numbered for control. If not, determine if the institution maintains an unbroken copy of all messages received via telex or other terminal printers during a business day.
- Determine if the sequence records and unbroken copies are reviewed and controlled by an employee independent of the equipment operations.
6. Ascertain whether the financial institution records transfer requests in a log or another bank record prior to execution.
- Review the logs to determine if supervisory personnel review the record of transfer requests daily.
- Select a sample of the transfer request log entries and compare them to funds transfer requests for accuracy.
7. Determine if the institution has guidelines for the information to be obtained from a customer making a funds transfer request. The request should contain:
- The account name and number.
- A sequence number.
- The amount to be transferred.
- The person or source initiating the request.
- The time and date.
- Authentication of the source of the request.
- Instructions for payment.
- Bank personnel authorization for large dollar amounts.
Objective 5: Determine if there are adequate controls over the institution's use of test keys for authentication.
1. Determine if all message and transfer requests that require testing are authenticated with a test key. If so, determine whether:
- The institution maintains an up-to-date test key file.
- An agreement between the bank and the customer stipulates that test key formulas incorporate a variable (e.g., sequence number).
- There is a procedure in place for an employee (independent of testing the authenticity of transfer requests) to issue and cancel test keys.
- Test codes are verified by an employee who does not receive the initial transfer request.
2. Obtain and review management's test key user access list to determine if:
- There are dual controls or other protections over files containing test key formulas.
- Only authorized personnel have access to the test key area or to terminals used for test key purposes.
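The following is an added example and not part of the examination procedures. It shows the property the customer agreement in item 1 is meant to guarantee: the test key must depend on a variable (here the sequence number) so that a captured request cannot be replayed, and it must be verified by someone other than the person who received the request. Classic test keys were computed from printed tables; this illustration replaces the table with an HMAC over the payment order's fields keyed with a per-customer shared secret. The customer identifier, the secret, the field names and the `TestKeyVerifier` class are all hypothetical.

```python
"""Illustrative test-key authentication for funds transfer requests.

Added example (not from the FFIEC booklet). The "test key formula" is an HMAC
keyed with a per-customer secret; the sequence number is the variable that
defeats replay. All names and data below are constructed for illustration.
"""
import hmac
import hashlib
from typing import Dict, Tuple

# Constructed per-customer test key file: customer id -> shared secret.
# In practice this file is kept under dual control (Objective 5, item 2).
TEST_KEY_FILE: Dict[str, bytes] = {
    "CUST-1001": b"example-shared-secret-do-not-reuse",
}

def canonical(order: dict) -> bytes:
    """Serialize the order fields in a fixed sequence so that sender and
    verifier compute the test key over identical bytes."""
    fields = ("customer", "sequence", "value_date", "amount", "beneficiary")
    return "|".join(str(order[f]) for f in fields).encode()

def compute_test_key(secret: bytes, order: dict) -> str:
    """Sender side: derive the test key from the secret and the order."""
    return hmac.new(secret, canonical(order), hashlib.sha256).hexdigest()[:16]

class TestKeyVerifier:
    """Receiver side, run by an employee who did not receive the request.
    Tracks the highest sequence number accepted per customer so that a
    replayed or out-of-order request is refused even if its key is valid."""

    def __init__(self, key_file: Dict[str, bytes]) -> None:
        self.key_file = key_file
        self.last_sequence: Dict[str, int] = {}

    def verify(self, order: dict, presented_key: str) -> Tuple[bool, str]:
        secret = self.key_file.get(order["customer"])
        if secret is None:
            return False, "no test key on file for customer"
        expected = compute_test_key(secret, order)
        # Constant-time comparison: a mismatch reveals nothing about where it differs.
        if not hmac.compare_digest(expected, presented_key):
            return False, "test key mismatch"
        seq = int(order["sequence"])
        if seq <= self.last_sequence.get(order["customer"], 0):
            return False, "sequence number reused or out of order"
        self.last_sequence[order["customer"]] = seq
        return True, "authenticated"

if __name__ == "__main__":
    # Constructed payment order.
    order = {"customer": "CUST-1001", "sequence": 101, "value_date": "2024-03-01",
             "amount": "250000.00", "beneficiary": "ACME Corp / 12345678"}
    key = compute_test_key(TEST_KEY_FILE["CUST-1001"], order)
    verifier = TestKeyVerifier(TEST_KEY_FILE)
    print(verifier.verify(order, key))                       # accepted
    print(verifier.verify(order, key))                       # replay: same sequence
    tampered = dict(order, amount="9999999.00")
    print(verifier.verify(tampered, key))                    # amount altered in transit
```

The second call in the usage block fails on the sequence check although the key is still valid, which is the behaviour item 1b asks the agreement to require; the third fails on the key itself because the amount is covered by the formula. A real deployment would also bind the value date window and persist `last_sequence` outside the process.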
Objective 6: Determine if agreements concerning funds transfer activities with customers, correspondent banks, and service providers are adequate and clearly define rights and responsibilities.
1. Obtain any material agreements or contracts concerning funds transfer services between the financial institution and correspondent banks, service providers and operators (e.g., Federal Reserve Bank and CHIPS). Review the agreements to determine if they:
- Establish responsibilities and accountability among all parties.
- Establish recovery time objectives in the event of failure.
- Outline the other party's liability for actions of its employees.
2. Obtain a sample of customer agreements regarding funds transfer activity and review it for compliance with applicable sections of the Uniform Commercial Code. Consider if:
- Agreements adequately describe security procedures as defined by UCC Article 4A Sections 201 and 202.
- The bank obtains written waivers from its customers if they choose security procedures that are different from what is offered by the bank, as indicated in UCC Article 4A Section 202(c).
- Agreements with customers establish cut-off times for receipt and processing of payment orders and canceling or amending payment orders as noted in UCC Article 4A Section 106.
Objective 7: Review the institution's payment processing and accounting controls to determine the integrity of funds transfer data and the adequacy of the separation of duties.
1. Review the institution's reconcilement policies and procedures as they relate to the funds transfer department. Determine if:
- The funds transfer department prepares a daily reconcilement of funds transfer activity (incoming and outgoing) by dollar amount and number of messages.
- The funds transfer department performs end-of-day reconcilements for messages sent to and received from intermediaries (e.g., Federal Reserve Bank, servicers, correspondents, and clearing facilities).
- The daily reconcilements account for all pre-numbered forms, including cancellations.
- Supervisory personnel review the reconcilements of funds transfer and message requests on a daily basis.
- The staff responsible for balancing and reconciling daily activity is independent of the receiving, processing, and sending functions.
- The funds transfer department verifies that work sent to and received from other institution departments agree with its totals.
- Whether the institution accepts transfer requests after the close of business or with a future value date and, if so, whether there are appropriate processing controls.
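As an added illustration (not part of the examination procedures) of the daily reconcilement described in item 1 above and of the sequence control in Objective 4, item 5, the script below reconciles a department log against an intermediary statement by reference number, message count and dollar amount, and reports gaps in the internal sequence numbers. The log entries, statement entries and field names are constructed for the example; an institution's actual record layouts will differ.

```python
"""Daily funds transfer reconcilement with sequence-gap detection.

Added example (not from the FFIEC booklet). Compares the funds transfer
department's own log with the statement received from an intermediary
(e.g., a Federal Reserve account statement) and lists every exception an
independent reconciler would have to clear. All data is constructed.
"""
from decimal import Decimal
from typing import Dict, List

# Constructed department log for one business day (seq 1003 is missing).
DEPT_LOG = [
    {"seq": 1001, "ref": "A", "direction": "OUT", "amount": Decimal("250000.00")},
    {"seq": 1002, "ref": "B", "direction": "IN",  "amount": Decimal("75000.50")},
    {"seq": 1004, "ref": "C", "direction": "OUT", "amount": Decimal("1000000.00")},
    {"seq": 1005, "ref": "D", "direction": "OUT", "amount": Decimal("5000.00")},
]

# Constructed intermediary statement for the same day.
STATEMENT = [
    {"ref": "A", "direction": "OUT", "amount": Decimal("250000.00")},
    {"ref": "B", "direction": "IN",  "amount": Decimal("75000.50")},
    {"ref": "C", "direction": "OUT", "amount": Decimal("100000.00")},  # amount differs from the log
    {"ref": "E", "direction": "IN",  "amount": Decimal("42000.00")},   # not in the department log
]

def sequence_gaps(seqs: List[int]) -> List[int]:
    """Sequence numbers absent between the lowest and highest number seen."""
    present = set(seqs)
    return [n for n in range(min(seqs), max(seqs) + 1) if n not in present]

def totals(entries: List[dict]) -> Dict[str, dict]:
    """Message count and dollar total per direction."""
    out = {"IN": {"count": 0, "amount": Decimal("0")},
           "OUT": {"count": 0, "amount": Decimal("0")}}
    for e in entries:
        out[e["direction"]]["count"] += 1
        out[e["direction"]]["amount"] += e["amount"]
    return out

def reconcile(log: List[dict], statement: List[dict]) -> dict:
    """Match by reference number; anything unmatched or differing is an open item."""
    by_ref_log = {e["ref"]: e for e in log}
    by_ref_stmt = {e["ref"]: e for e in statement}
    unmatched_log = sorted(set(by_ref_log) - set(by_ref_stmt))
    unmatched_stmt = sorted(set(by_ref_stmt) - set(by_ref_log))
    differences = []
    for ref in sorted(set(by_ref_log) & set(by_ref_stmt)):
        a, b = by_ref_log[ref], by_ref_stmt[ref]
        if a["amount"] != b["amount"] or a["direction"] != b["direction"]:
            differences.append((ref, a["amount"], b["amount"]))
    gaps = sequence_gaps([e["seq"] for e in log])
    result = {
        "sequence_gaps": gaps,
        "log_totals": totals(log),
        "statement_totals": totals(statement),
        "unmatched_log": unmatched_log,            # sent/received but not on statement
        "unmatched_statement": unmatched_stmt,     # on statement but never logged
        "amount_differences": differences,
    }
    result["balanced"] = not (gaps or unmatched_log or unmatched_stmt or differences)
    return result

if __name__ == "__main__":
    for k, v in reconcile(DEPT_LOG, STATEMENT).items():
        print(f"{k}: {v}")
```

Each non-empty exception list is an open item that, per item 3 below, should be tracked and aged outside the funds transfer operation; the missing sequence number 1003 is the case the unbroken-copy review in Objective 4 is meant to catch. Matching on reference number alone assumes references are unique within the day, which the reconciler should confirm.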
2. Determine if the institution's daily processing policies and procedures are adequate to ensure data integrity and independent review of funds transfer activity. Determine if:
- Supervisory personnel and the originator initial all general ledger tickets or other supporting documents.
- The institution reviews all transfer requests to determine that they have been properly processed.
- Independent wire transfer personnel verify key fields before transmission.
- Staff members independent of entering the messages release funds transfer messages.
- Employees not involved in the receipt, preparation, or transmittal of funds review all reject and/or exception reports.
3. Determine if there is adequate oversight of the funds transfer department. Ensure:
- An independent institution department (e.g., accounting or correspondent banking) reviews and reconciles the Federal Reserve Bank, correspondent bank, and clearing house statements used for funds transfer activities to determine if:
- They agree with the funds transfer department's records.
- They identify and resolve any open funds transfer items.
- Open statement items, suspense accounts, receivables/payables, and inter-office accounts related to funds transfer activity are controlled outside of the funds transfer operations.
- Management receives periodic reports on open statement items, suspense accounts, and inter-office accounts that include:
- Aging of open items.
- The status of significant items.
- Resolution of prior significant items.
- An officer reviews and approves corrections, overrides, open items, reversals, and other adjustments.
4. Determine if the institution has documented any operational or credit losses that it has incurred, the reason the losses occurred, and actions taken by management to prevent future loss occurrences.
5. Determine if the institution maintains adequate records as required by the Currency and Foreign Transactions Reporting Act of 1970 (also known as the Bank Secrecy Act) and the USA PATRIOT Act.
Objective 8: Determine the adequacy of the institution's personnel policies governing the funds transfer function.
1. Obtain and review the institution's personnel policies to assess the procedures and controls over hiring new employees. Determine if:
- The bank conducts screening and background checks on personnel hired for sensitive positions in the funds transfer department.
- The bank prohibits new employees from working in sensitive areas of the funds transfer operation without close supervision.
- The institution limits or excludes temporary employees from working in sensitive areas without close supervision.
2. Assess management's personnel policies regarding current employees in the funds transfer department. Determine if:
- Management obtains statements of indebtedness of employees in sensitive positions of the funds transfer function.
- Employees are subject to unannounced rotation of responsibilities.
- Relatives of employees in the funds transfer function are precluded from working in the institution's bookkeeping, audit, data processing, and/or funds transfer departments.
- The institution enforces a policy that requires employees to take a minimum number of consecutive days as part of their annual vacation.
- There are policies and procedures to reassign departing employees from sensitive areas of the funds transfer function and to remove user access profiles of terminated employees as soon as possible.
Objective 9: Determine if the institution has enacted sufficient physical and logical security to protect the data security of the funds transfer department.
1. Obtain, review, and test the policies and procedures regarding the physical security of the funds transfer department. Determine if:
- Management restricts access to the funds transfer area to authorized personnel. Identify and assess the physical controls (e.g., locked doors, sign-in sheets, terminal locks, software locks, security guards) that prevent unauthorized physical access.
- There is an up-to-date funds transfer area visitors log and whether visitors are required to sign in and be accompanied while in restricted areas.
- There are adequate controls over the physical keys used to access key areas and key equipment within the funds transfer department.
2. Obtain and review policies and procedures regarding wire transfer password controls to determine if they are adequate. Consider whether:
- Management requires operators to change their passwords at reasonable intervals.
- Management controls access to master password files ensuring that no one has access to employee passwords.
- Passwords are suppressed on all terminal displays.
- Policy requires that passwords meet certain strength criteria so they are not easily guessed.
- Management maintains required generic system account passwords under dual control.
- Terminated or transferred employees' access is removed as soon as possible.
- Access levels, and who holds passwords, are periodically reviewed for appropriateness.
3. Review funds transfer system user access profiles to ensure that:
- User access levels correspond to job description.
- Management appropriately limits user access to the funds transfer system and periodically reviews the access limits for accuracy.
- There is adequate separation of duties and access control between funds transfer personnel and other computer areas or programs.
4. Review the institution's access controls to determine if terminals in the funds transfer area are shut down or locked out when not in use or after business hours. Determine:
- The adequacy of time out controls.
- The adequacy of time of day controls.
- Whether supervisory approval is required for access during non-work hours.
5. Determine if the institution's training program adequately protects the integrity of funds transfer data. Ensure:
- The institution conducts training in a test environment that does not jeopardize the integrity of live data or memo files.
- There are adequate controls to protect the confidentiality of data housed in the test environment.
- There are procedures and controls to prevent the inadvertent release of test data into the production environment, thus transferring live funds over the system.
Objective 10: Review the adequacy of backup, contingency, and business continuity plans for the funds transfer function.
1. Obtain the institution's written contingency and business continuity plans for partial or complete failure of the systems and/or communication lines between the bank and correspondent bank, service provider, CHIPS, Federal Reserve Bank, and data centers. Consider if:
- The procedures, at a minimum, ensure recovery by the opening of the next day's processing depending on the criticality of this function to the institution.
- The contingency plans are reviewed and tested regularly.
- Management has distributed these plans to all funds transfer personnel.
- There are procedures to secure sensitive information and equipment before evacuation (if time permits) and security personnel adequately restrict further access to the affected areas.
- The plan includes procedures for returning to normal operations after a contingency.
2. Review the institution's policies and procedures regarding back-up systems. Assess whether:
- The institution maintains adequate back-up procedures and supplies for events such as equipment failures and line malfunctions.
- Supervisory personnel approve the acquisition and use of back-up equipment.
Objective 11: Determine if the institution adequately monitors intraday and overnight overdrafts. Ensure that management applies appropriate credit standards to customers that incur overdrafts.
1. Determine if management has developed procedures to approve customer use of daylight or overnight overdrafts including assigning appropriate approval authority to officers. Obtain and review a list of officers authorized to approve overdrafts and their approval authority, a current list of borrowers authorized to incur daylight and overnight overdrafts, and a sample of overdraft activity. Determine if:
- Management has established limits for each customer allowed to incur intraday and overnight overdrafts.
- The institution has assigned overdraft approval authority to officers with appropriate credit authority. Ensure that:
- Payments that exceed the established limits are referred to an officer with appropriate credit authority for review and approval before release.
- Payments made in anticipation of the receipt of covering funds are approved by an officer with appropriate authority.
- Management assesses all of a customer's credit facilities and affiliated relationships in determining overdraft limits.
- The institution routinely reviews and updates the institution and customer limits as well as officer approval authority.
2. Review the institution's policies and procedures regarding overdrafts to ensure they prohibit transfers of funds against accounts that do not have collected balances or preauthorized credit availability. Determine if:
- Supervisory personnel monitor funds transfer activities during the business day to ensure that payments in excess of approved limits are not executed without proper approval.
- An intraday record is kept for each customer showing opening collected and uncollected balances, transfers in and out, and whether the collected balances are sufficient at the time payments are released.
- The cause of any violations of overnight overdraft limits is identified and documented.
- Intraday exposures are limited to amounts expected to be received the same day.
- Adequate follow-up is made to obtain the covering funds in a timely manner.
3. If required as a participant of a net settlement system, determine whether management sets and approves bilateral credit limits based on a formal credit analysis.
4. If the institution is an Edge Act Corporation, determine whether intraday and overnight overdrafts comply with Regulation K.
Objective 12: Review and determine the adequacy of the institution's controls over incoming funds transfers.
1. Review policies and procedures regarding incoming funds transfers. Select a sample of incoming funds transfers and review them to determine if:
- The institution maintains separation of duties over receipt of instructions, posting to a customer's account, and mailing customer credit advices.
- OFAC verification is performed.
- There are adequate audit trails maintained from receipt through posting the transfer to a customer's account.
- Procedures ensure accuracy of accounting throughout the process.
- Customer advices are issued in a timely manner.
- Any funds transfer requests received via telex, telephone or fax are authenticated prior to processing.
Objective 13: Determine if the institution complies with the Federal Reserve Policy Statement on Payments System Risk.
1. Determine if the institution incurs overdrafts in its Federal Reserve account. If so, consider if:
- The institution has reviewed and complied with the Payment System Risk program (i.e., the institution selected an appropriate net debit cap).
- Whether the institution has elected a de minimis or self-assessed net debit cap; if so, evaluate the adequacy of the records supporting the accuracy of the de minimis or self-assessed rating.
Objective 14: Review the institution's policies and procedures regarding the release of payment orders to assess the adequacy of controls.
1. Determine whether all incoming and outgoing payment orders and messages are received in the funds transfer area.
2. Obtain a sample of payment orders. Determine if the payment orders are:
- Logged as they enter the funds transfer department.
- Time stamped or sequentially numbered for control.
- Reviewed for signature authenticity.
- Reviewed for test verification, if applicable.
- Reviewed to determine whether personnel who initiated each funds transfer have the authority to do so.
3. Determine if current lists of authorized signatures are maintained in the wire transfer area. Ensure the lists indicate the amount of funds that individuals are authorized to release.
4. Assess whether there are adequate dual controls over the review of payment orders and message requests. Determine whether an independent employee reviews the requests for the propriety of the transaction and for future dates, especially on multiple transaction requests.
Objective 15: Coordinate the review of wholesale payment systems with examiners in charge of reviewing other information technology risks.
1. In discussion with other examiners, ensure that management applies corporate-wide information technology policies and procedures (e.g., development and acquisition, operational security, environmental controls) to the funds transfer department. If any discrepancies exist, determine their severity and document any corrective actions.