Internal and Operational Controls
Management should consider implementing a variety of specific measures to mitigate or limit operational risks, such as authentication and encryption techniques to ensure the authenticity of the payer and payee and to prevent unauthorized access to information in transit, and edit checks and automated balancing to verify the integrity of the information relative to the payment order and funds transfer transaction. Additional controls include the use of certified tamper-resistant equipment, logical access controls to verify transactions, verification of account balances, and the logging of all transactions and of all attempts to make a transaction.
Additional internal control measures that management should employ to mitigate wholesale payment system risk include:
- Dual custody and separation of duties for critical payment transaction processing and accounting tasks;
- Payment data verification;
- Clear error processing and problem resolution procedures; and
- Confidential and tamper-resistant mailing procedures for bankcards and other sensitive material.
The operational controls for funds transfer operations require clearly defined procedures establishing a control environment which provides for the authorization and authentication of transactions. Financial institutions should establish effective operational controls that identify and document:
- The original payment instructions from the corporate or individual customer to the financial institution and other pertinent information (e.g., account officer, branch manager, terminal entry identity, automated interface identification);
- Every transfer point of data for each step of the manual process (e.g., account officer, message receipt, authentication, data entry, and payment release); and
- Every transfer point of data for each step of an automated process (e.g., SWIFT and Telex, message preparation, data entry, and payment release).
Basic internal controls should be in effect to maintain overall integrity for any funds transfer operation. However, depending on the complexity and volume of operations, certain steps may not be applicable for some institutions. Recommended control objectives for a wholesale funds transfer system include:
- Verifying the accuracy and completeness of the outgoing instruction;
- Protecting original instructions from loss or alteration;
- Authenticating the identity and authority of the sender;
- Ensuring collected balances are available and held for the outgoing payments;
- Ensuring the original unaltered outgoing instruction is entered into the internal accounting system;
- Maintaining a physically secure environment; and
- Maintaining appropriate separation of duties for employees involved in the payment process.
Financial institutions should have funds transfer policies and procedures addressing both the processing of funds transfer messages and the related standards for creating and maintaining source documents. Policies and procedures should include documentation describing all interfaces between the funds transfer application and other back-office and customer-related banking processes, and should address the controls relating to crediting, debiting, and reconciling customer and institution account balances. Policies and procedures should also document institution-specific compliance requirements that address federal and state regulations, including OFAC verification procedures.
Operational (Transaction) Risk