FFIEC part 2 Flashcards

1
Q

What are the major topics that the manuals and/or booklets of the FFIEC cover?

A

Retail Payments Systems

Bank Secrecy Act/Anti-Money Laundering Examination Manual

Information Security

Mobile Financial Services

Authentication and Access to Financial Institution Services and Systems

Supervisory Guidance for Remote Deposit Capture

Business Continuity Management

Interagency Guidance: Third Party Relationships

2
Q

What does FFIEC stand for?

A

Federal Financial Institutions Examination Council

3
Q

What does the FFIEC do?

A

Prescribes uniform principles, standards, and report forms for the federal examination of financial institutions by the financial regulators.

Makes recommendations to promote uniformity.

The FFIEC is not itself a regulation.

4
Q

What are the different governing bodies that the FFIEC provides uniform principles and standards for?

A

Board of Governors of the Federal Reserve System (FRB)

Federal Deposit Insurance Corporation (FDIC)

National Credit Union Administration (NCUA)

Office of the Comptroller of the Currency (OCC)

State Liaison Committee (SLC)

Consumer Financial Protection Bureau (CFPB)

5
Q

How does the FFIEC make recommendations to promote uniformity in the supervision of financial institutions?

A

It does so through guidance designed to:

  • Guide bank examiners during the examination process; and
  • Assist financial institutions to:
    • Identify risks, and
    • Evaluate the adequacy of controls and risk management practices

6
Q

What does the Retail Payment Systems - IT Examination Handbook provide?

A

Guidance for identifying and controlling risks related to retail payment systems and other related banking activities.

7
Q

What are the 6 risks identified by the FFIEC Retail Payment Systems handbook?

A

Mnemonic: SCROLL

Strategic Risk
Credit Risk
Reputation Risk
Operational Risk
Legal/Compliance Risk
Liquidity Risk

8
Q

Summarize the different topics covered in the Retail Payment Systems IT Examination Book.

A

Know the FFIEC Guidance

Know Your Customer (KYC)

Establish appropriate risk-based guidelines for customer/vendor selection

Have strong agreements

Know and anticipate the risks with RDC

  • Legal/compliance risks
  • Reputational risks
  • Operational risks

Measure/monitor/review reports

Include senior management in reporting

Understand types of risk in retail payments and how to manage and monitor each

9
Q

What does the FFIEC warn regarding third parties?

A

They introduce new risks.

10
Q

What services do retail payment systems provide?

A

Checks and share draft item processing

Bankcards

Payment cards

ACH

EFT/POS networks

Electronic bill payment

Person-to-person (P2P) and account-to-account (A2A) payment systems

Many others as technology advances…

11
Q

What should the Examination Scope be based on?

A

The risk profile of the financial institution or the technology service provider.

12
Q

What determines the risk profile?

A

An assessment of the entity’s risk environment and the quality of its risk management practices.

13
Q

What is the underlying Tier I Objective?

A

To evaluate the effectiveness of the internal controls and risk management processes implemented by the financial institution or service provider.

14
Q

What is the underlying Tier II Objective?

A

To expand the scope of the examination further if the risk profile or complexity of the organization requires additional information.

15
Q

List all of Tier I objectives

A

1 Assess the LEVEL of risk in the retail payment systems function.

2 ESTABLISH the SCOPE and OBJECTIVES of the examination of the retail payment systems functions.

3 Assess the QUALITY OF OVERSIGHT and support provided by the board of directors and management.

4 Assess the QUALITY OF POLICIES, procedures and limits supporting retail payment services.

5 Assess the QUALITY OF MANAGEMENT INFORMATION SYSTEMS and reports used to manage retail payment services.

6 Assess the QUALITY OF RISK MANAGEMENT and support for BANKCARD ISSUANCE and acquiring (merchant processing activity).

7 Assess the QUALITY OF RISK MANAGEMENT and support for EFT/POS PROCESSING.

8 Assess the QUALITY OF RISK management and support for ACH PROCESSING activity.

9 Assess the QUALITY OF RISK MANAGEMENT AND SUPPORT for electronic banking related retail payment transaction processing.

10 Assess the QUALITY OF RISK MANAGEMENT and support for CHECKS.

11 Assess the QUALITY OF RISK MANAGEMENT of new and emerging technologies.

16
Q

Describe Tier II Retail Payment Systems Examination Procedures.

A

The Tier II Retail Payment Systems Examination Procedures provide additional validation steps to verify the effectiveness of a financial institution’s internal control processes over ACH, EFT/POS network, check item, electronic banking-related retail payments, and bankcard processing, clearance, and settlement.

17
Q

What does the BSA/AML Examination Manual provide?

A

Provides guidance on identifying and controlling risks associated with money laundering and terrorist financing.

18
Q

What does the FFIEC BSA/AML Examination Manual include?

A

Suspicious Activity Reporting (SAR)

Currency Transaction Reporting

Correspondent Accounts (Foreign)

Automated Clearing House Transactions

Third-Party Payment Processors

19
Q

What requirements must the BSA/AML compliance program provide?

A

Internal Controls
- policies, procedures
- regulatory updates
- incorporating dual controls and segregation of duties

Independent testing
- Conducted by bank personnel or by an outside party
- Testing to ensure the internal controls are aligned with the bank’s risk profile

BSA compliance officer
- Designation of an individual or individuals responsible for coordinating and monitoring day-to-day compliance

Training for appropriate personnel
- Should include examples of money laundering and suspicious activity monitoring and reporting
- Document training program

20
Q

What are the BSA/AML money laundering steps?

A

Placement

Layering

Integration

21
Q

Placement

A

First and most vulnerable stage of laundering money.

The goal is to introduce unlawful proceeds into the financial system without attracting the attention of financial institutions or law enforcement.

22
Q

Layering

A

Second stage, which involves moving funds around the financial system, often in a complex series of transactions, to create confusion and complicate the paper trail.

23
Q

Integration

A

The goal once funds are in the financial system and insulated through the layering stage.

Create the appearance of legality through additional transactions.

24
Q

The information technology examination handbook provides guidance to examiners for:

A

Assessing the level of security risks.

25
Q

What do Information Security programs need?

A

Strong board and senior management support.

The ability of the institution's board and management to continually review the program as new threats, technologies, and business conditions arise.

26
Q

What do security issues arise from?

A

  • Disclosure of information to unauthorized individuals
  • Unavailability or degradation of services
  • Misappropriation or theft of information or services
  • Modification or destruction of systems or information
  • Records that are not timely, accurate, complete, or consistent

27
Q

What does Appendix E: MFS from April 2016 address?

A

  • MFS Technologies
  • Risk Identification
  • Risk Measurement
  • Risk Mitigation
  • Monitoring and Reporting

28
Q

What does MFS stand for?

A

Mobile Financial Services

29
Q

What is MFS?

A

Mobile financial services (MFS) are the products and services that a financial institution provides to its customers through mobile devices.

30
Q

What is SMS?

A

SMS messages are transmitted unencrypted over widely used telecommunications networks.

31
Q

What are the SMS risks?

A

SMS is vulnerable to spoofing, which may mislead customers into revealing financial institution account information.

32
Q

What is Authentication and Access to Financial Institution Services and Systems?

A

It provides examples of effective risk management principles for access and authentication.

It acknowledges the risks of the cybersecurity threat landscape and reinforces the need to effectively authenticate users.

33
Q

Name the separate sections of the Authentication and Access to Financial Institution Services and Systems guidance.

A

  • Guidance
  • Threat landscape
  • Risk assessment
  • Layered security
  • Multi-factor authentication as part of layered security
  • Monitoring, logging, and reporting
  • Email systems and internet browsers
  • Call center and IT help desk authentication
  • Data aggregators
  • User awareness and education
  • Customer and user identification

34
Q

What does the RDC Risk Management guidance outline?

A

Outlines considerations for identifying and assessing the risks of a new transaction delivery system.

35
Q

What should senior management understand prior to implementing RDC services?

A

  • Identify and assess the legal, compliance, reputation, and operational risks associated with the new system
  • Ensure RDC is compatible with the institution’s business strategies
  • Understand the return on investment
  • Understand the ability to manage the risks inherent in RDC

36
Q

Describe the supervisory guidance for RDC.

A

  • Agreements
  • KYC: customer due diligence/suitability
  • Vendor due diligence: ensure sound vendor management processes
  • Business continuity: ensure the ability to recover from disruption
  • Information security: security of nonpublic records
  • Separation of duties
  • RDC training for customers
  • Measure and monitor activities: review and operational risk management
  • File monitoring
  • Customer monitoring to ensure the customer is in compliance with operational risks
  • Performance measuring/management: reporting to management and the board; transaction reporting of errors, duplicates, rejects, etc.

37
Q

What should RDC agreements entail?

A

  • Roles and responsibilities of all parties
  • Types of items allowed
  • Governing laws, regulations, and rules, such as funds availability policy, collateral, warranty claims for encoding errors, and indemnity claims
  • Customer considerations: technology eligibility, security, and retention requirements for original items
  • Repair considerations: accurately represent the MICR line

38
Q

What are the conditions required for the RDC Indemnity to apply?

A

  • The paper bank suffers a loss
  • Presence of a restrictive endorsement on the original check inconsistent with the means of deposit (for example: "for mobile deposit only")

39
Q

What risks does the RDC Indemnity bring?

A

The indemnity places the risk of multiple deposits of the same item on the remote deposit capture (RDC) bank.

The RDC bank provides indemnity, under certain conditions, for duplicate presentments of the RDC check.

40
Q

What other risks does the RDC indemnity bring, in regard to restrictive endorsements?

A

  • Does the agreement require restrictive endorsements?
  • Are reviews conducted to verify the presence of restrictive endorsements?
  • Are there procedures for the RDC indemnity claim process, both to make a claim and to disclaim a claim?
    • Is staff educated on the process?
    • Are disclaim processes understood?

41
Q

What are retail payment systems?

A

  • Identify and control risks associated with retail payment systems and related banking activities
  • Mobile payments are discussed in the section on Emerging Retail Payment Technologies
  • Numerous terms for mobile/online payments are defined in the Glossary (Appendix B)

42
Q

What do retail payment systems include oversight over?

A

  • Check-based payments (RCCs, ECI, RDC, etc.)
  • ACH network
  • Card-based electronic payments
  • Emerging retail payment technologies