Principles of Payments Risk Management

THE PAYMENTS INSTITUTE, July 16-19, 2017, Emory Conference Center Hotel, Emory University, Atlanta, Georgia. Jessica Washington, AAP, Payments Risk Expert, Federal Reserve Bank of Atlanta.


Page 1: Principles of Payments Risk Management

THE PAYMENTS INSTITUTE — July 16-19, 2017

Emory Conference Center Hotel, Emory University, Atlanta, Georgia

Jessica Washington, AAP

Payments Risk Expert

Federal Reserve Bank of Atlanta

Principles of Payments Risk Management

Page 2: Principles of Payments Risk Management


Agenda

• What is Risk?

• Types of Risk

• Specific to Payment Channel

• Risk management lifecycle

• Risk Frameworks

• Best Practices

Page 3: Principles of Payments Risk Management

Learning Objectives

• Elements of risk, including strategic, liquidity, reputational, fraud, credit, transactional, compliance, operational, cross channel

• ACH, check, wire transfer and card payment channels

• Disaster recovery and contingency planning

Page 4: Principles of Payments Risk Management

What is Risk?

Page 5: Principles of Payments Risk Management

Noun (in business): the forecasting and evaluation of financial risks together with the identification of procedures to avoid or minimize their impact.

Page 6: Principles of Payments Risk Management


Page 7: Principles of Payments Risk Management


prob·a·bil·i·ty (noun): the extent to which something is probable; the likelihood of something happening or being the case.

"the rain will make the probability of their arrival even greater"

Page 8: Principles of Payments Risk Management

Impossible (P = 0) < P < Certain (P = 1)

Independence: one outcome does not change the probability of another

Multiplication Rule: for independent events, the probability that both occur is the product of their individual probabilities

Variance & Standard Deviation

Covariance

Correlation

Normal Distribution – or fat tailed?

P = Probability
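As an added worked example (not part of the deck), the multiplication rule and the covariance/correlation measures on this slide applied to constructed data: a daily flag for two payment channels recording whether each channel's return rate breached its threshold. Under independence the product P(ACH)·P(wire) predicts how often both channels breach on the same day; when the observed joint frequency sits well above that product, the channels co-move, which is the correlation the systemic-risk slide later points to. The flag series, channel names and function names are assumptions for illustration.

```python
"""Probability basics from the slide, run over constructed data.

Added worked example; the two flag series below are constructed for
illustration and are not figures from any institution.
"""
from statistics import mean, pstdev

# Constructed: one flag per banking day for two payment channels.
# 1 = the channel's daily return rate breached its threshold, 0 = it did not.
ACH_BREACH  = [0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 0, 1, 0, 0, 1, 0, 0, 0, 1, 0]
WIRE_BREACH = [0, 1, 0, 0, 1, 0, 0, 0, 1, 0, 0, 1, 0, 0, 0, 0, 0, 0, 1, 0]


def probability(flags):
    """Relative frequency: P(event) = days the event occurred / total days."""
    return sum(flags) / len(flags)


def joint_probability(a, b):
    """Observed P(A and B): fraction of days on which both flags are set."""
    return sum(x and y for x, y in zip(a, b)) / len(a)


def independence_product(a, b):
    """Multiplication rule: P(A)*P(B) equals P(A and B) only if A, B are independent."""
    return probability(a) * probability(b)


def covariance(xs, ys):
    """Population covariance of two equal-length series."""
    mx, my = mean(xs), mean(ys)
    return sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / len(xs)


def correlation(xs, ys):
    """Pearson correlation: covariance scaled by both standard deviations, in [-1, 1]."""
    return covariance(xs, ys) / (pstdev(xs) * pstdev(ys))


def independence_gap(a, b):
    """Observed joint rate minus the rate the multiplication rule predicts.

    A positive gap means the two channels fail together more often than
    independent events would, i.e. the risks are correlated rather than
    independent, which is the situation the deck calls systemic risk.
    """
    return joint_probability(a, b) - independence_product(a, b)


if __name__ == "__main__":
    print(f"P(ACH breach)            = {probability(ACH_BREACH):.2f}")
    print(f"P(wire breach)           = {probability(WIRE_BREACH):.2f}")
    print(f"P(both) if independent   = {independence_product(ACH_BREACH, WIRE_BREACH):.4f}")
    print(f"P(both) observed         = {joint_probability(ACH_BREACH, WIRE_BREACH):.2f}")
    print(f"covariance               = {covariance(ACH_BREACH, WIRE_BREACH):.4f}")
    print(f"correlation              = {correlation(ACH_BREACH, WIRE_BREACH):.2f}")
```

On the constructed series the independence assumption predicts both channels breaching on about 9 percent of days, while they actually breach together on 25 percent of days; the correlation of roughly 0.79 is the numeric form of that co-movement.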

Page 9: Principles of Payments Risk Management


Page 10: Principles of Payments Risk Management


Page 11: Principles of Payments Risk Management

Types of Payments Risk

Page 12: Principles of Payments Risk Management

Categories or Types

i. Operational Risk

ii. Credit Risk

iii. Liquidity Risk

iv. Strategic Risk

v. Reputational Risk

vi. Legal Risk

vii. Compliance Risk

viii. Cross-Channel Risk

ix. Fraud Risk

x. Systemic Risk

xi. Third-Party Risk

xii. Counterparty Risk

Page 13: Principles of Payments Risk Management

Financial Risks

• Interest rate

– Deposit terms and rates

• Price

– Non-interest income

• Liquidity or Cash Flow

• Funding


Page 14: Principles of Payments Risk Management

Liquidity

• Deposit operations provide the overwhelming majority of funding for loan operations

• Funding models

• Interest rates and pricing impact liquidity

• Critical to success of the bank

– Many recent failures were liquidity driven

Page 15: Principles of Payments Risk Management

Management Risk

• Strategic risk

• Credit

– Deposit operations

• Reputation

– Customer service

• Business/Legal

– Contracts/Agreements


Page 16: Principles of Payments Risk Management

Strategic Risk

• Flawed or failed strategies

– Organizational structure

– Customers

• Vetting & Validation of Products

• Deployment of technology

• Impacts on financial performance

• Procedures

• Changes

• Communications

Page 17: Principles of Payments Risk Management

Reputation Risk

• Not only who you are but who you do business with

• Loss of customer confidence

• Impact on earnings

• Loss of shareholder value

• Complaint databases

Page 18: Principles of Payments Risk Management

Credit Risk

• The obvious

• The not-so-obvious

• Broad implications for

– Deposit operations

– Wire transfer

– ACH origination

– Remote Deposit Capture


Page 19: Principles of Payments Risk Management


Credit Risk

Two-pronged approach to credit risk management

1. Front end

– Develop policies regarding the types of businesses it is willing to accept for payments processing

– Establish limits that reflect the risk of return items and the potential loss

– Conduct due diligence on potential customers focusing on the nature of the business and the financial condition

2. Ongoing

– Execute a monitoring program commensurate with the customer’s risk to ensure the customer operates within expectations and limits

– Act quickly to minimize disruption and loss

Page 20: Principles of Payments Risk Management

20

Who - Underwriting Considerations

• Exposure Limit Request Form

• New client or existing client?

• Return to sales/cash management contact

• Company Information

– Line of Business

– Years in Business

– Number of Employees/Customers

– Ownership information

• Relationship Information

– Number of years

– Average Deposit Balances

– Number NSF (last 12 months)

• Credit Rating

Page 21: Principles of Payments Risk Management


When – Setting Exposure Limits

• Controlling credit risk in the availability-to-settlement gap

– Pre-funding – Requires funding at time of processing

• Ensures availability in bank’s favor

• May create competitive pressures

– Balanced Files – Offset contained in file

• May actually increase risk when the offset is not on-us

– Account Reserves – Holding a percentage of funds

• May be in the form of collateral or a structured availability schedule
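The exposure-limit reasoning above, as an added worked example that is not from the deck: a simplified ODFI exposure calculation across the availability-to-settlement gap. Credits count as exposure from processing until settlement unless the originator pre-funded them, debits count until an assumed return window after settlement closes, and an account reserve is netted off before the limit test. The return-window length, the file amounts, dates and names are constructed assumptions, not NACHA figures or Federal Reserve data.

```python
"""ODFI credit exposure across the availability-to-settlement gap.

Added worked example. Simplified model (an assumption, not a rule text):
  - credits are exposure from processing until settlement, unless pre-funded;
  - debits are exposure until an assumed return window after settlement closes;
  - an account reserve is netted against the total before the limit check.
File amounts, dates and the originator name are constructed.
"""
from dataclasses import dataclass, replace
from datetime import date, timedelta
from typing import List, Tuple


@dataclass(frozen=True)
class AchFile:
    originator: str
    credits: float           # total credit entries (money the ODFI pays out)
    debits: float            # total debit entries (money the originator collects)
    processed: date          # date the ODFI accepted the file
    settles: date            # settlement date
    prefunded: bool = False  # credits funded by the originator at processing


def credit_exposure(files: List[AchFile], today: date, debit_return_days: int) -> float:
    """Dollars at risk if the originator failed today.

    Unsettled, non-pre-funded credits: the ODFI has released them but the
    originator has not yet paid in. Debits still inside the return window:
    a return reverses funds the originator may already have drawn on.
    """
    exposure = 0.0
    for f in files:
        if not f.prefunded and f.processed <= today < f.settles:
            exposure += f.credits
        if f.processed <= today <= f.settles + timedelta(days=debit_return_days):
            exposure += f.debits
    return exposure


def within_limit(files: List[AchFile], today: date, limit: float,
                 reserve: float = 0.0, debit_return_days: int = 2) -> Tuple[bool, float]:
    """Exposure-limit check; returns (ok, gross exposure before the reserve)."""
    exposure = credit_exposure(files, today, debit_return_days)
    return max(exposure - reserve, 0.0) <= limit, exposure


def prefund(files: List[AchFile]) -> List[AchFile]:
    """The same files under a pre-funding arrangement (credits funded at processing)."""
    return [replace(f, prefunded=True) for f in files]


# Constructed: one originator, three files, evaluated on 18 July 2017.
TODAY = date(2017, 7, 18)
FILES = [
    AchFile("Acme Payroll", 250_000.0, 0.0, date(2017, 7, 17), date(2017, 7, 19)),  # credits in flight
    AchFile("Acme Payroll", 0.0, 40_000.0, date(2017, 7, 14), date(2017, 7, 17)),   # debits, still returnable
    AchFile("Acme Payroll", 90_000.0, 0.0, date(2017, 7, 10), date(2017, 7, 12)),   # settled, no exposure left
]

if __name__ == "__main__":
    ok, gross = within_limit(FILES, TODAY, limit=200_000.0)
    print(f"gross exposure {gross:,.0f}; within 200k limit: {ok}")
    ok, gross = within_limit(FILES, TODAY, limit=200_000.0, reserve=100_000.0)
    print(f"with 100k reserve, within limit: {ok}")
    print(f"exposure if credits were pre-funded: {credit_exposure(prefund(FILES), TODAY, 2):,.0f}")
```

The three arrangements on the slide show up directly: pre-funding removes the 250,000 of in-flight credits from the total, a reserve brings the same originator back under the limit without changing the files, and the debit file keeps contributing until its return window closes even though it has already settled.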

Page 22: Principles of Payments Risk Management

Operational Risk

• Transactional

• Compliance

• Fraud

• “Operational risk is embedded in virtually every activity a financial institution engages in, from check processing to trading activities, and the more complex the institution or process, the greater the risk of operational failure.” – Thomas Curry, Comptroller of the Currency, March 4, 2013

Page 23: Principles of Payments Risk Management


Examples

• Internal fraud

• External fraud

• Customer or client interactions

• Financial products

• Business practices

• Damage to physical plant

• Business interruption

• System failures

• Execution and delivery of commitments

• Process management

• Employment practices

• Workplace safety

Page 24: Principles of Payments Risk Management


Manifestations

• Failures of:

– Manual processes

– Automated processes

– Interaction of processes with faulty data

• One time events

• Cascading of multiple failures over time

Page 25: Principles of Payments Risk Management


Key Decision

• How to allocate capital to operational risk

• Challenge:

– Operational risk has no naturally occurring monetary measurement; therefore,

– No profit incentive exists to effectively motivate increased efforts to reduce operational risk

– Ergo: justifying “up” is very difficult

Page 26: Principles of Payments Risk Management

Impact of Service Disruptions

• Overall Impacts to Payments

– ACH Network

– Card Networks

– Check/Image Clearing

• Emerging Payment Types

– Real-Time

– Card Networks

– Zelle (https://www.zellepay.com/)

Page 27: Principles of Payments Risk Management

Transactional Risk

• Sheer volume of transactions

• Multiple points of entry into legacy systems

• Transaction Characteristics

• Parties

• Settlement Speed

• Finality


Page 28: Principles of Payments Risk Management

Third-Party or Counter-Party

• Reliance on:

– Vendors

– Customers

– Partners

– Inter-operability of systems

• Ability to pass on liability

• Reputational aspect

Page 29: Principles of Payments Risk Management

Fraud

• Trends

• Threats

• Prevention

• Mitigation

Page 30: Principles of Payments Risk Management

Fraud Alerts / Card Controls

• Trend: Deputizing the customer/member

– Fraud Alerts

– Card Controls

• Customer/Member can:

– Turn debit card on/off

– Set locations where the card can be used

– Set spending limits

– Control use by transaction and merchant types

– Similar functionality on some credit cards (e.g. Discover’s “Freeze It”)

Page 31: Principles of Payments Risk Management

Compliance Risk

• Rules & Guidance Applicable to Specific Payment Systems

– ECCHO Rules (https://www.eccho.org/)

– NACHA Operating Rules (www.nacha.org)

– Clearinghouse & Bankcard Network Operating Rules

– Federal Financial Institutions Examination Council (FFIEC) IT Handbook (http://ithandbook.ffiec.gov/it-booklets.aspx)

• Regulatory Requirements for Incident Reporting

– Data Breach

– Suspicious Activity

Page 32: Principles of Payments Risk Management

Laws & Regulations Applicable to Specific Payment Systems

• Currency & Foreign Transactions Reporting Act of 1970

• Federal Regulations

– Regulation E

– Regulation J

– Regulation CC

– Regulation DD

• Bank Secrecy Act/Anti-Money Laundering (BSA/AML) Examination Manual

• Office of Foreign Assets Control (OFAC)

• Federal Reserve Bank Operating Circular 3

Page 33: Principles of Payments Risk Management

Legal Risks

• Role of Client/Customer Agreements

– Overall Impacts to Payments

– ACH Network

– Card Networks

– Check/Image Clearing

– Emerging Payment Types

– Real-Time

– Card Networks

– Zelle (https://www.zellepay.com/)


Page 34: Principles of Payments Risk Management

Systemic Risk

• Financial crisis of 2008

• Probability of breakdowns in an entire system

• Evidenced by co-movements (correlation) among most or all the parts

Page 35: Principles of Payments Risk Management

Enterprise Risk

• Risk of loss across the entire financial institution resulting from inadequate or failed controls relating to:

– Internal processes

– People

– Systems

– External Events

• Techniques and methodologies

– Inherent vs. Residual Risk

– Detective vs. Preventive Controls

– Controls vs. Mitigants

Page 36: Principles of Payments Risk Management

Cross-Channel Risk

Risk associated with deposit accounts by way of multiple points of access (branch, ATM, call center, debit card, online banking, check, ACH, wire, etc.), or the presence of multiple risk types:

•Legal

•Reputational

•Operational

•Compliance

•Fraud

•Liquidity


Page 37: Principles of Payments Risk Management

Payments are now more complex

Cash

Checks

Wire

ATMs

Debit Cards

Credit Cards

ACH

Remote Deposit

Virtual/Cloud

Mobile

Digital Currency

Page 38: Principles of Payments Risk Management

Traditional Payments: (Almost) All Electronic

Page 39: Principles of Payments Risk Management

Mix of Electronic Payments:

Volume Inversely Related to Value


Page 40: Principles of Payments Risk Management

ACH

• Debit & Credit

• Returns & Return Rate Levels

• Consumers & Commercial

• International & Domestic

• Requiring ODFIs to register their Direct Access Status

• ACH Data Breach Board Policy

• Terminated Originator Database

• Third-Party & Direct Access Registration

Page 41: Principles of Payments Risk Management

ACH

• Authentication

• Authorization

• Encryption

• SEC Codes

• Annual Audit & Risk Assessment

Page 42: Principles of Payments Risk Management

ACH

• Prevention (Debits): Increasingly, FIs are offering their corporate customers:

– ACH Debit Block

– ACH Debit Filter

– ACH Positive Pay
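The three debit-side services above, as an added worked example (not the deck's material and not any vendor's implementation): one screening routine that applies a debit block, a debit filter, or positive pay to incoming ACH debits against a corporate account. The reading of the three services is the common one and is an interpretation: a block returns every debit, a filter pays only debits from pre-authorized originator company IDs under a per-originator cap and returns the rest, and positive pay holds non-matching debits as exceptions for the customer to approve or return before the return deadline. Entry fields, company IDs, trace numbers and amounts are constructed.

```python
"""ACH debit block, debit filter and positive pay, as an RDFI would apply them
to debit entries presented against a corporate customer's account.

Added worked example; the service semantics are an interpretation and the
entries, company IDs, trace numbers and caps below are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass(frozen=True)
class DebitEntry:
    trace: str           # trace number of the entry
    company_id: str      # originator's company identification
    company_name: str
    amount: float


@dataclass
class DebitAuthorization:
    company_id: str
    max_amount: float    # per-entry cap the customer authorized for this originator


@dataclass
class CustomerProfile:
    account: str
    service: str                                       # "none" | "block" | "filter" | "positive_pay"
    authorizations: Dict[str, DebitAuthorization] = field(default_factory=dict)


PAY, RETURN, EXCEPTION = "pay", "return", "exception"


def screen_debit(profile: CustomerProfile, entry: DebitEntry) -> str:
    """Decide what the RDFI does with one incoming debit."""
    if profile.service == "none":
        return PAY                     # no protection: every debit posts
    if profile.service == "block":
        return RETURN                  # debit block: no debit posts, authorized or not
    auth = profile.authorizations.get(entry.company_id)
    if auth is not None and entry.amount <= auth.max_amount:
        return PAY                     # known originator within its cap
    # Unknown originator or over the cap: a filter returns it outright,
    # positive pay parks it for the customer's decision.
    return RETURN if profile.service == "filter" else EXCEPTION


def screen_batch(profile: CustomerProfile, entries: List[DebitEntry]) -> Dict[str, List[str]]:
    """Screen a day's debits; returns {decision: [trace numbers]}."""
    out: Dict[str, List[str]] = {PAY: [], RETURN: [], EXCEPTION: []}
    for e in entries:
        out[screen_debit(profile, e)].append(e.trace)
    return out


def resolve_exception(profile: CustomerProfile, entry: DebitEntry, customer_approves: bool) -> str:
    """Positive-pay decision. Approving also records the originator as authorized
    at the approved amount, so the same payee is not an exception tomorrow
    (assumed behaviour, not a rule requirement)."""
    if customer_approves:
        profile.authorizations[entry.company_id] = DebitAuthorization(entry.company_id, entry.amount)
        return PAY
    return RETURN


def make_profile(service: str) -> CustomerProfile:
    """Constructed corporate account that has authorized one utility up to 5,000 per debit."""
    return CustomerProfile("123456789", service,
                           {"1234567890": DebitAuthorization("1234567890", 5_000.00)})


# Constructed sample: three debits presented against the account on one day.
ENTRIES = [
    DebitEntry("091000010000001", "1234567890", "CITY UTILITY", 1_200.00),   # authorized, under cap
    DebitEntry("091000010000002", "1234567890", "CITY UTILITY", 9_800.00),   # authorized originator, over cap
    DebitEntry("091000010000003", "9876543210", "UNKNOWN LLC", 4_950.00),    # originator never authorized
]

if __name__ == "__main__":
    for service in ("none", "block", "filter", "positive_pay"):
        print(service, screen_batch(make_profile(service), ENTRIES))
```

The same three entries produce four different outcomes depending on the service level, which is the practical difference between the products: a block protects an account that should never be debited, a filter suits a customer with a stable payee list, and positive pay trades some operational work for the ability to keep legitimate one-off debits.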

Page 43: Principles of Payments Risk Management

Card

• Debit via Access Device (kinda)

• Consumer & Commercial

• ATM v. POS v. eCommerce

• Prepaid- Gift, EBT, General Purpose

• Debit

• Credit

• Digital Wallets

• Tokenization

• EMV

• Chargebacks

Page 44: Principles of Payments Risk Management

Check

• Debit only

• Consumer & Commercial

• Returns & Adjustments

• Private clearinghouses

• Remote Deposit Capture

• Mobile Capture

• Remotely Created Checks (RCC)

• Electronic Payment Orders (EPO)

Page 45: Principles of Payments Risk Management

Wire

• Credit push

• Final/ irrevocable

• Real-Time (ish)

• Consumer & Commercial

• Large-Dollar

Page 46: Principles of Payments Risk Management

Account Takeover

What can criminals do if they access your Online Banking credentials?

Answer: Anything you can do

• Drain Funds

• ACH

• Checks

• Wires

• Consumer & Business

Page 47: Principles of Payments Risk Management

Account Takeover Red Flags

• File or Wire Exceeds Exposure Limits

• Unusual log-in activity (failed attempts, etc.)

• Transactions on unusual days or multiple transactions in a short period of time

• Unusual Activity (Wires vs ACH, 2 ACH Files in 1 day, etc.)

• Report of unauthorized activity

• New Admin Credentials created

• Report from Users that their authority was changed
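The red flags above expressed as detection rules, as an added example rather than anything from the deck: each rule runs over a constructed online-banking event log for one corporate customer. The event schema, the customer profile (an origination calendar of Wednesdays only, no wire usage, a 150,000 exposure limit) and the thresholds (three failed logins within ten minutes, two payments within fifteen minutes) are assumptions chosen for illustration.

```python
"""Account takeover red flags from the slide, evaluated over a constructed
online-banking event log.

Added worked example. The event format, the customer profile and the
thresholds below are assumptions for illustration, not values from the deck.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Tuple


@dataclass(frozen=True)
class Event:
    when: datetime
    kind: str            # login_failed | login_ok | ach_file | wire | admin_created | authority_changed
    user: str
    amount: float = 0.0
    detail: str = ""


@dataclass
class Profile:
    customer: str
    exposure_limit: float
    origination_weekdays: frozenset   # 0 = Monday .. 6 = Sunday, from the origination calendar
    uses_wires: bool


FAILED_LOGIN_THRESHOLD = 3
FAILED_LOGIN_WINDOW = timedelta(minutes=10)
RAPID_PAYMENT_WINDOW = timedelta(minutes=15)
PAYMENT_KINDS = {"ach_file", "wire"}


def red_flags(profile: Profile, events: List[Event]) -> List[Tuple[str, Event]]:
    """Return (rule, event) pairs, one per red flag observed, in time order."""
    flags: List[Tuple[str, Event]] = []
    failed: List[datetime] = []        # sliding window of failed-login times
    payments: List[datetime] = []      # sliding window of payment times
    ach_files_per_day = defaultdict(int)

    for e in sorted(events, key=lambda ev: ev.when):
        if e.kind == "login_failed":
            failed = [t for t in failed if e.when - t <= FAILED_LOGIN_WINDOW] + [e.when]
            if len(failed) == FAILED_LOGIN_THRESHOLD:      # fire once when the burst reaches the threshold
                flags.append(("unusual_login_activity", e))
        elif e.kind == "admin_created":
            flags.append(("new_admin_credentials", e))
        elif e.kind == "authority_changed":
            flags.append(("user_authority_changed", e))
        elif e.kind in PAYMENT_KINDS:
            if e.amount > profile.exposure_limit:
                flags.append(("exceeds_exposure_limit", e))
            if e.when.weekday() not in profile.origination_weekdays:
                flags.append(("unusual_day", e))
            payments = [t for t in payments if e.when - t <= RAPID_PAYMENT_WINDOW]
            if payments:                                   # another payment inside the window
                flags.append(("multiple_transactions_short_period", e))
            payments.append(e.when)
            if e.kind == "wire" and not profile.uses_wires:
                flags.append(("wire_from_ach_only_customer", e))
            if e.kind == "ach_file":
                ach_files_per_day[e.when.date()] += 1
                if ach_files_per_day[e.when.date()] == 2:
                    flags.append(("two_ach_files_one_day", e))
    return flags


def rules_fired(profile: Profile, events: List[Event]) -> List[str]:
    """Distinct rule names that fired, sorted."""
    return sorted({rule for rule, _ in red_flags(profile, events)})


# Constructed: a payroll customer that originates one ACH file on Wednesdays
# and has never sent a wire; the log shows a Saturday-night takeover pattern.
PROFILE = Profile("Acme Payroll", exposure_limit=150_000.0,
                  origination_weekdays=frozenset({2}), uses_wires=False)
T0 = datetime(2017, 7, 15, 22, 0)     # Saturday, 22:00
LOG = [
    Event(T0, "login_failed", "controller"),
    Event(T0 + timedelta(minutes=1), "login_failed", "controller"),
    Event(T0 + timedelta(minutes=2), "login_failed", "controller"),
    Event(T0 + timedelta(minutes=3), "login_ok", "controller"),
    Event(T0 + timedelta(minutes=5), "admin_created", "controller", detail="new user temp_admin"),
    Event(T0 + timedelta(minutes=9), "ach_file", "temp_admin", 148_000.0),
    Event(T0 + timedelta(minutes=12), "ach_file", "temp_admin", 151_000.0),
    Event(T0 + timedelta(minutes=14), "wire", "temp_admin", 60_000.0, detail="first wire on this account"),
]
# Constructed control case: the customer's normal Wednesday file under the limit.
QUIET_LOG = [Event(datetime(2017, 7, 19, 9, 0), "ach_file", "controller", 120_000.0)]

if __name__ == "__main__":
    for rule, e in red_flags(PROFILE, LOG):
        print(f"{e.when:%Y-%m-%d %H:%M}  {rule:<36} {e.kind} {e.user} {e.amount:,.0f} {e.detail}")
    print("quiet day:", rules_fired(PROFILE, QUIET_LOG))
```

Each rule on its own is weak (a legitimate user can mistype a password or run a second file), which is why the slide lists them together: the takeover pattern is the cluster of failed logins, a new administrator, off-calendar files and a first-ever wire inside a few minutes, and the quiet-day control case fires nothing.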

Page 48: Principles of Payments Risk Management

Mitigation: How to avoid potential loss

• Origination calendars

• Reasonable exposure limits

• Client education

• Static IP or IP address authentication

• Layered security

• Behavioral analytics and/or transaction analytics

• Out of Band Authentication

Page 49: Principles of Payments Risk Management

Risk Management Lifecycle


Page 50: Principles of Payments Risk Management


Page 51: Principles of Payments Risk Management

Risk Management

Cycle: Identify, Analysis, Control, Financing, Result Analysis

The five basic risk management principles are risk identification, risk analysis, risk control, risk financing and claims management; they can be applied to most any situation or problem.

Page 52: Principles of Payments Risk Management

Risk Appetite

1. Identify and understand your major risks

2. Decide which risks are natural

3. Determine capacity and tolerance for risk

4. Embed risk in all decisions & processes

5. Align strategies and the organization around risk

Page 53: Principles of Payments Risk Management

Testing

• Documenting

• Process Flows

• Sampling

Page 54: Principles of Payments Risk Management


Effective Procedures to Support Policies

1. Risk Identification

2. Credit/Underwriting

3. Monitoring

Page 55: Principles of Payments Risk Management

Risk Profile Impacts

• Third Parties

• IT Infrastructure

• Size/Complexity of Payment System Products & Services

Page 56: Principles of Payments Risk Management

Risk Management Framework

• Identification

• Reporting

• Issue-tracking

• Escalation

• Resolution

• Validation

• COSO (https://www.coso.org/Pages/default.aspx)

• NIST (https://www.nist.gov/cyberframework)

Page 57: Principles of Payments Risk Management

Trend Analysis Methodologies & Applications

• Issue Relevance

• Big Picture

• Cross-channel

• Information Sharing

• Technology-based Risk Scoring Applications

– Neural Networks

– Behavioral Fraud Analysis

Page 58: Principles of Payments Risk Management

Anomalous Transaction Detection Systems Capabilities

• Payment History

• Behavior

• Purchase Type

• Delivery Information

Page 59: Principles of Payments Risk Management

Risk Analysis

• Credit Analysis Techniques

• Internal & External Fraud Databases & Analysis Tools

• Risk & Trend Analysis/Evaluation Methodologies

– Correlation

– Predictive Modeling

– Interdependencies

– Prioritization

– Cost-benefit

Page 60: Principles of Payments Risk Management

Risk Assessment Factors

• Scope & Frequency

• Scope & Complexity of FI’s Activities

• Regulatory Requirements

• Business Complexities

• Transaction Type

Page 61: Principles of Payments Risk Management

Business Continuity/Contingency Plans

• Recovery & Restoration of Data

• Maintaining Communications

• Alternative Power Sources

• Backup Sites

• Recovery Strategy

• Testing

Page 62: Principles of Payments Risk Management

Types & Applications of Internal Controls

• Financial

• Technical

• Procedural and Administrative

• Processing & Settlement of Retail & Wholesale Payments

– Segregation of Duties

– Input to Output Reconcilement

– Management Review

– Authentication Requirements for Transfer Initiation

Page 63: Principles of Payments Risk Management

Other Internal Controls

• Audit Standards & Practices

• Authentication Methods to Verify Identity

• Capital Adequacy Relative to the Value of Payments across Multiple Systems

• Processes & Procedures to Detect & Prevent Fraud and Abusive, Unfair and/or Deceptive Transactions (UDAAP)

Page 64: Principles of Payments Risk Management

Physical & Information Security


Page 65: Principles of Payments Risk Management

Policies, Procedures & Detection Systems

• Data Breaches

• Alteration

• Destruction

• How do systems differ by payment type

Page 66: Principles of Payments Risk Management

Data

• Procedures: Receive, Store, Transmit and Destroy Payments and Associated Data

– Security

– Data Breach Protection

– PCI (https://www.pcisecuritystandards.org/)

– OC5 (https://www.frbservices.org/files/regulations/pdf/operating_circular_5_06302016.pdf)

Page 67: Principles of Payments Risk Management

More Data

• Record Retention, Destruction & Discoverability

• Computer Hardware, Software & Telecommunications Protocols Used for Payments Processing Support

• Payments Network Infrastructure & Connectivity

Page 68: Principles of Payments Risk Management

Data Security Procedures, Techniques & Access Controls

• Password Complexity & Strength

• Corporate & Consumer Authentication

• Access Rights & Privileges

• Segregation of Staff Access to Account Information

• Sensitive Data Retention Policies/Rules

• Encryption

• Access Control of Secure Areas & Documents

• Visitor Monitoring & Control

Page 69: Principles of Payments Risk Management

Physical Storage & Security of Data

• Locked Storage Space

• Key Inventory

• Clean Desk Policy

• Vendors

Page 70: Principles of Payments Risk Management

Retail Payments Risk Forum

Visit us: http://www.frbatlanta.org

Visit our blog: http://www.takeonpayments.frbatlanta.org

Page 71: Principles of Payments Risk Management


Examination Considerations

• Management and Board Oversight

– Does management understand their payments strategy?

– Does management understand the risk of products offered?

– What is the risk appetite?

– Is there adequate due diligence for third party processors, third party senders, and their originators?

• Policies, procedures, limits

– Are they in line with the business strategy?

– Are policies and procedures written and clear?

– Do they accurately depict and support the actual process?

– How are procedures and exposure limits monitored & enforced?

• Risk monitoring & management information systems

– Have adequate risk assessments been performed?

– Are Operational and Performance reports available and adequate?

– Are credit and transaction monitoring reports available and adequate?

– What does senior management receive?

Page 72: Principles of Payments Risk Management


Examination Considerations

• Controls

– Separation of duties for account opening: application & credit review, receipt of instruction, data entry, identity and signature verification, posting initial funds

– Separation of duties for processing transactions: receipt of instruction, confirmation, execution, accounting, reconcilement & reporting

– Independent review of account or transaction exceptions, overdrafts

– Independent review of dormant accounts

– Limited access to customer PINs

– Straightforward process design: minimize manual interfaces

– Data security: including encryption of data that moves to or resides at 3rd party processors

– Define, implement, and monitor appropriate levels of System access. System access should mirror separation of duties.

– Business continuity: how does the bank deal with System or 3rd party problems

Page 73: Principles of Payments Risk Management


Red Flags

• Lack of written policies, procedures, exposure limits:

– Absence of these often indicates sloppy or inexperienced management

– Lack of clear authorities

• Separation of duties problems:

– Staff who accept customer instructions also execute transactions

– Staff who execute transactions also confirm transactions

– Staff who accept instructions or execute or confirm transactions, also have accounting or reconcilement responsibilities

– Employees have too much or unnecessary system access

• Staff or management turnover:

– Unless there is a deep and experienced staff, problems typically occur quickly

• High or increasing number of failed transactions or returns

– Look for reports of returns by customer, failed transactions, or payments that fail to settle

– These may indicate staff problems, spikes in business volumes, system problems

Page 74: Principles of Payments Risk Management


Red Flags

• Some un-reconciled items:

– Some stale items

– Most Payment & Settlement Systems have specific rules regarding timeliness of settlement and stale items are usually not tolerated

• No internal audits, or NACHA audits

• High levels of customer complaints:

– Loss of key customer business

– Increases in customer complaints and unauthorized returns

– Breaches in internal service level agreements

– Lawsuits

– Customers complain for a reason

– Understand the nature of the complaints and look for patterns

– How did management respond to the complaints?

– How quickly did management resolve the complaints?

Page 75: Principles of Payments Risk Management

Presenter Contact Information:

Jessica Washington, AAP

Payments Risk Expert

Retail Payments Risk Forum

Federal Reserve Bank of Atlanta

404-498-7113