Feds Update ACH Fraud Guidance
FFIEC Issues Revised Retail Payment Systems BookletThe Federal Financial Institutions Examination Council (FFIEC) is out with its new Retail Payment Systems Booklet, which includes updated guidance for examiners, financial institutions and technology service providers on the risks and risk-management practices applicable to institutions' retail payment systems, including checks, electronic payments related to credit and debit cards, and ACH transactions.
As the booklet does not establish any new major policy initiatives, examiners will begin using the booklet immediately, says Donald Saxinger, FDIC's Acting Chief, Technology Supervision Branch, Division of Supervision and Consumer Protection.
"For the most part, the guidance and discussions of management practices are conditions that should already be in place," Saxinger says.
The revised booklet addresses changes in technology and provides guidance on the Check Clearing for the 21st Century Act of 2004. It also expands guidance on merchant card processing and ACH activities, as well as a more in-depth discussion of the increased risks posed by these activities and some of the risk management tools that financial institutions can use to stop them.
The new edition does have some additional discussion of emerging payment systems developments such as remotely created checks and remote deposit capture. There also is increased emphasis on risk management practices related to third parties in the payments arena.
Guidance for ACH Transactions
When asked about the increase in ACH fraud transactions hitting business customers, Saxinger says, "While there is yet no silver bullet to this problem, the booklet addresses some of the key areas that should be considered in a layered approach to stemming this problem."
Among the key points:
- Effective internal control environments to minimize risks in retail payment transactions (page 43.)
- Authentication, security procedures and controls sufficient to verify the integrity of the data, the confidentiality of the transmission, and the authenticity of the communication partners, based on the FFIEC guidance "Authentication in an Internet Banking Environment" issued in 2005, (page 57).
- Educating your corporate customers and other risk considerations are discussed in a new section titled "Risk Considerations for Business Banking EFT Payments" (page 65).
Remote Deposit Capture
The increased use of remote capture by businesses and consumers points to the need for institutions to remain compliant, while at the same time meeting the needs of customers using this banking service.
The potential for risk exposure in this area is great, notes Debra Geister, Lexis-Nexis Director of Fraud Prevention and Compliance Solutions. "Some of this expanded guidance is in response to the growing area of remote deposit capture," she says. "This is an area that has a lot of potential for risk exposure in the demand deposit accounts (DDA) business."
Geister says she believes that regulators are trying to help reduce the risk of this type of product. "I am sure that it is no secret that we have seen challenges in ACH fraud and also money laundering from foreign sources. Many financial institutions are still trying to get their new International ACH Transaction (IAT) regulation processes in place as well."
Saxinger says while the RPS booklet addresses remote deposit capture, the guidance issued by the FFIEC in early 2009 on "Risk Management of Remote Deposit Capture" also should be in an institution's resource kit for evaluating the risk management issues if you are considering using this technology.
Also new in this booklet is the work program associated with the RDC guidance. "Work programs such as this are used by examiners in assessing your risk management practices, but also could be used by financial institutions and other service providers as a self assessment tool," he says.
Financial institutions should not limit themselves to the guidance or the work program as the definitive requirement for effective risk management, Saxinger says. "All reasonable methods for managing risk should be considered for the risk management of remote deposit capture or any other technology, product, or service."