Subject: FFIEC Information Technology Examination Handbook
Date: February 25, 2010
To: Chief Executive Officers of All National Banks, Federal Branches and Agencies, Technology Service Providers and Software Vendors, Department and Division Heads, and All Examining Personnel
Description: Retail Payment Systems Booklet
The guidance attached to this bulletin continues to apply to federal savings associations.
The The Federal Financial Institutions Examination Council (FFIEC) has released an updated Retail Payment Systems Booklet (booklet), which replaces the version issued in March 2004. The booklet is one of 12 that, in total, comprise the FFIEC IT Examination Handbook.
The updated booklet incorporates developments in various aspects of retail payments activities since the first edition was issued and provides guidance on the risks and risk-management practices applicable to national banks. The booklet’s enterprise-wide perspective makes it a valuable tool to an entire organization in addition to an information technology department.
Significant revisions to the booklet include the following:
Check 21 – The booklet addresses changes in technology and provides guidance on the Check Clearing for the 21st Century Act of 2004 (Check 21). This act became effective on October 28, 2004, after the first edition of this booklet was published.
Evolution of Electronic Check Collection – The booklet discusses several possible models for electronic check collection that are emerging in the wake of the passage of Check 21. Three different services that may use either image or MICR-transmission technologies include: remotely created checks, remote deposit capture, and electronically created payment orders. There is an in-depth discussion of these practices, the risks they pose, and the risk-management tools that banks can use to mitigate them. The booklet also includes examination procedures to supplement the recently issued interagency guidance on remote deposit capture (OCC Bulletin 2009-4).
The Automated Clearinghouse (ACH) – The booklet provides expanded guidance on ACH. The National Automated Clearinghouse Company (NACHA) and the two principal ACH operators – the Federal Reserve Banks and EPN – have clear expectations that financial institutions manage the related risks, particularly when the institutions engage in riskier ACH activities. The booklet provides an in-depth discussion of the increased risks posed by ACH activities and some of the risk-management tools financial institutions can use to mitigate them.
NACHA Rule and Product Changes – NACHA has mandated several important rule changes to expand the use of the ACH network and to improve risk management. Financial institutions and their technology service providers should have processes in place to ensure compliance with the rules listed in the booklet and for changes to those rules going forward.
Emerging Retail Payment Technologies – This new section discusses new technologies (i.e., contactless payment cards, biometrics for payment initiation and authentication, proximity payments) and several types of emerging network technologies (i.e., infrared, radio frequency identification, Bluetooth).
Merchant Acquiring – The booklet provides expanded guidance on merchant card processing. Operational and data integrity risks can arise from improper processing of bankcard transactions, inadequate internal controls, employee error or malfeasance, and other challenges inherent when processing within a multi-participant environment. The booklet discusses the increased risks posed by activities related to merchant acquiring and some of the risk-management tools that financial institutions can use to mitigate them.
Appendix C – This new appendix includes a schematic of retail payments access channel and payment methods.
An electronic version of the Retail Payment Systems Booklet is available at http://ithandbook.ffiec.gov/it-booklets/retail-payment-systems.aspx. To accommodate banks with limited access to the Internet, the Office of the Comptroller of the Currency (OCC) will also include the booklet in the next release of e-files, the CD-based library of OCC publications provided to all national banks. Any bank that is not able to download the booklet may order a printed copy. Please send a written request by mail to the Office of the Comptroller of the Currency, 250 E Street SW, Mail Stop 2-3, Washington, DC 20219, or by fax at (202) 874-5263. If you need assistance, please contact the OCC’s Communications Division at (202) 874-4700.
Questions regarding this bulletin should be directed to your supervisory office or the Bank Information Technology Division at (202) 874-4740.
Deputy Comptroller for Operational Risk