All Exam Topic Areas Flashcards
1
Q
Risk that a party to a transaction cannot provide the necessary funds as contracted for settlement to take place on the scheduled date.
A
Credit Risk
2
Q
Risk that a transaction is altered or delayed due to an unintentional error.
A
Operational Risk
3
Q
Risk that a payment transaction will be initiated or altered in an attempt to misdirect or misappropriate funds.
A
Fraud Risk
4
Q
Risk that the inability or unwillingness of one funds transfer system participant to settle its commitments will cause other participants to be unable to settle their commitments.
A
Systemic Risk
5
Q
Risk that occurs when a party to a transaction fails to comply, either knowingly or inadvertently, with payment system rules and policies, regulations and applicable U.S. and state law.
A
Compliance Risk
6
Q
Risk that occurs when an ODFI permits an Originator or Third-Party to use its routing number to send files directly to the ACH Operator.
A
Direct Access Risk
7
Q
Risk that occurs when a negative publicity regarding a financial institution’s business practices leads to a revenue loss or litigation.
A
Reputation Risk
8
Q
Risk that arises from a financial institution relying upon outside parties to perform services or activities on its behalf.
A
Third-Party Risk
9
Q
Risk that occurs from an institution’s failure to enact appropriate policies, procedures or controls to ensure it conforms to laws, regulations, contractual arrangements and other legally binding agreements and requirements.
A
Legal Risk
10
Q
Risk associated with foreign exchange.
A
Transaction Risk
11
Q
Current and potential risk to earnings or capital arising from a financial institution’s inability to settle an obligation for full value when it is due.
A
Liquidity Risk
12
Q
Risk might arise from making poor business decisions, from the substandard execution of decisions, from inadequate resource allocation or from failure to respond well to changes in the business environment.
A
Strategic Risk
13
Q
Risk that occurs because of theft from deposit accounts by way of multiple access points.
A
Cross-Channel Risk
14
Q
Risk to each party of a contract that the counterparty will not live up to its contractual obligations.
A
Counterparty Risk
15
Q
Process of planning, organizing, leading and controlling the activities of an organization to minimize the effects of risk on that organization.
A
Enterprise Risk Management (ERM)
16
Q
Voluntary private-sector organization formed in 1985 dedicated to improving the quality of financial reporting.
A
Committee of Sponsoring Organizations (COSO)
17
Q
Governs the provisions of intraday credit (daylight overdrafts) in accounts at the Reserve Banks.
A
Federal Reserve Board’s Payments System Risk (PSR) Policy
18
Q
Examples of operational risk with ACH payments.
A
(1) Missed transmission deadlines; (2) Hardware/software failures and loss of power; (3) Clerical errors; (4) Inadequate procedures; (5) Inadequate training
19
Q
Examples of operational risk with card payments.
A
(1) Processing risks; (2) Employee and/or service provider errors; (3) Hardware and software failure, including service provider
20
Q
Examples of operational risk with check payments processed through Remote Deposit Capture (RDC).
A
(1) Faulty equipment; (2) Inadequate procedures; (3) Inadequate training; (4) Poor image quality; (5) Resubmission of file or redeposit of physical items; (6) Technology-related issues, such as failure to maintain compatible and integrated IT systems; (7) Reliability of RDC vendor
21
Q
Examples of operational risk with wire payments.
A
(1) System failure caused by breakdown in hardware/software; (2) System disruption; (3) System compromise; (4) Inadequate procedures; (5) Inadequate training
22
Q
Examples of operational risk with emerging payments.
A
(1) Inadequate procedures; (2) Inadequate training; (3) Reliability of vendor; (4) Employee or end user errors
23
Q
Examples of fraud risk with ACH payments.
A
(1) Misappropriation of funds; (2) Misdirect payment; (3) Account takeover; (4) Business email compromise scam; (5) Vendor impersonation fraud
24
Q
Examples of fraud risk with card payments.
A
(1) Lost or stolen cards; (2) Phishing scams; (3) Skimmers; (4) Data breaches; (5) Counterfeit or altered cards; (6) Unauthorized use of a Cardholder’s card number for card-not-present transactions
25
Examples of fraud risk with check payments.
(1) Lost or stolen checks; (2) Alteration of deposited items; (3) Forged or missing endorsement; (4) Deposit of counterfeit items; (5) Check kiting; (6) Redeposit of items/duplicate presentment through RDC; (7) Proper disposal of deposited items by RDC customers; (8) Insider fraud
26
Examples of fraud risk with wire payments.
(1) Malware, spyware and viruses; (2) Business email compromise; (3) Money laundering; (4) Dishonest employees; (5) Lack of dual controls or segregation of duties
27
Examples of fraud risk with emerging payments.
(1) Speed of processing; (2) Reduced reaction time to fraud; (3) Breaches/data security; (4) Malware, spyware and viruses
28
Examples of credit risk with ACH credit payments.
(1) Originator fails to fund ODFI for credit entries initiated; (2) RDFI posted credit entry prior to Settlement Date
29
Examples of credit risk with ACH debit payments.
(1) ODFI is unable to recover funds from Originator for returned debit entries; (2) RDFI is untimely in returning debit entries
30
Maximum timeframe an ODFI is exposed to credit risk for ACH credit origination.
Up to two banking days
31
Maximum timeframe an ODFI is exposed to credit risk for ACH debit origination.
(1) Up to 60 days from the Settlement Date for consumer Standard Entry Class (SEC) codes per the ACH Rules; (2) Up to 60 days from the consumer's statement date per Regulation E
32
Examples of credit risk with card payments.
(1) Merchant declares bankruptcy, commits fraud or is otherwise unable to pay its chargebacks causing the Acquiring Financial Institution to pay the Card Issuer; (2) With EMV, the Card Issuer may encounter credit risk due to fallback transactions
33
Examples of credit risk with check payments.
(1) Bank of First Deposit (BOFD) credits the account holder provisionally and settlement does not occur for several days; (2) Paying Bank misses deadline for processing returns and adjustments
34
Examples of credit risk with emerging payments.
(1) Failure or bankruptcy of entity initiating payment; (2) Funds availability prior to receiving final settlement; (3) Per-transaction dollar limits being set too high; (4) Funds unavailable to satisfy debit return
35
Examples of credit risk with wire payments.
(1) Originating/Sender Bank makes an irrevocable payment on behalf of a customer through an extension of credit; (2) Beneficiary Bank does not post the payment properly
36
Card payment system is governed by these rules and regulations.
(1) Regulation E; (2) Regulation Z; (3) Card Association Rules
37
Wire payment system is governed by these rules and regulations.
(1) UCC 4A; (2) OFAC; (3) Bank Secrecy Act (BSA); (4) Regulation E, Subpart B; (5) Regulation J; (6) Regulation CC; (7) Federal Reserve Operating Circulars 1, 5 & 6
38
Check payment system is governed by these rules and regulations.
(1) Regulation CC; (2) UCC Article 3; (3) UCC Article 4; (4) Regulation J, Subpart A; (5) Federal Reserve Bank Operating Circular 3; (6) ECCHO Rules
39
ACH Network is governed by these rules and regulations.
(1) ACH Rules; (2) EFTA and Regulation E; (3) Regulation CC; (4) Regulation D; (5) 31 CFR Part 203, 208, 210 & 370; (6) UCC Articles 4 & 4A; (7) BSA/AML; (8) State EFT Acts; (9) FRB Operating Circular 4; (10) Private Sector ACH Operator Rules; (11) OFAC
40
Emerging payments are governed by these rules and regulations.
Generally, these are ACH or card transactions; therefore, the respective payment system rules and regulations would apply.
41
A company or individual that has been authorized by the Receiver to initiate either a credit or debit ACH entry to their account.
Originator
42
An individual or company that has authorized an Originator to initiate an ACH entry to their account with the RDFI.
Receiver
43
A financial institution that receives payment instructions from Originators and forwards the entries to the ACH Operator.
Originating Depository Financial Institution (ODFI)
44
A financial institution that receives ACH entries from the ACH Operator and posts the entries to the accounts of its depositors.
Receiving Depository Financial Institution (RDFI)
45
The central clearing facility for ACH transactions.
ACH Operator
46
A third-party that processes ACH files and/or entries on behalf of financial institutions and/or Originators.
Third-Party Service Provider
47
A third-party that provides ACH services to the Originator, and, in that capacity, acts as an intermediary between the Originator and ODFI.
Third-Party Sender
48
An entity that issues a credit or debit card to the Cardholder.
Card Issuer
49
The financial institution that contracts with a merchant to initiate payment requests to a card association or company in the context of credit and debit card payments.
Acquirer (Processor, Merchant Bank or Merchant Processor)
50
A person or entity that is issued a credit or debit account that is accessed using a card.
Cardholder
51
Network which provides switching facilities for the routing of credit, debit and ATM card transactions between Acquirers and Card Issuers
POS/ATM/Credit Card Network
52
Financial institution identified by the routing number encoded on the MICR line of a check.
Paying Bank (Payor's Depository Financial Institution)
53
The party to whom a check is made payable.
Payee
54
The first bank to which a check is deposited or transferred.
Bank of First Deposit (Payee's Depository Financial Institution)
55
The party obligated to pay on a check.
Payor (Check Writer, Maker or Drawer)
56
A voluntary association of depository institutions that facilitate the clearing of checks or electronic items through the direct exchange of funds between members.
Clearing House
57
Private depository institution, Bankers' Bank or Federal Reserve Bank providing clearing or settlement services to a Paying Bank or Bank of First Deposit.
Correspondent Bank
58
Financial institution that creates the image of the original check.
Truncating Bank
59
Financial institution that produces the Substitute Check or Image Replacement Document (IRD).
Reconverting Bank
60
Sender of the payment order in a funds or securities transfer.
Originator
61
Financial institution that initiates a funds transfer on behalf of the Originator.
Originating/Sender Bank
62
Entity that processes and settles Fedwire Funds.
Federal Reserve Bank
63
Financial institution identified in a funds transfer to be credited pursuant to the payment order.
Beneficiary's Bank
64
Person or entity to be paid in a funds transfer.
Beneficiary
65
Type of retail processing where a card payment is expected after the goods or services have been received; typically refers to credit payments (e.g., credit card).
Pay Later
66
Type of retail processing where a card payment is expected when the goods or services are received; generally associated with debit payments (e.g., debit card).
Pay Now
67
Type of retail processing where a card payment is made for goods or services with prepaid or stored-value cards.
Pay Before
68
Delivery system that enables paper checks to be processed remotely.
Remote Deposit Capture (RDC
69
Check created by a Payee based on the account holder's authorization that does not bear a signature.
Remotely Created Check (RCC)
70
A check that never appears in paper form.
Electronically Created Item (ECI)
71
An entry to the record of an account to represent the transfer or removal of funds from the account.
Debit Entry
72
An entry to the record of an account that represents the transfer or placement of funds into the account.
Credit Entry
73
A payment card issued to a person for purchasing goods and services through an electronic transfer of funds from a demand deposit account rather than using cash, checks or drafts at the point-of-sale.
Debit Card
74
A card indicating the holder has been granted a line of credit to make purchases or withdraw cash up to a prearranged ceiling.
Credit Card
75
A card-based payment system that assigns a value to the card; some cards can be "reloaded" through various methods and others are designed to be discarded.
Prepaid/Stored Value Card
76
A bank account established directly or indirectly by an employer on behalf of an employee to which an employee's wages are electronically transferred to.
Payroll Card Account
77
Global network messaging service supporting correspondent banking and financial market utilities.
SWIFT
78
Multilateral systems that provide the infrastructure for transferring, clearing and settling payments, securities and other financial transactions among financial institutions or between financial institutions and the system.
Financial Market Utilities (FMUs)
79
A set of specifications, standards or conventions that enable computer programs to exchange information.
Application Program Interface (API)
80
Computer-to-computer exchange of business documents and payment-related information in a standard electronic format between business partners.
Electronic Data Interchange (EDI)
81
Hosted service offering that acts as an intermediary between business partners to transmit data (i.e., business documents).
Value Added Network (VAN)
82
An international standard-setting body composed of representatives from various national standards organizations.
International Organization for Standards (ISO)
83
A type of database that is consensually shared and synchronized across nodes in a network spread across multiple sites, institutions or geographies.
Distributed Ledger Technology (DLT)
84
Uses algorithms to enable transactions to be aggregated in blocks, which are added to a chain of existing blocks using a cryptographic signature.
Blockchain
85
Total process required to identify, control and minimize the impact of uncertain events.
Risk Management
86
Amount of risk, on a broad level, an entity is willing to accept in pursuit of value.
Risk Appetite
87
Acceptable level of variation relative to achievement of a specific objective.
Risk Tolerance
88
Overall process of risk identification, analysis and evaluation.
Risk Assessment
89
Finding, recognizing and describing risks.
Risk Identification
90
Process to comprehend the nature of risks and determine the level of risks.
Risk Analysis
91
Process of comparing risk analysis results to determine if risk is at an acceptable level.
Risk Evaluation
92
Process to determine the likelihood of an adverse event or threat occurring and the potential impact of such an event on the institution.
Risk Measurement
93
Informed decision to accept or take a particular risk.
Risk Acceptance
94
Risk is accepted as tolerable and falls within the risk appetite.
Risk Acceptance without Treatment
95
Risks that are monitored and reviewed to ensure they remain within the risk appetite.
Risk Acceptance with Treatment
96
Informed decision to withdraw from or not become involved with an activity to avoid exposure to unwanted or unacceptable risks.
Risk Avoidance
97
Form of risk treatment involving an agreed-upon distribution of risk with other parties.
Risk Sharing
98
Form of risk sharing that allocates risk equitably.
Risk Assignment
99
Group of individuals that are elected as, or elected to act as, representatives of the stockholders to establish corporate management-related policies.
Board of Directors (Board)
100
Highest-ranking executive in an organization responsible for making major corporate decisions, managing overall operations and resources, and acting as the main point of communication with the Board.
Chief Executive Officer (CEO)
101
Group of individuals at the highest-levels of management of an organization who have the day-to-day tasks of managing the organization.
Senior Management Team (Executive Management, Management Team)
102
Group of individuals that may elect directors of an organization, including the CEO and CFO, and benefit through dividends or share buybacks.
Shareholders
103
Defines the course of action adopted for the sake of expediency and facilitation of objectives.
Policy
104
Defines the manner in which an organization will proceed, perform or affect something to accomplish the objectives of a policy.
Procedures
105
Method used to calculate the creditworthiness of an individual or business.
Credit Analysis
106
Clear, written guidelines that set the terms and conditions for supplying services on credit, qualification criteria, procedures for making collections and steps to be taken in case of customer delinquency.
Credit Policy
107
Process of reducing risks through the introduction of specific controls and risk transfer.
Risk Mitigation
108
A comprehensive written plan to maintain or resume business in the event of a disruption.
Business Continuity Plan (BCP)
109
Process of identifying the potential impact of uncontrolled, non-specific events on an institution's business processes.
Business Impact Analysis (BIA)
110
Comprehensive strategies to recover, resume and maintain all critical business functions.
Business Continuity Strategy
111
Testing method ensures critical personnel from all areas are familiar with the business continuity plan (BCP) and may be used as an effective training tool.
Tabletop Exercise/Structured Walk-Through Test
112
Testing method used to apply a specific event scenario to the business continuity plan (BCP).
Walk-Through Drill/Simulation Test
113
Testing method involves actual mobilization of personnel to other sites attempting to establish communications and perform actual recovery processing as outlined in the business continuity plan (BCP).
Functional Drill/Parallel Test
114
Testing method involves a simulated real-life emergency and all or portions of the business continuity plan (BCP) are implemented by processing data/transactions using back-up media at the recovery site.
Full-Interruption/Full-Scale Test
115
Name the four steps included in business continuity planning (BCP).
(1) Business Impact Analysis; (2) Risk assessment; (3) Risk management; (4) Risk monitoring and testing
116
Step in the BCP process that identifies the potential impact of uncontrolled, non-specific events on an institution's business processes.
Business Impact Analysis
117
Step in the BCP process that evaluates business processes and BIA assumptions using various threat scenarios.
Risk Assessment
118
A technique used to internally assess the effectiveness of risk management and control processes.
Control Self-Assessment
119
A plan that defines the action steps, involved resources and communication strategy upon identification of a threat or potential threat event, such as a breach in security protocol, power or telecommunications outage, severe weather or workplace violence.
Incident Response Plan
120
A method used to mitigate credit risk, also required by the ACH Rules.
Exposure Limits
121
Frequency in which a business continuity plan should be reviewed by internal or external auditors.
At least annually
122
Frequency in which an enterprise-wide business continuity tests should be conducted.
At least annually, or more frequently depending on changes in the operating environment
123
Controls to detect and/or prevent errors or misappropriations.
Financial Controls
124
Controls that align with board-approved risk appetite and inform employees of management's expectations.
Administrative Controls
125
Controls that establish policies and procedures that reduce risk and ensure operating, reporting and compliance objectives are met.
Procedural Controls
126
Controls to prevent and detect unauthorized activity.
Technical Controls
127
Law to protect consumers purchasing financial products and services requiring that consumers have access to information that lets them choose the option they believe is best for their situation.
Unfair, Deceptive or Abusive Acts or Practices (UDAAP)
128
Activity that is inconsistent with or deviating from what is usual, normal or expected.
Anomalous Activity
129
Name the FTC's "four Ps" for evaluating whether a representation, omission, act or practice is likely to mislead.
(1) Prominent - will the consumer notice the information; (2) Presented - is the format easy-to.understand; (3) Placement - is the information located where a consumer would expect to look; (4) Proximity - is the information close to the claim it qualifies
130
Name the five steps in the vendor management life cycle according to the FFIEC.
(1) Planning; (2) Due Diligence in Vendor Selection; (3) Contract Negotiation; (4) Ongoing Monitoring; (5) Termination
131
A mitigating technique designed to prevent an event from occurring.
Preventitive Control
132
A test of an institution's disaster recovery plan or BCP.
Business Continuity Test/Disaster Recovery Exercise
133
A document based on the institution's test scope and objectives and includes various test methods.
Test Plan
134
A testing activity designed to validate the continuity of business transactions and the replication of associated data.
Transaction Testing
135
Process by which an organization protects the creation, collection, storage, use, transmission and disposal of information.
Information Security
136
Process of verifying the identity of an individual user, machine, software component or any other entity.
Authentication
137
Something a person is, something a person knows or something a person has.
Authentication Factor
138
Method to verify an identity using one type of authentication factor.
Single-Factor Authentication
139
Method to verify an identity using two or more types of authentication factors.
Multifactor Authentication
140
Use of different controls at different points in a transaction process.
Layered Security
141
Name the authentication factor represented by a biometric characteristic, such as a fingerprint or iris pattern.
Something a Person Is
142
Name the authentication factor represented by a password or PIN.
Something a Person Knows
143
Name the authentication factor represented by an ATM/debit card, smart card or token.
Something a Person Has
144
Challenge questions that do not rely on information that is publicly available.
Out-of-Wallet Questions
145
Technique used to establish a "fingerprint identity" of a user's computer or other web access device.
Device Identification
146
Authentication technique that uses one-time cookies, PC configuration, IP address, geo-location and other factors.
Complex Device Identification
147
A data security technique that encodes information so that data appears as a meaningless string of letters and symbols during delivery or transmission.
Encryption
148
Disposal technique used to destroy sensitive, electronic data on devices by replacing it with new, random data.
Overwriting
149
Disposal technique using powerful, varying magnetic fields to scramble data recorded on media.
Degaussing
150
Two main types of access control.
(1) Physical access control, (2) Logical access control
151
Access control that limits access to buildings, rooms and physical IT assets.
Physical Access Control
152
Access control that limits connections to computer networks, system files and data.
Logical Access Control
153
Security technique used to regulate who or what can view or use resources in a computing environment.
User Access Controls
154
A weakness in automated system security procedures, administrative controls, physical layout, internal controls, etc., that could be exploited to gain unauthorized access to information or to disrupt critical processing.
Vulnerability
155
5
Systematic examination of an information system or product to determine the adequacy of security measures and identify security deficiencies.
Vulnerability Anaylsis
156
Systematic examination of systems to identify, quantify and prioritize the security deficiencies of the systems.
Vulnerability Assessment
157
Payment system governed by the ACH Rules, UCC 4, UCC 4A, Electronic Fund Transfer Act, OFAC, Regulation E, The Right to Financial Privacy, Regulation D and Regulation CC.
ACH Network
158
8
| Payment system governed by UCC 4A, OFAC, Regulation J and Regulation CC.
Wire Transfer Payment System
159
Payment system governed by the Electronic Fund Transfer Act, Regulation Z, Card Association Rules and Fair Credit Billing.
Card Payment System
160
Payment system governed by the Expedited Funds Availability Act, UCC 3, UCC 4, OFAC, Regulation CC and Regulation J.
Check Payment System
161
Implements the Expedited Funds Availability Act of 1987.
Regulation CC
162
Transactions governed by UCC 4A.
Commercial wholesale credits, including wire transfers and CCD/CTX credits
163
Governs the clearing and settlement of ACH credit and debit items by the Federal Reserve Banks, ODFIs and RDFIs.
Federal Reserve Bank Operating Circular 4 (OC 4)
164
Provided for within the Debt Collection Improvement Act of 1996 requiring that virtually all non-tax related payments made by the federal government be made via electronic funds transfer.
The Electronic Funds Transfer (EFT) Mandate
165
Governs check collection through the Federal Reserve Bank and wire transfer.
Regulation J
166
Governs federal government payments made via the ACH Network.
Title 31 of the Code of Federal Regulations (CFR) Part 210
167
Provides rules for financial institutions that use EFT to process federal tax payments through EFTPS.
Title 31 of the Code of Federal Regulation (CFR) Part 203
168
Governs the handling of payments for the Bureau of Public Debt made through the ACH Network.
Title 31 of the Code of Federal Regulation (CFR) Part 370
169
Establishes reserve requirements and identifies non-transaction accounts.
Regulation D
170
Implements the Electronic Fund Transfer Act (EFTA).
Regulation E
171
Designed to help consumers "comparison shop" for credit by requiring disclosures about terms and cost.
Regulation Z
172
Administers economic sanctions and embargo programs that require assets and transactions involving the interest of targeted parties be blocked or frozen.
Office of Foreign Assets Control (OFAC)
173
Any agreement, authorization, Written Statement of Unauthorized Debit or other record that requires signatures or similarly authenticated methods may use an electronic signature in conformity with the terms of this Act.
Electronic Signatures in Global and National Commerce Act (E-Sign Act)
174
Primary source of rules for the commercial ACH Network defining obligations and liabilities of Participating DFIs.
Nacha Operating Rules (a.k.a. ACH Rules)
175
Act, also known as the Financial Services Modernization Act of 1999, required federal banking agencies to establish information security standards for financial institutions.
Gramm-Leach-Bliley Act (GLBA)
176
Act requires financial institutions to assist U.S. government agencies to detect and prevent money laundering.
Bank Secrecy Act (BSA)
177
Act broadened the scope of the Bank Secrecy Act to focus on terrorist financing.
USA PATRIOT Act
178
Program requiring financial institutions to verify the identity of a person seeking to open an account, to maintain records of the information used to verify an identity and to consult government known or suspected terrorist lists.
Customer Identification Program (CIP)
179
Governs the treatment of a consumer's non-public personal information by financial institutions.
Regulation P
180
Defines a negotiable check and types of endorsements.
Uniform Commercial Code Article 3 (UCC 3)
181
Governs check collection outside the Federal Reserve Bank.
Uniform Commercial Code Article 4 (UCC 4)
182
Governs wholesale credit transfers, which include wired funds and CCD and CTX credit entries.
Uniform Commercial Code Article 4A (UCC 4A)
183
Defines Federal Reserve Bank and financial institution responsibilities in clearing checks.
Federal Reserve Bank Operating Circular 3 (OC 3)
184
Terms under which an institution may access certain services and applications provided by a Federal Reserve Bank and under which an institution may send or receive data from a Federal Reserve Bank by means of an electronic connection.
Federal Reserve Bank Operating Circular 5 (OC 5)
185
Defines Federal Reserve Bank and financial institution responsibilities in transmitting funds transfers through the Fedwire Funds Service.
Federal Reserve Bank Operating Circular 6 (OC 6)
186
Federal Reserve policy addressing the risks that payment systems present to the Federal Reserve Banks, the banking system and to other sectors of the economy.
Payments System Risk (PSR) Policy
187
Reports required to be filed by the Bank Secrecy Act when a financial institution identifies or suspects fraudulent activity.
Suspicious Activity Report (SAR)
