FFIEC Flashcards
What are all the different sections of the FFIEC?
BSA/Anti-Money Laundering (BSA/AML) Examination Manual
Authentication and Access of Financial Institution Services and Systems
Information Security
Architecture, Infrastructure, and Operations
Retail Payment Systems
Remote Deposit Capture Supervisory Guidance
What is BSA?
Passed by Congress (1970) as “Currency and Foreign Transactions Reporting Act”
To help identify the source, volume, and movement of currency and other monetary instruments transported or transmitted into or out of the United States or deposited in financial institutions
What is the Money Laundering Control Act?
The Money Laundering Control Act of 1986
Imposes criminal liability on a person or financial institution that knowingly assists in the laundering of money, or that structures transactions to avoid reporting requirements
How is the FFIEC’s BSA/AML Examination Manual used?
Provides guidance to examiners for carrying out BSA/AML and Office of Foreign Assets Control (OFAC) examinations
Provides guidance on identifying and controlling risks associated with money laundering and terrorist financing
What is a SAR?
Suspicious Activity Report (SAR): introduced in 1996 as the common form for all banking organizations in the United States to report suspicious activity
What is the Authentication and Access to Financial Institution Services and Systems guidance?
Highlights risk management practices that support oversight of identification, authentication, and access solutions as part of an institution’s information security program.
- addresses cybersecurity threats, including attacks that use compromised credentials
- focuses on risk assessment to determine appropriate access and authentication practices for the wide range of users accessing financial institution systems and services
- emphasizes layered security and underscores the weaknesses of single-factor authentication
- multi-factor authentication or controls of equivalent strength can
What are examples of effective risk assessment practices?
- Inventory of Information Systems
- Inventory of Digital Banking Services and Customers
- Identify Customers Engaged in High-Risk Transactions
- Identify Users
- High-Risk User Identification
- Threat Identification
- Controls Assessment
What is layered security?
Layered security incorporates multiple preventative, detective, and corrective controls, and is designed to compensate for potential weaknesses in any one control.
What is multi-factor authentication?
An authentication system that requires more than one distinct authentication factor f
What key topics should management consider for an effective Information Security governance program?
Implementation and promotion of a security culture
- Foster awareness and integrate security activities and controls throughout the institution’s business processes
Assignment of responsibilities and accountability
- Strong board and senior management support, with established and clearly communicated accountability for carrying out security responsibilities at all levels
Effective use of resources
- Funding and technical and managerial talent that contribute to the effectiveness of the information security program
What are four key components of an effective risk management program?
- Risk identification
- Risk measurement
- Risk mitigation
- Risk monitoring and reporting
What are commonly accepted objectives of a risk management program?
- Confidentiality of information
- Integrity of information
- Availability of information
What actions or events increase potential adverse effects on a financial institution’s earnings, capital, or enterprise value?
- Disclosure of information to unauthorized individuals;
- Unavailability or degradation of services;
- Misappropriation or theft of information or services;
- Modification or destruction of systems or information;
- Records that are not timely, accurate, complete, or consistent
What is the purpose of the Architecture, Infrastructure, and Operations examination booklet?
Addresses IT operations in the context of tactical management and daily delivery of technology to:
- capture
- transmit
- process
- store
information assets
Evaluates:
- the institution’s controls and risk management processes relative to the risks of technology systems within or connected to the institution
What is the “environmental survey” that regulators expect financial institutions to undertake?
A survey that provides a comprehensive understanding of the institution’s operations universe, including technology embedded in business lines, in functional support areas, and at physical locations
- Gains an enterprise-level view by documenting resources, physical locations, hardware and software configurations, and interfaces and interdependencies
- The survey should include:
o A view of the capture, processing flow, and storage of data throughout the institution; and
o An inventory of information technology assets
What are the high-level topics management should identify in an IT operations environmental survey?
IT Operations:
* Internal and external risks;
* Risks associated with individual platforms, systems, or processes as well as those of a systemic nature;
* Quality and quantity of risk mitigation controls;
* Probability of a threat or vulnerability and the financial consequences of such an event
What are the high-level topics management should identify in an IT operations environmental risk assessment?
- Importance and business criticality;
- Extent of system or process change;
- Source of system access (internal or external, including Internet, dial-up, etc.);
- Source of application (commercial off-the-shelf, in-house developed, a combination of the two, etc.);
- Scope and criticality of systems or business units affected;
- Transaction volume and dollar value of transactions;
- Classification or sensitivity of data processed or used;
- Experience level and capability of functional area management including number of staff and staff stability;
- Number of users and customers;
- Changes in the legal, regulatory, or compliance environments;
- Presence of new or emerging risks with developing technology or technology obsolescence
What is the general purpose of the Retail Payment Systems booklet?
To provide guidance to examiners, financial institutions, and technology service providers on identifying and controlling risks associated with retail payment systems and related banking activities
Retail payments include:
o ACH
o Checks
o Card-based electronic payments
o Other electronic payments (P2P, electronic benefits transfer, etc.)
Three sections:
o Retail Payment Systems Overview
o Payment Instruments, Clearing, and Settlement
o Retail Payment Systems Risk Management
Why are retail payment systems increasingly at risk?
New payment instruments have emerged recently that are largely or wholly electronic
- faster payments, RTP, etc.
What are the six primary risk categories associated with retail payment systems described in this guidance?
- Strategic risk
o Associated with the financial institution’s mission and future business plans
- Credit risk
o Arises when a party will not settle an obligation for full value; can involve multiple FIs and third-party entities
- Reputation risk
o Arises when negative publicity regarding an institution’s business practices leads to a loss of revenue or litigation
- Operational/transaction risk
o Risk of loss resulting from inadequate or failed internal processes, people and systems, or external events
- Liquidity risk
o Current or potential risk to earnings or capital arising from a financial institution’s inability to meet obligations when due without incurring unacceptable losses
- Legal/compliance risk
o Arises from failure to comply with statutory or regulatory obligations
What is remote deposit capture (RDC)?
RDC is a deposit transaction delivery system that allows financial institutions to receive digital information from deposit documents captured at remote locations.
Why are strong customer and/or vendor contracts needed for RDC?
RDC enables the customer to deposit items electronically and then retain the original physical documents, which introduces additional risks (for example, duplicate presentment of the same item) that must be allocated contractually
In general, describe types of controls that a financial institution can consider implementing to mitigate and control RDC risks.
Customer Due Diligence and Suitability
Vendor Due Diligence and Suitability
RDC Training for Customers
Contracts and Agreements
What key provisions should be included in a well-constructed RDC contract or customer agreement?
- Roles and responsibilities of the parties;
- Governing laws, regulations, and rules;
- Allocation of liability, warranties, indemnification;
- Dispute resolution;
- Eligible items that may be deposited via RDC;
- Handling and record retention procedures;
- Funds availability and collected funds requirements;
- Authority of financial institution to mandate controls at the customer’s locations including periodic audits of the RDC process; and ability to terminate the RDC relationship.
What two general areas of risk are considered in the RDC risk assessment step?
Compliance risk
Operational risk
- Confidentiality, integrity, and availability of data in the institution’s IT systems and in systems used by service providers and RDC customers
Why do regulators expect financial institutions to develop and implement risk measuring and monitoring systems?
To help ensure that:
- RDC activities have effective oversight; and
- related monitoring and reporting accurately reflect current policies and procedures supporting sound business practices