FFIEC From 2025 Preg Guide Exhibit Flashcards
What is the Bank Secrecy Act (BSA)?
Collaborative effort of federal/state banking agencies and FinCEN (Financial Crimes Enforcement Network)
− Provides guidance on identifying and controlling risks associated with money laundering and terrorist financing
− Provides guidance to examiners for BSA/AML examinations
What is the objective of the BSA AML Examination Manual?
Objective: To help identify the source, volume, and movement of currency and other monetary instruments transported or transmitted into or out of the United States or deposited in financial institutions
What does the BSA/AML examination manual require?
− Requires individuals, banks, and other financial institutions to:
o File currency reports with U.S. Treasury Dept.
o Properly identify persons conducting transactions
o Maintain a paper trail by keeping appropriate records of financial transactions
− Records enable law enforcement and regulatory agencies to pursue investigations of criminal, tax, and regulatory violations, if warranted
What does the BSA/AML examination manual include?
Manual includes information on:
Suspicious Activity Reporting (SAR)
Currency Transaction Reporting (CTR)
Correspondent Accounts (Foreign)
Automated Clearing House Transaction (ACH)
Third-Party Payment Processors
What is the Anti-Money Laundering Act (AML)?
The Money Laundering Control Act of 1986
Augmented the BSA’s effectiveness by adding interrelated sections to the Federal Deposit Insurance Act (FDIA) and the Federal Credit Union Act (FCUA) to apply equally to banks of all charters
Imposes criminal liability on a person or financial institution that knowingly assists in the laundering of money, or that structures transactions to avoid reporting them
How is the FFIEC’s BSA/AML Examination Manual used?
Provides guidance to examiners for carrying out BSA/AML and Office of Foreign Assets Control (OFAC) examinations.
Provides guidance on identifying and controlling risks associated with money laundering and terrorist financing
Contains an overview of:
BSA/AML compliance program requirements
BSA/AML risks and risk management expectations
Industry sound practices, and
Examination procedures
What is a SAR?
Suspicious Activity Report (SAR): Developed to be used by all banking organizations in the United States.
When should a SAR be filed?
A banking organization is required to file a SAR whenever it detects:
Known or suspected criminal violation of federal law
Suspicious transaction related to money laundering activity
Other violation of the BSA
What requirements should a BSA/AML compliance program include?
internal controls
- policies and procedures to ensure ongoing compliance
- provide timely updates to regulatory changes
- incorporate dual controls and segregation of duties
independent testing
- conducted by bank or outside party
- testing to ensure internal controls are aligned with risk profile
BSA compliance officer
- designation for coordinating and monitoring day-to-day compliance
Training for appropriate personnel
- should include examples of money laundering and suspicious activity monitoring and reporting
What is MFS?
MFS are the products and services that a financial institution provides to its customers through mobile devices. The mobile channel provides an opportunity for financial institutions of all sizes to increase customer access to financial services and decrease costs. Although the risks from traditional delivery channels for financial services continue to apply to MFS, the risk management strategies may differ.
What risk management strategies should MFS apply?
Management should identify the risks involved with transaction initiation, authentication and authorization, and the MFS technology itself
Some of the operational risks are associated with the mobile device and how the device communicates with the POS or other similar terminal
Management should incorporate the identification of risks associated with mobile devices,
What is SMS (Short Message Service) technology risk?
SMS messages typically are transmitted unencrypted over widely used telecommunications networks.
The messages are also vulnerable to spoofing, which allows an unauthorized user to send an SMS message pretending to be from a different mobile number to mislead a customer into providing sensitive information to the unauthorized user.
Similarly, fraudulent SMS messages may mislead customers into revealing financial institution account information or information used to access financial institution systems
What does MFS say about Mobile-Enabled Web Site Risk?
Mobile-enabled Web sites rely on existing Internet security protocols, which make the sites subject to many of the same vulnerabilities that can compromise computer-based banking.
Additionally, mobile devices can be limited by their hardware and operating systems, which can result in a reduced level of security
Why is Information Security guidance important?
Part of Information Technology Examination Handbook
Read in conjunction with IT handbook
Provides guidance for:
Assessing level of security risks to a financial institution’s information systems
Information Security Programs:
Need strong board and senior management support
Ability for institution’s board/management to continually review as new threats, technologies, and business conditions arise
What does the guidance recommend as effective IT governance?
− Implementation and promotion of SECURITY CULTURE
o Integration of security activities and controls throughout the institution’s business processes
− Assignment of responsibilities and accountability
o Strong board and senior management support with established and clearly communicated accountability for carrying out security responsibilities
− Effective use of resources
o Funding and technical and managerial talent contribute to effectiveness of information security program
What are four key steps in establishing and supporting an effective operational risk management program?
Effective information security programs should be commensurate with the institution’s operational complexities and should include these four components:
Risk identification
Risk measurement
Risk mitigation
Risk monitoring and reporting
What actions or events increase risk and the potential adverse effects for a business?
Disclosure of information to unauthorized individuals
Unavailability or degradation of services
Misappropriation or theft of information or services
Modification or destruction of systems or information
Records that are not timely, accurate, complete, or consistent
What is the general purpose of the Retail Payment Systems guide?
To provide guidance to examiners, financial institutions, and technology service providers on identifying and controlling risks associated with retail payment systems and related banking activities
What are the retail payment services included in the retail payment systems guide?
Presents an overview of retail payment systems, grouping retail payment instruments in various categories:
o ACH
o Checks
o Card-based electronic payments
o Other electronic payments (P2P, electronic benefits transfer, etc.)
What are the three sections of the retail payment systems guide?
Retail Payment Systems Overview
Payment Instruments, Clearing, and Settlement
Retail Payment Systems Risk Management
Why are retail payment systems increasingly at risk?
New payment instruments have emerged recently that are largely or wholly electronic
New payment mechanisms can enable rapid propagation of fraud, money laundering, and operational disruption if data is compromised
Compared to mature payment systems, emerging payment systems are more difficult to assess and require diligent oversight to understand the risks and associated controls
What are the six primary risk categories associated with retail payment systems described in this guidance?
Risks associated with various retail payment systems and instruments fall into these regulatory risk categories:
Strategic risk
Credit risk
Reputational risk
Operational/transaction risk
Liquidity and settlement risk
Legal/compliance risk
What is remote deposit capture (RDC)?
RDC is a deposit transaction delivery system that allows financial institutions to receive digital information from deposit documents captured at remote locations such as:
Branches or ATMs
Domestic and foreign correspondents
Commercial and/or retail customer locations
Why are strong customer and/or vendor contracts needed for RDC?
Unlike traditional deposit delivery systems, RDC enables the customer to deposit items electronically and then retain the original physical documents, introducing additional risks
− Financial institutions sending those items for collection or presentment make the warranties and take on liabilities under UCC and Regulation CC and/or Regulation J
What key provisions should be included in a strong, well-constructed RDC contract or customer agreement?
RDC AGREEMENTS should consider the following:
(REARRRLLF)
ROLES and responsibilities of the parties
Governing LAWS, regulations, and rules
Allocation of LIABILITY, warranties, indemnification, and dispute resolution
ELIGIBLE ITEMS that may be deposited via RDC
Handling and record RETENTION procedures
FUNDS AVAILABILITY and collected funds requirements
Authority of financial institution to:
Mandate controls at the customer’s locations
Require periodic audits of the RDC process, including the IT infrastructure
Terminate the RDC relationship
What two general areas of risk are considered in the RDC Risk Management Assessment step?
Legal and compliance risk
- Risks related to UCC, Regulation CC, Regulation J and/or other applicable laws, agreements and rules
Operational risk
- Risks associated with how and where nonpublic personal information is captured, transmitted, retained, and destroyed; and
- Confidentiality, integrity, and availability of data from its IT systems and systems used by its service providers and RDC customers
- In the typical RDC process, original deposit items are not submitted to the financial institution but are retained by the customer or the customer’s service provider. Therefore, it is important for the financial institution to require customers to implement appropriate document
In general, describe areas where the guidance recommends due diligence to mitigate and control risk
- Know Your Customer (Customer Due Diligence)
- Check Your Vendors (Vendor Due Diligence)
- Train Your Users
- Sign Agreements
Customer Due Diligence and Suitability
Establish appropriate guidelines to qualify customers for this service
Vendor Due Diligence and Suitability
Ensure implementation of sound vendor management processes as described in the FFIEC IT Examination Handbook
RDC Training for Customers
Ensure customers understand their role in managing risks and monitoring for errors or unauthorized activity
Contracts and Agreements
Business Continuity: Ensure the financial institution’s ability to recover and resume RDC operations to meet customer service requirements when an unexpected disruption occurs
Why is the measurement and ongoing monitoring of RDC risk required?
Effective oversight/monitoring and reporting.
Effective management oversight involves regularly reviewing the reports and periodically conducting reviews and operational risk assessments to help ensure:
RDC activities have effective oversight; and
Related monitoring and reporting accurately reflect current policies and procedures supporting sound business practices
What should be included in a risk management plan for RDC?
Risk assessment to identify the related types and levels of risk exposure.
Appropriate technology and process controls implemented at both the financial institution and customer location(s) to address operational risk.
Management should establish appropriate risk-based guidelines to qualify customers for this service.
Management should ensure that customers receive sufficient training, whether the customer obtains the RDC system from the financial institution or from a third-party servicer.
Comprehensive contracts and customer agreements that clearly identify the roles, responsibilities, and liabilities of all parties in the RDC process to minimize exposure to legal and compliance risks.
Financial institution management and the customer should implement effective risk measurement and monitoring systems.
The financial institution’s business continuity plan should address RDC systems and business processes, and the testing activities should assess whether restoration of systems and processes meets recovery objectives and time frames.
When appropriate and available, insurance coverage to transfer risk.