Fraud

Question 1

Which type of fraud is described as a “Technologically advanced form of electronic crime involving explotation of businesses of all sizes, especially those with limited computer safeguards or disbursement controls for online business banking?”

Answer 1

Corporate Account Takeover

Question 2

Which type of fraud occurs when cyber theives gain access to a company’s computer system to steal confidential banking information to then impersonate the business and initiate fraudulent electronic transfers to unauthorized accounts?

Malicious software can automate many elements of this type of fraud by circumventing forms of multi-factor authentication.

Answer 2

Corporate Account Takeover

Question 3

What are the types of Deposit Account Fraud?

Answer 3

1. Check Kiting
2. Closed Account Fraud
3. Paper-Hanging
4. New Account Fraud

Question 4

What is Paper-Hanging?

Answer 4

Customer purposely writing checks on closed accounts, as well as reordering checks on closed accounts.

Question 5

What is DDoS an acryonym for and what is it?

Answer 5

Distributed Denial of Service which is a type of fraud tied to an attack on a public website.

Question 6

This type of fraud is designed to slow website response times, preventing customers from accessing the website and/or online services, and adversely affecting back office operations. It may also serve as a diversion by criminals to commit fraud with stolen customer/employee login credentials to initiate fraudulent electronic payments (Wire, ACH).

Answer 6

Distributed Denial of Service (DDoS)

Question 7

What types of risk can a financial institution face as a result of a DDoS attack?

Answer 7

Operational and Reputation risk if the attack is coupled with any fraud attempts. If any of those fraud attempts result in financial losses to the bank then they could also experience Liquidity and Capital risks.

Question 8

What type of fraud increases following a natural disaster?

Answer 8

Forged Checks

Question 9

What are common characteristics of Altered checks?

Answer 9

• Ink that smears when rubbed
• Numeric vs. written dollar amounts are different
• Different color pen ink
• Inconsistent spacing where the numeric portion has been altered
• Inconsistent font from different printers/typewriters
• MICR line altered to delay clearing

Question 10

What are common characteristics of Counterfeit checks?

Answer 10

• Poor quality paper stock
• Absence of on serated edge or the check printer’s name/trademark
• Misspelled printed information
• Inconsistent or out of range check numbers
• MICR line missing, crooked, shiny or not machine readable
• Check number in wrong position of MICR line

Question 11

What type of fraud is based on the creation of demand drafts?

Answer 11

Telemarketing

Question 12

What are the general methods for a financial institution to deter all types of payments fraud?

Answer 12

• Know Your Customer
• Teller Training
• Full extent prosecution
• Review customer ID thoroughly
• Maintain seperation of functions
• Maintain permanent signature cards and appropriate business documentation
• Advise customer to destroy checks for unused or closed accounts
• Properly close accounts
• Be engaged with financial services industry conferences and work groups

Question 13

What are paper security features?

Answer 13

• Watermarks
• Copy void/Chemical void
• High Resolution Micro-printing
• Three dimensional
• Security Links
• Bar codes
• Optical Variable Ink (OVI)
• Thermo-chromatic ink

Question 14

What are Image-surviavable Security Features (ICSF) and what are the two primary purposes?

Answer 14

ICSF are security features through the use of cryptographic techniques and security marks that remain effective after imaging to:
1. authenticate an original document, and
2. deter fraud by thwarting different methods to alter or replicate checks.

Question 15

What are the six types of retail payments risk outlined by FFIEC?

Answer 15

1. Strategic Risk
2. Credit Risk
3. Reputation Risk
4. Operational Risk
5. Legal (Compliance) Risk
6. Liquidity Risk

S.C.R.O.L.L.

Question 16

What is FFIEC an acrynym for?

Answer 16

Federal Financial Institutions Examination Council

Question 17

What is the FFIEC?

Answer 17

• Formal interagency body that perscribes uniform principles, standards, and report forms for the federal examination of financial institutions, and
• makes recommendations to promote uniformity in the supervision of financial institutions.

Question 18

What are the various agencies that support the FFIEC?

Answer 18

• the Board of Governors of the Federal Reserve Bank
• the Federal Deposit Insurance Corporation (FDIC)
• the National Credit Union Administration (NCUA)
• the Office of the Comptroller of the Currency (OCC)
• the Consumer Financial Protection Bureau (CFPB)

Question 19

What are the steps of Money Laundering?

Answer 19

1. Placement - introduce illegal funds in the the financial system without attracting attention of financial institutions or law enforcement.
2. Layering - moving funds around the financial system through a complex series of transactions to create confusion and complicate the paper trail.
3. Integration - create the appearance of legality through additional transactions.

Question 20

What does USA PATRIOT Act stand for and when was it enacted?

Answer 20

Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism - 2001

Question 21

What is included in the BSA/AML Examination Manual?

Answer 21

• Suspicious Activity Reporting (SAR)
• Currency Transaction Reporting (CTR)
• Foreign Correspondent Account Recordkeeping
• Correspondent Accounts (Foreign)
• Bulk shipments of Currency
• Automated Clearing House (ACH) Transactions
• Third-Party Payment Processors

Question 22

What are four key steps in establishing and supporting an effective operational risk management program?

Answer 22

1. Risk Identification
2. Risk Measurement
3. Risk Mitigation
4. Risk Monitoring and Reporting

FFIEC Guidance to Information Security 2016

Question 23

What is recommended as effective IT governance?

Answer 23

Governance is generally found in the IT Handbook’s Management booklet, but specific topics related to Information Security are:
* Implementation and promotion of security culture
* Assignment of responsibilities and accountability
* Effective use of resources

FFIEC Guidance to Information Security 2016

Question 24

What actions increase risk and potential adverse effects for a business?

Answer 24

• Disclosure of information to unauthorized individuals
• Unavailability or degradation of services
• Misappropriation or theft of information services
• Modification or destruction of systems or information
• Records that are NOT timely, accurate, complete, or consistent

FFIEC Guidance to Information Security 2016

Question 25

What key provisions should be included in a strong, well-constructed RDC contract or customer agreement?

Answer 25

• Roles an Respnsibilities of all parties
• Governing laws, rules, & regulations
• Allocation of liability, warranties, indemnification, & dispute resolution
• Eligible items that may be deposited via RDC
• Handling and record retention procedures
• Funds availablity and collected funds requirements
• Authority of financial institution to: (1) Mandate controls at the customer’s locations; (2) Require periodic audits of the RDC process, including the IT infastructure; (3) Terminate the RDC relationship

Supervisory Guidance for Remote Deposit Capture - Jan 2009

Question 26

What two areas of risk are considered in the RDC Risk Management Assesment step?

Answer 26

1. Legal and compliance risk
2. Operational risk

Supervisory Guidance for Remote Deposit Capture - Jan 2009

Question 27

Which areas does the Supervisory Guidance to RDC recommend due diligence to mitigate and control risk?

Answer 27

1. Customer Due Diligence and Suitability
   
   • Establish guidlines to qualify customers for RDC.
2. Vendor Due Diligence and Suitability
   
   • Ensure implementation of sound vendor management processes as described in the FFIEC IT Examination handbook.
3. RDC training for customers
   
   • Ensure customers understand their role in managing risks and monitoring for errors or unauthorized activity
4. Contracts and agreements
   
   • Business Continuity: Ensure FI can recover and resume RDC operations to meet customer service requirements

Supervisory Guidance for Remote Deposit Capture - Jan 2009

Question 28

Which FFIEC guidance provides risk management framework for Financial Institutions offering internet-based services?

Answer 28

Authentication and Access to Financial Institution Services and Systems*

• This Guidance replaces the FFIEC-issued Authentication in an Internet Banking Environment (2005) and the Supplement to Authentication in an Internet Banking Environment (2011)

Question 29

What type of risk is associated with the financial institutions mission and future business plans?

Answer 29

Strategic risk

Question 30

What are examples of Strategic risk and preventative measures?

Answer 30

Examples:
* Plans for entering new business lines
* Expanding existing services through mergers & aquisitions
* Enhancing infastructure

Preventative Measures:
* Strategic planning process that addresses retail payment business goals and objectives supporting IT components
* Third-party service providers; Need comprehensive planning/vendor management

Question 31

What type of risk occurs when negative publicity regarding an institution’s business practice leads to a loss of revenue or litigation?

Answer 31

Reputational risk

Question 32

What type of risk may be associated with activities of third-party service providers, such as operational failures/system disruptions, and lack of security and privacy policies resulting in realease of customer information.

Answer 32

Reputaional risk

Question 33

What are preventative measures of reputational risk?

Answer 33

• Carefully review all contracts
• Ensure management oversight of third-party service providers.

Question 34

What type of risk arises when a party will not settle an obligation for full value?

Answer 34

Credit risk

Comparable to an extension of credit

Question 35

What are preventative measures to mitigate credit risk?

Answer 35

• Require limits (deposit & transaction)
• Require pre-funding for credit originators
• Require adequate risk-based reserves for debit originators
• Financial benchmarks and reporting
• Credit checks & background checks

Question 36

What is a risk of loss resulting from inadequate of failed internal processes, people and systems, or external events?

Answer 36

Operational risk

Question 37

What are examples of operational risk and preventative measures?

Answer 37

Examples:
* Communications Failure
* Disaster
* Hardware Failure/Power Failure
* Software Failure
* Human Error
* Staffing Issues

Preventative Measures:
* Qualified/Trained Staff
* Polices and Procedures
* Monitoring and Auditing

Question 38

What type of risk arises from failure to comply with statutory or regulatory obligations?

Answer 38

Legal (Compliance) risk

Question 39

What are preventative measures of legal risk?

Answer 39

• Be aware of changing legal and regulatory requirements, as well as new network rules thatmight create unexpected liability
• Review processing arrangements with third-party service providers and originators to ensure all such arrangements are governed by clearly written contracts that define the outsourced responsibilities and liabilities.

Question 40

What type of risk is defined as “Current and potential risk to earnings or capital arising from a financial institution’s inability to meet its obilgations when they come due without incurring unacceptable losses?”

Answer 40

Liquidity risk

Question 41

What is BCM and its purpose?

Answer 41

Business Continuity Management - Establishes basis for financial institution to recover and resume business processes when operations are unexpectedly disrupted.

Question 42

What are the goals of a enterprise-wide BCM strategy?

Answer 42

• Minimize financial losses to the institiution
• Serve customers and fianancial markets with minimal disruptions
• Mitigate negative effects of disruptions on business operations

Question 43

Components of the BCM should include guidelines for what?

Answer 43

• Personnel
• Communications
• Technology Issues
• Facilities
• Electronic payment systems
• Liquidity concerns
• Financial disbursement
• Manual operations

Question 44

What are the four main steps in developing a BCM?

Answer 44

1. Business Impact Analysis - Identification of potential impact of uncontrolled events on business functions and processes.
2. Risk Assessment- Analysis on threats and prioritization of potential disruptions based on severity.
3. Risk Management - Id, assess, and reduce risk to acceptable level and develop, implement, and maintain written enterprise-wide BCM.
4. Risk Monitoring & Testing- Regular assessment and revision and incorporate BIA & risk assessment findings into BCM.

Question 45

What are the goals of BIA?

Answer 45

1. Determine criticality
2. Estimate maximum downtime
3. Evaluate resource requirements.

Question 46

What is the role of the risk assessment when developing a BCM?

Answer 46

• Assess/analyze threats based upon business impact
• Evaluate BIA assumptions using various threat scenarios
• Perform gap analysis to compare existing BCM to current policies and procedures and identify what should be implemented.

Question 47

What events could invoke the BCM?

Answer 47

• Hardware/equipment malfunctioned or destroyed
• Critical personnel are unavailable or out of contact
• Critical buildings, facilities, or geographic regions not accessible
• Vital records not available
• Third-party services not available
• Utilities not available (power, telecommunications)
• Liquidity needs cannot be met

Question 48

What is the Board responsible for overseeing with the BCM?

Answer 48

• Assigning BCM responsibility and accountability
• Allocating resources to BCM
• Aligning BCM with the entitiy’s business strategy and risk appetite
• Understanding business continuity risks and adopting policies and plans to manage events
• Reviewing business continuity operating results and performance through management reporting , testing and auditing
• Providing a credible challange to management responsible for the BCM process.

Question 49

What is Management reponsible for overseeing with the BCM?

Answer 49

• Defining BCM roles, responsibilities, and succession plans
• Allocating knowledgable personnel and sufficient financial resources
• Validating that personnel understand their roles and responsibilities
• Establishing measurable goal which the BCM performance is assessed
• Designing and implementing a business continuity exercise strategy
• Confirming exercises, tests and training are consistent with the strategy
• Resolving weaknesses identified in the tests
• Meeting regularly with designated BCM coordinator to discuss policy changes, exercises, tests, and training.
• Assessing and updateing strategies and plans to reflect current operations
• Coordinating plans and responses with external groups.