Payments Risk Management Controls Flashcards
Process of reducing risks through the introduction of specific controls and risk transfer.
Risk Mitigation
A comprehensive written plan to maintain or resume business in the event of a disruption.
Business Continuity Plan (BCP)
Process of identifying the potential impact of uncontrolled, non-specific events on an institution’s business processes.
Business Impact Analysis (BIA)
Comprehensive strategies to recover, resume and maintain all critical business functions.
Business Continuity Strategy
Testing method that ensures critical personnel from all areas are familiar with the business continuity plan (BCP) and may be used as an effective training tool.
Tabletop Exercise/Structured Walk-Through Test
Testing method used to apply a specific event scenario to the business continuity plan (BCP).
Walk-Through Drill/Simulation Test
Testing method that involves actual mobilization of personnel to other sites, attempting to establish communications and perform actual recovery processing as outlined in the business continuity plan (BCP).
Functional Drill/Parallel Test
Testing method that involves a simulated real-life emergency in which all or portions of the business continuity plan (BCP) are implemented by processing data/transactions using back-up media at the recovery site.
Full-Interruption/Full-Scale Test
Name the four steps included in business continuity planning (BCP).
(1) Business Impact Analysis; (2) Risk assessment; (3) Risk management; (4) Risk monitoring and testing
Step in the BCP process that identifies the potential impact of uncontrolled, non-specific events on an institution’s business processes.
Business Impact Analysis
Step in the BCP process that evaluates business processes and BIA assumptions using various threat scenarios.
Risk Assessment
A technique used to internally assess the effectiveness of risk management and control processes.
Control Self-Assessment
A plan that defines the action steps, involved resources and communication strategy upon identification of a threat or potential threat event, such as a breach in security protocol, power or telecommunications outage, severe weather or workplace violence.
Incident Response Plan
A method used to mitigate credit risk, also required by the ACH Rules.
Exposure Limits
Frequency with which a business continuity plan should be reviewed by internal or external auditors.
At least annually
Frequency with which enterprise-wide business continuity tests should be conducted.
At least annually, or more frequently depending on changes in the operating environment
Controls to detect and/or prevent errors or misappropriations.
Financial Controls
Controls that align with board-approved risk appetite and inform employees of management’s expectations.
Administrative Controls
Controls that establish policies and procedures that reduce risk and ensure operating, reporting and compliance objectives are met.
Procedural Controls
Controls to prevent and detect unauthorized activity.
Technical Controls
Law to protect consumers purchasing financial products and services, requiring that consumers have access to information that lets them choose the option they believe is best for their situation.
Unfair, Deceptive or Abusive Acts or Practices (UDAAP)
Activity that is inconsistent with or deviating from what is usual, normal or expected.
Anomalous Activity
Name the FTC’s “four Ps” for evaluating whether a representation, omission, act or practice is likely to mislead.
(1) Prominent - will the consumer notice the information; (2) Presented - is the format easy to understand; (3) Placement - is the information located where a consumer would expect to look; (4) Proximity - is the information close to the claim it qualifies
Name the five steps in the vendor management life cycle according to the FFIEC.
(1) Planning; (2) Due Diligence in Vendor Selection; (3) Contract Negotiation; (4) Ongoing Monitoring; (5) Termination
A mitigating technique designed to prevent an event from occurring.
Preventative Control
A test of an institution’s disaster recovery plan or BCP.
Business Continuity Test/Disaster Recovery Exercise
A document based on the institution’s test scope and objectives and includes various test methods.
Test Plan
A testing activity designed to validate the continuity of business transactions and the replication of associated data.
Transaction Testing