Payments Risk Management Controls

Question 1

Process of reducing risks through the introduction of specific controls and risk transfer.

Answer 1

Risk Mitigation

Question 2

A comprehensive written plan to maintain or resume business in the event of a disruption.

Answer 2

Business Continuity Plan (BCP)

Question 3

Process of identifying the potential impact of uncontrolled, non-specific events on an institution’s business processes.

Answer 3

Business Impact Analysis (BIA)

Question 4

Comprehensive strategies to recover, resume and maintain all critical business functions.

Answer 4

Business Continuity Strategy

Question 5

Testing method ensures critical personnel from all areas are familiar with the business continuity plan (BCP) and may be used as an effective training tool.

Answer 5

Tabletop Exercise/Structured Walk-Through Test

Question 6

Testing method used to apply a specific event scenario to the business continuity plan (BCP).

Answer 6

Walk-Through Drill/Simulation Test

Question 7

Testing method involves actual mobilization of personnel to other sites attempting to establish communications and perform actual recovery processing as outlined in the business continuity plan (BCP).

Answer 7

Functional Drill/Parallel Test

Question 8

Testing method involves a simulated real-life emergency and all or portions of the business continuity plan (BCP) are implemented by processing data/transactions using back-up media at the recovery site.

Answer 8

Full-Interruption/Full-Scale Test

Question 9

Name the four steps included in business continuity planning (BCP).

Answer 9

(1) Business Impact Analysis; (2) Risk assessment; (3) Risk management; (4) Risk monitoring and testing

Question 10

Step in the BCP process that identifies the potential impact of uncontrolled, non-specific events on an institution’s business processes.

Answer 10

Business Impact Analysis

Question 11

Step in the BCP process that evaluates business processes and BIA assumptions using various threat scenarios.

Answer 11

Risk Assessment

Question 12

A technique used to internally assess the effectiveness of risk management and control processes.

Answer 12

Control Self-Assessment

Question 13

A plan that defines the action steps, involved resources and communication strategy upon identification of a threat or potential threat event, such as a breach in security protocol, power or telecommunications outage, severe weather or workplace violence.

Answer 13

Incident Response Plan

Question 14

A method used to mitigate credit risk, also required by the ACH Rules

Answer 14

Exposure Limits

Question 15

Frequency in which a business continuity plan should be reviewed by internal or external auditors.

Answer 15

At least annually

Question 16

Frequency in which an enterprise-wide business continuity tests should be conducted.

Answer 16

At least annually, or more frequently depending on changes in the operating environment

Question 17

Controls to detect and/or prevent errors or misappropriations.

Answer 17

Financial Controls

Question 18

Controls that align with board-approved risk appetite and inform employees of management’s expectations.

Answer 18

Administrative Controls

Question 19

Controls that establish policies and procedures that reduce risk and ensure operating, reporting and compliance objectives are met.

Answer 19

Procedural Controls

Question 20

Controls to prevent and detect unauthorized activity.

Answer 20

Technical Controls

Question 21

Law to protect consumers purchasing financial products and services requiring that consumers have access to information that lets them choose the option they believe is best for their situation.

Answer 21

Unfair, Deceptive or Abusive Acts or Practices (UDAAP)

Question 22

Activity that is inconsistent with or deviating from what is usual, normal or expected.

Answer 22

Anomalous Activity

Question 23

Name the FTC’s “four Ps” for evaluating whether a representation, omission, act or practice is likely to mislead.

Answer 23

(1) Prominent - will the consumer notice the information; (2) Presented - is the format easy-to.understand; (3) Placement - is the information located where a consumer would expect to look; (4) Proximity - is the information close to the claim it qualifies

Question 24

Name the five steps in the vendor management life cycle according to the FFIEC.

Answer 24

(1) Planning; (2) Due Diligence in Vendor Selection; (3) Contract Negotiation; (4) Ongoing Monitoring; (5) Termination

Question 25

A mitigating technique designed to prevent an event from occurring.

Answer 25

Preventative Control

Question 26

A test of an institution’s disaster recovery plan or BCP.

Answer 26

Business Continuity Test/Disaster Recovery Exercise

Question 27

A document based on the institution’s test scope and objectives and includes various test methods.

Answer 27

Test Plan

Question 28

A testing activity designed to validate the continuity of business transactions and the replication of associated data.

Answer 28

Transaction Testing