Risk Management Flashcards
What is compliance risk?
Risk that occurs when a party to a transaction fails to comply, either knowingly or inadvertently, with payment system rules, policies, regulations, and applicable U.S. and state law.
What is credit risk?
Risk that a party to a transaction will not be able to provide the necessary funds, as contracted for settlement to take place.
What is cross-channel risk?
Risk that occurs when the movement of fraudulent or illegal payment transactions from one payments channel to another is met with inconsistent risk management practices and lack of information sharing across payment channels about fraud.
What is Direct Access risk?
Risk specific to the ACH Network that occurs when an Originator or third party transmits Files (transactions) directly to an ACH Operator using a financial institution’s routing and transit number and settlement account.
What is fraud risk?
Risk that occurs when a payment transaction is initiated or altered by any party to the transaction in an attempt to misdirect or misappropriate funds with fraudulent intent.
What is operational risk?
Risk that occurs when a transaction is altered or delayed due to an unintentional error.
What is reputation risk?
Risk that occurs when negative publicity regarding an organization’s business practices leads to a loss of revenue or results in litigation.
What is systemic risk?
Risk that occurs when one funds transfer system participant is unable to settle its commitments causing other participants to be unable to settle their commitments.
What is third-party risk?
Risk that occurs when Organizations rely on outside parties to perform services on their behalf and experience inferior performance by the third party or manage the relationship poorly.
Where must all financial institutions participating in the ACH Network provide contact information for their ACH operations department and ACH risk/fraud department?
ACH Contact Registry in the Nacha Risk Management Portal
ODFIs must complete this database registration if any of their Originators, Third-Party Service Providers, or Third-Party Senders Transmit Files directly to an ACH Operator.
Direct Access Registration Database
ODFIs must complete this database registration if they have an agreement with a type of Third-Party Service Provider but do not have an Origination Agreement with the TPSP’s Originators.
Third-Party Sender Registration Database
What are administrative controls?
Procedures and practices used to manage risk, ensure compliance, and safeguard sensitive data.
What is excused delay?
Permissible delay by a Participating DFI or ACH Operator in the performance of its obligations under the Rules beyond the required time limits provided the delay was:
1. Caused by the interruption of communication or computer facilities; and
2. Beyond the reasonable control of the Participating DFI or ACH Operator
What is a contingency plan?
Steps taken to prepare for, respond to, and recover from disruptions to operations.
What is the deadline to report a possible ACH Rules violation?
Within 90 days of the occurrence
What is the length of time a financial institution has to respond to a written request from Nacha regarding an Originator’s or TPS’s Unauthorized Entry Return Rate?
10 Banking Days
Who must conduct an ACH risk assessment?
Participating DFIs and TPSs
What are four components of multifactor authentication?
- Something the Receiver knows (i.e., password)
- Something the Receiver has (i.e., computer)
- Something the Receiver is (i.e., voice or fingerprint)
- Some place the Receiver is (i.e., geolocation)
What is multifactor authentication?
Use of 2 or more factors to determine a Receiver’s identity
Who must protect the confidentiality and integrity of Protected Information until its destruction?
- Non-Consumer Originators
- Participating DFIs
- Third-Party Service Providers
- Third-Party Senders
What criteria must non-consumer Originators (who are not Participating DFIs), TPSPs, or TPSs meet to be required to render DFI account numbers unreadable when stored electronically?
Their volume exceeds 2 million Entries annually
Banking information related to an Entry that is Transmitted via an Unsecured Electronic Network must be protected how?
Either encrypted or via a secure session
What types of transmissions are not subject to the rule regarding Entries Transmitted via an Unsecured Electronic Network?
Transmissions by means of voice or keypad inputs from a wireline or wireless telephone to a live operator or voice response unit (VRU).
What is considered banking information that must be protected as related to Entries Transmitted via an Unsecured Electronic Network?
Routing numbers, account numbers, PINs, or other identification symbols in an Entry
Originators of debit WEB transactions MUST establish and implement what type of detection system?
Fraudulent transaction detection system
At a minimum, what does an Originator of debit WEB Entries need to validate?
The account number to be debited MUST be validated for the first use and when any subsequent changes are made to the account being debited.
An ODFI MUST enter into what with each Originator or Third-Party Sender?
Origination Agreement
An ODFI MUST establish, implement, and periodically review this for each Originator or Third-Party Sender.
Exposure limits
An ODFI MUST monitor what across multiple Settlement Dates?
An Originator’s or Third-Party Sender’s origination and Return activity
Who must approve an ODFI’s Direct Access Debit Participants?
The ODFI’s board of directors or board designees
An ODFI may terminate or suspend an Origination Agreement within how many days notice if an Originator or Third-Party Sender breaches or causes the ODFI to breach the Rules?
10 Banking Days
(or less if stipulated in the Origination Agreement)
Between the ODFI and Gateway, who bears the risk that the laws of the receiving country prohibit the processing, settlement, or transfer of the proceeds of an IAT Entry?
ODFI
The lack of an Origination Agreement between an Originator and ODFI increases what type of risk for the ODFI if the Originator is unable to provide funds for settlement?
Credit
What are five things an ODFI MUST do as part of their Originator or TPS risk management due diligence?
- Assess the nature of the Originator’s or TPS’s activity and the risk it presents
- Establish, implement, and periodically review exposure limits
- Establish and implement procedures to monitor origination and Return activity across multiple days
- Enforce restrictions on types of Entries that can be originated
- Enforce exposure limits
List three controls to help mitigate Direct Access risk.
- Underwriting
- Management
- Monitoring
Who is subject to the same risk assessment criteria as its ODFI?
A Third-Party Sender
List six requirements that should be part of a Third-Party Sender’s risk management practice.
- Perform customer due diligence
- Set and enforce customer limits
- Audit and test Originator authorization processes
- Monitor forward and Return transaction volumes, dollars, and rates
- Establish data security policies, procedures, and systems with access controls
- Establish SEC Code specific risk management requirements
Reviewing an Originator’s business licenses, financial statements, and ACH processing experience during the on-boarding process are examples of what?
Customer due diligence
For high-risk Originators, requiring additional documentation, setting transaction limits, and implementing more frequent monitoring are examples of what type of strategy?
Risk mitigation strategy
How does the concept of risk management apply to ODFIs for ongoing due diligence of Originators?
Nacha Rules require Originating Depository Financial Institutions (ODFIs) to have a risk management program that should encompass ongoing monitoring of ACH participants, including Originators. This monitoring helps identify and mitigate potential risks associated with an Originator’s activities.
What risk is associated with early posting of credits?
Credit risk
Who assumes the risk associated with the early posting of credits?
Credit risk is assumed by the ODFI
Segregation of duties, transaction monitoring, and account reconciliation are examples of what types of control?
Internal controls
Policies, procedures, and risk assessments assist in controlling what type of risk?
Compliance risk
What is the level and degree of risk an Organization is willing to assume to meet its strategic goals called?
Risk appetite
What is the acceptable level of variance relative to achieving a specific objective called?
Risk tolerance
This should be conducted periodically and be designed to review risks associated with an Organization’s ACH program.
ACH risk assessment
The Rules allow an ODFI to suspend or terminate an Origination Agreement with an Originator or Third-Party Sender that breaches the Rules or causes the ODFI to breach the Rules within how many days notice?
10 Banking Days notice
(or shorter if stipulated in the Origination Agreement)
This is a group of employees who are assigned the responsibility of monitoring ACH operations and related maintenance tasks.
ACH operational control group
What is the goal of a disaster recovery or contingency plan?
To resume business as quickly and fully as possible