Wire Transfer Basics

Presented by Jessica Noll, AAP Auditor/Trainer Audio

Handouts

Questions Presented by: Jessica Noll, AAP Auditor/Trainer PAR/WACHA-The Premier Payments Resource [email protected] 2018

Disclaimer

• WACHA, through its Direct Membership in NACHA, is a specially recognized and licensed provider of ACH education, publications and support. • Regional Payments Associations are directly engaged in the NACHA rulemaking process and Accredited ACH Professional (AAP) program. • NACHA owns the copyright for the NACHA Operating Rules & Guidelines. • The Accredited ACH Professional (AAP) is a service mark of NACHA. • This material is derived from collaborative work product developed by NACHA ─ The Electronic Payments Association and its member Regional Payments Associations, and is not intended to provide any warranties or legal advice, and is intended for educational purposes only. • This material is not intended to provide any warranties or legal advice, and is intended for educational purposes only. • This document could include technical inaccuracies or typographical errors and individual users are responsible for verifying any information contained herein. • No part of this material may be used without the prior written permission of WACHA/PAR

Key Definitions Types of Networks Rules and Regulations Risk Management Tools and Policies Internal Controls Corporate Account Takeover Objectives

Provides Payments Professionals with the fundamentals of wire transfer payments and how they differ from other payment systems

Illustrate key definitions, types of wire transfer networks, and wire transfer rules and regulations

Risk/Fraud Awareness

How to establish strong Internal and External controls

Key Definitions

• Wire transfer – The electronic transfer of money from one person to another from one Bank or Credit Union to another • Drawdown – Message requesting receiving financial institution to debit an account & wire funds to sender of the message. AKA – “reverse wire transfer”, “debit transfer” or “request for funds”. Term comes from “drawing down” balance in correspondent account Repetitive wire transfer – Transfer where the information and payment instruction do not change Key Definitions

Non-repetitive wire – Transfer where any information can be changed Correspondent Bank – A Financial Institution that provides services on behalf of another Financial Intuition. Routing number/ABA – A nine digit code that’s based on the US Bank location where an account was opened. Corporate Account Takeover- Business identity theft in which a criminal steals a business’s online banking credentials. Wire Transfer Key Characteristics

Higher dollar transfers compared to other payment types (checks or ACH) Credit push model Safe (assuming money isn’t going to a thief) Fast/same day settlement for domestic transfers Risk: Higher dollar loss Irrevocable Instant Higher processing fee Wire Transfer Process Flow

Correspondent FI Sender Receiver

Sending FI Federal Reserve Receiving FI FedWire®

Operated by the Federal Reserve System Move funds between FRB member banks Real-time, gross settlement system. Transfers are irrevocable when received from FRB CHIPS® Clearing House Interbank Payments System Operated by The Clearing House Governed by UCC 4A Differs from Fedwires Only has 47 Member participants

SWIFT®

Society for Worldwide Interbank Financial Telecommunication International messaging system Enables FI’s to send and receive information about Financial transactions Funds settle through correspondent accounts Rules and Regulations

Regulation J Subpart B Regulation S UCC4A Regulation E Regulation CC FFIEC Guidance Rules and Regulations

Federal Reserve Board Payment System Risk Policy (PSR) OCC Banking Circular 235 Office of Foreign Asset Control (OFAC) FRB Regulation J - Subpart B

Legal relationship between Financial Institution and Federal Reserve Bank Does not cover the relationship between FI and account holder Incorporates a version of New York UCC4A Bank Secrecy Act

Also referred to as BSA Requires US Financial Institutions to assist US Government Agencies to detect & prevent money laundering. Recordkeeping requirements for Wires $3,000.00 or more Recordkeeping requirements for non established customers Retrievability Uniform Commercial Code Article 4A

State law New York was one of first states to pass Local state law by contract UCC4A Key Points Wholesale electronic funds transfers Specifically excludes: Items covered by Regulation E (consumer transfers) Exception: Foreign Remittances added as part of Dodd-Frank effective February 7, 2013 Debit transfers Regulation E excludes transfers sent thru Fedwire® or similar networks UCC4A Key Points UCC4A-105 - “funds transfer day” Example: If payment order is received after the institution’s cutoff, institution may hold until the next funds transfer day to execute Written Agreement Some items cannot be varied by contract UCC4A – 404 Notice for Credits of Incoming Transfer UCC4A – 209 Definitions of “Acceptance” UCC4A – 201 “Commercially Reasonable Security Measures” UCC4A – 207 Can rely on account number # alone to post Unless determine that there is a discrepancy between name and acct # If name & account number mismatch is known, cannot accept payment order Dodd Frank 1073 International Remittance Rule Regulation E Remittance Transfer Rules New Subpart B to Regulation E Section 919 of the EFTA: Requires disclosure of certain information prior to and at the time of the transfer Creates new consumer protections, including the right to cancel a transfer and the right to a refund in certain circumstances Establishes a new error resolution scheme to which remittance transfer providers must adhere Establishes standards of liability for remittance transfer providers and their agents Consumer protection Comparison shopping Transparency and certainty of costs Regulation E & Foreign Remittances

Impacts Any consumer request to send funds to a recipient outside of the United States Recipient can be a consumer or business Wire transfer, international ACH, and bill payment 30 minutes to rescind request Applies to remittance transfers More than $15 Made by a consumer in the US Sent to a person or company in foreign country Exemption for FIs that send less than 100 remittances a year Regulation E & Foreign Remittances

Pre-payment disclosure Transfer amount in currency use to fund request Institution fees Transfer amount Exchange rate All other fees and taxes, i.e. correspondents and foreign taxes Total amount RECEIVED by the recipient Must be provided to the consumer before they agree to the transaction Regulation E & Foreign Remittances

Receipt disclosure: All the information from Pre-payment disclosure Date the funds will be available to the recipient Name of recipient (and contact if available) Consumers error resolution rights Contact information of the financial institution Statement that consumer may contact state agency that licenses the financial institution and CFPB The consumer has at least 2 receipts/disclosures Error Resolution Consumer has 180 days to notify FI of an “error” Such as receiver never received funds, or wrong amount Regulation CC

Fedwire® funds transfers are subject to funds availability provisions and to Bank Secrecy Act requirements FFIEC Guidance

States Institutions should rely on “layered security approaches Not all transactions have the same risk Requires Institutions to implement solutions to: Detect and respond to suspicious activity Have better control of administrative functions FRB Payment System Risk Policy Commonly referred to as “Daylight Overdraft” Requires FI to evaluate and continually monitor several factors Credit worthiness of “significant” customers Own credit worthiness Own credit and operational policies FI may have a “Daylight Overdraft limit” Federal Reserve monitors FIs in real-time and may require pre-funding OCC Banking Circular 235

Addresses payment systems risks Covers risks associated with different systems Outlines policies and controls that senior management implement Office of Foreign Assets Control

Commonly known as OFAC Controls assets of certain foreign countries and designated individuals Each country or individual is “authorized” by a Federal law Countries/individuals can be added or deleted Penalties include prison and fines List is referred to as the “SDN” and changes frequently

Office of Foreign Assets Control Financial Institution requirements Block and hold funds transfers until OFAC authorizes release Review originated or received fund transfers to ensure funds are not transferred into or out of accounts of a listed entity Incoming transfers for a flagged SDN account must be frozen and the FI contact OFAC OFAC considers any transfer made in violation of OFAC regulations null and void General info, contacts and latest SDN list https://www.treasury.gov/resource-center/sanctions/Pages/default.aspx Types of Risk

Credit Operational Fraud Systemic Sovereign Technology/3rd Party Reputational Credit Risks “Good funds” Available at time of transfer, End of day, or When settlement is attempted

Risk Mitigation Credit review and approval policies and procedures Identify sender and validity of instructions Funds held or debited prior to sending outgoing wire transfer (collected funds ONLY) Operating Risks Hardware/Software or Telecommunications Failure Human Error Limited/Untrained Staff Disaster

Risk Mitigation Disaster recovery plan that is unique to wire transfer area Expand beyond disaster recovery to include business resumption Include users (external & internal) Staff training, cross training and backup systems Fraud Risks Internal Fraud FI Employees 3rd Party Processors External Fraud Company Employees 3rd Party Processors Interlopers/hackers Key loggers Customer Impersonation Social Engineering Fraud Risks Risk Mitigation “Know Your Customers” Formal contracts “Commercially Reasonable Security Procedures” Call-backs, digital signatures, dual controls, test keys, tokens, out of band authentication, biometrics Need to know limits Systemic Risk Risk to the system/network that one financial institution’s inability to settle its position will cause other financial institutions to fail to settle

Risk Mitigation Federal Reserve’s Payment System Risk Policy (Daylight Overdraft) was developed to prevent this from occurring. Requires FI to monitor both its Fed position and customer’s position Sovereign Risk Risk that a sovereign government or other political entity will take some action to prevent or alter the settlement of transfers Often referred to as “Political” risk Technology/3rd Party Risk Risks that occur from use of technology or a third party processor Presents multiple types of risk Has the third-party identified all the appropriate risks, designed and implemented adequate controls to prevent loss? If not, FI bears risks for this “lacking” element of risk management FIs should have contracts/agreements in place with correspondent FIs and service providers that outline what controls are implemented and 3rd party’s responsibility for any errors or losses FIs should evaluate the controls employed and ask for additional controls to be implemented (if appropriate) or add compensating controls such as procedures or manual controls FI should request certification of audits conducted by technology providers to ensure compliance with legal and regulatory requirements Reputational Risk The risk that a loss or problem is communicated to the general public resulting in negative press and a loss of business Risk Mitigation Have a PR plan prepared in the event that a significant loss occurs Should include internal communications, and external press releases, contact information, and ongoing mitigation strategies Risk Management Tools Personnel Management Policies Reassign personnel who have given notice Randomly rotate personnel Utilize dual controls at all levels Recognize that for small business or FIs it may be difficult Hire staff for funds transfers operations with a proven history with organization (not new hires) Adequate Training and Written Documentation Pre employment Screenings (drug, credit, and police check) “Time Away” Policy Risk Management Tools Use of Repetitive Wire Transfers Since most of the critical information in the payment order is “static”, risk is reduced (operational errors, fraud, etc) Key control is how are repetitive wires updated/changed. Limit non-repetitive wire transfers Verify key data elements (amount, beneficiary and bank info) Wire Requests by Phone/Fax ? Wire transfers requests should not be processed relying solely on an email request (stronger customer verification is needed) Wire Request Forms Internal Controls

Wire Transfer Policy Approved by the Board annually, or when there are significant changes in the wire process, systems, etc. Wire Transfer Policy should address Wire software used Types of wires (domestic vs. international, customer vs. non- customer) Use of security procedures & customer agreements Approval of an administrator and Wire limits Dual Control Rekey of wire dollar amount Transaction limits Customer Agreements. Wrien agreements with repeat wire customers (usually for wires initiated by phone or fax, not “in person” requests) Agreements should: Describe the security procedures to be followed when verifying the authenticity of a wire request Include waivers from the customer if they opt-out of the security procedures. (wrien and signed by customer) Established cut-oﬀ times for receiving, transmiing, amending and cancelling wire transfer requests Individuals authorized to request wire transfers and any wire limits established Deﬁned methods by which a wire transfer request can be initiated (phone,

fax, online banking)

Internal Controls

Customer Agreements. Written agreements with repeat wire customers (usually for wires initiated by phone or fax, not “in person” requests) Agreements should: Describe the security procedures to be followed when verifying the authenticity of a wire request Include waivers from the customer if they opt-out of the security procedures. (written and signed by customer) Established cut-off times for receiving, transmitting, amending and cancelling wire transfer requests Individuals authorized to request wire transfers and any wire limits established Defined methods by which a wire transfer request can be initiated (phone, fax, online banking) Internal Controls

Security procedures Daily Reconciliation by wire operations staff Independent Reconciliation (segregation of duties) Wire administrator should not have wire create or verify capabilities Due from account used for wire settlement should be reconciled by someone independent of wire operations May be difficult for some institutions due to limited staff. Supervisory review of reconcilements of funds transfer activity on a regular basis Corporate Account Takeover Corporate account takeover is a type of business identity theft in which a criminal entity steals a business’s valid online banking credentials which usually results in a fraudulent wire/ACH How does it work Malicious document aached to an email Links within an email to an infected website Employee(s) visiting legitimate website download infected/malicious ﬁles Introduction of other devices (ﬂash drives) Corporate Account Takeover

Who are the players Organized criminals (often overseas) Commercial Customers (usually a small business) Financial Institutions Money Mules What is a Money Mule Money Mules receive funds in their bank account They then forward the funds to another account (usually overseas) They keep a small portion of funds as payment Money Mules typically only receive between $5K-$10K to transfer, so their fee is often small Lessons Learned

Financial Institution Employee receives email from supposed account holder requesting account balances for all accounts owned Employee provides account balances via email Supposed account holder request a wire transfer to be completed and includes wire transfer instructions Financial Institution completes wire transfer without further verification from account holder (call back to phone number on file) Financial Institution learns of the Wire is fraudulent after it has been sent and suffers a loss for not following policy or security procedures. Lessons Learned

Small Business Secretary receives an email from one of the owners of the Company she works for. The email requests her to contact their Financial Institution to do a wire transfer which includes the Wire transfer instructions and what ledger account to charge the Wire transfer expense to. Secretary contacts the FI and requests the wire transfer via phone but because she is not a signer the FI will need signature verification from one of the owners of the Company. FI faxes the Wire request to the Secretary and she obtains the signature of the owner who is a signer on the account but did not initially request the transfer. Lessons Learned

Wire Transfer is faxed back to the FI and they verify the legitimacy of the Signature verification and process the Wire Transfers Wire Transfer email request is found to be fraudulent by the Company and the Company is at a loss for not following internal controls. Questions Resources

• UCC4A www.law.cornell.edu/lii.html

• FFIEC authentication guidance issued June 28, 2011 www.ffiec.gov

• OFAC https://www.treasury.gov/resource-center/sanctions/Pages/default.aspx AAP Continuing Education Credits

Wire Transfer Basics

This session is worth 1.8 credits (Keep this for your records) Resources WACHA- The Premier Payments Resource PAR- Payment Advisory Resource HELP DESK Phone: 262-345-1245 Toll Free: 800-453-1843 Fax: 262-345-1246 [email protected] Jessica Noll, AAP [email protected]

Upcoming WACHA events with CBANC Education:

Tax Refunds Wed 2/7 at 1pm CT/2pm ET Regulation E Disputes Thurs 2/15 at 1pm CT/2pm ET Government Payments Overview Wed 2/21 at 1pm CT/2pm ET