5000—OTHER EXAMINATION AREAS

The 5000 series of sections provides background on the supervisory assessment of certain activities in which a state member bank may or may not engage. These examination activities are sometimes referred to as "specialty examinations" and are conducted by examiners who have subject matter expertise or specialized training. More specifically, there is a section on a bank's fiduciary or asset and wealth management activities. There are also sections that are salient to the supervisory assessment of information technology and payment systems risks.

Commercial Bank Examination Manual, May 2021, Page 1

Fiduciary Activities
Effective date April 2013
Section 5200.1

Fiduciary activities and other related services generally include traditional trust services, such as personal trust, corporate trust, and transfer-agent services and employee benefit account products and services, as well as custody and securities-lending services, clearing and settlement, , asset management, and investment advisory activities. (See SR-01-5.) Pursuant to 12 USC 24 (seventh), 92a, and 93a, the Office of the Comptroller of the Currency (OCC) has established standards (the OCC rules for fiduciary activities of national banks). These rules are typically considered the industry standard for fiduciary activities of all financial institutions operating in the United States. (See 12 CFR 9.) When considering whether a state member bank has adhered to industry standards for fiduciary activities, Federal Reserve System (FRS) examiners can refer to the guidance set forth in the OCC rules and FRS and OCC examination manuals, as well as the examination materials issued by other U.S. financial institution regulatory agencies. With respect to a state member bank subsidiary, the appropriate bank, thrift, or functional regulator has the primary supervisory responsibility for evaluating risks, hedging, and risk management at the legal-entity level for the entity that the regulator supervises. (See SR-00-13.) Examiners should seek to use the examination findings of the functional regulator.

A risk-focused fiduciary examination concentrates on understanding and evaluating risk and assessing the internal controls the state member bank has employed to manage risk. The program encompasses continuous monitoring; targeted reviews of fiduciary activities; preparation of supervisory risk profiles and assessments; and the development of supervisory plans, which are integrated into the preplanning of an examination. Conclusions are used to develop an overall safety-and-soundness evaluation of the state member bank's fiduciary activities. (See SR-96-10.)

The Federal Reserve System's fiduciary-examination program reviews and assesses the risk-management practices and related aspects of a state member bank's fiduciary activities. This approach results in (1) the use of a more diversified examiner population, including those with capital-markets, information systems, and safety-and-soundness experience; (2) an emphasis on assessing the individual organization's unique risk profile; and (3) reviews of risk identification, measurement, monitoring, and control. Examiners should use the state member bank's control disciplines (internal audit, risk management, and compliance program) whenever possible.

Examiners have access to a broad variety of FRS supervisory information and analytical support tools to evaluate the fiduciary activities of financial institutions. The Uniform Bank Performance Report (UBPR) can assist examiners in evaluating a state member bank's fiduciary business lines or activities relative to its peers. (See the UBPR, pages Trust 1 and Trust 1A.) Beginning with the December 2002 release, "Section II: Technical Information" of the UBPR User's Guide (available online at www.ffiec.gov/ubprguide.htm) discusses the availability of the Total Fiduciary Assets within a fiduciary group number (peer group). (See page II-3.) "Total Fiduciary Assets" are the totals of managed and nonmanaged fiduciary assets for FDIC-insured commercial and savings banks, as reported on Schedule RC-T of the call report.

COMPLEX FIDUCIARY ORGANIZATIONS

SR-01-5 explains that complex fiduciary organizations are those banking organizations that conduct significant or complex fiduciary activities. This includes large complex banking organizations (LCBOs), other large or regional institutions for which fiduciary activities represent a significant portion of their business, and clearing agencies registered with the Securities and Exchange Commission (SEC) for which the Federal Reserve is the primary supervisor. The fiduciary-examination frequency should be determined on the basis of the impact that fiduciary activities have on the organization's risk profile.

At a minimum, all material fiduciary business lines should be subject to examination over a two-year period or examination cycle as part of the continuous supervision process, with higher-risk areas generally reviewed annually.

Composite Uniform Interagency Trust Rating System (UITRS) ratings and transfer-agent ratings reflecting the overall condition of the fiduciary function at each institution, and any component ratings considered relevant, should be assigned or updated in a timely manner on the basis of the results of examinations, targeted reviews, or other assessments of fiduciary activities. UITRS ratings do not need to be assigned for each targeted business-line review. However, at a minimum, composite UITRS and transfer-agent ratings should be updated annually, and any material findings related to these areas should be included in the annual summary supervisory report. Any significant concerns should be reflected in the safety-and-soundness examination ratings. Fiduciary risks and fiduciary-risk management assessments should also be reflected in the relevant risk-assessment and risk-management ratings for the banking organization, as necessary.

OTHER INSTITUTIONS OFFERING FIDUCIARY AND TRANSFER-AGENT SERVICES

The frequency of fiduciary and transfer-agent examinations for other institutions, generally smaller state-chartered Federal Reserve member banks and trust companies with noncomplex operations, should be determined on the basis of the significance of their fiduciary and transfer-agent activities and an assessment of the level of risk the activities present to the institution. This scheduling guidance also applies to initial examinations of new institutions and to those institutions subject to Federal Reserve supervision as a result of a charter conversion.

At a minimum, fiduciary activities should be reviewed no less frequently than during every other routine safety-and-soundness examination. Examinations governed by alternating examination programs with state banking authorities may continue to be performed in accordance with those arrangements or as necessary to incorporate the provisions of SR-01-5. Examinations of fiduciary activities at noncomplex limited-purpose trust companies and other fiduciary institutions subject to supervision by the Federal Reserve that do not receive routine safety-and-soundness examinations should be conducted no less frequently than every two years.

Composite UITRS and transfer-agent examination ratings reflecting the overall condition of the function, and any component ratings considered relevant, should be assigned or updated at the completion of the examination or assessment. Material examination findings should be integrated into the overall examination report for the institution, which should clearly indicate the significance of any findings to the safety and soundness of the institution and the impact of the findings on any relevant risk assessments and risk-management ratings.

ORGANIZATIONS WITH SUPERVISORY CONCERNS

Organizations whose fiduciary activities have raised supervisory concerns should be subject to an additional level of supervisory attention on the basis of the severity of those supervisory concerns. Generally, this would include those organizations with a composite UITRS rating of 3, 4, or 5; a transfer-agent rating of B or C; or significant deficiencies in one or more component-rating categories. In the case of an institution assigned a UITRS rating of 4 or 5 or a transfer-agent rating of C, supervisory action should be initiated promptly and continued until the problems or deficiencies have been appropriately addressed.

Under the Securities and Exchange Act of 1934, the Federal Reserve continues to be responsible for examining transfer agents and clearing agencies for which it is the primary supervisor, including reviewing compliance with SEC rules. Any material violations of transfer-agent or clearing-agency rules must be reported promptly to Board staff to facilitate coordination with the SEC.

RISK PROFILE OF FIDUCIARY ACTIVITIES

Regular supervisory assessments of the risk of fiduciary activities, as outlined in SR-01-5, support the supervisory process. Risk profiles for LCBOs are updated quarterly. These risk profiles should include explicit consideration of the risks of fiduciary activities. For other complex fiduciary organizations, risk profiles reflecting fiduciary activities should be prepared and updated as needed, but no less frequently than annually. For these organizations, supervisory plans should detail the fiduciary specialist's recommended examination coverage of fiduciary activities. For banking organizations supervised by the Federal Reserve that have smaller, noncomplex fiduciary operations, formal risk profiles may not be necessary. However, fiduciary-risk information should normally be updated at each examination or inspection and incorporated into supervisory plans.

Risk profiles should include an assessment of the inherent risk in the organization's fiduciary activities, as well as a consideration of the effectiveness of its risk management. Risk assessments would normally include the following factors:

• the size and number of fiduciary accounts and assets administered
• the nature and complexity of fiduciary products and services offered
• significant changes to management or staffing for fiduciary services
• significant changes to data processing systems supporting fiduciary services
• new affiliations, partnerships, or outsourcing arrangements
• changes in strategic direction affecting fiduciary services or exposure to emerging risks
• significant litigation, settlements, or charge-offs
• the length of time since the last on-site examination in which fiduciary activities were reviewed, and the scope of that examination
• the significance of prior examination findings
• the effectiveness of the organization's control environment, including its audit function, and the adequacy of its risk-management practices relative to the nature and scope of its business

RISK FOCUS

As explained in SR-96-10, for a complex institution, fiduciary examiners will direct their attention to assessing the organization's functions and its ability to identify, measure, monitor, and control fiduciary, market, , and operational risks. Examiners should assess risks that result from the fiduciary's investment-management, investment advisory, mutual funds, global custody, and securities-lending and processing activities. Any other activities that are subject to adverse movements in market rates or prices, or to operating problems associated with processing a large volume of securities, should also be assessed. These fiduciary activities could result in material losses to trust customers and, in turn, expose the institution to financial losses and litigation if not conducted in a manner consistent with the fiduciary's duty of loyalty and the investor's stated objectives.

A review of internal controls and policies and procedures is an integral part of the examination program. Facets of a fiduciary examination include management competence and accountability, management's review of risks associated with the introduction of new products and services, and management's overall risk awareness. The emphasis on risk assessment and control parallels the guidelines and procedures pertaining to state member bank examinations and inspections, as described in SR-95-51 and SR-16-11, and recognizes the efforts of many progressive institutions in establishing fiduciary-risk assessment and control initiatives of their own. When rating the quality of risk management of fiduciary activities, examiners should place primary consideration on findings relating to the following elements of a sound risk-management system: (1) active board and senior management oversight; (2) adequate policies, procedures, and limits; (3) adequate risk-measurement, -monitoring, and management information systems; and (4) comprehensive internal controls. Each of these elements is described further below, along with a list of considerations relevant to assessing the adequacy of each element.

Active Board and Management Oversight

Given that a board of directors has ultimate responsibility for all of the activities of its institution, the board should approve overall fiduciary business strategies and policies, including those related to identifying, measuring, monitoring, and controlling fiduciary risks. A board of directors must understand the nature of the risks that are significant to the organization, and it should ensure that management is taking the steps necessary to manage these risks.

Senior management has the responsibility for implementing approved strategies in a way that will limit fiduciary risks and ensure compliance with laws and regulations. Senior management should, therefore, be fully involved in the fiduciary activities of their institution and have sufficient knowledge of all fiduciary business lines to ensure that necessary policies, controls, and risk-monitoring systems are in place and that accountability and lines of authority are clearly defined. In assessing the quality of fiduciary oversight by boards of directors and senior management, examiners should consider whether these conditions exist:

• The board and senior management have a clear understanding and working knowledge of the types of fiduciary activities the institution performs and of the risks inherent in them. They have approved appropriate policies, procedures, recordkeeping systems, and reporting systems to support the fiduciary activities and to help measure and monitor risks. They have established procedures to stay informed about changes in fiduciary activities and the associated risks.
• Management at all levels adequately supervises the daily activities of officers and employees to ensure that the lines of fiduciary business are managed and staffed by persons whose knowledge, experience, and expertise are consistent with the nature and scope of the organization's fiduciary activities.
• Before offering new services or introducing new products, management identifies the fiduciary risks associated with them and ensures that internal controls are in place to manage the service or product and its accompanying risk.

Adequate Policies, Procedures, and Limits

An institution's directors and senior management should establish fiduciary and fiduciary-risk management policies and procedures commensurate with the types of activities the institution conducts. The policies and procedures should provide enough detailed guidance to ensure that all material areas of fiduciary activity and risk are addressed. They should also be modified when necessary to respond to changes in the organization's activities. A smaller, less complex institution that has effective management and that is heavily involved in daily operations generally would be expected to have more basic policies addressing the significant areas of its activities and setting forth a limited but appropriate set of requirements and procedures. In a larger institution, where senior management must rely on a widely dispersed staff to implement strategies in a wide range of complex situations, far more detailed policies and related procedures would be expected. In assessing the adequacy of an institution's fiduciary and fiduciary-risk management policies and procedures, examiners should consider whether these conditions exist:

• The institution's policies and procedures adequately address the fiduciary activities performed and are consistent with management's experience level and with the institution's stated goals and objectives.
• The institution's policies and procedures provide for adequate identification, measurement, monitoring, and control of the risks posed by its fiduciary activities.
• Policies clearly establish accountability and set forth lines of authority.
• Policies provide for review of new fiduciary services and activities to ensure that they are suitable and consistent with fiduciary-customer objectives, and to ensure that the systems necessary to identify, measure, monitor, and control risks associated with new services and activities are in place before the activity is initiated.

Adequate Risk-Monitoring and Management Information Systems

Risk monitoring requires institutions to identify and measure all areas of material fiduciary risk continuously. Risk-monitoring activities must be supported by management information systems that provide senior management with timely reports on financial condition, operating performance, marketing efforts, new products and services, pending or threatened litigation, and risk exposure arising from fiduciary activities. The information system also must provide regular and more detailed reports for managers engaged in the daily management of the institution's activities.

The sophistication of risk-monitoring and control information systems should be commensurate with the complexity of the institution's fiduciary operations. Less complex institutions may require only a limited number of management reports to support risk-monitoring activities. Larger, more complex institutions, however, would be expected to have much more comprehensive reporting and monitoring systems. These systems would allow for more frequent reporting and closer monitoring of complex activities. In assessing the adequacy of an institution's measurement and monitoring of fiduciary risk, examiners should consider whether these conditions exist:

• The institution's fiduciary-risk monitoring practices and reports encompass all of its business lines and activities, and they are structured to monitor exposures consistent with established goals, limits, and objectives.
• Key assumptions, data sources, and procedures used in identifying, measuring, and monitoring fiduciary risk are appropriate for the activities the institution performs and are adequately documented and continuously tested for reliability.
• Reports to management are accurate and timely and contain sufficient information for policy and decision makers to identify any adverse trends and any potential or real problems. The reports must be adequate for management to evaluate the level of fiduciary risk faced by the institution.

Adequate Internal Controls

A comprehensive internal-control structure is critical to the safe and sound functioning of an institution and its fiduciary-risk management system. Establishing and maintaining a system of internal controls that sets forth official lines of authority and an appropriate segregation of duties is one of management's most important responsibilities.

A well-structured system of internal controls promotes effective fiduciary operations and reliable reporting; safeguards assets; and helps to ensure compliance with laws, regulations, and institutional policies. Controls should be periodically tested by an independent party (preferably the auditor or at least an individual not involved in the process being reviewed) who reports directly to either the institution's board of directors or one of its designated committees. Given the importance of appropriate internal controls to organizations of all sizes and risk profiles, the results of these reviews should be adequately documented, as should management's responses to them. In evaluating the adequacy of an institution's internal controls as they relate to fiduciary activities, examiners should consider whether these conditions exist:

• The system of internal controls is appropriate to the type and level of fiduciary activities.
• The institution's organizational structure establishes clear lines of authority and responsibility.
• Reporting lines are sufficiently independent of the control areas and from the business lines, and there is adequate separation of duties throughout the institution.
• Financial, operational, and regulatory reports are reliable, accurate, and timely.
• Adequate procedures exist for ensuring compliance with laws and regulations.
• Internal-audit or other control-review practices provide for independence and objectivity.
• Internal controls and information systems are adequately tested and reviewed, with findings documented and weaknesses given appropriate and timely attention.
• The board of directors or the audit committee reviews the effectiveness of internal audits and other control-review activities regularly.

The fiduciary-risk assessment and control categories and tools listed above are not all-inclusive. They are guidelines for the fiduciary examiner and fiduciary-activities management to use in their risk-assessment and -control efforts. The examination of fiduciary activities may require some modification, depending on how the activities are organized and the complexity of the products and services offered.

INVESTMENT OF FIDUCIARY ASSETS IN MUTUAL FUNDS AND POTENTIAL CONFLICTS OF INTEREST

Banks and trust institutions encounter various direct or indirect financial incentives to place trust assets with particular mutual funds. These incentives include fees for using nonaffiliated fund families as well as incentives for using an institution's proprietary mutual funds. The primary supervisory concern is that an institution may fail to act in the best interest of its beneficiaries if it stands to benefit independently from a particular investment. As a result, an institution may be exposed to an increased risk of legal action by account beneficiaries, and it could potentially violate laws or regulations. The Federal Reserve Board issued SR-99-7 to help institutions minimize these risks and ensure that their activities meet fiduciary standards.

Institutions should ensure that they perform and document an appropriate level of due diligence before entering into any compensation arrangements with mutual fund providers or before placing fiduciary assets in their own proprietary mutual funds. SR-99-7 discusses the type of measures that should be included in this process, including a reasoned legal opinion addressing the activity, appropriate policies and procedures, and documented analysis and ongoing review of investment decisions. For issues pertaining to retail sales of nondeposit investment products and matters relating to compensation, see section 4170.1.

Types of Financial Incentives

Financial incentives for placing trust assets with particular mutual funds range from payments structured as reimbursements for services or for transferring business to an unaffiliated fund family, to financial benefits that arise from using mutual funds that are managed by the institution or an affiliate. In some cases, such as service fees for administrative and recordkeeping functions performed by the trust institution, the permissibility of such payments may be specifically addressed under state law. However, guidance under applicable law may be less clear for other financial incentives. In all cases, decisions to place fiduciary assets in particular investments must be consistent with the underlying trust documents and must be undertaken in the best interest of the trust beneficiary.

Certain mutual fund providers offer compensation in the form of "service" fees to institutions that invest fiduciary assets in particular mutual funds. These fees, referred to variously as shareholder, subaccounting, or administrative-service fees, are structured as payments to reimburse the institution for performing standard recordkeeping and accounting functions for the institution's fiduciary accounts, such as maintaining shareholder subaccounts and records, transmitting mutual fund communications as necessary, and arranging mutual fund transactions. These fees are typically based on a percentage or basis-point amount of the dollar value of assets invested or on transaction volume.

Nearly every state legislature modified its laws in the 1990s to allow explicitly the acceptance of such service fees by fiduciaries under certain conditions. These conditions often include compliance with standards of prudence, quality, and appropriateness for the account, and a determination of the "reasonableness" of the fees received by the institution. The Office of the Comptroller of the Currency (OCC) also adopted these general standards for national banks.[1] However, the Employee Retirement Income Security Act of 1974 (ERISA) generally prohibits fee arrangements between fiduciaries and third parties, such as mutual fund providers, with limited exceptions.[2] ERISA requirements supersede state laws and guidelines put forth by the bank regulatory agencies.

Although there has been no comprehensive review of the extent to which mutual fund providers are offering the types of incentive payments cited above, the practice is not uncommon. In addition to these service fees, another form of compensation reportedly offered by some mutual fund providers is a lump-sum payment based on assets transferred into a mutual fund.

Similar conflict-of-interest concerns are raised by the investment of fiduciary-account assets in mutual funds for which the institution or an affiliate acts as investment adviser (referred to as "proprietary" funds). In this case, the institution receives a financial benefit from management fees generated by the mutual fund investments.[3]

[1] In general, national banks may make these investments and receive such fees if the practice is authorized by applicable law and if the investment is prudent and appropriate for fiduciary accounts and consistent with fiduciary requirements established by state law. These requirements include a "reasonableness" test for any fees received by the institution. (OCC Interpretive Letter No. 704, February 1996.)
[2] ERISA section 406(b)(3), Department of Labor, Pension Welfare and Benefits Administration Advisory Opinion 97-15A and Advisory Opinion 97-16A.
[3] A Board interpretation of Federal Reserve Regulation Y addresses the investment of fiduciary-account assets in mutual funds for which the trustee bank's holding company acts as investment adviser. In general, such investments are prohibited unless specifically authorized by the trust instrument, court order, or state law. See Federal Reserve Regulatory Service 4–177.

Due-Diligence Measures

Although many state laws explicitly authorize certain fee arrangements in conjunction with the investment of trust assets in mutual funds, institutions nonetheless face heightened legal and compliance risks from activities in which a conflict of interest exists, particularly if proper fiduciary standards are not observed and documented. Section 23B of the Federal Reserve Act (FRA) requires, before a member bank purchases shares issued by an affiliate, including investment-fund shares, that the board of directors approve the purchase based on a determination that the purchase is a sound investment for the bank, irrespective that an affiliate is the principal underwriter.[4] Even for investments in which the institution does not exercise investment discretion, disclosure or other requirements may apply. Therefore, institutions should ensure that they perform and document an appropriate level of due diligence before entering into any fee arrangements similar to those described above or before placing fiduciary assets in proprietary mutual funds. According to SR-99-7, the following measures should be included in this process:

• A reasoned legal opinion. The institution should obtain a reasoned opinion of counsel that addresses the conflict of interest inherent in the receipt of fees or other forms of compensation from mutual fund providers in connection with the investment of fiduciary assets. The opinion should address the permissibility of the investment and compensation under applicable state or federal laws, the trust instrument, or court order, as well as any applicable disclosure requirements or "reasonableness" standard for fees set forth in the law.
• Establishment of policies and procedures. The institution should establish written policies and procedures governing the acceptance of fees or other compensation from mutual fund providers, as well as the use of proprietary mutual funds. The policies must be reviewed and approved by the institution's board of directors or its designated committee. Policies and procedures should, at a minimum, address the following issues: (1) designation of decision-making authority; (2) analysis and documentation of investment decisions; (3) compliance with applicable laws, regulations, and sound fiduciary principles, including any disclosure requirements or reasonableness standards for fees; and (4) staff training and methods for monitoring compliance with policies and procedures by internal or external audit staff.
• Analysis and documentation of investment decisions. Where an institution receives fees or other compensation in connection with fiduciary-account investments over which it has investment discretion or where such investments are made in the institution's proprietary mutual funds, the institution should fully document its analysis supporting the investment decision. This analysis should be performed on a regular, ongoing basis and would typically include factors such as historical performance comparisons to similar mutual funds, management fees and expense ratios, and ratings by recognized mutual-fund rating services. The institution should also document its assessment that the investment is, and continues to be, appropriate for the individual account, in the best interest of account beneficiaries, and in compliance with section 23B of the FRA and with provisions of the "prudent-investor" or "prudent-man rules," as appropriate.

UNIFORM INTERAGENCY TRUST RATING SYSTEM

In December 1998, the Federal Reserve Board issued implementing guidelines for the Uniform Interagency Trust Rating System (UITRS).[5] The revised UITRS was made effective for examinations commencing on or after January 1, 1999.[6] Federal Reserve examiners should assign UITRS ratings in conformance with the definitions adopted by the Federal Financial Institutions Examination Council (FFIEC), as augmented by the guidance below.

A full composite UITRS rating is required to be assigned as a result of all trust examinations, except for targeted examinations, where component ratings need only be assigned for those areas included within the examination's scope. In those cases, component ratings should be assigned as the targeted examinations are completed. When an institution's trust activities are examined as a series of limited reviews over a period of time, the full UITRS rating should be assigned when the examination is considered complete, or at least as often as required under SR-01-05.

[4] 12 USC 371c-1(b)(2).
[5] The UITRS was developed by the Federal Financial Institutions Examination Council. SR-98-37 mandated the use of UITRS for Federal Reserve examinations of fiduciary activities.
[6] See 63 Fed. Reg. 54704 (October 13, 1998).

Additional Considerations for Specific UITRS Components

Management

The revised UITRS puts greater emphasis on assessing the quality of an institution's risk management, consistent with guidance previously provided to Federal Reserve examiners in SR-96-10. Examiners should continue to include in risk profiles and risk-management assessments the key risks outlined in SR-95-51, including reputation risk, operational risk, legal risk, credit risk, market risk, and liquidity risk. See also SR-16-11. Whether all of these risks or a subset of them is relevant to the assessment of risk management, and thus to the management rating, depends on the scope of the particular institution's fiduciary activities. The other four UITRS rating components may also include consideration of the institution's ability to manage some or all of these risks.

Earnings

Examiners must evaluate earnings for all institutions that exercise fiduciary powers. In addition, an earnings rating must be assigned for institutions that, at the time of the examination, have total fiduciary assets of more than $100 million and for all nondeposit trust companies. For all other institutions, examiners are not required to assign a rating and should only do so in cases where fiduciary activities are significant and the earnings rating would be meaningful to the overall rating. In these cases, examiners should use the standard earnings-rating definition, rather than the alternate-rating definitions provided in the UITRS. For examinations where no earnings rating is assigned, a rating of 0 should be given for the earnings component, and this component should be excluded from consideration in the composite rating.

Reserve examiners may, therefore, assign an earnings rating of 2 for an institution that has experienced losses in its fiduciary activities, provided that (1) management has determined that there are benefits to the overall institution or its community from offering fiduciary services, (2) losses from fiduciary activities are stable and consistent with management expectations, and (3) such losses do not have a significant adverse effect on the profitability of the institution as a whole.

Asset Management

As noted in the UITRS, the asset-management component may not be applicable for some institutions because their activities do not involve the management of discretionary assets. A rating for asset management may, therefore, be omitted for examinations of institutions whose operations are limited to activities such as directed-agency relationships, securities clearing, nonfiduciary custody relationships, or transfer-agent or registrar activities. However, this component rating should be assigned for an institution that provides investment advice, even though it does not have discretion over the account assets. Where an asset-management rating is not assigned for a particular examination, a rating of 0 should be given, and this component should be excluded from consideration in the composite rating.

Examination Reports

SR-96-26 requires that the UITRS rating be disclosed to the institution in the summary section of each examination report. In addition, the individual numerical component ratings, which should also be disclosed in the open section of the report, may be included in the summary section. If the component ratings are included in the summary section, the ratings should also be included in the open-section pages of the report in which trust findings are presented. If the Reserve Bank prefers not to
disclose the examiner’s evaluation of the com- ponent ratings to the institution, this information Earnings ratings of 3 or worse should be may be included in the confidential section of reserved for institutions whose earnings perfor- the report. Regardless of where in the report it mance indicates a supervisory problem requir- appears, the evaluation must include sufficient ing corrective action, which, if left unaddressed, detail to justify the rating assigned. may pose a risk to the institution. Federal


UITRS Description

Under the UITRS, the fiduciary activities of financial institutions are assigned a composite rating based on an evaluation and rating of five essential components of an institution’s fiduciary activities. Composite and component ratings are assigned based on a 1-to-5 numerical scale. A 1 is the highest rating and indicates the strongest performance and risk-management practices and the least degree of supervisory concern. A 5 is the lowest rating and indicates the weakest performance and risk-management practices and, therefore, the highest degree of supervisory concern. The evaluation of the composite and components considers the size and sophistication, the nature and complexity, and the risk profile of the institution’s fiduciary activities.

The composite rating generally bears a close relationship to the component ratings assigned. However, the composite rating is not derived by computing an arithmetic average of the component ratings. Each component rating is based on a qualitative analysis of the factors that make up a particular component and on its interrelationship with the other components. When assigning a composite rating, some components may be given more weight than others depending on the situation at the institution. In general, the assignment of a composite rating may incorporate any factor that bears significantly on the overall administration of the financial institution’s fiduciary activities. Assigned composite and component ratings are disclosed to the institution’s board of directors and senior management.

Management’s ability to respond to changing circumstances and address the risks that may arise from changing business conditions, or from the initiation of new fiduciary activities or products, is an important factor in evaluating an institution’s overall fiduciary-risk profile and the level of supervisory attention warranted. For this reason, the management component is given special consideration when assigning a composite rating.

The ability of management to identify, measure, monitor, and control the risks of its fiduciary operations is also taken into account when assigning each component rating. It is recognized, however, that appropriate management practices may vary considerably among financial institutions, depending on the size, complexity, and risk profiles of their fiduciary activities. For less complex institutions engaged solely in traditional fiduciary activities and whose directors and senior managers are actively involved in the oversight and management of day-to-day operations, relatively basic management systems and controls may be adequate. On the other hand, at more complex institutions, detailed and formal management systems and controls are needed to address a broader range of activities and to provide senior managers and directors with the information they need to supervise day-to-day activities.

All institutions are expected to properly manage their risks. For less complex institutions engaging in less risky activities, detailed or highly formalized management systems and controls are not required to receive strong or satisfactory component or composite ratings.

Composite Ratings

Composite ratings are based on a careful evaluation of how an institution conducts its fiduciary activities. The review encompasses the capability of management, the soundness of policies and practices, the quality of service rendered to the public, and the effect of fiduciary activities on the soundness of the institution. The composite ratings are defined as follows.

Composite 1

Administration of fiduciary activities is sound in every respect. Generally, all components are rated 1 or 2. Any weaknesses are minor and can be handled in a routine manner by management. The institution is in substantial compliance with fiduciary laws and regulations. Risk-management practices are strong relative to the size, complexity, and risk profile of the institution’s fiduciary activities. Fiduciary activities are conducted in accordance with sound fiduciary principles and give no cause for supervisory concern.

Composite 2

Administration of fiduciary activities is fundamentally sound. Generally, no component rating should be more severe than 3. Only moderate weaknesses are present and are well within management’s capabilities and willingness to

correct. Fiduciary activities are conducted in substantial compliance with laws and regulations. Overall risk-management practices are satisfactory relative to the institution’s size, complexity, and risk profile. There are no material supervisory concerns and, as a result, the supervisory response is informal and limited.

Composite 3

Administration of fiduciary activities exhibits some degree of supervisory concern in one or more of the component areas. A combination of weaknesses exists that may range from moderate to severe; however, the magnitude of the deficiencies generally does not cause a component to be rated more severely than 4. Management may lack the ability or willingness to effectively address weaknesses within appropriate time frames. Additionally, fiduciary activities may reveal some significant noncompliance with laws and regulations. Risk-management practices may be less than satisfactory relative to the institution’s size, complexity, and risk profile. Although problems of relative significance may exist, they are not of such importance as to pose a threat to the trust beneficiaries generally or to the soundness of the institution. The institution’s fiduciary activities require more-than-normal supervision and may include formal or informal enforcement actions.

Composite 4

Fiduciary activities generally exhibit unsafe and unsound practices or conditions, resulting in unsatisfactory performance. The problems range from severe to critically deficient and may be centered around inexperienced or inattentive management, weak or dangerous operating practices, or an accumulation of unsatisfactory features of lesser importance. The weaknesses and problems are not being satisfactorily addressed or resolved by the board of directors and management. There may be significant noncompliance with laws and regulations. Risk-management practices are generally unacceptable relative to the size, complexity, and risk profile of fiduciary activities. These problems pose a threat to the account beneficiaries generally and, if left unchecked, could evolve into conditions that could cause significant losses to the institution and ultimately undermine public confidence in the institution. Close supervisory attention is required, which means, in most cases, formal enforcement action is necessary to address the problems.

Composite 5

Fiduciary activities are conducted in an extremely unsafe and unsound manner. Administration of fiduciary activities is critically deficient in numerous major respects, with problems resulting from incompetent or neglectful administration, flagrant or repeated disregard for laws and regulations, or a willful departure from sound fiduciary principles and practices. The volume and severity of problems are beyond management’s ability or willingness to control or correct. Such conditions evidence a flagrant disregard for the interests of the beneficiaries and may pose a serious threat to the soundness of the institution. Continuous close supervisory attention is warranted and may include termination of the institution’s fiduciary activities.

Component Ratings

The five key components used to assess an institution’s fiduciary activities are (1) the capability of management; (2) the adequacy of operations, controls, and audits; (3) the quality and level of earnings; (4) compliance with governing instruments, applicable law (including self-dealing and conflicts-of-interest laws and regulations), and sound fiduciary principles; and (5) the management of fiduciary assets.

Each of the component-rating descriptions is divided into three sections: a narrative description of the component, a list of the principal factors used to evaluate that component, and a description of each numerical rating for that component. Some of the evaluation factors are repeated under one or more of the other components to reinforce the interrelationship among components.

Management

The management rating reflects the capability of the board of directors and management, in their respective roles, to identify, measure, monitor, and control the risks of an institution’s fiduciary

activities. The rating also reflects the ability of the board of directors and management to ensure that the institution’s fiduciary activities are conducted in a safe and sound manner and in compliance with applicable laws and regulations. Directors should provide clear guidance regarding acceptable risk-exposure levels and ensure that appropriate policies, procedures, and practices are established and followed. Senior fiduciary management is responsible for developing and implementing policies, procedures, and practices that translate the board’s objectives and risk limits into prudent operating standards.

Depending on the nature and scope of an institution’s fiduciary activities, management practices may need to address some or all of the following risks: reputation, operating or transaction, strategic, compliance, legal, credit, market, liquidity, and other risks. Sound management practices are demonstrated by active oversight by the board of directors and management; competent personnel; adequate policies, processes, and controls that consider the size and complexity of the institution’s fiduciary activities; and effective risk-monitoring and management information systems. This rating should reflect the board’s and management’s ability as it applies to all aspects of fiduciary activities in which the institution is involved.

The management rating is based on an assessment of the capability and performance of management and the board of directors, including, but not limited to, the following evaluation factors:

• the level and quality of oversight and support of fiduciary activities by the board of directors and management, including committee structure and adequate documentation of committee actions
• the ability of the board of directors and management, in their respective roles, to plan for and respond to risks that may arise from changing business conditions or the introduction of new activities or products
• the adequacy of and conformance with appropriate internal policies, practices, and controls addressing the operations and risks of significant fiduciary activities
• the accuracy, timeliness, and effectiveness of management information and risk-monitoring systems appropriate for the institution’s size, complexity, and fiduciary-risk profile
• the overall level of compliance with laws, regulations, and sound fiduciary principles
• responsiveness to recommendations from auditors and regulatory authorities
• strategic planning for fiduciary products and services
• the level of experience and competence of fiduciary management and staff, including issues relating to turnover and succession planning
• the adequacy of insurance coverage
• the availability of competent legal counsel
• the extent and nature of pending litigation associated with fiduciary activities, and its potential impact on earnings, capital, and the institution’s reputation
• the process for identifying and responding to fiduciary-customer complaints.

Ratings of management. A rating of 1 indicates strong performance by management and the board of directors and strong risk-management practices relative to the size, complexity, and risk profile of the institution’s fiduciary activities. All significant risks are consistently and effectively identified, measured, monitored, and controlled. Management and the board are proactive and have demonstrated the ability to promptly and successfully address existing and potential problems and risks.

A rating of 2 indicates satisfactory management and board performance and risk-management practices relative to the size, complexity, and risk profile of the institution’s fiduciary activities. Moderate weaknesses may exist, but are not material to the sound administration of fiduciary activities and are being addressed. In general, significant risks and problems are effectively identified, measured, monitored, and controlled.

A rating of 3 indicates management and board performance that needs improvement or risk-management practices that are less than satisfactory given the nature of the institution’s fiduciary activities. The capabilities of management or the board of directors may be insufficient for the size, complexity, and risk profile of the institution’s fiduciary activities. Problems and significant risks may be inadequately identified, measured, monitored, or controlled.

A rating of 4 indicates deficient management and board performance or risk-management practices that are inadequate considering the size, complexity, and risk profile of the institution’s fiduciary activities. The level of problems and

risk exposure is excessive. Problems and significant risks are inadequately identified, measured, monitored, or controlled and require immediate action by the board and management to protect the assets of account beneficiaries and to prevent erosion of public confidence in the institution. Replacing or strengthening management or the board may be necessary.

A rating of 5 indicates critically deficient management and board performance or risk-management practices. Management and the board of directors have not demonstrated the ability to correct problems and implement appropriate risk-management practices. Problems and significant risks are inadequately identified, measured, monitored, or controlled and now threaten the continued viability of the institution or its administration of fiduciary activities, and they pose a threat to the safety of the assets of account beneficiaries. Replacing or strengthening management or the board of directors is necessary.

Operations, Internal Controls, and Auditing

The operations, internal controls, and auditing rating reflects the adequacy of the institution’s fiduciary operating systems and internal controls in relation to the volume and character of business conducted. Audit coverage must ensure the integrity of the financial records, the sufficiency of internal controls, and the adequacy of the compliance process.

Fiduciary operating systems, internal controls, and the audit function subject an institution primarily to transaction and compliance risk. Other risks, including reputation, strategic, and financial risk, also may be present. The ability of management to identify, measure, monitor, and control these risks is reflected in this rating.

The operations, internal controls, and auditing rating is based on, but not limited to, an assessment of the following evaluation factors:

• operations and internal controls, including the adequacy of—
 — staff, facilities, and operating systems;
 — records, accounting, and data processing systems (including controls over systems access and such accounting procedures as aging, investigation, and disposition of items in suspense accounts);
 — trading functions and securities-lending activities;
 — vault controls and securities movement;
 — segregation of duties;
 — controls over disbursements (checks or electronic) and unissued securities;
 — controls over income-processing activities; and
 — reconciliation processes (depository, , vault, subcustodians, suspense accounts, etc.)
• disaster or business-recovery programs—
 — hold-mail procedures and controls over returned mail, and
 — investigation and proper escheatment of funds in dormant accounts
• auditing, including—
 — the independence, frequency, quality, and scope of the internal and external fiduciary-audit function relative to the volume, character, and risk profile of the institution’s fiduciary activities;
 — the volume or severity of internal-control and audit exceptions and the extent to which these issues are tracked and resolved; and
 — the experience and competence of the audit staff.

Ratings of operations, internal controls, and auditing. A rating of 1 indicates that operations, internal controls, and auditing are strong in relation to the volume and character of the institution’s fiduciary activities. All significant risks are consistently and effectively identified, measured, monitored, and controlled.

A rating of 2 indicates that operations, internal controls, and auditing are satisfactory in relation to the volume and character of the institution’s fiduciary activities. Moderate weaknesses may exist, but are not material. Significant risks, in general, are effectively identified, measured, monitored, and controlled.

A rating of 3 indicates that operations, internal controls, or auditing need improvement in relation to the volume and character of the institution’s fiduciary activities. One or more of these areas are less than satisfactory. Problems and significant risks may be inadequately identified, measured, monitored, or controlled.

A rating of 4 indicates deficient operations, internal controls, or audits. One or more of these areas are inadequate or the level of problems and risk exposure is excessive in relation to the volume and character of the institution’s fiduciary activities. Problems and significant risks are inadequately identified, measured, monitored, or controlled and require immediate action. Institutions with this level of deficiencies may make little provision for audits, or they may evidence weak or potentially dangerous operating practices in combination with infrequent or inadequate audits.

A rating of 5 indicates critically deficient operations, internal controls, or audits. Operating practices, with or without audits, pose a serious threat to the safety of assets of fiduciary accounts. Problems and significant risks are inadequately identified, measured, monitored, or controlled and now threaten the ability of the institution to continue engaging in fiduciary activities.

Earnings

The earnings rating reflects the profitability of an institution’s fiduciary activities and their effect on the financial condition of the institution. The use and adequacy of budgets and earnings projections by functions, product lines, and clients are reviewed and evaluated. Risk exposure that may lead to negative earnings is also evaluated.

An evaluation of earnings is required for all institutions with fiduciary activities. An assignment of an earnings rating, however, is required only for institutions that, at the time of the examination, have total trust assets of more than $100 million or that are a nondeposit trust company.

The evaluation of earnings is based on, but not limited to, an assessment of the following factors:

• the profitability of fiduciary activities in relation to the size and scope of those activities and to the overall business of the institution
• the overall importance to the institution of offering fiduciary services to its customers and local community
• the effectiveness of the institution’s procedures for monitoring fiduciary-activity income and expense relative to the size and scope of these activities and their relative importance to the institution, including the frequency and scope of profitability reviews and planning by the institution’s board of directors or a committee thereof

For those institutions for which a rating of earnings is mandatory, additional factors should include the following:

• the level and consistency of profitability, or the lack thereof, generated by the institution’s fiduciary activities in relation to the volume and character of the institution’s business
• dependence on nonrecurring fees and commissions, such as fees for court accounts
• the effects of charge-offs or compromise actions
• unusual features regarding the composition of business and fee schedules
• accounting practices that contain practices such as (1) unusual methods of allocating direct and indirect expenses and overhead, or (2) unusual methods of allocating fiduciary income and expense where two or more fiduciary institutions within the same holding company family share fiduciary services or processing functions
• the extent of management’s use of budgets, projections, and other cost-analysis procedures
• methods used for directors’ approval of financial budgets or projections
• management’s attitude toward growth and new-business development
• new-business development efforts, including types of business solicited, market potential, advertising, competition, relationships with local organizations, and an evaluation by management of the risk potential inherent in new business areas

Ratings of earnings. A rating of 1 indicates strong earnings. The institution consistently earns a rate of return on its fiduciary activities that is commensurate with the risk of those activities. This rating would normally be supported by a history of consistent profitability over time and a judgment that future earnings prospects are favorable. In addition, management techniques for evaluating and monitoring earnings performance are fully adequate, and there is appropriate oversight by the institution’s board of directors or a committee thereof. Management makes effective use of budgets and cost-analysis procedures. Methods used for reporting earnings information to the board of directors, or a committee thereof, are comprehensive.

A rating of 2 indicates satisfactory earnings. Although the earnings record may exhibit some weaknesses, earnings performance does not pose a risk to the overall institution nor to its ability

to meet its fiduciary obligations. Generally, fiduciary earnings meet management targets and appear to be at least sustainable. Management processes for evaluating and monitoring earnings are generally sufficient in relationship to the size and risk of fiduciary activities that exist, and any deficiencies can be addressed in the normal course of business. A rating of 2 may also be assigned to institutions with a history of profitable operations if there are indications that management is engaging in activities with which it is not familiar or where there may be inordinately high levels of risk present that have not been adequately evaluated. Alternatively, an institution with otherwise strong earnings performance may also be assigned a 2 rating if there are significant deficiencies in its methods used to monitor and evaluate earnings.

A rating of 3 indicates less-than-satisfactory earnings. Earnings are not commensurate with the risk associated with the fiduciary activities undertaken. Earnings may be erratic or exhibit downward trends, and future prospects are unfavorable. This rating may also be assigned if management processes for evaluating and monitoring earnings exhibit serious deficiencies, provided the deficiencies identified do not pose an immediate danger to either the overall financial condition of the institution or its ability to meet its fiduciary obligations.

A rating of 4 indicates earnings that are seriously deficient. Fiduciary activities have a significant adverse effect on the overall income of the institution and its ability to generate adequate capital to support the continued operation of its fiduciary activities. The institution is characterized by fiduciary earnings performance that is poor historically or that faces the prospect of significant losses in the future. Management processes for monitoring and evaluating earnings may be poor. The board of directors has not adopted appropriate measures to address significant deficiencies.

A rating of 5 indicates critically deficient earnings. In general, an institution with this rating is experiencing losses from fiduciary activities that have a significant negative impact on the overall institution, representing a distinct threat to its viability through the erosion of its capital. The board of directors has not implemented effective actions to address the situation.

Alternate rating of earnings. The UITRS alternate rating of earnings is not for use by Federal Reserve System examiners, per the December 1998 Federal Reserve UITRS implementing guidelines. For institutions where the assignment of an earnings rating is not required by the UITRS, an FFIEC federal supervisory agency has the option to assign an earnings rating using an alternate set of ratings. The alternate ratings are provided here so examiners will be able to interpret earnings ratings assigned by other banking supervisors that have adopted the alternate-rating system for earnings. Under the alternate-ratings scheme, alternate ratings are assigned based on the level of implementation of four minimum standards by the board of directors and management:

• Standard No. 1. The institution has reasonable methods for measuring income and expense commensurate with the volume and nature of the fiduciary services offered.
• Standard No. 2. The level of profitability is reported to the board of directors, or a committee thereof, at least annually.
• Standard No. 3. The board of directors periodically determines that the continued offering of fiduciary services provides an essential service to the institution’s customers or to the local community.
• Standard No. 4. The board of directors, or a committee thereof, reviews the justification for the institution to continue to offer fiduciary services, even if the institution does not earn sufficient income to cover the expenses of providing those services.

Ratings to be applied for the alternate rating of earnings. A rating of 1 may be assigned where an institution has implemented all four minimum standards. If fiduciary earnings are lacking, management views this as a cost of doing business as a full-service institution and believes that the negative effects of not offering fiduciary services are more significant than the expense of administrating those services.

A rating of 2 may be assigned where an institution has implemented, at a minimum, three of the four standards. This rating may be assigned if the institution is not generating positive earnings or where formal earnings information may not be available.

A rating of 3 may be assigned if the institution has implemented at least two of the four standards. Although management may have attempted to identify and quantify other revenue to be earned by offering fiduciary services, it has decided that these services should be offered as

a service to customers, even if they cannot be operated profitably.

A rating of 4 may be assigned if the institution has implemented only one of the four standards. Management has undertaken little or no effort to identify or quantify the collateral advantages, if any, to the institution from offering fiduciary services.

A rating of 5 may be assigned if the institution has implemented none of the standards.

Compliance

The compliance rating reflects an institution’s overall compliance with applicable laws, regulations, accepted standards of fiduciary conduct, governing account instruments, duties associated with account administration, and internally established policies and procedures. This component specifically incorporates an assessment of a fiduciary’s duty of undivided loyalty and compliance with applicable laws, regulations, and accepted standards of fiduciary conduct related to self-dealing and other conflicts of interest.

The compliance component includes reviewing and evaluating the adequacy and soundness of adopted policies, procedures, and practices generally and as they relate to specific transactions and accounts. It also includes reviewing policies, procedures, and practices to evaluate the sensitivity of management and the board of directors to refrain from self-dealing, minimize potential conflicts of interest, and resolve actual conflict situations in favor of the fiduciary-account beneficiaries.

Risks associated with account administration are potentially unlimited because each account is a separate contractual relationship that contains specific obligations. Risks associated with account administration include failure to comply with applicable laws, regulations, or terms of the governing instrument; inadequate account-administration practices; and inexperienced management or inadequately trained staff. Risks associated with a fiduciary’s duty of undivided loyalty generally stem from engaging in self-dealing or other conflict-of-interest transactions. An institution may be exposed to compliance, strategic, financial, and reputation risk related to account-administration and conflicts-of-interest activities. The ability of management to identify, measure, monitor, and control these risks is reflected in this rating. Policies, procedures, and practices pertaining to account administration and conflicts of interest are evaluated in light of the size and character of an institution’s fiduciary business.

The compliance rating is based on, but not limited to, an assessment of the following evaluation factors:

• compliance with applicable federal and state statutes and regulations, including, but not limited to, federal and state fiduciary laws, the Employee Retirement Income Security Act of 1974, federal and state securities laws, state investment standards, state principal and income acts, and state probate codes
• compliance with the terms of governing instruments
• the adequacy of overall policies, practices, and procedures governing compliance, considering the size, complexity, and risk profile of the institution’s fiduciary activities
• the adequacy of policies and procedures addressing account administration
• the adequacy of policies and procedures addressing conflicts of interest, including those designed to prevent the improper use of “material inside information”
• the effectiveness of systems and controls in place to identify actual and potential conflicts of interest
• the adequacy of securities-trading policies and practices relating to the allocation of brokerage business; the payment of services with “soft dollars”; and the combining, crossing, and timing of trades
• the extent and permissibility of transactions with related parties, including, but not limited to, the volume of related commercial and fiduciary relationships and holdings of corporations in which directors, officers, or employees of the institution may be interested
• the decision-making process used to accept, review, and terminate accounts
• the decision-making process related to account-administration duties, including cash balances, overdrafts, and discretionary distributions

Ratings of compliance. A rating of 1 indicates strong compliance policies, procedures, and practices. Policies and procedures covering conflicts of interest and account administration are appropriate in relation to the size and complexity of the institution’s fiduciary activities. Accounts are administered in accordance with governing

instruments, applicable laws and regulations, sound fiduciary principles, and internal policies and procedures. Any violations are isolated, technical in nature, and easily correctable. All significant risks are consistently and effectively identified, measured, monitored, and controlled.

A rating of 2 indicates fundamentally sound compliance policies, procedures, and practices in relation to the size and complexity of the institution’s fiduciary activities. Account administration may be flawed by moderate weaknesses in policies, procedures, or practices. Management’s practices indicate a determination to minimize the instances of conflicts of interest. Fiduciary activities are conducted in substantial compliance with laws and regulations, and any violations are generally technical in nature. Management corrects violations in a timely manner and without loss to fiduciary accounts. Significant risks are effectively identified, measured, monitored, and controlled.

A rating of 3 indicates compliance practices that are less than satisfactory in relation to the size and complexity of the institution’s fiduciary activities. Policies, procedures, and controls have not proven effective and require strengthening. Fiduciary activities may be in substantial noncompliance with laws, regulations, or governing instruments, but losses are no worse than minimal. Although management may have the ability to achieve compliance, the number of violations that exist, or the failure to correct prior violations, is an indication that management has not devoted sufficient time and attention to its compliance responsibilities. Risk-management practices generally need improvement.

A rating of 4 indicates an institution with deficient compliance practices in relation to the size and complexity of its fiduciary activities. Account administration is notably deficient. The institution makes little or no effort to minimize potential conflicts or refrain from self-dealing, and it is confronted with a considerable number of potential or actual conflicts. Numerous substantive and technical violations of laws and regulations exist, and many may remain uncorrected from previous examinations. Management has not exerted sufficient effort to effect compliance and may lack the ability to effectively administer fiduciary activities. The level of compliance problems is significant and, if left unchecked, may subject the institution to monetary losses or reputation risk. Risks are inadequately identified, measured, monitored, and controlled.

A rating of 5 indicates critically deficient compliance practices. Account administration is critically deficient or incompetent, and there is a flagrant disregard for the terms of the governing instruments and interests of account beneficiaries. The institution frequently engages in transactions that compromise its fundamental duty of undivided loyalty to account beneficiaries. There are flagrant or repeated violations of laws and regulations and significant departures from sound fiduciary principles. Management is unwilling or unable to operate within the scope of laws and regulations or within the terms of governing instruments, and efforts to obtain voluntary compliance have been unsuccessful. The severity of noncompliance presents an imminent monetary threat to account beneficiaries and creates significant legal and financial exposure to the institution. Problems and significant risks are inadequately identified, measured, monitored, or controlled and now threaten the ability of management to continue engaging in fiduciary activities.

Asset Management

The asset-management rating reflects the risks associated with managing the assets (including cash) of others. Prudent portfolio management is based on an assessment of the needs and objectives of each account or portfolio. An evaluation of asset management should consider the adequacy of processes related to the investment of all discretionary accounts and portfolios, including collective investment funds, proprietary mutual funds, and investment advisory arrangements.

The institution’s asset-management activities subject it to reputation, compliance, and strategic risks. In addition, each individual account or portfolio managed by the institution is subject to financial risks such as market, credit, liquidity, and interest-rate risk, as well as transaction and compliance risk. The ability of management to identify, measure, monitor, and control these risks is reflected in this rating.

The asset-management rating is based on, but not limited to, an assessment of the following evaluation factors:

• the adequacy of overall policies, practices, and procedures governing asset management, considering the size, complexity, and risk profile of the institution’s fiduciary activities


• the decision-making processes used for selection, retention, and preservation of discretionary assets, including adequacy of documentation, committee review and approval, and a system to review and approve exceptions
• the use of quantitative tools to measure the various financial risks in investment accounts and portfolios
• the existence of policies and procedures addressing the use of derivatives or other complex investment products
• the adequacy of procedures related to the purchase or retention of miscellaneous assets, including real estate, notes, closely held companies, limited partnerships, mineral interests, insurance, and other unique assets
• the extent and adequacy of periodic reviews of investment performance, taking into consideration the needs and objectives of each account or portfolio
• the monitoring of changes in the composition of fiduciary assets for trends and related risk exposure
• the quality of investment research used in the decision-making process and documentation of the research
• the due-diligence process for evaluating investment advice received from vendors or brokers (including approved or focus lists of securities)
• the due-diligence process for reviewing and approving brokers or counterparties used by the institution

This rating may not be applicable for some institutions because their operations do not include activities involving the management of any discretionary assets. Functions of this type would include, but not necessarily be limited to, directed-agency relationships, securities clearing, nonfiduciary custody relationships, and transfer-agent and registrar activities. In institutions of this type, the rating for asset management may be omitted by the examiner in accordance with the examining agency’s implementing guidelines. However, this component should be assigned when the institution provides investment advice, even though it does not have discretion over the account assets. An example of this type of activity would be where the institution selects or recommends the menu of mutual funds offered to participant-directed 401(k) plans.

Ratings of asset management. A rating of 1 indicates strong asset-management practices. Identified weaknesses are minor in nature. Risk exposure is modest in relation to management’s abilities and the size and complexity of the assets managed.

A rating of 2 indicates satisfactory asset-management practices. Moderate weaknesses are present and are well within management’s ability and willingness to correct. Risk exposure is commensurate with management’s abilities and the size and complexity of the assets managed. Supervisory response is limited.

A rating of 3 indicates that asset-management practices are less than satisfactory in relation to the size and complexity of the assets managed. Weaknesses may range from moderate to severe; however, they are not of such significance as to generally pose a threat to the interests of account beneficiaries. Asset-management and risk-management practices generally need to be improved. An elevated level of supervision is normally required.

A rating of 4 indicates deficient asset-management practices in relation to the size and complexity of the assets managed. The levels of risk are significant and inadequately controlled. The problems pose a threat to account beneficiaries generally and, if left unchecked, may subject the institution to losses and could undermine the reputation of the institution.

A rating of 5 represents critically deficient asset-management practices and a flagrant disregard of fiduciary duties. These practices jeopardize the interests of account beneficiaries, subject the institution to losses, and may pose a threat to the soundness of the institution.

Private-Banking Activities Effective date April 2016 Section 5210.1

The role of bank regulators in supervising private-banking activities is (1) to evaluate management’s ability to measure and control the risks associated with such activities and (2) to determine if the proper internal control and audit infrastructures are in place to support effective compliance with relevant laws and regulations. In this regard, the supervisors may determine that certain risks have not been identified or adequately managed by the institution, a potentially unsafe and unsound banking practice.

Private-banking functions may be performed in a specific department of a commercial bank, an Edge corporation or its foreign subsidiaries, a nonbank subsidiary, a branch or agency of a foreign banking organization, or multiple areas of an institution. Private banking may also be the sole business of an institution. Regardless of how an institution is organized or where it is located, the results of the private-banking review should be reflected in the entity’s overall supervisory assessment.1

This section provides examiners with guidance for reviewing private-banking activities at all types and sizes of financial institutions. It is intended to supplement, not replace, existing guidance on the examination of private-banking activities and to broaden the examiner’s review of general risk-management policies and practices governing private-banking activities. In addition to providing an overview of private banking, the general types of customers, and the various products and services typically provided, the ‘‘Functional Review’’ subsection describes the critical functions that constitute a private-banking operation and identifies certain safe and sound banking practices. These critical functions are supervision and organization, risk management, fiduciary standards, operational controls, management information systems, audit, and compliance. Included in the risk-management portion is a discussion of the basic ‘‘customer-due-diligence’’ (CDD) principle that is the foundation for the safe and sound operation of a private-banking business. The ‘‘Preparation for Examination’’ subsection assists in defining the examination scope and provides a list of core requests to be made in the first-day letter. Additional examination guidance can be found in this manual, the Federal Financial Institutions Examination Council’s (FFIEC) Bank Secrecy Act/Anti-Money Laundering (BSA/AML) Examination Manual, the Federal Reserve System’s Trading and Capital-Markets Activities Manual, and the FFIEC Information Technology Examination Infobase.

In reviewing specific functional and product-examination procedures (as found in the private-banking activities module that is part of the framework for risk-focused supervision of large complex institutions), all aspects of the private-banking review should be coordinated with the rest of the examination to eliminate unnecessary duplication of effort. Furthermore, this section has introduced the review of trust activities and fiduciary services, critical components of most private-banking operations, as part of the overall private-banking review. Although the product nature of these activities differs from that of products generated by other banking activities, such as lending and deposit taking, the functional components of private banking (supervision and organization, risk management, operational controls and management information systems, audit, compliance, and financial condition/business profile) should be reviewed across product lines.

Private banking offers the personal and discrete delivery of a wide variety of financial services and products to an affluent market, primarily to high net worth individuals and their corporate interests. A private-banking operation typically offers its customers an all-inclusive money-management relationship, including investment portfolio management, financial-planning advice, offshore facilities, custodial services, funds transfer, lending services, overdraft privileges, hold mail, letter-of-credit financing, and bill-paying services. As the affluent market grows, both in the United States and globally, competition to serve it is becoming more intense. Consequently, the private-banking marketplace includes banks, nonbanks, and other types of banking organizations and financial institutions. Private-banking products, services, technologies, and distribution channels are still evolving. A range of private-banking products and services may be offered to customers throughout an institution’s global network of affiliated entities—including branches, subsidiaries, and representative offices—in many different regions of the world, including offshore secrecy jurisdictions.

1. Throughout this section, the word bank will be used to describe all types of financial institutions, and the term board of directors will be interchangeable with senior management of branches and agencies of foreign banks.

Typically, private-banking customers are high net worth individuals or institutional investors who have minimum investible assets of $1 million or more. Institutions often differentiate domestic from international private banking, and they may further segregate the international function on the basis of the geographic location of their international client base. International private-banking clients may be wealthy individuals who live in politically unstable nations and are seeking a safe haven for their capital. Therefore, obtaining detailed background information and documentation about the international client may be more difficult than it is for the domestic customer. Private-banking accounts may, for example, be opened in the name of an individual, a commercial business, a law firm, an investment adviser, a trust, a personal investment company (PIC), or an offshore mutual fund.

In 2001, the USA PATRIOT Act (the Patriot Act) established new and enhanced measures to prevent, detect, and prosecute money laundering and terrorist financing. In general, these measures were enacted through amendments to the Bank Secrecy Act (BSA). The measures directly affecting banking organizations are implemented primarily through regulations issued by the U.S. Department of the Treasury (31 CFR 1010).2 Section 326 of the Patriot Act (see the BSA at 31 USC 5318(l)) requires financial institutions (such as banks, savings associations, and credit unions) to have customer identification programs.

A customer identification program is dependent on whether an account has been created. An “account” is defined in the CIP rule as “a formal banking relationship established to provide or engage in services, dealings, or other financial transactions, including a deposit account, a transaction or asset account, a credit account or other extension of credit.” An account also includes “a relationship established to provide a safety deposit box or other safekeeping services or to provide cash management, custodian, or trust services.”3 Under the CIP rule, a person that opens a new account is deemed a customer.4 An account does not include:

• “products and services for which a formal banking relationship is not generally established with a person, such as check cashing, wire transfer, or the sale of a check or money order” or
• any account that the bank acquires, or accounts opened, to participate in an employee benefit plan established under the Employee Retirement Income Security Act of 1974.

(Refer to SR-16-7 and its interagency attachment.) Customer identification programs are to include measures to—

• require that certain information be obtained at account opening (for individuals, the information would generally include their name, address, tax identification number, and date of birth);
• verify the identity of new account holders within a reasonable time period;
• ensure that a banking organization has a reasonable belief that it knows each customer’s identity;
• maintain records of the information used to verify a person’s identity; and
• compare the names of new customers against government lists of known or suspected terrorists or terrorist organizations.

A customer identification program is an important component of a financial institution’s overall anti-money-laundering and BSA compliance program.

The FFIEC BSA/AML Examination Manual provides the interagency BSA examination procedures that should be used to evaluate banking organizations’ compliance with the regulation. The examination’s scope can be tailored to the reliability of the banking organization’s compliance-management system and to the level of risk that the organization assumes. Relevant interagency guidance (in a frequently-asked-question format) has been issued to address the customer identification program rules. (See SR-05-9.)

2. For banking organizations, the regulation implementing the requirements of section 326 of the Patriot Act was jointly issued by the U.S. Department of the Treasury, through the Financial Crimes Enforcement Network (FinCEN), and the Board of Governors of the Federal Reserve System, the Office of the Comptroller of the Currency, the Federal Deposit Insurance Corporation, the Office of Thrift Supervision, and the National Credit Union Administration.
3. 31 CFR 1020.100(a)(1).
4. 31 CFR 1020.100(c)(1)(i).


Private-banking accounts are usually generated on a referral basis. Every client of a private-banking operation is assigned a salesperson or marketer, commonly known as a relationship manager (RM), as the primary point of contact with the institution. The RM is generally charged with understanding and anticipating the needs of his or her wealthy clients and then recommending services and products for them. The number of accounts an RM handles varies, depending on the portfolio size or net worth of the particular accounts. RMs strive to provide a high level of support, service, and investment opportunities to their clients and tend to maintain strong, long-term client relationships. Frequently, RMs take accounts with them to other private-banking institutions if they change employment. Historically, initial and ongoing due diligence of private-banking clients is not always well documented in the institution’s files because of RM turnover and confidentiality concerns.

Clients may choose to delegate a great deal of authority and discretion over their financial affairs to RMs. Given the close relationship between clients and their account officers, an integral part of the examination process is assessing the adequacy of managerial oversight of the nature and volume of transactions conducted within the private-banking department or with other departments of the financial institution, as well as determining the adequacy and integrity of the RM’s procedures. Policy guidelines and management supervision should provide parameters for evaluating the appropriateness of all products, especially those involving market risk. Moreover, because of the discretion given to RMs, management should develop effective procedures to review the activity of client accounts in order to protect the client from any unauthorized activity. In addition, ongoing monitoring of account activity should be conducted to detect activity that is inconsistent with the client profile (for example, frequent or sizable unexplained transfers flowing through the account).

Finally, as clients develop a return-on-assets (ROA) outlook to enhance their returns, the use of leveraging and arbitrage is becoming more evident in the private-banking business. Examiners should be alert to the totality of the client relationship product by product, in light of increasing client awareness and use of derivatives, emerging-market products, foreign exchange, and margined accounts.

Products and Services

Personal Investment Companies, Offshore Trusts, and Token-Name Accounts

Private-banking services almost always involve a high level of confidentiality for clients and their account information. Consequently, it is not unusual for private bankers to help their clients achieve their financial-planning, estate-planning, and confidentiality goals through offshore vehicles such as personal investment companies (PICs), trusts, or more-exotic arrangements, such as hedge fund partnerships. While these vehicles may be used for legitimate reasons, without careful scrutiny, they may camouflage illegal activities. Private bankers should be committed to using sound judgment and enforcing prudent banking practices, especially when they are assisting clients in establishing offshore vehicles or token-name accounts.

Through their global network of affiliated entities, private banks often form PICs for their clients. These ‘‘shell’’ companies, which are incorporated in offshore secrecy jurisdictions such as the Cayman Islands, Channel Islands, Bahamas, British Virgin Islands, and Netherlands Antilles, are formed to hold the customer’s assets as well as offer confidentiality by opening accounts in the PIC’s name. The ‘‘beneficial owners’’ of the shell corporations are typically foreign nationals. The banking institution should know and be able to document that it knows the beneficial owners of such corporations and that it has performed the appropriate due diligence to support these efforts. Emphasis should be placed on verifying the source or origin of the customer’s wealth. Similarly, offshore trusts established in these jurisdictions should identify grantors of the trusts and sources of the grantors’ wealth. Anonymous relationships or relationships in which the RM does not know and document the beneficial owner should not be permitted.

PICs are typically passive personal investment vehicles. However, foreign nationals have established PICs as operating accounts for business entities they control in their home countries. Accordingly, financial institutions should use extra care when dealing with beneficial owners of PICs and associated trusts; these vehicles can be used to conceal illegal activities.
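One way to implement the profile-based account monitoring described above (the same check the Deposit Taking subsection asks for on deposit-account flows, including internal transfers between affiliated accounts), as an added example that is not the manual's own material: the profile fields, the rule thresholds, the client identifiers and the sample transactions are all constructed assumptions.

```python
"""Profile-based monitoring of a private-banking deposit account.

Added example (not code from the Commercial Bank Examination Manual).
The profile fields, rule thresholds and sample transactions below are
constructed for illustration only.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import date


@dataclass
class ClientProfile:
    """Expected activity, as recorded in the client's CDD file (assumed fields)."""
    client_id: str
    typical_transfer: float          # usual size of one outgoing transfer
    expected_monthly_volume: float   # usual total outflow in a month
    known_counterparties: set = field(default_factory=set)


@dataclass
class Transaction:
    client_id: str
    when: date
    kind: str          # "wire", "internal", "check" or "cash"
    amount: float      # positive = inflow, negative = outflow
    counterparty: str  # account, affiliate or branch on the other side


def monitor(profile, txns, size_multiple=3.0, freq_window_days=7, freq_limit=4):
    """Return (rule, date, counterparty, amount) alerts for activity that is
    inconsistent with the profile; each alert is a candidate for SAR review.

    Rules (thresholds are assumptions, not values from the manual):
      size        one transfer larger than size_multiple x typical_transfer
      unexplained transfer to a counterparty not documented in the CDD file
      frequency   more than freq_limit transfers within freq_window_days
      volume      a calendar month's outflow above expected_monthly_volume
    Internal transfers between affiliated accounts are deliberately included,
    since the manual asks for them to be monitored alongside wires.
    """
    own = [t for t in txns if t.client_id == profile.client_id]
    transfers = sorted((t for t in own if t.kind in ("wire", "internal")),
                       key=lambda t: t.when)
    alerts = []
    for t in transfers:
        if abs(t.amount) > size_multiple * profile.typical_transfer:
            alerts.append(("size", t.when, t.counterparty, t.amount))
        if t.counterparty not in profile.known_counterparties:
            alerts.append(("unexplained", t.when, t.counterparty, t.amount))
    # Sliding window over transfer dates (the list is date-sorted).
    window = []
    for t in transfers:
        window.append(t.when)
        window = [d for d in window if (t.when - d).days < freq_window_days]
        if len(window) > freq_limit:
            alerts.append(("frequency", t.when, t.counterparty, t.amount))
    # Monthly outflow versus the profile's expected volume.
    monthly = defaultdict(float)
    for t in own:
        if t.amount < 0:
            monthly[(t.when.year, t.when.month)] += -t.amount
    for (year, month), volume in sorted(monthly.items()):
        if volume > profile.expected_monthly_volume:
            alerts.append(("volume", date(year, month, 1), "*", volume))
    return alerts


# Constructed profile and activity for one client; the second client's wire
# is there to show that monitoring is scoped to the profile being checked.
PROFILE = ClientProfile("PB-0001", typical_transfer=50_000.0,
                        expected_monthly_volume=300_000.0,
                        known_counterparties={"PIC-CAYMAN-17", "BROKER-A"})

SAMPLE_TXNS = [
    Transaction("PB-0001", date(2024, 3, 1), "wire", -40_000.0, "BROKER-A"),
    Transaction("PB-0001", date(2024, 3, 2), "cash", 5_000.0, "BRANCH-NY"),
    Transaction("PB-0001", date(2024, 3, 3), "wire", -45_000.0, "PIC-CAYMAN-17"),
    Transaction("PB-0001", date(2024, 3, 4), "internal", -60_000.0, "PIC-CAYMAN-17"),
    Transaction("PB-0001", date(2024, 3, 5), "wire", -48_000.0, "BROKER-A"),
    Transaction("PB-0001", date(2024, 3, 6), "wire", -200_000.0, "ACCT-UNKNOWN-9"),
    Transaction("PB-0002", date(2024, 3, 6), "wire", -900_000.0, "ACCT-UNKNOWN-9"),
]

if __name__ == "__main__":
    for rule, when, counterparty, amount in monitor(PROFILE, SAMPLE_TXNS):
        print(f"{when} {rule:<11} {counterparty:<15} {amount:>12,.2f}")
```

Run against the sample, the 6 March wire trips all three transfer rules and pushes March outflow past the expected volume; the first five transactions alone produce no alert.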


Deposit Taking

A client’s private-banking relationship frequently begins with a deposit account and then expands into other products. In fact, many institutions require private-banking customers to establish a deposit account before maintaining any other accounts. Deposit accounts serve as conduits for a client’s money flows. To distinguish private-banking accounts from retail accounts, institutions usually require significantly higher minimum account balances and assess higher fees. The private-banking function or institution should have account-opening procedures and documentation requirements that must be fulfilled before a deposit account can be opened. (These standards are described in detail in the ‘‘Functional Review’’ subsection.)

Most private banks offer a broad spectrum of deposit products, including multicurrency deposit accounts that are used by clients who engage in foreign-exchange, securities, and derivatives transactions. The client’s transaction activity, such as wire transfers, check writing, and cash deposits and withdrawals, is conducted through deposit accounts (including current accounts). It is very important that the transaction activity into and out of these deposit accounts (including internal transfers between affiliated depository accounts) be closely monitored for suspicious transactions that are inconsistent with the client’s profile of usual transactions. Suspicious transactions could warrant the filing of a Suspicious Activity Report for Depository Institutions (SAR) form. A bank holding company or any nonbank subsidiary thereof, or a foreign bank that is subject to the Bank Holding Company Act (or any nonbank subsidiary of such a foreign bank operating in the United States), is required to file a SAR form in accordance with the provision of section 208.62 of the Federal Reserve Board’s Regulation H (12 CFR 208.62) when suspicious transactions or activities are initially discovered and warrant or require reporting. See the expanded procedures for private banking in the FFIEC’s BSA/AML Examination Manual.

On March 15, 2006, the Board approved a revision to Regulation K (effective April 19, 2006) that incorporates by reference into sections 211.5 and 211.24 of Regulation K section 208.63 of Regulation H. The incorporation results in the requirement that Edge and agreement corporations and other foreign banking organizations (that is, Federal Reserve supervised U.S. branches, agencies, and representative offices of foreign banks) must establish and maintain procedures reasonably designed to ensure and monitor compliance with the BSA and related regulations. Each of these banking organizations’ compliance programs must include, at a minimum, (1) a system of internal controls to ensure ongoing compliance, (2) independent testing of compliance by the institution’s personnel or by an outside party, (3) the designation of an individual or individuals responsible for coordinating and monitoring day-to-day compliance, and (4) training for appropriate personnel. (See SR-06-7.)

Investment Management

In private banking, investment management usually consists of two types of accounts: (1) discretionary accounts in which portfolio managers make the investment decisions on the basis of recommendations from the bank’s investment research resources and (2) nondiscretionary (investment advisory) accounts in which clients make their own investment decisions when conducting trades. For nondiscretionary clients, the banks typically offer investment recommendations subject to the client’s written approval. Discretionary accounts consist of a mixture of instruments bearing varying degrees of market, credit, and liquidity risk that should be appropriate to the client’s investment objectives and risk appetite. Both account types are governed under separate agreements between the client and the institution.

Unlike depository accounts, securities and other instruments held in the client’s investment accounts are not reflected on the balance sheet of the institution because they belong to the client. These managed assets are usually accounted for on a separate ledger that is segregated according to the customer who owns the assets.

Credit

Private-banking clients may request extensions of credit on either a secured or an unsecured basis. Loans backed by cash collateral or managed assets held by the private-banking function are quite common, especially in international private banking. Private-banking clients may pledge a wide range of their assets, including

cash, mortgages, marketable securities, land, or buildings, to securitize their loans. Management should demonstrate an understanding of the purpose of the credit, the source of repayment, the tenor, and the collateral used in the financing. When lending to individuals with high net worths, whether on a secured or an unsecured basis, the creditworthiness determination is bolstered by a thorough and well-structured customer-due-diligence process. If that process is not thorough, collateral derived from illicit activities may be subject to government forfeiture.

Borrowing mechanisms are sometimes established to afford nonresident-alien customers the ability to keep financial assets in the United States and to use such assets (via collateralized borrowing arrangements) to provide operating capital for businesses they own and operate in their home countries. Such arrangements enable these customers to keep the existence of the financial assets secret from their home-country authorities and others, while they continue to use the funds (via collateralized borrowings) to fund the businesses at home.

Private bankers need to maintain in the United States adequate CDD information on such nonresident-alien customers and their primary business interests. A well-documented CDD file may include information on the customer from “who’s who” and similar services, Internet research, foreign tax returns and financial statements, checks conducted by the Office of Foreign Assets Control (OFAC), and written and appropriately documented Call Reports prepared by the RM.

While these lending mechanisms may be used for legitimate reasons, management needs to determine whether the arrangements are being used primarily to obfuscate the beneficial ownership of collateral assets, making it difficult for the customer’s home-country government to identify who owns the assets. If so, management needs to further determine whether the practice varies from both the appropriate standards of international cooperation for transparency issues and prudent banking practices, and if so, whether the institution is exposed to elevated legal risk.

Payable-Through Accounts

Another product that may be available in private-banking operations is payable-through accounts (PTAs). PTAs are transaction deposit accounts through which U.S. banking entities (‘‘payable-through banks’’) extend check-writing privileges to the customers of a foreign bank. The foreign bank (‘‘master account holder’’) opens a master checking account with the U.S. bank and uses this account to provide its customers with access to the U.S. banking system. The master account is divided into ‘‘subaccounts,’’ each in the name of one of the foreign bank’s customers. The foreign bank extends signature authority on its master account to its own customers, who may not be known to the U.S. bank. Consequently, the U.S. bank may have customers who have not been subject to the same account-opening requirements imposed on its U.S. account holders. These subaccount customers are able to write checks and make deposits at the U.S. banking entity. The number of subaccounts permitted under this arrangement may be virtually unlimited.

U.S. banking entities engage in PTAs primarily because they attract dollar deposits from the domestic market of their foreign correspondents without changing the primary bank-customer relationship; PTAs also provide substantial fee income. Generally, PTAs at U.S. banking entities have the following characteristics: they are carried on the U.S. banking entity’s books as a correspondent account, their transaction volume is high, checks passing through the account contain wording similar to ‘‘payable through XYZ bank,’’ and the signatures appearing on checks are not those of authorized officers of the foreign bank. See the expanded examination procedures for PTAs in the FFIEC’s BSA/AML Examination Manual.

Personal Trust and Estates

In trust and estate accounts, an institution offers management services for a client’s assets. When dealing with trusts under will, or ‘‘testamentary trusts,’’ the institution may receive an estate appointment (executor) and a trustee appointment if the will provided for the trust from the probate. These accounts are fully funded at origination with no opportunity for an outside party to add to the account, and all activities are subject to review by the probate or surrogates’ court. On the other hand, with living trusts, or “grantor trusts,” the customer (grantor) may continually add to and, in some instances, has control over the corpus of the account. Trusts

and estates require experienced attorneys, money managers, and generally well-rounded professionals to set up and maintain the accounts. In certain cases, bankers may need to manage a customer's closely held business or sole proprietorship. In the case of offshore trust facilities, recent changes in U.S. law have imposed additional obligations on those banks that function as trustees or corporate management for offshore trusts and PICs.

A critical element in offering personal trust and estate services is the fiduciary responsibility of the institutions to their customers. This responsibility requires that institutions always act in the best interest of the clients pursuant to the trust documentation, perhaps even to the detriment of the bank. In these accounts, the bank is the fiduciary and the trust officer serves as a representative of the institution. Fiduciaries are held to higher standards of conduct than other bankers. Proper administration of trusts and estates includes strict controls over assets, prudent investment and management of assets, and meticulous recordkeeping. See the expanded examination procedures for trust and asset-management services in the FFIEC's BSA/AML Examination Manual.

Custody Services

Custodial services offered to private-banking customers include securities safekeeping, receipt and disbursement of dividends and interest, recordkeeping, and accounting. Custody relationships can be established in many ways, including by referrals from other departments in the bank or from outside investment advisers. The customer or a designated financial adviser retains full control of the investment management of the property subject to the custodianship. Sales and purchases of assets are made by instruction from the customer, and cash disbursements are prearranged or as instructed. Custody accounts involve no investment supervision and no discretion. However, the custodian may be responsible for certain losses if it fails to act properly according to the custody agreement. Therefore, procedures for proper administration should be established and reviewed.

An escrow account is a form of custody account in which the institution agrees to hold cash or securities as a middleman, or third party. The customer, for example, an attorney or a travel agency, gives the institution funds to hold until the ultimate receiver of the funds "performs" in accordance with the written escrow agreement, at which time the institution releases the funds to the designated party.

Funds Transfer

Funds transfer, another service offered by private-banking functions, may involve the transfer of funds between third parties as part of bill-paying and investment services on the basis of customer instructions. The adequacy of controls over funds-transfer instructions that are initiated electronically or telephonically is extremely important. Funds-transfer requests are processed quickly, as required by law, and funds-transfer personnel may have limited knowledge of the customers or the purpose of the transactions. Therefore, strong controls and adequate supervision over this area are critical. See section 4063.1.

Hold Mail, No Mail, and Electronic-Mail Only

Hold-mail, no-mail, or electronic-mail-only accounts are often provided to private-banking customers who elect to have bank statements and other documents maintained at the institution rather than mailed to their residence. Agreements for hold-mail accounts should be in place, and the agreements should indicate that it was the customer's choice to have the statements retained at the bank and that the customer will pick up his or her mail at least annually. Variations of hold-mail services include delivery of mail to a prearranged location (such as another branch of the bank) by special courier or the bank's pouch system.

Bill-Paying Services

Bill-paying services are often provided to private-banking customers for a fee. If this service is provided, an agreement between the bank and the customer should exist. Typically, a customer may request that the bank debit a deposit account for bills, utilities, rent, mortgage payments, or other monthly consumer charges. In addition, the increased use of the Internet has given rise to the "electronic-mail-only" account, whereby customers elect to

have statements, notices, etc., sent to them only by e-mail.

FUNCTIONAL REVIEW

When discussing the functional aspects of a private-banking operation, functional refers to managerial processes and procedures, such as reporting lines, quality of supervision (including involvement of the board of directors), information flows, policies and procedures, risk-management policies and methodologies, segregation of duties, management information systems, operational controls (including BSA/AML monitoring), and audit coverage. The examiner should be able to draw sound conclusions about the quality and culture of management and stated private-banking policies after reviewing the functional areas described below. Specifically, the institution's risk-identification process and risk appetite should be carefully defined and assessed. Additionally, the effectiveness of the overall control environment maintained by management should be evaluated by an internal or external audit. The effectiveness of the following functional areas is critical to any private-banking operation, regardless of its size or product offerings.

Supervision and Organization

As part of the examiner's appraisal of an organization, the quality of supervision of private-banking activities is evaluated. The appraisal of management covers the full range of functions and activities related to the operation of the private-banking function. The discharge of responsibilities by bank directors should be effected through an organizational plan that accommodates the volume and business services handled, local business practices and the bank's competition, and the growth and development of the institution's private-banking business. Organizational planning is the joint responsibility of senior bank and private-bank management, should be integrated with the long-range plan for the institution, and should be consistent with any enterprise-wide risk-management program.

Both the directors and management have important roles in formulating policies and establishing programs for private-banking products, operations, internal controls, and audits. However, management alone must implement policies and programs within the organizational framework instituted by the board of directors.

Risk Management

Sound risk-management processes and strong internal controls are critical to safe and sound banking generally and to private-banking activities in particular. Management's role in ensuring the integrity of these processes has become increasingly important as new products and technologies are introduced. Similarly, the client-selection, documentation, approval, and account-monitoring processes should adhere to sound and well-identified practices.

The quality of risk-management practices and internal controls is given significant weight in the evaluation of management and the overall condition of private-banking operations. A bank's failure to establish and maintain a risk-management framework that effectively identifies, measures, monitors, and controls the risks associated with products and services should be considered unsafe and unsound conduct. Furthermore, well-defined management practices should indicate the types of clients that the institution will and will not accept and should establish multiple and segregated levels of authorization for accepting new clients. Institutions that follow sound practices will be better positioned to design and deliver products and services that match their clients' legitimate needs, while reducing the likelihood that unsuitable clients might enter their client account base. Deficiencies noted in this area are weighted in the context of the relative risk they pose to the institution and are appropriately reflected in the appraisal of management.

The private-banking function is exposed to a number of risks, including reputational, fiduciary, legal, credit, operational, and market. A brief description of some of the different types of risks follows:

• Reputational risk is the potential that negative publicity regarding an institution's business practices and clients, whether true or not, could cause a decline in the customer base, costly litigation, or revenue reductions.
• Fiduciary risk refers to the risk of loss due to the institution's failure to exercise loyalty;

safeguard assets; and, for trusts, to use assets productively and according to the appropriate standard of care. This risk generally exists in an institution to the extent that it exercises discretion in managing assets on behalf of a customer.
• Legal risk arises from the potential of unenforceable contracts, client lawsuits, or adverse judgments to disrupt or otherwise negatively affect the operations or condition of a banking organization. One key dimension of legal risk is supervisory action that could result in costly fines or other punitive measures being levied against an institution for compliance breakdowns.
• Credit risk arises from the potential that a borrower or counterparty will fail to perform on an obligation.
• Operational risk arises from the potential that inadequate information systems, operational problems, breaches in internal controls, fraud, or unforeseen catastrophes will result in unexpected losses.

Although effective management of all of the above risks is critical for an institution, certain aspects of reputational, legal, and fiduciary risks are often unique to a private-banking function. In this regard, the following customer-due-diligence policies and practices are essential in the management of reputational and legal risks in the private-banking functions. (In addition, sound fiduciary practices and conflicts-of-interest issues that a private-banking operation may face in acting as fiduciary are described in the subsection on fiduciary standards.)

Customer-Due-Diligence Policy and Procedures

Sound customer-due-diligence (CDD) policies and procedures are essential to minimize the risks inherent in private banking. The policies and procedures should clearly describe the target client base in terms such as "minimum investable net worth" and "types of products sought," as well as specifically indicate the type of clientele the institution will or will not accept. Policies and procedures should be designed to ensure that effective due diligence is performed on all potential clients, that client files are bolstered with additional CDD information on an ongoing basis, and that activity in client accounts is monitored for transactions that are inconsistent with the client profile and may constitute unlawful activities, such as money laundering. The client's identity, background, and the nature of his or her transactions should be documented and approved by the back office before opening an account or accepting client monies. Certain high-risk clients, such as foreign politicians or money exchange houses, should have additional documentation to mitigate their higher risk.

Money laundering is associated with a broad range of illicit activities: the ultimate intention is to disguise the money's true source, from the initial placement of illegally derived cash proceeds to the layers of financial transactions that disguise the audit trail, and make the funds appear legitimate. Under U.S. money-laundering statutes, a bank employee can be held personally liable if he or she is deemed to engage in "willful blindness." This condition occurs when the employee fails to make reasonable inquiries to satisfy suspicions about client account activities.

Since the key element of an effective CDD policy is a comprehensive knowledge of the client, the bank's policies and procedures should clearly reflect the controls needed to ensure the policy is fully implemented. CDD policies should clearly delineate the accountability and authority for opening accounts and for determining if effective CDD practices have been performed on each client. In addition, policies should delineate documentation standards and accountability for gathering client information from referrals among departments or areas within the institution as well as from accounts brought to the institution by new RMs.

In carrying out prudent CDD practices on potential private-banking customers, management should document efforts to obtain and corroborate critical background information. Private-banking employees abroad often have local contacts who can assist in corroborating information received from the customer. The information listed below should be corroborated by a reliable, independent source, when possible:

• The customer's current address and telephone number for his or her primary residence, which should be corroborated at regular intervals, can be verified through a variety of methods, such as the following:
— visiting the residence, office, factory, or farm (with the RM recording the results

of the visit or conversations in a memorandum);
— checking the information against the telephone directory; the client's residence, as indicated on his or her national ID card; a mortgage or bank statement or utility or property tax bill; or the electoral or tax rolls;
— obtaining a reference from the client's government or known employer or from another bank;
— checking with a credit bureau or professional corroboration organization; or
— any other method verified by the RM.
• Sufficient business information about the customer should be gathered so that the RM understands the profile of the customer's commercial transactions. This information should include a description of the nature of the customer's business operations or means of generating income, primary trade or business areas, and major clients and their geographic locations, as well as the primary business address and telephone number. These items can be obtained through a combination of any of the following sources:
— a visit to the office, factory, or farm
— a reliable third party who has a business relationship with the customer
— financial statements
— Dun and Bradstreet reports
— newspaper or magazine articles
— LexisNexis reports on the customer or customer's business
— "Who's Who" reports from the home country
— private investigations
• Although it is often not possible to get proof of a client's wealth, the RM can use his or her good judgment to derive a reasonable estimate of the individual's net worth.
• As part of the ongoing CDD process, the RM should document in memos or "call reports" the substance of discussions that take place during frequent visits with the client. Additional information about a client's wealth, business, or other interests provides insight into potential marketing opportunities for the RM and the bank, and updates and strengthens the CDD profile.

As a rule, most private banks make it a policy not to accept walk-in clients. If an exception is made, procedures for the necessary documentation and approvals supporting the exception should be in place. Similarly, other exceptions to policy and procedures should readily identify the specific exception and the required due-diligence and approval process for overriding existing procedures.

In most instances, all CDD information and documentation should be maintained and available for examination and inspection at the location where the account is located or where the financial services are rendered. If the bank maintains centralized customer files in locations other than where the account is located or the financial services are rendered, complete customer information, identification, and documentation must be made available at the location where the account is located or where the financial services are rendered within 48 hours of a Federal Reserve examiner's request. Off-site storage of CDD information will be allowed only if the bank has adopted, as part of its customer-due-diligence program, specific procedures designed to ensure that (1) the accounts are subject to ongoing Office of Foreign Assets Control screening that is equivalent to the screening afforded other accounts, (2) the accounts are subject to the same degree of review for suspicious activity, and (3) the bank demonstrates that the appropriate review of the information and documentation is being performed by personnel at the offshore location.

CDD procedures should be no different when the institution deals with a financial adviser or other type of intermediary acting on behalf of a client. To perform its CDD responsibilities when dealing with a financial adviser, the institution should identify the beneficial owner of the account (usually the intermediary's client, but in rare cases, it is the intermediary itself) and perform its CDD analysis with respect to that beneficial owner. The imposition of an intermediary between the institution and counterparty should not lessen the institution's CDD responsibilities.

The purpose of all private-banking relationships should also be readily identified. Incoming customer funds may be used for various purposes, such as establishing deposit accounts, funding investments, or establishing trusts. The bank's CDD procedures should allow for the collection of sufficient information to develop a transaction or client profile for each customer, which will be used in analyzing client transactions. Internal systems should be developed for monitoring and identifying transactions that may be inconsistent with the transaction or client

profile for a customer and which may thus constitute suspicious activity.

Suspicious Activity Reports by Depository Institutions. The proper and timely filing of Suspicious Activity Report (SAR) forms is an important component of a bank's CDD program. Since 1996, the federal financial institution supervisory agencies and the Department of the Treasury's Financial Crimes Enforcement Network (FinCEN) have required banking organizations to report known or suspected violations of law as well as suspicious transactions on a suspicious activity report or SAR form. See the Board's SAR form regulation (Regulation H, section 208.62 (12 CFR 208.62)).5 Law enforcement agencies use the information reported on the form to initiate investigations, and Federal Reserve staff use the SAR form information in their examination and oversight of supervised institutions.

5. The Board's SAR form rules apply to state member banks, bank holding companies and their nonbank subsidiaries, some of which have other independent SAR requirements (for example, broker-dealers), Edge and agreement corporations, and the U.S. branches and agencies of foreign banks supervised by the Federal Reserve.

A member bank is required to file a SAR form with the appropriate federal law enforcement agencies and the Department of the Treasury. A SAR form must be prepared in accordance with the form's instructions and is to be sent to FinCEN when an institution detects:

• insider abuse involving any amount,
• violations aggregating $5,000 or more in which a suspect can be identified,
• violations aggregating $25,000 or more regardless of a potential suspect, or
• transactions aggregating $5,000 or more that involve potential money laundering or violations of the Bank Secrecy Act.

When a SAR form is filed, the management of a member bank must promptly notify its board of directors or a committee thereof.

A SAR form must be filed within 30 calendar days after the date of initial detection of the facts that may constitute a basis for filing a SAR form. If no suspect was identified on the date of detection of the incident requiring the filing, a member bank may delay filing a SAR form for an additional 30 calendar days in order to identify the suspect. Reporting may not be delayed more than 60 calendar days after the date of initial detection of a reportable transaction. In situations involving violations requiring immediate attention, such as when a reportable violation is ongoing, the financial institution is required to immediately notify an appropriate law enforcement authority in addition to its timely filing of a SAR form.

A bank's internal systems for capturing suspicious activities should provide essential information about the nature and volume of activities passing through customer accounts. Any information suggesting that suspicious activity has occurred should be pursued, and, if an explanation is not forthcoming, the matter should be reported to the bank's management. Examiners should ensure that the bank's approach to SAR forms is proactive and that well-established procedures cover the SAR form process. Accountability should exist within the organization for the analysis and follow-up of internally identified suspicious activity; this analysis should conclude with a decision on the appropriateness of filing a SAR form. See the core procedures concerning suspicious-activity-reporting requirements in the FFIEC BSA/AML Examination Manual.

Credit-Underwriting Standards

The underwriting standards for private-banking loans to high net worth individuals should be consistent with prudent lending standards. The same credit policies and procedures that are applicable to any other type of lending arrangement should extend to these loans. At a minimum, sound policies and procedures should address the following: all approved credit products and services offered by the institution, lending limits, acceptable forms of collateral, geographic and other limitations, conditions under which credit is granted, repayment terms, maximum tenor, loan authority, collections and charge-offs, and prohibition against capitalization of interest.

An extension of credit based solely on collateral, even if the collateral is cash, does not ensure repayment. While the collateral enhances the bank's position, it should not substitute for regular credit analyses and prudent lending practices. If collateral is derived from illegal activities, it is subject to forfeiture through the seizure of assets by a government agency. The bank should perform its due diligence by adequately and reasonably ascertaining and documenting

that the funds of its private-banking customers were derived from legitimate means. Banks should also verify that the use of the loan proceeds is for legitimate purposes.

In addition, bank policies should explicitly describe the terms under which "margin loans," loans collateralized by securities, are made and should ensure that they conform to applicable regulations. Management should review and approve daily management information system (MIS) reports. The risk of market deterioration in the value of the underlying collateral may subject the lender to loss if the collateral must be liquidated to repay the loan. In the event of a "margin call," any shortage should be paid promptly by the customer from other sources pursuant to the terms of the margin agreement.

In addition, policies should address the acceptance of collateral held at another location, such as an affiliated entity, but pledged to the private-banking function. Under these circumstances, management of the private-banking function should, at a minimum, receive frequent reports detailing the collateral type and current valuation. In addition, management of the private-banking function should be informed of any changes or substitutions in collateral.

Fiduciary Standards

Fiduciary risk is managed through the maintenance of an effective and accountable committee structure; retention of technically proficient staff; and development of effective policies, procedures, and controls. In managing its fiduciary risk, the bank must ensure that it carries out the following fiduciary duties:

• Duty of loyalty. Trustees are obligated to make all decisions based exclusively on the best interests of trust customers. Except as permitted by law, trustees cannot place themselves in a position in which their interests might conflict with those of the trust beneficiaries.
• Avoidance of conflicts of interest. Conflicts of interest arise in any transaction in which the fiduciary simultaneously represents the interests of multiple parties (including its own interests) that may be adverse to one another. Institutions should have detailed policies and procedures regarding potential conflicts of interest. All potential conflicts identified should be brought to the attention of management and the trust committee, with appropriate action taken. Conflicts of interest may arise throughout an institution. Care should be taken by fiduciary business lines, in particular, to manage conflicts of interest between fiduciary business lines and other business lines (including other fiduciary business lines). Consequently, management throughout the institution should receive training in these matters. For more information on the supervision of fiduciary activities, see section 4200.0 in this manual and section 3120.0 of the Bank Holding Company Supervision Manual.
• Duty to prudently manage discretionary trust and agency assets. Since 1994, the majority of states have adopted laws concerning the prudent investor rule (PIR) with respect to the investment of funds in a fiduciary capacity. PIR is a standard of review that imposes an obligation to prudently manage the portfolio as a whole, focusing on the process of portfolio management, rather than on the outcome of individual investment decisions. Although this rule only governs trusts, the standard is traditionally applied to all accounts for which the institution is managing funds.

Operational Controls

To minimize any operational risks associated with private-banking activities, management is responsible for establishing an effective internal control infrastructure and reliable management information systems. Critical operational controls over any private-banking activity include the establishment of written policies and procedures, segregation of duties, and comprehensive management reporting. Throughout this section, specific guidelines and examination procedures for assessing internal controls over different private-banking activities are provided. Listed below are some of those guidelines that cover specific private-banking services.

Segregation of Duties

Banking organizations should have guidelines on the segregation of employees' duties in order to prevent the unauthorized waiver of documentation requirements, poorly documented referrals, and overlooked suspicious activities. Independent oversight by the back office helps to ensure compliance with account-opening procedures and CDD documentation. Control-conscious institutions may use independent units, such as compliance, risk management, or senior management, to fill this function in lieu of the back office. The audit and compliance functions of the private-banking entity should be similarly independent so that they can operate autonomously from line management.

Inactive and Dormant Accounts

Management should be aware that banking laws in most states prohibit banks from offering services that allow deposit accounts to be inactive for prolonged periods of time (generally, 12 or more months with no externally generated account-balance activity). These regulations are based on the presumption that inactive and dormant accounts may be subject to manipulation and abuse by insiders. Policies and procedures should delineate when inactivity occurs and when inactive accounts should be converted to dormant status. Effective controls over dormant accounts should include a specified time between the last customer-originated activity and its classification as dormant, the segregation of signature cards for dormant accounts, dual control of records, and the blocking of the account so that entries cannot be posted to the account without review by more than one member of senior management.

Payable-Through Accounts and Omnibus Accounts

Payable-through accounts (PTAs) extend checking-account privileges to the customers of a foreign bank; several risks are involved in providing these accounts. In particular, if the U.S. banking entity does not exercise the same due diligence and customer vetting for PTAs as it does for domestic account relationships, the use of PTAs may facilitate unsafe and unsound banking practices or illegal activities, including money laundering. Additionally, if accounts at U.S. banking entities are used for illegal purposes, the entities could be exposed to reputational risk and risk of financial loss as a result of asset seizures and forfeitures brought by law enforcement authorities. It is recommended that U.S. banking entities terminate a payable-through arrangement with a foreign bank in situations in which (1) adequate information about the ultimate users of PTAs cannot be obtained, (2) the foreign bank cannot be relied on to identify and monitor the transactions of its own customers, or (3) the U.S. banking entity is unable to ensure that its payable-through accounts are not being used for money laundering or other illicit purposes.

Omnibus, or general clearing, accounts may also exist in the private-banking system. They may be used to accommodate client funds before an account opening to expedite a new relationship, or they may fund products such as mutual funds in which client deposit accounts may not be required. However, these accounts could circumvent an audit trail of client transactions. Examiners should carefully review a bank's use of such accounts and the adequacy of its controls on their appropriate use. Generally, client monies should flow through client deposit accounts, which should function as the sole conduit and paper trail for client transactions.

Hold-Mail, No-Mail, and E-mail-Only Controls

Controls over hold-mail, no-mail, and e-mail-only accounts are critical because the clients have relinquished their ability to detect unauthorized transactions in their accounts in a timely manner. Accounts with high volume or significant losses warrant further inquiry. Hold-mail, no-mail, and e-mail-only account operations should ensure that client accounts are subject to dual control and are reviewed by an independent party.

Funds Transfer—Tracking Transaction Flows

One way that institutions can improve their customer knowledge is by tracking the transaction flows into and out of customer accounts and payable-through subaccounts. Tracking should include funds-transfer activities. Policies and procedures to detect unusual or suspicious activities should identify the types of activities that would prompt staff to investigate the customer's activities and should provide guidance on the appropriate action required for suspicious activity. The following is a checklist

April 2015 Commercial Bank Examination Manual Page 12 Private-Banking Activities 5210.1 to guide bank personnel in identifying some • aggregate the assets under management potential abuses: according to customer, product or service, geographic area, and business unit • indications of frequent overrides of estab- • attribute revenue according to customer and lished approval authority or other internal product type controls • identify customer accounts that are related to • intentional circumvention of approval author- or affiliated with one another through common ity by splitting transactions ownership or common control • identify and aggregate customer accounts by • wire transfers to and from known secrecy source of referral jurisdictions • identify beneficial ownership of trust, PIC, • frequent or large wire transfers for persons and similar accounts who have no account relationship with the bank, or funds being transferred into and out To monitor and report transaction activity and to of an omnibus or general clearing account detect suspicious transactions, management instead of the client’s deposit account reports may be developed to— • wire transfers involving cash amounts in excess of $10,000 • monitor a specific transaction criterion, such • inadequate control of password access as a minimum dollar amount or volume or activity level; • customer complaints or frequent error • monitor a certain type of transaction, such as conditions one with a particular pattern; • monitor individual customer accounts for variations from established transaction and Custody—Detection of Free Riding activity profiles based on what is usual or expected for that customer; and Custody departments should monitor account • monitor specific transactions for BSA com- activity to detect instances of free-riding, the pliance. 
practice of offering the purchase of securities without sufficient capital and then using the In addition, reports prepared for private- proceeds of the sale of the same securities to banking customers should be accurate, timely, cover the initial purchase. Free-riding poses and informative. Regular reports and statements significant risk to the institution and typi- prepared for private-banking customers should cally occurs without the bank’s prior knowl- adequately and accurately describe the appli- edge. Free-riding also violates margin rules cation of their funds and should detail all trans- (Regulations T, U, and X) governing the exten- actions and activity that pertain to the custom- sion of credit in connection with securities ers’ accounts. transactions. (See SR-93-13.) Furthermore, MIS and technology play a role in building new and more direct channels of information between the institution and its private-banking customers. Active and sophisti- Management Information Systems cated customers are increasing their demand for data relevant to their investment needs, which is Management information systems (MIS) should fostering the creation of online information accumulate, interpret, and communicate infor- services. Online information can satisfy custom- mation on (1) the private-banking assets under ers’ desire for convenience, real-time access to management, (2) profitability, (3) business and information, and a seamless delivery of transaction activities, and (4) inherent risks. The information. form and content of MIS for private-banking activities will be a function of the size and complexity of the private-banking organization. Audit Accurate, informative, and timely reports that perform the following functions may be pre- An effective audit function is vital to ensuring pared and reviewed by RMs and senior the strength of a private bank’s internal controls. management: As a matter of practice, internal and external

Commercial Bank Examination Manual April 2015 Page 13 5210.1 Private-Banking Activities auditors should be independently verifying and the private-banking function. Following is a confirming that the framework of internal con- description of certain regulations that may be trols is being maintained and operated in a monitored by the compliance function. manner that adequately addresses the risks associated with the activities of the organiza- tion. Critical elements of an effective internal Office of Foreign Assets Control audit function are the strong qualifications and expertise of the internal audit staff and a sound The Office of Foreign Assets Control (OFAC) of risk-assessment process for determining the the U.S. Department of the Treasury administers scope and frequency of specific audits. The audit and enforces economic and trade sanctions based process should be risk-focused and should ulti- on U.S. foreign policy and national security mately determine the risk rating of business goals. Sanctions are imposed against targeted lines and client CDD procedures. Compliance foreign countries, terrorists, international narcot- with CDD policies and procedures and the ics traffickers, and those engaged in activities detailed testing of files for CDD documentation related to the proliferation of weapons of mass are also key elements of the audit function. destruction. OFAC acts under presidential war- Finally, examiners should review and evaluate time and national emergency powers, as well as management’s responsiveness to criticisms by under authority granted by specific legislation, the audit function. to impose controls on transactions and freeze foreign assets under U.S. jurisdiction. Many of the sanctions are based on United Nations and Compliance other international mandates, are multilateral in scope, and involve close cooperation with allied The responsibility for ensuring effective com- governments. 
Under the International Emer- pliance with relevant laws and regulations may gency Economic Powers Act, the President can vary among different forms of institutions, impose sanctions, such as trade embargoes, the depending on their size, complexity, and avail- freezing of assets, and import surcharges, on ability of resources. Some institutions may certain foreign countries and the ‘‘specially have a distinct compliance department with the designated nationals’’ of those countries. centralized role of ensuring compliance A ‘‘specially designated national’’ is a person institution-wide, including private-banking or entity who acts on behalf of one of the activities. This arrangement is strongly prefer- countries under economic sanction by the United able to a situation in which an institution del- States. Dealing with such nationals is prohib- egates compliance to specific functions, which ited. Moreover, their assets or accounts in the may result in the management of private- United States are frozen. In certain cases, the banking operations being responsible for its Treasury Department can issue a license to a own internal review. Compliance has a critical designated national. This license can then be role in monitoring private-banking activities; presented by the customer to the institution, the function should be independent of line allowing the institution to debit his or her management. In addition to ensuring compli- account. The license can be either general or ance with various laws and regulations such as specific. the Bank Secrecy Act and those promulgated OFAC screening may be difficult when trans- by the Office of Foreign Assets Control, com- actions are conducted through PICs, token pliance may perform its own internal investiga- names, numbered accounts, or other vehicles tions and due diligence on employees, custom- that shield true identities. 
Management must ers, and third parties with whom the bank has ensure that accounts maintained in a name other contracted in a consulting or referral capacity than that of the beneficial owner are subject to and whose behavior, activities, and transactions the same level of filtering for OFAC specially appear to be unusual or suspicious. Institutions designated nationals and blocked foreign coun- may also find it beneficial for compliance to tries as other accounts. That is, the OFAC review and authorize account-opening docu- screening process must include the account’s mentation and CDD adequacy for new beneficial ownership as well as the official accounts. The role of compliance is a control account name. function, but it should not be a substitute for Any violation of regulations implementing regular and frequent internal audit coverage of designated national sanctions subjects the viola-

April 2015 Commercial Bank Examination Manual Page 14 Private-Banking Activities 5210.1 tor to criminal prosecution, including prison the institution and to the time frame of the sentences and fines to corporations and prior private-banking review. individuals, per incident. Any funds frozen • Obtain relevant correspondence sent since the because of OFAC orders should be placed in a prior examination, such as management’s blocked account. Release of those funds can- response to the report of examination, any not occur without a license from the Treasury applications submitted to the Federal Reserve, Department. and any supervisory action. • Research press releases and published news stories about the institution and its private- Bank Secrecy Act banking activities. • Review internal and external audit reports and Guidelines for compliance with the Bank any internal risk assessments performed by Secrecy Act (BSA) can be found in the FFIEC the institution on its private-banking activi- BSA/AML Examination Manual. See also the ties. Such reports should include an assess- question-and-answer format interpretations (SR- ment of the internal controls and risk profile 05-9) of the U.S. Department of Treasury’s of the private-banking function. regulation (31 CFR 1010) for banking organiza- • Contact the institution’s management to tions, which is based on section 326 of the ascertain what changes have occurred since Patriot Act. In addition, the procedures for the last exam or are planned in the near future. conducting BSA examinations of foreign offices For example, examiners should determine if of U.S. banks are detailed in the FFIEC BSA/ there have been changes to the strategic plan; AML Examination Manual. The SAR form filing senior management; or the level and type of requrements for nonbank subsidiaries of bank private-banking activities, products, and ser- holding companies and state member banks are vices offered. 
If there is no mention of private also set forth in SR-10-8. banking in the prior examination report, man- agement should be asked at this time if they have commenced or plan to commence any private-banking activities. PREPARATION FOR • Follow the core examination procedures in EXAMINATION the FFIEC BSA/AML Examination Manual in order to establish the base scope for the The following subsections provide examiners examination of private-banking activities. with guidance on preparing for the on-site Review and follow the expanded procedures examination of private-banking operations, for private banking and any other expanded including determination of the examination scope procedures that are deemed necessary. and drafting of the first-day-letter questionnaire that is provided to the institution. Examination Staffing and Scope

Preexamination Review Once the exam scope has been established and before beginning the new examination, the To prepare the examiners for their assignments examiner-in-charge and key administrators of and to determine the appropriate staffing and the examination team should meet to discuss the scope of the examination, the following guide- private-banking examination scope, the assign- lines should be followed during the preexami- ments of the functional areas of private banking, nation planning process: and the supplemental reviews of specific private- banking products and services. If the bank’s • Review the prior report of examination and business lines and services overlap and if its workpapers for the exam scope; structure and customer base and personnel are shared through- type of private-banking activities conducted; out the organization, examiners may be forced and findings, conclusions, and recommenda- to go beyond a rudimentary review of private- tions of the prior examination. The prior banking operations. They will probably need to examination report and examination plan focus on the policies, practices, and risks within should also provide insight to key contacts at the different divisions of a particular institution

Commercial Bank Examination Manual April 2015 Page 15 5210.1 Private-Banking Activities and throughout the institution’s global network requests regarding private banking that examin- of affiliated entities. ers should consider including in the first-day letter. Responses to these items should be re- viewed in conjunction with responses to the Reflection of Organizational Structure BSA, fiduciary, audit, and internal control inquiries: The review of private-banking activities should be conducted on the basis of the financial • organizational chart for the private bank on institution’s organizational structure. These struc- both a functional and legal-entity basis tures may vary considerably, depending on the • business or strategic plan size and sophistication of the institution, its • income and expense statements for the prior country of origin and the other geographic fiscal year and current year to date, with markets in which it competes, and the objectives projections for the remainder of the current and strategies of its management and board of and the next fiscal year, and income by prod- directors. To the extent possible, examiners uct division and marketing region should understand the level of consolidated • balance-sheet and total assets under manage- private-banking activities an institution con- ment (list the most active and profitable ducts in the United States and abroad. This accounts by type, customer domicile, and broad view is needed to maintain the ‘‘big responsible account officer) picture’’ impact of private banking for a particu- • most recent audits for private-banking activities lar institution. 
• copies of audit committee minutes • copy of the CDD and SAR form policies and procedures • list of all new business initiatives introduced Risk-Focused Approach last year and this year, relevant new-product- approval documentation that addresses the Examiners reviewing the private-banking opera- evaluation of the unique characteristics and tions should implement the risk-focused risk associated with the new activity or prod- examination approach. The exam scope and uct, and an assessment of the risk-management degree of testing of private-banking practices oversight and control infrastructures in place should reflect the degree of risk assumed, prior to manage the risks exam findings on the implementation of poli- • list of all accounts in which an intermediary is cies and procedures, the effectiveness of acting on behalf of clients of the private bank, controls, and an assessment of the adequacy of for example, as financial advisers or money the internal audit and compliance functions. If managers initial inquiries into the institution’s internal • explanation of the methodology for following audit and other assessment practices raise up on outstanding account documentation and doubts about the internal system’s effective- a sample report ness, expanded analysis and review are • description of the method for aggregating required. Examiners should then perform more client holdings and activities across business transaction testing. Examiners will usually need units throughout the organization to follow the core examination procedures in the • explanation of how related accounts, such as FFIEC BSA/AML Examination Manual as well common control and family link, are identified as the expanded procedures for private bank- • name of a contact person for information on ing. Other expanded procedures should be fol- compensation, training, and recruiting pro- lowed if circumstances dictate. 
grams for relationship managers • list of all personal investment company accounts First-Day Letter • list of reports that senior management receives regularly on private-banking activities As part of the examination preparation, exam- • description and sample of the management iners should customize the first-day-letter ques- information reports that monitor account tionnaire to reflect the structure and type of activity private-banking activities of the institution and • description of how senior management moni- the scope of the exam. The following is a list of tors compliance with global policies for world-

April 2012 Commercial Bank Examination Manual Page 16 Private-Banking Activities 5210.1

wide operations, particularly for offices oper- Manual, as well as any other items from the ating in secrecy jurisdictions expanded procedures that are needed to gauge • appropriate additional items from the core and the adequacy of the BSA/AML program for expanded procedures for private banking, as private-banking activities. set forth in the FFIEC BSA/AML Examination
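The funds-transfer checklist and the MIS report criteria in this section (a dollar threshold, a transaction pattern, deviation from a customer's expected activity profile, omnibus-account flows, overrides of approval authority) lend themselves to a small rules engine that a bank's monitoring function could run over its wire activity. The following is an added illustration and not code from the manual or the Federal Reserve; the approval limit, the omnibus account name, the alert thresholds, the customer profiles and the sample wires are all constructed, and the checklist's "known secrecy jurisdictions" item is approximated by a per-customer list of expected counterparty countries, since the manual names no jurisdictions.

```python
# Added example (not from the manual): a small rules engine for the private-banking
# funds-transfer checklist. Thresholds, accounts, customers and wires are constructed.
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import date

@dataclass
class Transaction:
    txn_id: str
    day: date
    customer: str              # customer id; "" when the party has no account relationship
    account: str               # bank account debited or credited
    amount: float
    cash_funded: bool = False  # wire funded or paid out in cash
    country: str = ""          # counterparty country (constructed codes)
    approved_by: str = ""      # officer who approved the wire
    override: bool = False     # established approval authority was overridden

@dataclass
class CustomerProfile:
    expected_monthly_volume: float
    expected_countries: set = field(default_factory=set)

CTR_CASH_THRESHOLD = 10_000.0         # cash amount named in the checklist
APPROVAL_LIMIT = 25_000.0             # constructed single-wire approval authority
OMNIBUS_ACCOUNTS = {"OMNI-CLEARING"}  # constructed general clearing account
OVERRIDE_ALERT_COUNT = 2              # constructed: repeated overrides by one officer
PROFILE_MULTIPLIER = 2.0              # constructed: monthly volume above 2x expected

def detect(wires, profiles):
    """Apply the checklist rules to a list of wires; returns (rule, subject, detail) tuples."""
    alerts = []
    by_customer_day = defaultdict(list)
    overrides = defaultdict(int)
    monthly_volume = defaultdict(float)
    for w in wires:
        # wire transfers involving cash amounts in excess of $10,000
        if w.cash_funded and w.amount > CTR_CASH_THRESHOLD:
            alerts.append(("cash_wire_over_10k", w.txn_id, f"${w.amount:,.2f}"))
        # wire transfers for persons who have no account relationship with the bank
        if not w.customer:
            alerts.append(("no_account_relationship", w.txn_id, w.account))
            continue
        # client funds moved through an omnibus or general clearing account
        # instead of the client's own deposit account
        if w.account in OMNIBUS_ACCOUNTS:
            alerts.append(("omnibus_instead_of_deposit", w.txn_id, w.customer))
        if w.override:
            overrides[w.approved_by] += 1
        # counterparty outside the jurisdictions expected for this customer
        prof = profiles.get(w.customer)
        if prof and w.country and w.country not in prof.expected_countries:
            alerts.append(("unexpected_jurisdiction", w.txn_id, w.country))
        by_customer_day[(w.customer, w.day)].append(w.amount)
        monthly_volume[(w.customer, w.day.year, w.day.month)] += w.amount
    # indications of frequent overrides of established approval authority
    for officer, n in overrides.items():
        if n >= OVERRIDE_ALERT_COUNT:
            alerts.append(("frequent_overrides", officer, f"{n} overrides"))
    # intentional circumvention of approval authority by splitting transactions:
    # several same-day wires each under the limit that together exceed it
    for (cust, day), amounts in by_customer_day.items():
        total = sum(amounts)
        if len(amounts) >= 2 and total >= APPROVAL_LIMIT and max(amounts) < APPROVAL_LIMIT:
            alerts.append(("split_below_approval_limit", cust,
                           f"{len(amounts)} wires totalling ${total:,.2f} on {day}"))
    # variation from the customer's established transaction and activity profile
    for (cust, year, month), total in monthly_volume.items():
        prof = profiles.get(cust)
        if prof and total > PROFILE_MULTIPLIER * prof.expected_monthly_volume:
            alerts.append(("profile_deviation", cust,
                           f"{year}-{month:02d}: ${total:,.2f} vs expected ${prof.expected_monthly_volume:,.2f}"))
    return alerts

# Constructed sample: two profiled private-banking customers and one walk-in wire.
PROFILES = {
    "C100": CustomerProfile(40_000.0, {"US", "GB"}),
    "C200": CustomerProfile(8_000.0, {"US"}),
}
SAMPLE = [
    Transaction("T1", date(2015, 4, 1), "C100", "DDA-100", 12_000.0, country="GB", approved_by="RM-A"),
    Transaction("T2", date(2015, 4, 1), "C100", "DDA-100", 14_000.0, country="GB", approved_by="RM-A"),
    Transaction("T3", date(2015, 4, 3), "C200", "OMNI-CLEARING", 9_500.0, country="US",
                approved_by="RM-B", override=True),
    Transaction("T4", date(2015, 4, 7), "C200", "DDA-200", 11_000.0, cash_funded=True,
                country="ZZ", approved_by="RM-B", override=True),
    Transaction("T5", date(2015, 4, 9), "", "DDA-999", 30_000.0, country="US", approved_by="RM-C"),
]

def run_example():
    # Runs the rules over the constructed sample; T1+T2 trip the split rule,
    # T3 the omnibus rule, T4 the cash and jurisdiction rules, T5 the walk-in rule.
    return detect(SAMPLE, PROFILES)
```

Each alert names the rule, the subject (wire, officer or customer) and a detail string, which is the minimum a management report needs for the follow-up the section asks staff to perform.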

Private-Banking Activities Examination Objectives
Effective date May 2006
Section 5210.2

1. To determine if the policies, practices, procedures, and internal controls regarding private-banking activities are adequate for the risks involved.
2. To determine if the bank's officers and employees are operating in conformance with established guidelines for conducting private-banking activities.
3. To assess the financial condition and income-generation results of the private-banking activities.
4. To determine the scope and adequacy of the audit function for private-banking activities.
5. To determine compliance with applicable laws and regulations for private banking.
6. To initiate corrective action when policies, practices, procedures, or internal controls are deficient, or when violations of laws or regulations are found.

Private-Banking Activities Examination Procedures
Effective date May 2007
Section 5210.3

As appropriate, the examiner-in-charge should supplement the following procedures with the examination procedures for private banking set forth in the FFIEC's BSA/AML Examination Manual. See that manual's core examination procedures for the BSA/AML compliance program and the expanded examination procedures for private banking.

PRIVATE-BANKING PREEXAMINATION PROCEDURES

1. As the examiner-in-charge, conduct a meeting with the lead members of the private-banking examination team and discuss—
   a. the private-banking examination scope (The examination may need to extend beyond a rudimentary review of private-banking operations if the bank's business lines and services overlap and if its customer base and personnel are shared throughout the organization. Examiners will probably need to focus on the policies, practices, and risks within the different divisions of the bank and, if applicable, throughout the bank's domestic or foreign-affiliated entities.);
   b. examiner assignments for the functional areas of private banking; and
   c. the supplemental reviews of specific private-banking products and services.
2. Review the prior report of examination and the previous examination's workpapers; description of the examination scope; structure and type of private-banking activities conducted; and findings, conclusions, and recommendations of the prior examination. The prior examination report and examination plan should also provide information and insight on key contacts at the bank and on the time frame of the prior private-banking review.
3. Review relevant correspondence exchanged since the prior examination, such as management's response to the report of examination, any applications submitted to the Federal Reserve, and any supervisory actions.
4. Research press releases and published news stories about the bank and its private-banking activities.
5. Review internal and external audit reports and any internal risk assessments performed by the bank's internal or external auditors on its private-banking activities. Review information on any assessments of the internal controls and risk profile of the private-banking function.
6. Contact management at the bank to ascertain what changes in private-banking services have occurred since the last examination or if there are any planned in the near future.
   a. Determine if the previous examination or examination report(s) mention private banking; if not, ask management if they have commenced or plan to commence any private-banking activities within any part of the bank's organization.
   b. Determine if there have been any changes to the strategic plan; senior management; or the level and type of private-banking activities, products, and services offered.
   c. During the entire examination of private-banking activities, be alert to the totality of the client relationship, product by product, in light of increasing client awareness and use of derivatives, emerging-market products, foreign exchange, and margined accounts.

FULL-EXAMINATION PHASE

1. After reviewing the private-banking functional areas, draw sound conclusions about the quality and culture of management and stated private-banking policies.
2. Evaluate the adequacy of risk-management policies and practices governing private-banking activities.
3. Assess the organization of the private-banking function and evaluate the quality of management's supervision of private-banking activities. An appraisal of management covers the—
   a. full range of functions (i.e., supervision and organization, risk management, fiduciary standards, operational controls, management information systems, audit, and compliance) and activities related to the operation of the private-banking activities and
   b. discharge of responsibilities by the bank's directors through a long-range organizational plan that accommodates the volume and business services handled, local business practices and the bank's competition, and the growth and development of the bank's private-banking business.
4. Determine if management has effective procedures for conducting ongoing reviews of client-account activity to detect, and protect the client from, any unauthorized activity and any account activity that is inconsistent with the client's profile (for example, frequent or sizable unexplained transfers flowing through the account).
5. Determine if the bank has initiated private-banking account-opening procedures and documentation requirements that must be satisfied before an account can be opened. Determine if the bank maintains internal controls over these procedures and requirements.
6. Determine if the bank requires its subsidiary entities and affiliates to maintain and adhere to well-structured customer-due-diligence (CDD) procedures.
7. Determine if the bank has proper controls and procedures to ensure its proper administration of trusts and estates, including strict controls over assets, prudent investment and management of assets, and meticulous recordkeeping. Review previous trust examination reports and consult with the designated Federal Reserve System trust examiners.
8. Ascertain whether the bank adequately supervises its custody services. The bank should ensure that it, and its nonbank entities, have established and currently maintain procedures for the proper administration of custody services, including the regular review of the services on a preset schedule.
9. Determine whether the bank's nonbank subsidiaries and affiliates are required to, and actually maintain, strong controls and supervision over funds transfers.
10. Ascertain if the bank's management and staff are required to perform due diligence, that is, to verify and document that the funds of its private-banking customers were derived through legitimate means, and when extending credit, to verify that the use of loan proceeds was legitimate.
11. Review the bank's use of deposit accounts.
   a. Assess the adequacy of the bank's controls and whether they are appropriately used.
   b. Determine if client monies flow through client deposit accounts and whether the accounts function as the sole conduit and paper trail for client transactions.
12. Determine and ensure that the bank's approach to Suspicious Activity Reports is proactive and that it has well-established procedures covering the SAR process. Establish whether there is accountability within the organization for the analysis and follow-up of internally identified suspicious activity (this analysis includes a sound decision on whether the bank needs to file, or is required by regulation to file, a SAR).

Employee Benefit Trusts
Effective date May 1996
Section 5220.1

Employee benefit trusts are specialized trusts most commonly established to provide retirement benefits to employees. However, they may also be established for employee stock ownership or thrift purposes, or to provide medical, accident, and disability benefits. There are qualified and unqualified plans. Retirement plans are qualified under section 401 of the Internal Revenue Code (IRC), and employee benefit trusts are tax exempt under section 501(a) of the IRC. The major types of qualified plans are profit sharing, money purchase, stock bonus, employee stock ownership plans (ESOPs), 401(k) plans, and defined benefit pension plans.

Since 1974, state jurisdiction of employee benefit trusts and their administration has been largely preempted by a comprehensive scheme of federal laws and regulations under the Employee Retirement Income Security Act of 1974 (ERISA). ERISA is divided into four titles: Title I, "Protection of Employee Benefit Rights," includes the fiduciary responsibility provisions (in part 4) that are interpreted and enforced by the U.S. Department of Labor (DOL). Title II, "Amendments to the Internal Revenue Code Relating to Retirement Plans," is similar to Title I, but the Internal Revenue Service (IRS) is responsible for its enforcement. Title III, "Jurisdiction, Administration, Enforcement," grants jurisdiction and powers for administration to various governmental units. Title IV, "Plan Termination Insurance," establishes the Pension Benefit Guaranty Corporation (PBGC). The PBGC ensures that defined benefit plans have sufficient resources to provide minimum levels of benefits to participants. In addition to the PBGC, the primary agencies that have promulgated necessary regulations and interpretations pursuant to ERISA are the DOL and IRS. However, state and federal banking agencies also have a recognized role under this statute.

Numerous laws affecting employee benefit plans have been enacted since the adoption of ERISA; however, the most sweeping changes were imposed by the Tax Reform Act of 1986. These changes include (1) imposing numerous excise taxes on employers and employees for failure to meet new plan contribution and distribution rules, (2) lowering the maximum amount of contributions and benefits allowed under qualified defined contribution and defined benefit plans, (3) lowering the amount an individual can contribute to a 401(k) plan, and (4) providing new nondiscrimination rules covering plan contributions and distributions. Virtually all qualified plans had to be amended to comply with this law.

A specific statutory provision of ERISA mandates the exchange of information among federal agencies. Accordingly, the federal banking agencies have entered into an agreement with the DOL whereby a banking agency noting any possible ERISA violations that meet certain specific criteria will refer the matter to the DOL.

ERISA imposes very complex requirements on banks acting as trustees or in other fiduciary capacities for employee benefit trusts. Severe penalties can result from violations of statutory obligations. With respect to a bank's own employees' retirement plan, the bank (or "plan sponsor"), regardless of whether it is named trustee, is still a "party-in-interest" pursuant to the statute. Therefore, unless a transaction qualifies for narrowly defined statutory exemptions (or unless it is the subject of a specific "individual" exemption granted by the DOL), any transaction involving the purchase or sale of an asset of the plan from or to the bank, any affiliate, officer, or employee could constitute a prohibited transaction under ERISA.

The current and projected costs of employee benefit plans should be analyzed for their impact on the expenses and overall financial condition of the bank. Excessive pension or profit-sharing benefits, large expense accounts, employment contracts, or bonuses for officers or directors (especially if they are also large shareholders) could prove detrimental and even lead to civil liability for the bank or its board.

Depending on the type of plan and the allocations of its fiduciary duties, certain reporting, disclosure, and plan design requirements are imposed on the plan sponsor and/or its designated supervising committee. Therefore, a bank should have appropriate expertise, policies, and procedures to properly administer the type of employee benefit accounts established for its employees.

If an examiner, as part of any examination assignment, detects possible prohibited transactions, self-dealing, or other questionable activities involving the bank's employee benefit plan, an appropriate investigation should be undertaken. Substantial conversions of existing defined benefit plans or plan assets into holdings of bank or affiliate stock, under certain circumstances, could involve ERISA violations. An examiner should refer a complicated question arising out of any of these situations to the examiner-in-charge for resolution or submission to the Reserve Bank.

Part I of the following examination procedures (section 4080.3) should be completed for every commercial bank examination; part II should also be completed if the employee benefit plan is not trusteed by the bank or by an affiliate bank subject to supervision by a federal banking agency. Parts I and II may be completed by a trust specialist, if available. When a bank trust department is named as trustee, the examiner should determine whether compliance with ERISA was reviewed during the previous trust examination. If not, then part II should be completed.

Employee Benefit Trusts: Examination Objectives (Section 5220.2, effective date May 1996)

1. To determine if the policies, practices, procedures, internal controls, and available expertise regarding employee benefit trusts are adequate.
2. To determine if bank officers are operating in conformance with the established guidelines.
3. To evaluate the impact of employee benefit plans and related benefits on the financial condition of the bank.
4. To determine compliance with laws, regulations, and instrument provisions.
5. To initiate corrective action when policies, practices, procedures, or internal controls are deficient or when violations of laws, regulations, or the governing instruments have been noted.

Employee Benefit Trusts: Examination Procedures (Section 5220.3, effective date December 1985)

PART I

1. If selected for implementation, complete or update the Employee Benefit Trusts section of the Internal Controls Questionnaire.
2. Test for compliance with policies, practices, procedures and internal controls in conjunction with performing the remaining examination procedures. Also obtain a listing of any deficiencies noted in the latest review done by internal/external auditors from the examiner assigned ‘‘Internal Control,’’ and determine if appropriate corrections have been made.
3. Determine the approximate number, size and types of employee benefit plans held for the benefit of the bank’s officers and employees.
4. Obtain plan instruments or amendments thereto (if any) and summarize key features for the work papers. As appropriate, add or update the following information:
   a. Date of adoption of new plan or amendment and brief summary of the plan or amendment.
   b. Parties or committees named trustee and (if different) person(s) responsible for making investment decisions.
   c. Individuals, committees or outside parties named as responsible for plan administration.
   d. Basic investment/funding characteristics (e.g., ‘‘non-contributory profit-sharing, up to 100% in own BHC stock;’’ ‘‘contributory defined benefit pension plan, purchasing diversified securities,’’ etc.).
   e. Latest Form 5500 (IRS) filed for plan (may be omitted if plan administrator is an affiliate bank or bank holding company).
   Example: First Bank established a non-contributory profit sharing trust in 1975 for all officers and employees. Latest amendment, as of December 31, 19XX, made technical alterations to the vesting and forfeiture provisions. The most recent available valuation of the trust’s assets, dated June 30, 19XX, indicated total assets of $22,093,000 (market value). Assets were comprised of U.S. government securities (42%), listed stocks (53%) and cash equivalents. Bank of , as trustee, has sole investment responsibility.
5. If a plan is a defined benefit pension plan, ascertain the actuarially determined amount of unfunded pension liability, if any, and the bank’s arrangements for amortization. (Note: Unfunded pension liability represents a contingent liability per instructions for the Report of Condition.)
6. Determine if the current and projected costs of the employee benefit plan(s) are reasonable in light of the bank’s financial condition.

Complete part II of these procedures, if applicable, then continue to step 7, below. Part II is to be completed when a plan for the bank’s employees is administered by the bank or a bank committee and is not trusteed by the bank itself or an affiliate bank subject to supervision by a federal banking agency.

7. Determine whether any instances of possible violations of ERISA have been noted, and that as to each such instance, full information has been developed for current workpapers to support a referral to DOL pursuant to SR-81-697/TR-81-46.
   Note: While the final decision on whether or not to make a referral to the DOL is to be made by the Board’s staff after receipt of the report of examination, complete information should always be obtained regarding possible ERISA violations in the event the decision is made to refer the matter. If gathering certain of the information would impose an undue burden upon the resources of the examiners or the bank, Board’s staff (Trust Activities Program) should be consulted. Where a significant prohibited transaction such as self dealing has taken place, the bank should be clearly informed that it is expected to undertake all such corrective and/or remedial actions as are necessary under the circumstances. One measure would be for the bank to apply to the DOL for a retroactive exemption under ERISA section 408(a).


8. Reach a conclusion concerning:
   a. The adequacy of policies, practices and procedures relating to employee benefit trusts.
   b. The manner in which bank officers are operating in conformance with established policy.
   c. The accuracy and completeness of any schedules obtained.
   d. Internal control deficiencies or exceptions.
   e. The quality of departmental management.
   f. Other matters of significance.
9. Prepare in appropriate report format, and discuss with appropriate officer(s):
   a. Violations of laws and regulations.
   b. Recommended corrective action when policies, practices or procedures are deficient.
10. Update the workpapers with any information that will facilitate future examinations.

PART II

1. Review plan asset listings, valuations, or printouts obtained for any instances of possible prohibited transactions (ERISA sections 406(a) and (b)). The listings should include holdings of:
   a. Loans.
   b. Leases.
   c. Real Estate.
   d. Employer stock or other securities or obligations.
   e. Own bank time deposits.
   f. Other assets which might constitute, or result from, prohibited transactions.
2. Review transaction(s)/holding(s) in the previous step for conformity to:
   a. ERISA provisions regarding employer securities or real estate (sections 407(a), (b) and (c)) and related regulations.
   b. Statutory exemptions of ERISA (section 408(b)).
   c. ‘‘Exclusive benefit,’’ prudence and diversification requirements of ERISA (sections 404(a) and (b)).

Employee Benefit Trusts: Internal Control Questionnaire (Section 5220.4, effective date December 1985)

Review the bank’s internal controls, policies, practices and procedures for employee benefit accounts. The bank’s system should be documented in a complete and concise manner and should include, where appropriate, narrative descriptions, flowcharts, copies of forms used and other pertinent information. Part I should be completed as part of every examination; both parts I and II should be completed whenever the plan, administered by the bank or a bank committee, is not trusteed by the bank itself or by an affiliate bank subject to supervision by a federal banking agency.

PART I

1. Are new employee benefit plans, significant amendments thereto, and related costs and features approved by the bank’s board of directors?
*2. Does the institution obtain and maintain on file the following minimum documentation:
   a. The plan and the corporate resolution adopting it?
   b. IRS ‘‘determination’’ or ‘‘opinion’’ letter substantiating the tax-exempt status of the plan?
   c. The trust agreement and the corporate resolution appointing the trustee(s), if applicable? (On occasion, fully insured plans may have no named trustee.)
   d. Amendments to the plan or trust documents?
3. If the bank or a committee of its officers and employees acts as plan administrator for any plan(s), does it have internal procedures and/or has it arranged by contract for external administrative expertise sufficient to assure compliance with reporting, disclosure and other administrative requirements of ERISA and related regulations?
4. Have the bank, its officers, directors or employees, or any affiliate(s) entered into any transactions to buy or sell assets to the bank’s employee benefit plan(s)?
5. Do plan investments conform to instrument investment provisions?

PART II

1. When exercising fiduciary responsibility in the purchase or retention of employer securities or employer real estate, does the bank have procedures to assure conformity with ERISA section 407 and related provisions?
   Note: The requirements of ERISA and the associated DOL regulation with respect to ‘‘employer securities and employer real estate’’ include:
   a. A plan may not acquire or hold any but ‘‘qualifying employer securities and employer real estate.’’
   b. A defined benefit plan may hold no more than 10 percent of the fair market value of its assets in qualifying employer securities and/or qualifying employer real property, except as provided by ERISA sections 407(a)(3) or 414(c)(1) and (2), and adopted regulations.
   c. Any dispositions of such property from a plan to a party-in-interest shall conform to ERISA sections 414(c)(3) and (5) and adopted regulations, but certain acquisitions and sales may be made pursuant to the section 408(a) exemption.
   d. The plan instrument, for an eligible individual account plan which is to hold in excess of 10 percent of the fair market value of its assets in qualifying employer securities or real property, shall provide explicitly the extent to which such plan may hold such assets. [ERISA sections 407(b)(1) and (d)(3)]
2. Does the bank have procedures to ensure conformance to the following statutory exemptions (and associated regulations) from the prohibited transactions provisions of ERISA:
   a. Loans made by the plan to parties-in-interest who are participants or beneficiaries? [ERISA section 408(b)(1)]
   b. Investment in deposits which bear a reasonable rate of interest of a bank which is a fiduciary of the plan? [ERISA section 408(b)(4)]
   Note: Other statutory exemptions which may on occasion be applicable are:
   c. Arrangements for office space or legal, accounting or other necessary services? [ERISA section 408(b)(2)]
   d. Loans to employee stock ownership trusts? [ERISA section 408(b)(3)]
   e. Transactions between a plan and a collective trust fund maintained by a party-in-interest which is a bank or trust company? [section 408(b)(8)]
   f. Providing of any ancillary service by a bank or trust company which is a fiduciary of the plan? [ERISA section 408(b)(6)]
3. If exercising or sharing fiduciary responsibility, does the bank have procedures designed:
   a. To ensure that duties are executed for the exclusive benefit of plan participants and beneficiaries, in accordance with the ‘‘prudent man’’ standard? [ERISA sections 404(a)(1)(A) and (B)]
   b. To ensure that investments are diversified, unless it is clearly prudent not to do so or otherwise excepted by other provisions of ERISA? [ERISA section 404(a)(1)(C)]

Bank Dealer Activities (Section 5230.1, effective date October 2007)

A bank operates as a securities dealer when it underwrites, trades, or deals in securities. These activities may be administered in a separately identifiable trading department or incorporated within the overall treasury department. The organizational structure will generally be a function of the level of activity and the importance of the activity as a product line. If a repetitive pattern of -term purchases and sales demonstrates that the bank holds itself out to other dealers or investors as a securities dealer, the bank is trading, regardless of what department or section of the bank is engaged in the activity.

The authority under which a bank may engage in securities trading and underwriting is found in section 5136 of the Revised Statutes (12 USC 24 (seventh)). That authority is restricted by limitations on the percentage holding of classes of securities as found in 12 CFR 1.3. This regulation allows banks to deal, underwrite, purchase, and sell (1) type I securities without limit and (2) type II securities subject to a limit of 10 percent of capital and unimpaired surplus per issue. Banks are prohibited from underwriting or dealing in type III securities for their own accounts. See section 2020.1, ‘‘Investment Securities and End-User Activities,’’ for further information on types I, II, and III securities.

Banks are involved in three major types of securities transactions. First, the bank, acting as broker, buys and sells securities on behalf of a customer. These are agency transactions in which the agent (bank) assumes no substantial risk and is compensated by a prearranged commission or fee. A second type of securities transaction banks frequently execute is a ‘‘riskless-principal’’ trade. Upon the order of an investor, the dealer buys (or sells) securities through its own account, with the purchase and sale originating almost simultaneously. Because of the brief amount of time the security is held in the dealer’s own account, exposure to market risks is limited. Profits result from dealer-initiated markup (the difference between the purchase and sale prices). Finally, as a dealer, the bank buys and sells securities for its own account. This is termed a principal transaction because the bank is acting as a principal, buying or selling qualified securities through its own inventory and absorbing whatever market gain or loss is made on the transaction.

The volume of bank dealer activity and the dealer’s capacity in the transaction are critical to an examiner’s assessment regarding the examination scope and the required examiner resources and expertise. Dealers engaging primarily in agency or riskless-principal transactions are merely accommodating customers’ investment needs. Market risk will be nominal, and the key examination concern will be operational risk and efficiency. Active dealers generally carry larger inventory positions and may engage in some degree of proprietary trading. Their market-risk profile may be moderate to high.

Bank dealers’ securities transactions involve customers and other securities dealers. The word ‘‘customer,’’ as used in this section, means an investor. Correspondent banks purchasing securities for an investment account would also be considered a customer. Transactions with other dealers are not considered customer transactions unless the dealer is buying or selling for investment purposes.

The following subsections include general descriptions of significant areas of bank trading and underwriting activities. Foreign exchange is covered in detail in the ‘‘International’’ sections of this manual. Additional bank dealer activities, particularly in products, are extensively covered in the Trading and Capital-Markets Activities Manual. In addition, many money-center banks and larger regional banks have transferred dealing activities to separately capitalized holding company subsidiaries (known as underwriting affiliates). The Bank Holding Company Supervision Manual contains a separate section on nonbank subsidiaries engaged in underwriting and dealing in bank-ineligible securities.

OVERVIEW OF RISK

For bank dealer activities, risk is generally defined as the potential for loss on an instrument or portfolio. Significant risk can also arise from operational weakness and inadequate controls. Risk management is the process by which managers identify, assess, and control all risks associated with a financial institution’s activities. The increasing complexity of the financial industry and the range of financial instruments banks use have made risk management more difficult
to accomplish and evaluate.

The four fundamental elements for evaluating the risk-management process for bank dealer activities are—

• active board and management oversight,
• adequate risk-management policies and limits,
• appropriate risk measurement and management information systems, and
• comprehensive internal controls and audit procedures.

For risk management to be effective, an institution’s board and senior management must be active participants in the process. They must ensure that adequate policies and risk-tolerance limits are developed for managing the risk in bank dealer activities, and they must understand, review, and approve these limits across all established product lines. For policies and limits to be effective and meaningful, risk measures, reports, and management information systems must provide management and the board with the information and analysis necessary to make timely and appropriate responses to changing conditions. Risk management must also be supported by comprehensive internal controls and audit procedures that provide appropriate checks and balances to maintain an ongoing process of identifying any emerging weaknesses in an institution’s management of risk.[1] At a minimum, the effectiveness of the institution’s policies, limits, reporting systems, and internal controls must be reviewed annually.

[1] Existing policies and examiner guidance on various topics applicable to the evaluation of risk-management systems can be found in SR-93-69, ‘‘Examining Risk Management and Internal Controls for Trading Activities of Banking Organizations.’’ Many of the managerial and examiner practices contained in this document are fundamental and are generally accepted as sound practices for trading activities.

In assessing the adequacy of the above elements at individual institutions, examiners should consider the nature and volume of a bank’s dealer activities and its overall approach toward managing the various types of risks involved. The sophistication or complexity of policies and procedures used to manage risk depends on the bank dealer’s chosen products, activities, and lines of business. Accordingly, examiners should expect risk-management activities to differ among institutions.

As a financial institution’s product offerings and geographic scope expand, examiners must review the risk-management process not only by business line, but on a global, consolidated basis. In more sophisticated institutions, the role of risk management is to identify the risks associated with particular business activities and to aggregate summary data into generic components, ultimately allowing exposures to be evaluated on a common basis. This methodology enables institutions to manage risks by portfolio and to consider exposures in relationship to the institution’s global strategy and risk tolerance.

A review of the global organization may reveal risk concentrations that are not readily identifiable from a limited, stand-alone evaluation of a branch, agency, Edge Act institution, nonbank subsidiary, or head office. Consolidated risk management also allows the institution to identify, measure, and control its risks, while giving necessary consideration to the breakdown of exposure by legal entity. Sometimes, if applicable rules and laws allow, identified risks at a branch or subsidiary may be offset by exposures at another related institution. However, risk management across separate entities must be done in a way that is consistent with the authorities granted to each entity. Some financial institutions and their subsidiaries may not be permitted to hold, trade, deal, or underwrite certain types of financial instruments unless they have received special regulatory approval. Examiners should ensure that a financial institution only engages in those activities for which it has received regulatory approval. Furthermore, examiners should verify that the activities are conducted in accordance with any Board conditions or commitments attached to the regulatory approval.

Ideally, an institution should be able to identify its relevant generic risks and should have measurement systems in place to quantify and control these risks. While it is recognized that not all institutions have an integrated risk-management system that aggregates all business activities, the ideal management tool would incorporate a common measurement denominator. Risk-management methodologies in the marketplace and an institution’s scope of business are continually evolving, making risk management a dynamic process. Nonetheless, an institution’s risk-management system should always be able to identify, aggregate, and control all risks posed by underwriting, trading, or dealing in securities that could have a significant impact on capital or equity.

Trading and market-risk limits should be customized to address the nature of the products
and any unique risk characteristics. Common types of limits include earnings-at-risk limits, stop-loss limits, limits on notional amounts (both gross and duration-weighted), maturity limits, and maturity-gap limits. The level of sophistication needed within the limit matrix will depend on the type of instrument involved and the relative level of trading activity. Straightforward notional and tenor limits may be adequate for most dealers; however, dealers involved in a wide array of products and more complex transactions will need stronger tools to measure and aggregate risk across products.

In general, risk from trading and dealing activities can be broken down into the following categories:

• Market or price risk is the exposure of an institution’s financial condition to adverse movements in the market rates or prices of its holdings before such holdings can be liquidated or expeditiously offset. It is measured by assessing the effect of changing rates or prices on either the earnings or economic value of an individual instrument, a portfolio, or the entire institution.
• Funding-liquidity risk refers to the ability to meet investment and funding requirements arising from cash-flow mismatches.
• Market-liquidity risk refers to the risk of being unable to close out open positions quickly enough and in sufficient quantities at a reasonable price.
• Credit risk is the risk that a counterparty to a transaction will fail to perform according to the terms and conditions of the contract, thus causing the security to suffer a loss in cash-flow or market value. Because securities settlements are typically ‘‘delivery vs. payment’’ and settlement periods are relatively short, securities transactions do not involve a significant level of counterparty credit risk. Repurchase transactions, securities lending, and transactions, however, involve significantly higher levels of credit risk if not properly controlled. As a result, credit risk is discussed in greater detail in the subsections addressing these products. Credit risk can also arise from positions held in trading inventory. Although U.S. government and agency securities do not generally involve credit risk, other securities (for example, municipal and corporate securities) carried in inventory can decline in price due to a deterioration in credit quality.
• Clearing or settlement risk is (1) the risk that a counterparty who has received a payment or delivery of assets defaults before delivery of the asset or payment or (2) the risk that technical difficulties interrupt delivery or settlement despite the counterparty’s ability or willingness to perform.
• Operations and systems risk is the risk of human error or fraud, or the risk that systems will fail to adequately record, monitor, and account for transactions or positions.
• Legal risk is the risk that a transaction cannot be consummated as a result of some legal barrier, such as inadequate documentation, a regulatory prohibition on a specific counterparty, non-enforceability of bilateral and multilateral close-out netting, or collateral arrangements in bankruptcy.

The Trading and Capital-Markets Activities Manual contains a comprehensive discussion of these risks, including examination objectives, procedures, and internal control questionnaires by risk category.

GOVERNMENT AND AGENCY SECURITIES

The government securities market is dominated by a number of investment banks, broker-dealers, and commercial banks known as primary dealers in government securities. These dealers make an over-the-counter market in most government and federal-agency securities. Primary dealers are authorized to deal directly with the Open Market Desk of the Federal Reserve Bank of New York. As market makers, primary dealers quote bid-ask prices on a wide range of instruments, and many publish daily quotation sheets or provide live electronic data feeds to larger customers or other dealers.

Government securities trading inventories are generally held with the objective of making short-term gains through market appreciation and dealer-initiated markups. Common factors that affect the markup differential include the size of a transaction, the dealer efforts extended, the type of customer (active or inactive), and the nature of the security. Markups on government securities generally range between 1⁄32 and 4⁄32 of a point. Long-maturity issues or derivative products may have higher markups due to the higher
risk and potentially larger volatility that may be inherent in these products.

According to industry standards, payments for and deliveries of U.S. government and most agency securities are settled one business day following the trade date, although government dealers and customers can negotiate same-day or delayed settlement for special situations.

When-Issued Trading

A significant potential source of risk to dealers involves ‘‘when-issued’’ (WI) trading in government securities. WI trading is the buying and selling of securities in the one- to two-week interim between the announcement of an offering and the security auction and settlement. Although the vast majority of transactions settle on the next business day, WI trading results in a prolonged settlement period. This could increase both the market risk and counterparty credit risk associated with trading these instruments. The prolonged settlement period also provides an opportunity for a dealer to engage in a large volume of off-balance-sheet trading without having to fund the assets or cover the short positions. In essence, WI trading allows the dealers to create securities. If the overall level of WI trading is significant in relation to the size of the issue, the resulting squeeze on the market could increase volatility and risk. Given these potential risk characteristics, WI trading should be subject to separate sublimits to cap the potential exposure.

Short Sales

Another area of U.S. government securities activity involves short-sale transactions. A short sale is the sale of a security that the seller does not own at the time of the sale. Delivery may be accomplished by buying the security or by borrowing the security. When the security delivered is borrowed, the short seller likely will ultimately have to acquire the security in order to satisfy its repayment obligation. The borrowing transaction is collateralized by a security (or securities) of similar value or cash (most likely the proceeds of the short sale). Reverse repurchase transactions are also used to obtain the security needed to make delivery on the security sold short. Carrying charges on borrowed government securities should be deducted from the short sale and purchase spread to determine net profit. Short sales are conducted to (1) accommodate customer orders, (2) obtain funds by leveraging existing assets, (3) hedge the market risk of other assets, or (4) allow a dealer to profit from a possible future decline in market price by purchasing an equivalent security at a later date at a lower price.

Government Securities Clearing

Securities-clearing services for the bulk of U.S. government securities transactions and many federal-agency securities transactions are provided by the Federal Reserve as part of its electronic securities-transfer system. The various Federal Reserve Banks will wire-transfer most government securities between the book-entry safekeeping accounts of the seller and buyer. The Federal Reserve’s systems are also used to facilitate security borrowings, loans, and pledges.

Government Securities Act

In response to the failures of a number of unregulated government securities dealers between 1975 and 1985, Congress passed the Government Securities Act of 1986 (GSA). GSA established, for the first time, a federal system for the regulation of the entire government securities market, including previously unregulated brokers and dealers. The primary goal of GSA was to protect investors and ensure the maintenance of a fair, honest, and liquid market.

The GSA granted the Department of the Treasury (Treasury) authority to develop and implement rules for transactions in government and agency securities effected by government securities brokers or dealers (that is, securities firms as well as other financial institutions), and to develop and implement regulations relating to the custody of government securities held by depository institutions. The rules were intended to prevent fraudulent and manipulative acts and practices and to protect the integrity, liquidity, and efficiency of the government securities market. At the same time, the rules were designed to preclude unfair discrimination among brokers, dealers, and customers. Enforcement of the rules
for the GSA is generally carried out by an institution’s primary regulatory organization.

The rules for the GSA had the most significant effect on those entities that were not previously subject to any form of federal registration and regulation. These entities included not only firms registered as government securities brokers or dealers but also firms registered as brokers or dealers trading in other securities and financial products. For the first time, the government securities activities of these entities were subject to the discipline of financial responsibility, customer protection, recordkeeping, and advertising requirements. For nonbank dealers, this regulation is enforced by a self-regulatory organization, the Financial Industry Regulatory Authority (FINRA), which conducts routine examinations under the oversight of the Securities and Exchange Commission (SEC).

The provisions of the GSA that had the most significant effect on government securities brokers and dealers (both bank and nonbank broker-dealers) relate to hold-in-custody repurchase agreement rules. Congress targeted this area because of abuses that had resulted in customer losses. Several requirements to strengthen customer protection were imposed: (1) written repurchase agreements must be in place, (2) the risks of the transactions must be disclosed to the customer, (3) specific repurchase securities must be allocated to and segregated for the customer, and (4) confirmations must be made and provided to the customer by the end of the day on which a transaction is initiated and on any day on which a substitution of securities occurs. For a more detailed description of the rules for the GSA requirements, see the procedures for the examination of government securities activities issued by the Board of Governors of the Federal Reserve System, or 17 CFR 400–450 for the actual text of the regulations.

Registration Exemptions

Most banks acting as government securities brokers or dealers are required to file a form known as a G-FIN. This form details the bank’s capacity, the locations where government securities activities are performed, and the persons responsible for supervision. However, certain bank government securities activities are exempt from the filing requirements. Banks handling only U.S. savings bond transactions or submitting tender offers on original issue U.S. Treasury securities are exempt from registration.

Limited government securities brokerage activities are also exempt from registration under certain circumstances. Banks that engage in fewer than 500 government securities transactions annually (excluding savings bond transactions and Treasury tender offers) are exempt. Similarly, banks are exempt if they deal with a registered broker-dealer under a ‘‘networking’’ arrangement, assuming they meet the following conditions: (1) the transacting broker must be clearly identified, (2) bank employees perform only clerical or administrative duties and do not receive transaction-based compensation, and (3) the registered broker-dealer receives and maintains all required information on each customer. Exempt networking arrangements must be fully disclosed to the customer. Finally, banks are exempt from registration requirements if their activities are limited to purchases and sales in a fiduciary capacity or purchases and sales of repurchase or reverse repurchase agreements.

The preceding exemptions provide relief from registration, but exempt banks must comply (if applicable) with regulations addressing custodial holdings for customers (17 CFR 450). Additionally, banks effecting repurchase/reverse repurchase agreements must comply with repurchase-transaction requirements detailed in 17 CFR 403.5(d).

MUNICIPAL SECURITIES

Municipal securities are obligations issued by state and local governments and certain agencies and authorities. There are two broad categories of municipal bonds: general obligation bonds and revenue bonds. General obligation bonds (GOs) are backed by the full faith and credit and taxing authority of the government issuer. General obligation bonds are either limited or unlimited tax bonds. Limited tax bonds are issued by government entities whose taxing authority is limited to some extent by law or statute. For instance, a local government may face restrictions on the level of property taxes it can levy on property owners. State and local entities may also issue special tax bonds, which are supported by a specific tax. For instance, a highway project may be financed by a special

Commercial Bank Examination Manual October 2007 Page 5 5230.1 Bank Dealer Activities gasoline tax levied to pay for the bonds. Unlim- issued debt in the United States), there is a wide ited tax bonds are issued by government entities variety of municipal securities. Some municipal that are not restricted by law or statute in the security issues have complex structures that amount of taxes they can levy; however, there require an increased level of technical expertise may be some political limitations. to evaluate. As with all areas of banking, dealers Municipal revenue bonds are backed by a who invest in complex instruments are expected specific project or government authority, and to understand the characteristics of the instru- they are serviced by fees and revenues paid by ments and how these instruments might affect users of the government entity. Revenue bonds their overall risk profile. While there are some are backed by public power authorities, non- large issuers, like the states of New York and profit hospitals, housing authorities, transporta- California, most issuers are small government tion authorities, and other public and quasi- entities that place modest amounts of debt. public entities. Many of these issues are exempt from federal, Effective March 13, 2000, well-capitalized state, and local income taxes; these exemptions, state member banks were authorized by the in part, determine the investor base for munici- Gramm-Leach-Bliley Act (GLB Act) to deal in, pal bonds. underwrite, purchase, and sell municipal rev- The customer base for tax-exempt municipal enue bonds without any limitations based on the securities is investors who benefit from income bank’s capital. (See 12 USC 24 (seventh).) that is exempt from federal income tax. 
This Previously, banks were limited to only under- group includes institutional investors, such as writing, dealing in, or investing in, without insurance companies, mutual funds, and retail limitation, general obligation municipal bonds investors, especially individuals in high income- backed by the full faith and credit of an issuer tax brackets. with general powers of taxation. Member banks could invest in, but not underwrite or deal in, municipal revenue bonds, but the purchases and sales of such investment securities for any Credit Risk obligor were limited to 10 percent of a member bank’s capital and surplus. As a result of the Municipal securities activities involve differing GLB Act amendment, municipal revenue bonds degrees of credit risk depending on the financial are the equivalent of type I securities for well- capacity of the issuer. Larger issuers of munici- 2 capitalized state member banks. (See SR-01- pal securities are rated by nationally recognized 13.) Banks that are not well capitalized may rating agencies (Moody’s, S&P, etc.). Other engage in more limited municipal securities municipalities achieve an investment-grade rat- activities relating to type II and type III securi- ing through the use of credit enhancements, ties. For example, banks may also deal in, usually in the form of a standby underwrite, or invest in revenue bonds that are issued by a financial institution. Banks are also backed by housing, university, or dormitory involved in underwriting and placing nonrated projects. municipal securities. Nonrated issues are typi- In addition to municipal bonds, state and local cally small and are placed with a limited number governments issue obligations to meet short- of investors. Liquidity in the secondary market term funding needs. These obligations are nor- is limited, and bank dealers rarely carry non- mally issued in anticipation of some specific rated issues in trading inventory. revenue. 
The types of debt issued include tax- anticipation notes (TANs), revenue-anticipation Management should take steps to limit undue notes (TRANs), grants-anticipation notes concentrations of credit risk arising from (GANs), bond-anticipation notes (BANs), com- municipal-security underwriting and dealing. Ex- mercial paper, and others. posure to nonrated issuers should be approved Because of the large number and diverse through the bank’s credit-approval process with funding needs of state and local governments appropriate documentation to support the issu- (over 50,000 state and local governments have er’s financial capacity. Activity in nonrated issues outside the bank’s target or geographic market should also be avoided. In addition, 2. The Office of the Comptroller of the Currency published exposure should be aggregated on a consoli- final amendments to its investment securities regulation (12 dated basis, taking into account additional credit CFR 1) on July 2, 2001. (See 66 Fed. Reg. 34784.)

October 2007 Commercial Bank Examination Manual Page 6 Bank Dealer Activities 5230.1 risk arising from traditional banking products Dealer Bank Examination Manual issued by the (loans, letters of credit, etc.). Board of Governors of the Federal Reserve System.

Municipal Securities Rulemaking Board REPURCHASE AGREEMENTS AND SECURITIES LENDING The Securities Act Amendments of 1975 (15 USC 78o-4) extended a comprehensive network of Repurchase agreements (repos) play an impor- federal regulation to the municipal securities tant role in the securities markets. A repo is the markets. Pursuant to the act, municipal securi- simultaneous agreement to sell a security and ties brokers and dealers are required to register repurchase it at a later date. Reverse repos are with the SEC. The act also created a separate, the opposite side of the transaction, securities self-regulatory body, the Municipal Securities purchased with a later agreement to resell. From Rulemaking Board (MSRB), to formulate work- the dealer’s perspective, a repo is a financing ing rules for the regulation of the municipal transaction (liability), and a reverse repo is a securities industry. The Federal Reserve is re- lending transaction (asset). Overnight repos are quired to ensure compliance with those rules as a one-day transaction; anything else is referred they apply to state member banks. to as a ‘‘term repo.’’ Approximately 80 percent A bank engaged in the business of buying and of the repo market is overnight. Although any selling municipal securities must register with security can be used in a repurchase transaction, the SEC as a municipal securities dealer if it is the overwhelming majority of transactions in- involved in— volve government securities. Securities dealers use repos as an important • underwriting or participating in a syndicate or source of liquidity. The majority of government joint account for the purpose of purchasing securities trading inventory will typically be securities; financed with repos. 
Reverse repos are used to • maintaining a trading account or carrying obtain securities to meet delivery obligations dealer inventory; or arising from short positions or from the failure • advertising or listing itself as a dealer in trade to receive the security from another dealer. publications, or otherwise holding itself out to Reverse repos also are an effective and low-risk other dealers or investors as a dealer. means to invest excess cash on a short-term basis. Generally, a bank that buys and sells municipal The repo rate is a money market rate that is securities for its investment portfolio or in a lower than the federal funds rate due to the fiduciary capacity is not considered a dealer. collateralized nature of the transaction. Oppor- If a bank meets the SEC’s criteria for regis- tunities also arise to obtain below-market-rate tering as a municipal securities dealer, it must financing. This situation arises when demand maintain a separately identifiable department or exceeds supply for a specific bond issue and it division involved in municipal securities dealing goes on ‘‘special.’’ Dealers who own the bond or that is under the supervision of officers desig- control it under a reverse repo transaction can nated by the bank’s board of directors. These earn a premium by lending the security. This designated officers are responsible for municipal premium comes in the form of a below-market- securities dealer activities and should maintain rate financing cost on a repo transaction. separate records. Many of the larger dealers also engage in The Federal Reserve conducts a separate proprietary trading of a matched book, which examination of the municipal securities dealer consists of a moderate to large volume of activities in banks that engage in such activities. offsetting repos and reverse repos. 
The term This examination is designed to ensure compli- “matched book” is misleading as the book is ance with the rules and standards formulated by rarely perfectly matched. Although profit may the MSRB. For a complete description of the be derived from the capture of a bid/ask spread activities of a municipal securities dealer and on matched transactions, profit is more often detailed procedures performed by the Federal derived from maturity mismatches. In a falling- Reserve examiners, see the Municipal Securities rate environment, traders lend long (reverse

Commercial Bank Examination Manual November 2001 Page 7 5230.1 Bank Dealer Activities repos) and borrow short (repos). It is more increasingly involves loans of large blocks of difficult to profit in rising-rate environments U.S. government and federal-agency securities. because of the shape of the curve, which is To participate in this market, a bank may lend usually upward-sloping. The overall size of the securities held in its investment account or matched book and the length of the maturity trading account. Like repos, securities are lent to mismatches will generally decline in a rising cover fails (securities sold but not available for environment. Matched books are also used to delivery) and short sales. Collateral for the create opportunities to control securities that transactions can consist of other marketable may go on special, resulting in potential profit securities or standby letters of credit; however, opportunities. Dealers engaging in matched- the large majority of transactions are secured by book trading provide important liquidity to the cash. Investors are willing to lend securities due repo market. to the additional investment income that can be Risk in a matched book should be minimized earned by investing the cash collateral. When a by establishing prudent limits on the overall size securities loan is terminated, the securities are of the book, size of maturity mismatches, and returned to the lender and the collateral to the restrictions on the maximum tenor of instru- borrower. ments. The overall risk of a matched book is usually small in relation to other trading port- folios. Maturity mismatches are generally short- term, usually 30 to 60 days, but may extend up Credit Risk to one year. Risk can be quickly neutralized by extending the maturity of assets or liabilities. 
Since repurchase agreements and securities lend- Financial instruments (futures and forward rate ing transactions are collateralized, credit risk is agreements) can also be used to reduce risk. relatively minor if properly controlled. Some Securities dealers may also engage in “dollar- dealers have underestimated the credit risk as- roll” transactions involving mortgage-backed sociated with the performance of the counter- securities, which are treated as secured financ- party and have not taken adequate steps to ings for accounting purposes. The “seller” of the ensure their control of the securities serving as security agrees to repurchase a “substantially collateral. The market volatility of the securities identical” security from the “buyer,” rather than held as collateral can also add to the potential the same security. Many of the supervisory credit risk associated with the transaction. considerations noted above for repurchase agree- ments also apply to dollar-roll transactions. As an added measure of protection, dealers However, if the security to be repurchased is not require customers to provide excess collateral. substantially identical to the security sold, the This excess is referred to as ‘‘margin.’’ The size transaction generally should be accounted for as of the margin will be a function of the volatility a sale and not as a financing arrangement. The of the instrument serving as collateral and the accounting guidance for “substantially identi- length of the transaction. In addition to initial cal” is described in American Institute of Certi- margin, term repos and security lending arrange- fied Public Accountants (AICPA) Statement of ments require additional margin if the value of Position 90-3, which generally requires debt the collateral declines below a specified level. 
instruments to have the same primary obligor or Excess margin is usually returned to the coun- guarantor, the same form and type, the identical terparty if the value of the collateral increases. A contractual , the same maturity or daily ‘‘mark-to-market’’ or valuation procedure weighted average maturity, and other factors. must be in place to ensure that calls for addi- In addition, securities dealers may engage in tional collateral are made on a timely basis. The securities lending or borrowing transactions. In valuation procedures should be independent of substance, these transactions are very similar to the trader and take into account the value of repo transactions except the transactions have no stated maturity. The transactions are con- accrued interest on debt securities. It is impor- ducted through open-ended ‘‘loan’’ agreements tant to point out that credit risk can arise from that may be terminated on short notice by the both asset transactions (reverse repos and secu- lender or borrower. Although lending transac- rities borrowed) and liability transactions (repos tions have historically been centered in corpo- and securities lent) because of market fluctua- rate debt and equity obligations, the market tions in collateral provided and received. Deal-

November 2001 Commercial Bank Examination Manual Page 8 Bank Dealer Activities 5230.1 ers should take steps to ensure that collateral invested in appropriate instruments. Cash should provided is not excessive. be invested in high-quality, short-term money Policies and procedures should be in place to market instruments. Longer-term floating-rate ensure transactions are conducted only with instruments may also be appropriate; however, approved counterparties. Credit-limit approvals illiquid investments and products with custom- should be based on a credit analysis of the ized features (for example, structured notes with borrower. An initial review should be per- imbedded options) should be avoided. Several formed before establishing a relationship, with banks have reported significant losses associated with inappropriate investments in securities lend- periodic reviews thereafter. Credit reviews ing areas. should include an analysis of the bor-rower’s financial statement, capital, management, earn- ings, business reputation, and any other relevant factors. Analyses should be performed in an Securities-Lending Capacity independent department of the lender institu- tion, by persons who routinely perform credit Securities lending may be done in various ca- analyses. Analyses performed solely by the pacities and with differing associated liabilities. person managing the repo or securities lending It is important that all parties involved under- programs are not sufficient. Credit and concen- stand in what capacity the lender institution is tration limits should take into account other acting. The relevant capacities are described extensions of credit by other departments of the below. bank or affiliates. Procedures should be estab- lished to ensure that credit and concentration limits are not exceeded without proper authori- Principal zation from management. A lender institution offering securities from its own account is acting as principal. 
A lender institution offering customers’ securities on an Other Uses and Implications of undisclosed basis is also considered to be acting Securities Lending as principal.

In addition to lending their own securities, financial institutions have become increasingly Agent involved in lending customers’ securities held in custody, safekeeping, trust, or pension accounts. A lender institution offering securities on behalf These activities are typically organized within of a customer-owner is acting as an agent. To be the bank’s trust department. Not all institutions considered a bona fide or ‘‘fully disclosed’’ that lend securities or plan to do so have relevant agent, the lending institution must disclose the experience. Because the securities available for names of the borrowers to the customer-owners lending often greatly exceed the demand, inex- and the names of the customer-owners to the perienced lenders may be tempted to ignore borrowers (or give notice that names are avail- commonly recognized safeguards. Bankruptcies able upon request). In all cases, the agent’s of broker-dealers have heightened regulatory compensation for handling the transaction should sensitivity to the potential for problems in this be disclosed to the customer-owner. Undis- area. closed agency transactions, that is, ‘‘blind bro- Fees received on securities loans are divided kerage’’ transactions in which participants can- between the custodial institution and the cus- not determine the identity of the contra party, are tomer account that owns the securities. In situ- treated as if the lender institution were the ations involving cash collateral, part of the principal. interest earned on the temporary investment of cash is returned to the borrower and the remain- der is divided between the lender institution and Directed Agent the customer account that owns the securities. In addition to a review of controls, examiners A lender institution that lends securities at the should take steps to ensure that cash collateral is direction of the customer-owner is acting as a

Commercial Bank Examination Manual November 2001 Page 9 5230.1 Bank Dealer Activities directed agent. The customer directs the lender er’s acceptances, and federal funds, and with institution in all aspects of the transaction, financial instruments such as futures and for- including to whom the securities are loaned, the wards. terms of the transaction (rebate rate and maturity/ Although the risk of money market trading is call provisions on the loan), acceptable collat- relatively straightforward, the potential risk can eral, investment of any cash collateral, and be significant based on the volume of trading collateral delivery. and size of the mismatches. Despite the potential risk, these activities may offer attractive profit opportunities if effectively controlled. Short- Fiduciary term interest-rate markets are very liquid, and risk can be quickly neutralized by changing the A lender institution that exercises discretion in maturity profile of either assets or liabilities. offering securities on behalf of and for the Financial instruments (such as futures and for- benefit of customer-owners is acting as a fidu- ward rate agreements) can also be an effective ciary. For supervisory purposes, the underlying tool to manage risk. Money market trading may relationship may be as agent, trustee, or custo- be managed as a separate product line or may be dian. integrated with trading in other interest-rate products (such as swaps, caps, or floors). Exam- iners should take steps to ensure that appropriate Finder limits are in place for money market trading, including restrictions on aggregate notional size, A finder brings together a borrower and a lender the size of maturity mismatches, and the maxi- of securities for a fee. Finders do not take mum tenor of instruments. possession of the securities or collateral. Deliv- ery of securities and collateral is directly between the borrower and the lender, and the finder does Federal Funds not become involved. 
The finder is simply a fully disclosed intermediary. Commercial banks actively use the federal funds market as a mechanism to manage fluctuations in the size and composition of their balance MONEY MARKET INSTRUMENTS sheet. Federal funds are also an efficient means to manage reserve positions and invest excess In addition to bank-eligible securities activities, cash on a short-term basis. Although transac- banks may engage in a substantial volume of tions are generally unsecured, they can also be trading in money market instruments. Federal secured. The majority of transactions are con- funds, banker’s acceptances, commercial paper, ducted overnight; however, term transactions and certificates of deposit are forms of money are also common. Federal funds trading will market instruments. While these instruments often involve term transactions in an attempt to may be used as part of the overall funding generate positive net interest spread by varying strategy, many firms actively engage in discre- the maturities of assets and liabilities. tionary or proprietary trading in these instru- Banks have traditionally engaged in federal ments. As in matched-book repo activities, prof- funds transactions as principal, but an increasing its from trading money market instruments are number of banks are conducting business as derived from the bid/ask spread on matched agent. These agency-based federal funds trans- transactions and the net interest spread from actions are not reported on the agent’s balance maturity mismatches. sheet. Dealer banks may also provide federal funds clearing services to their correspondent This activity may result in overall money banks. market arbitrage. Arbitrage is the coordinated purchase and sale of the same security or its equivalent, for which there is a relative price imbalance in the market. The objective of such Banker’s Acceptances activity is to obtain earnings by taking advan- tage of changing yield spreads. 
Arbitrage can Banker’s acceptances are time drafts drawn on occur with items such as Eurodollar CDs, bank- and accepted by a bank. They are the customary

November 2001 Commercial Bank Examination Manual Page 10 Bank Dealer Activities 5230.1 means of effecting payment for merchandise were generally prohibited from underwriting sold in import-export transactions, as well as a and dealing in commercial paper. Despite this source of financing used extensively in interna- restriction, banks participated in this market in tional trade. Banker’s acceptances are an obli- an “agency capacity.” When establishing a com- gation of the acceptor bank and an indirect mercial paper dealership, many of the larger obligation of the drawer. They are normally banks pursued business through an aggressive secured by rights to the goods being financed interpretation of an agency-transaction role. In and are available in a wide variety of principal practice, bank dealers engage in riskless-principal amounts. Maturities are generally less than nine or best-efforts placement of commercial paper. months. Acceptances are priced like Treasury Taking this logic a step further, others actively bills, with a discount figured for the actual engage in competitive bidding and intraday number of days to maturity based on a 360-day distribution of newly issued paper. Because the year. The bank can market acceptances to the paper settles on a same-day basis, the transac- general public but must guarantee their perfor- tions are never part of the official end-of-day mance. records of the bank. Although this technical point has been the subject of discussion, the practice has not been subject to regulatory challenge. Commercial Paper Commercial paper may be issued as an interest-bearing instrument or at a discount. Commercial paper is a generic term that is used Market trades are priced at a current yield, net of to describe short-term, unsecured promissory accrued interest due the seller or, if the commer- notes issued by well-recognized and generally cial paper was issued at a discount, at a discount sound corporations. 
The largest issuers of com- figured for the actual number of days to maturity mercial paper are corporations, bank holding based on a 360-day year. companies, and finance companies, which use The sale of commercial paper issued by bank the borrowings as a low-cost alternative to bank affiliates must conform to legal restrictions and financing. Commercial paper is exempt from avoid conflicts of interest. Each certificate registration under the Securities Act of 1933 if it and confirmation should disclose the facts that meets the following conditions: the commercial paper is not a deposit and is not insured by the Federal Deposit Insurance Cor- • prime quality and negotiable poration. • not ordinarily purchased by the general public • issued to facilitate current operational busi- ness requirements • eligible for discounting by a Federal Reserve Certificates of Deposit Bank • maturity does not exceed nine months Negotiable certificates of deposit (CDs) issued by money-center banks are actively traded in Actively traded commercial paper is ordinar- denominations of $100,000 to $1 million. Inter- ily issued in denominations of at least $100,000 est generally is calculated on a 360-day year and and often in excess of $1 million. Commercial paid at maturity. Secondary-market prices are paper issuers usually maintain unused bank computed based on current yield, net of accrued credit lines to serve as a source of back-up interest due the seller. Eurodollar CDs trade like liquidity or contingency financing, principally in domestic CDs except their yields are usually the form of standby letters of credit. Major higher and their maturities are often longer. commercial paper issuers are rated by nationally recognized rating agencies (Moody’s, S&P, and others). Other issuers achieve higher ratings Credit-Risk and Funding through the use of a credit enhancement, usually Concentrations in the form of a standby letter of credit issued by a financial institution. 
In addition to market risk, money market poli- Based on Supreme Court rulings, commercial cies and guidelines should recognize the credit paper was considered a security for purposes of risk inherent in these products. Federal funds the former Glass-Steagall Act. As a result, banks sold and deposit placements are essentially un-

Commercial Bank Examination Manual November 2001 Page 11 5230.1 Bank Dealer Activities

secured advances. To avoid undue concentrations of credit risk, activity with these products should be limited to approved counterparties. Limits should be established for each prospective counterparty. Tenor limits should also be considered to reduce the potential for credit deterioration over the life of the transaction. The size of limits should be based on both anticipated activity and the counterparty's financial capacity to perform. The credit analysis should be performed by qualified individuals in a credit department that is independent from the money market dealing function. In assessing the creditworthiness of other organizations, institutions should not rely solely on outside sources, such as standardized ratings provided by independent rating agencies, but should perform their own analysis of a counterparty's or issuer's financial strength. At a minimum, limits should be reassessed and credit analyses updated annually. Once established, limits should be monitored with exceptions documented and approved by the appropriate level of senior management. Exposure should also be aggregated on a consolidated basis with any other credit exposure arising from other product areas. Exposure to foreign bank counterparties should also be aggregated by country of domicile to avoid country-risk concentrations. The limit structure should be reviewed to ensure compliance with the requirements of Regulation F, Limitations on Interbank Liabilities, which places prudent limits on credit exposure to correspondent banks.

Maintaining a presence in the wholesale funding markets requires a strong reputation and increases potential liquidity risk. The prolonged use of a large volume of purchased funds to support a money market trading operation could also reduce the capacity to tap this market, if needed, for core funding. Guidelines should be in place to diversify sources of funding. Contingency plans should include strategies to exit or reduce the profile in these markets if the situation warrants.

OPERATIONS AND INTERNAL CONTROLS

A bank dealer's operational functions should be designed to regulate the custody and movement of securities and to adequately account for trading transactions. Because of the dollar volume and speed of trading activities, operational inefficiencies can quickly result in major problems.

Sound Practices for Front- and Back-Office Operations

Bank dealer activities vary significantly among financial institutions, depending on the size and complexity of the trading products; trading, back-office, and management expertise; and the sophistication of systems. As a result, practices, policies, and procedures in place in one institution may not be necessary in another. The adequacy of internal controls requires sound judgment on the part of the examiner. The following is a list of policies and procedures that should be reviewed:

• Every organization should have comprehensive policies and procedures in place that describe the full range of bank dealer activities performed. These documents, typically organized into manuals, should at a minimum address front- and back-office operations; reconciliation guidelines and frequency; revaluation and accounting guidelines; descriptions of accounts; broker policies; a code of ethics; and the risk-measurement and -management methods, including a comprehensive limit structure.
• Every institution should have existing policies and procedures to ensure the segregation of duties among the trading, control, and payment functions.
• Revaluation sources should be independent from the traders for accounting purposes, risk oversight, and senior management reporting, although revaluation of positions may be conducted by traders to monitor positions.
• Trader and dealer telephone conversations should be taped to facilitate the resolution of disputes and to serve as a valuable source of information to auditors, managers, and examiners.
• Trade tickets and blotters (or their electronic equivalents) should be timely and complete to allow for easy reconciliation and for appropriate position and exposure monitoring. The volume and pace of trading may warrant virtually simultaneous creation of these records in some cases.
• Computer hardware and software applications must have the capacity to accommodate the


current and projected level of trading activity. Appropriate disaster-recovery plans should be tested regularly.
• Every institution should have a methodology to identify and justify any off-market transactions. Ideally, off-market transactions would be forbidden.
• A clear institutional policy should exist for personal trading. If such trading is permitted at all, procedures should be established to avoid even the appearance of conflicts of interest.
• Every institution should ensure that the management of after-hours and off-premises trading, if permitted at all, is well documented so that transactions are not omitted from the automated blotter or the bank's records.
• Every institution should ensure that staff is both aware of and complies with internal policies governing the trader-broker relationship.
• Every institution that uses brokers should monitor the patterns of broker usage, be alert to possible undue concentrations of business, and review the list of approved brokers at least annually.
• Every institution that uses brokers should establish a policy that minimizes name substitutions of brokered transactions. All such transactions should be clearly designated as switches, and relevant credit authorities should be involved.
• Every institution that uses brokers for foreign-exchange transactions should establish a clear statement forbidding the lending or borrowing of brokers' points as a method to resolve discrepancies.
• Every organization should have explicit compensation policies to resolve disputed trades for all traded products. Under no circumstances should "soft-dollar" (the exchange of services in lieu of dollar compensation) or off-the-books compensation be permitted for dispute resolution.
• Every institution should have know-your-customer policies, and they should be understood and acknowledged by trading and sales staff.
• The designated compliance officer should perform a review of trading practices at least annually. In institutions with a high level of trading activity, interim reviews may be warranted.
• The organization should have an efficient confirmation-matching process that is fully independent from the dealing function. Documentation should be completed and exchanged as close to completion of a transaction as possible.
• Auditors should review trade integrity and monitoring on a schedule in accordance with its appropriate operational-risk designation.
• Organizations that have customers who trade on margin should establish procedures for collateral valuation and segregated custody accounts.

Fails

In some cases, a bank may not receive or deliver a security by settlement date. "Fails" to deliver for an extended time or a substantial number of cancellations are sometimes characteristic of poor operational control or questionable trading activities.

Fails should be controlled by prompt reporting and follow-up procedures. The use of multicopy confirmation forms enables operational personnel to retain and file a copy by settlement date and should allow for prompt fail reporting and resolution.

Revaluation

The frequency of independent revaluation should be driven by the level of an institution's trading activity. Trading operations with high levels of activity may need to perform daily revaluation; however, it is important to note that independent revaluations are less critical when inventory is turning over quickly or end-of-day positions are small. In these situations, the majority of profit and loss is realized rather than unrealized. Only unrealized profit and loss on positions carried in inventory are affected by a revaluation. At a minimum, every institution should conduct an independent revaluation at the end of each standard accounting period (monthly or quarterly). There will be situations when certain securities will be difficult to price due to lack of liquidity or recent trading activity. If management relies on trader estimates in these situations, a reasonableness test should be performed by personnel who are independent from the trading function. A matrix-pricing approach may also be employed. This involves the use of

prices on similar securities (coupon, credit quality, and tenor) to establish market prices.

Control of Securities

Depository institutions need to adopt procedures to ensure that ownership of securities is adequately documented and controlled. While this documentation and control once involved taking physical possession of the securities either directly or through a third-party custodian, the securities markets are quickly moving to a book-entry system. In this context, safekeeping is more of a concept than a reality. As the markets change, documenting the chain of ownership becomes the primary mechanism to prevent losses arising from a counterparty default. This documentation involves the matching of incoming and outgoing confirmations and frequent reconcilements of all accounts holding securities (Federal Reserve, customer, custodian, and other dealers). When the dealer holds securities on behalf of its customers, similar safeguards also need to be in place. Although this documentation process can be burdensome, it is necessary to protect a dealer's interest in securities owned or controlled. Many active dealers have automated the reconcilement and matching process. This reduces the potential for human error and increases the likelihood that exceptions can be uncovered and resolved quickly.

Because of the relatively short periods of actual ownership associated with repurchase agreements, potential losses could be significant if prudent safeguards are not followed. Significant repo volume or matched-book trading activities only heighten this concern. To further protect their interests, dealers should enter into written agreements with each prospective repurchase-agreement counterparty. Although the industry is moving toward standardized master agreements, some degree of customization may occur. The agreements should be reviewed by legal counsel for their content and compliance with established minimum documentation standards. In general, these agreements should specify the terms of the transaction and the duties of both the buyer and seller. At a minimum, provisions should cover the following issues:

• acceptable types and maturities of collateral securities
• initial acceptable margin for collateral securities of various types and maturities
• margin maintenance, call, , and sellout provisions
• rights to interest and principal payments
• rights to substitute collateral
• individuals authorized to transact business on behalf of the depository institution and its counterparty

Written agreements should be in place before commencing activities.

TRADING AND CAPITAL-MARKETS ACTIVITIES MANUAL

The Trading and Capital-Markets Activities Manual, developed by the Federal Reserve System, is a valuable tool to help examiners understand the complex and often interrelated risks arising from capital-markets activities. The products addressed in the previous subsections and their associated risks are covered in greater detail in the manual.

As noted in the preceding sections, and further addressed in the Trading and Capital-Markets Activities Manual, other trading instruments could be included in the bank dealer or money market trading operation. Financial instruments such as futures and forward rate agreements are often used to modify or hedge the risk associated with cash instruments (dealer inventory and money market positions). The bank dealer may also be involved in other instruments including asset-backed securities (mortgage-backed and consumer-receivable-backed). Other departments of the bank may also use securities products as part of an unrelated trading activity. For example, interest-rate-swap traders often use cash bonds to hedge or modify market-risk exposure. In this capacity, the swap desk would be a customer of the government securities dealer. These overlaps in product focus and usage make it critical for examiners to understand the organizational structure and business strategies before establishing examination scope.
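The confirmation matching and account reconcilement that the Control of Securities discussion above treats as the primary defense against losses from a counterparty default can be automated, as the text notes many active dealers have done. What follows is an added example written for this page; it is not code from the examination manual or from any bank's system. The record layout, the assumption that incoming confirmations have already been flipped to the dealer's side of the trade, the price tolerance, and the sample trades and custodian balances are all constructed for the illustration.

```python
"""Confirmation matching and custody reconcilement (added example; record
layout, tolerance and sample data are constructed, not the manual's)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from decimal import Decimal

D = Decimal


@dataclass(frozen=True)
class Confirmation:
    """One confirmation, normalized to the dealer's point of view.

    A counterparty's incoming confirmation describes the same trade from its
    own side; the assumed ingestion step flips BUY/SELL before these records
    are built, so both copies of a trade carry the dealer's side here.
    """
    ref: str            # originator's reference number (assumed field)
    counterparty: str
    side: str           # "BUY" or "SELL" as seen by the dealer
    cusip: str
    par: Decimal        # face amount
    price: Decimal      # clean price per 100 par
    settle: date        # contractual settlement date


def _key(c):
    # Economic terms that must agree before two confirmations are the same trade.
    return (c.counterparty, c.side, c.cusip, c.par, c.settle)


def match_confirmations(outgoing, incoming, price_tol=D("0.001")):
    """Compare the dealer's outgoing confirmations with the counterparty's.

    Price is kept out of the key so that a price break is reported as a
    discrepancy on one trade rather than as two unrelated trades.
    """
    pending = defaultdict(list)          # key -> incoming not yet matched
    for c in incoming:
        pending[_key(c)].append(c)
    matched, discrepant, unconfirmed = [], [], []
    for o in outgoing:
        cands = pending.get(_key(o))
        if not cands:
            unconfirmed.append(o)        # counterparty has not confirmed: chase before settlement
            continue
        i = cands.pop(0)
        if abs(o.price - i.price) > price_tol:
            discrepant.append((o, i, "price"))
        else:
            matched.append((o, i))
    # Whatever is still pending is a trade the counterparty believes it did
    # with us that is absent from our blotter: a control failure, not noise.
    unknown = [c for cands in pending.values() for c in cands]
    return {"matched": matched, "discrepant": discrepant,
            "unconfirmed": unconfirmed, "unknown": unknown}


def reconcile_positions(settled_trades, custodian_holdings):
    """Derive the expected book-entry position per CUSIP from settled trades
    and compare it with the custodian's statement; returns every break as
    {cusip: (expected_par, reported_par)}."""
    expected = defaultdict(Decimal)
    for t in settled_trades:
        expected[t.cusip] += t.par if t.side == "BUY" else -t.par
    breaks = {}
    for cusip in set(expected) | set(custodian_holdings):
        e = expected.get(cusip, D(0))
        r = custodian_holdings.get(cusip, D(0))
        if e != r:
            breaks[cusip] = (e, r)
    return breaks


# Constructed sample data (not real trades or CUSIPs).
OUTGOING = [
    Confirmation("T-1001", "BANK-A", "BUY", "912828XX1", D("5000000"), D("99.875"), date(2001, 11, 5)),
    Confirmation("T-1002", "BANK-B", "SELL", "912828XX1", D("2000000"), D("99.890"), date(2001, 11, 5)),
    Confirmation("T-1003", "DEALER-C", "BUY", "912810YY2", D("1000000"), D("101.250"), date(2001, 11, 6)),
]
INCOMING = [
    Confirmation("A-77", "BANK-A", "BUY", "912828XX1", D("5000000"), D("99.875"), date(2001, 11, 5)),    # clean match
    Confirmation("B-12", "BANK-B", "SELL", "912828XX1", D("2000000"), D("99.980"), date(2001, 11, 5)),   # price break
    Confirmation("D-09", "DEALER-D", "SELL", "912810YY2", D("500000"), D("101.000"), date(2001, 11, 6)),  # not on our blotter
]
CUSTODIAN = {"912828XX1": D("3000000"), "912810YY2": D("0")}   # book-entry statement


def run_example():
    """Run both controls on the sample data and summarize the exceptions."""
    res = match_confirmations(OUTGOING, INCOMING)
    breaks = reconcile_positions(OUTGOING, CUSTODIAN)
    return {
        "matched": [o.ref for o, _ in res["matched"]],
        "discrepant": [o.ref for o, _, _ in res["discrepant"]],
        "unconfirmed": [o.ref for o in res["unconfirmed"]],
        "unknown": [c.ref for c in res["unknown"]],
        "breaks": {k: (str(e), str(r)) for k, (e, r) in breaks.items()},
    }


if __name__ == "__main__":
    for name, value in run_example().items():
        print(f"{name:12s} {value}")
```

Run it directly to print the exception report. The two controls are deliberately separate: an unmatched confirmation is a pre-settlement problem to chase with the counterparty, while a custody break after settlement is evidence that the chain of ownership the section describes is not what the books say (in the sample, the unconfirmed purchase and the missing custodian balance point at the same trade). A trade whose par or settlement date differs between the two confirmations surfaces as one "unconfirmed" and one "unknown" item rather than as a discrepancy; however the key is set, such a pair should be investigated together.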


OTHER ISSUES

Intercompany Transactions

Examiners should review securities and repurchase-agreement transactions with affiliates to determine compliance with sections 23A and 23B of the Federal Reserve Act. Money market transactions may also be subject to limitations under section 23A; however, these restrictions generally do not apply to transactions between bank subsidiaries that are 80 percent or more commonly owned by a bank holding company. Intercompany transactions between securities underwriting affiliates and their bank affiliates should be carefully reviewed to ensure compliance with Board operating standards and sections 23A and 23B.

Agency Relationships

Many dealer banks engage in securities transactions only in an agency capacity. Acting as an agent means meeting customers' investment needs without exposing the firm to the price risk associated with dealing as principal. Risk is relatively low as long as appropriate disclosures are made and the bank does not misrepresent the nature or risk of the security.

Agency-based federal funds transactions are also becoming more common. By serving only as an agent to facilitate the transaction, a bank can meet its correspondent's federal funds needs without inflating the balance sheet and using capital. Examiners should review agency-based money market transactions to ensure that the transactions are structured in a manner that insulates the bank from potential recourse, either moral or contractual. If legal agreements are not structured properly, the courts could conclude that the agent bank was acting as a principal. In this situation, the loss could be recognized by the agent bank, not its customer.

Although no single feature can determine whether an agency relationship really exists, the courts have recognized a variety of factors in distinguishing whether the persons to whom "goods" were transferred were buyers or merely agents of the transferor. Although some of these distinguishing factors may not apply to federal-funds transactions because they involve the transfer of funds rather than material goods, some parallels can be drawn. An agency relationship would appear to encompass, although not necessarily be limited to, the following elements:

• The agent bank must agree to act on behalf of the seller of the federal funds ("seller") and not on its own behalf.
• The agent should fully disclose to all parties to the transaction that it is acting as agent on behalf of the seller and not on its own behalf.
• The seller, not the agent bank, must retain title to the federal funds before their sale to a purchasing institution.
• The seller, not the agent bank, must bear the risk of loss associated with the federal-funds sale.
• The agent bank's authority in selling federal funds and accounting for these sales to the seller should be controlled by the seller or by some guidelines to which the seller has agreed. The agent bank should sell only to those banks stipulated on a list of banks approved, reviewed, and confirmed periodically by the seller bank.
• The agent bank should be able to identify the specific parties (sellers and purchasers) to a federal-funds sale and the amount of each transaction for which the agent has acted.
• The agent bank's compensation should generally be based on a predetermined fee schedule or percentage rate (for example, a percentage based on the number or size of transactions). The agent should generally not receive compensation in the form of a spread over a predetermined rate that it pays to the seller. (If the agent bank's compensation is in the form of a spread over the rate it pays to the seller, this situation would appear to be more analogous to acting as a principal and suggests that the transactions should be reported on the "agent's" balance sheet.)

By structuring agency agreements to include provisions that encompass these factors and by conducting agency activities accordingly, agent banks can lower the possibility that they would be considered a principal in the event of a failure of a financial institution that had purchased funds through the agent. Generally, as a matter of prudent practice, each bank acting as an agent should have written agreements with principals encompassing the above elements and have a written opinion from legal counsel as to the bona fide nature of the agency relationships.


Selling through an agent should not cause a bank to neglect a credit evaluation of the ultimate purchasers of these funds. Under the more traditional mode of conducting federal-funds transactions, banks sell their federal funds to other banks, which in many instances are larger regional correspondents. These correspondent banks in turn may resell the federal funds to other institutions. Since the correspondent is acting as a principal in these sales, the banks selling the funds to the correspondent are generally not concerned about the creditworthiness of those purchasing the federal funds from the correspondent/principal. Rather, the original selling banks need to focus solely on the creditworthiness of their correspondent banks, with which they should be quite familiar. However, when conducting federal-funds sales through an agent, selling banks, in addition to considering the financial condition of their agent, should also subject the ultimate purchasing banks to the same type of credit analysis that would be considered reasonable and prudent if the seller banks were lending directly to the ultimate borrowers rather than through agents. Banks selling federal funds through agents should not relinquish their credit-evaluation responsibilities to their agent banks.

REPORTING

Securities held for trading purposes and the income and expense that results from trading activities should be isolated by specific general ledger or journal accounts. The balances in those accounts should be included in the appropriate reporting categories for regulatory reporting.

Instructions for the Consolidated Report of Condition and Income (call report) require that securities, derivative contracts, and other items held in trading accounts be reported consistently at market value, or at the lower of cost or market value, with unrealized gains and losses recognized in current income. For further detail, refer to the glossary section of the call report instructions under "trading account." With either method, the carrying values of trading-security inventories should be evaluated periodically (monthly or quarterly), based on current market prices. The increase or decrease in unrealized appreciation or depreciation resulting from that revaluation should be credited or charged to income. Periodic independent revaluation is the most effective means of measuring the trading decisions of bank management.

For reporting purposes, the trading department's income should include not only revaluation adjustments, but also profits and losses from the sale of securities, and other items related to the purchase and sale of trading securities. Interest income from trading assets, salaries, commissions, and other expenses should be excluded from trading income for reporting purposes; however, these items should be considered by management when evaluating the overall profitability of the business.

When the lender institution is acting as a fully disclosed agent, securities-lending activities need not be reported on the call report. However, lending institutions offering indemnification against loss to their customer-owners should report the associated contingent liability gross in Schedule RC-L as "other significant commitments and contingencies."

Recordkeeping and Confirmation Rules

Regulation H contains rules establishing uniform standards for bank recordkeeping, confirmation, and other procedures in executing securities transactions for bank customers. The regulation applies, in general, to those retail commercial activities where the bank effects securities transactions at the direction and for the account of customers. The purpose of the rules is to ensure that purchasers of securities are provided adequate information concerning a transaction and that adequate records and controls are maintained for securities transactions. Under the rules, banks are required to maintain certain detailed records concerning securities transactions, to provide written confirmations to customers under certain circumstances, and to establish certain written policies and procedures. The requirements generally do not apply to banks that make 200 or fewer securities transactions a year for customers (exclusive of transactions in U.S. government and agency obligations) and to transactions subject to the requirements of the MSRB.
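The Revaluation discussion earlier in this section calls for an independent revaluation at least once each accounting period, a reasonableness test of trader estimates on illiquid issues, and a matrix-pricing approach that derives a price from similar securities; the REPORTING paragraphs above then require the resulting change in unrealized appreciation or depreciation to be credited or charged to income. The block below is an added example, not code from the manual or any pricing vendor. It builds the matrix from constructed comparables, interpolates a yield by tenor within a credit-quality bucket, prices the bond from that yield (a standard fixed-coupon formula with a whole number of semiannual periods remaining, an assumption), references each bank mark to the independent trade-date bid where one exists and to the matrix price otherwise, flags variances above an assumed half-percent tolerance for investigation, and computes the revaluation adjustment against the carrying price.

```python
"""Independent revaluation with matrix pricing (added example; comparables,
positions, tolerance and the pricing convention are assumptions)."""
from bisect import bisect_left
from dataclasses import dataclass


@dataclass(frozen=True)
class Position:
    cusip: str
    par: float
    coupon: float      # annual coupon rate, e.g. 0.06
    years: float       # remaining term in years
    rating: str        # credit-quality bucket used by the matrix
    carrying: float    # price per 100 at the last independent revaluation
    bank_mark: float   # price per 100 the desk is carrying today


def bond_price(coupon, ytm, years, freq=2):
    """Price per 100 par of a fixed-coupon bond from its yield.  Assumes a
    whole number of coupon periods remain (no accrued-interest adjustment)."""
    n = round(years * freq)
    c = 100.0 * coupon / freq
    y = ytm / freq
    pv_coupons = sum(c / (1.0 + y) ** k for k in range(1, n + 1))
    return pv_coupons + 100.0 / (1.0 + y) ** n


def build_matrix(comparables):
    """comparables: (rating, years, ytm) observed on actively traded issues.
    Returns {rating: [(years, ytm), ...]} sorted by tenor."""
    m = {}
    for rating, years, ytm in comparables:
        m.setdefault(rating, []).append((years, ytm))
    return {r: sorted(pts) for r, pts in m.items()}


def matrix_yield(matrix, rating, years):
    """Linearly interpolate the yield by tenor inside one rating bucket;
    outside the observed range the nearest point is used (flat extrapolation).
    Raises KeyError if the matrix has no comparables for the rating."""
    pts = matrix[rating]
    i = bisect_left([t for t, _ in pts], years)
    if i == 0:
        return pts[0][1]
    if i == len(pts):
        return pts[-1][1]
    (t0, y0), (t1, y1) = pts[i - 1], pts[i]
    return y0 + (y1 - y0) * (years - t0) / (t1 - t0)


def revalue(positions, independent_bids, comparables, tolerance=0.005):
    """Reference each position to an independent bid when one exists and to
    a matrix price otherwise; flag bank marks off by more than `tolerance`
    and compute the revaluation adjustment against the carrying price."""
    matrix = build_matrix(comparables)
    results = []
    for p in positions:
        if p.cusip in independent_bids:
            ref, source = independent_bids[p.cusip], "independent bid"
        else:
            ref = bond_price(p.coupon, matrix_yield(matrix, p.rating, p.years), p.years)
            source = "matrix"
        variance = (p.bank_mark - ref) / ref
        results.append({
            "cusip": p.cusip,
            "source": source,
            "reference": round(ref, 3),
            "variance": round(variance, 4),
            "investigate": abs(variance) > tolerance,
            # unrealized appreciation (+) or depreciation (-) to book this period
            "adjustment": round(p.par / 100.0 * (ref - p.carrying), 2),
        })
    return results


# Constructed sample data: yields on liquid comparables by rating and tenor,
# and three inventory positions, one of them illiquid with only a trader mark.
COMPARABLES = [("AA", 2, 0.040), ("AA", 5, 0.046), ("AA", 10, 0.052),
               ("A", 2, 0.044), ("A", 5, 0.051), ("A", 10, 0.058)]
POSITIONS = [
    Position("CORP-A7", 1_000_000, 0.06, 7, "A", 103.25, 105.00),   # no recent trades
    Position("UST-5", 2_000_000, 0.045, 5, "AAA", 99.50, 99.875),
    Position("CORP-B3", 500_000, 0.07, 3, "A", 98.00, 98.50),
]
INDEPENDENT_BIDS = {"UST-5": 99.875, "CORP-B3": 97.00}   # trade-date bid prices


if __name__ == "__main__":
    for r in revalue(POSITIONS, INDEPENDENT_BIDS, COMPARABLES):
        print(r)
```

On the sample data the illiquid A-rated seven-year issue prices at roughly 103.58 off a 5.38 percent interpolated yield, so the desk's 105.00 mark is about 1.4 percent rich and is flagged, while the Treasury position matches its bid exactly and only produces the period's appreciation to book. The matrix is a reasonableness test for positions nobody is quoting, not a replacement for an observed bid: the code prefers the independent price whenever one exists, and whoever maintains the comparables table should sit outside the trading function, as the Revaluation discussion requires.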


Due Bills

A "due bill" is an obligation that results when a firm sells a security or money market instrument and receives payment, but does not deliver the item sold. Due bills issued should be considered as borrowings by the issuing firm, and alternatively, due bills received should be considered as lending transactions. Dealers should not issue due bills as a means of obtaining operating funds or when the underlying security can be delivered at settlement. Customers of the dealer enter transactions with an implicit understanding that securities transactions will be promptly executed and settled unless there is a clear understanding to the contrary. Consequently, dealers should promptly disclose the issuance of a due bill to a customer when funds are taken but securities or money market instruments are not delivered to the customer. Such disclosure should reference the applicable transaction; state the reason for the creation of a due bill; describe any collateral securing the due bill; and indicate that to the extent the market value of the collateral is insufficient, the customer may be an unsecured creditor of the dealer.

Due bills that are outstanding for more than three days and are unsecured could be construed as funding and should be reported as "liabilities for borrowed monies" on the call report. These balances are subject to reserve requirements imposed by Regulation D.

ESTABLISHING SCOPE

Obtaining an overview of the organization, management structure, products offered, and control environment is a critical step in the examination process. Based on this assessment, an examiner should determine the appropriate resources and skill level. In situations where an institution is active in either the government or municipal securities markets, it is essential to allocate additional resources for GSA and MSRB compliance. The assigned examiners should be familiar with the provisions of GSA and MSRB as well as with the related examination procedures. For active proprietary trading units, it is important to assign examiners who have a reasonable working knowledge of the concepts outlined in the Trading Activities Manual.
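The Fails discussion earlier in this section asks for prompt reporting and follow-up of items that did not settle, and the Due Bills discussion above gives one concrete rule: an unsecured due bill outstanding for more than three days is funding and belongs in "liabilities for borrowed monies." Both tests run over the aged schedules of due bills and fails that the examination procedures ask the bank to provide. The block below is an added example, not code from the manual; the record layout, the use of calendar rather than business days, the 30-day threshold for calling a fail "extended," and the sample items are assumptions made for the illustration.

```python
"""Aging of fails and due bills (added example; record layout, calendar-day
counting, the 30-day 'extended fail' threshold and sample items are assumed)."""
from collections import Counter
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class OpenItem:
    ref: str
    kind: str              # "DUE_BILL", "FAIL_DELIVER" or "FAIL_RECEIVE"
    counterparty: str
    cusip: str
    amount: float          # proceeds received (due bill) or par value (fail)
    settle: date           # contractual settlement date that was missed
    secured: bool = False  # due bills only: collateral pledged to the customer


BUCKETS = ((3, "0-3"), (10, "4-10"), (30, "11-30"))   # days past settlement


def bucket(days):
    for limit, label in BUCKETS:
        if days <= limit:
            return label
    return "over 30"


def review_open_items(items, as_of, due_bill_limit=3, extended_fail_days=30):
    """Age every open item as of `as_of` and apply two tests.

    Unsecured due bills open more than `due_bill_limit` days (the manual's
    three days) are reclassified as borrowed money for the call report.
    Fails open longer than `extended_fail_days` (an assumed threshold) are
    listed for follow-up, and fails are counted per counterparty so that a
    concentration with one firm stands out.
    """
    fail_buckets = {label: 0 for _, label in BUCKETS}
    fail_buckets["over 30"] = 0
    borrowed_refs, extended_fails, fails_by_cpty = [], [], Counter()
    borrowed_total = 0.0
    for it in items:
        days = (as_of - it.settle).days
        if it.kind == "DUE_BILL":
            if days > due_bill_limit and not it.secured:
                borrowed_refs.append(it.ref)
                borrowed_total += it.amount
        else:
            fail_buckets[bucket(days)] += 1
            fails_by_cpty[it.counterparty] += 1
            if days > extended_fail_days:
                extended_fails.append(it.ref)
    return {
        "borrowed_money_refs": borrowed_refs,
        "borrowed_money_total": borrowed_total,
        "fail_buckets": fail_buckets,
        "extended_fails": extended_fails,
        "fails_by_counterparty": dict(fails_by_cpty),
    }


# Constructed sample schedule as of 30 November 2001 (not real items).
AS_OF = date(2001, 11, 30)
OPEN_ITEMS = [
    OpenItem("DB-1", "DUE_BILL", "CUST-1", "912828XX1", 750_000.0, date(2001, 11, 28)),                 # 2 days: still a due bill
    OpenItem("DB-2", "DUE_BILL", "CUST-2", "912810YY2", 1_500_000.0, date(2001, 11, 20)),               # 10 days, unsecured: borrowing
    OpenItem("DB-3", "DUE_BILL", "CUST-3", "912810YY2", 400_000.0, date(2001, 11, 15), secured=True),   # aged but collateralized
    OpenItem("F-1", "FAIL_DELIVER", "DEALER-C", "912810YY2", 1_000_000.0, date(2001, 10, 15)),          # 46 days
    OpenItem("F-2", "FAIL_RECEIVE", "DEALER-C", "912828XX1", 2_000_000.0, date(2001, 11, 26)),          # 4 days
    OpenItem("F-3", "FAIL_DELIVER", "BANK-B", "912828XX1", 500_000.0, date(2001, 11, 29)),              # 1 day
]


if __name__ == "__main__":
    for name, value in review_open_items(OPEN_ITEMS, AS_OF).items():
        print(f"{name:22s} {value}")
```

The secured due bill is aged but not reclassified, which is the distinction the manual draws: collateral is what keeps the customer from becoming an unsecured creditor of the dealer. The per-counterparty count is there because two of the three fails in the sample sit with the same firm, and the text treats a pattern of extended fails as a sign of poor operational control or questionable trading rather than as isolated settlement noise.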

Bank Dealer Activities: Examination Objectives
Effective date November 1995 Section 5230.2

1. To determine if the policies, practices, procedures, and internal controls regarding bank dealer activities are adequate.
2. To determine if bank officers are operating in conformance with the established guidelines.
3. To evaluate the trading portfolio for credit quality and marketability.
4. To determine the scope and adequacy of the audit compliance functions.
5. To determine compliance with applicable laws and regulations.
6. To ensure investor protection.
7. To initiate corrective action when policies, practices, procedures, or internal controls are deficient or when violations of law or regulations have been noted.

Bank Dealer Activities: Examination Procedures
Effective date December 1985 Section 5230.3

1. If selected for implementation, complete or update the Bank Dealer Activities section of the Internal Control Questionnaire.
2. Based on the evaluation of internal controls and the work performed by internal/external auditors, determine the scope of the examination.
3. Test for compliance with policies, practices, procedures, and internal controls in conjunction with performing the remaining examination procedures. Also, obtain a listing of any deficiencies noted in the latest review done by internal/external auditors from the examiner assigned "Internal Control," and determine if corrections have been accomplished.
4. Request that the bank provide the following schedules:
   a. An aged schedule of securities that have been acquired as a result of underwriting activities.
   b. An aged schedule of trading account securities and money market instruments held for trading or arbitrage purposes. Reflect commitments to purchase and sell securities and all joint account interests.
   c. A schedule of short-sale transactions.
   d. An aged schedule of due bills.
   e. A list of bonds borrowed.
   f. An aged schedule of "fails" to receive or deliver securities on unsettled contracts.
   g. A schedule of approved securities borrowers and approved limits.
   h. A schedule of loaned securities.
   i. A schedule detailing account names and/or account numbers of the following customer accounts:
      • Own bank trust accounts.
      • Own bank permanent portfolio.
      • Affiliated banks' permanent portfolio accounts.
      • Personal accounts of employees of other banks.
      • Accounts of brokers or other dealers.
      • Personal accounts of employees of other brokers or dealers.
   j. A list of all joint accounts entered into since the last examination.
   k. A list of underwriting since the last examination and whether such securities were acquired by negotiation or competitive bid.
   l. A list of all financial advisory relationships.
5. Agree balances of appropriate schedules to the general ledger and review reconciling items for reasonableness.
6. Determine the extent and effectiveness of trading policy supervision by:
   a. Reviewing the abstracted minutes of meetings of the board of directors and/or of any appropriate committee.
   b. Determining that proper authorization for the trading officer or committee has been made.
   c. Ascertaining the limitations or restrictions on delegated authorities.
   d. Evaluating the sufficiency of analytical data used in the most recent board or committee trading department review.
   e. Reviewing the methods of reporting by department supervisors and internal auditors to ensure compliance with established policy and law.
   f. Reaching a conclusion about the effectiveness of director supervision of the bank's trading policy. Prepare a memo for the examiner assigned "Duties and Responsibilities of Directors" stating your conclusions. All conclusions should be supported by factual documentation.

(Before continuing, refer to steps 14 and 15. They should be performed in conjunction with the remaining examination steps.)

7. Ascertain the general character of underwriting and direct placement activities and the effectiveness of department management by reviewing underwriter files and ledgers, committee reports and offering statements to determine:
   a. The significance of underwriting activities and direct placements of type III securities as reflected by the volume of sales and profit or loss on operations. Compare current data to comparable prior periods.
   b. Whether there is a recognizable pattern in:


      • The extent of analysis of material information relating to the ability of the issuer to service the obligation.
      • Rated quality of offerings.
      • Point spread of profit margin for unrated issues.
      • Geographic distribution of issuers.
      • Syndicate participants.
      • Bank's trust department serving as corporate trustee, paying agent and transfer agent for issuers.
      • Trustee, paying agent and transfer agent business being placed with institutions that purchase a significant percentage of the underwriter or private placement offering.
   c. The volume of outstanding bids. Compare current data to comparable prior periods.
   d. The maturity, rated quality and geographic distribution of takedowns from syndicate participations.
   e. The extent of transfer to the bank's own or affiliated investment or trading portfolios or to trust accounts and any policies relating to this practice.
8. Determine the general character of trading account activities and whether the activities are in conformance with stated policy by reviewing departmental reports, budgets and position records for various categories of trading activity and determining:
   a. The significance of present sales volume compared to comparable prior periods and departmental budgets.
   b. Whether the bank's objectives are compatible with the volume of trading activity.
9. Review customer ledgers, securities position ledgers, transaction or purchase and sales journals and analyze the soundness of the bank's trading practices by:
   a. Reviewing a representative sample of agency and contemporaneous principal trades and determining the commission and price mark-up parameters for various sizes and types of transactions.
   b. Selecting principal transactions that have resulted in large profits and determining if the transaction involved:
      • "Buy-backs" of previously traded securities.
      • Own bank or affiliated bank portfolios.
      • A security that has unusual quality and maturity characteristics.
   c. Reviewing significant inventory positions taken since the prior examination and determining if:
      • The quality and maturity of the inventory position was compatible with prudent banking practices.
      • The size of the position was within prescribed limits and compatible with sound trading strategy.
   d. Determining the bank's exposure on offsetting repurchase transactions by:
      • Reviewing the maturities of offsetting re-po and reverse re-po agreements to ascertain the existence, duration, amounts and strategy used to manage unmatched maturity "gaps" and extended (over 30 days) maturities.
      • Reviewing records since the last examination to determine the aggregate amounts of:
         — Matched repurchase transactions.
         — Reverse re-po financing extended to one or related firm(s).
      • Performing credit analysis of significant concentrations with any single or related entity(ies).
      • Reporting the relationship of those concentrations to the examiners assigned "Concentration of " and "Funds Management."
10. Determine the extent of risk inherent in trading account securities which have been in inventory in excess of 30 days and:
   a. Determine the dollar volume in extended holdings.
   b. Determine the amounts of identifiable positions with regard to issue, issuer, yield, credit rating, and maturity.
   c. Determine the current market value for individual issues which show an internal valuation mark-down of 10 percent or more.
   d. Perform credit analyses on the issuers of non-rated holdings identified as significant positions.
   e. Perform credit analyses on those issues with valuation write-downs considered significant relative to the scope of trading operations.
   f. Discuss plans for disposal of slow moving inventories with management and determine the reasonableness of those plans in light of current and projected market trends.


11. Using an appropriate technique, select issues from the schedule of trading account inventory. Test valuation procedures by:
   a. Reviewing operating procedures and supporting workpapers and determining if prescribed valuation procedures are being followed.
   b. Comparing bank prepared market prices, as of the most recent valuation date, to an independent pricing source (use trade date "bid" prices).
   c. Investigating any price differences noted.
12. Using an appropriate technique, select transactions from the schedule of short sales and determine:
   a. The degree of speculation reflected by basis point spreads.
   b. Present exposure shown by computing the cost to cover short sales.
   c. If transactions are reversed in a reasonable period of time.
   d. If the bank makes significant use of due-bill transactions to obtain funds for its banking business:
      • Coordinate with the examiner assigned "Review of Regulatory Reports" to determine if the bank's reports of condition reflect due bill transactions as "liabilities for borrowed money."
      • Report amounts, duration, seasonal patterns and budgeted projections for due bills to the examiner assigned "Funds Management."
13. If the bank is involved in agency-based federal funds activity:
   a. At the beginning or in advance of each examination of a banking organization which has been acting as an agent in the purchase and sale of federal funds for other institutions, examiners should obtain certain information which will help them determine the nature and extent of this activity. The information should include:
      • A brief description of the various types of agency relationships (i.e., involving federal funds or other money market activities) and the related transactions.
      • For each type of agency relationship, copies of associated forms, agency agreements, documents, reports and legal opinions. In addition, if the banking organization has documented its analysis of the risks associated with the activity, a copy of the analysis should be requested by the examiner.
      • For each type of agency relationship, a summary of the extent of the activity including:
         — The number of institutions serviced as principals.
         — The size range of the institutions (i.e., institutions serviced have total assets ranging from $ to $ ).
         — General location of sellers and purchasers serviced under agency relationships (i.e., New York State, Midwest, etc.)
         — Estimate of average daily volume of federal funds or money market instruments purchased and sold under agency relationships and the high and low volume over the period since the last examination inquiry (or since activity was begun, if more recent).
         — Names of individuals in the bank that are responsible for these agency relationships.
      • A historical file of this information should be maintained in order to determine the nature, extent and growth of these activities over time.
   b. Once the examination work in this area has been started, the examiner should attempt to discern any situation, activity or deficiency in this area that might suggest that an agency relationship does not actually exist. A negative response to the following examination guidelines section dealing with agency agreements may signal such a deficiency. In addition, any other money market agency relationships that involve new or unusual financial transactions should be evaluated to determine the nature of the risks involved and compliance, to the extent applicable, with the guidelines.
   c. The examiner should determine that the banking organization's written policies, procedures, and other documentation associated with this activity are consistent with the Federal Reserve System's Examination Guidelines. If the bank does not have written policies, the examiner should strongly advise that they be developed due to the complex nature of

Commercial Bank Examination Manual March 1994 Page 3 5230.3 Bank Dealer Activities: Examination Procedures

this activity and the potential risks associated with it.
    d. After reviewing the policies, procedures, and appropriate documentation, the examiner should be able to respond positively to the following questions:
        • Banking organizations acting as agents in the sale of federal funds¹
            — Has this form of activity been approved by the board of directors?
            — Are the bank’s individual agency arrangements and transactions:
                • supported by written agency agreements, and
                • reviewed and approved by appropriate officers?
            — Do the written agency agreements that support this activity include provisions indicating that (a negative answer may indicate that the bank is not in fact an agent):
                • the agent bank will be acting on behalf of the original or principal seller of federal funds (‘‘seller’’) in conducting these activities and not on the agent bank’s own behalf?
                • the agency relationship will be fully disclosed to all banks involved in the transactions?
                • the seller, and not the agent bank, must retain legal title to the federal funds before they are sold to a third party bank?
                • the seller, and not the agent bank, bears the risk of loss?
                • the agent bank’s authority in selling federal funds and in accounting for this activity to the seller should be controlled by the seller or by standards to which it has agreed? To implement this, does the agreement or its attachments include the following seller-approved items:
                    1. lists of banks to whom the agent may sell federal funds,² and
                    2. limits on the amounts that can be sold to these banks?
            — Does the agent have a written opinion from its legal counsel as to the bona fide nature of the agency relationship?
            — Does the accounting and reporting system of the agent bank enable it to account for the federal funds transactions on a period basis (i.e., at least weekly) to the sellers? (Although more frequent accounting may not be required by the sellers, the agent on any day should have the capacity to identify for the seller the banks to whom the seller’s funds have been sold.)
            — Does the agent’s accounting system identify each bank which has purchased federal funds from a particular seller bank and include (at least) the following information for each bank in which the funds are being invested?³
                • information to clearly identify the name and location of the bank (or other entity)
                • amount of federal funds sold and amount of interest earned
                • terms of transaction, and maturity date
                • lending limits agreed to
            — Does the agent bank actually disclose to banks or other organizations that are part of these agency-based transactions that it is acting as agent?
            — Is the agent bank’s compensation in the form of a predetermined fee schedule or percentage rate based, for example, on the size of transactions, as opposed to compensation in the form of a spread over the rate that it pays to the seller bank? (If the agent bank’s compensation is in the form of a spread over the rate it pays to the selling bank, this situation would appear to be more akin to acting as an intermediary and suggests that the transactions should be reported on its balance sheet.)
        • Banking organizations that are involved in agency-based federal funds relationships as sellers
            — Does the bank support its transactions with written agency agreements?
            — Does the seller bank evaluate the credit worthiness of the ultimate borrowers of federal funds and establish limits for each and are these limits periodically reviewed at least every six months?³,⁴
            — Does the bank periodically (i.e., at least weekly) receive an accounting from the agent which includes the following information for each bank to whom the seller bank’s federal funds were sold?
                • information to identify name and location of bank
                • amount of federal funds sold and interest earned
                • federal funds sales limits agreed to (if the seller bank is a principal)
            — Is the bank’s management and board of directors aware of and have they approved the agency relationship?
        • Do internal and/or external auditors periodically review the policies, procedures, and internal controls associated with this activity and the activity’s impact on the earnings and financial condition of the banking organization? Is their evaluation reported to management? (Applies to banks acting as agents in the sale of federal funds, and those banks involved as sellers of federal funds.)
        • In addition to the items considered above, the examiner should determine what the impact of these transactions has been on the bank’s earnings and financial condition. If the impact has been negative, or if the answer to any of the above questions is negative, the examiner should discuss these matters with bank management and seek remedial action.
14. Analyze the effectiveness of operational controls by reviewing recent cancellations and fail items that are a week or more beyond settlement date and determine:
    a. The amount of extended fails.
    b. The planned disposition of extended fails.
    c. If the control system allows a timely, productive follow-up on unresolved fails.
    d. The reasons for cancellations.
    e. The planned disposition of securities that have been inventoried prior to the recognition of a fail or a cancellation.
15. Determine compliance with applicable laws, rulings, and regulations by performing the following for:
    a. 12 CFR 1.3—Eligible Securities:
        • Review inventory schedules of underwriting and trading accounts and determine if issues whose par value is in excess of 10 percent of the bank’s capital and unimpaired surplus are type I securities.
        • Determine that the total par value of type II investments does not exceed 10 percent of the bank’s capital and unimpaired surplus, based on the combination of holdings and permanent portfolio positions in the same securities.
        • Elicit management’s comments and review underwriting records on direct placement of type III securities, and determine if the bank is dealing in type III securities for its own account by ascertaining if direct placement issues have been placed in own bank or affiliated investment portfolios or if underwriting proceeds were used to reduce affiliate loans.
    b. Section 23A of the Federal Reserve Act (12 USC 371(c) and 375)—Preferential Treatment: Obtain a list of domestic affiliate relationships and a list of directors and principal officers and their business interests from appropriate examiners and determine whether transactions, including securities clearance services, involving affiliates, insiders or their

¹ Although it is conceivable that a purchaser could engage an agent to obtain federal funds on its behalf, these guidelines focus primarily on situations where the seller has engaged an agent to sell federal funds on its behalf because the associated risks of such transactions are borne by the sellers and their agents.
² Seller banks could conceivably design their lists of approved banks to encompass a large number of financially sound institutions and still be considered to be fulfilling this supervisory requirement.
³ The entities referred to as ‘‘ultimate purchasers’’ or ‘‘ultimate borrowers’’ are those that have the responsibility to repay the original seller bank, and not any intervening agents that may pass on the federal funds to these purchasers.
⁴ This requirement is intended to mean that seller banks should conduct the type of credit analysis that would be considered reasonable and prudent for a direct federal funds activity (i.e., those federal funds activities not conducted through agents).


interests are on terms less favorable to the bank than those transactions involving unrelated parties.
    c. Regulation D (12 CFR 204.2)—Due Bills:
        • Review outstanding due bills and determine if:
            — The customer was informed that a due bill would be issued instead of the purchased security.
            — Safekeeping receipts are sent to safekeeping customers only after the purchased security has been delivered.
        • Review due bills outstanding over three business days and determine if they are collateralized or properly reserved.
        • Review collateralized due bills and determine if the liability is secured by securities of the same type and of comparable maturity and with a market value at least equal to that of the security that is the subject of the due bill.
    d. Regulation H (12 CFR 208.8(k))—Recordkeeping and Confirmation Requirements: If the bank effects securities transactions at the direction and for the account of customers, determine if it is in compliance with this regulation by substantiating Internal Control questions 24–35.
16. Test for unsafe and unsound practices and possible violations of the Securities Exchange Act of 1934 by:
    a. Reviewing customer account schedules of own bank and affiliated bank permanent portfolios, trusts, other broker-dealers, employees of own or other banks and other broker-dealers. Use an appropriate technique to select transactions and compare trade prices to independently established market prices as of the date of trade.
    b. Reviewing transactions, including U.S. government tender offer subscription files, involving employees and directors of own or other banks and determine if the funds used in the transactions were misused bank funds or the proceeds of reciprocal or preferential loans.
    c. Reviewing sales to affiliated companies to determine that the sold securities were not subsequently repurchased at an additional mark-up and that gains were not recognized a second time.
    d. Reviewing commercial paper sales journals or confirmations to determine if the bank sells affiliate commercial paper. If so, determine if:
        • The bank sells affiliate-issued commercial paper to institutions and financially sophisticated individuals only.
        • Sales are generally denominated in amounts of $25,000 or more.
        • Each sale confirmation discloses that the affiliate-issued commercial paper is not an insured bank deposit.
    e. Reviewing securities position records and customer ledgers with respect to large volume repetitive purchase and sales transactions and:
        • Independently testing market prices of significant transactions which involve the purchase and resale of the same security to the same or related parties.
        • Investigating the purchase of large blocks of securities from dealer firms just prior to month end and their subsequent resale to the same firm just after the beginning of the next month.
    f. Reviewing lists of approved dealer firms and determining that the approval of any firm that handles a significant volume of agency transactions is based on competitive factors rather than deposit relationships.
    g. Reviewing customer complaint files and determining the reasons for such complaints.
17. Discuss with an appropriate officer and prepare report comments concerning:
    a. The soundness of trading objectives, policies and practices.
    b. The degree of legal and market risk assumed by trading operations.
    c. The effectiveness of analytical, reporting and control systems.
    d. Violations of law.
    e. Internal control deficiencies.
    f. Apparent or potential conflicts of interest.
    g. Other matters of significance.
18. Reach a conclusion regarding the quality of department management and state your conclusions on the management brief provided by the examiner assigned “Management Assessment.”
19. Update workpapers with any information that will facilitate future examinations.
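The Regulation D due-bill review in step 15c is a set of mechanical tests: was the customer told a due bill would replace delivery, is any bill outstanding more than three business days either collateralized or reserved, and does the collateral match the owed security in type, comparable maturity and market value. The following is an added example written for this page, not code from the manual or from any bank system, that runs those tests over a constructed due-bill register. The record layout, the business-day count that ignores holidays, the one-year tolerance used for "comparable maturity" and every sample value are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Record layout is an assumption for this example; the manual prescribes the
# tests in step 15c, not how the bank's due-bill register is laid out.
@dataclass
class DueBill:
    bill_id: str
    issued: date                 # date the due bill was issued in lieu of delivery
    security_type: str           # constructed labels such as "UST" or "agency"
    security_maturity: date
    security_value: float        # market value of the security owed to the customer
    customer_informed: bool      # customer told a due bill would be issued?
    collateral_type: Optional[str] = None
    collateral_maturity: Optional[date] = None
    collateral_value: float = 0.0
    reserved: bool = False       # bank has properly reserved instead of collateralizing

# "Comparable maturity" is not quantified in the manual; one year is an assumed tolerance.
COMPARABLE_MATURITY_DAYS = 365

def business_days_after(start: date, end: date) -> int:
    """Weekdays strictly after `start` through `end` (holidays ignored; assumption)."""
    count, day = 0, start
    while day < end:
        day += timedelta(days=1)
        if day.weekday() < 5:
            count += 1
    return count

def review_due_bill(bill: DueBill, as_of: date) -> List[str]:
    """Finding codes for one due bill, following the three bullets of step 15c."""
    findings: List[str] = []
    # Bullet 1: the customer must have been told a due bill would be issued.
    if not bill.customer_informed:
        findings.append("CUSTOMER_NOT_INFORMED")
    # Bullet 2: over three business days outstanding -> collateralized or reserved.
    if (business_days_after(bill.issued, as_of) > 3
            and bill.collateral_type is None and not bill.reserved):
        findings.append("UNSECURED_OVER_THREE_DAYS")
    # Bullet 3: collateral of the same type, comparable maturity, value >= security value.
    if bill.collateral_type is not None:
        if bill.collateral_type != bill.security_type:
            findings.append("COLLATERAL_TYPE_MISMATCH")
        if (bill.collateral_maturity is None
                or abs((bill.collateral_maturity - bill.security_maturity).days)
                > COMPARABLE_MATURITY_DAYS):
            findings.append("COLLATERAL_MATURITY_NOT_COMPARABLE")
        if bill.collateral_value < bill.security_value:
            findings.append("COLLATERAL_VALUE_SHORTFALL")
    return findings

def review_all(bills: List[DueBill], as_of: date) -> Dict[str, List[str]]:
    """Map each bill id to its findings; an empty list means no exception."""
    return {b.bill_id: review_due_bill(b, as_of) for b in bills}

AS_OF = date(2024, 3, 15)  # constructed examination date (a Friday)

# Constructed sample register: ids, dates and values are placeholders.
SAMPLE_BILLS = [
    DueBill("DB-1", date(2024, 3, 14), "UST", date(2030, 1, 1), 100_000.0, True),
    DueBill("DB-2", date(2024, 3, 8), "UST", date(2030, 1, 1), 100_000.0, True),
    DueBill("DB-3", date(2024, 3, 1), "UST", date(2030, 1, 1), 100_000.0, False,
            collateral_type="agency", collateral_maturity=date(2035, 1, 1),
            collateral_value=95_000.0),
    DueBill("DB-4", date(2024, 3, 1), "UST", date(2030, 1, 1), 100_000.0, True,
            reserved=True),
    DueBill("DB-5", date(2024, 3, 4), "UST", date(2030, 1, 1), 100_000.0, True,
            collateral_type="UST", collateral_maturity=date(2030, 6, 1),
            collateral_value=100_500.0),
]

if __name__ == "__main__":
    for bill_id, findings in review_all(SAMPLE_BILLS, AS_OF).items():
        print(bill_id, findings or "no exception")
```

DB-2 is flagged only because five business days have elapsed with neither collateral nor a reserve; DB-4 is the same age but reserved, so it passes. DB-3 collects every collateral finding at once, which is the case an examiner would want surfaced rather than the first mismatch only. Each finding code maps to one bullet of step 15c, so a register run through this check can be tied back to the procedure line by line.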

Bank Dealer Activities: Internal Control Questionnaire
Effective date December 1985 Section 5230.4

Review the bank’s internal controls, policies, practices and procedures regarding bank dealer activities. The bank’s system should be documented in a complete, concise manner and should include, where appropriate, narrative descriptions, flowcharts, copies of forms used and other pertinent information. Items marked with an asterisk require substantiation by observation or testing.

This section applies to all bank dealer activities except those involving municipal securities, which are reviewed as part of a separate and distinct Municipal Bond Dealer Examination.

SECURITIES UNDERWRITING TRADING POLICIES

1. Has the board of directors, consistent with its duties and responsibilities, adopted written securities underwriting/trading policies that:
    a. Outline objectives?
    b. Establish limits and/or guidelines for:
        • Price mark-ups?
        • Quality of issues?
        • Maturity of issues?
        • Inventory positions (including when issued (WI) positions)?
        • Amounts of unrealized loss on inventory positions?
        • Length of time an issue will be carried in inventory?
        • Amounts of individual trades or underwriter interests?
        • Acceptability of brokers and syndicate partners?
    c. Recognize possible conflicts of interest and establish appropriate procedures regarding:
        • Deposit and service relationships with municipalities whose issues have underwriting links to the trading department?
        • Deposit relationships with securities firms handling significant volumes of agency transactions or syndicate participations?
        • Transfers made between trading account inventory and investment portfolio(s)?
        • The bank’s trust department acting as trustee, paying agent, and transfer agent for issues which have an underwriting relationship with the trading department?
    d. State procedures for periodic, monthly or quarterly, valuation of trading inventories to market value or to the lower of cost or market price?
    e. State procedures for periodic independent verification of valuations of the trading inventories?
    f. Outline methods of internal review and reporting by department supervisors and internal auditors to insure compliance with established policy?
    g. Identify permissible types of securities?
    h. Ensure compliance with the rules of fair practice that:
        • Prohibit any deceptive, dishonest or unfair practice?
        • Adopt formal suitability checklists?
        • Monitor gifts and gratuities?
        • Prohibit materially false or misleading advertisements?
        • Adopt a system to determine the existence of possible control relationships?
        • Prohibit the use of confidential, non-public information without written approval of the affected parties?
        • Prohibit improper use of funds held on another’s behalf?
        • Allocate responsibility for transactions with own employees and employees of other dealers?
        • Require disclosure on all new issues?
    i. Provide for exceptions to standard policy?
2. Are the underwriting/trading policies reviewed at least quarterly by the board to determine their adequacy in light of changing conditions?
3. Is there a periodic review by the board to assure that the underwriting/trading department is in compliance with its policies?


OFFSETTING RESALE AND REPURCHASE TRANSACTIONS

4. Has the board of directors, consistent with its duties and responsibilities, adopted written offsetting repurchase transaction policies that:
    a. Limit the aggregate amount of offsetting repurchase transactions?
    b. Limit the amounts in unmatched or extended (over 30 days) maturity transactions?
    c. Determine maximum time gaps for unmatched maturity transactions?
    d. Determine minimally acceptable interest rate spreads for various maturity transactions?
    e. Determine the maximum amount of funds to be extended to any single or related firms through reverse re-po transactions, involving unsold (through forward sales) securities?
    f. Require firms involved in reverse re-po transactions to submit corporate resolutions stating the names and limits of individuals who are authorized to commit the firm?
    g. Require submission of current financial information by firms involved in reverse re-po transactions?
    h. Provide for periodic credit reviews and approvals for firms involved in reverse re-po transactions?
    i. Specify types of acceptable offsetting repurchase transaction collateral (if so, indicate type ____)?
5. Are written collateral control procedures designed so that:
    a. Collateral assignment forms are used?
    b. Collateral assignments of registered securities are accompanied by powers of attorney signed by the registered owner?
        • Registered securities are registered in bank or bank’s nominee name when they are assigned as collateral for extended maturity (over 30 days) reverse re-po transactions?
    c. Funds are not disbursed until reverse re-po collateral is delivered into the physical custody of the bank or an independent safekeeping agent?
    d. Funds are only advanced against predetermined collateral margins or discounts?
        • If so, indicate margin or discount percentage ____.
    e. Collateral margins or discounts are predicated upon:
        • The type of security pledged as collateral?
        • Maturity of collateral?
        • Historic and anticipated price volatility of the collateral?
        • Maturity of the reverse re-po agreements?
    f. Maintenance agreements are required to support predetermined collateral margin or discount?
    g. Maintenance agreements are structured to allow margin calls in the event of collateral price declines?
    h. Collateral market value is frequently checked to determine compliance with margin and maintenance requirements (if so, indicate frequency ____)?

CUSTODY AND MOVEMENT OF SECURITIES

*6. Are the bank’s procedures such that persons do not have sole custody of securities in that:
    a. They do not have sole physical access to securities?
    b. They do not prepare disposal documents that are not also approved by authorized persons?
    c. For the security custodian, supporting disposal documents are examined or adequately tested by a second custodian?
    d. No person authorizes more than one of the following transactions: execution of trades, receipt and delivery of securities, and collection or disbursement of payment?
7. Are securities physically safeguarded to prevent loss, unauthorized disposal or use? And:
    a. Are negotiable securities kept under dual control?
    b. Are securities counted frequently, on a surprise basis, reconciled to the securities record, and the results of such counts reported to management?
    c. Does the bank periodically test for compliance with provisions of its insurance policies regarding custody of securities?
    d. For securities in the custody of others:
        • Are custody statements agreed periodically to position ledgers and any differences followed up to a conclusion?
        • Are statements received from brokers and other dealers reconciled promptly, and any differences followed up to a conclusion?
        • Are positions for which no statements are received confirmed periodically, and stale items followed up to a conclusion?
8. Are trading account securities segregated from other bank owned securities or securities held in safekeeping for customers?
*9. Is access to the trading securities vault restricted to authorized employees?
10. Do withdrawal authorizations require countersignature to indicate security count verifications?
11. Is registered mail used for mailing securities, and are adequate receipt files maintained for such mailings (if registered mail is used for some but not all mailings, indicate criteria and reasons)?
12. Are prenumbered forms used to control securities trades, movements and payments?
13. If so, is numerical control of prenumbered forms accounted for periodically by persons independent of those activities?
14. Do alterations to forms governing the trade, movement, and payment of securities require:
    *a. Signature of the authorizing party?
    b. Use of a change of instruction form?
15. With respect to negotiability of registered securities:
    a. Are securities kept in non-negotiable form whenever possible?
    b. Are all securities received, and not immediately delivered, transferred to the name of the bank or its nominee and kept in non-negotiable form whenever possible?
    c. Are securities received checked for negotiability (endorsements, signature, guarantee, legal opinion, etc.) and for completeness (coupons, warrants, etc.) before they are placed in the vault?

RECORDS MAINTENANCE

16. Does the bank maintain:
    a. Order tickets which include:
        • Capacity as principal or agent?
        • If order is firm or conditional?
        • Terms, conditions or instructions and modifications?
        • Type of transaction (purchase or sale)?
        • Execution price?
        • Description of security?
        • Date and time of order receipt?
        • Date and time of execution?
        • Dealer’s or customer’s name?
        • Delivery and payment instructions?
        • Terms, conditions, date and time of cancellation of an agency order?
    b. Customer confirmations:
        • Bank dealer’s name, address and phone number?
        • Customer’s name?
        • Designation of whether transaction was a purchase from or sale to the customer?
        • Par value of securities?
        • Description of securities, including at a minimum:
            — Name of issuer?
            — Interest rate?
            — Maturity date?
            — Designation, if securities are subject to limited tax?
            — Subject to redemption prior to maturity (callable)?
            — Designation, if revenue bonds and the type of revenue?
            — The name of any company or person in addition to the issuer who is obligated, directly or indirectly, to pay debt service on revenue bonds? (In the case of more than one such obligor, the phrase ‘‘multiple obligors’’ will suffice.)
            — Dated date, if it affects price or interest calculations?
            — First interest payment date, if other than semi-annual?


            — Designation, if securities are ‘‘fully registered’’ or ‘‘registered as principal’’?
            — Designation, if securities are ‘‘pre-refunded’’?
            — Designation, if securities have been ‘‘called,’’ maturity date fixed by call notice and amount of call price?
            — Denominations of bearer bonds, if other than denominations of $1,000 and $5,000 par value?
            — Denominations of registered bonds, if other than multiples of $1,000 par value up to $100,000 par value?
            — Denominations of municipal notes?
        • Trade date and time of execution, or a statement that time of execution will be furnished upon written request of the customer?
        • Settlement date?
        • Yield and dollar price? Only the dollar price need be shown for securities traded at par.
            — For transactions in callable securities effected on a yield basis, the resulting price calculated to the lowest of price to call premium, par option (callable at par) or to maturity, and if priced to premium call or par option, a statement to that effect and the call or option date and price used in the calculation?
        • Amount of accrued interest?
        • Extended principal amount?
        • Total dollar amount of transaction?
        • The capacity in which the bank dealer effected the transaction:
            — As principal for own account?
            — As agent for customer?
            — As agent for a person other than the customer?
            — As agent for both the customer and another person (dual agent)?
        • If a transaction is effected as agent for the customer or as dual agent:
            — Either the name of the contra-party or a statement that the information will be furnished upon request?
            — The source and amount of any commission or other remuneration to the bank dealer?
        • Payment and delivery instructions?
        • Special instructions, such as:
            — ‘‘Ex-legal’’ (traded without legal opinion)?
            — ‘‘Flat’’ (traded without interest)?
            — ‘‘In default’’ as to principal or interest?
    c. Dealer confirmations:
        • Bank dealer’s name, address and telephone number?
        • Contra-party identification?
        • Designation of purchase from or sale to?
        • Par value of securities?
        • Description of securities, including at a minimum:
            — Name of issuer?
            — Interest rate?
            — Maturity date?
            — Designation, if securities are limited tax?
            — Subject to redemption prior to maturity (callable)?
            — Designation, if revenue bonds and the type of revenue?
            — Dated date, if it affects price or interest calculations?
            — First interest payment date, if other than semi-annual?
            — Designation, if securities are ‘‘fully registered’’ or ‘‘registered as principal’’?
            — Designation, if securities are ‘‘pre-refunded’’?
            — Designation, if securities have been ‘‘called,’’ maturity date fixed by call notice and amount of call price?
            — Denominations of bearer bonds, if other than denominations of $1,000 and $5,000 par value?
            — Denominations of registered bonds, if other than multiples of $1,000 par value up to $100,000 par value?
        • CUSIP number, if assigned (effective January 1, 1979)?
        • Trade date?
        • Settlement date?
        • Yield to maturity and resulting dollar price? Only the dollar price need be


shown for securities traded at par or on a dollar basis.
            — For transactions in callable securities effected on a yield basis, the resulting price calculated to the lowest of price to call premium, par option (callable at par) or to maturity?
            — If applicable, the fact that securities are priced to premium call or par option and the call or option date and price used in the calculation?
        • Amount of accrued interest?
        • Extended principal amount?
        • Total dollar amount of transaction?
        • Payment and delivery instructions?
        • Special instructions, such as:
            — ‘‘Ex-legal’’ (traded without legal opinion)?
            — ‘‘Flat’’ (traded without interest)?
            — ‘‘In default’’ as to principal or interest?
    d. Purchase and sale journals or blotters which include:
        • Trade date?
        • Description of securities?
        • Aggregate par value?
        • Unit dollar price or yield?
        • Aggregate trade price?
        • Accrued interest?
        • Name of buyer or seller?
        • Name of party received from or delivered to?
        • Certificate numbers?
        • Indication if securities are in registered form?
        • Receipts or disbursements of cash?
        • Specific designation of ‘‘when issued’’ transactions?
        • Transaction or confirmation numbers recorded in consecutive sequence to insure that transactions are not omitted?
        • Other references to documents of original entry?
    e. Short sale ledgers which include:
        • Sale price?
        • Settlement date?
        • Present market value?
        • Basis point spread?
        • Description of collateral?
        • Cost of collateral or cost to acquire collateral?
        • Carrying charges?
    f. Security position ledgers, showing separately for each security positioned for the bank’s own account:
        • Description of the security?
        • Posting date (either trade or settlement date, provided posting date is consistent with other records of original entry)?
        • Aggregate par value?
        • Cost?
        • Average cost?
        • Location?
        • Count differences classified by the date on which they were discovered?
    g. Securities transfer or validation ledgers which include:
        • Address where securities were sent?
        • Date sent?
        • Description of security?
        • Aggregate par value?
        • If registered securities:
            — Present name of record?
            — New name to be registered?
        • Old certificate or note numbers?
        • New certificate or note numbers?
        • Date returned?
    h. Securities received and delivered journals or tickets which include:
        • Date of receipt or delivery?
        • Name of sender and receiver?
        • Description of security?
        • Aggregate par value?
        • Trade and settlement dates?
        • Bond or note numbers?
    i. Cash or wire transfer receipt and disbursement tickets which include:
        • Draft or check numbers?
        • Customer accounts debited or credited?
        • Notation of the original entry item that initiated the transaction?
    j. Cash or wire transfer journals which additionally include:
        • Draft or check reconcilements?
        • Daily totals of cash debits and credits?
        • Daily proofs?
    k. Fail ledgers which include:
        • Description of security?
        • Aggregate par value?
        • Price?
        • Fail date?
        • Date included on fail ledger?
        • Customer or dealer name?
        • Resolution date?


        • A distinction between a customer and a dealer fail?
        • Follow-up detail regarding efforts to resolve the fail?
    l. Securities borrowed and loaned ledgers which include:
        • Date of transaction?
        • Description of securities?
        • Aggregate par value?
        • Market value of securities?
        • Contra-party name?
        • Value at which security was loaned?
        • Date returned?
        • Description of collateral?
        • Aggregate par value of collateral?
        • Market value of collateral?
        • Collateral safekeeping location?
        • Dates of periodic valuations?
    m. Records concerning written or oral put options, guarantee and repurchase agreements which include:
        • Description of the securities?
        • Aggregate par value?
        • Terms and conditions of the option, agreement or guarantee?
    n. Customer account information which includes:
        • Customer’s name and residence or principal business address?
        • Whether customer is of legal age?
        • Occupation?
        • Name and address of employer? And:
            — Whether customer is employed by a securities broker or dealer or by a municipal securities dealer?
        • Name and address of beneficial owner or owners of the account if other than customer? And:
            — Whether transactions are confirmed with such owner or owners?
        • Name and address of person(s) authorized to transact business for a corporate, partnership or trusteed account? And:
            — Copy of powers of attorney, resolutions or other evidence of authority to effect transactions for such an account?
        • With respect to borrowing or pledging securities held for the accounts of customers:
            — Written authorization from the customer authorizing such activities?
        • Customer complaints including:
            — Records of all written customer complaints?
            — Record of actions taken concerning those complaints?
    o. Customer and the bank dealer’s own account ledgers which include:
        • All purchases and sales of securities?
        • All receipts and deliveries of securities?
        • All receipts and disbursements of cash?
        • All other charges or credits?
    p. Records of syndicates’ joint accounts or similar accounts formed for the purchase of municipal securities which include:
        • Underwriter agreements? And:
            — Description of the security?
            — Aggregate par value of the issue?
        • Syndicate or selling group agreements? And:
            — Participants’ names and percentages of interest?
            — Terms and conditions governing the formation and operation of the syndicate?
            — Date of closing of the syndicate account?
            — Reconcilement of syndicate profits and expenses?
        • Additional requirements for syndicate or underwriting managers which include:
            — All orders received for the purchase of securities from the syndicate or account, except bids at other than the syndicate price?
            — All allotments of securities and the price at which sold?
            — Date of settlement with the issuer?
            — Date and amount of any good faith deposit made with the issuer?
    q. Files which include:
        • Advertising and sales literature?
        • Prospectus delivery information?
    r. Internal supervisory records which include:
        • Account reconcilement and follow-up?
        • Profit analysis by trader?
        • Sales production reports?


        • Periodic open position reports computed on a trade date or when issued basis?
        • Reports of own bank credit extensions used to finance the sale of trading account securities?

PURCHASE AND SALES TRANSACTIONS

17. Are all transactions promptly confirmed in writing to the actual customers or dealers?
18. Are confirmations compared or adequately tested to purchase and sales memoranda and reports of execution of orders, and any differences investigated and corrected (including approval by a designated responsible employee)?
    a. Are confirmations and purchase and sale memoranda checked or adequately tested for computation and terms by a second individual?
19. Are comparisons received from other dealers or brokers compared with confirmations, and any differences promptly investigated?
    a. Are comparisons approved by a designated individual (if so, give name ____)?

CUSTOMER AND DEALER ACCOUNTS

20. Do account bookkeepers periodically transfer to different account sections or otherwise rotate posting assignments?
21. Are letters mailed to customers requesting confirmation of changes of address?
22. Are separate customer account ledgers maintained for:
    • Employees?
    • Affiliates?
    • Own bank’s trust accounts?
23. Are customer inquiries and complaints handled exclusively by designated individuals who have no incompatible duties?

RECORDKEEPING AND CONFIRMATION REQUIREMENTS FOR CUSTOMER SECURITIES TRANSACTIONS (REGULATION H)

24. Are chronological records of original entry containing an itemized daily record of all purchases and sales of securities maintained?
25. Do the original entry records reflect:
    a. The account or customer for which each such transaction was effected?
    b. The description of the securities?
    c. The unit and aggregate purchase or sale price (if any)?
    d. The trade date?
    e. The name or other designation of the broker-dealer or other person from whom purchased or to whom sold?

If the bank has had an average of 200 or more securities transactions per year for customers over the prior three-calendar-year period, exclusive of transactions in U.S. government and federal agency obligations, answer questions 26, 27 and 28.

26. Does the bank maintain account records for each customer which reflect:
    a. All purchases and sales of securities?
    b. All receipts and deliveries of securities?
    c. All receipts and disbursements of cash for transactions in securities for such account?
    d. All other debits and credits pertaining to transactions in securities?
27. Does the bank maintain a separate memorandum (order ticket) of each order to purchase or sell securities (whether executed or cancelled) which includes:
    a. The account(s) for which the transaction was effected?
    b. Whether the transaction was a market order, limit order, or subject to special instructions?
    c. The time the order was received by the trader or other bank employee responsible for effecting the transaction?
    d. The time the order was placed with the broker-dealer, or if there was no broker-dealer, the time the order was executed or cancelled?
    e. The price at which the order was executed?


 f. The broker-dealer used?

28. Does the bank maintain a record of all broker-dealers selected by the bank to effect securities transactions and the amount of commissions paid or allocated to each such broker during the calendar year?

29. Does the bank, subsequent to effecting a securities transaction for a customer, mail or otherwise furnish to such customer either a copy of the confirmation of a broker-dealer relating to the securities transaction or a written trade confirmation prepared by the bank?

30. If customer notification is provided by furnishing the customer with a copy of the confirmation of a broker-dealer relating to the transaction, and if the bank is to receive remuneration from the customer or any other source in connection with the transaction, and the remuneration is not determined pursuant to a written agreement between the bank and the customer, does the bank also provide a statement of the source and amount of any remuneration to be received?

31. If customer notification is provided by furnishing the customer with a trade confirmation prepared by the bank, does the confirmation disclose:
 a. The name of the bank?
 b. The name of the customer?
 c. Whether the bank is acting as agent for such customer, as principal for its own account, or in any other capacity?
 d. The date of execution and a statement that the time of execution will be furnished within a reasonable time upon written request of such customer?
 e. The identity, price and number of shares or units (or principal amount in the case of debt securities) of such securities purchased or sold by such customer?

32. For transactions which the bank effects in the capacity of agent, does the bank, in addition to the above, disclose:
 a. The amount of any remuneration received or to be received, directly or indirectly, by any broker-dealer from such customer in connection with the transaction?
 b. The amount of any remuneration received or to be received by the bank from the customer and the source and amount of any other remuneration to be received by the bank in connection with the transaction, unless remuneration is determined pursuant to a written agreement between the bank and the customer?
 c. The name of the broker-dealer used. Where there is no broker-dealer, the name of the person from whom the security was purchased or to whom it was sold, or the fact that such information will be furnished within a reasonable time upon written request?

33. Does the bank maintain the above records and evidence of proper notification for a period of at least three years?

34. Does the bank furnish the written notification described above within five business days from the date of the transaction, or if a broker-dealer is used, within five business days from the receipt by the bank of the broker-dealer’s confirmation? If not, does the bank use one of the alternative procedures described in Regulation H?

35. Unless specifically exempted in Regulation H, does the bank have established written policies and procedures ensuring:
 a. That bank officers and employees who make investment recommendations or decisions for the accounts of customers, who participate in the determination of such recommendations or decisions, or who, in connection with their duties, obtain information concerning which securities are being purchased or sold or recommended for such action, report to the bank, within 10 days after the end of the calendar quarter, all transactions in securities made by them or on their behalf, either at the bank or elsewhere, in which they have a beneficial interest (subject to certain exemptions)?
 b. That in the above required report the bank officers and employees identify the securities purchased or sold and indicate the dates of the transactions and whether the transactions were purchases or sales?
 c. The assignment of responsibility for supervision of all officers or employees who (1) transmit orders to or place orders with broker-dealers, or (2) execute transactions in securities for customers?


 d. The fair and equitable allocation of securities and prices to accounts when orders for the same security are received at approximately the same time and are placed for execution either individually or in combination?
 e. Where applicable, and where permissible under local law, the crossing of buy and sell orders on a fair and equitable basis to the parties to the transaction?

OTHER

36. Are the preparation, additions, and posting of subsidiary records performed and/or adequately reviewed by persons who do not also have sole custody of securities?

37. Are subsidiary records reconciled, at least monthly, to the appropriate general ledger accounts and are reconciling items adequately investigated by persons who do not also have sole custody of securities?

38. Are fails to receive and deliver under a separate general ledger control?
 a. Are fail accounts periodically reconciled to the general ledger, and any differences followed up to a conclusion?
 b. Are periodic aging schedules prepared (if so, indicate frequency ______)?
 c. Are stale fail items confirmed and followed up to a conclusion?
 d. Are stale items valued periodically and, if any potential loss is indicated, is a particular effort made to clear such items or to protect the bank from loss by other means?

39. With respect to securities loaned and borrowed positions:
 a. Are details periodically reconciled to the general ledger, and any differences followed up to a conclusion?
 b. Are positions confirmed periodically (if so, indicate frequency ______)?

40. Is the compensation of all department employees limited to salary and a non-departmentalized bonus or incentive plan?
 a. Are sales representatives’ incentive programs based on sales volume and not department income?

CONCLUSION

41. Is the foregoing information an adequate basis for evaluating internal control in that there are no significant deficiencies in areas not covered in this questionnaire that impair any controls? Explain negative answers briefly, and indicate any additional examination procedures deemed necessary.

42. Based on a composite evaluation, as evidenced by answers to the foregoing questions, internal control is considered ______ (adequate/inadequate).

Information Technology
Effective date November 2020 Section 5300.1

Banking organizations increasingly rely on information technology (IT) to conduct their operations and manage risks. The use of IT can have important implications for a banking organization’s financial condition, risk profile, and operating performance and should be incorporated into the safety-and-soundness assessment of each organization. As a result, all safety-and-soundness examinations (or examination cycles) conducted by the Federal Reserve should include an assessment and evaluation of IT risks and risk management. Further information about banks’ IT activities and examination methodology can be found in the FFIEC Information Technology Examination Handbook (the IT Handbook) and in supervisory guidance issued by the Federal Reserve and the other federal banking agencies.

ASSESSING INFORMATION TECHNOLOGY IN THE RISK-FOCUSED SUPERVISORY FRAMEWORK

The risk-focused supervisory process is evolving to adapt to the changing role of IT in banking organizations, with greater emphasis on an assessment of IT’s effect on an organization’s safety and soundness. Accordingly, examiners should explicitly consider IT when developing risk assessments and supervisory plans. Examiners should use appropriate judgment in determining the level of review, given the characteristics, size, and business activities of the organization. Moreover, to determine the scope of supervisory activities, close coordination is needed between general safety-and-soundness examiners and IT specialists during the risk-assessment and planning phase, as well as during on-site examinations. Given the variability of IT environments, the level of technical expertise needed for a particular examination will vary across institutions and should be identified during the planning phase of the examination. In general, examiners should accomplish the following goals during a risk-focused examination:

• Develop a broad understanding of the organization’s approach to, and strategy and structure for, IT activities within and across business lines. Determine also the role and importance of IT to the organization and any unique characteristics or issues.
• Incorporate an analysis of IT activities into risk assessments, supervisory plans, and scope memoranda. An organization’s IT systems should be considered in relation to the size, activities, and complexity of the organization, as well as the degree of reliance on these systems across particular business lines. Although IT concerns would clearly affect an institution’s operational risk profile, IT also can affect other business risks (such as credit, market, liquidity, legal, and reputational risk), depending upon the specific circumstances, and should be incorporated into these assessments as appropriate.
• Assess the organization’s critical systems, that is, those that support its major business activities, and the degree of reliance those activities have on IT systems. The level of review should be sufficient to determine that the systems are delivering the services necessary for the organization to conduct its business in a safe and sound manner.
• Determine whether the board of directors and senior management are adequately identifying, measuring, monitoring, and controlling the significant risks associated with IT for the overall organization and its major business activities.

INTERAGENCY GUIDELINES ESTABLISHING INFORMATION SECURITY STANDARDS

The federal banking agencies jointly issued interagency guidelines establishing information security standards (the information security standards), which became effective July 1, 2001.1 (See the appendix to this section.) The Board of Governors of the Federal Reserve System approved amendments to the standards on December 16, 2004 (effective July 1, 2005). The amended information security standards implement sections 501 and 505 of the Gramm-Leach-Bliley Act (15 U.S.C. 6801 and 6805) and section 216 of the Fair and Accurate Credit Transactions Act of 2003 (15 U.S.C. 1681w). The Gramm-Leach-Bliley Act requires the agencies to establish financial-institution information security standards for administrative, technical, and physical safeguards for customer records and information. (See SR-01-15.)

Under the information security standards, institutions must establish an effective written information security program to assess and control risks to customer information. An institution’s information security program should be appropriate to its size and complexity and to the nature and scope of its operations. The board of directors should oversee the institution’s development, implementation, and maintenance of the information security program and also approve written information security policies and programs.

The information security program should include administrative, technical, and physical safeguards appropriate to the size and complexity of the bank and the nature and scope of its activities. The program should be designed to ensure the security and confidentiality of customer information;2 protect against anticipated threats or hazards to the security or integrity of such information; protect against unauthorized access to, or use of, such information that could result in substantial harm or inconvenience to any customer;3 and ensure the proper disposal of customer information and consumer information. Each institution must assess risks to customer information and implement appropriate policies, procedures, training, and testing to manage and control these risks. Institutions must also report annually to the board of directors or a committee of the board of directors.

The information security standards outline specific security measures that banking organizations should consider in implementing a security program based on the size and complexity of their operations. Training and testing are also critical components of an effective information security program. Financial institutions are required to oversee their service-provider arrangements in order to (1) protect the security of customer information maintained or processed by service providers; (2) ensure that its service providers properly dispose of customer and consumer information; and (3) where warranted, monitor its service providers to confirm that they have satisfied their contractual obligations.

The Federal Reserve recognizes that banking organizations are highly sensitive to the importance of safeguarding customer information and the need to maintain effective information security programs. Existing examination procedures and supervisory processes already address information security. As a result, most banking organizations may not need to implement any new controls and procedures.

Examiners should assess compliance with the standards during each safety-and-soundness examination, which may include targeted reviews of information technology. Ongoing compliance with the standards should be monitored, as needed, during the risk-focused examination process. Material instances of noncompliance should be noted in the examination report.

The information security standards apply to customer information maintained by, or on behalf of, state member banks and bank holding companies and the nonbank subsidiaries of each.4 The information security standards also address standards for the proper disposal of consumer information, pursuant to sections 621 and 628 of the Fair Credit Reporting Act (15 U.S.C. 1681s and 1681w). To address the risks associated with identity theft, a financial institution is generally required to develop, implement, and maintain, as part of its existing information security program, appropriate measures to properly dispose of consumer information derived from consumer reports.

Consumer information is defined as any record about an individual, whether in paper, electronic, or other form, that is a consumer report or is derived from a consumer report and that is maintained or otherwise possessed by or on behalf of the bank for a business purpose. Consumer information also means a compilation of such records.

The following are examples of consumer information:

• a consumer report that a bank obtains
• information from a consumer report that the bank obtains from its affiliate after the consumer has been given a notice and has elected not to opt out of that sharing
• information from a consumer report that the bank obtains about an individual who applies for but does not receive a loan, including any loan sought by an individual for a business purpose
• information from a consumer report that the bank obtains about an individual who guarantees a loan (including a loan to a business entity)
• information from a consumer report that the bank obtains about an employee or prospective employee

Consumer information does not include any record that does not personally identify an individual, nor does it include the following:

• aggregate information, such as the mean score, derived from a group of consumer reports
• blind data, such as payment history on accounts that are not personally identifiable, that may be used for developing credit-scoring models or for other purposes

An institution or banking organization is not required to implement a uniform information security program. For example, a bank holding company may include subsidiaries within the scope of its information security program, or the subsidiaries may implement separate information security programs. The institution or bank holding company is expected, however, to coordinate all the elements of its information security program.

Institutions must exercise due diligence when selecting service providers, including reviewing the service provider’s information security program or the measures the service provider uses to protect the institution’s customer information.5 All contracts must require that the service provider implement appropriate measures designed to meet the objectives of the standards. Institutions must also conduct ongoing oversight to confirm that the service provider maintains appropriate security measures. An institution’s methods for overseeing its service-provider arrangements may differ depending on the type of services or service provider or the level of risk. For example, if a service provider is subject to regulations or a code of conduct that imposes a duty to protect customer information consistent with the objectives of the standards, the institution may consider that duty in exercising its due diligence and oversight of the service provider. In situations where a service provider hires a subservicer (or subcontractor), the subservicer would not be considered a “service provider” under the guidelines.

Response Programs for Unauthorized Access to Customer Information and Customer Notice

Response programs specify actions that are to be taken when a financial institution suspects or detects that unauthorized individuals have gained access to customer information systems, including appropriate reports to regulatory and law enforcement agencies.6 A response program is the principal means for a financial institution to protect against unauthorized “use” of customer information that could lead to “substantial harm or inconvenience” to the institution’s customer. For example, customer notification is an important tool that enables a customer to take steps to prevent identity theft, such as by arranging to have a fraud alert placed in his or her credit file.

1. See 66 Fed. Reg. 8616–8641 (February 1, 2001) and 69 Fed. Reg. 77,610–77,612 (December 28, 2004); Regulation H, 12 CFR 208, appendix D-2; Regulation K, 12 CFR 211.9 and 211.24; and Regulation Y, 12 CFR 225, appendix F.
2. Customer information is defined to include any record, whether in paper, electronic, or other form, containing nonpublic personal information, as defined in Regulation P, about a financial institution’s customer that is maintained by, or on behalf of, the institution.
3. A customer is defined in the same manner as in Regulation P: a consumer who has established a continuing relationship with an institution under which the institution provides one or more financial products or services to the consumer to be used primarily for personal, family, or household purposes. The definition of customer does not include a business, nor does it include a consumer who has not established an ongoing relationship with the financial institution.
4. The information security standards do not apply to brokers, dealers, investment companies, and investment advisers, or to persons providing insurance under the applicable state insurance authority of the state in which the person is domiciled. The appropriate federal agency or state insurance authority regulates insurance entities under sections 501 and 505 of the GLB Act.
5. A service provider is deemed to be a person or entity that maintains, processes, or is otherwise permitted access to customer information through its provision of services directly to the bank.
6. See the information security standards, 12 CFR 208, appendix D-2, section III.C.


The measures enumerated in the information security standards include “response programs that specify actions to be taken when the bank suspects or detects that unauthorized individuals have gained access to customer information systems, including appropriate reports to regulatory and law enforcement agencies.”7 Prompt action by both the institution and the customer following the unauthorized access to customer information is crucial to limiting identity theft. As a result, every financial institution should develop and implement a response program appropriate to its size and complexity and to the nature and scope of its activities. The program should be designed to address incidents of unauthorized access to customer information.

The Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice8 (the guidance) interprets section 501(b) of the Gramm-Leach-Bliley Act (the GLB Act) and the information security standards.9 The guidance describes the response programs, including customer notification procedures, that a financial institution should develop and implement to address unauthorized access to or use of customer information that could result in substantial harm or inconvenience to a customer.

When evaluating the adequacy of an institution’s information security program that is required by the information security standards, examiners are to consider whether the institution has developed and implemented a response program equivalent to the guidance. At a minimum, an institution’s response program should contain procedures for (1) assessing the nature and scope of an incident, and identifying what customer information systems and types of customer information have been accessed or misused; (2) notifying its primary federal regulator as soon as possible when the institution becomes aware of an incident involving unauthorized access to or use of sensitive customer information, as defined later in the guidance; (3) immediately notifying law enforcement in situations involving federal criminal violations requiring immediate attention; (4) taking appropriate steps to contain and control the incident to prevent further unauthorized access to or use of customer information, such as by monitoring, freezing, or closing affected accounts, while preserving records and other evidence; and (5) notifying customers when warranted.

The guidance does not apply to a financial institution’s foreign offices, branches, or affiliates. However, a financial institution subject to the information security standards is responsible for the security of its customer information, whether the information is maintained within or outside of the United States, such as by a service provider located outside of the United States.

The guidance also applies to customer information, meaning any record containing “nonpublic personal information” about a financial institution’s customer, whether the information is maintained in paper, electronic, or other form, that is maintained by or on behalf of the institution.10 (See the Board’s privacy rule, Regulation P, at section 216.3(n)(2) (12 CFR 216.3(n)(2)).) Consequently, the guidance applies only to information that is within the control of the institution and its service providers. The guidance would not apply to information directly disclosed by a customer to a third party, for example, through a fraudulent web site.

The guidance also does not apply to information involving business or commercial accounts. Instead, the guidance applies to nonpublic personal information about a customer, as that term is used in the information security standards, namely, a consumer who obtains a financial product or service from a financial institution to be used primarily for personal, family, or household purposes and who has a continuing relationship with the institution.11

Response Programs

Financial institutions should take preventative measures to safeguard customer information against attempts to gain unauthorized access to the information. For example, financial institutions should place access controls on customer information systems and conduct background checks for employees who are authorized to access customer information.12 However, every financial institution should also develop and implement a risk-based response program to address incidents of unauthorized access to customer information in customer information systems13 that occur nonetheless. A response program should be a key part of an institution’s information security program.14 The program should be appropriate to the size and complexity of the institution and the nature and scope of its activities.

In addition, each institution should be able to address incidents of unauthorized access to customer information in customer information systems maintained by its domestic and foreign service providers. Therefore, consistent with the obligations in the information security standards that relate to these arrangements, and with existing guidance on this topic issued by the agencies,15 an institution’s contract with its service provider should require the service provider to take appropriate actions to address incidents of unauthorized access to the financial institution’s customer information, including notification to the institution as soon as possible of any such incident, to enable the institution to expeditiously implement its response program.

Components of a response program. At a minimum, an institution’s response program should contain procedures for the following:

• assessing the nature and scope of an incident, and identifying what customer information systems and types of customer information have been accessed or misused
• notifying its primary federal regulator as soon as possible when the institution becomes aware of an incident involving unauthorized access to or use of sensitive customer information, as defined below
• consistent with the Suspicious Activity Report regulations,16 notifying appropriate law enforcement authorities, in addition to filing a timely SAR in situations involving federal criminal violations requiring immediate attention, such as when a reportable violation is ongoing
• taking appropriate steps to contain and control the incident to prevent further unauthorized access to or use of customer information, for example, by monitoring, freezing, or closing affected accounts, while preserving records and other evidence
• notifying customers when warranted

Where an incident of unauthorized access to customer information involves customer information systems maintained by an institution’s service providers, it is the responsibility of the financial institution to notify the institution’s customers and regulator. However, an institution may authorize or contract with its service provider to notify the institution’s customers or regulator on its behalf.

Customer Notice

Financial institutions have an affirmative duty to protect their customers’ information against unauthorized access or use. Notifying customers of a security incident involving the unauthorized access or use of the customer’s information in accordance with the standard set forth below is a key part of that duty. Timely notification of customers is important to managing an institution’s reputation risk. Effective notice also may reduce an institution’s legal risk, assist in maintaining good customer relations, and enable the institution’s customers to take steps to protect themselves against the consequences of identity theft. When customer notification is warranted, an institution may not forgo notifying its customers of an incident because the institution believes that it may be potentially embarrassed or inconvenienced by doing so.

7. See the information security standards, section III.C.1.g.
8. The guidance was jointly issued on March 23, 2005 (effective March 29, 2005), by the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the Office of the Comptroller of the Currency, and the Office of Thrift Supervision.
9. See 12 CFR 208, appendix D-2, and 12 CFR 225, appendix F. The Interagency Guidelines Establishing Information Security Standards were formerly known as the Interagency Guidelines Establishing Standards for Safeguarding Customer Information.
10. See the information security standards, 12 CFR 208, appendix D-2, section I.C.2.e.
11. See the information security standards, 12 CFR 208, appendix D-2, section I.C.2.d., and the Board’s privacy rule (Regulation P), section 216.3(h) (12 CFR 216.3(h)).
12. Institutions should also conduct background checks of employees to ensure that the institution does not violate 12 U.S.C. 1829, which prohibits an institution from hiring an individual convicted of certain criminal offenses or who is subject to a prohibition order under 12 U.S.C. 1818(e)(6).
13. Under the information security standards, an institution’s customer information systems consist of all the methods used to access, collect, store, use, transmit, protect, or dispose of customer information, including the systems maintained by its service providers. See the information security standards, 12 CFR 208, appendix D-2, section I.C.2.f.
14. Reserved footnote.
15. See SR-13-19/CA-13-21, “Guidance on Managing Outsourcing Risk.”
16. An institution’s obligation to file a SAR is set out in regulations and supervisory guidance. See 12 CFR 208.62 (state member banks); 12 CFR 211.5(k) (Edge and agreement corporations); 12 CFR 211.24(f) (uninsured state branches and agencies of foreign banks); and 12 CFR 225.4(f) (bank holding companies and their nonbank subsidiaries). See the FFIEC BSA/AML Examination Manual and also SR-01-11, “Identity Theft and Pretext Calling.”


Standard for providing notice. When a financial institution becomes aware of an incident of unauthorized access to sensitive customer information, the institution should conduct a reasonable investigation to promptly determine the likelihood that the information has been or will be misused. If the institution determines that misuse of its information about a customer has occurred or is reasonably possible, it should notify the affected customer as soon as possible. Customer notice may be delayed if an appropriate law enforcement agency determines that notification will interfere with a criminal investigation and provides the institution with a written request for the delay. However, the institution should notify its customers as soon as notification will no longer interfere with the investigation.

Sensitive customer information. Under the information security standards, an institution must protect against unauthorized access to or use of customer information that could result in substantial harm or inconvenience to any customer. Substantial harm or inconvenience is most likely to result from improper access to sensitive customer information because this type of information is most likely to be misused, as in the commission of identity theft. For purposes of the guidance, sensitive customer information means a customer’s name, address, or telephone number, in conjunction with the customer’s Social Security number, driver’s license number, account number, credit or debit card number, or a personal identification number or password that would permit access to the customer’s account. Sensitive customer information also includes any combination of components of customer information that would allow someone to log onto or access the customer’s account, such as a user name and password or a password and an account number.

Affected customers. If a financial institution, on the basis of its investigation, can determine from its logs or other data precisely which customers’ information has been improperly accessed, it may limit notification to those customers for whom the institution determines that misuse of their information has occurred or is reasonably possible. However, there may be situations in which the institution determines that a group of files has been accessed improperly but is unable to identify which specific customers’ information has been accessed. If the circumstances of the unauthorized access lead the institution to determine that misuse of the information is reasonably possible, it should notify all customers in the group.

Content of customer notice. Customer notice should be given in a clear and conspicuous manner. The notice should describe the incident in general terms and the type of customer information that was the subject of unauthorized access or use. It should also generally describe what the institution has done to protect the customers’ information from further unauthorized access. In addition, it should include a telephone number that customers can call for further information and assistance.17 The notice also should remind customers of the need to remain vigilant over the next 12 to 24 months, and to promptly report incidents of suspected identity theft to the institution. The notice should include the following additional items, when appropriate:

• a recommendation that the customer review account statements and immediately report any suspicious activity to the institution
• a description of fraud alerts and an explanation of how the customer may place a fraud alert in the customer’s consumer reports to put the customer’s creditors on notice that the customer may be a victim of fraud
• a recommendation that the customer periodically obtain credit reports from each nationwide credit reporting agency and have information relating to fraudulent transactions deleted
• an explanation of how the customer may obtain a credit report free of charge
• information about the availability of the FTC’s online guidance regarding steps a consumer can take to protect against identity theft (The notice should encourage the customer to report any incidents of identity theft to the FTC and should provide the FTC’s web site address and toll-free telephone number that customers may use to obtain the identity theft guidance and to report suspected incidents of identity theft.18)

17. The institution should, therefore, ensure that it has reasonable policies and procedures in place, including trained personnel, to respond appropriately to customer inquiries and requests for assistance.
18. The FTC website for the ID theft brochure and the FTC hotline phone number are www.ftc.gov/bcp/edu/microsites/idtheft/ and 1-877-IDTHEFT. The institution may also refer
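The two rules stated above, the definition of sensitive customer information and the scoping of notification to affected customers, as an added example that is not part of the manual: a Python helper that applies them to constructed access-log lines. The log format, the field names, the file-group membership and the investigation's per-group misuse findings are all assumptions of this example, and the misuse determination itself remains a judgment supplied to the code, not made by it.

```python
"""Notification-scoping helper (added example, not from the manual).

Rule 1: a name, address, or telephone number in conjunction with an SSN,
driver's license number, account number, credit or debit card number, PIN
or password is sensitive customer information, as is any combination that
by itself permits log-on or account access.
Rule 2: notification may be limited to customers the logs identify, but
when only a group of files is known to have been accessed and misuse is
reasonably possible, every customer in that group is notified.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Field names are this example's own convention (assumption).
IDENTIFYING = {"name", "address", "phone"}
SENSITIVE_ELEMENTS = {"ssn", "drivers_license", "account_number",
                      "card_number", "pin", "password"}
# The guidance's two examples of combinations that permit account access.
ACCESS_COMBINATIONS = ({"username", "password"},
                       {"password", "account_number"})


def is_sensitive(fields: Set[str]) -> bool:
    """True if the exposed field set meets the definition above."""
    if fields & IDENTIFYING and fields & SENSITIVE_ELEMENTS:
        return True
    return any(combo <= fields for combo in ACCESS_COMBINATIONS)


@dataclass
class AccessEvent:
    file_group: str
    customer_id: Optional[str]   # None when the log cannot attribute the read
    fields: Set[str]


# Constructed key=value log format used only in this example.
LOG_LINE = re.compile(
    r"file=(?P<file>\S+)\s+customer=(?P<cust>\S+)\s+fields=(?P<fields>\S+)")


def parse_log(lines: List[str]) -> List[AccessEvent]:
    """Parse record-access lines; lines that are not record reads are skipped."""
    events = []
    for line in lines:
        m = LOG_LINE.search(line)
        if not m:
            continue
        cust = None if m.group("cust") == "-" else m.group("cust")
        events.append(AccessEvent(m.group("file"), cust,
                                  set(m.group("fields").split(","))))
    return events


def customers_to_notify(events: List[AccessEvent],
                        group_members: Dict[str, Set[str]],
                        misuse_possible: Dict[str, bool]) -> Dict[str, str]:
    """Return {customer_id: basis} for customers who must be notified.

    group_members maps a file group to every customer whose record it holds.
    misuse_possible maps a file group to the investigation's conclusion on
    whether misuse has occurred or is reasonably possible. A group with no
    recorded conclusion is treated conservatively as reasonably possible.
    """
    notify: Dict[str, str] = {}
    for ev in events:
        if not is_sensitive(ev.fields):
            continue                       # rule 1 not met: no notice triggered
        if not misuse_possible.get(ev.file_group, True):
            continue                       # investigation ruled misuse out
        if ev.customer_id is not None:
            notify.setdefault(ev.customer_id, "identified in logs")
        else:
            # Group access is known but not which records: notify the group.
            for cid in group_members.get(ev.file_group, ()):
                notify.setdefault(cid, f"member of group {ev.file_group}")
    return notify


# Constructed sample log lines (not from any real system).
SAMPLE_LOG = [
    "2024-03-02T10:14:55Z actor=svc_batch action=READ file=grp-A customer=C1001 fields=name,address,ssn",
    "2024-03-02T10:15:01Z actor=svc_batch action=READ file=grp-A customer=C1002 fields=name,address,email",
    "2024-03-02T10:16:30Z actor=svc_batch action=READ file=grp-B customer=- fields=name,account_number,pin",
    "2024-03-02T10:17:02Z actor=svc_batch action=READ file=grp-C customer=C3001 fields=username,password",
    "2024-03-02T10:17:05Z actor=svc_batch action=LOGIN result=ok",
]
GROUP_MEMBERS = {"grp-B": {"C2001", "C2002", "C2003"}}
# Constructed investigation findings per file group.
MISUSE_POSSIBLE = {"grp-A": True, "grp-B": True, "grp-C": False}


def run_sample() -> Dict[str, str]:
    return customers_to_notify(parse_log(SAMPLE_LOG), GROUP_MEMBERS,
                               MISUSE_POSSIBLE)


if __name__ == "__main__":
    for cid, basis in sorted(run_sample().items()):
        print(cid, basis)
```

In the sample, C1002 is excluded because name, address and e-mail alone do not meet the definition, C3001 is excluded because the investigation ruled misuse out for that group, and the unattributable read of grp-B pulls in every member of that group.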


Financial institutions are encouraged to notify the nationwide consumer reporting agencies before sending notices to a large number of customers when those notices include contact information for the reporting agencies.

Delivery of customer notice. Customer notice should be delivered in any manner designed to ensure that a customer can reasonably be expected to receive it. For example, the institution may choose to contact all affected customers by telephone, by mail, or by electronic mail, in the case of customers for whom it has a valid e-mail address and who have agreed to receive communications electronically.

IDENTITY THEFT RED FLAGS PROGRAM

The federal financial institution regulatory agencies19 and the Federal Trade Commission (FTC) have issued joint regulations and guidelines on the detection, prevention, and mitigation of identity theft in connection with opening of certain accounts or maintaining certain existing accounts in response to the Fair and Accurate Credit Transactions Act of 2003 (The FACT Act).20 The regulations require (debit and credit) card issuers to validate notifications of changes of address under certain circumstances. The joint rules also provide guidelines regarding reasonable policies and procedures that a user of consumer reports must employ when a consumer reporting agency sends the user a notice of address discrepancy. Financial institutions or creditors21 that offer or maintain one or more “covered accounts” must develop and implement a written Identity Theft Prevention Program (Program).22 A Program is to be designed to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account. The Program must be tailored to the entity’s size, complexity, and the nature and scope of its operations and activities.

The Board’s approval of the rule and guidelines was on October 16, 2007. The effective date for the joint final rules and guidelines is January 1, 2008. The mandatory compliance date for the rules is November 1, 2008. See section 222 of the Board’s Regulation V—Fair Credit Reporting (12 CFR 222) and 72 Fed. Reg. 63718–63775, November 9, 2007. This section incorporates certain financial institution safety and soundness provisions of the rule (Regulation V and its guidelines (Appendix J)). See also the October 10, 2008, Federal Reserve Board letter (SR-08-7/CA-08-10) and its interagency attachments.

Risk Assessment

Prior to the development of the Program, a financial institution must initially and then periodically conduct a risk assessment to determine whether it offers or maintains covered accounts. It must take into consideration: (1) the methods it provides to open its accounts, (2) the methods it provides to access accounts, and (3) its previous experiences with identity theft. If the financial institution has covered accounts, it must evaluate its potential vulnerability to identity theft. The institution should also consider whether a reasonably foreseeable risk of identity theft may exist in connection with the accounts it offers or maintains and those that may be opened or accessed remotely, through methods that do not require face-to-face contact, such as through the internet or telephone. Financial institutions that offer or maintain business accounts that have been the target of identity theft should factor those experiences with identity theft into their determination.

If the financial institution determines that it has covered accounts, the risk assessment will enable it to identify which of its accounts the Program must address. If a financial institution initially determines that it does not have covered accounts, it must periodically reassess whether it must develop and implement a Program in light of changes in the accounts that it offers or maintains.

Elements of the Program

The elements of the actual Program will vary depending on the size and complexity of the financial institution. A financial institution that determines that it is required to establish and maintain an Identity Theft Prevention Program must (1) identify relevant Red Flags for its covered accounts, (2) detect and respond to the Red Flags that have been incorporated into its Program, and (3) respond appropriately to the detected Red Flags. The Red Flags are patterns, practices, or specific activities that indicate the possible existence of identity theft or the potential to lead to identity theft. A financial institution must ensure that its Program is updated periodically to address the changing risks associated with its customers and their accounts and to the safety and soundness of the financial institution from identity theft.

Guidelines

Each financial institution that is required to implement a written Program must consider the Guidelines for Identity Theft Detection, Prevention, and Mitigation in Appendix J (12 CFR 222, Appendix J of the rule) (the Guidelines) and include those guidelines that are appropriate in its Program. Section I of the Guidelines, “The Program,” discusses a Program’s design that may include, as appropriate, existing policies, procedures, and arrangements that control foreseeable risks to the institution’s customers or to the safety and soundness of the financial institution from identity theft.

Identification of Red Flags

A financial institution should incorporate relevant Red Flags into the Program from sources such as (1) incidents of identity theft that it has experienced, (2) methods of identity theft that have been identified as reflecting changes in identity theft risks, and (3) applicable supervisory guidance.

Categories of Red Flags

Section II of the Guidelines, “Categories of Red Flags,” provides some guidance in identifying relevant Red Flags. A financial institution should include, as appropriate,23

• alerts, notifications, or other warnings received from consumer reporting agencies or service providers, such as fraud detection services
• the presentation of suspicious documents
• the presentation of suspicious personal identifying information, such as a suspicious address change
• the unusual use of, or other suspicious activity related to, a covered account
• a notice received from customers, victims of identity theft, law enforcement authorities, or other persons regarding possible identity theft in connection with covered accounts held by the financial institution

The above categories do not represent a comprehensive list of all types of Red Flags that may indicate the possibility of identity theft. Institutions must also consider specific business lines and any previous exposures to identity theft. No specific Red Flag is mandatory for all financial institutions. Rather, the Program should follow the risk-based, nonprescriptive approach regarding the identification of Red Flags.

Detect the Program’s Red Flags

In accordance with Section III of the Guidelines, each financial institution’s Program should address the detection of Red Flags in connection with the opening of covered accounts and existing covered accounts. A financial institution is required to detect, prevent, and mitigate identity theft in connection with such accounts. The policies and procedures regarding opening a covered account subject to the Program should explain how an institution could identify information about, and verify the identity of, a person opening an account.24 In the case of existing covered accounts, institutions could authenticate customers, monitor transactions, and verify the validity of change of address requests.

Respond Appropriately to any Detected Red Flags

A financial institution should consider precursors to identity theft to stop identity theft before it occurs. Section IV of the Guidelines, “Prevention and Mitigation,” states that an institution’s procedures should provide for appropriate responses to Red Flags that it has detected that are commensurate with the degree of risk posed. When determining an appropriate response, the institution should consider aggravating factors that may heighten its risk of identity theft. Such factors may include (1) a data security incident that results in unauthorized disclosures of nonpublic personal information (NPPI), (2) records the financial institution holds or that are held by another creditor or third party, or (3) notice that the institution’s customer has provided information related to its covered account to someone fraudulently claiming to represent the financial institution or creditor or to a fraudulent website. Appropriate responses may include the following: (1) monitoring a covered account for evidence of identity theft; (2) contacting the customer; (3) changing any passwords, security codes, or other security devices that permit access to a secured account; (4) reopening a covered account with a new account number; (5) not opening a new covered account; (6) closing an existing covered account; (7) not attempting to collect on a covered account or not selling a covered account to a debt collector; (8) notifying law enforcement; or (9) determining that no response is warranted under the particular circumstances.

Periodically Updating the Program’s Relevant Red Flags

Section V of the Guidelines, “Updating the Program,” states that a financial institution should periodically update its Program (including its relevant Red Flags) to reflect any changes in risks to its customers or to the safety and soundness of the institution from identity theft, based on (but not limited to) factors such as

• the experiences of the financial institution with identity theft;
• changes in methods of identity theft;
• changes in methods to detect, prevent, and mitigate identity theft;
• changes in the types of accounts that the financial institution offers or maintains; and
• changes in the financial institution’s structure, including its mergers, acquisitions, joint ventures, and any business arrangements, such as alliances and service provider arrangements.

Administration of Program

A financial institution that is required to implement a Program must provide for the continued oversight and administration of its Program. The following are the steps that are needed in the administration of a Red Flags Program:

1. Obtain approval from either the institution’s board of directors or any appropriate committee of the board of directors of the initial written Program;
2. Involve either the board of directors, a designated committee of the board of directors, or a designated senior-management-level employee in the oversight, development, implementation, and administration of the Program. This includes
   • assigning specific responsibility for the Program’s implementation,
   • reviewing reports prepared by staff regarding the institution’s compliance (the reports should be prepared at least annually), and
   • reviewing material changes to the Program as necessary to address changing identity theft risks.
3. Train staff. The financial institution must train relevant staff to effectively implement and monitor the Program. Training should be provided as changes are made to the financial institution’s Program based on its periodic risk assessment.
4. Exercise appropriate and effective oversight of service provider arrangements. Section VI of the Guidelines, “Methods for Administering the Program,” indicates a financial institution is ultimately responsible for complying with the rules and guidelines for outsourcing an activity to a third-party service provider. Whenever a financial institution engages a service provider to perform an activity in connection with one or more covered accounts, the institution should ensure that the activity of the service provider is conducted in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate the risk of identity theft. With regard to the institution’s oversight of its Program, periodic reports from service providers are to be issued on the Program’s development, implementation, and administration.

IT EXAMINATION FREQUENCY AND SCOPE

All safety-and-soundness examinations (or examination cycles) of banking organizations conducted by the Federal Reserve should include an assessment and evaluation of IT risks and risk management. The scope of the IT assessment should generally be sufficient to assign a composite rating under the Uniform Rating System for Information Technology (URSIT). URSIT component ratings may be updated at the examiner’s discretion, based on the scope of the assessment. The scope would normally be based on factors such as—

• implementation of new systems or technologies since the last examination;
• significant changes in operations, such as mergers or systems conversions;
• new or modified outsourcing relationships for critical operations;
• targeted examinations of business lines whose internal controls or risk-management systems depend heavily on IT; and
• other potential problems or concerns that may have arisen since the last examination or the need to follow up on previous examination or audit issues.

Institutions that outsource core processing functions, although not traditionally subject to IT examinations, are exposed to IT-related risks. For these institutions, some or all components of the URSIT rating may not be meaningful. In these cases, the assessment of IT activities may be incorporated directly into the safety-and-soundness rating for the institution, rather than through the assignment of a URSIT rating. The scope of the IT assessment for such institutions should evaluate the adequacy of the institution’s oversight of service providers for critical processing activities and should incorporate the results of any relevant supervisory reviews of these service providers. The assessment should also include reviews of any significant in-house activities, such as management information systems and local networks, and the implementation of new technologies, such as Internet banking. As noted above, the assessment of IT should be reflected in the overall safety-and-soundness examination report and in the appropriate components of the safety-and-soundness examination rating assigned to the institution, as well as in the associated risk-profile analysis. (See SR-00-3.)

Targeted IT examinations may be conducted more frequently, if deemed necessary, by the Reserve Bank. A composite URSIT rating should be assigned for targeted reviews when possible. In addition, institutions for which supervisory concerns have been raised (normally those rated URSIT 3, 4, or 5) should be subject to more frequent IT reviews, until such time as the Reserve Bank is satisfied that the deficiencies have been corrected.

RISK ELEMENTS

To provide a common terminology and consistent approach for evaluating the adequacy of an organization’s IT, five IT elements are defined below. These elements may be used to evaluate the IT processes at the functional business level or for the organization as a whole and to determine the impact on the business risks outlined in SR-95-51 and SR-16-11, as well as their impact on the IT rating (URSIT) discussed below. (See SR-98-9.)

1. Management processes. Management processes encompass planning, investment, development, execution, and staffing of IT from a corporate-wide and business-specific perspective. Management processes over IT are effective when they are adequately and appropriately aligned with and support the organization’s mission and business objectives. Management processes include strategic planning; budgeting; management and reporting hierarchy; management succession; and a regular, independent review function. Examiners should determine if the IT strategy for the business activity or organization is consistent with the organization’s mission and business objectives and whether the IT function has effective management processes to execute that strategy.

2. Architecture. Architecture refers to the underlying design of an automated information system and its individual components. The underlying design encompasses both physical and logical architecture, including operating environments, as well as the organization of data. The individual components refer to network communications, hardware, and software, which includes operating systems, communications software, database-management systems, programming languages, and desktop software. Effective architecture meets current and long-term organizational objectives, addresses capacity requirements to ensure that systems allow users to easily enter data at both normal and peak processing times, and provides satisfactory solutions to problems that arise when information is stored and processed in two or more systems that cannot be connected electronically. When assessing the adequacy of IT architecture, examiners should consider the ability of the current infrastructure to meet operating objectives, including the effective integration of systems and sources of data.

3. Integrity. Integrity refers to the reliability, accuracy, and completeness of information delivered to the end-user. Integrity risk could arise from insufficient controls over systems or data, which could adversely affect critical financial and customer information. Examiners should review and consider whether the organization relies on information system audits or independent reviews of applications to ensure the integrity of its systems. Examiners should review the reliability, accuracy, and completeness of information delivered in key business lines.

4. Security. Security risk is the risk of unauthorized disclosure or destruction of critical or sensitive information. To mitigate this risk, physical access and logical controls are generally provided to achieve a level of protection commensurate with the value of the information. Security risk is managed effectively when controls prevent unauthorized access, modification, destruction, or disclosure of sensitive information during creation, transmission, processing, maintenance, or storage. Examiners should ensure that operating procedures and controls are commensurate with the potential for and risks associated with security breaches, which may be either physical or electronic, inadvertent or intentional, internal or external.

5. Availability. Availability refers to the timely delivery of information and processes to end-users in support of business and decision-making processes and customer services. In assessing the management of availability risk, examiners should consider the capability of IT functions to provide information to the end-users from either primary or secondary sources, as well as consider the ability of back-up systems, as presented in contingency plans, to mitigate business disruption. Contingency plans should set out a process for an organization to restore or replace its information-processing resources; reconstruct its information assets; and resume its business activity from disruption caused by human error or intervention, natural disaster, or infrastructure failure (including loss of utilities and communication lines and the operational failure of hardware, software, and network communications).

UNIFORM RATING SYSTEM FOR INFORMATION TECHNOLOGY

The Uniform Rating System for Information Technology (URSIT) is an interagency examination rating system adopted by the Federal Financial Institutions Examination Council (FFIEC) agencies to evaluate the IT activities of financial institutions. The rating system includes component- and composite-rating descriptions and the explicit identification of risks and assessment factors that examiners consider in assigning component ratings. This rating system helps examiners assess risk and compile examination findings. However, the rating system should not drive the scope of an examination. In particular, not all assessment factors or component-rating areas are required to be assessed at each examination. Examiners should use the rating system to help evaluate the entity’s overall risk exposure and risk-management performance and to determine the degree of supervisory attention believed necessary to ensure that weaknesses are addressed and that risk is properly managed. (See SR-99-8.)

The URSIT rating framework is based on a risk evaluation of four general areas: audit, management, development and acquisition, and support and delivery. These components are used to assess the overall IT functions within an organization and arrive at a composite URSIT rating. Examiners evaluate the areas identified within each component to assess the institution’s ability to identify, measure, monitor, and control IT risks.

In adopting the URSIT rating system, the FFIEC recognized that management practices vary considerably among financial institutions depending on their size and sophistication, the nature and complexity of their business activities, and their risk profile. For less complex information systems environments, detailed or highly formalized systems and controls are not required to receive the higher composite and component ratings.

URSIT Composite-Rating Definitions

Financial institutions rated URSIT composite 1 exhibit strong performance in every respect and generally have components rated 1 or 2. Weaknesses in IT functions are minor and are easily corrected during the normal course of business. Risk-management processes provide a comprehensive program to identify and monitor risk relative to the size, complexity, and risk profile of the entity. Strategic plans are well defined and fully integrated throughout the organization. This allows management to quickly adapt to the changing market, business, and technology needs of the entity. Management identifies weaknesses promptly and takes appropriate corrective action to resolve audit and regulatory concerns.

Financial institutions rated URSIT composite 2 exhibit safe and sound performance but may demonstrate modest weaknesses in operating performance, monitoring, management processes, or system development. Generally, senior management corrects weaknesses in the normal course of business. Risk-management processes adequately identify and monitor risk relative to the size, complexity, and risk profile of the entity. Strategic plans are defined but may require clarification, better coordination, or improved communication throughout the organization. As a result, management anticipates, but responds less quickly to, changes in the market, business, and technological needs of the entity. Management normally identifies weaknesses and takes appropriate corrective action. However, greater reliance is placed on audit and regulatory intervention to identify and resolve concerns. While internal control weaknesses may exist, there are no significant supervisory concerns. As a result, supervisory action is informal and limited.

Financial institutions rated URSIT composite 3 exhibit some degree of supervisory concern due to a combination of weaknesses that may range from moderate to severe. If weaknesses persist, further deterioration in the condition and performance of the institution is likely. Risk-management processes may not effectively identify risks and may not be appropriate for the size, complexity, or risk profile of the entity. Strategic plans are vaguely defined and may not provide adequate direction for IT initiatives. As a result, management often has difficulty responding to changes in the business, market, and technological needs of the entity. Self-assessment practices are weak and generally reactive to audit and regulatory exceptions. Repeat concerns may exist, indicating that management may lack the ability or willingness to resolve concerns. While financial or operational failure is unlikely, increased supervision is necessary. Formal or informal supervisory action may be necessary to secure corrective action.

Financial institutions rated URSIT composite 4 operate in an unsafe and unsound environment that may impair the future viability of the entity. Operating weaknesses are indicative of serious managerial deficiencies. Risk-management processes inadequately identify and monitor risk, and practices are not appropriate given the size, complexity, and risk profile of the entity. Strategic plans are poorly defined and not coordinated or communicated throughout the organization. As a result, management and the board are not committed to, or may be incapable of, ensuring that technological needs are met. Management does not perform self-assessments and demonstrates an inability or unwillingness to correct audit and regulatory concerns. Failure of the financial institution may be likely unless IT problems are remedied. Close supervisory attention is necessary and, in most cases, formal enforcement action is warranted.

Financial institutions rated URSIT composite 5 exhibit critically deficient operating performance and are in need of immediate remedial action. Operational problems and serious weaknesses may exist throughout the organization. Risk-management processes are severely deficient and provide management little or no perception of risk relative to the size, complexity, and risk profile of the entity. Strategic plans do not exist or are ineffective, and management and the board provide little or no direction for IT initiatives. As a result, management is unaware of or inattentive to the technological needs of the entity. Management is unwilling or incapable of correcting audit and regulatory concerns. Ongoing supervisory attention is necessary.

URSIT Component Ratings

Audit

Financial institutions and service providers are expected to provide independent assessments of their exposure to risks and of the quality of internal controls associated with the acquisition, implementation, and use of IT. Audit practices should address the IT risk exposures throughout the institution and the exposures of its service provider(s) in the areas of user and data center operations, client/server architecture, local and wide area networks, telecommunications, information security, electronic data interchange, systems development, and contingency planning. This rating should reflect the adequacy of the organization’s overall IT audit program, including the internal and external auditor’s abilities to detect and report significant risks to management and the board of directors on a timely basis. It should also reflect the internal and external auditor’s capability to promote a safe, sound, and effective operation. The performance of an audit is rated based on an assessment of factors such as—

• the level of independence maintained by audit and the quality of the oversight and support provided by the board of directors and management;
• the adequacy of audit’s risk-analysis methodology used to prioritize the allocation of audit resources and to formulate the audit schedule;
• the scope, frequency, accuracy, and timeliness of internal and external audit reports;
• the extent of audit participation in application development, acquisition, and testing, to ensure the effectiveness of internal controls and audit trails;
• the adequacy of the overall audit plan in providing appropriate coverage of IT risks;
• the auditor’s adherence to codes of ethics and professional audit standards;
• the qualifications of the auditor, staff succession, and continued development through training;
• the existence of timely and formal follow-up and reporting on management’s resolution of identified problems or weaknesses; and
• the quality and effectiveness of internal and external audit activity as it relates to IT controls.

A rating of 1 indicates strong audit performance. Audit independently identifies and reports weaknesses and risks to the board of directors or its audit committee in a thorough and timely manner. Outstanding audit issues are monitored until resolved. Risk analysis ensures that audit plans address all significant IT operations, procurement, and development activities with appropriate scope and frequency. Audit work is performed in accordance with professional auditing standards, and report content is timely, constructive, accurate, and complete. Because audit is strong, examiners may place substantial reliance on audit results.

A rating of 2 indicates satisfactory audit performance. Audit independently identifies and reports weaknesses and risks to the board of directors or audit committee, but reports may be less timely. Significant outstanding audit issues are monitored until resolved. Risk analysis ensures that audit plans address all significant IT operations, procurement, and development activities; however, minor concerns may be noted with the scope or frequency. Audit work is performed in accordance with professional auditing standards; however, minor or infrequent problems may arise with the timeliness, completeness, and accuracy of reports. Because audit is satisfactory, examiners may rely on audit results, but because minor concerns exist, examiners may need to expand verification procedures in certain situations.

A rating of 3 indicates less-than-satisfactory audit performance. Audit identifies and reports weaknesses and risks; however, independence may be compromised and reports presented to the board or audit committee may be less than satisfactory in content and timeliness. Outstanding audit issues may not be adequately monitored. Risk analysis is less than satisfactory. As a result, the audit plan may not provide sufficient audit scope or frequency for IT operations, procurement, and development activities. Audit work is generally performed in accordance with professional auditing standards; however, occasional problems may be noted with the timeliness, completeness, or accuracy of reports. Because audit is less than satisfactory, examiners must use caution if they rely on the audit results.

A rating of 4 indicates deficient audit performance. Audit may identify weaknesses and risks, but it may not independently report to the board or audit committee, and report content may be inadequate. Outstanding audit issues may not be adequately monitored and resolved. Risk analysis is deficient. As a result, the audit plan does not provide adequate audit scope or frequency for IT operations, procurement, and development activities.

administration of third-party service providers, organization and human resources, and regulatory and legal compliance. Generally, directors need not be actively involved in day-to-day operations; however, they must provide clear guidance regarding acceptable risk-exposure levels and ensure that appropriate policies, procedures, and practices have been established. Sound management practices are demonstrated through active oversight by the board of directors and management, competent personnel, sound IT plans, adequate policies and standards, an effective control environment, and risk monitoring. The management rating should reflect the board’s and management’s ability as it applies to all aspects of IT operations. The performance of management and the quality of risk management are rated based on an assessment of factors such as—

18. (continued) customers to any materials developed pursuant to section 151(b) of the Fair and Accurate Credit Transactions Act of 2003 (the FACT Act) (educational materials developed by the FTC to teach the public how to prevent identity theft).
19. The Board of Governors of the Federal Reserve System (FRB), the Office of the Comptroller of the Currency (OCC), the Office of Thrift Supervision (OTS), the Federal Deposit Insurance Corporation (FDIC), and the National Credit Union Administration (NCUA).
20. Section 111 of the FACT Act defines “identity theft” as “a fraud committed or attempted using the identifying information of another person.”
21. The term financial institution should be interpreted to mean a “financial institution or creditors” with regard to the Red Flags Program joint regulations and the accompanying interagency guidance.
22. “Covered accounts” are (1) accounts that a financial institution offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions and (2) any other account that the financial institution offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution from identity theft.
23. Examples of Red Flags from each of these categories are appended as supplement A to appendix J.
24. 31 U.S.C. 5318(l) (31 CFR 103.121).
Audit work is often • the level and quality of oversight and support inconsistent with professional auditing stan- of the IT activities by the board of directors dards, and the timeliness, accuracy, and com- and management; pleteness of reports is unacceptable. Because • the ability of management to plan for and audit is deficient, examiners cannot rely on audit initiate new activities or products in response results. to information needs and to address risks A rating of 5 indicates critically deficient that may arise from changing business audit performance. If an audit function exists, it conditions; lacks sufficient independence and, as a result, • the ability of management to provide informa- does not identify and report weaknesses or risks tion reports necessary for informed planning to the board or audit committee. Outstanding and decision making in an effective and effi- audit issues are not tracked and no follow-up is cient manner; performed to monitor their resolution. Risk • the adequacy of, and conformance with, inter- analysis is critically deficient. As a result, the nal policies and controls addressing the IT audit plan is ineffective and provides inappro- operations and risks of significant business priate audit scope and frequency for IT opera- activities; tions, procurement, and development activities. • the effectiveness of risk-monitoring systems; Audit work is not performed in accordance with • the timeliness of corrective action for reported professional auditing standards and major defi- and known problems; ciencies are noted regarding the timeliness, • the level of awareness of and compliance with accuracy, and completeness of audit reports. laws and regulations; Because audit is critically deficient, examiners • the level of planning for management cannot rely on audit results. 
succession; • the ability of management to monitor the services delivered and to measure the organi- Management zation’s progress toward identified goals effectively and efficiently; The management rating reflects the abilities of • the adequacy of contracts and management’s the board and management as they apply to all ability to monitor relationships with third- aspects of IT acquisition, development, and party servicers; operations. Management practices may need to • the adequacy of strategic planning and risk- address some or all of the following IT-related management practices to identify, measure, risks: strategic planning, quality assurance, proj- monitor, and control risks, including manage- ect management, risk assessment, infrastructure ment’s ability to perform self-assessments; and architecture, end-user computing, contract and

May 2005 Commercial Bank Examination Manual Page 14 Information Technology 5300.1

• the ability of management to identify, mea- address existing IT problems and risks success- sure, monitor, and control risks and to address fully. emerging IT needs and solutions. A rating of 3 indicates less-than-satisfactory performance by management and the board. A rating of 1 indicates strong performance by Risk-management practices may be weak and management and the board. Effective risk- offer limited guidance for IT activities. Most IT management practices are in place to guide IT risks are generally identified; however, pro- activities, and risks are consistently and effec- cesses to measure and monitor risk may be tively identified, measured, controlled, and moni- flawed. As a result, management’s ability to tored. Management immediately resolves audit control risk is less than satisfactory. Regulatory and regulatory concerns to ensure sound opera- and audit concerns may be addressed, but time tions. Written technology plans, policies and frames are often excessive and the corrective procedures, and standards are thorough and action taken may be inappropriate. Management properly reflect the complexity of the IT envi- may be unwilling or incapable of addressing ronment. They have been formally adopted, deficiencies. Technology plans, policies and pro- communicated, and enforced throughout the cedures, and standards exist but may be incom- organization. IT systems provide accurate, timely plete. They may not be formally adopted, effec- reports to management. These reports serve as tively communicated, or enforced throughout the basis for major decisions and as an effective the organization. IT systems provide requested performance-monitoring tool. 
Outsourcing reports to management, but periodic problems arrangements are based on comprehensive plan- with accuracy, consistency, and timeliness lessen ning; routine management supervision sustains the reliability and usefulness of reports and may an appropriate level of control over vendor adversely affect decision making and perfor- contracts, performance, and services provided. mance monitoring. Outsourcing arrangements Management and the board have demonstrated may be entered into without thorough planning. the ability to promptly and successfully address Management may provide only cursory super- existing IT problems and potential risks. vision that limits their understanding of vendor A rating of 2 indicates satisfactory perfor- contracts, performance standards, and services mance by management and the board. Adequate provided. Management and the board may not risk-management practices are in place and be capable of addressing existing IT problems guide IT activities. Significant IT risks are and risks, which is evidenced by untimely cor- identified, measured, monitored, and controlled; rective actions for outstanding IT problems. however, risk-management processes may be A rating of 4 indicates deficient performance less structured or inconsistently applied and by management and the board. Risk-management modest weaknesses exist. Management rou- practices are inadequate and do not provide tinely resolves audit and regulatory concerns to sufficient guidance for IT activities. Critical IT ensure effective and sound operations; however, risks are not properly identified, and processes corrective actions may not always be imple- to measure and monitor risks are deficient. As a mented in a timely manner. Technology plans, result, management may not be aware of and is policies and procedures, and standards are unable to control risks. Management may be adequate and formally adopted. 
However, minor unwilling or incapable of addressing audit and weaknesses may exist in management’s ability regulatory deficiencies in an effective and timely to communicate and enforce them throughout manner. Technology plans, policies and proce- the organization. IT systems provide quality dures, and standards are inadequate and have not reports to management which serve as a basis been formally adopted or effectively communi- for major decisions and a tool for performance cated throughout the organization, and manage- planning and monitoring. Isolated or temporary ment does not effectively enforce them. IT problems with timeliness, accuracy, or consis- systems do not routinely provide management tency of reports may exist. Outsourcing arrange- with accurate, consistent, and reliable reports, ments are adequately planned and controlled by thus contributing to ineffective performance management, and they provide for a general monitoring or flawed decision making. Outsourc- understanding of vendor contracts, performance ing arrangements may be entered into without standards, and services provided. Management planning or analysis, and management may and the board have demonstrated the ability to provide little or no supervision of vendor con- tracts, performance standards, or services pro-

Commercial Bank Examination Manual May 2005 Page 15 5300.1 Information Technology vided. Management and the board are unable to and acquisition and related risk-management address existing IT problems and risks, as evi- practice is rated based on an assessment of denced by ineffective actions and long-standing factors such as— IT weaknesses. Strengthening of management and its processes is necessary. • the level and quality of oversight and support A rating of 5 indicates critically deficient of systems-development and acquisition performance by management and the board. activities by senior management and the board Risk-management practices are severely flawed of directors; and provide inadequate guidance for IT activi- • the adequacy of the organizational and man- ties. Critical IT risks are not identified, and agement structures to establish accountability processes to measure and monitor risks do not and responsibility for IT systems and technol- exist or are not effective. Management’s inabil- ogy initiatives; ity to control risk may threaten the continued • the volume, nature, and extent of risk expo- viability of the institution. Management is unable sure to the financial institution in the area of or unwilling to correct audit- and regulatory- systems development and acquisition; identified deficiencies, and immediate action by • the adequacy of the institution’s Systems the board is required to preserve the viability of Development Life Cycle (SDLC) and pro- the institution. If they exist, technology plans, gramming standards; policies and procedures, and standards are criti- • the quality of project-management programs cally deficient. Because of systemic problems, and practices that are followed by developers, IT systems do not produce management reports operators, executive management or owners, that are accurate, timely, or relevant. 
Outsourc- independent vendors or affiliated servicers, ing arrangements may have been entered into and end-users; without management planning or analysis, result- • the independence of the quality-assurance ing in significant losses to the financial institu- function and the adequacy of controls over tion or ineffective vendor services. program changes; • the quality and thoroughness of system documentation; Development and Acquisition • the integrity and security of the network, system, and application software; The rating of development and acquisition • the development of IT solutions that meet the reflects an organization’s ability to identify, needs of end-users; and acquire, install, and maintain appropriate IT • the extent of end-user involvement in the resources. Management practices may need to system-development process. address all or parts of the business process for implementing any kind of change to the hard- A rating of 1 indicates strong systems- ware or software used. These business processes development, acquisition, implementation, and include an institution’s purchase of hardware or change-management performance. Management software, development and programming per- and the board routinely demonstrate success- formed by the institution, purchase of services fully the ability to identify and implement from independent vendors or affiliated data cen- appropriate IT solutions while effectively man- ters, or a combination of these activities. The aging risk. Project-management techniques and business process is defined as all phases taken to the SDLC are fully effective and supported by implement a change, including researching written policies, procedures, and project con- alternatives available, choosing an appropriate trols that consistently result in timely and effi- option for the organization as a whole, and cient project completion. 
An independent quality- converting to the new system or integrating the assurance function provides strong controls over new system with existing systems. This rating testing and program-change management. Tech- reflects the adequacy of the institution’s systems- nology solutions consistently meet end-user development methodology and related risk- needs. No significant weaknesses or problems management practices for acquisition and exist. deployment of IT. This rating also reflects the A rating of 2 indicates satisfactory systems- board and management’s ability to enhance and development, acquisition, implementation, and replace IT prudently in a controlled environ- change-management performance. Management ment. The performance of systems development and the board frequently demonstrate the ability

May 2005 Commercial Bank Examination Manual Page 16 Information Technology 5300.1 to identify and implement appropriate IT solu- ate IT solutions. If they exist, project- tions while managing risk. Project management management techniques and the SDLC are and the SDLC are generally effective; however, critically deficient and provide little or no direc- weaknesses may exist that result in minor proj- tion for development of systems or technology ect delays or cost overruns. An independent projects. The quality-assurance function is quality-assurance function provides adequate su- severely deficient or not present, and unidenti- pervision of testing and program-change man- fied problems in testing and program-change agement, but minor weaknesses may exist. Tech- management have caused significant IT risks. nology solutions meet end-user needs. However, Technology solutions do not meet the needs of minor enhancements may be necessary to meet the organization. Serious problems and signifi- original user expectations. Weaknesses may ex- cant risks exist, which raise concern for the ist; however, they are not significant and are financial institution’s ongoing viability. easily corrected in the normal course of busi- ness. A rating of 3 indicates less-than-satisfactory Support and Delivery systems-development, acquisition, implementa- tion, and change-management performance. The rating of support and delivery reflects an Management and the board may often be unsuc- organization’s ability to provide technology ser- cessful in identifying and implementing appro- vices in a secure environment. It reflects not priate IT solutions; therefore, unwarranted risk only the condition of IT operations but also exposure may exist. Project-management tech- factors such as reliability, security, and integrity, niques and the SDLC are weak and may result in which may affect the quality of the information- frequent project delays, backlogs, or significant delivery system. 
The factors include user sup- cost overruns. The quality-assurance function port and training, as well as the ability to may not be independent of the programming manage problems and incidents, operations, sys- function, which may have an adverse impact on tem performance, capacity planning, and facility the integrity of testing and program-change and data management. Risk-management prac- management. Technology solutions generally tices should promote effective, safe, and sound meet end-user needs but often require an inor- IT operations that ensure the continuity of dinate level of change after implementation. operations and the reliability and availability of Because of weaknesses, significant problems data. The scope of this component rating includes may arise that could result in disruption to operational risks throughout the organization. operations or significant losses. The rating of IT support and delivery is based on A rating of 4 indicates deficient systems- a review and assessment of requirements such development, acquisition, implementation, and as— change-management performance. Management and the board may be unable to identify and • the ability to provide a level of service that implement appropriate IT solutions and do not meets the requirements of the business; effectively manage risk. Project-management • the adequacy of security policies, procedures, techniques and the SDLC are ineffective and and practices in all units and at all levels of the may result in severe project delays and cost financial institution; overruns. The quality-assurance function is not • the adequacy of data controls over prepara- fully effective and may not provide independent tion, input, processing, and output; or comprehensive review of testing controls or • the adequacy of corporate contingency plan- program-change management. 
Technology solu- ning and business resumption for data centers, tions may not meet the critical needs of the networks, and business units; organization. Problems and significant risks exist that require immediate action by the board and • the quality of processes or programs that management to preserve the soundness of the monitor capacity and performance; institution. • the adequacy of controls and the ability to A rating of 5 indicates critically deficient monitor controls at service providers; systems-development, acquisition, implementa- • the quality of assistance provided to users, tion, and change-management performance. including the ability to handle problems; Management and the board appear to be inca- • the adequacy of operating policies, proce- pable of identifying and implementing appropri- dures, and manuals;

Commercial Bank Examination Manual May 2005 Page 17 5300.1 Information Technology

• the quality of physical and electronic security, periodically do not adhere to service-level agree- including the privacy of data; and ments or meet business requirements. A corpo- • the adequacy of firewall architectures and the rate contingency and business-resumption plan security of connections with public networks. is in place but may not be considered com- prehensive. The plan is periodically tested; A rating of 1 indicates strong IT support and however, the recovery of critical systems and delivery performance. The organization pro- applications is frequently unsuccessful. A data- vides technology services that are reliable and security policy exists; however, it may not be consistent. Service levels adhere to well-defined strictly enforced or communicated throughout service-level agreements and routinely meet or the organization. The logical and physical secu- exceed business requirements. A comprehensive rity for critical IT platforms is less than satis- corporate contingency and business-resumption factory. Systems are monitored; however, secu- plan is in place. Annual contingency-plan test- rity incidents and weaknesses may not be ing and updating is performed, and critical resolved in a timely manner. Relationships with systems and applications are recovered within third-party service providers may not be acceptable time frames. A formal written data- adequately monitored. IT operations are not security policy and awareness program is com- acceptable, and unwarranted risk exposures municated and enforced throughout the organi- exist. If not corrected, weaknesses could cause zation. The logical and physical security for all performance degradation or disruption to IT platforms is closely monitored, and security operations. incidents and weaknesses are identified and A rating of 4 indicates deficient IT support quickly corrected. Relationships with third- and delivery performance. The organization pro- party service providers are closely monitored. 
IT vides technology services that are unreliable and operations are highly reliable, and risk exposure inconsistent. Service-level agreements are poorly is successfully identified and controlled. defined and service performance usually fails to A rating of 2 indicates satisfactory IT support meet business requirements. A corporate contin- and delivery performance. The organization pro- gency and business-resumption plan may exist, vides technology services that are generally but its content is critically deficient. If contin- reliable and consistent; however, minor discrep- gency testing is performed, management is typi- ancies in service levels may occur. Service cally unable to recover critical systems and performance adheres to service agreements and applications. A data-security policy may not meets business requirements. A corporate con- exist. As a result, serious supervisory concerns tingency and business-resumption plan is in over security and the integrity of data exist. The place, but minor enhancements may be neces- logical and physical security for critical IT sary. Annual plan testing and updating is per- platforms is deficient. Systems may be moni- formed, and minor problems may occur when tored, but security incidents and weaknesses are recovering systems or applications. A written not successfully identified or resolved. Relation- data-security policy is in place but may require ships with third-party service providers are not improvement to ensure its adequacy. The policy monitored. IT operations are not reliable and is generally enforced and communicated through- significant risk exposure exists. Degradation in out the organization, for example, through a performance is evident and frequent disruption security-awareness program. The logical and in operations has occurred. physical security for critical IT platforms is A rating of 5 indicates critically deficient IT satisfactory. Systems are monitored, and secu- support and delivery performance. 
The organi- rity incidents and weaknesses are identified and zation provides technology services that are not resolved within reasonable time frames. Rela- reliable or consistent. Service-level agreements tionships with third-party service providers are do not exist, and service performance does not monitored. Critical IT operations are reliable meet business requirements. A corporate contin- and risk exposure is reasonably identified and gency and business-resumption plan does not controlled. exist. Contingency testing is not performed, and A rating of 3 indicates that the performance management has not demonstrated the ability to of IT support and delivery is less than satisfac- recover critical systems and applications. A tory and needs improvement. The organization data-security policy does not exist, and a serious provides technology services that may not be threat to the organization’s security and data reliable or consistent. As a result, service levels integrity exists. The logical and physical secu-

May 2005 Commercial Bank Examination Manual Page 18 Information Technology 5300.1 rity for critical IT platforms is inadequate, and transactions, the integrity or security of cus- management does not monitor systems for tomer account information, or the integrity of security incidents and weaknesses. Relation- risk-management information systems. Under ships with third-party service providers are not outsourcing arrangements, however, the risk- monitored, and the viability of a service pro- management measures commonly used to address vider may be in jeopardy. IT operations are these risks, such as internal controls and proce- severely deficient, and the seriousness of weak- dures, are generally under the direct operational nesses could cause failure of the financial insti- control of the service provider. Nevertheless, the tution if not addressed. serviced institution would bear the associated risk of financial loss, reputational damage, or other adverse consequences. OUTSOURCING INFORMATION Some outsourcing arrangements also involve direct financial risks to the serviced institution. TECHNOLOGY For example, in some transaction-processing activities, a service provider has the ability to Banking organizations are increasingly relying process transactions that result in extensions of on services provided by other entities to support credit on behalf of the serviced institution.25 A a range of banking operations. Outsourcing of service provider may also collect or disburse information- and transaction-processing activi- funds, exposing the institution to liquidity and ties, either to affiliated institutions or third-party credit risks if the service provider fails to service providers, may help banking organiza- perform as expected. tions manage data processing and related per- sonnel costs, improve services, and obtain expertise not available internally. 
At the same time, the reduced operational control over out- Risk Management sourced activities may expose an institution to additional risks. The federal banking agencies The Federal Reserve expects institutions to have established procedures to examine and ensure that controls over outsourced information- evaluate the adequacy of institutions’ controls and transaction-processing activities are equiva- over service providers, which can be found in lent to those that would be implemented if the the FFIEC’s IT Handbook and related guidance. activity were conducted internally. The institu- Additional information on specific areas is pro- tion’s board of directors and senior management vided later in this section. should understand the key risks associated with In the development of the examination scope the use of service providers for its critical and risk profile, examiners should determine operations, commensurate with the scope and which information- and transaction-processing risks of the outsourced activity and its impor- activities critical to the institution’s core opera- tance to the institution’s business. They should tions are outsourced. During the on-site exami- ensure that an appropriate oversight program is nation, the adequacy of the institution’s risk in place to monitor each service provider’s management for these critical service providers controls, condition, and performance. The fol- should be assessed and evaluated. The overall lowing eight areas should be included in this assessment should be reflected in the relevant process: components of the URSIT examination rating or the Uniform Financial Institution Rating Sys- 1. Risk assessment. Before entering into an tem, if an information-systems rating is not outsourcing arrangement, the institution assigned. should assess the key risks that may arise and options for controlling these risks. 
Factors influencing the risk assessment could include how critical the outsourced function is to the Outsourcing Risks institution; the nature of activities to be performed by the service provider, including The outsourcing of information and transaction processing involves operational risks that are similar to those that arise when the functions are 25 For example, an institution may authorize a service provider to originate payments, such as ACH credit transfers, performed internally, such as threats to the on behalf of customers. The institution is required by law or availability of systems used to support customer contract to honor these types of transactions.

Commercial Bank Examination Manual May 2005 Page 19 5300.1 Information Technology

handling funds or implementing credit decisions; the availability of alternative service providers for the particular function; insurance coverage available for particular risks; and the cost and time required to switch service providers if problems arise.

2. Selection of service provider. In selecting a service provider for critical information- or transaction-processing functions, an institution should perform sufficient due diligence to satisfy itself of the service provider’s competence and stability, both financially and operationally, to provide the expected services and meet any related commitments.26

3. Contracts. The written contract between the institution and the service provider should clearly specify, at a level of detail commensurate with the scope and risks of the outsourced activity, all relevant terms, conditions, responsibilities, and liabilities of both parties. These would normally include terms such as—
• required service levels, performance standards, and penalties;
• internal controls, insurance, disaster-recovery capabilities, and other risk-management measures maintained by the service provider;
• data and system ownership and access;
• liability for delayed or erroneous transactions and other potential risks;
• provisions for the institution to require and have access to internal or external audits or other reviews of the service provider’s operations and financial condition;
• compliance with any applicable regulatory requirements and access to information and operations by the institution’s supervisory authorities; and
• provisions for handling disputes, contract changes, and contract termination.
Terms and conditions should be assessed by the institution to ensure that they are appropriate for the particular service being provided and result in an acceptable level of risk to the institution.27 Contracts for outsourcing of critical functions should be reviewed by the institution’s legal counsel.

4. Policies, procedures, and control. The service provider should implement internal control policies and procedures, data-security and contingency capabilities, and other operational controls analogous to those that the institution would use if it performed the activity internally. Appropriate controls should be placed on transactions processed or funds handled by the service provider on behalf of the institution. The service provider’s policies and procedures should be reviewed by client institutions.

5. Ongoing monitoring. The institution should review the operational and financial performance of critical service providers on an ongoing basis to ensure that the service provider is meeting and can continue to meet the terms of the arrangement. The institution’s staff should have sufficient training and expertise to review the service provider’s performance and risk controls.

6. Information access. The institution must ensure that it has complete and immediate access to information that is critical to its operations and that is maintained or processed by a service provider. Records maintained at the institution must be adequate to enable examiners to review its operations fully and effectively, even if a function is outsourced.

7. Audit. The institution’s audit function should review the oversight of critical service providers. Audits of the outsourced function should be conducted according to a scope and frequency appropriate for the particular function. Serviced institutions should conduct audits of the service provider or regularly review the service provider’s internal or external audit scope and findings. Service providers should have an effective internal audit function or should commission comprehensive, regular audits from a third-party organization. The reports of external auditors are commonly based on the AICPA’s Statement of Auditing Standards [SAS] No. 70, “Reports on the Processing of Transactions by Service Organizations,” as amended by SAS No. 78, “Consideration of Internal Control in a Financial Statement Audit: An Amendment to Statement on Auditing Standards No. 55.” These statements contain the external-auditor reporting tools commonly used for service providers. SAS 70 reports, however, should not be relied on to the same extent as an audit. There are two types of SAS 70 reports:
• A report on controls placed in operation is an auditor’s report on a service organization’s description of the controls that may be relevant to a user organization’s internal control as it relates to an audit of financial statements. It also reports on whether such controls were suitably designed to achieve specified control objectives. Lastly, it reports on whether the controls had been placed in operation as of a specific date.
• A report on controls placed in operation and tests of operating performance is an auditor’s report on a service organization’s controls as described above, but the report also includes information on whether the controls that were tested were operating with sufficient effectiveness to provide reasonable, but not absolute, assurance that the related control objectives were achieved during the period specified.
Audit results, audit reports, and management responses must be available to examiners upon request.

8. Contingency plans. The serviced institution should ensure adequate business-resumption planning and testing by the service provider. When appropriate based on the scope and risks of the outsourced function and the condition and performance of the service provider, the serviced institution’s contingency plan may also include plans for the continuance of processing activities, either in-house or with another provider, in the event that the service provider is no longer able to provide the contracted services or the arrangement is otherwise terminated unexpectedly.

26. When the service provider is affiliated with the institution, sections 23A and 23B of the Federal Reserve Act may apply. In particular, section 23B provides that the terms of transactions between a bank and its nonbank affiliate must be comparable to the terms of similar transactions between nonaffiliated parties.
27. Additional information regarding common contract provisions can be found later in this section and in the FFIEC’s IT Handbook. In addition, FFIEC Supervisory Policy SP-5 requires each serviced institution to evaluate the adequacy of its service provider’s contingency plans.

May 2005 Commercial Bank Examination Manual Page 20 Information Technology 5300.1

International Considerations

In general, the arrangements for outsourcing critical information- or transaction-processing functions to service providers outside the United States should be conducted according to the risk-management guidelines described above. In addition, the Federal Reserve expects that these arrangements will not diminish the ability of U.S. supervisors to effectively review the domestic or foreign operations of U.S. banking organizations and the U.S. operations of foreign banking organizations. In particular, examiners should evaluate the adequacy of outsourcing arrangements in the following six areas:

1. Oversight and compliance. The institution is expected to demonstrate adequate oversight of a foreign service provider, such as through comprehensive audits conducted by the service provider’s internal or external auditors, the institution’s own auditors, or foreign bank supervisory authorities. The arrangement must not hinder the ability of the institution to comply with all applicable U.S. laws and regulations, including, for example, requirements for accessibility and retention of records under the Bank Secrecy Act. (See FinCEN’s rule at 31 CFR 1020.320. See also section 208.62 of the Board’s Regulation H (12 CFR 208.62) for suspicious-activity reporting and section 208.63 (12 CFR 208.63) for the Bank Secrecy Act compliance program.)

2. Information access. The outsourcing arrangement should not hinder the ability of U.S. supervisors to reconstruct the U.S. activities of the organization in a timely manner, if necessary. Outsourcing to jurisdictions where full and complete access to information may be impeded by legal or administrative restrictions on information flows will not be acceptable unless copies of records pertaining to U.S. operations are also maintained at the institution’s U.S. office.

3. Audit. Copies of the most recent audits of the outsourcing arrangement must be maintained in English at the institution’s U.S. office and must be made available to examiners upon request.

4. Contingency plan. The institution’s contingency plan must include provisions to ensure timely access to critical information and service resumption in the event of unexpected national or geographic restrictions or disruptions affecting a foreign service provider’s ability to provide services. Depending on the scope and risks of the outsourced function, this may necessitate backup arrangements with other U.S. or foreign service providers in other geographic areas.

5. Foreign banking organizations. With the exception of a U.S. branch or agency of a foreign bank that relies on the parent organization for information- or transaction-processing services, foreign banking organizations should maintain at the U.S. office documentation of the home office’s approval of outsourcing arrangements supporting its U.S. operations, whether to a U.S. or foreign service provider. The organization’s U.S. office should also maintain documentation demonstrating appropriate oversight of the service provider’s activities, such as written contracts, audit reports, and other monitoring tools. When appropriate, the Federal Reserve will coordinate with a foreign banking organization’s home-country supervisor to ensure that it does not object to the outsourcing arrangement.

6. Foreign branches or subsidiaries of U.S. banks and Edge corporations. Documentation relating to outsourcing arrangements of the foreign operations of U.S. banking organizations with foreign service providers should be made available to examiners upon request.

INFORMATION-PROCESSING ENVIRONMENT

Many factors influence an institution’s decision about whether to use internal or external data processing services, including the initial investment, operating costs, and operational flexibility. Historically, small financial institutions, which usually lack the funds or transaction volume to justify an in-house information system, were the chief users of external data processing companies. However, as advances in technology have decreased the cost of data processing, small institutions have become much more willing to invest in an in-house information system. At the same time, some financial institutions with internal information systems have discovered that they can save money by using external data processing companies for certain banking applications. Other financial institutions have engaged national companies or facilities-management organizations to assume their processing operations, while certain holding companies have organized their data processing departments as subsidiaries to centralize operations for their affiliate institutions.

The decision to establish an internal data processing center is a major one. Any bank’s board of directors and management considering such a decision should thoroughly review and consider alternatives before proceeding. While a bank may gain a number of competitive advantages from an in-house facility, there are also many risks associated with this decision. Technological advances have reduced the price of small computer networks and made them more affordable, but banks should not use this as the sole justification for an internal data processing center.

A comprehensive feasibility study should precede any decision to develop an in-house system. This study should describe the costs, benefits, and risks and also give management the opportunity to compare current and future needs with existing abilities. The FFIEC’s IT Handbook contains a complete discussion of feasibility studies.

The management of a financial institution must carefully identify the organization’s needs for data processing. After these needs are properly identified (including the customers’ needs for these services), management must carefully evaluate how the institution can best meet them. The costs and complexity of changing data processing arrangements can be substantial, so management must ensure that all related costs and benefits are identified and considered before deciding on a service. The following are the major external providers of data processing and IT services for financial institutions.

Correspondent Banks

Small financial institutions sometimes receive their IT services from a major correspondent bank. These services may be just one of a host of services available from the correspondent. Historically, the correspondent bank has been the least expensive servicer for many institutions. Correspondent banks may offset some of their own IT costs by using their excess processing capacity to provide services to correspondents.

Affiliated Financial Institutions and Banking Organizations

IT departments in holding companies or subsidiaries are one common form of an affiliated servicer. An affiliated data center may offer cost savings to other affiliates, since all parties are generally using the same software system. The serviced institutions can eliminate the duplication of tasks, and the affiliated data center and the overall organization can realize cost savings through economies of scale. Thus, charges for IT services to affiliates are generally very competitive.

Regulatory guidelines strictly govern IT-servicing arrangements between affiliated institutions. Sections 23A and 23B of the Federal Reserve Act (12 U.S.C. 371c and 371c-1) address the question of allowable transactions between affiliates. This statute also states that the terms of transactions between affiliated parties must be comparable to the terms of similar transactions between nonaffiliated parties. An affiliated data center is allowed to set fees to recover its costs or to recover its costs plus a reasonable profit, or to set charges for data processing services that are comparable to those of a nonaffiliated servicer. Other restrictions may also apply.

Independent Service Bureaus

Independent service bureaus are present in most areas, but mergers and acquisitions have caused the number of bureaus to decline. When management investigates a service bureau’s operations, it should determine if the servicer is familiar with the IT needs of financial institutions. Determining the percentage of the service bureau’s business that comes from financial institutions will help the institution select a vendor that specializes in this type of processing. Independent service bureaus are normally responsive to user requests for specialized programs, since developing these programs for clients is generally a significant source of revenue. Tailoring a software program to a particular institution’s needs becomes less attractive to the independent service bureau if the institution accounts for only a small portion of the bureau’s workload or if the bureau offers a standardized software package as its primary product. However, some standardized software systems allow a modest amount of processing and report adjustments without requiring servicer modifications. Also, report-generator software, which provides clients with customized reports they can prepare without any help from the service bureau, is sometimes available from service bureaus.

Cooperative Service Corporations

A cooperative service corporation is a data processing facility formed by a group of financial institutions that agrees to share the operating costs. Under the right circumstances, this arrangement works well. For this strategy to succeed, however, all members of the group must be the same approximate size and have similar IT requirements. Typically, each institution owns a share of the facility or bears a share of the costs on a pro rata basis through investment in a bank service corporation. There must be a strong working relationship among the institutions. Although the institutions are not directly involved in the data processing center’s daily operations, they are ultimately responsible for the center’s success or failure.

One advantage of a cooperative service corporation is that individual institutions have increased control over the design of the data processing operation. Therefore, institutions can tailor computerized applications to meet their own needs. Resource pooling often provides for economies of scale as well, and cooperative ventures normally attract more highly skilled and more experienced employees.

Facilities-Management Providers

Medium- and large-sized financial institutions that already have an in-house data processing facility are the most likely users of facilities-management (FM) contracts. Small institutions typically do not have the work volume that is a prerequisite to hiring an FM company. Service contracts with FM companies are usually for a minimum term of five years, during which time the FM company assumes full responsibility for the institution’s data processing operations. The institution pays the FM company a monthly fee to reimburse it for the costs of providing IT services plus a profit. The FM company usually carries out its tasks in the institution’s former data processing center.

Financial institutions have various reasons for using FM companies, such as controlling or reducing the growth of data processing costs, ensuring better management of data center personnel, or using more modern software systems. Management of financially strained institutions may enter into FM arrangements to augment their capital position by selling their equipment or facilities to the FM company.

Although an institution’s contract with an FM company may provide a quick and easy solution to data processing problems with minimal involvement of senior officials, management should be aware of potential problems. FM contracts can have clauses that require the institution to pay more for services as work volume grows and can also contain provisions for periodic increases. The contract may include a substantial penalty for cancellation. Another risk is that the FM company may make personnel changes that are not advantageous to the institution, such as reassigning its best workers elsewhere or reducing the size of the data processing staff. Bank management should make sure that FM service contracts contain specific quality-measurement clauses and should monitor the quality of data processing services provided.

Other Purchased Services

Computer Time

A financial institution that designed its own data processing system and that maintains its own files only needs to rent computer time from an external servicer. This arrangement usually occurs when the financial institution’s equipment or schedule makes it unable to handle some unusual processing task.

Time-Shared Computer Services

Most external providers of time-sharing services have a library of standardized programs available to any user. A user also may generate programs and store them in a reserved library. Financial institutions frequently use time-sharing services for financial analysis rather than recordkeeping. Applications with low input and output requirements and repetitive calculations, such as those required for a securities portfolio, lend themselves to a time-sharing arrangement. The external servicer in this arrangement normally does not maintain the client institution’s data files. Financial institutions that store master files on the external servicer’s equipment should maintain adequate documentation to facilitate the examination process. Under this arrangement, management should be concerned about controlling logical and physical access to the terminal and about the availability of audit trails that indicate who has made changes to master files. Management should establish and monitor controls over passwords, terminals, and access to master files. For a complete discussion of controls over passwords and terminals, see the FFIEC’s IT Handbook.

Satellite Processing

Satellite (remote) processing has become popular with some financial institutions that are located far away from an external servicer and that must process a large volume of transactions. A distinguishing characteristic of satellite processing is that the institution and the data center each perform a portion of the processing. Although the institution collects the data and sometimes prepares reports, the servicer makes the necessary master-file updates. To capture data and print reports, the serviced institution must acquire a terminal-entry device, a printer, an MICR reader/sorter, and a tape or disk unit. Since the system is usually online, the serviced institution must install modems and communications lines linking it to the servicer. The level of skill necessary to perform remote job entry in a satellite system is less sophisticated than the level needed to operate an in-house system. Most of the traditional control functions remain at the institution. The FFIEC’s IT Handbook contains further information on satellite processing, remote job entry, and distributive processing systems.

Standard Program Packages

Most bank data centers and service bureaus specialize in processing one or more standard software packages. By using the same software for several users, external servicers achieve certain operating economies, which allow them to recover initial development costs more quickly. Most standard software packages are parameter driven, providing the user with some degree of flexibility. For example, in demand deposit and savings applications, standard program modules or common subroutines often allow the user to designate the format and frequency of reports. In addition, the user may select the parameters necessary to generate certain reports, such as the number of inactive days before an account becomes dormant or the minimum dollar amount for checks listed on the large-item report. The user can also be involved in selecting the criteria for interest rates, balance requirements, and other operating values, allowing for a tailored application within a standardized software system.

Tailored Applications

If standard program packages do not meet a financial institution’s needs, an external servicer can be hired to design tailored applications to process the institution’s data. The institution must clearly describe the proposed system and its operations to the servicer. Internal or external auditor participation in reviewing controls is also advisable. The initial cost of this approach is high, as are the costs of maintaining and updating the tailored applications.

OPERATIONAL AND TECHNOLOGICAL USER CONTROLS

Using computerized programs and networks, banks maintain a large number of accounts and record a high volume of transactions every day. Text-processing systems store vast amounts of correspondence. Transmission of data and funds regularly occurs over public communications links, such as telephone lines and satellite networks. The use of new technologies to transfer funds and records, while improving customer service and the institution’s internal operations, has increased the potential for errors and abuse, which can result in loss of funds, lawsuits arising from damaged reputations, improper disclosure of information, and regulatory sanctions. Controls must be implemented to minimize the vulnerability of all information and to keep funds secure. Bank management must assess the level of control necessary in view of the degree of exposure and the impact of unexpected losses on the institution. Certain practices can strengthen information and financial security. The most basic practices are the implementation of sound policies, practices, and procedures for physical security, separation of duties, internal quality control, hardware and software access controls, and audits. Bank management should institute information security controls that are designed to—
• ensure the integrity and accuracy of management information systems;
• prevent unauthorized alteration during data creation, transfer, and storage;
• maintain confidentiality;
• restrict physical access;
• authenticate user access;
• verify the accuracy of processing during input and output;
• maintain backup and recovery capability; and
• provide environmental protection against damage or destruction of information.

Although security features vary, they are usually available for all computer systems. The controls adopted should apply to information produced and stored by both automated and manual methods.

Written policies are generally recommended and, in most cases, institutions have chosen to establish and communicate security principles in writing. However, if an institution follows sound fundamental principles to control the risks discussed here, a written policy is not necessarily required. If sound principles are not effectively practiced, management may be required to establish written policies to formally communicate risk parameters and controls. Federal Reserve System policy does, however, require written contingency and disaster-recovery plans.

Examiners should regularly conduct reviews of information security. These reviews may include an assessment of—
• the adequacy of security practices,
• compliance with security standards, and
• management supervision of information security activities.

When conducting reviews of controls over information security, examiners must understand the difference between master files and transaction files. A master file is a main reference file of information used in a computer system, such as all mortgage loans. It provides information to be used by the program and can be updated and maintained to reflect the results of the processed operation. A transaction file or detail file contains specific transaction information, such as payments.


Manual Controls

The following discussion covers basic operational controls in a financial institution receiving external IT services. Similar controls should also be applied to information processed by an IT department within a user’s own institution.

Separation of Duties

A basic form of operational control is separation of duties. With this control in place, no one person should be able to both authorize and execute a transaction, thereby minimizing the risk of undetected improper activities. Data center personnel should not initiate transactions or correct data except when it is necessary to complete processing in a reasonable time period. If this unusual situation arises, proper authorization should be obtained from data center and bank management. Both the servicer and the serviced institution should maintain documentation of these approvals, including details of the circumstances requiring the action. The same person normally should not perform input and output duties. However, in some instances, staff limitations may make one person responsible for several activities, such as—
• preparing batches and blocks or other input for entry to the system or shipment to the servicer;
• operating data entry equipment, including check reader/sorter machines, proof machines, or data-conversion devices;
• preparing rejects and nonreaders for reentry into the system;
• reconciling output to input or balancing the system;
• distributing output to ultimate users; and
• posting the general ledger and balancing computer output to the general ledger.

Rotation of assignments and periodic scheduled absences may improve internal controls by preventing one person from controlling any one job for an extended time period (and by providing cross-training and backup for all personnel). When vacations are scheduled, management may require staff to take uninterrupted vacations that are long enough to allow pending transactions to clear. These practices are most effective if vacations or other types of absences extend over the end of an accounting period or are for two consecutive weeks. Written policies and procedures may require job rotation.

Application manuals usually consist of a user’s guide provided by the servicer that is supplemented by procedures written by the user. Manuals normally cover the preparation and control of source documents, certain control practices for moving documents or electronic images to and from the user and servicer, the daily reconcilement of totals to the general ledger, and master-file changes.

Management should implement dual control over automated systems. Personnel should place supervisory holds on customer accounts requiring special attention. For example, dormant accounts, collateral accounts, and accounts with large uncollected funds balances generally have holds that can be removed only by authorizations from two bank officials. In addition, certain types of transactions (for example, master-file changes) should require authorization from two bank officials by means of special codes or terminal keys. When employees add or remove a hold on an account or when the system completes a transaction requiring supervisory approval, the computer should generate an exception report. Assigned personnel not involved in the transaction should promptly review these reports for unusual or unauthorized activity.

Internal Quality Controls

Generally, there are three basic types of information systems, with many combinations and variations:
• Inquiry-only system. This system allows the user to search and review machine-readable records but not to alter them. Controls and security concerns related to this system are few; the major concern is unauthorized access to confidential information.
• Memo-post system. More sophisticated than the inquiry-only system, the memo-post system allows the user to create interim records. The servicer performs permanent posting routines using batch-processing systems. Controls for a memo-post system include limiting physical and logical access to the system and restricting certain transactions to supervisory personnel only. Appropriate levels of management should review memo-post reports daily.


• Online-post system. This system, sometimes called a real-time system, requires the strictest controls. Online-post systems are vulnerable because all accepted transactions are transferred to machine-readable records. In addition to access controls, system reports should record all activity and exceptions. Appropriate levels of management should review these reports daily.

Internal controls fall into three general categories:
• Administrative controls. Administrative controls usually consist of management review of daily operations and output reports. Each application includes basic controls and exception reports that are common to all operations. To be effective, operations personnel must properly use exception reports and controls. This is especially true for controlling dormant accounts, check kiting, draws against uncollected funds, overdrafts, and the posting of computer-generated income and expense entries.
• Dollar controls. Dollar controls ensure processing for all authorized transactions. Operations personnel should establish work and control totals before forwarding data records to the data processor. Those same employees should not complete balancing procedures by reconciling trial balances to input, control sheets, and the general ledger. Report distribution should follow a formal procedure. Personnel should account for all rejects corrected and resubmitted.
• Nondollar controls. Nondollar controls are used when dollar values are not present in the data, as in name and address changes. Controls should be established before forwarding work for processing. Management should also implement procedures designed to ensure that its servicer processes all nondollar transactions. For example, personnel should check new-account reports against new-account input forms or written customer-account applications to make sure that data are properly entered. To protect data integrity, management should develop procedures to control master-file and program changes. These procedures should also verify that the servicer is making only authorized changes and ensure that data processing employees do not initiate master-file changes.

Technological Controls

Encryption

Encryption is a process by which mathematical algorithms are used to convert plain text into encrypted strings of meaningless symbols and characters. This helps prevent unauthorized viewing and altering of electronic data during transmission or storage. The industry commonly uses the Data Encryption Standard (DES) for encoding personal identification numbers (PINs) on access cards, storing user passwords, and transferring funds on large-dollar payment networks.

Message-Authentication Code

A message-authentication code (MAC) is a code designed to protect against unauthorized alteration of electronic data during transmission or storage. This code is used with data encryption to further secure the transmission of large-dollar payments.

User Passwords

User passwords consist of a unique string of characters that a programmer, computer operator, or user must supply before gaining access to the system or data. These are individual access codes that should be specific to the user and known only to the user. Other security features of passwords should, at a minimum, require the users to change them periodically and store them in encrypted files. In addition, the passwords should be composed of a sufficient number of alphanumeric characters to make them difficult to guess. User passwords should not be displayed during the access process and should not be printed on reports.

Security Software

Security software is software designed to restrict access to computer-based data, files, programs, utilities, and system commands. Some systems can control access by user, transaction, and terminal. The software can generate reports that log actual and attempted security violations as well as access to the system.
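As an added example (not from the manual), the check a receiving servicer would apply to an incoming large-dollar payment record: the MAC covers every field worth altering, and a record altered in transit or re-presented under a new sequence number fails verification. HMAC-SHA256 from the Python standard library stands in as the MAC algorithm, and the key, field names and sample payments are constructed; the encryption layer the text pairs with the MAC is not shown.

```python
"""MAC over a large-dollar payment record: sender attaches, receiver verifies.

Added example, not from the manual.  HMAC-SHA256 (Python standard library)
stands in for the MAC algorithm; key, field names and payments are constructed.
The encryption layer that the text pairs with the MAC is out of scope here.
"""
import hashlib
import hmac
import json

# Constructed shared secret known only to the sending bank and the servicer.
# In production it lives in a key store or HSM, never in source code.
SHARED_MAC_KEY = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")

# Every field an alteration could profit from must be under the MAC, plus a
# sequence number so a captured record cannot be re-presented as a new payment.
PROTECTED_FIELDS = ("seq", "debit_acct", "credit_acct", "amount_cents", "value_date")


def canonical_bytes(payment: dict) -> bytes:
    """Serialise the protected fields deterministically so that sender and
    receiver MAC identical bytes regardless of key order or whitespace."""
    subset = {name: payment[name] for name in PROTECTED_FIELDS}
    return json.dumps(subset, sort_keys=True, separators=(",", ":")).encode()


def compute_mac(payment: dict, key: bytes = SHARED_MAC_KEY) -> str:
    return hmac.new(key, canonical_bytes(payment), hashlib.sha256).hexdigest()


def sign_payment(payment: dict, key: bytes = SHARED_MAC_KEY) -> dict:
    """Sender side: attach the MAC to the outgoing record."""
    wire = dict(payment)
    wire["mac"] = compute_mac(payment, key)
    return wire


def verify_payment(received: dict, key: bytes = SHARED_MAC_KEY) -> bool:
    """Receiver side: recompute over the received fields and compare in
    constant time.  A changed or missing protected field, a missing MAC, or
    a MAC made under a different key all yield False."""
    presented = received.get("mac")
    if not isinstance(presented, str):
        return False
    try:
        expected = compute_mac(received, key)
    except KeyError:  # a protected field was stripped from the record
        return False
    return hmac.compare_digest(presented, expected)


def demo() -> dict:
    """Constructed exchange: a genuine record, one altered in transit, and one
    re-presented under a new sequence number.  Only the genuine record verifies."""
    payment = {"seq": 1041, "debit_acct": "0123456789", "credit_acct": "9876543210",
               "amount_cents": 250_000_000, "value_date": "2005-05-02"}
    wire = sign_payment(payment)
    tampered = dict(wire, credit_acct="1111111111")   # destination changed in transit
    replayed = dict(wire, seq=1042)                    # old MAC, new sequence number
    return {"genuine": verify_payment(wire),
            "tampered": verify_payment(tampered),
            "replayed": verify_payment(replayed)}
```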


Restricted Terminals

Limiting certain types of transactions to certain terminals or groups of terminals can help reduce exposure to loss. The offsetting problem is that loss of the ability to use these terminals can stop processing for an entire application. Bank management should therefore evaluate both the exposure and processing risks.

An automatic time-out feature can minimize the exposure risk. Since unauthorized users may target an unattended terminal, this feature automatically signs off the user when there has been no activity for a certain period of time. Using time-of-day restrictions can also limit unauthorized use of terminals during periods when an entire department or section would be unattended.

Restricted Transactions

Restricted transactions are specialized transactions that can be performed only by supervisory or management personnel. Examples include reversing transactions, dollar adjustments to customer accounts, and daily balancing transactions. Management should periodically review user needs and the appropriateness of restricting the performance of these transactions. System-generated reports can be used to review this activity more frequently.

Activity and Exception Reports

Report output will vary, depending on the sophistication of the data communications and applications software. Management should receive activity reports that detail transactions by terminal, operator, and type. More sophisticated software will produce activity and exception reports on other criteria, such as the number of inquiries by terminal, unsuccessful attempts to access the system, unauthorized use of restricted information, and any unusual activities (that is, infrequently used transactions). Activity reports are used to monitor system use and may not be printed daily. However, management should periodically review and summarize these reports in an effort to ensure that machines are used efficiently. Exception reports should be produced and reviewed daily by designated personnel who have no conflicting responsibilities. A problem with many reporting systems is that the log contains a record of every event, making it cumbersome and more difficult to identify problems.

Controls over Software-Program-Change Requests

Requests for system changes, such as software-program changes, should be documented on a standard change-request form. The form is used to describe the request and document the review and approval process. It should contain the following information:

• date of the change request
• sequential control number
• program or system identification
• reason for the change
• description of the requested change
• person requesting the change
• benefits contemplated from the change
• projected cost
• signed approval authorizing the change including, at a minimum, the user, IT personnel with the proper authority, and an auditor (at least for significant changes)
• name of programmer assigned to make the change
• anticipated completion date
• user and information systems approval of the completed program change
• implementation procedures (steps for getting the program into the production library)
• audit review of change (if deemed necessary)
• documented sign-off

End-User Computing

End-user computing results from the transfer of information-processing capabilities from centralized data centers onto the user’s desktop. End-user computing systems may range in size and computing power from laptop notebook computers to standalone personal computers, client server networks, or small systems with sufficient computing power to process all significant applications for a financial institution. Small systems that are entirely supported by a hardware or software vendor are referred to as turnkey systems. Control considerations discussed throughout this subsection generally apply to all end-user computing systems.
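The terminal, restricted-transaction and exception-reporting controls described above, as an added Python example that is not part of the manual: it runs a constructed terminal activity log against a hypothetical terminal policy and produces both the activity counts by terminal, operator and type and the daily exception entries (repeated failed sign-ons, restricted transactions by non-supervisory operators, use outside permitted hours, transaction types not allowed on a terminal, and infrequently used transactions). Every terminal name, operator, threshold and log line is an assumption.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Constructed policy (hypothetical values, not from the manual).
# Transaction types each terminal may perform, and the hours (start, end) during
# which the terminal may be used at all: the time-of-day restriction.
TERMINAL_POLICY = {
    "T01": {"types": {"DEPOSIT", "WITHDRAWAL", "INQUIRY"}, "hours": (8, 18)},
    "T02": {"types": {"DEPOSIT", "WITHDRAWAL", "INQUIRY", "REVERSAL", "ADJUSTMENT"}, "hours": (8, 18)},
    "T03": {"types": {"INQUIRY"}, "hours": (0, 24)},
}
# Restricted transactions may be performed only by supervisory or management personnel.
RESTRICTED_TYPES = {"REVERSAL", "ADJUSTMENT", "DAILY_BALANCE"}
SUPERVISORS = {"op_sup1"}
FAILED_ACCESS_THRESHOLD = 3   # consecutive failed sign-ons per terminal/operator before reporting
RARE_TYPE_MAX_COUNT = 1       # a type used this many times or fewer in the day is "infrequently used"


@dataclass
class Event:
    ts: datetime
    terminal: str
    operator: str
    kind: str          # LOGIN_OK, LOGIN_FAIL or TXN
    txn_type: str = ""


def parse_log(lines):
    """Parse constructed pipe-delimited log lines: timestamp|terminal|operator|kind[|txn_type]."""
    events = []
    for line in lines:
        ts, terminal, operator, kind, *rest = line.strip().split("|")
        events.append(Event(datetime.fromisoformat(ts), terminal, operator, kind, rest[0] if rest else ""))
    return sorted(events, key=lambda e: e.ts)


def activity_report(events):
    """Activity report: transaction counts by terminal, operator, and type."""
    return Counter((e.terminal, e.operator, e.txn_type) for e in events if e.kind == "TXN")


def exception_report(events):
    """Return (rule, event) pairs for the conditions the manual lists as exceptions."""
    exceptions = []
    failed = Counter()
    type_counts = Counter(e.txn_type for e in events if e.kind == "TXN")
    for e in events:
        if e.kind == "LOGIN_FAIL":
            failed[(e.terminal, e.operator)] += 1
            if failed[(e.terminal, e.operator)] == FAILED_ACCESS_THRESHOLD:
                exceptions.append(("repeated-failed-access", e))
            continue
        if e.kind == "LOGIN_OK":
            failed[(e.terminal, e.operator)] = 0   # a successful sign-on resets the counter
            continue
        policy = TERMINAL_POLICY.get(e.terminal)
        if policy is None:
            exceptions.append(("unknown-terminal", e))
            continue
        start, end = policy["hours"]
        if not start <= e.ts.hour < end:
            exceptions.append(("outside-permitted-hours", e))
        if e.txn_type not in policy["types"]:
            exceptions.append(("type-not-allowed-on-terminal", e))
        if e.txn_type in RESTRICTED_TYPES and e.operator not in SUPERVISORS:
            exceptions.append(("restricted-txn-by-non-supervisor", e))
        if type_counts[e.txn_type] <= RARE_TYPE_MAX_COUNT:
            exceptions.append(("infrequently-used-transaction", e))
    return exceptions


# Constructed sample log for one business day (hypothetical operators and terminals).
SAMPLE_LOG = [
    "2005-05-02T09:00:00|T01|op_a|LOGIN_OK",
    "2005-05-02T09:01:00|T01|op_a|TXN|DEPOSIT",
    "2005-05-02T09:02:00|T01|op_a|TXN|DEPOSIT",
    "2005-05-02T09:03:00|T01|op_a|TXN|INQUIRY",
    "2005-05-02T09:05:00|T01|op_a|TXN|WITHDRAWAL",
    "2005-05-02T09:06:00|T01|op_a|TXN|WITHDRAWAL",
    "2005-05-02T10:00:00|T02|op_sup1|TXN|REVERSAL",     # restricted type, supervisor: rare only
    "2005-05-02T10:30:00|T02|op_b|TXN|ADJUSTMENT",      # restricted type by a non-supervisor
    "2005-05-02T11:00:00|T03|op_c|TXN|WITHDRAWAL",      # T03 is an inquiry-only terminal
    "2005-05-02T12:00:00|T03|op_c|TXN|INQUIRY",
    "2005-05-02T19:30:00|T01|op_a|TXN|INQUIRY",         # T01 is closed after 18:00
    "2005-05-02T22:00:00|T03|op_c|LOGIN_FAIL",
    "2005-05-02T22:00:30|T03|op_c|LOGIN_FAIL",
    "2005-05-02T22:01:00|T03|op_c|LOGIN_FAIL",          # third failure triggers the exception
    "2005-05-02T22:03:00|T03|op_c|LOGIN_FAIL",
]

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for key, n in sorted(activity_report(evs).items()):
        print("activity", key, n)
    for rule, e in exception_report(evs):
        print("EXCEPTION", rule, e.ts.isoformat(), e.terminal, e.operator, e.txn_type)
```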


In many cases, end-user systems are linked by distributed processing networks. Linking several microcomputers together and passing information between them is called networking. A system configured in this manner is commonly called a local area network (LAN). The ability to decentralize the data processing function is largely a result of the development of powerful microcomputers or PCs. Microcomputers are now powerful enough to process significant applications when used as standalone systems. These microcomputers can also be connected to a host computer and configured to serve as a data entry or display terminal. In this terminal-emulation mode, information can be passed between the host and the PC with the processing occurring at either machine.

When linked by a network, end-user computing offers several advantages to financial institutions, including—

• low cost compared with other platforms,
• efficiency through the sharing of resources,
• ease of expansion for future growth,
• enhanced communication capabilities,
• portability,
• data availability, and
• ease of use.

While end-user computing systems provide several advantages, they also have greater risks to data integrity and data security, including—

• difficulty in controlling access to the system and in controlling access to confidential information that may be stored on individual personal computers and not on the system (such as payroll records, spreadsheets, budgets, and information intended for the board of directors of the financial institution),
• the lack of sophisticated software to ensure security and data integrity,
• insufficient capabilities to establish audit trails,
• inadequate program testing and documentation,
• lack of segregated duties of data entry personnel.

As the trend toward distributed processing continues, financial institutions should have proper policies, procedures, and reporting to ensure the accurate and timely processing of information. The controls governing access in an end-user computing environment should be no less stringent than those used in a traditional mainframe environment. Strict rules should govern the ability of users to access information. As a general rule, no user should be able to access information that is beyond what is needed to perform the tasks required by his or her job description. In this new environment, management and staff should assume responsibility for the information assets of the organization.

CONTINGENCY PLANNING, RECORD PROTECTION, AND RETENTION

Data communications systems are susceptible to software, hardware, and transmission problems that may make them unusable for extended periods of time. If a financial institution depends on data communication for its daily operations, appropriate back-up provisions are necessary. Back-up is the ability to continue processing applications in the event the communications system fails. Management can provide back-up by various methods, including batch-processing systems, intelligent terminals or PCs operating in an off-line mode, data capture at the controller if transmission lines are lost, redundant data communication lines, and back-up modems. Regardless of the method used, FFIEC interagency issuances and specific supporting Federal Reserve System policy issuances that address corporate contingency planning require a comprehensive back-up plan with detailed procedures. When using a batch back-up system, operations personnel must convert data to a machine-readable format and transport the data to the servicer. This process may require additional personnel (data-entry operators and messengers) and equipment. An institution’s contingency plan should include detailed procedures on how to obtain and use the personnel and equipment. Because on-line systems are updated or improved frequently, a batch back-up may not remain compatible. Institution personnel should perform periodic tests of batch and other back-up capabilities to ensure that protection is available and that employees are familiar with the plan.

Institutions should create computerized back-up copies of the institution’s critical records and have alternative methods of processing those records. When IT operations are performed outside the institution, both the servicer and the financial institution should have adequate control over the records. Bank management

should determine which records are best protected by the servicer and which are best protected internally. Service contracts should outline the servicer’s responsibility for storing bank records. If the servicer does not or will not permit specific reference to record retention in the contract, a general reference may be sufficient. The institution should obtain a copy of the servicer’s back-up policy and retention procedures, and bank management should thoroughly understand which records are protected by whom and to what extent.

The bank should also review the servicer’s software and hardware back-up arrangements. It should review the service provider’s contingency plan and results of routine tests of the contingency plan. The review should determine how often data and software back-ups are made, the location of stored materials, and which materials are stored at that site. Management should also determine the availability of software replacement and vendor support, as well as the amount and location of duplicate software documentation. Software replacement and documentation procedures should be developed for both operating and application systems.

Management should review the servicer’s hardware back-up arrangements to determine if (1) the servicer has a contract with a national recovery service and, if so, the amount and type of back-up capacity provided under the contract; (2) the servicer has an alternate data center with sufficient capacity and personnel to provide full service if necessary; or (3) multiple processing sites within the same facility are available for disaster-processing problems and if each site has an alternate power supply. The alternate site should be able to provide continued processing of data and transmission of reports.

Contracts or contingency plans should specify the availability of source documentation in the event of a disaster, including insolvency of the servicer. FFIEC interagency issuances and Federal Reserve System policy statements require financial institutions to evaluate the adequacy of a servicer’s contingency plan and to ensure that its own contingency plan is compatible with the servicer’s plan.

Since the duplication of records may vary from site to site, most organizations develop schedules for automatic retention of records on a case-by-case basis. The only way to ensure sufficient record protection is to continually review the flow of documents, data, and reports. Some records may be available in both hard-copy and machine-readable formats. In addition to determining the types of back-up records, management should determine whether it is possible to re-create current data from older records. Certain records also have uses apart from their value in reconstructing current data, such as meeting institutional and regulatory reporting requirements. These records usually include month-end, quarter-end, and year-end files.

The location of an external data center is another factor to consider when evaluating retention procedures. If the external data center is located in a building adjacent to the institution, the possibility that a disaster may affect both organizations increases. Such a situation may make off-site storage of back-up materials even more important. If, on the other hand, the serviced institution is located far from the data center, physical shipment of both input and output may become necessary. Management should determine if fast, reliable transportation between the two sites is available.

If a major disaster occurs, an alternate facility may not be available to process duplicated machine-readable media. Management should consider remote record storage that would facilitate the manual processing of records, if necessary. Furthermore, microfilming all items before shipment would protect the institution if any items are lost, misplaced, or destroyed. Optical-disk storage, which involves scanning and storing a document electronically, offers another alternative for storage and retrieval of original data after processing has occurred. The FFIEC’s IS Handbook and related FFIEC and Federal Reserve System issuances are sources of information about planning for unexpected contingencies.

Processing personnel should regularly copy and store critical institution records in an off-site location that is sufficiently accessible to obtain records in a reasonable time period. These records should include data files, programs, operating systems, and related documentation. This also applies to critical data in hard-copy documents. In addition, an inventory of the stored information should be maintained along with a defined retention period.

AUDITS

Examiners need to determine the appropriateness of the scope and frequency of audit activities related to information systems and the reliability of internal or third-party audits of servicer-processed work. Furthermore, examiners should review the methods by which the board of directors is apprised of audit findings, recommendations, and corrective actions taken. In reviewing audit activities, examiners should consider the following factors (if applicable):

• the practicality of the financial institution’s having an internal IT auditor and, if the institution has an internal IT auditor, the auditor’s level of training and experience
• the training and experience of the institution’s external auditors
• the audit functions performed by the institution’s outside auditors, the servicer, the servicer’s outside auditor, and supervisory personnel
• internal IT audit techniques currently being followed

The audit function should review controls and operating procedures that help protect the institution from losses caused by irregularities and willful manipulations of the data processing system. Thus, a regular, comprehensive audit of IT activities is necessary. Additionally, designated personnel at each serviced institution should periodically perform “around-the-computer” audit examinations, such as:

• developing data controls (proof totals, batch totals, document counts, number of accounts, and prenumbered documents) at the institution before submitting data to the servicer and sampling the controls periodically to ensure their accuracy;
• spot-checking reconcilement procedures to ensure that output totals agree with input totals, less any rejects;
• sampling rejected, unpostable, holdover, and suspense items to determine why they cannot be processed and how they were disposed of (to make sure they were properly corrected and re-entered on a timely basis);
• verifying selected master-file information (such as service-charge codes), reviewing exception reports, and cross-checking loan extensions to source documents;
• spot-checking computer calculations, such as the dollar amounts of loan rebates, interest on deposits, late charges, service charges, and past-due loans, to ensure proper calculations;
• tracing transactions to final disposition to ensure audit trails are adequate;
• reviewing source documents to ascertain whether sensitive master-file change requests were given the required supervisory approval;
• assessing the current status of controls by either visiting the servicer or reviewing independent third-party reviews of the servicer;
• reviewing processing procedures and controls; and
• evaluating other audits of the servicer.

In addition, “through-the-computer” audit techniques allow the auditor to use the computer to check data processing steps. Audit software programs are available to test extensions and footings and to prepare verification statements.

Regardless of whether an institution processes data internally or externally, the board of directors must provide an adequate audit program for all automated records. If the institution has no internal IT audit expertise, the nontechnical “around-the-computer” methods will provide minimum coverage, but not necessarily adequate coverage. A comprehensive external IT audit, similar to those discussed in the FFIEC’s IS Handbook, should be carried out to supplement nontechnical methods.

INSURANCE

A financial institution should periodically review its insurance coverage to ensure that the amount of coverage is adequate to cover any exposure that may arise from using an external IT provider. To determine what coverage is needed, the institution should review its internal operations, the transmission or transportation of records or data, and the type of processing performed by the servicer. This review should identify risks to data, namely the accountability for data, at both the user and servicer locations and while in transit. Insurance covering physical disasters, such as fires, floods, and explosions, should be sufficient to cover replacement of the data processing system. Coverage that protects specialized computer and communications equipment may be more desirable than the coverage provided by regular hazard insurance. Expanded coverage protects against water infiltration, mechanical breakdown, electrical disturbances, changes in temperature, and corrosion. The use

of an “agreed-amount” endorsement can provide for full recovery of covered loss.

Bank management should also review the servicer’s insurance coverage to determine if the amounts and types are adequate. Servicer coverage should be similar to what the financial institution would normally purchase if it were performing its data processing internally. Servicer-provided coverage should complement and supplement the bank’s coverage.

If a loss is claimed under the user’s coverage, the user need only prove that a loss occurred to make a claim. However, if the loss is claimed under the servicer’s coverage, the institution must prove that a loss occurred and also that the servicer was responsible for the loss.

Examiners should review the serviced institution’s blanket bond coverage, as well as similar coverage provided by the servicer. The coverage period may be stated in terms of a fixed time period. The loss, the discovery, and the reporting of the loss to the insurer must occur during that stated period. Extended discovery periods are generally available at additional cost if an institution does not renew its bond. The dollar amount of the coverage now represents an aggregate for the stated period. Each claim paid, including the loss, court costs, and legal fees, reduces the outstanding amount of coverage, and recoveries do not reinstate previous levels of coverage. Since coverage extends only to locations stated in the policy, the policy must individually list all offices. Additionally, policies no longer cover certain types of documents in transit.

The bank’s board of directors should be involved in determining insurance coverage since each board member will be acknowledging the terms, conditions, fees, riders, and exclusions of the policy. Insurance companies consider any provided information as a warranty of coverage. Any omission of substantive information could result in voided coverage.

The bank or servicer should consider buying additional coverage. Media-reconstruction policies defray costs associated with recovering data contained on the magnetic media. Media-replacement policies replace blank media. Extra-expense policies reimburse organizations for expenses incurred over and above the normal cost of operations. In addition, servicers often purchase policies covering unforeseen business interruptions and the liabilities associated with errors and omissions. Both servicer and banking organizations may purchase transit insurance that covers the physical shipment of source documents. Additionally, electronic funds transfer system (EFTS) liability coverage is available for those operations that use electronic transmission.

Several factors may influence an institution’s decision to purchase insurance coverage or to self-insure: the cost of coverage versus the probability of occurrence of a loss, the cost of coverage versus the size of the loss of each occurrence, and the cost of coverage versus the cost of correcting a situation that could result in a loss. Some institutions engage risk consultants to evaluate these risks and the costs of insuring against them.

SERVICE CONTRACTS

Contract Practices

A poorly written or inadequately reviewed contract can be troublesome for both the serviced financial institution and the servicer. To avoid or minimize contract problems, bank legal counsel who are familiar with the terminology and specific requirements of a data processing contract should review it to protect the institution’s interests. Since the contract likely sets the terms for a multiyear understanding between the parties, all items agreed on during negotiations must be included in the final signed contract. Verbal agreements are generally not enforceable, and contracts should include wording such as “no oral representations apply” to protect both parties from future misunderstandings. The contract should also establish baseline performance standards for data processing services and define each party’s responsibilities and liabilities, where possible.

Although contracts between financial institutions and external data processing companies are not standardized in a form, they share a number of common elements. For a further discussion of IT contract elements and considerations, see the FFIEC’s IS Handbook.

Additionally, section 225 of the Financial Institutions Reform, Recovery, and Enforcement Act of 1989 (FIRREA) states, “An [FDIC-]insured depository institution may not enter into a written or oral contract with any person to provide goods, products or services to or for the benefit of such depository institution if the performance of such contract would adversely

affect the safety or soundness of the institution.” An institution should ascertain during contract negotiations whether the servicer can provide a level of service that meets the needs of the institution over the life of the contract. The institution is also responsible for making sure it accounts for each contract in accordance with GAAP. Regulatory agencies consider contracting for excessive servicing fees and/or failing to properly account for such transactions an unsafe and unsound practice. When entering into service agreements, banks must ensure that the method by which they account for such agreements reflects the substance of the transaction and not merely its form. See FFIEC Supervisory Policy SP-6, “Interagency Statement on EDP Service Contracts.”

Risk of Termination

Many financial institutions have become so dependent on outside data processing servicers that any extended interruption or termination of service would severely disrupt normal operations. Termination of services generally occurs according to the terms of the service contract. Banks may also experience an interruption of services that is caused by a physical disaster to the servicer, such as a fire or flood, or by bankruptcy. The serviced institution must prepare differently for each type of termination. The contract should allow either party to terminate the agreement by notifying the other party 90 to 180 days in advance of the termination date, which should give a serviced institution adequate time to locate and contract with another servicer.

Termination caused by physical disaster occurs infrequently, but it may present the institution with a more serious problem than termination by contract. However, if the servicer has complied with basic industry standards and maintains a proper contingency plan, disruption of services to users will ordinarily be minimal. The contingency plan must require the servicer to maintain current data files and programs at an alternate site and arrange for back-up processing time with another data center. At a minimum, these provisions should allow the servicer to process the most important data applications. Since equipment vendors can often replace damaged machines within a few days, the servicer should be able to resume processing with little delay. The servicer, not the serviced institution, is responsible for the major provisions of its back-up contingency plan. However, the institution must have a plan that complements the servicer’s.

Termination caused by bankruptcy of the servicer is potentially the most devastating to a serviced institution. There may not be advance notice of termination or an effective contingency plan (because servicer personnel may not be available). In this situation, the serviced institution is responsible for finding an alternate processing site.

Although user institutions can ordinarily obtain data files from a bankrupt servicer with little trouble, the programs (source code) and documentation required to process those files are normally owned by the servicer and are not available to the user institutions. These programs are often the servicer’s only significant assets. Therefore, a creditor of a bankrupt servicer, in an attempt to recover outstanding , will seek to attach those assets and further limit their availability to user institutions. The bankruptcy court may provide remedies to the user institutions, but only after an extended length of time.

An escrow agreement is an alternative to giving vendors sole control of the source code. In this agreement, which should either be part of the service contract or a separate document, the financial institution would receive the right to access source programs under certain conditions, such as discontinued product support or the financial insolvency of the vendor. A third party would retain these programs and related documents in escrow. Periodically, the financial institution should determine that the source code maintained in escrow is up-to-date; for example, an independent party should verify the version number of the software. Without an escrow agreement, a serviced institution has two alternatives: (1) pay off the creditor and hire outside specialists to operate the center or (2) convert data files to another servicer. Either alternative is likely to be costly and cause severe operating delays.

Institutions should normally determine the financial viability of their servicer annually. Once the review is complete, management must report the results to the board of directors or a designated committee. At a minimum, management’s review should contain a careful analysis of the servicer’s annual financial statement. Management may also use other sources of information

to determine a servicer’s condition, such as investment analyst reports and bond ratings. Reports of independent auditors and examination reports for certain service providers obtainable from appropriate regulatory agencies may contain useful information.

AUTOMATED CLEARINGHOUSE

Automated clearinghouses (ACHs) form a nationwide electronic payments system used by a large number of depository institutions and corporations. ACH rules and regulations are established by the National Automated Clearing House Association (NACHA) and the local ACH associations, and they are referenced in the ACH operating circulars of the Federal Reserve Banks.

ACH is a value-based system that supports both credit and debit transactions. In ACH credit transactions, funds flow from the depository institution originating the transaction to the institutions receiving the transactions. Examples of credit payments include direct deposits of payroll, dividend and interest payments, Social Security payments, and corporate payments to contractors and vendors. In a debit transaction, funds flow from the depository institutions receiving the transaction instructions to the institution originating the transaction. Examples of ACH debit transactions include collection of insurance premiums, mortgage and loan payments, consumer bill payments, and transactions to facilitate corporate cash management. ACH transactions are deposited in batches at Federal Reserve Banks (or private-sector ACH processors) for processing one or two business days before the settlement date. These transactions are processed and delivered to the receiving institutions through the nightly processing cycle for a given day.

ACH transactions continue to grow significantly. Additional uses of the ACH continue to be developed as depository institutions, corporations, and consumers realize its efficiency and low cost compared with large-dollar payments systems and check payments. One area of growth is the use of debit transactions for the collection of large payments due to the originator, such as the cash concentration of a company’s nationwide branch or subsidiary accounts into one central account and other recurring contractual payments.

While several organizations can be involved in processing ACH transactions, the Federal Reserve System is the principal ACH processor. For the Federal Reserve ACH system, depository institutions send ACH transactions to and receive ACH transactions from one of the Federal Reserve processing sites via a communications system linking each location. Access may be by direct computer interface or intelligent terminal connections.

As with any funds-transfer system, the ACH system has inherent risks, including error, credit risk, and fraud. When reviewing ACH activities, examiners should evaluate the following:

• agreements covering delivery and settlement arrangements maintained by the depository institution as an originator or receiver of ACH transactions
• monitoring of the institution’s and customer’s intraday positions
• balancing procedures of ACH transactions processed
• the credit policy and effectiveness of procedures to control intraday and overnight overdrafts, resulting from extensions of credit to an ACH customer, to cover the value of credit transfers originated (Since ACH transactions may be originated one or two days before the settlement date, the originating institution is exposed to risk from the time it submits ACH credit transfers to the ACH processor to the time its customer funds those transfers.)
• uncollected-funds controls and the related credit policy for deposits created through ACH debit transactions (ACH debits can be returned for insufficient funds in the payor’s account or for other reasons, such as a court order.)
• exception reports (that is, large-item and new-account reports)
• control procedures for terminals through which additions, deletions, and other forms of maintenance could be made to customer databases
• the retention of all entries, return entries, and adjustment entries transmitted to and received from the ACH for a period of six years after the date of transmittal
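The two credit exposures the examiner checklist above describes, as an added Python example that is not the manual’s own: unfunded credit originations measured from submission until the customer funds them, compared against an approved intraday limit, and deposits created by originated debits that are still inside a hold period and may yet be returned. The customer names, limits, dates, amounts and the two-day hold period are assumptions; actual ACH return time frames depend on NACHA rules and are not modelled.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed, hypothetical credit limits approved for each originating customer.
INTRADAY_CREDIT_LIMITS = {"ACME": 500_000, "BETA": 100_000}
# Assumed hold period for deposits created by originated ACH debits (not a NACHA figure).
UNCOLLECTED_HOLD_DAYS = 2


@dataclass
class CreditOrigination:
    customer: str
    submitted: date                   # day the file went to the ACH processor
    settlement: date                  # one or two business days later
    amount: int                       # whole dollars
    funded_on: Optional[date] = None  # day the customer's account was charged for the file


@dataclass
class DebitOrigination:
    customer: str
    settlement: date                  # day the originator's deposit account was credited
    amount: int
    returned: bool = False            # e.g. insufficient funds in the payor's account


def credit_exposure(originations, as_of):
    """Per-customer value of credit files submitted on or before as_of and not yet funded.

    This is the window the manual describes: the bank is exposed from the time it
    submits the credits to the processor until its customer funds them.
    """
    exposure = {}
    for o in originations:
        if o.submitted <= as_of and (o.funded_on is None or o.funded_on > as_of):
            exposure[o.customer] = exposure.get(o.customer, 0) + o.amount
    return exposure


def limit_breaches(originations, as_of):
    """Customers whose unfunded exposure exceeds their approved intraday/overnight limit."""
    return {c: amt for c, amt in credit_exposure(originations, as_of).items()
            if amt > INTRADAY_CREDIT_LIMITS.get(c, 0)}


def uncollected_funds(debits, as_of):
    """Per-customer deposits from originated debits still inside the hold period (may be returned)."""
    uncollected = {}
    for d in debits:
        if d.returned:
            continue
        if d.settlement <= as_of < d.settlement + timedelta(days=UNCOLLECTED_HOLD_DAYS):
            uncollected[d.customer] = uncollected.get(d.customer, 0) + d.amount
    return uncollected


def returned_debits(debits):
    """Per-customer total of returned originated debits, which the bank must recover from the originator."""
    totals = {}
    for d in debits:
        if d.returned:
            totals[d.customer] = totals.get(d.customer, 0) + d.amount
    return totals


# Constructed sample activity (hypothetical customers, dates and amounts).
CREDITS = [
    CreditOrigination("ACME", date(2000, 11, 13), date(2000, 11, 15), 400_000, funded_on=date(2000, 11, 15)),
    CreditOrigination("ACME", date(2000, 11, 14), date(2000, 11, 15), 200_000, funded_on=date(2000, 11, 15)),
    CreditOrigination("BETA", date(2000, 11, 14), date(2000, 11, 16), 50_000),   # not yet funded
]
DEBITS = [
    DebitOrigination("BETA", date(2000, 11, 13), 30_000),
    DebitOrigination("BETA", date(2000, 11, 14), 20_000),
    DebitOrigination("BETA", date(2000, 11, 10), 5_000, returned=True),
]
DAY_BEFORE_SETTLEMENT = date(2000, 11, 14)
SETTLEMENT_DAY = date(2000, 11, 15)

if __name__ == "__main__":
    for day in (DAY_BEFORE_SETTLEMENT, SETTLEMENT_DAY):
        print(day, "exposure", credit_exposure(CREDITS, day), "breaches", limit_breaches(CREDITS, day))
        print(day, "uncollected", uncollected_funds(DEBITS, day))
    print("returned", returned_debits(DEBITS))
```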


RETAIL FUNDS-TRANSFER SYSTEMS

Automation has enabled banks to electronically perform many functions formerly handled manually by tellers, bookkeepers, data-entry clerks, and other banking personnel. Accordingly, the need for physical banking facilities and related staff has been reduced. Electronic funds transfer (EFT) and related banking services have also brought access to and control of accounts closer to the consumer through the use of widely distributed unmanned terminals and merchant facilities. EFT-related risk to a financial institution for individual customer transactions is generally low, since the transactions are usually for relatively small amounts. However, weaknesses in controls that could lead to incorrect or improper use of several accounts could lead to significant losses or class action suits against a financial institution. Examinations of retail EFT facilities should focus on the potential large-scale risks of a given product. Examples of retail EFT systems include automated teller machines, point-of-sale networks, debit and “smart” cards, and home banking.

Automated Teller Machines

An automated teller machine (ATM) is a terminal that is capable of performing many routine banking services for the customer. ATMs handle deposits, transfers between savings and checking accounts, balance inquiries, withdrawals, small short-term loans, and loan payments. ATMs may also handle other transactions, such as cash advances on credit cards, statement printing, and postage-stamp dispensing. ATMs usually operate 24 hours a day and are located not only on bank premises but in other locations, such as shopping malls and businesses. Daily withdrawals are usually, and should be, limited to relatively small amounts ($200 to $500). Deposits are processed in the same manner as if they were handled by a teller. ATMs are generally activated through the use of a plastic card encoded with a machine-readable customer identification number and the customer’s entry of a corresponding personal identification number (PIN). Some financial institutions may refer to this identification number as the personal identification code (PIC).

ATMs operate in either off-line or on-line mode. Off-line transactions are those that occur when the customer’s account balance is not available for verification. This situation can be the result of telecommunication problems between the financial institution and the ATM network. In addition, an off-line transaction can occur when a customer’s account balance is not available because the financial institution is updating its files. Financial institutions usually update their files during low-volume periods. In either case, transactions are usually approved up to the daily withdrawal limit, which is a risk to the bank because a customer can withdraw more than is available in the account. On-line systems are directly connected to a financial institution’s computer system and the corresponding customer account information. The computer processes each transaction immediately and provides immediate account-balance verification. With either system, a card is normally captured (kept by the ATM) if misuse is indicated (for example, the card has been reported stolen or too many attempts have been made with an invalid PIN).

Financial institutions are usually members of several ATM networks, which can be regional and national. Through these networks, separate institutions allow each other’s customers to use their ATM machines. This is known as an interchange system. To be involved in an interchange system, a financial institution must either be an owner or member of the ATM network.

Fraud, robbery, and malfunction are the major risks of ATMs. The use of plastic cards and PINs is a deterrent, but there is still the risk that an unauthorized individual may obtain them. Customers may even be physically accosted while making withdrawals or deposits at ATM locations. Institutions have decreased this risk by installing surveillance cameras and access-control devices. For example, the ATM card can be used as an access-control device, unlocking the door to a separate ATM enclosure and relocking it after the customer has entered. Fraud may also result from risks associated with the issuance of ATM cards, the capture of cards, and the handling of customer PINs. Appropriate controls are needed to prevent the financial institution’s personnel from unauthorized access to unissued cards, PINs, and captured cards.

Commercial Bank Examination Manual November 2000 Page 35 5300.1 Information Technology

Point-of-Sale Systems

A point-of-sale (POS) system transaction is defined as an electronic transfer of funds from a customer’s checking or account to a merchant’s account to pay for goods or services. Transactions are initiated from POS terminals located in department stores, supermarkets, gasoline stations, and other retail outlets. In an electronic POS system, a customer pays for purchases using a plastic card (such as an ATM, credit, or debit card). The store clerk enters the payment information into the POS terminal, and the customer verifies the transaction by entering a PIN. This results in a debit to the customer’s account and a credit to the merchant’s account.

POS transactions may be processed through either single-institution unshared systems or multi-institution shared networks. Participants in a shared system settle daily, on a net transaction basis, between each other. In unshared systems, the merchants and customers have accounts with the same financial institution. Thus, the need to settle between banks is eliminated.

As with other EFT systems, POS transactions are subject to the risk of loss from fraud, mistakes, and system malfunction. POS fraud is caused by stolen cards and PINs, counterfeit cards, and unauthorized direct computer access. The system is also susceptible to errors such as debiting or crediting an account by too much or too little, or entering unauthorized transactions. For the most part, POS systems usually deal with these risks by executing bank-merchant and bank-customer contracts that delineate each party’s liabilities and responsibilities. Also, consumers are protected by state and federal statutes limiting their liability if they give notice of a lost, stolen, or mutilated card within a specified time period. Other risks inherent in POS systems are computer malfunction or downtime. Financial institutions offering POS services should provide for back-up of their records through adequate contingency planning. Internal control guidelines for POS systems should address the following:

• confidentiality and security of customer-account information, including protection of PINs
• maintenance of contracts between banks and merchants, customers and banks, and banks and networks
• policies and procedures for credit and check authorization, floor limits, overrides, and settlement and balancing
• maintenance of transaction journals to provide an adequate audit trail
• generation and review of daily exception reports with provisions for follow-up of exception items
• provisions for back-up and contingency planning
• physical security surrounding POS terminals

Internal Controls for Retail EFT Systems

Regardless of the EFT system employed, financial institutions should ensure that adequate internal controls are in place to minimize errors, discourage fraud, and provide an adequate audit trail. Recommended internal-control guidelines for all systems include:

• establishing measures to ensure proper customer identification (such as PINs) and maintain their confidentiality
• installing a dependable file-maintenance and retention system to trace transactions
• producing, reviewing, and maintaining exception reports to provide an audit trail

The most critical element of EFT systems is the need for undisputed identification of the customer. Particular attention should be given to the customer-identification systems. The most common control is the issuance of a unique PIN that is used in conjunction with a plastic card or, for noncard systems, an account number. The following PIN control guidelines, as recommended by the American Bankers Association, are encouraged.

Storage:

• PINs should not be stored on other source instruments (for example, plastic cards).
• Unissued PINs should never be stored before they are issued. They should be calculated when issued, and any temporary computer storage areas used in the calculation should be cleared immediately after use.
• PINs should be encrypted on all files and databases.
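An added example (not code from the manual) of how a PIN system can satisfy the Storage guidelines above together with the Usage, System design and Control guidelines that follow: PINs are held only as keyed hashes so that neither bank personnel nor anyone who copies the file can retrieve them, unsuccessful entries are counted and access is restricted after a limited number, PINs can be changed without reissuing the card, and the transaction journal and exception report never contain a PIN. HMAC-SHA256 under a secret key stands in for the hardware-protected encryption the guidelines call for, and the three-attempt limit is an assumed value.

```python
"""PIN vault following the ABA PIN control guidelines quoted in this section.

Added example, not code from the manual. Assumptions: HMAC-SHA256 under a
secret key stands in for the hardware-protected encryption the guidelines
call for, and three unsuccessful entries is the chosen limit.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

MAX_ATTEMPTS = 3  # "a limited number of attempts"; the exact value is assumed


@dataclass
class CardRecord:
    account: str
    pin_tag: bytes           # keyed hash of (card number, PIN); the PIN itself is never stored
    failed_attempts: int = 0
    locked: bool = False     # True once access is restricted (card captured)


class PinVault:
    """Stores only keyed hashes of PINs, counts bad entries and locks the card."""

    def __init__(self, key: bytes) -> None:
        self._key = key  # in production the key lives in an HSM, never beside the records
        self._records: dict[str, CardRecord] = {}
        self.audit_trail: list[str] = []

    def _tag(self, pan: str, pin: str) -> bytes:
        # Keyed, so a copy of the file cannot be used to try all 10,000 PINs offline.
        return hmac.new(self._key, f"{pan}:{pin}".encode(), hashlib.sha256).digest()

    def _log(self, event: str, pan: str, detail: str = "") -> None:
        # The journal carries only the masked card number; a PIN never appears in printed form.
        self.audit_trail.append(f"{event} card=****{pan[-4:]} {detail}".rstrip())

    @staticmethod
    def _well_formed(pin: str) -> bool:
        return pin.isdigit() and len(pin) == 4

    def issue(self, pan: str, account: str) -> str:
        """Calculate the PIN at issuance and return it once, for the PIN mailer only."""
        pin = f"{secrets.randbelow(10_000):04d}"
        self._records[pan] = CardRecord(account=account, pin_tag=self._tag(pan, pin))
        self._log("ISSUE", pan)
        return pin  # the caller prints the mailer and discards it; nothing is retained here

    def verify(self, pan: str, pin: str) -> bool:
        """Check a PIN entry; restrict access after MAX_ATTEMPTS unsuccessful entries."""
        rec = self._records.get(pan)
        if rec is None or rec.locked:
            self._log("DENIED", pan, "unknown or captured card")
            return False
        if hmac.compare_digest(rec.pin_tag, self._tag(pan, pin)):
            rec.failed_attempts = 0
            self._log("PIN_OK", pan)
            return True
        rec.failed_attempts += 1
        self._log("PIN_FAIL", pan, f"attempt {rec.failed_attempts} of {MAX_ATTEMPTS}")
        if rec.failed_attempts >= MAX_ATTEMPTS:
            rec.locked = True
            self._log("CAPTURE", pan, "too many invalid PIN entries")
        return False

    def change_pin(self, pan: str, current_pin: str, new_pin: str) -> bool:
        """Customer-selected PIN change; the card is not reissued."""
        if not self._well_formed(new_pin) or not self.verify(pan, current_pin):
            return False
        self._records[pan].pin_tag = self._tag(pan, new_pin)
        self._log("PIN_CHANGE", pan)
        return True

    def reset_forgotten_pin(self, pan: str, new_pin: str) -> bool:
        """A forgotten PIN cannot be retrieved (only its tag exists), so the customer
        selects a new one. Call only after the customer's identity has been verified."""
        rec = self._records.get(pan)
        if rec is None or not self._well_formed(new_pin):
            return False
        rec.pin_tag = self._tag(pan, new_pin)
        rec.failed_attempts, rec.locked = 0, False  # reinstates a captured card as well
        self._log("PIN_RESET", pan)
        return True

    def exception_report(self) -> list[str]:
        """Daily exception report: the journal entries a reviewer must follow up."""
        return [e for e in self.audit_trail if e.split()[0] in {"PIN_FAIL", "CAPTURE", "DENIED"}]
```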


Delivery:

• PINs should not appear in printed form where they can be associated with customers’ account numbers.
• PINs used on interchange systems should be designed so that they can be used or changed without any modification to other participants’ systems.
• PIN mailers should be processed and delivered with the same security accorded the delivery of bank cards to cardholders. (They should never be mailed to a customer together with the card.)

Usage:

• The PIN should be entered only by the cardholder and only in an environment that deters casual observation of entries.
• The PIN should never be transmitted in unencrypted form.
• PIN systems should record the number of unsuccessful PIN entries and should restrict access to a customer’s account after a limited number of attempts.
• If a PIN is forgotten, the customer should select a new one rather than have bank personnel retrieve the old one, unless the bank has the ability to generate and mail a hard copy of the PIN directly to the customer without giving bank personnel the ability to view the PIN.

Control and security:

• Systems should be designed, tested, and controlled to preclude retrieval of stored PINs in any form.
• Application programs and other software containing formulas, algorithms, and data used to calculate PINs must be subject to the highest level of access control for security purposes.
• Any data-recording medium, for example, magnetic tape and removable disks, used in the process of assigning, distributing, calculating, or encrypting PINs must be cleared immediately after use.
• Employees with access to PIN information must be subject to security clearance and must be covered by an adequate surety bond.

System design:

• PIN systems should be designed so that PINs can be changed without reissuing cards.
• Bank personnel should not have the capability to retrieve or display customers’ PIN numbers.
• All the maintenance to PINs stored in databases should be restricted. Console logs and security reports should be reviewed to determine any attempts to subvert the PIN security system.
• Financial institutions electing to use encryption as a security technique for systems are strongly encouraged to consider the data encryption standards established by the National Institute of Standards and Technology.

In addition, institutions should consider controls over other aspects of the process. Control guidelines appropriate for plastic cards include those covering procurement, embossing or encoding, storage, and mailing. Controls over terminal sharing and network switching are also appropriate. Institutions should address backup procedures and practices for retail funds-transfer systems and insurance coverage for these activities.

APPENDIX—INTERAGENCY GUIDELINES ESTABLISHING INFORMATION SECURITY STANDARDS

Sections II and III of the information security standards are provided below. For more information, see the Interagency Guidelines Establishing Information Security Standards, in Regulation H, section 208, appendix D-2 (12 CFR 208, appendix D-2). The guidelines were previously titled Interagency Guidelines Establishing Standards for Safeguarding Customer Information. The information security standards were amended, effective July 1, 2005, to implement section 216 of the Fair and Accurate Credit Transactions Act of 2003 (the FACT Act). To address the risks associated with identity theft, the amendments generally require financial institutions to develop, implement, and maintain, as part of their existing information security program, appropriate measures to properly dispose of consumer information derived from consumer reports. The term consumer information is defined in the revised rule.


II. Standards for Safeguarding Customer Information

A. Information Security Program

Each bank is to implement a comprehensive written information security program that includes administrative, technical, and physical safeguards appropriate to the size and complexity of the bank and the nature and scope of its activities. While all parts of the bank are not required to implement a uniform set of policies, all elements of the information security program are to be coordinated. A bank is also to ensure that each of its subsidiaries is subject to a comprehensive information security program. The bank may fulfill this requirement either by including a subsidiary within the scope of the bank’s comprehensive information security program or by causing the subsidiary to implement a separate comprehensive information security program in accordance with the standards and procedures in sections II and III that apply to banks.

B. Objectives

A bank’s information security program shall be designed to—

1. ensure the security and confidentiality of customer information;
2. protect against any anticipated threats or hazards to the security or integrity of such information;
3. protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer; and
4. ensure the proper disposal of customer information and consumer information.

III. Development and Implementation of Information Security Program

A. Involve the Board of Directors

The board of directors or an appropriate committee of the board of each bank is to—

1. approve the bank’s written information security program; and
2. oversee the development, implementation, and maintenance of the bank’s information security program, including assigning specific responsibility for its implementation and reviewing reports from management.

B. Assess Risk

Each bank is to—

1. identify reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of customer information or customer information systems;
2. assess the likelihood and potential damage of these threats, taking into consideration the sensitivity of customer information;
3. assess the sufficiency of policies, procedures, customer information systems, and other arrangements in place to control risks; and
4. ensure the proper disposal of customer information and consumer information.

C. Manage and Control Risk

Each bank is to—

1. Design its information security program to control the identified risks, commensurate with the sensitivity of the information as well as the complexity and scope of the bank’s activities. Each bank must consider whether the following security measures are appropriate for the bank and, if so, adopt those measures the bank concludes are appropriate:
a. access controls on customer information systems, including controls to authenticate and permit access only to authorized individuals and controls to prevent employees from providing customer information to unauthorized individuals who may seek to obtain this information through fraudulent means
b. access restrictions at physical locations containing customer information, such as buildings, computer facilities, and records storage facilities to permit access only to authorized individuals
c. encryption of electronic customer information, including while in transit or in storage on networks or systems to which unauthorized individuals may have access


d. procedures designed to ensure that customer information system modifications are consistent with the bank’s information security program
e. dual control procedures, segregation of duties, and employee background checks for employees with responsibilities for or access to customer information
f. monitoring systems and procedures to detect actual and attempted attacks on or intrusions into customer information systems
g. response programs that specify actions to be taken when the bank suspects or detects that unauthorized individuals have gained access to customer information systems, including appropriate reports to regulatory and law enforcement agencies
h. measures to protect against destruction, loss, or damage of customer information due to potential environmental hazards, such as fire and water damage or technological failures
2. Train staff to implement the bank’s information security program.
3. Regularly test the key controls, systems, and procedures of the information security program. The frequency and nature of such tests should be determined by the bank’s risk assessment. Tests should be conducted or reviewed by independent third parties or staff independent of those that develop or maintain the security programs.
4. Develop, implement, and maintain, as part of its information security program, appropriate measures to properly dispose of customer information and consumer information in accordance with each of the requirements in this section III.

D. Oversee Service-Provider Arrangements

Each bank is to—

1. exercise appropriate due diligence in selecting its service providers;
2. require its service providers by contract to implement appropriate measures designed to meet the objectives of the information security standards; and
3. where indicated by the bank’s risk assessment, monitor its service providers to confirm that they have satisfied their obligations with regard to the requirements for overseeing provider arrangements. As part of this monitoring, a bank should review audits, summaries of test results, or other equivalent evaluations of its service providers.

E. Adjust the Program

Each bank is to monitor, evaluate, and adjust, as appropriate, the information security program in light of any relevant changes in technology, the sensitivity of its customer information, internal or external threats to information, and the bank’s own changing business arrangements, such as mergers and acquisitions, alliances and joint ventures, outsourcing arrangements, and changes to customer information systems.

F. Report to the Board

Each bank is to report to its board or an appropriate committee of the board at least annually. This report should describe the overall status of the information security program and the bank’s compliance with the information security standards. The reports should discuss material matters related to its program, addressing issues such as risk assessment; risk management and control decisions; service-provider arrangements; results of testing; security breaches or violations and management’s responses; and recommendations for changes in the information security program.

G. Implement the Standards

(For the effective dates, see 12 CFR 208, appendix D-2, section III.G.)

Information Technology: Examination Objectives
Effective date October 2008, Section 5300.2

1. To explicitly consider IT when developing all risk assessments and supervisory plans.
2. To assess the types and levels of risks associated with information technology.
3. To exercise appropriate judgment in determining the level of review, given the characteristics, size, and business activities of the organization.
4. To develop a broad understanding of the organization’s approach, strategy, and structure for IT activities within and across business lines.
5. To assess the adequacy of IT architecture and the ability of the current infrastructure to meet operating objectives, including the effective integration of systems and sources of data.
6. To assess the adequacy of the system of controls to safeguard the integrity of the data processed in critical information systems.
7. To determine if the board has developed, implemented, and tested contingency plans that will ensure the continued operation of the institution’s critical information systems.
8. To ensure that operating procedures and controls are commensurate with the potential for and risks associated with security breaches, which may be either physical or electronic, inadvertent or intentional, or internal or external.
9. To determine the scope and adequacy of the IT audit function.
10. To evaluate IT outsourcing risk and outsourcing arrangements involving major lines of business.
11. To determine if the institution is complying with its written information security program and the minimum governing interagency standards on information security; the guidelines on the proper disposal of consumer information; and all applicable laws, rules, and regulations.
12. To find out if the financial institution (the bank and its respective operating subsidiaries) has developed, implemented, and maintained a written Identity Theft Prevention Program (Program) for its new and existing accounts that are covered by the Fair and Accurate Transactions Act of 2003 (FACT Act) and the Federal Reserve Board’s rules on Fair Credit Reporting, section 222, Subpart J—Identity Theft Red Flags (12 CFR 222, Subpart J), which implements provisions of the FACT Act.
13. To make a determination of whether the financial institution’s Program is
a. designed to detect, prevent, and mitigate identity theft in connection with the opening of a new, or an existing, covered account and that the Program includes the detection of relevant Red Flags;[1] and
b. appropriate to the size and complexity of the financial institution and the nature and scope of its activities.
14. To ascertain whether the financial institution assesses the validity of change of address notifications that it receives for the credit and debit cards that it has issued to customers.
15. To prepare comments for the report of examination on significant deficiencies and recommended corrective action.
16. To assign a Uniform Rating System for Information Technology (URSIT) rating or determine the impact of IT risks on the CAMELS or risk ratings.
17. To update the workpapers with any information that will facilitate future examinations.

[1] Red Flag means a pattern, practice, or specific activity that indicates the possible existence of identity theft.

Information Technology: Examination Procedures
Effective date October 2008, Section 5300.3

1. Determine the role and importance of IT to the organization and whether any unique IT characteristics or issues exist. Identify and list or update the major automated banking applications. For those applications processed by outside service providers, indicate the name and location of each service provider.
2. Incorporate an analysis of IT activities into risk assessments, supervisory plans, and scope memoranda, considering the size, activities, and complexity of the organization, as well as the degree of reliance on these systems across particular business lines.
3. Assess the organization’s critical IT systems—those that support its major business activities—and the degree of reliance those activities have on IT systems. (See the FFIEC Information Systems Examination Handbook for more information on reviewing the IT function.)
4. Determine if the systems are delivering the services necessary for the organization to conduct its business in a safe and sound manner.
5. Determine whether the board of directors and senior management are adequately identifying, measuring, monitoring, and controlling risks associated with IT for the overall organization and its major business activities.
6. Determine if the IT strategy for the significant business activities or the organization is consistent with the organization’s mission and business objectives. Determine whether the IT function has effective management processes to execute that strategy.
7. Review the reliability, accuracy, and completeness of information delivered in key business lines.
8. Review the bank’s information security program. Assess the adequacy of the organization’s policies, procedures, and controls, as well as its compliance with them.
9. Determine the capability of backup systems, as presented in contingency plans, to mitigate business disruption.
10. Ascertain the quality and adequacy of the internal or external IT audit function or any independent application reviews to ensure the integrity, security, and availability of the organization’s systems.
11. Complete or update the information technology internal control questionnaire (section 4060.4) for the specific applications identified in step 1 of these procedures, noting any of the following:
a. internal control exceptions and noncompliance with written policies, practices, and procedures
b. violations of law
c. exceptions to IT-servicing contracts
d. overall evaluation of services provided to the bank, including any problems experienced with the servicer
12. Complete or update the “Establishing Information Security Standards” portion of the internal control questionnaire. (See section 4060.4.) Examiners should use this information to assess an institution’s compliance with the interagency information security standards and the guidelines for the proper disposal of consumer information. Depending on the nature of the institution’s operations and the extent of prior supervisory review, all questions may not need to be answered fully. Other examination resources may also be used (for example, the FFIEC Information Systems Examination Handbook). Examiners should conduct a review that is a sufficient basis for evaluating the overall written information security program of the institution and its compliance with the interagency guidelines.
13. Verify that the financial institution has determined initially, and periodically thereafter, whether it offers or maintains accounts covered by the Fair and Accurate Transactions Act of 2003 (FACT Act) and section 222, Subpart J—Identity Theft Red Flags of the Board’s rules on Fair Credit Reporting (12 CFR 222, Subpart J).
14. Determine if the financial institution has adequately developed and maintains a written Identity Theft Prevention Program (Program) that is designed to detect, prevent, and monitor transactions to mitigate identity theft in connection with the opening of certain new and existing accounts covered by the FACT Act.


15. Evaluate whether the Program includes reasonable policies and procedures to
a. identify and detect relevant Red Flags[1] for the financial institution’s covered accounts and whether it incorporated those Red Flags into its Program;
b. respond appropriately to any detected Red Flags to prevent and mitigate identity theft; and
c. ensure that the program is updated periodically to reflect changes in identity theft risks to customers and the safety and soundness of the financial institution.
16. If a required Program has been established by the financial institution, ascertain if it has provided for the Program’s continued administration, including
a. involving the board of directors, an appropriate committee thereof, or a designated employee at the level of senior management in the continued oversight, development, implementation, and administration of the Program;
b. training staff, as necessary, to effectively implement the Program; and
c. appropriate and effective oversight of service provider arrangements; and
17. If the financial institution has established and maintains a required Program that applies to its covered accounts, determine if the institution’s Program includes the relevant and appropriate guidelines within the rule’s appendix J (12 CFR 222, appendix J).
18. Determine whether the institution’s controls over outsourcing information- and transaction-processing activities are adequate. Evaluate the adequacy of controls over outsourcing arrangements in the following areas:
a. outsourcing risk assessment
b. selection of service providers
c. contracts
d. policies, procedures, and controls
e. ongoing monitoring
f. information access
g. audit
h. contingency plan
19. Determine whether the bank has properly notified the Federal Reserve Bank of new outsourced services in accordance with the Bank Service Corporation Act (12 U.S.C. 1865).
20. Review any recent IT reports of examination on the institution’s service providers performed by the Federal Reserve or other regulatory authorities, and note any deficiencies. Obtain a listing of any deficiencies noted in the latest audit review. Determine that all deficiencies have been properly corrected.
21. For banks with material in-house processing, use the Uniform Rating System for Information Technology (URSIT) rating system to help evaluate the entity’s overall risk exposure and risk-management performance. Evaluate the areas identified within each relevant URSIT component to assess the institution’s ability to identify, measure, monitor, and control IT risks.
22. Determine the extent of supervisory attention needed to ensure that IT weaknesses are addressed and that associated risk is properly managed. Determine the impact on CAMELS, the operational-risk rating, and any other risk ratings.
23. Prepare comments for the report of examination on any significant deficiencies and recommended corrective action.
24. Update the workpapers with any information that will facilitate future examinations.

[1] Red Flag means a pattern, practice, or specific activity that indicates the possible existence of identity theft.

Information Technology: Internal Control Questionnaire
Effective date October 2008, Section 5300.4

Review the bank’s internal controls, policies, practices, and procedures for information technology. The bank’s system should be documented completely and concisely and should include, where appropriate, narrative description, flow charts, copies of forms used, and other pertinent information. Items below that are marked with an asterisk require substantiation by observation or testing.

SERVICER SELECTION

1. Before entering into any service arrangement, did management consider—
a. alternative servicers and related costs?
b. the financial stability of the servicer?
c. the control environment at the data center?
d. emergency backup provisions?
e. the ability of the servicer to handle future processing requirements?
f. requirements for termination of service?
g. the quality of reports?
h. insurance requirements?
2. Is there an annual reevaluation of the servicer’s performance that includes—
a. its financial condition?
b. costs?
c. its ability to meet future needs?
d. its quality of service?

CONTRACTS

*1. Is each automated application covered by a written contract?
*2. Were contracts reviewed by legal counsel?
3. Does each service contract cover the following areas:
a. ownership and confidentiality of files and programs?
b. liability limits for errors and omissions?
c. frequency, content, and format of input and output?
d. the fee structure, including—
• current fees?
• provisions for changing fees?
• fees for special requests?
e. provisions for backup and record protection?
f. the notice required (by either party) for termination of service and the return of customer records in a machine-readable form?
g. time schedules for receipt and delivery of work, including processing priorities?
h. the insurance carried by the servicer?
i. liability for documents in transit?
j. audit responsibility?
k. a provision to supply the serviced institution with yearly financial statements (preferably audited with both consolidated and unconsolidated figures when applicable)?

INSURANCE

*1. Does the serviced institution’s insurance coverage include the following provisions:
a. extended blanket bond fidelity coverage to employees of the servicer?
b. insurance on documents in transit, including the cash letter?
c. if the serviced institution is relying on the servicer or an independent courier for the insurance described above, is adequate evidence of that coverage on file?

OPERATIONAL CONTROLS

*1. Are duties adequately separated for the following functions:
a. input preparation?
b. operation of data-entry equipment?
c. preparation of rejects and unposted items for reentry?
d. reconcilement of output to input?
e. output distribution?
f. reconcilement of output to general ledger?
g. posting general ledger?
2. Are employee duties periodically rotated for control and training purposes?
3. Do supervisors or officers—
a. adequately review exception reports?
b. approve adjusting entries?


4. Are servicer personnel prohibited from initiating transactions or correcting data?
5. Are individuals prohibited from initiating or authorizing a transaction and then executing it?
6. Are employees at the serviced institution required to be absent from their duties (by vacation or job rotation) for two consecutive weeks?
7. Are master-file changes—
a. requested in writing?
b. approved by a supervisor?
c. verified as correct after processing?
*8. Are exception reports prepared for—
a. unposted and rejected items?
b. supervisory-override transactions?
c. master-file changes (before and after)?
d. dormant-account activity?
*9. Does each user department—
a. establish dollar and nondollar control totals before they are sent for processing?
b. receive all scheduled output reports even when the reports contain no activity?
c. review all output and exception reports?
*10. Are current user manuals available for each application, and do employees use them?
11. Does each user manual cover—
a. preparation and control of source documents?
b. control, format, and use of output?
c. settlement and reconcilement procedures?
d. error-correction procedures?
12. Are users satisfied with the servicer’s performance and output reports? (If not, explain.)
13. Are computer-generated entries subsequently reviewed and approved by appropriate officials?
*14. Does the serviced institution copy all source documents, including cash letters, on microfilm before they leave the premises? If so—
a. is the microfilm stored in a secure location with limited access?
b. is an inventory and usage log maintained?

COMMUNICATION CONTROLS

*1. Is user access to the data communication network controlled by—
a. user number?
b. physical keys?
c. passwords?
d. other safeguards (explain)?
2. Are periodic changes made to numbers, keys, or passwords, and are they adequately controlled?
3. Are identification numbers or passwords suppressed on all printed output and video displays?
4. Are terminals controlled as to—
a. what files can be accessed?
b. what transactions can be initiated?
c. specific hours of operations?
5. Do controls over restricted transactions and overrides include—
a. supervisory approval?
b. periodic management review?
*6. Are there exception reports that indicate—
a. all transactions made at a terminal?
b. all transactions made by an operator?
c. restricted transactions?
d. correcting and reversing entries?
e. dates and times of transactions?
f. unsuccessful attempts to gain access to the system or to restricted information?
g. unusual activity?
7. Overall, are there adequate procedures in effect that prevent unauthorized use of the data communication systems?
8. To back up online systems—
a. are offline capabilities available (explain)?
b. are the offline capabilities periodically tested?

AUDITING

1. Is there an internal auditor or member of management not directly involved in EDP activities who has been assigned responsibility for the audit function?
2. Does that individual have any specialized audit or EDP training?
3. Are there written internal audit standards and procedures that require—
a. review of all automated applications?
b. reports to the board of directors?
c. audit workpapers?
4. Does the person responsible for the

October 2008 Commercial Bank Examination Manual Page 2 Information Technology: Internal Control Questionnaire 5300.4

audit function perform the following methods for compliance and enforcement? procedures: 3. Does the bank periodically update its a. test the balancing procedures of all information security program to reflect automated applications, including the changes in the bank’s operations and sys- disposition of rejected and unposted tems, as well as changes in threats or risks items? to the bank’s customer information? b. periodically sample master-file infor- 4. Does the examination review of the bank’s mation to verify it against source process for assessing risk to its custo- documents? mer information address the following c. spot-check computer calculations, such questions: as interest on deposits, loans, securities, a. Has the bank identified the locations, loan rebates, service charges, and past- systems, and methods for storing, pro- due loans? cessing, transmitting, and disposing of d. verify output report totals? its customer information? e. check accuracy of exception reports? b. Has the bank identified reasonably fore- f. review master-file changes for accuracy seeable internal and external threats and authorization? that could result in unauthorized disclo- g. trace transactions to final disposition to sure, misuse, alteration, or destruction determine the adequacy of audit trails? of customer information or customer h. review controls over program-change information systems, and has the bank requests? assessed the likelihood of these threats i. perform customer confirmations? and their potential damage to the bank j. other (explain)? and its customers? 5. Does the serviced institution obtain and 5. With respect to the bank’s risk-management review the servicer’s internal or external processes for implementing effective mea- audits or third-party reviews? (If yes, detail sures to protect customer information, does exceptions and corrective action.) the bank adopt and review appropriate 6. 
Has the serviced institution used an inde- risk-based internal controls and proce- pendent auditor to evaluate EDP servicing dures for the following: (if yes, detail exceptions and corrective a. accessing controls on computer systems action)? containing customer information in 7. Is the overall audit program for serviced order to prevent access by unauthorized applications considered adequate? staff or other individuals? b. preventing employees from providing customer information to unauthorized individuals, including ‘‘pretext call- ESTABLISHMENT OF ing,’’ that is, someone calling a bank INFORMATION SECURITY and posing as a customer to fraudu- STANDARDS lently obtain an individual’s personal information? (See SR-01-11.) 1. Does the bank have a written information c. providing access restrictions at physical security program or policy that complies locations containing customer informa- with the Interagency Guidelines Establish- tion, such as buildings, computer facili- ing Information Security Standards, in ties, and records-storage facilities, in Regulation H, appendix D-2 (12 CFR 208, order to permit access to authorized appendix D-2)? Has the board of directors individuals only? or an appropriate designated committee of d. encrypting electronic customer informa- the board approved the written informa- tion, including information that is in tion security program? transit or in storage on networks or 2. Is the written information security pro- systems, when unauthorized individu- gram appropriate given the size and com- als are able to gain access to it? plexity of the organization and its opera- e. ensuring that modifications to customer tions? Does the program contain the information systems are consistent with objectives of the program, assign respon- the bank’s information security sibility for implementation, and provide program?

Commercial Bank Examination Manual April 2015 Page 3 5300.4 Information Technology: Internal Control Questionnaire

f. maintaining dual-control procedures, ers, taking into consideration informa- segregation of duties, and background tion security? checks for employees with access to b. do the bank’s contracts with its service customer information to minimize the providers require implementation of risk of internal misuse of customer appropriate information security pro- information? grams and measures? g. monitoring systems and procedures to c. where appropriate and based on risk, detect unauthorized access to customer does the bank monitor its service pro- information systems that could com- viders to confirm that they are maintain- promise the security of customer ing appropriate security measures to information? safeguard the bank’s customer informa- h. maintaining and complying with the tion? Does the bank, for example, con- minimum requirements for response duct or review the results of audits, programs that specify actions to be security reviews or tests, or other taken when the bank suspects or detects evaluations? that unauthorized individuals have gained access to customer information 9. Does the bank’s management report at systems? (These programs include least annually to the board of directors, or appropriate reports, such as Suspicious to a designated appropriate board commit- Activity Reports, disseminated to regu- tee, on the overall status of the information latory and law enforcement agencies.) security program and the extent of the See the requirements for suspicious- bank’s compliance with the standards and activity reporting in section 208.62 of guidelines? the Board’s Regulation H (12 CFR 208.62), and the Bank Secrecy Act compliance program in section 208.63 (12 CFR 208.63). IDENTITY THEFT RED FLAGS i. providing measures to protect against destruction, loss, or damage of cus- 1. 
Did the bank (financial institution) deter- tomer information due to potential mine initially, and has it periodically deter- environmental hazards, such as fire and mined, whether it offers or maintains water damage or technological failures? accounts covered by the Fair and Accurate j. providing measures to ensure the proper Transactions Act of 2003 (FACT Act) and disposal of consumer information section 222, Subpart J—Identity Theft Red derived from consumer reports? Flags of the Board’s rules on Fair Credit 6. Have the bank’s employees been trained Reporting (12 CFR 222, Subpart J)? to implement the information security program? 2. Has the financial institution adequately de- 7. Does the bank regularly test the effective- veloped and maintained a written Identity ness of the key controls, systems, and Theft Prevention Program (Program) that is procedures of its information security pro- designed to detect, prevent, and mitigate gram? These tests may include, for exam- identity theft in connection with the open- ple, tests of operational contingency plans, ing of new and existing accounts that are system security audits or ‘‘penetration’’ covered by the FACT Act? tests, and tests of critical internal controls 3. Did the financial institution evaluate whether over customer information. Are tests con- its Program includes reasonable policies ducted and reviewed independently by the and procedures to bank’s designated staff? a. identify relevant Red Flags1 for the finan- 8. Does the bank provide customer informa- cial institution’s covered accounts and tion to any service providers, or do any has it incorporated those Red Flags into service providers have access to customer its Program; information as a result of providing ser- vices directly to the bank? If so— a. has the bank conducted appropriate due 1. Red Flag means a pattern, practice, or specific activity diligence in selecting its service provid- that indicates the possible existence of identity theft.

April 2015 Commercial Bank Examination Manual Page 4 Information Technology: Internal Control Questionnaire 5300.4

b. respond appropriately to prevent and c. the methods it provides to access its mitigate identity theft detected by any covered accounts; Red Flags; and d. its previous experiences with identity c. ensure that the Program is updated peri- theft; and odically to reflect changes in identity e. changes in the financial institution’s busi- theft risks to customers and to the safety ness arrangements, including its merg- and soundness of the financial institution? ers, acquisitions, and joint ventures, and 4. Has the Program included Red Flags from its alliances and service provider sources such as arrangements? a. incidents that the financial institution has 8. Does the Program’s policies and procedures experienced; address the detection of Red Flags in con- b. methods of identity theft that the finan- nection with the financial institution’s open- cial institution has identified that reflects ing of covered accounts and existing cov- changes in identity theft risks; and ered accounts such as by c. applicable supervisory guidance? a. obtaining identifying information about, 5. Does the Program include relevant Red and verifying the identity of, a person Flags from the following categories (see opening a covered account; and supplement A to appendix J): b. authenticating customers, monitoring a. alerts, notifications, or other warnings transactions; and verifying the validity received from consumer reporting agen- of change of address requests? cies or service providers, such as a fraud 9. If a required Program has been established detection services; by the financial institution, has it provided b. the presentation of suspicious documents; for the Program’s continued administration c. the presentation of suspicious personal by identifying information, such as a suspi- a. involving the board of directors, an ap- cious address change; propriate committee thereof, or a desig- d. 
the unusual use of, or other suspicious nated employee at the level of senior activity related to, a covered account; management in the continued oversight, and development, implementation, and ad- e. notice from customers, victims of iden- ministration of the Program? tity theft, law enforcement authorities, or b. training staff, as necessary, to effectively other persons regarding possible identity implement the Program? theft in connection with covered accounts c. providing appropriate and effective over- held by the financial institution or sight of its service provider arrangements? creditor? 6. If the financial institution has established and maintained a required Program, has the CONCLUSION institution’s Program included the relevant and appropriate guidelines that are found in 1. Does the foregoing information constitute the Board’s rule’s appendix J (12 CFR 222, an adequate basis for evaluating internal appendix J)? control (that is, no significant deficiencies 7. Were the examples of factors in appendix in areas not covered in this questionnaire J’s guidelines considered initially, and peri- impair any controls)? Explain negative odically, to determine the relevancy and answers briefly and indicate any additional appropriateness of the Program’s Red Flags, examination procedures deemed necessary. such as 2. On the basis of a composite evaluation, as a. the types of accounts it offers or maintains; evidenced by answers to the foregoing b. the methods it provides to open its cov- questions, is internal control considered ered accounts; adequate or inadequate?
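Several of the questions above ask whether particular detective controls exist: exception reports for unsuccessful access attempts, overrides, correcting entries, off-hours terminal use and dormant-account activity (Communication Controls *6, Auditing 4e, *8); user-department control totals that are reconciled to what was processed (*9a, Auditing 4d); and detection of Red Flags such as a suspicious address change (Identity Theft Red Flags 5 and 8). The Python below is an added example written for this edition, not code or text from the manual or from any examined institution, showing what each of those controls looks like when run over a terminal-activity log. The log format, field layout, business hours, dormant-account list and declared control totals are all constructed assumptions.

```python
"""Exception report, control-total reconcilement and Red Flag checks over a
constructed terminal-activity log. Added example; not text or code from the manual."""
from collections import defaultdict
from datetime import datetime, timedelta
from decimal import Decimal

# Constructed sample log. The field layout is an assumption of this example:
# timestamp|terminal|operator|event|account|amount|batch|detail
SAMPLE_LOG = """\
2024-03-04T09:02:11|T01|op17|LOGIN_FAIL|-|0.00|-|bad password
2024-03-04T09:02:40|T01|op17|LOGIN_FAIL|-|0.00|-|bad password
2024-03-04T09:03:05|T01|op17|LOGIN_OK|-|0.00|-|-
2024-03-04T09:15:00|T01|op17|POST|1001|250.00|B1|deposit
2024-03-04T09:16:30|T01|op17|POST|1002|-75.25|B1|check
2024-03-04T09:20:12|T01|op17|REVERSE|1002|75.25|B1|posting error
2024-03-04T10:41:09|T02|op23|OVERRIDE|1003|5000.00|B1|limit override approved by sup4
2024-03-04T11:05:00|T02|op23|POST|1004|40.00|B1|withdrawal
2024-03-04T11:30:00|T02|op23|ADDR_CHANGE|1004|0.00|-|new mailing address
2024-03-04T21:47:33|T03|op31|POST|1005|900.00|B2|transfer
2024-03-04T21:48:10|T03|op31|POST|1099|120.00|B2|withdrawal
2024-03-09T14:02:00|T02|op23|CARD_REQUEST|1004|0.00|-|replacement card
"""
# Control totals the user department established before sending each batch
# (constructed: B2 was sent with three items, but only two reached processing).
DECLARED_TOTALS = {"B1": (5, Decimal("5290.00")), "B2": (3, Decimal("1520.00"))}
DORMANT_ACCOUNTS = {"1099"}      # assumed: no customer activity for a long period
BUSINESS_HOURS = (8, 18)         # assumed: terminals authorised 08:00-17:59 only
MONETARY = {"POST", "REVERSE", "OVERRIDE"}

def parse_log(text):
    """Split pipe-delimited records into dicts; timestamps and amounts are typed."""
    records = []
    for line in text.strip().splitlines():
        ts, terminal, operator, event, account, amount, batch, detail = line.split("|")
        records.append({"ts": datetime.fromisoformat(ts), "terminal": terminal,
                        "operator": operator, "event": event, "account": account,
                        "amount": Decimal(amount), "batch": batch, "detail": detail})
    return records

def control_totals(records):
    """Nondollar (item count) and dollar totals per batch, as actually processed."""
    totals = defaultdict(lambda: [0, Decimal("0")])
    for r in records:
        if r["event"] in MONETARY and r["batch"] != "-":
            totals[r["batch"]][0] += 1
            totals[r["batch"]][1] += r["amount"]
    return {batch: (count, total) for batch, (count, total) in totals.items()}

def reconcile(records, declared):
    """Batches whose processed totals differ from the user department's totals;
    a batch that never arrived is reported as processed (0, 0)."""
    processed = control_totals(records)
    out_of_balance = {}
    for batch, declared_pair in declared.items():
        processed_pair = processed.get(batch, (0, Decimal("0")))
        if processed_pair != declared_pair:
            out_of_balance[batch] = {"declared": declared_pair, "processed": processed_pair}
    return out_of_balance

def exception_report(records, dormant, hours):
    """The categories the questionnaire expects exception reports to show."""
    start, end = hours
    report = defaultdict(list)
    for r in records:
        if r["event"] == "LOGIN_FAIL":
            report["unsuccessful access attempts"].append(r)
        if r["event"] == "OVERRIDE":
            report["supervisory-override transactions"].append(r)
        if r["event"] == "REVERSE":
            report["correcting and reversing entries"].append(r)
        if r["event"] in MONETARY and not start <= r["ts"].hour < end:
            report["terminal activity outside authorised hours"].append(r)
        if r["event"] in MONETARY and r["account"] in dormant:
            report["dormant-account activity"].append(r)
    return dict(report)

def red_flags(records, window_days=30):
    """Red Flag: a replacement card requested shortly after an address change on
    the same account (one of the supplement A patterns around address changes)."""
    last_change, flags = {}, []
    for r in sorted(records, key=lambda x: x["ts"]):
        if r["event"] == "ADDR_CHANGE":
            last_change[r["account"]] = r["ts"]
        elif r["event"] == "CARD_REQUEST" and r["account"] in last_change:
            gap = r["ts"] - last_change[r["account"]]
            if gap <= timedelta(days=window_days):
                flags.append((r["account"], f"card request {gap.days} days after address change"))
    return flags

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("out of balance:", reconcile(recs, DECLARED_TOTALS))
    for category, items in exception_report(recs, DORMANT_ACCOUNTS, BUSINESS_HOURS).items():
        print(f"{category}: {len(items)} item(s)")
    print("red flags:", red_flags(recs))
```

Two design points matter when an examiner reviews a real implementation of this kind. First, the control totals are computed from the processed records rather than copied from the batch header, so a short batch (B2 in the sample) shows up as a difference instead of balancing to itself. Second, the exception categories are keyed on the event type, not on the operator's or terminal's own claims, which is what makes the report usable as evidence that the terminal-hours and override controls in Communication Controls 4 and 5 actually operate.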

Electronic Banking Effective date October 2011 Section 5310.1

Electronic and Internet banking products and services have been widely adopted by financial institutions and are now a regular component of the business strategies at most institutions. Electronic and Internet delivery of services can have many far-reaching benefits for financial institutions and their customers. In some cases, however, these activities can have implications for a financial institution’s financial condition, risk profile, and operating performance.

EXAMINATION APPROACH

In general, examiners should review electronic and Internet banking activities when these services are newly implemented, particularly in institutions that may not have significant experience or expertise in this area or when an institution is conducting novel activities that may pose a heightened risk. Periodic reviews should be conducted thereafter based on any significant changes to the scope of services or nature of the operations, as indicated by an assessment of risk to the institution.

Clearly, electronic and Internet banking concerns could affect an institution’s operational-risk profile. Yet these activities could also affect other financial and business risks, depending on the specific circumstances. Accordingly, examiners should consider an institution’s electronic and Internet banking activities when developing risk assessments and supervisory plans. Although electronic and Internet banking may be assessed within the context of an information technology review, the nontechnical aspects of an electronic banking operation should be reviewed and coordinated closely with other examination areas. Rather than conduct detailed technical reviews, examiners should assess the overall level of risk any electronic and Internet banking activities may pose to the institution and the adequacy of its approach to managing these risks.

To determine the scope of supervisory activities, close coordination is needed with information technology specialist examiners and consumer compliance examiners during the risk-assessment and planning phase, as well as during on-site examinations. Given the variability of electronic and Internet banking environments, the level of technical expertise required for a particular examination will differ across institutions and should be identified during the planning phase of the examination. When the bank has developed the electronic and Internet banking products or services internally, or when a direct connection exists between the institution’s electronic and Internet banking systems and its core data processing system, consideration should be given to involving an information technology specialist examiner in the on-site review. The determination of the examination scope should be based on factors such as the following:

• implementation of significant new electronic banking products and services since the last examination
• significant changes in the composition or level of customers, earnings, assets, or liabilities generated or affected by the electronic banking activities
• new or significantly modified systems or outsourcing relationships for activities related to electronic banking
• the need for targeted examinations of business lines that rely heavily on the electronic banking systems or activities
• other potential problems or concerns that may have arisen since the last examination, or the need to follow up on previous examination or audit issues

Many resources are available to examiners for reviewing electronic and Internet banking activities. In addition to the procedures in this section, further information can be found in section 4060.1, “Information Technology,” and in the Federal Financial Institutions Examination Council (FFIEC) Information Systems Examination Handbook. Other federal banking agencies have issued examination guidance relating to electronic and Internet banking, information technology, and information security that may be helpful to examiners in reviewing electronic banking activities. Consumer compliance issues are not addressed in this section.1

1. See the Federal Reserve regulations, FFIEC, and other interagency supervisory guidance. See also the FFIEC’s “Guidance on Electronic and Consumer Compliance” (July 15, 1998), for further information regarding compliance with consumer laws and regulations.

Commercial Bank Examination Manual October 2011 Page 1 5310.1 Electronic Banking

OVERVIEW OF ELECTRONIC BANKING SERVICES

Types of Services

Electronic banking services (including Internet banking services) are designed to provide banking customers with the capability to conduct banking business remotely through personal computers and other electronic devices. Electronic banking comprises personal computer (PC) banking through traditional proprietary communication channels; retail and corporate Internet banking services; telephone banking; and, potentially, other forms of remote electronic access to banking services.

Both large and small institutions offer a variety of Internet-based financial services. Many financial institutions are using the Internet to enhance their service offerings to existing customers. Other organizations may choose to expand their customer base to a wider geographic area by accepting online applications for loan and deposit products. A very small number of banking organizations are focusing on the Internet as their primary delivery channel, whether or not they maintain physical branches.

Current electronic banking products and services typically allow customers to obtain information on bank products and services through the bank’s Internet web sites, apply online for new products and services, view loan- and deposit-account balances and transactions, transfer funds between accounts, and perform other banking functions. Most electronic banking services operate using standard Internet browser software installed on the customer’s personal computer and do not require that the customer have any additional software or hardware. While electronic banking services have been oriented toward retail customers, many banking organizations offer small-business applications and corporate cash-management services through the Internet. These services typically include payroll, automated clearinghouse (ACH), and wire transfers. Wholesale banking services, which have been conducted electronically for many years, are also beginning to move from proprietary networks and communications channels to the Internet.

Information-only web sites provide the most basic and common form of electronic banking service. Most institutions contract with an Internet service provider (ISP) to provide Internet access and “host,” or maintain and operate, the institution’s web site. In some cases, the web site is maintained on the institution’s own computers (web servers). Even if access to account information is not possible through the web site, institutions may receive e-mail inquiries from customers through their web site.

Transactional Internet banking sites allow customers to obtain online access to their account information and initiate transactions over the Internet. With most Internet banking services, the customer interacts with a stand-alone Internet banking system that has been preloaded with the customer’s account balances, transaction history, and other information. Transactions initiated through the Internet banking system are processed by a separate Internet banking application and periodically posted to the institution’s general ledger, deposit, and loan accounting systems. Interface or connection with the financial institution’s core data processing and accounting systems typically occurs through either (1) a direct connection to the core processing system over a network or (2) a manual download or transfer of transaction data to a diskette or other portable media, which is then uploaded or sent to the core processing system. Most standardized Internet banking software packages now available have been designed with standard interfaces between Internet banking systems and common core-processing systems and software.

Electronic bill-payment services are typically provided to customers as part of most standard electronic banking services. These services generally include capabilities to pay any third party the customer designates, as well as to pay companies designated for routine bill payments, such as utilities and credit card issuers. Electronic bill-presentment services, which are much less common, involve the electronic transmission of billing statements to the customer through e-mail or a web site, for subsequent payment through the electronic banking service.

Telephone banking, a fairly conventional form of electronic banking, is provided by many institutions. Telephone banking services generally allow customers to check account balances and transactions and to pay bills through touch-tone or voice-response systems. Banking organizations also offer consumer products and services through wireless devices, such as cellular telephones, pagers, personal digital assistants, handheld computers, or other devices that can provide wireless access to an institution’s services, either directly or through the Internet.

Account aggregation is a web-based service offered by some financial institutions that consolidates customer-account information from multiple financial or commercial web sites and presents it on a single web site. Aggregated information may include information from financial and nonfinancial accounts held by the customer. Some institutions have established “portals,” web sites that link customers to a variety of third-party sites, and alliances with other companies to provide banking or nonbanking services.

Operations

There are a variety of operational methods for providing electronic banking services. Banking organizations may perform their core data processing internally but outsource the Internet banking activities to a different vendor or service provider. A dedicated workstation at the financial institution is often used to transmit transaction data files between the institution’s core processing system and the Internet application; the workstation also allows the financial institution to update parameters and perform other maintenance. Alternatively, the service provider for Internet banking may interface directly with the bank’s core-processing service provider, if that function is also outsourced. In addition, many banking organizations purchase Internet banking services from their primary core-processing service provider, eliminating the need for external data transmissions. Even with this last structure, the institution maintains a local workstation to provide access to customer information or perform other administrative and maintenance functions for the Internet banking system.

Other institutions operate an electronic banking system in their own computer facilities by purchasing an “off-the-shelf” or turnkey electronic banking software application from a software vendor and then installing the software on their own system. Turnkey options vary from a bank’s purchase and use of templates or modules, in which the bank chooses from a selection of standard services, to more complex situations in which the software vendor designs and develops the electronic banking software application to the bank’s specifications. Turnkey vendors often provide hardware, software, and ongoing system service and maintenance.

Bill-payment processing is generally conducted through a specialized third-party processor. The payment processor receives payment instructions from the financial institution or the Internet banking service provider, initiates an ACH debit to the account of the customer, and credits the account of the payee. Payments to payees not set up to receive ACH payments, such as individuals and smaller companies, are transmitted by mailing a paper check to the payee.

RISK MANAGEMENT

Board and Management Oversight

Financial institutions commonly implement electronic banking services as a means of delivering existing banking products and services to existing customers. As a result, not all institutions have established a distinct risk-management program for electronic banking. In many cases, policies and procedures for electronic banking activities will be incorporated into existing policies and procedures, such as those governing deposit accounts, payments processing, information security, and lending functions.

Bank management should assess the financial impact of the implementation and ongoing maintenance of electronic banking services. For example, ongoing maintenance and marketing costs of Internet banking operations can be substantial, particularly for smaller banks, depending on the institution’s business plan. Bank management should consider the potential impact on the institution’s customer base, loan quality and composition, deposit volume, volatility, liquidity sources, and transaction volume, as well as the impact on other relevant factors that may be affected by the adoption of new delivery channels. These areas should be monitored and analyzed on an ongoing basis to ensure that any impact on the institution’s financial condition resulting from electronic banking services is appropriately managed and controlled.

In addition, bank management may wish to review periodic reports tracking customer usage, problems such as complaints and downtime, unreconciled accounts or transactions initiated through the electronic banking system, and system usage relative to capacity. Management should also consider the expertise of internal or external auditors to review electronic banking activities and the inclusion of electronic banking activities within audit plans. Insurance policies may need to be updated or expanded to cover losses due to system security breaches, system downtime, or other risks from electronic banking activities.2

A change in an institution’s business strategy to an Internet-only or Internet-focused operation is generally considered a significant change in business plan.3 In addition, certain technology operations, such as providing ISP services to the general public, may not be considered permissible banking activities, or may be considered permissible by the institution’s chartering authority only within certain limitations.

A financial institution should also consider legal ownership of its Internet address (for example, www.bankname.com), also known as its “domain name.” Contracts with third-party vendors may specifically address any arrangements to have the third-party vendor register the domain name on behalf of the institution.

2. See section 4040.1, “Management of Insurable Risks,” for further information about fraud and computer-related insurance that may be applicable to electronic banking activities.

3. Regulation H sets forth the requirements for membership of state-chartered banks in the Federal Reserve System and imposes certain conditions of membership on applicant banks. A member bank must “at all times conduct its business and exercise its powers with due regard to safety and soundness” and “may not, without the permission of the Board, cause or permit any change in the general character of its business or in the scope of the corporate powers it exercises at the time of admission to membership” (12 CFR 208.3(d)(1) and (2)).

Operational and Internal Controls

Web Site Information Maintenance

Because an institution’s web site is available on an ongoing basis to the general public, appropriate procedures should be established to ensure the accuracy and appropriateness of its information. Key information changes and updates, such as loan rates, are normally subject to documented authorization and dual verification. Establishing procedures and controls to frequently monitor and verify web site information may help prevent any inadvertent or unauthorized modifications or content, which could lead to reputational damage or violations of advertising, disclosure, or other compliance requirements.

In addition, some institutions provide financial-calculator, financial-management, tax-preparation, and other interactive programs to customers. Institutions may provide online resources for customers to research available options associated with savings products, mortgages, investments, insurance, or other products and services. To protect the institution from potential liability or reputational harm, the bank should test or otherwise verify the accuracy and appropriateness of these tools.

Banks should carefully consider how links to third-party Internet web sites are presented. Hyperlinks to other web pages provide customers with convenient access to related or local information, as well as provide a means for targeted cross-marketing through agreements between the institution and other web site operators. However, such linkages may imply an endorsement of third-party products, services, or information that could lead to implicit liability for the institution. As a result, institutions commonly provide disclaimers when such links take the customer to a third-party web site. Institutions should ensure that they clearly understand any potential liabilities arising out of any cross-marketing arrangements or other agreements with third parties. Any links to sites offering nondeposit investment or insurance products must comply with relevant interagency guidelines.4 Links to other sites should be verified regularly for their accuracy, functionality, and appropriateness.

4. See section 4170.3, “Examination Procedures—Retail Sales of Nondeposit Investment Products,” and the consumer protection rules for sales of insurance (65 Fed. Reg. 75,822 (December 4, 2000)).

Customer Authentication in an Electronic Banking Environment and Administrative Controls

Customer authentication guidance issuances. The federal banking agencies have issued various iterations of examination guidance on authentication in an Internet banking environment to assist examiners with this evolving issue. On August 8, 2001, the FFIEC initially released “Authentication in an Electronic Banking Environment,” which reviewed the risks and risk-management controls of authentication tools used to verify the identity of new customers and authenticate existing customers. In response to significant legal and technological changes, the FFIEC issued a similarly titled statement on October 12, 2005, which replaced the 2001 guidance. As discussed in this section, the 2005 guidance addressed the need for risk-based assessments, customer awareness, and enhanced security measures to authenticate customers using Internet-based products and services that process high-risk transactions involving access to customer information or the movement of funds to other parties. One of the key points of emphasis of the guidance was that single-factor authentication, as the only control mechanism, is inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties. (See SR-05-19.) To assist the banking industry and examiners, the Board, the FFIEC, and the other federal banking and thrift agencies issued frequently asked questions (FAQs) on August 15, 2006. (See SR-06-13.) The FAQs are designed to assist financial institutions and their technology service providers in conforming to the guidance by addressing common questions on scope, risk assessments, timing, and other issues.

On June 29, 2011, the FFIEC released the “Supplement to Authentication in an Internet Banking Environment.” (See SR-11-9.) The purpose of the 2011 supplement is to reinforce the existing guidance on the risk-management framework and to update the agencies’ expectations regarding customer authentication, layered security, and other controls in the increasingly hostile online environment. The supplement establishes minimum control expectations for certain online banking activities and identifies controls that are less effective in certain situations.

Customer authentication background. Authentication describes the process of verifying the identity of a person or entity. The authentication process is one method used to control access to customer accounts and personal information, and it depends on customers providing valid identification data followed by one or more authentication credentials (factors) to prove their identity.

Many banks use the same account-opening procedures for electronic applications as they do for mailed or in-person applications. Procedures for accepting electronic account applications generally address areas such as—

• the type of funding accepted for initial deposits;
• funds-availability policies for deposits in new accounts;
• the timing of account-number, check, and ATM-card issuance;
• the minimum customer information required to open new accounts;
• single-factor, tiered single-factor, and multifactor authentication procedures for verification of information provided by the applicant (for example, verifying customer information against credit bureau reports); and
• screening for prior fraudulent account activity, typically using fraud-detection databases.5

5. For information on practices that may help prevent fraudulent account activity, see SR-01-11, “Identity Theft and Pretext Calling.”

Strong customer-authentication practices are necessary to help institutions detect and reduce fraud, detect and reduce identity theft, and enforce anti-money-laundering measures. Customer interaction with institutions continues to migrate from physical recognition and paper-based documentation to remote electronic access and transaction initiation. Significant risks potentially arise when an institution accepts new customers through the Internet or other purely electronic channels, because of the absence of the physical cues that bankers traditionally use to identify individuals. Doing business with unauthorized or incorrectly identified individuals in an electronic banking environment could result in financial loss and reputational damage.

In addition to limiting unauthorized access, effective authentication provides institutions with the appropriate foundation for electronic agreements and transactions. First, effective authentication provides the basis for the validation of parties to the transaction and their agreement to its terms. Second, authentication is a necessary element to establish the authenticity of the records evidencing the electronic transaction if there is ever a dispute. Third, authentication is a necessary element for establishing the integrity of the records evidencing the electronic transaction. Because state laws vary, management should involve legal counsel in the design and implementation of authentication systems.

The success of a particular authentication method depends on more than the technology.


Success also depends on an institution’s having appropriate policies, procedures, and controls. An effective authentication method has the following characteristics: customer acceptance, reliable performance, scalability to accommodate growth, and interoperability with existing systems and future plans. The June 29, 2011, ‘‘Supplement to Authentication in an Internet Banking Environment’’ discusses the effectiveness of certain authentication techniques, namely device identification and the use of challenge questions.

Institutions can use a variety of authentication tools and methodologies to authenticate customers. These tools include the use of passwords and personal identification numbers (PINs), digital certificates using a public key infrastructure (PKI), physical devices such as smart cards or other types of ‘‘tokens,’’ database comparisons, and biometric identifiers. The level of risk protection afforded by each of these tools varies and is evolving as technology changes.

Existing authentication methodologies involve three basic ‘‘factors’’:

• something the user knows (a password or PIN)
• something the user possesses (an ATM card or a smart card)
• something the user is (a biometric characteristic, such as a fingerprint or retinal pattern)

Authentication methods that depend on more than one factor typically are more difficult to compromise than single-factor systems. Accordingly, properly designed and implemented multifactor authentication methods are more reliable indicators of authentication and are stronger fraud deterrents. For example, the use of a log-on ID or password is single-factor authentication (something the user knows), whereas a transaction using an ATM typically requires two-factor authentication (something the user possesses—the card—combined with something the user knows—the PIN). In general, multifactor authentication methods should be used on higher-risk systems. Further, institutions should be sensitive to the fact that proper implementation is key to the reliability and security of any authentication system. For example, a poorly implemented two-factor system may be less secure than a properly implemented single-factor system.

Risk assessment. An effective authentication program should be implemented on an enterprise-wide basis to ensure that controls and authentication tools are adequate among all products, services, and lines of business. Authentication processes should be designed to maximize interoperability and should be consistent with the financial institution’s overall strategy for electronic banking and e-commerce customer services. The level of authentication a financial institution uses in a particular application should be appropriate to the level of risk in that application.

The implementation of appropriate authentication methods starts with an assessment of the risk posed by the institution’s electronic banking systems. The risk-assessment process should

• identify all transactions and levels of access associated with Internet-based customer products and services;
• identify and assess the risk-mitigation techniques, including authentication methodologies, employed for each transaction type and level of access; and
• include the ability to gauge the effectiveness of risk-mitigation techniques for current and changing risk factors for each transaction type and level of access.

The risk should be evaluated in light of the type of customer (retail or commercial), the institution’s transactional capabilities (bill payment, wire transfer, or loan origination), the sensitivity and value of the stored information to both the institution and the customer, the ease of using the authentication method, and the size and volume of transactions.

For example, online retail transactions generally involve accessing account information, bill payment, intrabank funds transfers, and occasional interbank funds transfers or wire transfers. Since the frequency and dollar amounts of these transactions are generally lower than commercial transactions, they pose a comparatively lower level of risk. Online commercial transactions generally involve ACH file origination and frequent interbank wire transfers. Since the frequency and dollar amounts of these transactions are generally higher than consumer transactions, they pose a comparatively increased level of risk to the institution and its customer. As such, it is recommended that institutions offer multifactor authentication to their business customers.

The Federal Reserve expects financial institutions to assess the risks to the institution and

its customers and to implement appropriate authentication methods to effectively manage risk. Financial institutions should review and update their existing risk assessments as new information becomes available, prior to implementing new electronic financial services, or at least every 12 months. (See FFIEC IT Examination Handbook, Information Security Booklet, July 2006, Key Risk Assessment Practices section.) Updated risk assessments should consider, but not be limited to, the following factors:

• changes in the internal and external threat environment (see the attachment to SR 11-9 for more information)
• changes in the customer base adopting electronic banking
• changes in the customer functionality offered through electronic banking
• actual incidents of security breaches, identity theft, or fraud experienced by the institution or industry

A comprehensive approach to authentication requires development of and adherence to corporate standards and architecture, integration of authentication processes within the overall information security framework, risk assessments within the institution’s lines of business that support the selection of authentication tools, and a central authority for oversight and risk monitoring. The authentication process should be consistent and support the financial institution’s overall security and risk-management programs.

The methods of authentication used in a specific electronic application should be appropriate and ‘‘reasonable,’’ from a business perspective, in light of the reasonably foreseeable risks in that application. Because the standards for implementing a commercially reasonable system may change over time as technology and other procedures develop, financial institutions and service providers should periodically review authentication technology and ensure appropriate changes are implemented.

Single-factor authentication tools, including passwords and PINs, have been widely utilized in a variety of retail e-banking activities, including account inquiry, bill payment, and account aggregation. However, not every online transaction poses the same level of risk. Therefore, financial institutions should implement more robust controls as the risk level of the transaction increases. Financial institutions should assess the adequacy of existing authentication techniques in light of changing or new risks (for example, the increasing ability of hackers to compromise less robust single-factor techniques or the risks posed by phishing, pharming, or malware). Financial institutions should no longer rely on one form of customer authentication. A one-dimensional customer authentication program is simply not robust enough to provide the level of security that customers expect and that protects institutions from financial and reputation risk. Instead, multifactor techniques are appropriate for high-risk applications and transactions, which involve access to customer information or the movement of funds to other parties. Institutions should recognize that a single-factor system may be ‘‘tiered’’ to enhance security without implementing a two-factor system. A tiered single-factor authentication system would include the use of multiple levels of a single factor (for example, the use of two or more passwords or PINs employed at different points in the authentication process).

Account origination and customer verification. Institutions need to use reliable methods for originating new customer accounts online. Customer-identity verification during account origination is important in reducing the risk of identity theft, fraudulent account applications, and unenforceable account agreements or transactions. In an electronic banking environment, reliance on traditional forms of paper-based authentication is decreased substantially. Accordingly, financial institutions need to use reliable alternative methods. For example, verification of personal information could include the following:

• Positive verification to ensure that material information provided by an applicant matches information available from trusted third-party sources. More specifically, an institution can verify a potential customer’s identity by comparing the applicant’s answers to a series of detailed questions against information in a trusted database (for example, a reliable credit report) to see if the information supplied by the applicant matches information in the database. As the questions become more specific and detailed, correct answers provide the institution with an increasing level of confidence that the applicants are who they say they are.
• Logical verification to ensure that information provided is logically consistent. (For example,


do the telephone area code, ZIP code, and street address match?)
• Negative verification to ensure that information provided has not previously been associated with fraudulent activity. For example, applicant information can be compared against fraud databases to determine whether any of the information is associated with known incidents of fraudulent behavior. In the case of commercial customers, however, sole reliance on online electronic database comparison techniques is not adequate since certain documents needed to establish an individual’s right to act on a company’s behalf (for example, bylaws) are not available from databases. Institutions must still rely on traditional forms of personal identification and document validation combined with electronic verification tools.

Transaction initiation and authentication of established customers. Once an institution has successfully verified a customer’s identity during the account-origination process, it should authenticate customers who wish to gain access to the system. Institutions can use a variety of methods to authenticate existing customers. These methods include the use of passwords, PINs, digital certificates and a PKI, physical devices such as tokens, and biometrics.

Minimizing fraud risk. An institution’s policies and procedures should address the management of existing customers’ accounts to minimize the risk of fraudulent activity. For example, the customer’s ability to expand an existing account relationship through the electronic banking system may warrant added controls, such as sending a separate notification to a customer’s physical address when online account access is first requested or when PINs, e-mail addresses, or other key parameters are changed.

To mitigate fraud risk, institutions may establish dollar limits on transactions initiated through the electronic banking application, or they may monitor transactions above specified limits, depending on the type of account (for example, consumer versus corporate). These limits or a similar monitoring system may help detect unusual account activity, which could indicate fraudulent transactions or other suspicious activity.

Funds transfer systems and Internet banking. Any manual interface between the electronic banking system and funds transfer systems, such as capabilities for uploading ACH or Fedwire transactions initiated through the electronic banking system to Fedline terminals, should be subject to system-access controls and appropriate internal controls, such as segregation of duties. Some institutions also permit electronic banking customers to initiate electronic (ACH) debits against accounts held at other institutions; reliable controls to verify that the customer is entitled to draw funds from the particular account are needed if this feature is offered.

Electronic bill-payment services are commonly provided as a component of electronic banking services. The institution should have a direct agreement with bill-payment providers, which may be subcontractors of the provider for the institution’s Internet banking services. In this situation, it may be difficult for the institution or its customers to obtain timely and accurate information regarding the status of payment requests. As a result, contracts with service providers that encompass bill-payment services should generally address how payments are made, when payments are debited from a customer account, the treatment of payments when the account has insufficient funds on the settlement date, reconcilement procedures, and problem-resolution procedures.

Even when Internet banking operations are outsourced to a service provider, institutions will generally have access to the electronic banking system through a dedicated desktop computer or workstation. This hardware allows the institution to upload and download transaction information; review transaction logs or audit trails; print daily reports; or, in some cases, reset customer passwords, resolve errors, or respond to customer inquiries. These workstations should be located in secure areas and be subject to normal authorization and access controls and transaction audit trails.

Information Security

Electronic banking activities should be addressed in an institution’s information security program, which should include compliance with the federal banking agencies’ information security standards.6 Institutions need to pay particular attention to the security of customer information, given the heightened security concerns associated with providing access to customer information over the Internet. An institution’s written information security policies and procedures should include electronic banking activities. Institutions should implement prudent controls that limit the risk of unauthorized access to key systems, including password-administration controls, firewalls, encryption of sensitive information while it is in transit or being stored, maintenance of all current updates and security patches to software and operating systems, and controls to prevent insider misuse of information. Sound information security practices include procedures and systems to detect changes to software or files, intrusion-detection systems, and security-vulnerability assessments.

6. See section 4060.1 under ‘‘Standards for Safeguarding Customer Information’’ for further details and examination procedures. See also SR-01-25. See also the FFIEC IT Examination Handbook, Information Security Booklet, July 2006, Key Concept section.

Sound information security practices are also based on the concept of layered security, which is the use of different controls at different points in a transaction process so that a weakness in one control is generally compensated for by the strength of a different control. Layered security can substantially strengthen the overall security of Internet-based services and be effective in protecting sensitive customer information, preventing identity theft, and reducing account takeovers and the resulting financial losses. Financial institutions should implement a layered approach to security for high-risk Internet-based systems. Other regulations and guidelines also specifically address financial institutions’ responsibilities to protect customer information and prevent identity theft.7

7. See Interagency Final Regulation Guidelines on Identity Theft Red Flags, 12 CFR parts 41, 222, 334, 571, and 717; Interagency Guidelines Establishing Information Security Standards, 12 CFR parts 30, 208, 225, 364, and 570, Appendix B. See also Section 4060.1 under ‘‘Identity Theft Red Flags Program’’ for further details and examination procedures.

Effective controls that may be included in a layered security program include, but are not limited to

• fraud detection and monitoring systems that include consideration of customer history and behavior and enable a timely and effective institution response;
• the use of dual customer authorization through different access devices;
• the use of out-of-band verification for transactions;
• the use of ‘‘positive pay,’’ debit blocks, and other techniques to appropriately limit the transactional use of the account;
• enhanced controls over account activities, such as transaction value thresholds, payment recipients, number of transactions allowed per day, and allowable payment windows (e.g., days and times);
• Internet protocol (IP) reputation-based tools to block connection to banking servers from IP addresses known or suspected to be associated with fraudulent activities;
• policies and practices for addressing customer devices identified as potentially compromised and customers who may be facilitating fraud;
• enhanced control over changes to account maintenance activities performed by customers either online or through customer service channels; and
• enhanced customer education to increase awareness of the fraud risk and effective techniques customers can use to mitigate the risk.

At a minimum, an institution’s layered security program should (1) detect and respond to suspicious activity and (2) control administrative functions. To detect and respond to suspicious activities, appropriate control processes should be instituted that detect anomalies and effectively respond to suspicious or anomalous activity related to initial login and authentication of customers requesting access to the institution’s electronic banking system, as well as the initiation of electronic transactions involving the transfer of funds to other parties. Manual or automated transaction monitoring or anomaly detection and response may prevent instances of ACH/wire transfer fraud since fraudulent wire activities are typically anomalous when compared with the customer’s established patterns of behavior.

A layered security program should also control administrative functions. For business accounts, layered security should include enhanced controls for system administrators who are granted privileges to set up or change system configurations, such as setting access privileges and application configurations and/or limitations. These enhanced controls should exceed the controls applicable to routine business customer users. For example, a preventive control could include requiring an additional authentication routine or a transaction verification routine prior to final implementation of the access or application changes. An example of a detective control could include a transaction verification notice immediately following implementation of the submitted access or application changes. Out-of-band authentication, verification, or alerting can be effective controls. Overall, enhanced controls over administrative access and functions can effectively reduce money transfer fraud.

While the technical aspect of information security considerations for electronic banking activities is complex, widely used turnkey software applications for Internet banking generally conform to accepted industry standards for technical security. Detailed assessments of the technical security of specific systems are the responsibility of the institution and its qualified engineers and internal and external auditors. Examiners should focus on the institution’s implementation of key security controls for the particular software application.

Any security breaches of an institution’s electronic banking service or web site that may lead to potential financial losses or disclosure of sensitive information should be reported to an appropriate management level within the institution. If necessary, the appropriate suspicious-activity report should be filed. Institutions should ensure that their service providers notify them of any computer security breaches in their operations that may affect the institution. Institutions should determine the cause of any such intrusions and develop an appropriate plan to limit any resulting financial losses to the bank and its customers and to prevent recurrence.

Passwords and System-Access Controls

Most institutions use identifiers such as account numbers or ATM card numbers, together with passwords or PINs, to verify the authorization of users accessing the retail electronic banking system. (Wholesale or corporate cash-management systems may use more secure methods, such as smart cards that contain customer credentials, real-time passwords (passwords that can be immediately changed online), or dedicated terminals, to authenticate users.) Prudent password-administration procedures generally require that customer passwords be changed if compromised and that passwords do not automatically default to easily guessed numbers or names. Passwords and PINs are (1) generally encrypted while in transit and protected in storage on insecure networks or computers (stored passwords should be kept as salted one-way hashes rather than in any recoverable form, so that a copy of the credential database does not yield the passwords themselves), (2) suppressed on screen when entered on a keyboard, and (3) suspended after a predetermined number of failed log-in attempts. Institutions should establish clear policies and procedures for retrieving or resetting customer passwords when customers lose or forget their password to minimize the risk that passwords are disclosed to unauthorized individuals.8

8. See SR-05-19 for further information on password-administration practices.

Firewalls

A firewall is a security control consisting of hardware, software, and other security measures established to protect the bank’s internal data and networks, as well as its web sites, from unauthorized external access and use through the Internet. A number of banks and their vendors use various firewall products that meet industry standards to secure their Internet banking services, web sites, and other bank networks. For a firewall to adequately protect a bank’s internal networks and systems, it must be properly installed and configured. Firewalls are most effective when all updates and patches to the firewall systems are installed and when the firewall configuration is reassessed after every system change or software update.

Viruses

Computer viruses can pose a threat to information systems and networks that are connected to the Internet. In addition to destroying data and possibly causing system failure, viruses can potentially establish a communication link with an external network, allow unauthorized system access, or even initiate unauthorized data transmission. Widely used protection measures include using anti-virus products that are installed and are resident on a computer or network or providing for virus scanning during downloads of information or the execution of any program. Bank employees and electronic banking customers should be educated about the risks posed to systems by viruses and other malicious programs, as well as about the proper procedures for accessing information to help avoid these threats.
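The password-administration controls described above under Passwords and System-Access Controls (credentials protected in storage, suspension after a predetermined number of failed log-in attempts, a reset procedure for lost passwords) and the three authentication factors discussed earlier in this section can be combined in one log-on routine. The following Python program is an added example; it is not code from the manual or from any supervisory agency or vendor. It verifies something the customer knows (a password kept as a salted PBKDF2 hash, so the stored value cannot be decrypted at all) and something the customer possesses (a time-based one-time code, TOTP as defined in RFC 6238; the manual does not name a token type, so that choice is an assumption of this example). The iteration count, the attempt limit and the enrollment values are constructed.

```python
"""Added example (not the manual's own code): a two-factor customer log-on
that applies the password-administration controls described in the section.
Stored credentials are salted PBKDF2 hashes rather than reversibly encrypted
values; the possession factor is a TOTP code (RFC 6238), an assumption here."""
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass

MAX_FAILED_ATTEMPTS = 5      # "suspended after a predetermined number of failed log-in attempts"
PBKDF2_ITERATIONS = 100_000  # constructed policy value
TOTP_STEP = 30               # seconds per one-time code
TOTP_DIGITS = 6


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Salted, iterated one-way hash. Unlike an 'encrypted' password, the
    stored digest cannot be turned back into the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def totp(secret: bytes, at_time: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 6238 time-based one-time password (HMAC-SHA1, RFC 4226 truncation)."""
    counter = struct.pack(">Q", int(at_time) // TOTP_STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


@dataclass
class Customer:
    salt: bytes
    password_hash: bytes
    totp_secret: bytes
    failed_attempts: int = 0
    suspended: bool = False


def enroll(password: str, totp_secret: bytes = b"") -> Customer:
    """Enrollment: hash the password, issue (or accept) a token secret."""
    salt, digest = hash_password(password)
    return Customer(salt, digest, totp_secret or os.urandom(20))


def authenticate(cust: Customer, password: str, code: str, now: int) -> str:
    """Return 'ok', 'denied' or 'suspended'. Both factors are always checked
    and the answer never says which one failed, so the token prompt cannot be
    used as an oracle to confirm password guesses."""
    if cust.suspended:
        return "suspended"
    _, digest = hash_password(password, cust.salt)
    password_ok = hmac.compare_digest(digest, cust.password_hash)
    # accept the current 30-second step and the previous one for clock drift
    code_ok = any(hmac.compare_digest(code, totp(cust.totp_secret, now - d))
                  for d in (0, TOTP_STEP))
    if password_ok and code_ok:
        cust.failed_attempts = 0
        return "ok"
    cust.failed_attempts += 1          # counts whichever factor was wrong
    if cust.failed_attempts >= MAX_FAILED_ATTEMPTS:
        cust.suspended = True          # lifted only by the reset procedure
        return "suspended"
    return "denied"


def reset_password(cust: Customer, new_password: str, identity_verified: bool) -> bool:
    """Lost/forgotten-password path: the caller must first have verified the
    customer's identity out of band (assumed); only then is the suspension lifted."""
    if not identity_verified:
        return False
    cust.salt, cust.password_hash = hash_password(new_password)
    cust.failed_attempts, cust.suspended = 0, False
    return True


if __name__ == "__main__":
    # Constructed enrollment; the token secret and instant are the RFC 6238 test vector.
    cust = enroll("correct horse battery", b"12345678901234567890")
    now = 59
    print(authenticate(cust, "correct horse battery", totp(cust.totp_secret, now), now))  # prints ok
```

The manual's warning that a poorly implemented two-factor system can be weaker than a properly implemented single-factor one shows up in two details: the failure counter advances whichever factor was wrong, so an attacker cannot burn through password guesses for free before the token step, and a suspended account is reopened only through the reset path, never by a further correct guess.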
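The dollar limits and monitoring described under Minimizing fraud risk and the layered-security controls listed under Information Security (transaction value thresholds, payment recipients, transactions per day, payment windows, dual authorization through different access devices, IP reputation, and anomaly detection against the customer's established pattern of behavior) can be applied as one screening step on each outgoing transfer. The following Python program is an added example, not code from the manual or from any institution or vendor; the account profile, the behavior baseline, the blocklisted address (a documentation-range address) and the four sample transfers are all constructed. Hard limits block a transfer outright; behavioral flags put it on hold for out-of-band verification rather than blocking it, since a first payment to an unknown payee is also what a legitimate new supplier looks like.

```python
"""Added example (not the manual's own code): layered controls applied to an
outgoing commercial funds transfer. Limits, baseline, blocklist and the sample
transfers are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, pstdev

BLOCKED_IPS = {"203.0.113.7"}     # constructed IP-reputation blocklist (TEST-NET-3)
ANOMALY_SIGMA = 3.0               # amounts this far above the baseline are flagged
WEEKDAYS = frozenset(range(5))    # Monday..Friday


@dataclass
class AccountProfile:
    per_txn_limit: float          # transaction value threshold
    daily_limit: float            # dollar limit on outgoing value per day
    max_txns_per_day: int         # number of transactions allowed per day
    window_hours: tuple           # allowable payment window, (start, end) in 24h
    known_payees: frozenset       # payment recipients paid before
    dual_auth_above: float        # second approver required above this amount
    history: tuple                # past outgoing amounts (customer behavior)


@dataclass
class Transfer:
    when: datetime
    amount: float
    payee: str
    source_ip: str
    approvals: tuple              # ((user, device), ...) who approved, from what


@dataclass
class Decision:
    action: str                   # "allow", "hold" (verify out of band) or "block"
    reasons: list


def evaluate(profile, transfer, allowed_today):
    """Hard limits block; behavioral anomalies hold the transfer for out-of-band
    verification; otherwise the transfer is allowed."""
    hard, soft = [], []
    if transfer.source_ip in BLOCKED_IPS:
        hard.append("source IP on reputation blocklist")
    start, end = profile.window_hours
    if transfer.when.weekday() not in WEEKDAYS or not start <= transfer.when.hour < end:
        hard.append("outside allowable payment window")
    if transfer.amount > profile.per_txn_limit:
        hard.append("exceeds per-transaction limit")
    if sum(t.amount for t in allowed_today) + transfer.amount > profile.daily_limit:
        hard.append("exceeds daily limit")
    if len(allowed_today) + 1 > profile.max_txns_per_day:
        hard.append("exceeds transactions allowed per day")
    if transfer.amount > profile.dual_auth_above:
        users = {u for u, _ in transfer.approvals}
        devices = {d for _, d in transfer.approvals}
        if len(users) < 2 or len(devices) < 2:
            soft.append("dual authorization from different devices required")
    if transfer.payee not in profile.known_payees:
        soft.append("first payment to this payee")
    if len(profile.history) >= 5:
        mu, sigma = mean(profile.history), pstdev(profile.history)
        if sigma > 0 and (transfer.amount - mu) / sigma > ANOMALY_SIGMA:
            soft.append(f"amount is {(transfer.amount - mu) / sigma:.0f} sigma above baseline")
    if hard:
        return Decision("block", hard + soft)
    if soft:
        return Decision("hold", soft)
    return Decision("allow", [])


def run_day(profile, transfers):
    """Evaluate a day's transfers in order; only allowed ones count toward
    the daily value and count limits."""
    allowed, decisions = [], []
    for t in transfers:
        d = evaluate(profile, t, allowed)
        decisions.append(d)
        if d.action == "allow":
            allowed.append(t)
    return decisions


def sample_day():
    """Constructed profile and transfers for a business customer (2021-05-04, a Tuesday)."""
    profile = AccountProfile(
        per_txn_limit=50_000, daily_limit=150_000, max_txns_per_day=10,
        window_hours=(8, 18),
        known_payees=frozenset({"Payroll Services LLC", "Office Supply Co"}),
        dual_auth_above=25_000,
        history=(4200, 3900, 4500, 4100, 3800, 4400, 4000, 4300),
    )
    laptop = ("alice", "laptop-01")
    transfers = [
        # routine payroll run: known payee, inside the window, one approver is enough
        Transfer(datetime(2021, 5, 4, 10, 15), 4_250, "Payroll Services LLC", "198.51.100.20", (laptop,)),
        # large payment to a never-seen payee with a single approver
        Transfer(datetime(2021, 5, 4, 10, 40), 48_000, "Overseas Trading Ltd", "198.51.100.20", (laptop,)),
        # small amount, but at 02:10 from a blocklisted address
        Transfer(datetime(2021, 5, 4, 2, 10), 9_000, "Office Supply Co", "203.0.113.7", (laptop,)),
        # large amount to a known payee, approved by two users on two devices
        Transfer(datetime(2021, 5, 4, 11, 0), 30_000, "Payroll Services LLC", "198.51.100.20",
                 (laptop,) + (("bob", "phone-07"),)),
    ]
    return profile, transfers


if __name__ == "__main__":
    prof, txns = sample_day()
    for t, d in zip(txns, run_day(prof, txns)):
        print(f"{t.when:%H:%M} {t.amount:>10,.2f} {t.payee:<22} -> {d.action}: {d.reasons}")
```

The fourth transfer shows why the two kinds of flag are kept apart: dual authorization is satisfied and the payee is known, but the amount is far outside the customer's history, so the transfer is held for a call-back rather than silently allowed or hard-blocked.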


Encryption of Communications

Information transmitted over the Internet may be accessible to parties other than the sender and receiver. As a result, most retail electronic commerce services use industry-standard secure sockets layer (SSL) technology (today its successor, transport layer security, or TLS) to encrypt sensitive transactional information between the customer and the web site to minimize the risk of unauthorized access to this information while it is in transit. Although stronger encryption techniques may be warranted for higher-value corporate or wholesale transactions, SSL is generally considered adequate for retail Internet banking transactions.

In addition, many banks accept communications through standard Internet e-mail; in some cases, account applications containing sensitive customer data may be sent to the bank. These communications are generally not protected by SSL or a similar technology but are open to potential unauthorized access. If the electronic banking system does not provide for encrypted e-mail, the bank should ensure that customers (and customer-service representatives) are alerted not to send confidential information by unencrypted e-mail.

Security Testing and Monitoring

Assessments of information security vulnerability, penetration testing, and monitoring help ensure that appropriate security precautions have been implemented and that system security configurations are appropriate. Some institutions contract with third-party security experts to provide these services. Vulnerability assessments provide an overall analysis of system security and report any system vulnerabilities. Such assessments can detect known security flaws in software and hardware, determine system susceptibility to known threats, and identify vulnerabilities such as settings that are contrary to established security policies. Penetration testing and vulnerability assessments identify an information system’s vulnerability to intrusion. Penetration tests examine system security by mimicking external intrusion attempts to circumvent the security features of a system. However, a penetration test is only a snapshot in time and does not guarantee that the system is secure.

Intrusion detection is an ongoing process that monitors the system for intrusions and unusual activities. Intrusion-detection systems, which can be installed on individual computers and at locations on a network, can be configured to alert appropriate system personnel to potential intrusions at the time they occur. In addition, the detection systems provide ongoing reporting and monitoring of unusual events such as potential intrusions or patterns of misuse.

Customer Awareness and Education

Because customer awareness is a key defense against fraud and identity theft, financial institutions should make efforts to educate their customers. Institutions should evaluate their consumer education efforts to determine if additional steps are necessary. The June 29, 2011, ‘‘Supplement to Authentication in an Internet Banking Environment’’ states that financial institutions’ customer awareness and educational efforts should address both retail and commercial account holders and, at a minimum, include the following elements:

• an explanation of protections provided, and not provided, to account holders relative to electronic funds transfers under Regulation E, and a related explanation of the applicability of Regulation E to the types of accounts with Internet access
• an explanation of under what, if any, circumstances and through what means the institution may contact a customer on an unsolicited basis and request the customer’s provision of electronic banking credentials
• a suggestion that commercial online banking customers perform a related risk assessment and controls evaluation periodically
• a listing of alternative risk control mechanisms that customers may consider implementing to mitigate their own risk, or alternatively, a listing of available resources where such information can be found
• a listing of institutional contacts for customers’ discretionary use in the event they notice suspicious account activity or experience customer information security-related events

Contingency Planning

Periodic downtime and outages are common with online services. But when the duration or

disruption of these outages is significant, it can lead to reputational risk for the institution. For many institutions, short disruptions of electronic banking services may not have a material effect on their operations or customers, as other delivery channels are available. Nevertheless, electronic banking services should be covered by an institution’s business-continuity plans. Institutions should assess their disaster-recovery needs by considering the length of time that electronic banking services could be unavailable to customers or for internal processing, and then design backup capabilities accordingly. In some cases, institutions may need to establish the capability to move processing to a different network or data center, or to move electronic banking services to a backup web site.

Typically, the electronic banking system includes capabilities to generate backup files on tapes, diskettes, or other portable electronic media containing key transaction and customer data. Web site information should also be subject to periodic backup. Security and internal controls at backup locations should be as sophisticated as those in place at the primary site.

If a bank outsources electronic banking operations to a service provider, the institution should have a full understanding of the service provider’s contingency and business-recovery commitments.9

Outsourcing Arrangements

Many institutions outsource electronic banking operations to an affiliate or third-party vendor. In addition to operating the Internet banking software application, service providers may provide services such as web site hosting and development, Internet access, and customer service or call-center maintenance. As with other areas of a bank’s operations, examiners should evaluate the adequacy of the institution’s oversight of its critical service providers.10

Banking organizations should consider requiring Internet banking service providers to obtain periodic security reviews performed by an independent party. The client institution should receive reports summarizing the findings.

9. For additional information on business resumption and contingency planning in relation to outsourcing, see section 5300.1, ‘‘Information Technology,’’ and the FFIEC Information Systems Examination Handbook.

10. See section 5300.1, ‘‘Information Technology,’’ and the FFIEC Information Systems Examination Handbook for information on risk management for outsourcing arrangements.

Electronic Banking Examination Objectives
Section 5310.2, effective date November 2001

1. To develop an understanding of the significance of the bank’s electronic banking activities within and across business lines.
2. To assess the types and levels of risks associated with the bank’s electronic banking activities.
3. To exercise appropriate judgment when determining the level of review, given the characteristics, size, and business activities of the organization.
4. To assess the current and potential impact of electronic banking activities on the institution’s financial profile and condition.
5. To assess the adequacy of risk management and oversight of electronic banking activities, including outsourced activities.
6. To determine if the institution is complying with other applicable laws, rules and regulations.
7. To prepare examination report comments on significant deficiencies and recommended corrective action.
8. To determine the impact, if any, of electronic banking risks on the CAMELS rating, information technology rating, and risk-management ratings.
9. To update the workpapers with any information that will facilitate future examinations.

Electronic Banking Examination Procedures
Section 5310.3, effective date October 2011

1. Identify the bank’s current and planned electronic banking activities and review the bank’s public Internet web sites. Consider whether the bank provides the following types of services:
   a. telephone banking
   b. retail Internet banking services
   c. corporate or wholesale Internet banking services
   d. Internet service provider (ISP)
   e. brokerage services over the Internet
   f. insurance services over the Internet
   g. trust services over the Internet
   h. account aggregation
   i.
   j. other activities (for example, web portals, financial calculators, cross-marketing arrangements and alliances, or unique services)
2. Review prior examination findings and workpapers related to electronic banking, including consumer compliance, information technology, and other examination areas that may be relevant.
3. Determine if material changes have been made to electronic banking products, services, or operations since the last examination and if any significant changes are planned in the near future.
   a. Ensure the bank has reviewed and updated the existing risk assessment prior to implementing new electronic financial services.
   b. If the bank has not materially changed its electronic banking services, determine if the board or senior management has reviewed the risk assessment within the past 12 months.
4. Determine the significance of the bank’s electronic banking activities. Consider the following areas:
   a. approximate percentages and numbers of customers (for example, loan and deposit) that regularly use electronic banking products and services
   b. lending and deposit volumes generated from Internet applications
   c. the current monthly transaction and dollar volume for electronic banking services
   d. costs and fees to operate the system and related services or marketing programs
5. Incorporate an analysis of electronic banking activities into risk assessments, supervisory plans, and scope memoranda, considering the size, activities, and complexity of the organization, as well as the significance of the activities across particular business lines.
6. Assess the level of risk and the current or potential impact of electronic banking activities on the organization’s earnings, liquidity, asset quality, operational risk, and consumer compliance. Communicate any concerns to examiners reviewing these areas.
7. Determine if the bank operates its web sites, electronic banking systems, or core data processing systems internally and whether any activities are outsourced to a vendor. If outsourced, all activities should be supported by written agreements that have been reviewed by the bank’s legal counsel. Identify the location of the following operations:
   a. design and maintenance of the bank’s public web site or home page
   b. computer or server for the bank’s public web site
   c. development and maintenance of the bank’s electronic banking systems
   d. computer or server for the bank’s electronic banking systems
   e. customer service (for example, a call center) for electronic banking services
   f. electronic bill-payment processing or other ancillary services
8. If the bank operates the electronic banking system or core data processing system in-house, review the topology (schematic diagram) of the systems and networks, and determine whether there is a direct, online connection between the bank’s core processing systems and the electronic banking system.
9. If the bank operates the electronic banking system or core data processing system in-house, review the transaction-processing flows between the electronic banking system and the bank’s core processing systems and identify key control points. Determine


whether information is exchanged in a real-time, batch (overnight), or hybrid-processing mode.
10. Review any available audits or third-party reviews of vendors or service providers the bank uses, such as Service Organization Control Reports (formerly SAS 70 reports).1 Review any Federal Financial Institutions Examination Council (FFIEC) Shared Application Software Review (SASR) reports or any FFIEC or other supervisory examination reports of service providers that the institution uses.
11. Determine the adequacy of risk management for electronic banking activities (including authentication methods for prospective and existing customers), given the level of risk these activities pose to the institution.2 Complete or update relevant portions of the electronic banking internal control questionnaire as needed for the specific electronic banking activities identified in the previous steps of these procedures to evaluate the adequacy of—
   a. policies and procedures governing electronic banking activities,
   b. internal controls and security for electronic banking activities,
   c. audit coverage for electronic banking activities,
   d. monitoring and compliance efforts,
   e. vendor and outsourcing management, and
   f. board and management oversight.
12. Determine if the bank engages in any “high-risk” transactions involving access to customer information or the movement of funds to other parties.
   a. If the bank engages in high-risk transactions, ensure the institution has implemented a layered security program and does not rely solely on any single control for authorizing such transactions.3
   b. Ensure the bank’s layered security program is consistent with the risk for covered consumer and business (commercial) transactions.
13. Perform additional analysis and review, consulting with information technology specialists, consumer compliance specialists, or other subject-matter experts as needed, on areas of potential concern.
14. Determine the impact of any electronic banking activities or internal-control deficiencies on the financial condition of the organization.
15. Determine the extent of supervisory attention needed to ensure that any weaknesses are addressed and that associated risk is adequately managed.
16. Determine the impact of any deficiencies on the CAMELS rating, information technology rating, operational-risk rating, and any other relevant supervisory ratings.
17. Prepare comments for the examination report on any significant deficiencies and recommended corrective action.
18. Update the workpapers with any information that will facilitate future examinations.

1. Effective June 15, 2011, the Statement on Standards for Attestation Engagements (SSAE) No. 16, “Reporting on Controls at a Service Organization,” replaces the guidance for service auditors in the American Institute of Certified Public Accountants (AICPA) Statement of Auditing Standards (SAS) No. 70, “Service Organizations.”
2. See SR-05-19, “FFIEC Guidance on Authentication in an Internet Banking Environment,” and SR-11-19, “Interagency Supplement to Authentication in an Internet Banking Environment.”
3. See SR-11-9 and Section 4063.1.

Electronic Banking Internal Control Questionnaire
Section 5310.4, effective date May 2007

Review the bank’s internal controls, policies, practices, and procedures for electronic banking activities. Complete those questions necessary to assess whether any potential concerns warrant further review.

POLICIES AND PROCEDURES

1. Are updates and changes to the bank’s public web sites—
   a. made only by authorized staff?
   b. subject to dual verification?
2. Are web site information and links to other web sites regularly verified and reviewed by the bank for—
   a. accuracy and functionality?
   b. potential reputational, compliance, and legal risk?
   c. appropriate disclaimers?
3. Do operating policies and procedures include—
   a. procedures for and controls over the opening of new customer accounts submitted through electronic channels in order to verify potential customer identity and financial condition?
   b. single-factor and tiered single-factor or multifactor procedures for authenticating the identity of prospective and existing customers when administering access to the electronic banking system (for example, customer passwords, personal identification numbers (PINs), or account numbers)?
   c. requirements for review of or controls over wire transfers or other large transfers initiated through the electronic banking system, to watch for potentially suspicious activity?
   d. appropriate authorizations for electronic debits initiated against accounts at other institutions, if such transfers are allowed?
   e. depending on the type of account, dollar limits on transactions over a given time period initiated through the electronic banking service?
   f. reconcilement and accounting controls over transactions initiated through the electronic banking system, including electronic bill-payment processing?
4. Do written information security policies and procedures address electronic banking products and services?
5. Are business-recovery procedures adequate? Do the procedures address—
   a. events that could affect the availability of the electronic banking system, such as system outages, natural disasters, or other disruptions?
   b. planned recovery times that are consistent with how important electronic banking activities are to the institution?
6. Has management established an adequate incident-response plan to handle and report potential system security breaches, web site disruptions, malicious tampering with the web site, or other problems?

AUDIT AND INDEPENDENT REVIEW

1. Do the bank’s internal and external audit programs address electronic banking activities and systems?
2. Is the level of audit review commensurate with the risks in electronic banking activities and systems?
3. Do audits address—
   a. the review and testing of the bank’s internal controls relating to electronic banking?
   b. the review of service-provider performance relative to contract terms, if services are outsourced?
   c. the review of the service providers’ internal or external audits or third-party reviews, if services are outsourced?
4. Is management’s response to any audit recommendations timely and appropriate?

INTERNAL CONTROLS AND SECURITY

1. Has the bank or service provider implemented a firewall to protect the bank’s web site?
2. Are ongoing monitoring and maintenance arrangements for the firewall in place to ensure that it is properly maintained and configured?


3. If the bank uses a turnkey electronic banking software package or outsources to a service provider—
   a. are bank staff familiar with key controls detailed by the vendor’s security and operating manuals and training materials?
   b. are workstations that interface with the service provider’s system for administrative procedures or for the transfer of files and data kept in a secure location with appropriate password or other access control, dual-verification procedures, and other controls?
4. Does the bank’s control of customer access to the electronic banking system include—
   a. procedures to ensure that only appropriate staff are authorized to access electronic banking systems and data, including access to any workstations connected to a remote system located at a service provider?
   b. levels of authentication methods that are commensurate with the level of risk in the bank’s electronic banking applications?
   c. the length and composition of passwords and PINs?
   d. encryption of passwords and PINs in transit and storage?
   e. the number of unsuccessful log-on attempts before the password is suspended?
   f. procedures for resetting customer passwords and PINs?
   g. automatic log-off controls for user inactivity?
5. Have security-vulnerability assessments and penetration tests of electronic banking systems been conducted? Has the bank reviewed the results?
6. Has the bank or its service provider established—
   a. an intrusion-detection system for electronic banking applications?
   b. procedures to detect changes in electronic banking files and software?
   c. measures to protect the electronic banking system from computer viruses?
   d. procedures for ensuring on an ongoing basis that electronic banking applications, operating systems, and the related security infrastructure incorporate patches and upgrades that are issued to address known security vulnerabilities in these systems?
7. If e-mail is used to communicate with customers, are communications encrypted or does the bank advise customers not to send confidential information through e-mail?

MONITORING AND COMPLIANCE

1. Are adequate summary reports made available to management to allow for monitoring of—
   a. web site usage?
   b. transaction volume?
   c. system-problem logs?
   d. exceptions?
   e. unreconciled transactions?
   f. other customer or operational issues?
2. Has management established adequate procedures for monitoring and addressing customer problems with electronic banking products and services?
3. Does management accurately report its primary public web-site address on its Consolidated Report of Condition and Income?
4. Have required Suspicious Activity Reports involving electronic banking, including any computer intrusions, been filed? See the requirements for suspicious-activity reporting in section 208.62 of the Board’s Regulation H (12 CFR 208.62), and the Bank Secrecy Act compliance program in section 208.63 (12 CFR 208.63).

VENDORS AND OUTSOURCING

1. Is each significant vendor, service provider, consultant, or contractor relationship that is involved in the development and maintenance of electronic banking services covered by a written, signed contract? Depending on the nature and criticality of the services, do contracts specify—
   a. minimum service levels and remedies or penalties for nonperformance?
   b. liability for failed, delayed, or erroneous transactions processed by the service provider and for other transactions in which losses may be incurred (for example, insufficient funds)?
   c. contingency plans, recovery times in the event of a disruption, and responsibility for backup of programs and data?


   d. data ownership, data usage, and compliance with the bank’s information security policies?
   e. bank access to the service provider’s financial information and results of audits and security reviews?
   f. insurance to be maintained by the service provider?
2. Has legal counsel reviewed the contracts to ensure they are legally enforceable and that they reasonably protect the bank from risk?
3. Has the bank ensured that any service provider responsible for hosting or maintaining the bank’s web site has implemented—
   a. controls to protect the bank’s web site from unauthorized alteration and malicious attacks?
   b. procedures to notify the bank in the event of such incidents?
   c. regular backup of the bank’s web site information?
4. Depending on the nature and criticality of the services, does the bank conduct initial and periodic due-diligence reviews of service providers, including—
   a. reviewing the service provider’s standards, policies, and procedures relating to internal controls, security, and business contingency to ensure they meet the bank’s minimum standards?
   b. monitoring performance relative to service-level agreements and communicating any deficiencies to the service provider and to bank management?
   c. reviewing reports provided by the service provider on response times, availability and downtime, exception reports, and capacity reports, and communicating any concerns to bank management and the vendor?
   d. periodically reviewing the financial condition of the service provider and determining whether backup arrangements are warranted as a result?
   e. reviewing third-party audits, SAS 70 reports, and regulatory examination reports on the service provider, if available, and following up on any findings with the service provider?
   f. conducting on-site audits of the service provider, if appropriate based on the level of risk?
   g. participating in user groups?
   h. ensuring the bank’s staff receives adequate training and documentation from the vendor or service provider?
5. If the bank operates a turnkey electronic banking software package—
   a. is software held under an escrow agreement?
   b. has the bank established procedures to ensure that relevant program files and documentation held under the software escrow agreement are kept current and complete?
6. If a vendor maintains the bank’s electronic banking system, does the bank monitor the on-site or remote access of its systems by the vendor, through activity logs or other measures?

BOARD AND MANAGEMENT OVERSIGHT

1. Does the board or an appropriate committee approve the introduction of new electronic banking products and services on the basis of a written business plan and risk analysis that are commensurate with the proposed planned activity?
2. Has the bank considered—
   a. whether the service is designed to provide information on existing services to existing customers or to attract new customers?
   b. whether financial incentives will be offered to attract customers through the electronic banking service? What is the financial impact of such incentives on the bank?
   c. the potential impact of electronic banking products and services on the composition of the bank’s customer base?
   d. the projected financial impact of the new service, including up-front and operating costs and any impact on fees or other revenue or expenses?
   e. internal controls appropriate for the new product or service?
   f. whether adequate management reports are provided and subject to periodic review?
   g. whether any new nonbanking activities are permissible under applicable state and federal banking laws?


   h. the extent of outsourcing and responsibilities for managing vendor and service-provider relationships?
3. Has the bank evaluated the adequacy of its insurance coverage to cover operational risks in its electronic banking activities?
4. Has the bank’s legal counsel been involved in the development and review of electronic banking agreements (for example, agreements with third-party vendors)? Has the bank’s legal counsel also been involved in the development and review of its authentication methods to ensure that the methods provide a foundation to enforce agreements and transactions and to validate the parties involved, consistent with applicable state laws?
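The Internal Controls and Security questions in this questionnaire ask whether certain technical controls exist; the following Python, added here as an illustration and not part of the manual or any bank's system, shows what a "yes" answer to three of them can look like in code: item 4e (the password is suspended after a set number of unsuccessful log-on attempts), item 4g (automatic log-off after user inactivity) and item 6b (detecting changes to electronic banking files against a stored hash baseline). Passwords are stored only as salted PBKDF2 hashes, one way of meeting item 4d's storage requirement, and item 4f's reset is the route out of a suspension. The thresholds (three attempts, ten minutes), the customer name and the sample web-site files are assumed values.

```python
"""Added example, not the manual's own code: what a "yes" answer to three of the
Internal Controls and Security questions can look like in code. Item 4e: the
password is suspended after MAX_FAILED_LOGONS unsuccessful attempts; item 4g:
a session is logged off automatically after INACTIVITY_LIMIT_SECONDS idle;
item 6b: changes to electronic banking files are detected against a hash
baseline. Thresholds, the customer name and the sample files are assumed."""
import hashlib
import hmac
import secrets
import tempfile
from pathlib import Path
from typing import Callable, Dict, List, Optional, Tuple

MAX_FAILED_LOGONS = 3            # assumed policy value (item 4e)
INACTIVITY_LIMIT_SECONDS = 600   # assumed policy value: 10 minutes (item 4g)
PBKDF2_ITERATIONS = 100_000      # passwords are stored only as salted hashes (item 4d)


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


class AuthenticationService:
    """Customer log-on with lockout after repeated failures and idle-session log-off."""

    def __init__(self, clock: Callable[[], float]):
        self._clock = clock                                 # seconds; injected so it can be tested
        self._users: Dict[str, Tuple[bytes, bytes]] = {}    # user -> (salt, hash)
        self._failed: Dict[str, int] = {}                   # consecutive failed attempts
        self._suspended: set = set()
        self._sessions: Dict[str, Tuple[str, float]] = {}   # token -> (user, last activity)

    def register(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._users[user] = (salt, _hash_password(password, salt))

    def is_suspended(self, user: str) -> bool:
        return user in self._suspended

    def logon(self, user: str, password: str) -> Optional[str]:
        """Return a session token, or None. A suspended user is refused even with the right password."""
        if user not in self._users or user in self._suspended:
            return None
        salt, stored = self._users[user]
        if not hmac.compare_digest(stored, _hash_password(password, salt)):
            self._failed[user] = self._failed.get(user, 0) + 1
            if self._failed[user] >= MAX_FAILED_LOGONS:
                self._suspended.add(user)
            return None
        self._failed[user] = 0
        token = secrets.token_hex(16)
        self._sessions[token] = (user, self._clock())
        return token

    def reset_password(self, user: str, new_password: str) -> None:
        """Item 4f: a controlled reset replaces the credential and lifts the suspension."""
        self.register(user, new_password)
        self._suspended.discard(user)
        self._failed[user] = 0

    def activity(self, token: str) -> bool:
        """Call on every request; returns False and drops the session once it has idled too long."""
        entry = self._sessions.get(token)
        if entry is None:
            return False
        user, last_seen = entry
        now = self._clock()
        if now - last_seen > INACTIVITY_LIMIT_SECONDS:
            del self._sessions[token]
            return False
        self._sessions[token] = (user, now)
        return True


def hash_tree(root: Path) -> Dict[str, str]:
    """SHA-256 of every file under root, keyed by relative path: the item 6b baseline."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def detect_changes(root: Path, baseline: Dict[str, str]) -> Dict[str, List[str]]:
    """Report files added, removed or modified since the baseline was taken."""
    current = hash_tree(root)
    return {"added": sorted(set(current) - set(baseline)),
            "removed": sorted(set(baseline) - set(current)),
            "modified": sorted(p for p in current.keys() & baseline.keys()
                               if current[p] != baseline[p])}


def demo_authentication() -> Dict[str, object]:
    """Lockout after three failures, refusal while suspended, reset, then idle log-off."""
    now = [1_000.0]
    svc = AuthenticationService(lambda: now[0])
    svc.register("customer1", "correct horse")
    rejected = sum(svc.logon("customer1", "wrong") is None for _ in range(MAX_FAILED_LOGONS))
    suspended = svc.is_suspended("customer1")
    refused = svc.logon("customer1", "correct horse") is None
    svc.reset_password("customer1", "new passphrase")
    token = svc.logon("customer1", "new passphrase")
    now[0] += 300                               # five idle minutes: still inside the limit
    alive = svc.activity(token)
    now[0] += INACTIVITY_LIMIT_SECONDS + 1      # past the limit: logged off automatically
    return {"wrong_attempts_rejected": rejected, "suspended_after_failures": suspended,
            "correct_password_refused_while_suspended": refused,
            "token_issued_after_reset": token is not None,
            "alive_after_5_minutes": alive, "alive_after_timeout": svc.activity(token)}


def demo_change_detection() -> Dict[str, List[str]]:
    """Baseline a constructed web-site tree, tamper with it, and report the differences."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app").mkdir()
        (root / "login.html").write_text("<form>v1</form>")
        (root / "app" / "transfer.js").write_text("ok")
        baseline = hash_tree(root)
        (root / "login.html").write_text("<form>v2</form>")  # altered page
        (root / "app" / "extra.js").write_text("new")         # unexpected file
        (root / "app" / "transfer.js").unlink()               # missing file
        return detect_changes(root, baseline)
```

The baseline for item 6b has to be stored somewhere the web server cannot write to, and re-taken only after an authorized change (item 1a of Policies and Procedures); otherwise an alteration simply becomes the new baseline. The lockout counter resets on a successful log-on, so a customer who mistypes twice and then succeeds is not carried toward suspension.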

Payment System Risk and Electronic Funds Transfer Activities
Section 5320.1, effective date April 2009

Modern economies require an efficient system for transferring funds between financial institutions and between financial institutions and their customers. Banks and other depository institutions use payment systems both to transfer funds related to their own operations—for example, when engaging in federal-funds transactions—and to transfer funds on behalf of their customers. Depository institutions and the Federal Reserve together provide the basic infrastructure for the nation’s payment system.

Commercial banks maintain accounts with each other and with the Federal Reserve Banks; through these accounts, the payments of the general public are recorded and ultimately settled. The demand for electronic funds transfer (EFT) services has increased with improved data communication and computer technology. Community banks that previously executed EFT transactions through a correspondent can now initiate their own same-day settlement transactions nationwide. The need for same-day settlement transactions has precipitated financial institutions’ increased reliance on EFT systems. Financial institutions commonly use their EFT operations to make and receive payments, buy and sell securities, and transmit payment instructions to correspondent banks worldwide. In the United States, most of the dollar value of all funds transfers is concentrated in two electronic payment systems: the Fedwire Funds Service, which is a real-time gross settlement system provided by the Federal Reserve Banks, and the Clearing House Interbank Payments System (CHIPS), which is a private-sector multilateral settlement system owned and operated by the Clearing House Payments Company.

Final settlement occurs when payment obligations between payment-system participants are extinguished with unconditional and irrevocable funds. For transactions settled in physical currency, payment and settlement finality occur simultaneously. On occasion, settlement finality may not occur on the same day a payment is made. Without immediate settlement finality, the recipient of a payment faces the uncertainty of not receiving the value of funds that has been promised. The exposure to this uncertainty is generally referred to as payment system risk (PSR).

Payment system risk refers to the risk of financial loss to the participants in, and operators of, payment systems due to a variety of exposures, such as counterparty or customer default, operational problems, fraud, or legal uncertainty about the finality of settled payments. A major source of payment system risk arises when participants in, or the operator of, a payment system extends unsecured, intraday credit to facilitate the smooth and efficient flow of payments. For example, the aggregate value of intraday credit extended by the Federal Reserve, in the form of daylight overdrafts in institutions’ Federal Reserve accounts, is substantial and creates significant credit exposure for the Federal Reserve Banks.

A daylight overdraft occurs whenever an institution has a negative account balance during the business day. Such a credit exposure can occur in an account that an institution maintains with a Federal Reserve Bank or with a private-sector financial institution. At a Reserve Bank, a daylight overdraft occurs when an institution has insufficient funds in its Federal Reserve account to cover Fedwire funds transfers, incoming book-entry securities transfers, or other payment activity processed by the Reserve Bank, such as automated clearinghouse or check transactions. Similarly, banks are exposed to credit risk when they permit their customers to incur daylight overdrafts in their accounts. More specific information about the types of risks involved under the rubric of payment systems risk is discussed later in this section.

When developing an institution’s overview, performing annual and quarterly risk assessments, and conducting the institution’s examination, examiners should review an institution’s payment system risk and EFT practices. Supervisory and examination guidance and procedures should be followed to determine the risk assessment, matrix, supervisory plan, and scope of an examination. This guidance should also be used when conducting the examination. An overall initial analysis of an institution’s payment system risk practices can provide examiners with quick insight on the adequacy of its current internal controls and risk-management practices, and on whether the institution’s payment activity creates intraday exposures that may pose significant risk if not managed properly.

In general, examiners should review the frequency, magnitude, and trend of daylight overdrafts in an institution’s Federal Reserve account, as well as any breaches of its net debit cap.
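The review just described (frequency, magnitude and trend of daylight overdrafts, and breaches of the net debit cap) can be computed directly from an account's intraday posting record. The Python below is an added illustration, not part of the manual and not a Reserve Bank tool: it replays a constructed two-day posting log for one institution's Federal Reserve account, measures each day's peak overdraft, how long the account stayed negative and whether the cap was exceeded, and tallies which kinds of debits had accumulated by the time of the peak. The dates, posting times, amounts (in millions), the 40-million cap and the 18:00 close are all assumed sample values.

```python
"""Added example, not from the manual: turning one institution's intraday account
postings into the measures examiners are told to review, that is, the frequency,
magnitude and trend of daylight overdrafts and any breaches of the net debit cap.
Dates, posting times, amounts (in millions), the cap and the 18:00 close are
constructed sample values; the attribution of the peak to transaction kinds is a
simple cumulative-debit tally, not a Reserve Bank method."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import date, datetime, time
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Posting:
    ts: datetime    # when the entry posted to the Federal Reserve account
    kind: str       # "fedwire", "ach", "check", "securities", ...
    amount: float   # credit (+) or debit (-)


@dataclass
class DayReview:
    day: date
    opening_balance: float
    peak_overdraft: float = 0.0                 # largest negative balance, as a positive number
    peak_time: Optional[datetime] = None
    minutes_overdrawn: float = 0.0
    cap_breached: bool = False
    debits_by_kind_at_peak: Dict[str, float] = field(default_factory=dict)


CLOSE_TIME = time(18, 0)   # assumed end of the business day
NET_DEBIT_CAP = 40.0       # constructed cap, same units as the postings


def review_day(day: date, opening_balance: float, postings: List[Posting],
               net_debit_cap: float = NET_DEBIT_CAP) -> DayReview:
    """Run the day's postings in time order and measure the intraday exposure."""
    res = DayReview(day=day, opening_balance=opening_balance)
    balance = opening_balance
    debits: Dict[str, float] = defaultdict(float)
    overdrawn_since: Optional[datetime] = None
    for p in sorted(postings, key=lambda x: x.ts):
        balance += p.amount
        if p.amount < 0:
            debits[p.kind] += -p.amount
        if balance < 0:
            overdrawn_since = overdrawn_since or p.ts
            if -balance > res.peak_overdraft:
                res.peak_overdraft, res.peak_time = -balance, p.ts
                res.debits_by_kind_at_peak = dict(debits)
            if -balance > net_debit_cap:
                res.cap_breached = True
        elif overdrawn_since is not None:
            res.minutes_overdrawn += (p.ts - overdrawn_since).total_seconds() / 60
            overdrawn_since = None
    if overdrawn_since is not None:   # still negative at close: an overnight overdraft
        close = datetime.combine(day, CLOSE_TIME)
        res.minutes_overdrawn += (close - overdrawn_since).total_seconds() / 60
    return res


def review_period(daily_postings: Dict[date, List[Posting]], opening_balances: Dict[date, float],
                  net_debit_cap: float = NET_DEBIT_CAP) -> Dict[str, object]:
    """Frequency, magnitude and trend across several days."""
    reviews = [review_day(d, opening_balances[d], ps, net_debit_cap)
               for d, ps in sorted(daily_postings.items())]
    peaks = [r.peak_overdraft for r in reviews]
    return {"days_reviewed": len(reviews),
            "overdraft_days": sum(1 for r in reviews if r.peak_overdraft > 0),
            "largest_peak": max(peaks, default=0.0),
            "cap_breach_days": sum(1 for r in reviews if r.cap_breached),
            "peak_trend": peaks,
            "rising": len(peaks) >= 2 and peaks[-1] > peaks[0],
            "daily": reviews}


def _at(d: date, hh: int, mm: int) -> datetime:
    return datetime.combine(d, time(hh, mm))


D1, D2 = date(2010, 4, 5), date(2010, 4, 6)     # constructed business days
SAMPLE_OPENING_BALANCES = {D1: 50.0, D2: 30.0}
SAMPLE_POSTINGS = {
    D1: [Posting(_at(D1, 9, 0), "fedwire", -80.0), Posting(_at(D1, 10, 30), "check", -20.0),
         Posting(_at(D1, 11, 15), "fedwire", 70.0), Posting(_at(D1, 14, 0), "securities", -10.0)],
    D2: [Posting(_at(D2, 9, 30), "ach", -25.0), Posting(_at(D2, 12, 0), "fedwire", -15.0),
         Posting(_at(D2, 12, 45), "fedwire", 40.0)],
}

if __name__ == "__main__":
    summary = review_period(SAMPLE_POSTINGS, SAMPLE_OPENING_BALANCES)
    for r in summary["daily"]:
        print(r.day, "peak", r.peak_overdraft, "cap breached", r.cap_breached,
              "minutes overdrawn", r.minutes_overdrawn, "debits at peak", r.debits_by_kind_at_peak)
```

On the constructed data the first day peaks at 50 (a cap breach, driven by an 80 outgoing Fedwire transfer followed by 20 of check clearings) and stays negative for 135 minutes, while the second day peaks at only 10; the per-kind tally is the starting point for the question the manual asks next, namely what kinds of transactions are causing the overdrafts.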


Examiners should analyze the reasons for the daylight overdrafts and cap breaches; the nature of the transactions causing the overdrafts (for example, correspondent check clearings or funds transfers); whether the number of customers, correspondents, and respondents is concentrated among only a few entities; whether there is a clear pattern of transactions; and the types of activities involved. In addition, examiners should review and determine the adequacy of the resolution by the board of directors authorizing the institution’s net debit cap and use of Federal Reserve intraday credit (as required by the PSR policy). The examiners’ most important goal is to ensure that banks have and use appropriate risk-management policies and procedures that effectively monitor and control their exposure to payment system risk.

TYPES OF PAYMENT SYSTEMS

An understanding of the mechanics of the various payment systems is necessary to evaluate the operational procedures depository institutions use to control payment-processing risks for their own or their customers’ accounts.

Funds Transfer Systems

Fedwire Funds Service

The Fedwire funds-transfer system is a real-time gross settlement system in which depository institutions initiate funds transfers that are immediate, final, and irrevocable when processed. Depository institutions that maintain a master account with a Federal Reserve Bank may use Fedwire to send payments to, or receive payments from, other account holders directly. Depository institutions use Fedwire to handle large-value and time-critical payments, such as payments for the settlement of interbank purchases and sales of federal funds; the purchase, sale, and financing of securities transactions; the disbursement or repayment of loans; and the settlement of real estate transactions.

In the Fedwire funds-transfer system, only the originating financial institution can remove funds from its Federal Reserve account. Originators provide payment instructions to the Federal Reserve either online or offline. Online participants send instructions through a mainframe or PC connection to Fedwire, and no manual processing by the Federal Reserve Banks is necessary. Offline participants give instructions to the Reserve Banks by telephone. Once the telephone request is authenticated, the Reserve Bank enters the transfer instruction into the Fedwire system for execution. The manual processing required for offline requests makes them more costly; thus, they are suitable only for institutions that have small, infrequent transfers. (For further information, see www.federalreserve.gov/paymentsystems/.)

CHIPS

The Clearing House Interbank Payments System (CHIPS) is a large-value funds-transfer system for U.S. dollar payments between domestic or foreign banks that have offices located in the United States. CHIPS provides a final intraday settlement system, continuously matching, netting, and settling queued payment orders throughout the business day.

All CHIPS payment orders are settled against positive balances and are simultaneously offset by incoming payment orders, or some combination of both. To facilitate this process, the funding participants jointly maintain an account (CHIPS account) on the books of the Federal Reserve Bank of New York. Each CHIPS participant must fund this account via a Fedwire funds transfer to fulfill its pre-funded opening-position requirement. These required balances are then used to settle payment orders throughout the day.

During the operating day, participants submit payment orders to a centralized queue maintained by CHIPS. Payment orders that do not pass certain settlement conditions are held in the central queue until an opportunity for settlement occurs or until the end-of-day settlement process. The sending and receiving participants are not obligated to settle these queued payment orders.

Each afternoon, each participant with a closing-position requirement must transfer, through Fedwire, its requirement to the CHIPS account at the Federal Reserve Bank of New York.1 These requirements, when delivered, are credited to participants’ balances at CHIPS.

1. Although CHIPS no longer makes distinctions between settling and nonsettling participants, CHIPS participants can use nostro banks to make transfers on their behalf.
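The settlement mechanics described for CHIPS (pre-funded positive balances, offsetting against incoming orders, and a central queue that creates no obligation) are easier to reason about with a small model. The Python below is an added illustration, not the manual's and not CHIPS's own algorithm: the page does not state CHIPS's actual settlement conditions, so the model uses two assumed rules, settle an order when the sender's balance covers it, or when a queued order coming the other way lets the pair settle for the net amount, and leaves everything else in the queue. Participant names, opening positions and amounts are constructed. The point it demonstrates is that, under pre-funding, no participant's balance ever goes negative, and the total of the balances paid out at the end of the day equals the total pre-funded.

```python
"""Added example, not from the manual: a simplified model of the CHIPS-style
settlement the text describes. Participants pre-fund an opening position; a
payment order settles when the sender's positive balance covers it, or when it
can be offset against a queued order coming the other way; an order that passes
neither test waits in the central queue and creates no obligation. Balances are
never allowed below zero. CHIPS's real settlement conditions and algorithm are
not described on the page and are not reproduced here; participants, amounts
and the queue rule are constructed."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class PaymentOrder:
    sender: str
    receiver: str
    amount: int   # constructed whole-dollar amounts


class SettlementEngine:
    def __init__(self, opening_positions: Dict[str, int]):
        self.balance = dict(opening_positions)   # pre-funded balances, kept >= 0
        self.queue: List[PaymentOrder] = []
        self.settled: List[PaymentOrder] = []

    def submit(self, order: PaymentOrder) -> None:
        self.queue.append(order)
        self._run_queue()

    def _run_queue(self) -> None:
        """Re-try queued orders until a full pass settles nothing more."""
        progress = True
        while progress:
            progress = False
            for order in list(self.queue):
                if order in self.queue and self._try_settle(order):
                    progress = True

    def _try_settle(self, order: PaymentOrder) -> bool:
        if self.balance[order.sender] >= order.amount:        # rule 1: positive balance
            self._book([order])
            return True
        for other in self.queue:                              # rule 2: bilateral offset
            if other.sender == order.receiver and other.receiver == order.sender:
                net = order.amount - other.amount
                payer = order.sender if net > 0 else order.receiver
                if self.balance[payer] >= abs(net):
                    self._book([order, other])
                    return True
        return False

    def _book(self, orders: List[PaymentOrder]) -> None:
        """Post a set of orders together; the checks above ensure no balance ends negative."""
        for o in orders:
            self.balance[o.sender] -= o.amount
            self.balance[o.receiver] += o.amount
            self.queue.remove(o)
            self.settled.append(o)

    def end_of_day(self) -> Dict[str, object]:
        """Unsettled orders are dropped without obligation; remaining balances are paid out."""
        unsettled, self.queue = self.queue, []
        return {"positions": dict(self.balance), "unsettled": unsettled}


def run_sample_day() -> Dict[str, object]:
    """Constructed day: three participants, four orders, one of which never settles."""
    engine = SettlementEngine({"A": 100, "B": 50, "C": 0})   # constructed opening positions
    for order in [PaymentOrder("A", "B", 80),    # covered by A's balance
                  PaymentOrder("B", "C", 200),   # too large for B: queued
                  PaymentOrder("C", "B", 150),   # offsets the queued B->C order (net 50 from B)
                  PaymentOrder("A", "C", 60)]:   # nothing to offset: stays queued
        engine.submit(order)
    result = engine.end_of_day()
    result["settled"] = list(engine.settled)
    return result


if __name__ == "__main__":
    day = run_sample_day()
    print("positions paid out:", day["positions"])
    print("settled:", day["settled"])
    print("left in queue, no obligation:", day["unsettled"])
```

In the sample, B cannot send 200 on a balance of 130, but once C's 150 order arrives the pair settles for a net 50 from B; A's final 60 order finds neither balance nor an offset and is simply dropped at the close. Note what the model does not do: it never extends intraday credit, which is exactly the exposure the earlier discussion of daylight overdrafts is about.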


After completion of this process, CHIPS will transfer to those participants who have any balances remaining, that is, participants in an overall net positive position for the day, the full amount of those positions.

Manual Systems

Not all financial institutions employ an EFT system. Some banks execute such a small number of EFT transactions that the cost of a computer-based system such as Fedwire is prohibitive. Instead, these banks will continue to execute EFTs by a telephone call to a correspondent bank. Executing EFT transactions in this way is an acceptable practice as long as the bank has adequate internal control procedures.

Message Systems

The message systems employed by financial institutions, corporations, or other organizations to originate payment orders—either for their own benefit or for payment to a third party—are indispensable components of funds-transfer activities. Unlike payment systems, which transmit actual debit and credit entries, message systems process administrative messages and instructions to move funds. The actual movement of the funds is then accomplished by initiating the actual entries to debit the originating customer’s account and to credit the beneficiary’s account at one or more financial institutions. If the beneficiary’s account or the beneficiary bank’s account is also with the originator’s bank, the transaction is normally handled internally through book entry. If the beneficiary-related accounts are outside the originating customer’s bank, the transfer may be completed by use of a payment system such as Fedwire or CHIPS. The means of arranging payment orders ranges from manual methods (for example, memos, letters, telephone calls, fax messages, or standing instructions) to electronic methods using telecommunications networks. These networks may include those operated by the private sector, such as SWIFT or Telex, or other networks operated internally by particular financial institutions.

Even though the transfers initiated through systems such as SWIFT and Telex do not result in the immediate transfer of funds from the issuing bank, they do result in the issuing bank’s having an immediate liability, which is payable to the disbursing bank. Therefore, the internal operating controls of these systems should be as stringent as the ones implemented for systems such as Fedwire and CHIPS.

SWIFT

The Society for Worldwide Interbank Financial Telecommunications (SWIFT) is a nonprofit cooperative of member banks that serves as a worldwide interbank telecommunications network for structured financial messaging. Based in Brussels, Belgium, SWIFT is the primary system employed by financial institutions worldwide to transmit either domestic or international payment instructions. (For further information, see www.swift.com.)

TELEX

Several private telecommunications companies offer worldwide or interconnected services that provide a printed permanent record of each message transmitted. Telex is the primary message system for institutions that do not have access to SWIFT. The Telex systems do not include built-in security features. Telex users exchange security codes, and senders sequentially number messages sent to another institution.

Automated Clearinghouse and Check Transactions

The automated clearinghouse (ACH) is an electronic payment delivery system used to process low-dollar retail payments. The system is used for preauthorized recurring payments and one-time payments. First introduced in the early 1970s as a more efficient alternative to checks, ACH has evolved into a nationwide mechanism that processes electronically originated credit and debit transfers for any participating institution nationwide. An alternative to paper checks, the ACH handles billions of payments annually. Financial institutions are encouraged to obtain a copy of the ACH rules of the National Automated Clearing House Association (NACHA): A Complete Guide to Rules and Regulations Governing the ACH Network. The ACH rules provide detailed information on rule changes, their operational impact, and whether any software changes are required. The rulebook is designed to help financial institutions comply with the current NACHA rules, which are applicable to all ACH participants and include a system of national fines. (For further information, see www.nacha.org.) The Federal Reserve ACH is governed by Operating Circular #4, “ Items.” Other important federal legislation concerning the ACH can be found in Regulation E (primarily regarding consumer rights pertaining to electronic funds transfers) and Regulation CC (concerning the availability of funds). (For further information, see www.frbservices.org.)

There are two types of ACH transactions: ACH debits and ACH credits. In an ACH debit transaction, the originator of the transaction is debiting the receiver’s account. Therefore, funds flow from the receiver to the originator of the transaction.

from one to three business days, depending on when the customer (the employer) funds the payments it originates. If the customer fails to fund the payments on the settlement day, the potential loss faced by the originating bank is equal to the total value of payments from the time the payments are sent to the ACH operator until the customer funds these payments.

SECURITIES CLEARING AND SETTLEMENT SYSTEMS

Fedwire Securities

The Fedwire Securities Service is a securities settlement system that provides safekeeping services and transfer and settlement services. The safekeeping services enable eligible participants to hold securities issued by the U.S. Department
Mortgage payments for which con- of the Treasury, federal agencies, government- sumers authorize the mortgage company to debit sponsored enterprises (GSEs), and certain inter- their accounts each month are examples of ACH national organizations in securities accounts at debit transactions. ACH debits are also being the Reserve Banks. The transfer and settlement used increasingly for one-time payments autho- services enable eligible participants to transfer rized through the telephone, Internet, or mail. securities to other eligible participants against ACH debit transactions have similarities to payment or free of payment. check transactions. Both receivers of ACH debit Participants in the Fedwire Securities Service files and payers of checks have the right to generally maintain a master account and have return transactions for various reasons, such as routine access to Reserve Bank intraday credit. insufficient funds in the account or a closed Like the Fedwire Funds Service, access to the account. The major risk facing institutions that Fedwire Securities Service is limited to deposi- originate ACH debit transactions and collect tory institutions and a few other organizations, checks for customers is return-item risk. Return- such as federal agencies, state government trea- item risk extends from the day funds are made surers’ offices (which are designated by the U.S. available to the customer until the individual Department of the Treasury to hold securities return items are received. accounts), and limited-purpose trust companies In an ACH credit transaction, the originator of that are members of the Federal Reserve Sys- the transaction is crediting the receiver’s account. tem. Nonbank brokers and dealers typically hold An ACH credit transaction is similar to Fedwire and transfer their securities through clearing funds transfers in that funds flow from the banks, which are Fedwire participants that pro- originator of the transaction to the receiver. 
A vide specialized government securities clearing company payroll payment to its employee would services. (For more information, see www. be an example of an ACH credit transaction: the federalreserve.gov/paymentsystems/) bank sending payments on behalf of a customer Securities transfers can be made free of pay- (the employer in this instance) has a binding ment or against a designated payment. Most commitment to settle for the payments when the securities transfers involve the delivery of secu- bank sends them to the ACH operator. Since the rities and the simultaneous exchange of payment ACH is a value-dated mechanism, that is, trans- for the securities, a transaction called delivery- actions may be originated one or two days versus-payment. The transfer of securities and before the specified settlement day, the bank is related funds (if any) is final at the time of exposed to temporal credit risk that may extend transfer.

April 2010 Commercial Bank Examination Manual Page 4 Payment System Risk and Electronic Funds Transfer Activities 5320.1

Transfer-Size Limit on Book-Entry Securities

Secondary-market book-entry securities transfers on Fedwire are limited to a transfer size of $50 million par value. This limit is intended to encourage partial deliveries of large trades in order to reduce position building by dealers, a major cause of book-entry securities overdrafts before the introduction of the transfer-size limit and daylight-overdraft fees. This limitation does not apply to—

• original-issue deliveries of book-entry securities from a Reserve Bank to an institution, or
• transactions sent to or by a Reserve Bank in its capacity as fiscal agent of the United States, government agencies, or international organizations.

Thus, requests to strip or reconstitute Treasury securities or to convert bearer or registered securities to or from book-entry form are exempt from this limitation. Also exempt are pledges of securities to a Reserve Bank as principal (for example, discount window collateral) or as agent (for example, Treasury Tax and Loan collateral).

Private Systems

In addition to U.S. Treasury and government-agency securities, major categories of financial instruments commonly traded in the United States include corporate equities and bonds, municipal (state and local) government securities, money market instruments, and derivatives such as swaps and exchange-traded options and futures. These instruments are generally traded through recognized exchanges or over-the-counter dealer markets. The mechanisms for clearance and settlement vary by type of instrument and generally involve specialized financial intermediaries, such as clearing corporations and depositories. Clearing corporations provide trade comparison and multilateral netting of trade obligations. Securities depositories, in contrast, hold physical securities and provide book-entry transfer and settlement services for their members.

The vast majority of corporate equity and bond trades are cleared through the National Securities Clearing Corporation (NSCC). Most corporate securities, as well as municipal government bonds, are held at the Depository Trust Company (DTC) in New York. Settlement of securities cleared through the NSCC is effected by book-entry transfers at the DTC. The DTC and the NSCC are owned by the Depository Trust and Clearing Corporation, an industry-owned holding company. (For more information, see www.dtcc.com.)

U.S. Treasury, federal-agency, and mortgage-backed securities are generally traded in over-the-counter markets. The Fixed Income Clearing Corporation (FICC) compares and nets its members’ trades in most U.S. Treasury and federal-agency securities. The FICC relies on the Fedwire securities service, discussed above, to effect final delivery of securities to its participants. The FICC is owned by the DTCC. (For more information see www.dtcc.com.)

The FICC also provides automated post-trade comparison, netting, risk-management, and pool-notification services to the mortgage-backed securities market. The FICC provides its specialized services to major market participants active in various Government National Mortgage Association (GNMA), Federal Home Loan Mortgage Corporation (Freddie Mac or FHLMC), and Federal National Mortgage Association (Fannie Mae or FNMA) mortgage-backed securities programs. The net settlement obligations of FICC participants are settled through the Fedwire book-entry securities system.

POLICY ON PAYMENT SYSTEM RISK

The Federal Reserve’s Policy on Payment System Risk (the PSR policy) addresses, in part, the risks that payment and securities settlement systems present to the Federal Reserve Banks, the banking system, and other sectors of the economy. Part II of the PSR policy focuses on institutions’2 use of Federal Reserve intraday credit.3 An integral component of the PSR policy is a program to control the risks in the payment system, including institutions’ use of

2. The PSR policy uses the term institutions, which refers to depository institutions, U.S. branches and agencies of foreign banking organizations, Edge and agreement corporations, bankers’ banks, limited-purpose trust companies, government-sponsored enterprises, and international organizations, unless the context indicates a different meaning.
3. Part I of the PSR policy addresses risks in private-sector payment systems and settlement.

Federal Reserve intraday credit, commonly referred to as daylight credit or daylight overdrafts. Individual Reserve Banks are responsible for administering the Board’s PSR policy and ensuring compliance by institutions. A primary objective of examiners when evaluating payment system risk is to ensure that banks using Federal Reserve payment services comply with the Board’s PSR policy.

PSR Policy Objectives

Like institutions that offer payment services to customers, Federal Reserve Banks encounter credit risk when they process payments for institutions that hold accounts with them. The Federal Reserve guarantees settlement on Fedwire funds and book-entry securities transfers, net settlement service (NSS) entries,4 and ACH credit originations made by account holders. If an institution were to fail after sending a transaction that placed its account in an overdraft position, the Federal Reserve would be obligated to cover the payment and bear any resulting losses. Risk is present even when an institution overdraws its account at a Reserve Bank for only a few minutes during the day.

Similar types of risk are generated when customers of private financial institutions and participants in some private-sector payment arrangements incur daylight overdrafts. In addition, daylight credit may be a source of systemic risk in the payment system. Systemic risk refers to the potential that the failure of one participant in a payment system, or in the financial markets generally, to meet its required obligations will cause other participants or financial institutions to be unable to meet their settlement obligations when due.

The PSR policy allows Reserve Banks to mitigate their credit risk in several ways. For instance, institutions that access daylight credit must satisfy safety-and-soundness requirements. In addition, the policy permits Reserve Banks to protect themselves from risk exposure of individual institutions through such measures as restricting account activity or imposing collateral requirements.

The PSR policy establishes limits on the maximum amount of Federal Reserve daylight credit that an institution may use during a single day or over a two-week period. These limits are sufficiently flexible to reflect the overall financial condition and operational capacity of each institution using Federal Reserve payment services. The policy also permits Reserve Banks to protect themselves from the risk of loss through measures such as reducing net debit caps; imposing collateralization or clearing-balance requirements; and rejecting certain transactions during the day until balances are available in its Federal Reserve account; or, in extreme cases, taking the institution offline or prohibiting it from using Fedwire.

FEDERAL RESERVE INTRADAY CREDIT POLICIES (PART II)

In December 2008, the Board adopted major revisions to part II of the PSR policy that are designed to improve intraday liquidity management and payment flows for the banking system, while also helping to mitigate the credit exposures of the Federal Reserve Banks.5 The changes included an approach that explicitly recognizes the role of the in providing intraday balances and credit to healthy depository institutions. In addition, the Board revised other elements of the PSR policy dealing with daylight overdrafts, which included adjusting net debit caps, voluntary collateralization of intraday credit, a limit on total daylight overdrafts in institutions’ Federal Reserve accounts, and eliminating the current deductible for daylight overdraft fees.

The Board also approved for certain foreign banking organizations a policy change related to the calculation of the deductible amount from daylight overdraft fees and early implementation of the streamlined procedure for maximum daylight overdraft capacity (max cap). The policy changes and the early implementation of the streamlined max cap became effective on March 26, 2009.

Daylight-Overdraft Capacity

Under the Federal Reserve’s PSR policy, each institution that maintains an account at a Federal Reserve Bank is assigned or may establish a net

4. The Federal Reserve’s NSS provides settlement services to various clearinghouses.
5. See Board’s press release at www.federalreserve.gov/newsevents/press/other/20081219a.htm.

Table 1—Net debit cap multiples

Cap categories        Single-day            Two-week average
High                  2.25                  1.50
Above average         1.875                 1.125
Average               1.125                 0.75
De minimis            0.40                  0.40
Exempt-from-filing*   $10 million or 0.20   $10 million or 0.20
Zero                  0                     0

* The net debit cap for the exempt-from-filing category is equal to the lesser of $10 million or 0.20 multiplied by the institution’s capital measure.

debit cap, as outlined below. The net debit cap limits the amount of intraday Federal Reserve credit that the institution may use during a given interval. The policy allows financially healthy institutions that have regular access to the discount window to incur daylight overdrafts in their Federal Reserve accounts up to their individual net debit caps. In addition, the policy allows certain institutions to pledge collateral to the Federal Reserve to access additional daylight-overdraft capacity above their net debit caps. In these instances, the institution can incur daylight overdrafts equaling the lesser of its net debit cap and pledged collateral or max cap if it is fully collateralized.

NET DEBIT CAPS

An institution’s net debit cap refers to the maximum dollar amount of uncollateralized daylight overdrafts that the institution may incur in its Federal Reserve account. An institution’s cap category and its capital measure determine the dollar amount of its net debit cap.6 An institution’s net debit cap is calculated as its cap multiple, as listed in table 1, times its capital measure:

net debit cap = cap multiple × capital measure

Because a net debit cap is a function of an institution’s capital measure, the dollar amount of the cap will vary over time as the institution’s capital measure changes. Unless circumstances warrant a revision, an institution’s cap category, however, is normally fixed over a one-year period. Cap categories and their associated cap levels, set as multiples of capital, are listed in table 1.

An institution is expected to avoid incurring daylight overdrafts whose daily maximum level, averaged over a two-week period, would exceed its two-week average cap, and, on any day, would exceed its single-day cap. The two-week average cap provides flexibility, recognizing that fluctuations in payments can occur from day to day. The purpose of the single-day cap is to limit excessive daylight overdrafts on any day and to ensure that institutions develop internal controls that focus on the exposures each day, as well as over time. Institutions in the zero, exempt-from-filing, and de minimis cap categories have one cap that applies to both the single-day peak overdraft and the average overdraft for a two-week period.

The Board’s policy on net debit caps is based on a specific set of guidelines and some degree of examiner oversight. Under the Board’s policy, a Reserve Bank may limit or prohibit an institution’s use of Federal Reserve intraday credit if (1) the institution’s use of daylight credit is deemed by the institution’s supervisor to be unsafe or unsound, (2) the institution does

6. The capital measure used in calculating an institution’s net debit cap depends on its home-country supervisor and chartering authority. For institutions chartered in the United States, net debit caps are multiples of “qualifying” or similar capital measures, that is, those capital instruments that can be used to satisfy risk-based capital standards, as set forth in the capital adequacy guidelines of the federal financial institution regulatory agencies.

Commercial Bank Examination Manual April 2010 Page 7 5320.1 Payment System Risk and Electronic Funds Transfer Activities not qualify for a positive net debit cap (see the Internet at www.federalreserve.gov/ section II.C.2., “Cap Categories,” of the PSR paymentsystems/psr_relpolicies.htm.) policy), or (3) the institution poses excessive risk to a Reserve Bank by incurring chronic Creditworthiness. Of the four self-assessment overdrafts in excess of what the Reserve Bank factors, creditworthiness is the most influential determines is prudent. in determining an overall net debit cap for a given institution. The creditworthiness factor is principally determined by a combination of the Cap Categories institution’s capital adequacy and most recent supervisory rating. In the self-assessment, an The PSR policy defines six cap categories: high, institution’s creditworthiness is assigned one of above average, average, de minimis, exempt- the following ratings: excellent, very good, ad- from-filing, and zero. The high, above-average, equate, or below standard. An excellent or a and average cap categories are referred to as very good rating indicates that an institution “self-assessed” caps. demonstrates a sustained level of financial per- formance above its peer-group norm. As a general matter, fundamentally sound institutions Self-Assessed that experience only modest weaknesses receive a rating of very good. To establish a net debit cap category of high, Most institutions will use the creditworthiness above-average, or average, an institution must matrix to determine this component’s rating. If perform a self-assessment of its creditworthi- an institution’s creditworthiness rating is ad- ness, intraday funds management and control, equate or better, it then proceeds to rate the other customer credit policies and controls, and oper- three factors in the self-assessment process. The ating controls and contingency procedures. 
The institution’s assessment of the other three fac- assessment of creditworthiness is based on the tors determines whether its composite rating institution’s supervisory rating and prompt- will be lower than or equal to that determined by corrective-action designation. An institution may the creditworthiness factor. If the overall cred- be required to perform a full assessment of its itworthiness is below standard, then the institu- creditworthiness in certain limited circum- tion does not qualify for a positive daylight- stances, for example, if its condition has changed overdraft cap. In certain limited circumstances, significantly since the last examination. An an institution may conduct a full analysis of this institution performing a self-assessment must component. The matrix and information regard- also evaluate its intraday funds-management ing the full analysis are available in the Guide to procedures and its procedures for evaluating the the Federal Reserve’s Payment System Risk financial condition of, and establishing intraday Policy. credit limits for, its customers. Finally, the institution must evaluate its operating controls Intraday funds management and control. The and contingency procedures to determine if they purpose of analyzing intraday funds manage- are sufficient to prevent losses due to fraud or ment and control is to assess an institution’s system failures. ability to fund its daily settlement obligations An examiner’s review of an institution’s as- across all payment systems in which it partici- sessment is an important part of determining the pates. The analysis requires a review of funds institution’s compliance with the PSR policy. management, credit, operations personnel, and An examiner is responsible for ensuring that the payment activity over a period of time. 
institution has applied the guidelines appropri- To obtain an accurate understanding of funds ately and diligently, that the underlying analysis movements, an institution must fully understand and methodology were reasonable, and that the its daily use of intraday credit as well as its use resulting self-assessment was generally consis- of intraday credit on average over two-week tent with examination findings. The following periods. The analysis should cover a sufficient discussion is a simplified explanation of the period of time so that an institution can deter- self-assessment factors. A more detailed expla- mine its peak demand for intraday credit and nation of the self-assessment process is provided establish its average use of such credit. The in the Guide to the Federal Reserve’s Payment more volatile an institution’s payments activity, System Risk Policy. (The guide is available on the longer the interval that is selected for analy-

April 2010 Commercial Bank Examination Manual Page 8 Payment System Risk and Electronic Funds Transfer Activities 5320.1 sis. The analysis incorporates all operational dents and all counterparties on privately oper- areas with access to payment systems. In addi- ated clearing and settlement systems must be tion to large-dollar funds and book-entry assessed. securities-transfer activity, the review should address check clearing, ACH, currency opera- Operating controls and contingency procedures. tions, and other payment activity that results in The purpose of the analysis of operating con- relatively large-value settlement obligations. trols and contingency procedures is to assess the Thus, the analysis should not be limited to integrity and the reliability of an institution’s online payment systems or to payment systems payment operations to ensure that they are not a to which the institution has online access. Ad- source of operating risk. The integrity of opera- ditionally, institutions with direct access to Fed- tions is of particular concern because opera- wire or to other payment systems in more than tional errors and fraud can increase the cost of one Federal Reserve District must combine all payment services and undermine public confi- of these access points into a single integrated dence in the payments mechanism. Similar analysis. results can occur if payment systems are unre- In performing the analysis, the institution liable and if parties making and receiving pay- considers both liquidity demands and the poten- ments do not have confidence that timely pay- tial credit risks associated with participation in ments will be made. each payment system. The institution’s capacity Overall assessment rating. Once the four self- to settle its obligations in both routine and assessment components are analyzed and an nonroutine circumstances must be carefully as- overall rating is determined, the institution’s sessed. 
In many cases, a complete assessment of self-assessment and recommended cap category an institution’s ability to control its intraday must be reviewed and approved by the institu- obligations extends beyond its ability to control tion’s board of directors at least once each its use of Federal Reserve intraday credit within 12-month period. A cap determination may be the constraints of its net debit cap. Rather, the reviewed and approved by the board of directors assessment extends to the institution’s ability to of a holding company parent of an institution, control its position across all payment systems provided that (1) the self-assessment is per- to a level that permits it to fund its obligations formed by each entity incurring daylight over- regularly. This type of assurance requires an drafts, (2) the entity’s cap is based on the institution to fully understand the nature of its measure of the entity’s own capital, and (3) each obligations and to establish systems that permit entity maintains for its primary supervisor’s it to monitor daily activity and respond to review its own file with supporting documents unusual circumstances. for its self-assessment and a record of the Customer credit policies and controls. The as- parent’s board-of-directors review. The direc- sessment of an institution’s customer credit tors’ approval must be communicated to the policies and controls requires two distinct analy- Reserve Bank by submission of a board-of- ses: directors resolution. The Reserve Bank then reviews the cap resolution for appropriateness, • an analysis of the institution’s policies and in conjunction with the institution’s primary procedures for assessing the creditworthiness regulator. 
If the Reserve Bank determines that of its customers, counterparties, and correspon- the cap resolution is not appropriate, the insti- dents and tution is informed that it must re-evaluate its • an analysis of the institution’s ability to moni- self-assessment and submit another resolution. tor the positions of individual customers and A resolution to establish a different cap category to control the amount of intraday and interday may be submitted by the institution, or it may be credit extended to each customer. required by the Reserve Bank before the annual renewal date, if circumstances warrant such a The analyses require the involvement of both change. credit and operations personnel, and both analy- ses should focus on the creditworthiness of all De Minimis customers, including corporate and other insti- tutions that are active users of payment services. Institutions that qualify for a de minimis net In addition, the creditworthiness of correspon- debit cap incur relatively small daylight over-

Commercial Bank Examination Manual April 2009 Page 9 5320.1 Payment System Risk and Electronic Funds Transfer Activities drafts and thus pose little risk to the Federal institution that has adopted a zero cap incurs a Reserve. To ease the burden of performing a daylight overdraft, the Reserve Bank counsels self-assessment for these institutions, the PSR the institution and may monitor the institution’s policy allows institutions that meet reasonable activity in real time and reject or delay certain safety-and-soundness standards to incur de mini- transactions that would cause an overdraft. If the mus amounts of daylight overdrafts without institution qualifies for a positive cap, the performing a self-assessment. Such an institu- Reserve Bank may suggest that the institution tion may incur daylight overdrafts of up to adopt an exempt-from-filing cap or file for a 40 percent of their capital measure if it submits higher cap, if the institution believes that it will a board-of-directors resolution. continue to incur daylight overdrafts. In addi- An institution with a de minimis cap must tion, a Reserve Bank may assign an institution a submit to its Reserve Bank at least once in each zero net debit cap. Institutions that may pose 12-month period a copy of its board-of-directors special risks to the Reserve Banks, such as those resolution (or a resolution by its holding com- institutions without regular access to the dis- pany’s board) approving the institution’s use of count window, those incurring daylight over- daylight credit up to the de minimis level. If an drafts in violation of this policy, or those in institution with a de minimis cap exceeds its cap weak financial condition, are generally assigned during a two-week reserve-maintenance period, a zero cap. New account holders may also be its Reserve Bank will decide whether the de assigned a zero net debit cap. 
minimis cap should be maintained or whether the institution will be required to perform a self-assessment for a higher cap.

Exempt-from-Filing

The majority of institutions that hold Federal Reserve accounts have an exempt-from-filing net debit cap. Granted at the discretion of the Reserve Bank, the exempt-from-filing cap category permits institutions that use small amounts of Federal Reserve daylight credit to incur daylight overdrafts that exceed the lesser of $10 million or 20 percent of their capital measure. The Reserve Banks will review the status of an exempt institution that incurs overdrafts in its Federal Reserve account in excess of $10 million or 20 percent of its capital measure on more than two days in any two consecutive two-week reserve-maintenance periods. The Reserve Bank will decide if the exemption should be maintained or if the institution will be required to file for a higher cap. Granting of the exempt-from-filing net debit cap is at the discretion of the Reserve Bank.

Zero

Some financially healthy institutions that could obtain positive net debit caps choose to have zero caps. Often these institutions have very conservative internal policies regarding the use of Federal Reserve daylight credit, or they simply do not want to incur daylight overdrafts and any associated daylight-overdraft fees. If an

Maximum Daylight Overdraft Capacity (Max Cap)

While net debit caps provide sufficient liquidity to most institutions, some institutions may experience liquidity pressures. Consequently, certain institutions with self-assessed net debit caps may pledge collateral to their administrative Reserve Bank (ARB) to secure daylight-overdraft capacity in excess of their net debit caps, subject to Reserve Bank approval. This policy is intended to provide extra liquidity through the pledge of collateral to the few institutions that might otherwise be constrained from participating in risk-reducing payment system initiatives. Institutions that request daylight-overdraft capacity beyond the net debit cap must have already explored other alternatives to address their increased liquidity needs.7 An institution that wishes to expand its daylight-overdraft capacity by pledging collateral should consult with its ARB.8 The ARB will work with an institution that requests additional daylight-overdraft capacity to decide on the appropriate max cap level.

7. Some potential alternatives available to a depository institution to address increased intraday credit needs include (1) shifting funding patterns, (2) delaying the origination of funds transfers in a way that does not significantly increase operational risks, or (3) transferring some payments-processing business to a correspondent bank.
8. The ARB is responsible for the administration of Federal Reserve credit, reserves, and risk-management policies for a given institution or other legal entity.

April 2009 Commercial Bank Examination Manual Page 10 Payment System Risk and Electronic Funds Transfer Activities 5320.1

When considering the institution’s request, the Reserve Bank will evaluate the institution’s rationale for requesting additional daylight-overdraft capacity as well as its financial and supervisory information. The financial and supervisory information considered may include, but is not limited to, capital and liquidity ratios, the composition of balance-sheet assets, CAMELS or other supervisory ratings and assessments, and SOSA rankings (for U.S. branches and agencies of foreign banks).9 Institutions are also expected to submit the following information when requesting a max cap level under general procedures:

• the amount of maximum daylight-overdraft capacity requested
• written justification for requesting additional daylight-overdraft capacity
• written approval from the institution’s board of directors or, in the case of U.S. branches and agencies of foreign banks, written approval from the bank’s most senior officer responsible for formulating policy at the foreign bank’s U.S. head office
• a principal contact at the institution

When deciding whether an institution is eligible for collateralized capacity, the ARB will consider the institution’s reasons for applying for additional collateralized capacity; the information related to the institution’s condition; and other information, as applicable. If the ARB approves the request for a max cap level, the institution must submit a board-of-directors resolution for the max cap level at least once in each 12-month period, indicating its board-of-directors approval of that level. An institution’s max cap is defined as follows:

maximum daylight-overdraft capacity or max cap = single-day net debit cap + collateralized capacity10

Institutions with exempt-from-filing and de minimis net debit caps may not obtain additional daylight-overdraft capacity by pledging collateral. These institutions must first obtain a self-assessed net debit cap. Institutions with zero net debit caps also may not obtain additional daylight-overdraft capacity by pledging collateral. If an institution has adopted a zero cap voluntarily, but qualifies for a positive cap, it may not obtain additional daylight-overdraft capacity by pledging collateral without first obtaining a self-assessed net debit cap. Institutions that have been assigned a zero net debit cap by their ARB are not eligible for additional daylight-overdraft capacity.

ROLE OF DIRECTORS

The directors of an institution establish and implement policies to ensure that its management follows safe and sound operating practices, complies with applicable banking laws, and prudently manages financial risks. Given these responsibilities, the directors play a vital role in the Federal Reserve’s efforts to reduce risks within the payment system. As part of the PSR policy, the Federal Reserve requests that directors, at a minimum, undertake the following responsibilities:

• Understand the institution’s practices and controls for the risks it assumes when processing large-dollar transactions for both its own account and the accounts of its customers or respondents.
• Establish prudent limits on the daylight overdrafts that the institution incurs in its Federal Reserve account and on its privately operated clearing and settlement systems.
• Periodically review the frequency and dollar levels of daylight overdrafts to ensure that the institution operates within the guidelines established by its board of directors.

Directors should be aware that, under the Federal Reserve’s PSR policy, repeated policy violations could lead to reductions in the institution’s daylight-overdraft capacity, or to the imposition of restrictions on its Federal Reserve account activity, either of which could affect the institution’s operations.

9. See the full text of the PSR policy to view the streamlined procedures a qualified foreign banking organization may request from its Reserve Bank to obtain a max cap.
10. Collateralized capacity represents the collateralized component of the max cap approved by the Reserve Bank. The amount of collateralized capacity cannot exceed the difference between the institution’s max cap level and its net debit cap. For example, if an institution’s single-day net debit cap increases as a result of an increase in capital at the institution, its max cap is unchanged, so its collateralized capacity is reduced. The institution’s overdraft position will be measured against the lesser of (1) its max cap or (2) its net debit cap plus the amount of collateral pledged.

Each institution that performs a self-assessment for a net debit cap should establish daylight-overdraft policies and controls after considering its creditworthiness, intraday funds management and control, customer credit policies and controls, and operating controls and contingency procedures.

The directors may appoint a committee of directors to focus on the institution’s participation in payment systems and its use of daylight credit. Furthermore, a higher-level board of the same corporate family may conduct a self-assessment review, if necessary, and approve a resolution. The board of directors should be aware that delegating the review process to a committee or higher-level board does not absolve the directors from the responsibilities stated in the Federal Reserve’s PSR policy. The directors cannot delegate this responsibility to an outside consultant or third-party service provider.

For institutions requesting max caps, the board of directors must understand the use and purposes of the pledged collateral under the PSR policy. The directors must understand the reasons that the institution is applying for additional daylight-overdraft capacity, the amount of the collateralized capacity, and the total amount of the net debit cap plus collateralized capacity.

The Federal Reserve recognizes that directors of foreign banks do not necessarily serve in the same capacity as directors of banks in the United States. Therefore, individuals who are responsible for formulating policy at the foreign bank’s head office may substitute for directors in performing the responsibilities specified in the PSR policy.

Cap Resolutions

A board-of-directors resolution is required to establish a cap in the de minimis or self-assessed cap categories (high, above average, or average). In addition, a separate resolution is required for self-assessed institutions that wish to obtain collateralized capacity above their net debit caps (max cap). These resolutions must follow a prescribed format. Specifically, resolutions must include (1) the official name of the institution, (2) the city and state in which the institution is located, (3) the date the board acted, (4) the cap category adopted, (5) the appropriate official signature, and (6) the ABA routing number of the institution. For a board resolution approving the results of a self-assessment, the resolution must identify the ratings assigned to each of the four components of the assessment as well as the overall rating used to determine the actual net debit cap. In addition, the institution should indicate if it did not use the creditworthiness-matrix approach in determining its creditworthiness rating.

An institution’s primary supervisor may review resolutions, and any information and materials the institution’s directors used to fulfill their responsibilities under the PSR policy. They must be made available to the bank supervisor’s examiners. Supporting documentation used in determining an appropriate cap category must be maintained at the institution. At a minimum, the following items must be maintained in the institution’s “cap resolution file”:

• an executed copy of the resolution adopting the net debit cap and/or max cap;
• worksheets and supporting analysis used in its self-assessment of its own cap category;
• for institutions with self-assessed caps, copies of management’s self-assessment of creditworthiness, intraday funds management and control, customer credit policies and controls, and operating controls and contingency procedures;
• minutes and other documentation that serve as a formal record of any directors’ discussions on the self-assessment and/or request for max cap;
• status reports the board of directors received on the institution’s compliance with both the resolutions adopted by the directors and the PSR policy; and
• other materials that provide insight into the directors’ involvement in carrying out their responsibilities under the PSR policy, including special studies or presentations made to the directors.

The board-of-directors resolution for de minimis and self-assessed institutions and for collateralized-capacity resolutions is valid for one year after the Reserve Bank approves the net debit cap or the amount of maximum daylight-overdraft capacity. An institution with a de minimis cap must renew its cap resolution annually by submitting a new resolution to its Reserve Bank. An institution with a self-assessed cap must perform a new self-assessment annually and submit an updated cap resolution to its Reserve Bank.

An institution that has a self-assessed cap and has obtained a max cap must submit a board-of-directors resolution to its Reserve Bank annually. Procedures for submitting these resolutions are the same as those for establishing the initial cap; however, an institution may submit a resolution for a different cap category or a different amount of collateralized capacity, if appropriate. The Reserve Bank, in conjunction with an institution’s primary supervisor, will review the appropriateness of each resolution.

Because the self-assessment process may, in some cases, require considerable time to complete and approve, institutions should be aware of the expiration date of their cap resolutions well in advance. If a new cap resolution is not received by the expiration date, an institution may be assigned a zero cap, which would generally preclude the institution from using any Federal Reserve daylight credit.

Confidentiality

The Federal Reserve considers institutions’ daylight-overdraft caps; cap categories; and collateralized capacity, if applicable, to be confidential information and will only share this information with an institution’s primary supervisor. Institutions are also expected to treat cap and collateralized-capacity information as confidential. Cap and collateralized-capacity information should not be shared with outside parties or mentioned in any public documents.

DAYLIGHT-OVERDRAFT MONITORING AND CONTROL

All institutions that maintain Federal Reserve accounts and use Federal Reserve Services are expected to monitor their account balances on an intraday basis. Institutions should be aware of payments they are making from their accounts each day and how those payments are funded. Institutions are encouraged to use their own systems and procedures, as well as the available Federal Reserve systems, to monitor their Federal Reserve account balance and payment activity.

Daylight-Overdraft Measurement

To determine whether a daylight overdraft has occurred in an institution’s account, the Federal Reserve uses a set of transaction-posting rules that define explicitly the time of day that debits and credits for transactions processed by a Reserve Bank will post to the account.11 All Fedwire funds transfers, book-entry securities transfers, and NSS transactions are posted to an institution’s account as they occur throughout the day. Other transactions, including ACH and check transactions, are posted to institutions’ accounts according to a defined schedule. These posting rules should help institutions control their use of intraday credit because they allow institutions to monitor the time that each transaction is credited or debited to their account. Note that these posting times affect the calculation of the account balance for daylight-overdraft-monitoring and pricing purposes but do not affect the finality or revocability of the entry to the account. An important feature of the posting rules is a choice of posting times for check credits.

Monitoring Daylight Overdrafts

To monitor an institution’s overdraft activity and its compliance with the PSR policy and to calculate daylight-overdraft charges, the Federal Reserve uses the Daylight-Overdraft Reporting and Pricing System (DORPS). DORPS captures all debits and credits resulting from an institution’s payment activity and calculates end-of-minute account balances using the daylight-overdraft posting rules. As measured by DORPS, an institution’s account balance is calculated at the end of each minute, based on its opening balance and all payment transactions posted to the institution’s account up until that moment.

11. Posting rules were last amended on June 20, 2006, when the Board revised its PSR policy (effective July 20, 2006) concerning interest and redemption payments on securities issued by government-sponsored enterprises (GSEs) and certain international organizations. The revised policy requires Reserve Banks to release these interest and redemption payments as directed by the issuer, provided the issuer’s Federal Reserve account contains sufficient funds to cover them. Each issuer is required to fund its interest and redemption payments by 4 p.m. eastern time for the payments to be processed that day. For further information on the posting rules, see the PSR policy.

The daylight-overdraft measurement period begins with the current official opening time of Fedwire and continues until the official closing time. Although DORPS records positive as well as negative account balances, positive balances do not offset negative balances for purposes of determining compliance with net debit caps or for calculating daylight-overdraft fees. In cases of unscheduled extensions of Fedwire hours, the final closing account balance is recorded as if it was the balance at the standard closing time, and balances between the scheduled and actual closing times are not recorded. DORPS generates reports at the end of each two-week reserve-maintenance period.12 These reports provide useful information for monitoring daylight overdrafts, such as peak daily overdrafts for the period; overdrafts in excess of net debit cap; end-of-minute account balances for a particular day; and related ratios, such as the peak daily overdraft relative to net debit cap.13

Monitoring PSR Policy Compliance

Reserve Banks generally monitor institutions’ compliance with the PSR policy over each two-week reserve-maintenance period. In most cases, a policy violation occurs when an institution’s account balance for a particular day shows one or more negative end-of-minute account balances in excess of its single-day net debit cap or when an institution’s average peak daily overdraft over a reserve-maintenance period exceeds its two-week average cap.14 The exceptions to this general rule are discussed below.

Institutions in the exempt-from-filing cap category are normally allowed two cap breaches in two consecutive, two-week, reserve-maintenance periods without violating the PSR policy. For institutions in all other cap categories or for institutions that have been approved for maximum daylight-overdraft capacity, each cap breach is considered a policy violation. A Reserve Bank may waive a violation in limited circumstances such as an operational problem at a Reserve Bank.

An institution with a self-assessed cap that has been approved for maximum daylight-overdraft capacity should avoid incurring daylight overdrafts that, on average over a two-week period, exceed its two-week-average limit, and that, on any day, exceed its single-day limit. The two-week-average limit is equal to the two-week average cap plus the amount of applicable collateralized capacity, averaged over a two-week reserve-maintenance period. The single-day limit is equal to an institution’s net debit cap plus the amount of collateralized capacity.

For daylight-overdraft purposes, accounts of U.S. branches and agencies of foreign banks and accounts involved in merger-transitions are monitored on a consolidated basis; that is, a single account balance is derived by adding together the end-of-minute balances of each account. The accounts of affiliated institutions are monitored separately if they are separate legal entities. In addition, for institutions with accounts in more than one Federal Reserve District, an ARB is designated. The ARB coordinates the Federal Reserve’s daylight-overdraft monitoring for the consolidated accounts or institutions.

Consequences of Violations

A PSR policy violation may initiate a series of Reserve Bank actions aimed at deterring an institution’s excessive use of Federal Reserve intraday credit. These actions depend on the institution’s history of daylight overdrafts and its financial condition. Initially, the Reserve Bank may assess the causes of the overdrafts, send a counseling letter to the institution, and review account-management practices. In addition, the Reserve Bank may require an institution to submit documentation specifying the actions it will take to address the overdraft problems. If policy violations continue, the Reserve Bank may take additional actions. For example, if a financially healthy institution in the zero, exempt-from-filing, or de minimis cap category continues to breach its cap, the Reserve Bank may recommend that the institution file a cap resolution or perform a self-assessment to obtain a higher net debit cap. If an institution continues to violate the PSR policy, and if counseling and other Reserve Bank actions have been ineffective, the Reserve Bank may assign the institution a zero cap.

12. Reserve Banks may make these reports available to institutions to assist in their internal account monitoring and control, and for the assessment of daylight overdraft fees.
13. For further information on the reports see the Account Management Guide at www.frbservices.org.
14. An institution’s average peak daily overdraft is calculated by adding the largest overdraft incurred for each day during a reserve-maintenance period and dividing that sum by the number of business days in the period.

In addition, the Reserve Bank may impose other account controls that it deems prudent, such as requiring increased clearing balances; rejecting Fedwire funds transfers, ACH credit originations, or NSS transactions in excess of the available account balance; or requiring the institution to fund certain transactions in advance. Reserve Banks also keep institutions’ primary regulators apprised of any recurring overdraft problems.

Real-Time Monitoring

The Account Balance Monitoring System (ABMS) is the system Reserve Banks use to monitor in real time the payment activity of institutions that potentially expose the Federal Reserve and other payment-system participants to excessive risk exposure. ABMS is both an information source and an account-monitoring and control tool. It allows institutions to obtain intraday balance information for purposes of managing their use of daylight credit and avoiding overnight overdrafts. All institutions that have an electronic connection to the Federal Reserve’s Fedwire funds-transfer service, such as a FedLine® terminal or a computer interface connection, are able to review their intraday Federal Reserve account position in ABMS. While ABMS is not a substitute for an institution’s own internal tracking and monitoring systems, it does provide real-time account information based on Fedwire funds and securities transfers and NSS transactions. Additionally, ABMS captures debits and credits resulting from other payment activity as those transactions are processed in the Reserve Bank’s accounting system. ABMS also provides authorized Federal Reserve Bank personnel with a mechanism to monitor and control account activity for selected institutions.

ABMS has the capability to reject or intercept funds transfers from an institution’s account. This capability is called real-time monitoring. The Federal Reserve Banks use real-time monitoring to prevent selected institutions from transferring funds from their accounts if there are insufficient funds to cover the payments. Institutions are generally notified before a Reserve Bank begins monitoring their account in real time.

If an institution’s account is monitored in the “reject” mode in ABMS, any outgoing Fedwire funds transfer, NSS transaction, or ACH credit origination that would cause an overdraft above a specified threshold, such as the institution’s available funds, would be immediately rejected back to the sending institution. The institution could then initiate the transfer again when sufficient funds became available in its account. If an institution’s account is monitored in the “intercept” mode, sometimes referred to as the “pend” mode, outgoing funds transfers, NSS transactions, or ACH credit originations that would cause an overdraft in excess of the threshold will not be processed but will be held. These intercepted transactions will either be released by the Reserve Bank once funds are available in the institution’s account or rejected back to the institution. Reserve Banks will normally be in direct contact with an institution in the event any of its funds transfers are intercepted.

Institutions can view Federal Reserve accounting information on the web through FedLine. The Account Management Information (AMI) application provides real-time access to intraday account-balance and daylight-overdraft balance information, detailed transaction information, and a variety of reports and inquiry services. Institutions can obtain information on accessing ABMS and AMI from any Federal Reserve Bank or in the Account Management Guide.

SPECIAL TYPES OF INSTITUTIONS

U.S. Branches and Agencies of Foreign Banks

Under the PSR policy, U.S. branches and agencies of foreign banks are typically treated the same as domestic institutions. However, several unique considerations affect the way in which the policy is applied to U.S. branches and agencies of foreign banks. In general, net debit caps for foreign banking organizations (FBOs) are calculated in the same manner as they are for domestic banks, that is, by applying cap multiples for one of the six cap categories to a capital measure.

For U.S. branches and agencies of foreign banks, net debit caps on daylight overdrafts in Federal Reserve accounts are calculated by applying the cap multiples for each cap category to the FBO’s U.S. capital equivalency measure. U.S. capital equivalency is equal to the following:

• 35 percent of capital for FBOs that are financial holding companies (FHCs)
• 25 percent of capital for FBOs that are not FHCs and have a strength-of-support assessment (SOSA) ranking of 1 (footnote 15)
• 10 percent of capital for FBOs that are not FHCs and are ranked a SOSA 2
• 5 percent of “net due to related institutions” for FBOs that are not FHCs and are ranked a SOSA 3.

U.S. branches and agencies of foreign banks that (1) wish to establish a non-zero net debit cap, (2) are an FHC, or (3) are ranked a SOSA 1 or 2 are required to file the Annual Daylight Overdraft Capital Report for U.S. Branches and Agencies of Foreign Banks (FR 2225). Granting a net debit cap or any extension of intraday credit to an institution is at the discretion of the Reserve Bank. If a Reserve Bank grants a net debit cap or extends intraday credit to a financially healthy FBO ranked a SOSA 3, the Reserve Bank may require such credit to be fully collateralized, given the heightened supervisory concerns associated with these FBOs.

As it does with U.S. institutions, the ARB must have the ability to assess regularly the financial condition of a foreign bank in order to grant the institution a daylight-overdraft cap other than zero. The ARB will generally require information regarding tier 1 and total risk-based capital ratios for the consolidated foreign bank. Accordingly, U.S. branches and agencies of foreign banks seeking a positive daylight-overdraft cap (exempt, de minimis, or self-assessment cap categories) should provide the ARB with capital ratios at the time the cap is established and annually thereafter. Workpapers for capital ratios need to be maintained at a designated U.S. branch or agency and are subject to review by the institution’s primary supervisor. The Federal Reserve considers capital information provided to the ARB in connection with an institution’s daylight-overdraft capacity to be confidential.

Effective March 26, 2009, a foreign bank that (1) is an FHC or (2) has a SOSA rating of 1 and has a self-assessed net debit cap may request from its Reserve Bank a streamlined procedure to obtain a maximum daylight overdraft capacity up to 100 percent times the net debit cap multiple. Also effective March 26, 2009, eligible foreign banks are granted a capital measure of 100 percent of capital for the purposes of calculating the deductible for daylight overdraft pricing.16 The provision regarding the deductible will remain in effect until the implementation of the revised PSR policy, which eliminates the deductible for all institutions.

Allocation of Caps

The Federal Reserve monitors the daylight overdrafts of U.S. branches and agencies of foreign banks on a consolidated basis; that is, each foreign-bank family, consisting of all of the U.S. branches and agencies of a particular foreign bank, has a single daylight-overdraft cap. Intraday account balances of all the U.S. branches and agencies in a foreign-bank family are added together for purposes of monitoring against its daylight-overdraft cap, in the same way that the account balances of institutions with accounts in more than one Federal Reserve District are added together.

For purposes of real-time monitoring, however, a foreign bank that has offices in more than one District may choose to allocate a portion of its net debit cap to branches or agencies in Districts other than that of the ARB. Unless a foreign-bank family instructs otherwise, the Federal Reserve will assign the dollar value of the family’s single-day daylight-overdraft cap to the branch or agency located in the District of the ARB. The foreign-bank family may indicate to the ARB the dollar amount of cap to be allocated to offices in other Districts.

15. The SOSA ranking is composed of four factors: the FBO’s financial condition and prospects, the system of supervision in the FBO’s home country, the record of the home country’s government in support of the banking system or other sources of support for the FBO, and transfer-risk concerns. Transfer risk relates to the FBO’s ability to access and transmit U.S. dollars, which is an essential factor in determining whether an FBO can support its U.S. operations. The SOSA ranking is based on a scale of 1 through 3, with 1 representing the lowest level of supervisory concern.
16. A deductible is a calculated amount that is subtracted from an institution’s daylight overdraft charges. In order to be eligible for the interim deductible, FBOs must request and receive Reserve Bank approval for a streamlined max cap and have unencumbered collateral pledged at all times to its Reserve Bank equal to or greater than the amount of the deductible. Some max caps received under the general procedure may also be eligible.

April 2009 Commercial Bank Examination Manual Page 16 Payment System Risk and Electronic Funds Transfer Activities 5320.1

in other Districts will be assigned to the branch or agency in the District of the ARB. Annually, a foreign bank should update or confirm its cap allocation to its ARB.

Nonbank Banks and Industrial Banks

Institutions subject to the Competitive Equality Banking Act of 1987 (CEBA), such as nonbank banks or certain industrial banks, may not incur daylight overdrafts on behalf of affiliates, except in three circumstances. First, the prohibition does not extend to overdrafts that are a result of inadvertent computer or accounting errors beyond the control of both the nonbank bank or industrial bank and its affiliate. Second, nonbank banks are permitted to incur overdrafts on behalf of affiliates that are primary U.S. government securities dealers, provided such overdrafts are fully collateralized. Third, overdrafts incurred in connection with an activity that is financial in nature are also permitted.

A nonbank bank or industrial bank loses its exemption from the definition of bank under the Bank Holding Company Act if it permits or incurs prohibited overdrafts. In enforcing these restrictions, the Federal Reserve uses a separate formula for calculating intraday Federal Reserve account positions for these institutions.

Institutions with Federal Reserve Accounts and No Access to the Federal Reserve Discount Window

Under the PSR policy, institutions that have Federal Reserve accounts but lack regular access to the discount window are not eligible for a positive daylight-overdraft cap. Institutions that do not have regular access to the discount window include Edge and agreement corporations, bankers' banks that are not subject to reserve requirements, limited-purpose trust companies, government-sponsored enterprises (GSEs), and certain international organizations. Institutions that have been assigned a zero cap by their Reserve Banks are also subject to special considerations under the PSR policy because of the risks they pose.

All of these institutions are strongly discouraged from incurring any daylight overdrafts and are subject to a penalty fee on any average daily overdraft incurred. If any such institution were to incur an overdraft, however, the Reserve Bank would require it to pledge collateral sufficient to cover the peak amount of the overdraft for an appropriate period.

The penalty fee is intended to provide a strong incentive for these institutions to avoid incurring any daylight overdrafts in their Federal Reserve accounts. The penalty fee assessed is equal to the annual rate applicable to the daylight overdrafts of other institutions (36 basis points) plus 100 basis points multiplied by the fraction of a 24-hour day during which Fedwire is scheduled to operate (currently 21.5 divided by 24). The daily overdraft penalty fee is calculated by dividing the annual penalty rate by 360. The daylight-overdraft penalty rate applies to the institution's average daily daylight overdraft in its Federal Reserve account. Institutions that are subject to the daylight-overdraft penalty fee are subject to a minimum penalty fee of $25 on any daylight overdrafts incurred in their Federal Reserve accounts.

SPECIAL SITUATIONS

Edge Act and Agreement Corporations

Edge Act and agreement corporations[17] do not have regular access to the discount window and should refrain from incurring daylight overdrafts in their Federal Reserve accounts. If any daylight overdrafts occur, the Edge Act or agreement corporation will be required to post collateral to cover them. Like foreign banks, Edge Act and agreement corporations that have branches in more than one Federal Reserve District are monitored on a consolidated basis. In addition to posting collateral, the Edge or agreement corporation would be subject to the daylight-overdraft penalty rate levied against the average daily daylight overdrafts incurred by the institution.

Bankers' Banks

Bankers' banks[18] are exempt from reserve requirements and do not have regular access to the discount window.

17. These institutions are organized under section 25A of the Federal Reserve Act (12 USC 611–631) or have an agreement or undertaking with the Board of Governors under section 25 of the Federal Reserve Act (12 USC 601–604a).
18. For the purposes of the PSR policy, a bankers' bank is a financial institution that is not required to maintain reserves under the Federal Reserve's Regulation D (12 CFR 204) because it is organized solely to do business with other financial institutions, is owned primarily by the financial institutions with which it does business, and does not do business with the general public and is not an institution as defined in the Federal Reserve's Regulation A (12 CFR 201.2(a)). For the purposes of the PSR policy, bankers' banks also include corporate credit unions.
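The penalty-fee arithmetic described above, carried through as an added example (it is not part of the manual): the 36-basis-point base rate, the 100-basis-point surcharge scaled by the 21.5/24 Fedwire operating fraction, the 360-day divisor, and the $25 minimum are the figures the text quotes. The way the average daily overdraft is derived here (end-of-minute balances averaged over the scheduled Fedwire day) and the sample balances are assumptions made for the illustration; the text itself does not specify the averaging method.

```python
"""Daylight-overdraft penalty fee for institutions without regular discount-window access.
Added example; the rates and the $25 minimum are the figures quoted in the manual."""
from decimal import Decimal, ROUND_HALF_UP

BASE_RATE_BP = Decimal(36)       # annual rate applicable to other institutions' daylight overdrafts
SURCHARGE_BP = Decimal(100)      # surcharge, scaled by the fraction of the day Fedwire operates
FEDWIRE_HOURS = Decimal("21.5")  # scheduled Fedwire operating hours out of 24
DAYS_PER_YEAR = Decimal(360)     # the manual divides the annual rate by 360
MINIMUM_FEE = Decimal("25.00")   # charged on any daylight overdraft, however small
CENT = Decimal("0.01")


def annual_penalty_rate_bp() -> Decimal:
    """Annual penalty rate in basis points: 36 + 100 * (21.5 / 24)."""
    return BASE_RATE_BP + SURCHARGE_BP * (FEDWIRE_HOURS / Decimal(24))


def daily_penalty_rate() -> Decimal:
    """Daily rate as a decimal fraction: (annual basis points / 10,000) / 360."""
    return annual_penalty_rate_bp() / Decimal(10_000) / DAYS_PER_YEAR


def average_daily_overdraft(end_of_minute_balances, minutes_in_day: int = 1290) -> Decimal:
    """Average daylight overdraft over the operating day.

    Assumption for this example: the account balance is sampled at the end of each
    minute of the 21.5-hour Fedwire day (1,290 minutes); negative balances count as
    overdraft, positive balances as zero, and the sum is spread over every minute."""
    overdrawn = sum((-b for b in end_of_minute_balances if b < 0), Decimal(0))
    return overdrawn / Decimal(minutes_in_day)


def penalty_fee(avg_overdraft: Decimal) -> Decimal:
    """Daily fee: rate times average overdraft, rounded to the cent, but never below $25
    once any overdraft has been incurred. No overdraft, no fee."""
    if avg_overdraft <= 0:
        return Decimal("0.00")
    fee = (daily_penalty_rate() * avg_overdraft).quantize(CENT, rounding=ROUND_HALF_UP)
    return max(fee, MINIMUM_FEE)


# Constructed sample day: overdrawn by $20 million for half the Fedwire day and in
# credit for the other half, so the average daily overdraft is $10 million.
SAMPLE_BALANCES = [Decimal(-20_000_000)] * 645 + [Decimal(5_000_000)] * 645
SAMPLE_AVERAGE = average_daily_overdraft(SAMPLE_BALANCES)

if __name__ == "__main__":
    print("annual penalty rate (bp) :", round(annual_penalty_rate_bp(), 4))
    print("average daily overdraft  :", SAMPLE_AVERAGE)
    print("fee on that average      :", penalty_fee(SAMPLE_AVERAGE))
    print("fee on a $100,000 average:", penalty_fee(Decimal(100_000)))
```

The $100,000 case shows why the floor matters: at roughly 3.5 basis points per day the computed fee is a few dollars, and the $25 minimum is what actually gets charged.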

Bankers' banks may voluntarily waive their exemption from reserve requirements, thus gaining access to the discount window. These bankers' banks would then be free to establish caps and would be subject to the PSR policy in the same manner as other institutions. Bankers' banks that have not waived their exemption from reserve requirements should refrain from incurring overdrafts and must post collateral to cover any daylight overdrafts that they incur.

Limited-Purpose Trust Companies

The Federal Reserve Act (FRA) permits the Board to grant Federal Reserve membership to limited-purpose trust companies,[19] subject to conditions the Board may prescribe pursuant to the FRA. Limited-purpose trust companies that maintain Federal Reserve accounts should refrain from incurring overdrafts and must post collateral to cover any daylight overdrafts that they incur.

Government-Sponsored Enterprises and Certain International Organizations

The Federal Reserve Banks act as fiscal agents for certain government-sponsored enterprises (GSEs) and international organizations.[20] These institutions generally have Federal Reserve accounts and issue securities over the Fedwire Securities Service. The securities of these institutions are not obligations of, or fully guaranteed as to principal and interest by, the United States. Furthermore, these institutions are not subject to reserve requirements and do not have regular access to the discount window. GSEs and certain international organizations are to avoid incurring daylight overdrafts and must post collateral to cover any daylight overdrafts they do incur. In addition to posting collateral, these institutions are subject to the same daylight-overdraft penalty rate as other institutions that do not have regular access to the discount window.

Problem Institutions

For institutions that are in weak financial condition, the Reserve Banks will impose a zero cap. The Reserve Bank will also monitor a problem institution's activity in real time and reject or delay certain transactions that would create an overdraft. Problem institutions should refrain from incurring daylight overdrafts and must post collateral to cover any daylight overdrafts they do incur.

ELECTRONIC FUNDS TRANSFER ACTIVITIES

EFT MANAGEMENT

Economic and financial considerations have led financial institutions and their customers to recognize the need to manage cash resources more efficiently. The PSR policy calls on private networks and institutions to reduce their own credit and operational risks. It also depends on the role of the Federal Reserve and other financial institution regulators in examining, monitoring, and counseling institutions. To ensure that banking institutions are following prudent banking practices in their funds-transfer activities, examinations should focus equally on the evaluation of credit, liquidity, and operational risks.

19. For the purposes of the PSR policy, a limited-purpose trust company is a trust company that, because of limitations on its activities, does not meet the definition of "depository institution" in section 19(b)(1)(A) of the Federal Reserve Act (12 USC 461(b)(1)(A)).
20. The GSEs include Fannie Mae, the Federal Home Loan Mortgage Corporation (Freddie Mac), entities of the Federal Home Loan Bank System (FHLBS), the Farm Credit System, the Federal Agricultural Mortgage Corporation (Farmer Mac), the Student Loan Marketing Association (Sallie Mae), the Financing Corporation, and the Resolution Funding Corporation. The international organizations include the World Bank, the Inter-American Development Bank, the Asian Development Bank, and the African Development Bank. The Student Loan Marketing Association Reorganization Act of 1996 required Sallie Mae to be completely privatized by 2008; however, Sallie Mae completed privatization at the end of 2004. The Reserve Banks no longer act as fiscal agents for new issues of Sallie Mae securities, and Sallie Mae is not considered a GSE.

The bank should establish guidelines for types of allowable transfers. Procedures should be in effect to prevent transfers drawn against uncollected funds. Thus, banks should not transfer funds against simple ledger balances unless preauthorized credit lines have been established for that account.

Errors and omissions, as well as the fraudulent alteration of the amount of a transfer or of the account number to which funds are to be deposited, could result in losses to the bank. Losses may include total loss of the transferred funds, loss of availability of funds, interest charges, and administrative expenses associated with the recovery of the funds or correction of the problem.

Management is responsible for assessing the inherent risks in the EFT system, establishing policies and controls to protect the institution against unreasonable exposures, and monitoring the effectiveness of safeguards. Regulatory agencies will ensure that each financial institution has evaluated its own risks realistically and has adequate accounting records and internal controls to keep exposures within reasonable, established limits.

The risks associated with any computerized EFT system can be reduced if management implements the controls that are available on the system. For example, the authority to enter, verify, and send transfers can be segregated, and the dollar amount of transactions can be limited. Effective risk management requires that management establish and maintain—

• reasonable credit limits (payments in excess of these limits that involve significant credit risk must be properly approved by appropriate lending authorities),
• adequate recordkeeping to determine the extent of any intraday overdrafts and potential overnight overdrafts before releasing payments, and
• proper monitoring of respondents' accounts when the institution sets the positions of others. Responsibility for this function should be assigned to an appropriate supervisory level of management that will ensure the use of adequate internal controls.

Authentication or Verification Methods

The same due care that financial institutions use when executing EFT transactions must be used when accepting EFT requests from customers. Management must implement security procedures for ensuring that the transfer requests are authentic. As stated in Uniform Commercial Code (UCC) section 4A-201, "Security Procedure," a security procedure may require the use of algorithms or other codes, identifying words or numbers, encryption, callback procedures, or similar security devices. An explanation of authorized and verified payment orders is detailed in UCC section 4A-202, "Authorized and Verified Payment Orders."

Signature Verification

One method to verify the authenticity of a customer's EFT request is to verify the customer's signature. Unfortunately, this procedure cannot be performed when the customer requests the transaction by telephone. Some financial institutions have implemented policies whereby the customer completes and signs a transfer request, and then faxes the request to the bank. However, this is not a safe EFT procedure because, although the bank can verify the signature on the faxed request, it cannot be certain that the transfer request is legitimate. Any document that is transmitted electronically can be altered (for example, by changing the amount or account number). The alteration can occur before the document is digitized (that is, before being fed into the fax machine) or after. In most instances, these alterations cannot be detected by the receiving entity. If there is any question about a document's authenticity, the transaction should be reconfirmed through other sources.

Personal Identification Numbers

One way for financial institutions to authenticate transfers initiated over the telephone is through the use of personal identification numbers (PINs) issued to each customer. When a customer requests a transfer, his or her identity is verified by comparing the supplied PIN with the customer's PIN-request form that is on file.

At a minimum, the following safeguards should be implemented for these types of transfers:

• All nonretail customers should be requested to sign an agreement whereby the bank is held harmless in the event of an unauthorized transfer if the bank follows routine authentication procedures. The customer is responsible for informing the bank about changes in who is authorized to execute EFTs. These procedures should minimize the risk to the bank if someone is able to execute a fraudulent transaction. (These procedures are described in detail in UCC section 4A-202.)
• All transactions over a specific dollar amount should be re-verified by a callback routine. The bank should require that the person being called for re-verification is someone other than the person who initially requested the transaction.
• Whenever new PINs are issued, they should be mailed in sealed, confidential envelopes (preferably computer-generated) by someone who does not have the ability to execute wire transfers.
• The number of bank employees who have access to PINs should be very limited.

Tape Recording

The tape recording of EFT requests made over the telephone is another internal control practice. When possible, verifying and recording the incoming telephone number (that is, using a caller-ID system) is also a good practice. The laws addressing telephone recording vary by state. Some states require that the caller be informed that the conversation is being recorded; others do not have this requirement. Regardless of the state's law, the bank should inform callers that, for their protection, conversations are being recorded. Moreover, banks should have in place a policy for archiving the taped telephone records and should retain them for a specified period of time, at least until the statements from the Federal Reserve or correspondent banks have been received and reconciled.

Statements of Activity

Some larger banks have implemented a procedure whereby customers are electronically sent a summary statement at the end of each day. The statement lists the transfers executed and received on their behalf. The statement can be sent through a fax machine, a personal computer, or a remote printer. This procedure quickly identifies any transfers the customer did not authorize.

Test Keys

EFT requests can be authenticated using test keys. A test key is a calculated number that is derived from a series of codes that are contained in a test-key book. The codes in a test-key book represent such variables as the current date, hour of the day, receiving institution, receiving account number, and amount of the transfer. The value derived from these variables equals the test key. The financial institution or corporate customer initiating the transfer will give its EFT information, along with the test-key value. The receiving bank will recalculate the test key and, if the two test keys are equal, the EFT request is considered authenticated. Test-key code books should be properly secured to prevent unauthorized access or fraudulent use. The use of test keys has declined in recent years as more and more institutions implement PC-based EFT systems.

Blanket Bond

Although computer-related employee misappropriations are normally covered, financial institution blanket bond policies generally exclude certain types of EFT activities from standard coverage. Separate coverage for EFT systems is available and should be suggested to management, particularly if a significant risk exposure exists. A bank's fidelity bond insurance could be declared null and void by the carrier if a fraudulent transfer were to occur and the loss was directly attributable to weak internal controls. (See section 4040.1, "Management of Insurable Risks.")
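An added example, not code from the manual or from any bank, tying together the safeguards in the Personal Identification Numbers and Test Keys passages above: the PIN check, the callback above a dollar threshold to someone other than the requester, and the receiving bank's recalculation of the test key. It goes one step beyond the text in that the test-key book is replaced by a keyed hash (HMAC-SHA256) over the same variables the manual lists (date, hour, receiving institution, receiving account, amount), with the message sequence number added so that a captured request cannot be replayed within the same hour. The salted PIN hashing, the $100,000 callback threshold, the customer, the routing and account numbers and the transfer amounts are all assumptions made for the illustration.

```python
"""Authenticating an EFT request: PIN check, callback rule, and a recomputed test key.
Added example; the HMAC secret stands in for a test-key book and all sample data is constructed."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field, replace

CALLBACK_THRESHOLD_CENTS = 100_000 * 100   # assumed policy limit: callback above $100,000


@dataclass(frozen=True)
class TransferRequest:
    sequence: int            # message sequence number assigned per customer
    value_date: str          # YYYY-MM-DD
    hour: int                # hour of the day, 0-23
    receiving_bank: str      # routing number of the receiving institution (assumed format)
    receiving_account: str
    amount_cents: int
    requested_by: str        # person who placed the request


def canonical_fields(req: TransferRequest) -> bytes:
    """Fixed field order and separator; amount in whole cents so "1000" and "1000.00"
    cannot yield different keys, and any altered field changes the bytes."""
    parts = (req.sequence, req.value_date, req.hour, req.receiving_bank,
             req.receiving_account, req.amount_cents)
    return "|".join(str(p) for p in parts).encode()


def compute_test_key(secret: bytes, req: TransferRequest) -> str:
    """Sender side: derive the test key from the shared secret and the transfer variables."""
    return hmac.new(secret, canonical_fields(req), hashlib.sha256).hexdigest()


class PinStore:
    """PINs kept as salted PBKDF2 hashes instead of a plaintext form on file (assumed design)."""

    def __init__(self):
        self._records = {}

    @staticmethod
    def _digest(salt: bytes, pin: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

    def issue(self, customer: str, pin: str) -> None:
        salt = os.urandom(16)
        self._records[customer] = (salt, self._digest(salt, pin))

    def verify(self, customer: str, pin: str) -> bool:
        if customer not in self._records:
            return False
        salt, expected = self._records[customer]
        return hmac.compare_digest(expected, self._digest(salt, pin))


@dataclass
class ReceivingBank:
    secret: bytes
    pins: PinStore
    seen_sequences: set = field(default_factory=set)

    def authenticate(self, customer, pin, req, presented_key, callback_confirmed_by=None):
        """Run the checks in order; return (accepted, reason)."""
        if not self.pins.verify(customer, pin):
            return False, "pin rejected"
        if not hmac.compare_digest(compute_test_key(self.secret, req), presented_key):
            return False, "test key mismatch"           # amount, account, date, or hour altered
        if req.sequence in self.seen_sequences:
            return False, "replayed sequence number"    # same request presented a second time
        if req.amount_cents > CALLBACK_THRESHOLD_CENTS:
            if callback_confirmed_by is None:
                return False, "callback required"
            if callback_confirmed_by == req.requested_by:
                return False, "callback must reach someone other than the requester"
        self.seen_sequences.add(req.sequence)
        return True, "authenticated"


def run_demo() -> dict:
    """Constructed sample: one good request, then the failure modes the safeguards exist for."""
    secret = b"stand-in for the test-key book"          # assumption: shared secret per customer
    pins = PinStore()
    pins.issue("ACME Corp", "4821")
    bank = ReceivingBank(secret=secret, pins=pins)

    good = TransferRequest(101, "2009-04-15", 10, "021000089", "123456789", 250_000_00, "treasurer")
    key = compute_test_key(secret, good)
    tampered = replace(good, amount_cents=2_500_000_00)  # amount altered after the key was computed
    second = replace(good, sequence=102)
    second_key = compute_test_key(secret, second)
    return {
        "good": bank.authenticate("ACME Corp", "4821", good, key, "controller"),
        "tampered": bank.authenticate("ACME Corp", "4821", tampered, key, "controller"),
        "replay": bank.authenticate("ACME Corp", "4821", good, key, "controller"),
        "wrong_pin": bank.authenticate("ACME Corp", "0000", second, second_key, "controller"),
        "self_callback": bank.authenticate("ACME Corp", "4821", second, second_key, "treasurer"),
        "no_callback": bank.authenticate("ACME Corp", "4821", second, second_key),
    }
```

The order of the checks matters: the PIN and the test key are verified before the sequence number is consumed, so a rejected request does not burn a sequence, and `hmac.compare_digest` is used for both comparisons so that the time taken does not leak how many leading characters of a guess were right.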

SUPERVISORY RISK EVALUATION

Bank management is responsible for assessing the inherent risks in the EFT system (or systems) it uses. Management should establish policies and controls to protect the institution against unreasonable exposures, as well as monitor the effectiveness of the established safeguards.

Examiner Responsibilities

Examiners are responsible for ensuring that financial institutions have assessed and evaluated their risks realistically and have adopted internal controls that are adequate to keep those risks within acceptable limits. The types of risks involved in EFT systems, as well as payment systems generally, are discussed below.

Credit Risk

Credit risk is the risk that a counterparty will not settle an obligation for full value when due, nor at any time subsequently. Any time an institution extends credit to a customer or permits a customer to use provisional funds to make a payment, the institution is exposed to the risk that the customer will not be able to meet its payment obligation. If the customer is unable or unwilling to repay the credit extension, the institution could incur a financial loss. Similarly, an institution that receives a payment in provisional funds has a credit exposure to the sender until such time as the payment is settled with finality, that is, until the payment becomes unconditional and irrevocable. If an institution permits a customer to withdraw or make a payment with provisional funds received, then the institution incurs credit exposure to both the sender of the provisional funds and the customer. Those credit exposures are not extinguished until the provisional funds received are settled with finality. With respect to payment systems risk, overall credit risk consists of (1) direct-credit risk to the Federal Reserve, that is, a borrowing institution may be unable to cover its intraday overdraft arising from a transfer of funds or receipt of book-entry securities, thus causing a Federal Reserve Bank to incur a loss; (2) private direct-credit risk, or the possibility of loss to institutions extending credit; and (3) systemic risk, which is the possibility of loss to multiple creditors when borrowing institutions fail to cover their obligations to creditor institutions. Variants of credit risk include sender risk, receiver risk, and return-item risk.

Systemic risk. Stated more clearly, systemic risk occurs when one participant in a payment system, or in the financial markets generally, fails to repay its required obligation when due, and this failure prevents other private or market participants or financial institutions from meeting their settlement obligations when due. Systemic risk may result from extraneous events, actions, or reasons that are independent of the institution, or from developments in the payment system. Changes in the capital markets, domestic political or government announcements or actions, unplanned events, or sovereign actions of other countries are examples of events that may cause systemic risk.

Sender risk. Sender risk is the risk that results if a depository institution uses an extension of credit to make an irrevocable payment on behalf of a customer. This credit can be a loan or an extension of payment against uncollected or provisional funds or against insufficient balances.

Receiver risk. Receiver risk arises when an institution accepts funds from a sender who may be a customer, another institution, or the payment system. As the receiver of funds, the institution relies on the sender's ability to settle its obligations. The risk exists while payments are revocable within the system and remains until final settlement.

Return-item risk. The major risk in originating ACH debit transactions and collecting checks for customers is return-item risk. Return-item risk extends from the day funds are made available to customers until the individual items can no longer legally be returned. The receiver of ACH debit transactions, or the payer of checks, has the right to return transactions for various reasons, including insufficient funds in its customer's account. To minimize its exposure, an institution should perform credit assessments of all customers that originate large dollar volumes of ACH debit transactions, and for all customers for which the institution collects large volumes of checks. Such assessments ensure that if ACH or check items are returned after the customer has been granted use of the funds, the customer will be able to return the funds to the institution.

Liquidity Risk

Liquidity risk is the risk that a counterparty will not settle an obligation for full value when due, even though the counterparty may later settle the obligation. Liquidity risk may result from unexpected market or operational disruptions or from catastrophic or unplanned events. It may also result from sovereign actions; therefore, sovereign risk can give rise to liquidity risk.

Sovereign Risk

Sovereign risk refers to the financial capacity of governments to generate foreign-currency revenues to repay their obligations. This capacity is generally limited because government assets are predominantly the discounted value of future taxes denominated in the local currency. Governments have direct access to foreign-currency revenues only when the economy is dominated by a public sector that derives most of its revenues from exports (for example, oil or gold). Sovereign risk is not limited to the country's federal government debt. It also includes debt contracted by all public and publicly guaranteed entities (such as provincial, state, or local governments and all other debt with a government's guarantee).

Actions taken by nondomestic governments can affect the payments of certain participants in a payment system, and these actions can be detrimental to other participants in the system. Sovereign risk can include the imposition of exchange-control regulations on a bank participating in international foreign-exchange activities. While the bank itself may be both willing and able to settle its position, government intervention may prevent it from doing so. The risk can be controlled by regularly monitoring the payment-system laws of other countries and by taking specific alternative actions to lessen the risk. Alertness to a bank's sovereign-risk exposure to its counterparties located in other nations, and to possible alternative actions, can considerably lessen this risk.

Legal Risk

Any transaction occurring in a payment system is subject to the interpretation of courts in different countries and legal systems. This issue is normally addressed by adopting "governing-law" provisions in the rules of the systems themselves. These provisions provide for all disputes between members to be settled under the laws of a specific jurisdiction. However, if a local court refuses to recognize the jurisdiction of a foreign court, the rules may be of limited use. This risk is difficult to address because there is no binding system of international commercial law for electronic payments. Banks should seek a legal opinion regarding the enforceability of transactions settled through a particular system.

Operational Risk

Operational risk may arise from—

• a system failure caused by a breakdown in the hardware or software supporting the system, possibly resulting from design defects, insufficient system capacity to handle transaction volumes, or a mechanical breakdown, including telecommunications;
• a system disruption if the system is unavailable to process transactions, possibly due to system failure, destruction of the facility (from natural disasters, fires, or terrorism), or operational shutdown (from employee actions, a business failure, or government action); or
• the system being compromised as a result of fraud, malicious damage to data, or error.

Whatever the source, the loss of availability of a payment system can adversely affect major participants, their correspondents, markets, and interdependent payment mechanisms.

Banks should control operational risk through a sound system of internal controls, including physical security, data security, systems testing, segregation of duties, backup systems, and contingency planning. In addition, a disruption to a bank's own internal payment processing systems or its access to external payment systems can adversely affect both the bank's own payments activities, as well as those of other participants in a payment system. As such, a comprehensive audit program is essential to assess the risks, adequacy of controls, and compliance with bank policies.

Risk-Control Issues

Bank management should consider and develop risk-management policies and procedures to address the variety of credit, liquidity, operational, and other risks that can arise in the normal course of conducting its payment business—regardless of the clearing and settlement method of the particular payment systems in which the bank participates. EFT systems differ widely in form, function, scale, and scope of activities. Consequently, the specific risk-management measures an institution employs for a particular EFT system will differ depending on the inherent risks in the system. As a general matter, an institution should adopt risk-management controls commensurate with the nature and magnitude of risks involved in a particular EFT system.

In addition to assessing the adequacy of an institution's risk-management procedures for measuring, monitoring, and controlling its risks from participating in a payment system (or systems) and from providing payment services to its customers, examiners should consider the following internal control guidelines when they review policies and procedures covering EFT activities:

• Job descriptions for personnel responsible for a bank's EFT activities should be well defined, providing for the logical flow of work and adequate segregation of duties.
• No single person in an EFT operation should be responsible for all phases of the transaction (that is, for data input, verification, and transmission or posting).
• All funds transfers should be reconciled at the end of each business day. The daily balancing process should include a reconciliation of both the number and dollar amount of messages transmitted.
• All adjustments required in the processing of a transfer request should be approved by a bank's supervisory personnel, with the reasons for the adjustment documented. Transfer requests "as of" a past or future date should require the supervisor's approval with well-defined reasons for those requests.
• Only authorized persons should have access to EFT equipment.

Considerable documentation is necessary to maintain adequate accounting records and auditing control. Many banks maintain transfer-request logs, assign sequence numbers to incoming and outgoing messages, and keep an unbroken electronic copy of all EFT messages. At the end of each business day, employees who are independent of the transfer function should compare request forms with the actual transfers to ensure that all EFT documents are accounted for. When reviewing the adequacy of internal controls, examiners should review the funds-transfer operations to determine that recordkeeping systems are accurate and reliable, all transactions are handled promptly and efficiently, duties are separated appropriately, audit coverage is adequate, and management recognizes the risks associated with these activities.
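The end-of-day balancing described above, as an added example that is not the manual's own: it compares the request forms with the messages actually transmitted, keyed on the sequence number each message was assigned, and reports the count balance, the dollar balance and every exception an independent reviewer would have to clear. The message layout and the sample day are constructed for the illustration; the sample is built so that the message count balances while the dollar amount does not, which is why the text asks for both.

```python
"""End-of-day reconciliation of EFT request forms against transmitted messages.
Added example; message layout and sample data are constructed for the illustration."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    sequence: int            # sequence number assigned to the message
    amount_cents: int
    beneficiary_account: str


# Constructed sample day. The message counts balance (four requested, four sent), but
# the dollar totals do not: one transfer was altered, one was never sent, and one was
# sent without a request form. A count-only balance would pass all three.
REQUEST_FORMS = [
    Transfer(101, 1_250_000_00, "ACC-1001"),
    Transfer(102, 48_500_00, "ACC-2002"),
    Transfer(103, 9_900_00, "ACC-3003"),
    Transfer(104, 300_000_00, "ACC-4004"),
]
TRANSMITTED = [
    Transfer(101, 1_250_000_00, "ACC-1001"),
    Transfer(102, 48_500_00, "ACC-9999"),    # beneficiary account altered after the request
    Transfer(104, 300_000_00, "ACC-4004"),
    Transfer(105, 75_000_00, "ACC-5005"),    # no request form on file
]


def reconcile(requests, transmitted) -> dict:
    """Balance count and dollar amount, then list every exception by sequence number."""
    requested = {t.sequence: t for t in requests}
    sent = {t.sequence: t for t in transmitted}
    sent_counts = Counter(t.sequence for t in transmitted)
    # A gap in the transmitted numbering means a message is missing from the
    # "unbroken electronic copy"; it is reported separately from not-sent requests.
    gaps = [n for n in range(min(sent), max(sent) + 1) if n not in sent] if sent else []
    return {
        "request_count": len(requests),
        "sent_count": len(transmitted),
        "request_total_cents": sum(t.amount_cents for t in requests),
        "sent_total_cents": sum(t.amount_cents for t in transmitted),
        "not_sent": sorted(requested.keys() - sent.keys()),
        "unrequested": sorted(sent.keys() - requested.keys()),
        "altered": sorted(s for s in requested.keys() & sent.keys() if requested[s] != sent[s]),
        "duplicates": sorted(s for s, n in sent_counts.items() if n > 1),
        "sequence_gaps": gaps,
    }


def balanced(report: dict) -> bool:
    """True only when counts and totals agree and no exception remains open."""
    return (report["request_count"] == report["sent_count"]
            and report["request_total_cents"] == report["sent_total_cents"]
            and not any(report[k] for k in ("not_sent", "unrequested", "altered",
                                             "duplicates", "sequence_gaps")))


if __name__ == "__main__":
    day = reconcile(REQUEST_FORMS, TRANSMITTED)
    for name, value in day.items():
        print(f"{name:>20}: {value}")
    print("balanced:", balanced(day))
```

The altered-beneficiary case (sequence 102) is the one a dollar-total check alone would also miss, since the amount is unchanged; it is caught only because the whole request form is compared with the whole transmitted message, which is what the independent comparison of forms against transfers is for.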

Payment System Risk and Electronic Funds Transfer Activities: Examination Objectives (Effective date May 2002) Section 5320.2

1. To determine if the bank's electronic funds transfer (EFT) objectives, policies, practices, procedures, and internal controls are adequate to control its exposure to acceptable limits of payment systems risk.
2. To determine if bank officers and other wire-transfer personnel are operating in conformance with established guidelines.
3. To determine the scope and adequacy of the audit function for the risks associated with payment and wire-transfer systems.
4. To ascertain whether senior management is informed of the current status, nature, and magnitude of risks associated with the bank's EFT operations, as well as any changes to these risks.
5. To assess the bank's ability to monitor its payment-systems position, as well as to limit its credit and other risk exposures in the system and from its customers or correspondents.
6. To determine that the board of directors has reviewed and approved the institution's use of Federal Reserve intraday credit, self-assessment (if applicable), and net debit cap, and to determine if the institution is complying with the Federal Reserve Policy Statement on Payments System Risk.
7. If the bank has a self-assessed net debit cap, to review the bank's self-assessment file and determine if the underlying analyses and methodologies are reasonable, adequate, and consistent with the institution's supervisory overview, risk assessments, and risk matrix.
8. To evaluate the quality of the bank's operational controls and determine the extent of compliance with applicable laws and regulations.
9. To initiate corrective action when objectives, policies, procedures, or internal controls are deficient or when violations of law or regulations exist.

Payment System Risk and Electronic Funds Transfer Activities: Examination Procedures (Effective date November 2004) Section 5320.3

1. Review and determine the bank's compliance with the electronic funds transfer (EFT) risk-assessment standards of the examination module, recognizing the associated risks for each. Answer the pertinent questions that refer to EFT in the internal control questionnaire.
2. Review and evaluate the work of internal or external auditors and of the compliance officer as it relates to the risks associated with payment systems and EFT activities. Determine if payment system risk is reviewed and whether the independence, scope, coverage, and frequency of internal or external reviews are adequate.
3. Based on an evaluation of internal controls and the work performed by internal or external auditors, determine the scope of the examination.
4. Test for compliance with policies, practices, procedures, and internal controls. Determine whether the management information systems and reports for the institution's payment systems and funds-transfer activities provide timely and accurate data that are sufficient for personnel to make informed and accurate decisions. From the examiner assigned to review "Internal Control," obtain a listing of any deficiencies noted in the latest review conducted by internal or external auditors. Determine if bank management has taken the appropriate corrective actions for the deficiencies.
5. Obtain or construct an organizational chart and flow chart for the EFT area, and determine the job responsibilities and flow of work through that department.
6. Review the bank's standard form of agreement or other written agreements with its customers, correspondent banks, and vendors. Determine whether those agreements are current and clearly define the liabilities and responsibilities, including responsibilities during emergencies, of all parties. Agreements with the Federal Reserve Bank should refer specifically to the operating circular (or circulars) on electronic funds transfers pursuant to subpart B of Regulation J (12 CFR 210.25 et seq.).
7. Review the bank's board of directors and senior management policies and procedures for payment-systems and EFT activities, including third-party transactions. Perform tests to determine the existence, reasonableness, and adequacy of these policies and procedures. Determine whether the policies and procedures have been disseminated to the employees who are actively responsible for and involved in performing payment-systems and EFT activities. Ascertain whether there is an active employee-training program that ensures employees have the knowledge necessary to comply with the bank's policies and procedures for payment-systems and EFT activities.
8. For transactions involving the Federal Reserve Bank, other private funds-transfer systems, and other due from bank accounts, confer with the examiner who is assigned "Due from Banks," and determine the propriety of any outstanding funds-transfer items.
9. Coordinate the review of the credit exposures arising from payment-systems and EFT activities with the examiners' review of loan programs or loan portfolios. Determine whether credit personnel make and adequately document, independent of account and operations officers, periodic credit reviews of funds-transfer customers.
10. Determine where suspense items or adjustment accounts are posted and accounted for, as well as who is responsible for reviewing, resolving, and clearing out suspense items.
   a. Scan accounts for unusual or old items or abnormal fluctuations.
   b. Reconcile accounts to departmental control totals and to the general ledger.
   c. Review management reports on suspense items and unusual activity.
11. Review the income and expense accounts related to EFT operations. Determine the frequency of entries caused by late or inaccurate execution of transfer requests.
12. Observe the space and personnel allocated to the EFT area, and note the location of communications terminals. Determine whether existing conditions are adequate to provide appropriate physical security.
13. Discuss the following items with the appropriate officer (or officers), and prepare summaries in the appropriate section of the examination report:
   a. internal control exceptions, as well as deficiencies in or noncompliance with written policies, practices, and procedures
   b. uncorrected audit deficiencies
   c. violations of laws and regulations
   d. terminology, operating arrangements, accounting procedures, and time limitations of EFT operations
   e. the operating efficiency and physical security of the bank's EFT operation
   f. the adequacy of controls over settlement- and credit-risk exposure
   g. recommended corrective action when policies, practices, or procedures are deficient
14. Update the examination workpapers to include the bank examination activities and procedures performed and any information gathered to support the completed work, including any information that will facilitate future examinations.

RISK MANAGEMENT OF INTRADAY CREDIT EXPOSURES

1. If the bank is a CHIPS or other clearing-agency participant, determine the bank's basis for accepting customers for CHIPS-payments activity. If the examined institution is a funding participant on CHIPS, determine the criteria for accepting a nonfunding participant as a respondent. Determine that the criteria are reviewed periodically.
2. Determine if appropriate intraday credit limits are imposed and monitored for those customers and counterparties with which the bank has intraday credit exposures.
3. Determine if the bank monitors and controls any intraday credit exposures to affiliates.[1]
4. Determine whether the institution periodically reviews its ability to fund its closing-position requirement on private multilateral settlement systems, such as CHIPS.

FEDERAL RESERVE INTRADAY CREDIT

1. Determine that the board of directors has reviewed and approved the institution's use of Federal Reserve intraday credit.
2. If the institution incurs daylight overdrafts in its Federal Reserve account, determine that the institution has selected an appropriate net debit cap.
3. If the institution has selected a de minimis or a self-assessed net debit cap, determine that the board-of-directors resolution follows the prescribed format and contains all of the required elements.
4. If the institution has selected a self-assessed net debit cap, review the contents of the self-assessment file to determine that the institution has applied the guidelines appropriately and diligently, that the underlying analysis and method were reasonable, and that the resulting self-assessment is generally consistent with the examination findings. Inform the appropriate Reserve Bank of any concerns about the institution's net-debit-cap level, self-assessment, or use of Federal Reserve intraday credit.
5. Review the institution's cap resolution file and ascertain that it includes (1) a copy of the board-of-directors resolution, (2) worksheets and supporting analysis used in its self-assessment of its own cap category, (3) copies of senior-management reports to the board of directors of the institution or its parent (as appropriate) regarding that self-assessment, and (4) copies of the minutes of the discussion at the appropriate board-of-directors meeting concerning the institution's adoption of a cap category.

1. An insured depository institution must establish and maintain policies and procedures reasonably designed to manage the credit exposure arising from its intraday extensions of credit to affiliates in a safe and sound manner. The policies and procedures must at a minimum provide for the monitoring and control of the credit exposure arising from the institution's intraday extensions of credit to each affiliate and all affiliates in the aggregate, and must ensure that the institution's intraday extensions of credit to affiliates comply with section 23B of the Federal Reserve Act. (See 12 CFR 250.248.)

Payment System Risk and Electronic Funds Transfer Activities: Internal Control Questionnaire
Effective date May 2002
Section 5320.4

For the preliminary review and assessment, review the bank’s internal controls, policies, practices, and procedures for payment systems risk and electronic funds transfer (EFT) activities. The following procedures should be used:

1. Review previous examination reports, earlier workpapers, and correspondence exchanged with the institution to get an overview of previously identified EFT concerns.
2. Review the most recent audits and internal reviews to identify the scope and noted deficiencies.
3. Review management’s actions to correct examination and audit deficiencies.
4. Discuss with management recent or planned changes in EFT activities.
5. Review management reports to determine the nature and volume of current activity.
6. Review the minutes of management committees that oversee EFT activity to determine their content and follow-up on material matters.

The bank’s payment and EFT systems should be further reviewed and documented completely and concisely. Where appropriate, the preliminary review and assessment should include narrative descriptions, flowcharts, copies of forms used, and other pertinent information.

During the examination, the review of operations and internal controls of all institutions involved in funds-transfer or EFT activities should use the following procedures. Items below that are marked with an asterisk (*) require substantiation by observation or testing.

ORGANIZATION

1. Is there a current organization plan detailing the structure of the funds-transfer function?
2. Is senior management responsible for administering the operations of the funds-transfer function?
3. Does management maintain a current list of bank personnel who are authorized to initiate EFT requests?
4. Are there regular management reviews of staff compliance with the credit and personnel procedures, operating instructions, and internal controls?
5. Are activity and quality-control reports received and reviewed by management?
6. Are major new system designs and newly available hardware for the payment and EFT systems brought to the attention of and reviewed by management?

SUPERVISION BY DIRECTORS AND SENIOR MANAGEMENT

1. Are the directors and senior management kept informed about the nature and volume of transactions and the magnitude of the risks involved in the funds-transfer activity?
2. Has the board of directors or senior management reviewed and approved any limits on the risks in the funds-transfer activities? If so, when were the limits last reviewed?
3. Is senior management or the board of directors advised of any customers with—
   a. large intraday and overnight overdrafts? If so, are other extensions of credit to the same customers combined to show the total credit exposures?
   b. large drawings against uncollected funds?
4. Are management’s responses to audit exceptions and recommendations adequate and timely?
5. Is there adequate insurance coverage for EFT risks? Does senior management conduct adequate reviews of insurance coverage and insurance riders for EFT operations and the overall EFT environment?

CREDIT MANAGEMENT, EVALUATION, AND APPROVAL

1. Under the bank’s established board-of-directors policies and procedures, is senior management or the credit committee (or


credit officers) required to review at predetermined frequencies—
   a. the volume of transactions, the creditworthiness of customers, and the risks involved in the funds-transfer activity?
   b. credit and other exposures as they relate to safe and sound banking practices?
   c. staff capabilities and the adequacy of equipment relative to current and expected volume?
2. Are procedures in place to prohibit transfers of funds against accounts that do not have collected balances or preauthorized credit availability?
3. Have counterparty and customer credit limits been established for all payment system risk exposures, including those relating to Fedwire, CHIPS, ACH, foreign exchange, and other types of payments? Do credit limits take into account intraday and overnight overdrafts?
   a. Are groups of affiliated customers included in such limits?
   b. Are limits set according to a clear and consistent methodology for credit-risk assessment?
   c. How often are the limits reviewed and updated?
   d. Does senior management monitor and review the customer limits? How frequently?
4. Are other types of credit facilities considered when establishing intraday-overdraft limits for the same customer?
5. Is an intraday-posting record kept for each customer, showing opening collected and uncollected balances, transfers in, transfers out, and the collected balances at the time payments are released?
6. If payments exceed the established limits, are steps taken in a timely manner to obtain covering funds?
7. Are there fully documented, periodic credit reviews of funds-transfer customers?
8. Are credit reviews conducted by competent credit personnel who are independent of account and operations officers?
9. Does the institution make payments in anticipation of receiving covering funds? If so, are such payments approved by officers who have the appropriate credit authority?
10. Are intraday exposures limited to amounts that are expected to be received the same day?
11. Do the limits on intraday and overnight overdrafts appear to be reasonable in view of the institution’s capital position and the creditworthiness of the respective customers?
12. Does a staff supervisor approve payments in excess of established limits, following verification that the covering funds are in transit to the bank?
13. Before releasing payments, are payments against uncollected funds and intraday overdrafts in excess of established limits referred to a person with appropriate credit authority for approval, and is the reason for the overdraft determined?

PERSONNEL

1. Has the bank taken steps to ensure that screening procedures are applied to personnel that are hired for sensitive positions in the EFT departments?
2. Does the bank prohibit new or temporary employees from working in sensitive areas of the payment-systems and EFT operation?
3. Are statements of indebtedness required from employees who work in sensitive positions of the payment-systems and EFT function?
4. Does supervisory staff give special attention to employees newly assigned to work in the EFT functions?
5. Are employees subject to unannounced rotation of responsibilities, regardless of the size of the institution?
6. Are relatives of employees in the payment-systems and EFT function precluded from working in the same institution’s bookkeeping or data processing departments?
7. Does the bank’s policy require that employees take a minimum number of consecutive days as part of their annual vacation? Is this policy being enforced?
8. If employees have given notice of resignation or received termination notices, does management reassign them away from sensitive areas of the payment-systems and EFT function?
9. Are personnel informed of the current trends in transfer activities, including necessary internal controls, as part of a regular training program?


SIGNATURE CARDS

1. Does the bank maintain a current list or card file of authorized signers for customers who use the bank’s funds-transfer services?
2. Are customer signature cards maintained under dual control or otherwise protected?
3. Do customer signature cards limit the number of authorized persons and the amount of funds that an individual is authorized to transfer?
4. Do bank personnel compare the signature on an original mail request with the authorized signature on file?

TEST KEYS

1. Do telephone requests and EFT transactions use test codes, and are the codes verified by a person other than the person receiving the request?
2. Are test codes restricted to authorized personnel?
*3. Are the files containing test-key formulas maintained under dual control or otherwise protected?
4. Are only authorized personnel permitted in the test-key area or allowed access to computers, teletapes, or terminals?
5. Does the bank maintain an up-to-date test-key file?
6. Does management maintain a list of those authorized persons who have access to test-key files?
7. Are all messages and transfer requests that require testing authenticated by the use of a test key?
*8. Are test codes verified by someone other than the person receiving the initial transfer request?
9. Are callback or other authentication procedures performed on all transfers that do not have a test key or signature card on file?
10. Do mail transfer requests include a test word as an authentication procedure?
11. Does the bank’s test-key formula incorporate a sequence number resulting from an agreement between the bank and the customer?
12. Does the bank have procedures in operation for the issuance and cancellation of test keys?
*13. Is the responsibility for issuing and canceling test keys assigned to someone who is not responsible for testing the authenticity of transfer requests?
14. Are test codes maintained in a secure environment when they are not in use?
15. Is the testing area physically separated from other operations?

TELEPHONE TRANSFER REQUESTS

1. Has the bank established guidelines for what information should be obtained from a person making a funds-transfer request by telephone?
2. Does the above information include a test-word authentication code?
3. Does the bank use a callback procedure that includes a test-code authentication to verify telephone transfer requests?
4. Does the bank limit callbacks to transactions over a certain dollar amount?
5. Does the bank maintain a current list of persons who are authorized to initiate telephone funds transfers and messages?
*6. Does the bank have procedures in place to prohibit persons who receive telephone transfer requests from transmitting those requests?
7. Does the bank use devices that record all incoming and outgoing transfer requests?
8. Are prenumbered or sequentially numbered (at a central location after initiation) transfer-request forms used?
9. Is the log or record of transfer requests reviewed daily by supervisory personnel?
10. Do the records of transfer requests contain—
   a. a sequence number?
   b. an amount transferred?
   c. the person, firm, or bank making the request (also the specific transferor)?
   d. the date?
   e. the test-code authentication?
   f. paying instructions?
   g. authorizing signatures for certain types and dollar-amount transfers?
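The Test Keys and Telephone Transfer Requests items above ask whether a test code authenticates each request and whether the test-key formula incorporates an agreed sequence number. The following is an added example, not part of the examination manual, of what such a check looks like when implemented. The manual does not specify any test-key formula; the HMAC-SHA256 over the payment fields and a per-customer sequence number used here is an assumption, as are the customer ids, keys, field layout and eight-character code length, all of which are constructed for illustration.

```python
"""Added example, not part of the examination manual: a test-code check with
a sequence number, so that a replayed or altered request fails verification.
The HMAC-SHA256 formula, customer ids, keys and field layout are assumptions."""
import hashlib
import hmac


def compute_test_code(key: bytes, seq: int, value_date: str, amount: str, beneficiary: str) -> str:
    """Test code the customer computes from the agreed key and the next
    sequence number; the eight-hex-digit length is an illustrative assumption."""
    message = f"{seq}|{value_date}|{amount}|{beneficiary}".encode()
    return hmac.new(key, message, hashlib.sha256).hexdigest()[:8].upper()


class TestKeyVerifier:
    """Holds the test-key file (customer id -> shared key) and the last
    sequence number accepted for each customer, so a replay is rejected."""

    def __init__(self, key_file):
        self._keys = dict(key_file)
        self._last_seq = {customer: 0 for customer in self._keys}

    def verify(self, customer, seq, value_date, amount, beneficiary, presented_code):
        key = self._keys.get(customer)
        if key is None:
            return False, "no test key on file; use callback procedure"
        if seq <= self._last_seq[customer]:
            return False, "sequence number reused or out of order; possible replay"
        expected = compute_test_code(key, seq, value_date, amount, beneficiary)
        if not hmac.compare_digest(expected, presented_code.upper()):
            return False, "test code does not verify; refer for callback"
        self._last_seq[customer] = seq  # advance only after a successful check
        return True, "authenticated"


# Constructed test-key file (customer id -> shared key).
KEY_FILE = {"CUST-100": b"constructed-shared-key-for-cust-100"}


def demo():
    """Walk through a genuine request, a replay of it, and an altered amount
    presented with the original code. Returns the three verification results."""
    verifier = TestKeyVerifier(KEY_FILE)
    key = KEY_FILE["CUST-100"]
    code = compute_test_code(key, 1, "2002-05-01", "250000.00", "ACME Corp")
    genuine = verifier.verify("CUST-100", 1, "2002-05-01", "250000.00", "ACME Corp", code)
    replay = verifier.verify("CUST-100", 1, "2002-05-01", "250000.00", "ACME Corp", code)
    altered = verifier.verify("CUST-100", 2, "2002-05-01", "520000.00", "ACME Corp", code)
    return genuine[0], replay[0], altered[0]


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The sequence counter is advanced only after the code verifies, which is what gives item 11 its value: a request that reuses a number already accepted is refused before the code is even computed, and a request with a fresh number but a code computed for other fields fails the comparison. Item 8 (verification by someone other than the person receiving the request) is a staffing control that code cannot substitute for; the verifier above is the tool that person would use.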


EFT REQUESTS

*1. Do different employees perform the functions of receipt, testing, and transmission of funds-transfer requests?
2. Do incoming and outgoing messages record the time, or are they sequentially numbered for control?
3. Do incoming and outgoing messages include a test word as a means of message authentication?
4. Is an unbroken copy of all messages kept throughout the business day?
5. Is the above copy reviewed and controlled by someone not connected with operations in the EFT area?

AGREEMENTS

1. With respect to EFT and payment-systems transfer operations between the bank and its hardware and software vendors, maintenance companies, customers, correspondent banks, the Federal Reserve, and other providers, are the agreements in effect and current? (The agreements with the appropriate Federal Reserve Bank should refer to the operating circulars regarding the transfer of funds pursuant to subpart B of Regulation J.)
2. Do the written agreements state the responsibilities of each party involved in the agreement?
3. Do the agreements state the vendors’ liabilities for their employees’ actions?

OPERATING AND PROCESSING PROCEDURES

1. Do written procedures exist for the EFT functions, and are they updated for employees in the incoming, preparation, data entry, balance-verification, transmission, accounting, reconciling, and security areas? Do these procedures include—
   a. control over test words, signature lists, and opening and closing messages?
   b. computer-terminal security and password controls?
   c. access to the funds-transfer and EFT areas and user files?
   d. origination, modification, deletion, or rejection of order transactions or messages?
   e. verification of the sequence numbers of orders?
   f. accounting for all transfer requests and message traffic at the end of the day?
   g. bank supervisory review of all adjustments, reversals, and the reasons therefor, as well as open items?
   h. planning for contingencies?
2. Are all incoming and outgoing payment orders and message requests in the EFT and funds-transfer area—
   a. time-recorded or sequentially numbered for control?
   b. logged?
   c. reviewed for test verification?
   d. reviewed for signature authenticity?
   e. reviewed to verify that the person who initiated the funds-transfer request was authorized to do so?
   f. authorized or reviewed by bank supervisory personnel?
3. Does the EFT department of the bank prepare a daily reconcilement of funds-transfer activity by dollar amount and number of messages?
4. Are all rejects or exceptions reviewed by someone who is not involved in the receipt, preparation, or transmittal of funds?
5. If the institution accepts transfer requests after the close of business or accepts transfer requests with a future value date, are they properly controlled and processed?
6. Are Federal Reserve Bank statements reviewed and reconciled daily with the bank’s internal funds-transfer log to determine if there are ″open″ funds-transfer items and the reasons for the outstanding items?
7. Does an officer review corrections, overrides, open items, reversals, and other adjustments?
8. Does a person other than the receipt clerk review message requests and payment orders for—
   a. the propriety of the transactions?
   b. future dates, especially those for multiple transactions?
9. When reasonably feasible, does a supervisor check all transactions before the release of funds to a customer or before initiating a payment message over the EFT system?


10. At the end of a day, are all message requests and payment orders accounted for in an end-of-the-day proof to ensure that all requests have been processed?
11. Are internally rejected customer transfer requests and message requests controlled, and are they sequentially numbered for accountability?
12. Does an officer review and approve as-of adjustments, open items, reversals, and other adjustments?
13. Are key fields re-verified before transmission, and are messages released by someone other than the individual who originally entered the message?
14. Does the work flow in a one-way direction to provide adequate internal controls?
15. Are audit trails maintained from receipt through posting to a customer’s account?
16. Are EFT activities adequately documented, and is there an adequate and active records-retention program?

ACCOUNTING, RECORDKEEPING, AND CONTROLS

1. Are Federal Reserve Bank, correspondent bank, and clearinghouse statements used for funds transfers reconciled daily in another area of the bank (for example, accounting or correspondent banking or by a person who is separate from any money-transfer operations) to ensure that they agree with the funds-transfer records?
2. Are all prenumbered forms, including cancellations, accounted for in the daily reconcilement, and do they include the account number and account title?
3. Is the daily reconcilement of funds-transfer and message-request activity reviewed by supervisory personnel?
*4. Is the balancing of daily activity conducted separately from the receiving, processing, and sending functions?
5. Does the EFT department verify that work sent to other bank departments agrees with its totals?
6. Are general-ledger entries, adjustments, automated transactions, or other supporting documents initialed by authorized persons?
7. Does the institution receive cables or other written communications from its customers that indicate amounts to be paid and received and the source of covering funds?
8. If the above detail of receipts is not received, do the institution’s customers inform it of the total amount to be received for the day?
9. Is the information in items 7 and 8 maintained and followed for exceptions?
10. Is an intraday-posting record kept for each customer, showing opening collected and uncollected balances, transfers in, transfers out, and the collected balance at the time payments are released?
11. Are significant CHIPS or Fedwire customer payments and receipts communicated to a monitoring unit promptly during the day to provide adequate information on each customer’s overall exposure?
12. Does the accounting system for demand deposits give an accurate collected-funds position?
13. Have limits been established within which a designated person may authorize release of payments after reviewing the customer’s activity? Does the institution maintain a record of approvals of these releases?
14. When an overnight overdraft occurs, is a determination made as to whether a fail caused the overdraft? If so, is this determination properly documented? Are follow-up actions to obtain the covering funds in a timely manner adequate?
15. Does the institution have a record of payments it failed to make?
16. Is the above record reviewed to evaluate the efficiency of the department?
17. Is corrective action initiated when appropriate?
18. Are investigations and follow-ups for failed payments conducted by personnel who are independent of the operating unit?
19. Are customer advices issued in a timely manner? Do credit advices sent to customers clearly indicate that credits to their accounts that are received through CHIPS are conditional upon final settlement?
20. For the settling institutions on CHIPS, are the net debit positions of the nonsettling participants relayed to appropriate personnel as soon as the positions become known?
21. Are designated supervisory staff responsible for verifying that respondents’ net debit positions are covered the same day?


22. Are the follow-up procedures adequate to facilitate the receipt of funds?
23. Are open-statement items, suspense accounts, receivables, or payables and interoffice accounts related to EFT activity controlled outside of the funds-transfer operations?
24. Do the following controls exist?
   a. Management prepares periodic reports on open-statement items, suspense items, and interoffice accounts.
   b. Reports include agings of open items, the status of significant items, and the resolution of prior significant items.
25. Do general-ledger tickets or other supporting documents include the initials of the originator and designated supervisory personnel?
26. Is senior management required to decide whether to refuse to cover a net debit settlement position of a respondent?
27. Has the institution devised and maintained an adequate system of internal accounting controls, as required by the Foreign Corrupt Practices Act?

AUDIT

1. Does management or the audit department undertake a periodic review to ensure that work is being performed in accordance with policy and guidelines established by the board of directors and senior management?
2. Is the audit department promptly informed when a change is made in systems or the method of operation?
3. Does the audit or independent-review program provide sufficient coverage relative to the magnitude (volume) and nature of EFT activities? Are independent reviews conducted, and do they address all areas of EFT business, including—
   a. payment-order origination (funds-transfer requests);
   b. message testing;
   c. credit evaluation;
   d. customer agreements;
   e. payment processing and accounting;
   f. personnel policies;
   g. physical and data security;
   h. contingency plans;
   i. credit evaluation and approval;
   j. incoming funds transfers;
   k. bank secrecy and foreign assets control, if applicable; and
   l. Federal Reserve payment system risk program and policy issues.

PHYSICAL SECURITY

1. Is access to the EFT area restricted to authorized personnel who have proper bank identification? In limited circumstances when visitors are necessary (such as for repairs of equipment), are they restricted, properly identified, required to sign in, and accompanied by authorized personnel at all times?
2. Is written authorization given to those employees who remain in the EFT area after normal working hours? Who gives such authority? Are security guards informed?
3. Are bank terminal operators or others in EFT operations denied access to computer areas or programs?
4. Do procedures prohibit computer personnel from gaining access to bank terminals or test-key information?
5. Does EFT equipment have physical or software locks to prohibit access by unauthorized personnel at all times?
6. Are terminals and other hardware in the EFT area shut down after normal working hours? Are they regulated by automatic time-out controls or time-of-day controls?
7. Are passwords suppressed when they are entered in terminals?
8. Are operator passwords frequently changed? If so, how often?
9. Is supervisory approval required to access terminals at other than authorized times?
10. Are passwords restricted to different levels of access, such as data files and transactions that can be initiated?
11. Are employees prohibited from taking access keys for sensitive equipment or software test keys out of the EFT area?

CONTINGENCY PLANS

1. Has management properly planned for contingencies, and has it developed a reasonable contingency plan and safeguards that


are commensurate with the volume of EFT activity?
2. Does the bank maintain backup communications systems, and is supervisory approval required for their use?
3. Are procedures in place for sending and receiving transfers if the bank is forced to operate at a different site?
4. Are backup systems and equipment periodically tested by bank personnel?
5. Are there adequate procedures to ensure that data is recovered by the opening of the next business day’s processing?
6. Have written contingency plans been developed and regularly tested in case of partial or complete failure of the bank’s systems or of communication lines between the bank and the New York Clearing House, the Federal Reserve Bank, data centers, critical customers, or servicer companies?
7. Are contingency plans reviewed regularly and tested at least annually?
8. Has management distributed contingency plans to all personnel and stored appropriate copies off-site or in a central database?
9. If the bank processes a large volume of payments, does it maintain a backup facility that provides real-time recovery in case of a disaster or other disruption of the primary data center?
10. Are procedures in place for backup, off-site storage of critical information and for inventory control on hardware and software?
11. Do procedures exist to prevent the inadvertent release of test data into the production environment?
12. Are primary and backup telecommunication lines performance-tested frequently by authorized supervisory personnel?

CONCLUSION

1. Is the foregoing information an adequate basis for evaluating internal control; that is, there are no significant internal-auditing procedures, accounting controls, administrative controls, or other deficiencies or circumstances in areas not covered in this questionnaire that impair any controls? Explain negative answers briefly, and indicate any additional examination procedures deemed necessary.
2. Based on a composite evaluation, as evidenced by answers to the foregoing questions, internal control is considered (adequate/inadequate).
3. If intraday credit is granted to any affiliates, has the bank established policies and procedures to monitor and control such exposures and ensure compliance with section 23B of the Federal Reserve Act, as required by Regulation H? (See 12 CFR 250.248.)
4. Based on a composite evaluation, as evidenced by answers to the foregoing questions, internal control is considered (good, medium, or bad).
5. Will the credit risk resulting from funds transfers have an adverse impact on overall asset quality?
6. Does the allowance for loan and lease losses adequately include significant adverse credit risk that is derived from EFT activities?
7. Will the weaknesses identified from the review of payment systems risk and EFT activity have a negative impact on overall liquidity, earnings, or capital?

For guidance and listed procedures on Fedline, EFT, and information technology standards, see chapters 18 and 19 of the FFIEC Information Systems Examination Handbook.
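Several items in the questionnaire (Operating and Processing Procedures items 1.e, 3, 6 and 10, and Accounting, Recordkeeping, and Controls item 1) ask whether the bank proves its end-of-day totals, checks sequence numbers, and reconciles its funds-transfer log against the Reserve Bank statement to surface open items. The following is an added example, not part of the examination manual, showing that detection logic run over constructed records. The record layout, field names, reference format and all amounts are constructed for illustration and do not represent any real statement format.

```python
"""Added example, not part of the examination manual: a daily proof and
reconcilement of a bank's internal funds-transfer log against its Reserve
Bank statement. All records, field names and reference formats are constructed."""
from collections import Counter
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Transfer:
    seq: int        # bank-assigned sequence number (control number)
    ref: str        # reference that also appears on the Reserve Bank statement
    direction: str  # "OUT" = payment order sent, "IN" = receipt
    amount: Decimal


# Constructed internal funds-transfer log for one business day.
INTERNAL_LOG = [
    Transfer(1001, "FT-0001", "OUT", Decimal("250000.00")),
    Transfer(1002, "FT-0002", "OUT", Decimal("75000.00")),
    Transfer(1003, "FT-0003", "IN", Decimal("120000.00")),
    Transfer(1005, "FT-0005", "OUT", Decimal("10000.00")),  # seq 1004 never logged
    Transfer(1006, "FT-0006", "IN", Decimal("48000.00")),
]

# Constructed Reserve Bank statement lines: (reference, direction, amount).
FED_STATEMENT = [
    ("FT-0001", "OUT", Decimal("250000.00")),
    ("FT-0002", "OUT", Decimal("57000.00")),  # transposed digits versus the log
    ("FT-0003", "IN", Decimal("120000.00")),
    ("FT-0006", "IN", Decimal("48000.00")),
    ("FT-0007", "IN", Decimal("5000.00")),  # on the statement, absent from the log
]


def daily_proof(log):
    """End-of-day proof: message count and dollar total by direction."""
    counts = Counter(t.direction for t in log)
    totals = {}
    for t in log:
        totals[t.direction] = totals.get(t.direction, Decimal("0")) + t.amount
    return {d: (counts[d], totals[d]) for d in counts}


def sequence_gaps(log):
    """Missing and duplicated sequence numbers; either means a request was
    lost, suppressed or entered twice and must be explained."""
    seqs = [t.seq for t in log]
    present = set(seqs)
    missing = [n for n in range(min(seqs), max(seqs) + 1) if n not in present]
    duplicated = sorted(n for n, c in Counter(seqs).items() if c > 1)
    return missing, duplicated


def reconcile(log, statement):
    """Match log entries to statement lines by reference and classify the
    differences: open items (logged but not on the statement), statement
    activity that was never logged, and amount or direction mismatches."""
    by_ref = {t.ref: t for t in log}
    stmt = {ref: (direction, amount) for ref, direction, amount in statement}
    open_items = sorted(ref for ref in by_ref if ref not in stmt)
    unlogged = sorted(ref for ref in stmt if ref not in by_ref)
    mismatched = []
    for ref in sorted(by_ref.keys() & stmt.keys()):
        logged = by_ref[ref]
        stmt_direction, stmt_amount = stmt[ref]
        if (logged.direction, logged.amount) != (stmt_direction, stmt_amount):
            mismatched.append((ref, logged.amount, stmt_amount))
    return {"open_items": open_items, "unlogged": unlogged, "mismatched": mismatched}


if __name__ == "__main__":
    print("proof:", daily_proof(INTERNAL_LOG))
    print("sequence gaps:", sequence_gaps(INTERNAL_LOG))
    print("reconcilement:", reconcile(INTERNAL_LOG, FED_STATEMENT))
```

Each of the three outputs corresponds to a question the examiner asks: the proof gives the counts and totals for item 3 and item 10, the sequence-gap list is the check behind item 1.e, and the reconcilement output is the list of ″open″ items and unexplained statement activity that item 6 and Accounting item 1 expect to be produced daily by someone outside the funds-transfer operation. Amounts are kept as Decimal so that a one-cent difference is reported rather than lost to floating-point rounding.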
