THE PAYMENTS INSTITUTE — July 20-23, 2014 Emory Conference Center Hotel, Emory University, Atlanta, Georgia

Principles of Management

Norman Robinson, AAP President & CEO EastPay, Providing Payments Expertise®

Agenda

• terminology and concepts
• The risk management lifecycle
• Define risk categories and elements
• Define enterprise or
• Define cross-channel risk
• Review
• Discussion

Learning Objectives

• Understand and recognize the elements of risk (strategic, liquidity, reputational, fraud, credit, transactional, compliance, operational, cross channel)

• Understand how these risk elements apply across payment channels

Five Steps to Risk Management

1. Identify and understand your major
2. Decide which risks are natural
3. Determine capacity and tolerance for risk
4. Embed risk in all decisions & processes
5. Align strategies and the organization around risk

Payments Used to be simple

Banking Circa 1970
• Cash
• Wire Transfer
• Checks

Payments are now more complex

Banking Circa 2014
• Cash
• Mobile
• Checks
• Wire Transfer
• Virtual
• Remote Deposit
• ATMs
• Debit Cards
• ACH
• Credit Cards

Risk Categories

1. Financial Risks

2. Management Risks

3. Operational Risk

1. Financial Risks

• rate
  – Deposit terms and rates
• Price
  – Non-interest income
• Liquidity
  – Deposit operations fund the

Financial Risks

• Asset Liability Committee (ALCO) in place
• Assets = ?
• Liabilities = ?
• Spread
• Impact on earnings today?
• Impact on earnings next year?
• Stress tests
• Emphasis on Capital

Financial Risks: Pricing

• Direct impact on earnings
• Missed opportunities
• FI’s philosophy
• Customer relations
• Market relevance
• Regulatory intervention
  – Overdraft programs
  – Durbin amendment
  – Dodd-Frank Amendment 1073
  – CFPB

Financial Risks: Liquidity

• Deposit operations provide the overwhelming majority of funding for loan operations
• Interest rates and pricing impact liquidity
• Critical to success of the bank
  – Many recent failures were liquidity driven

2. Management Risk

• Strategic risk
  – Technology as an example
• Credit
  – Deposit operations
• Reputation
  – Customer service
• Business/Legal
  – Contracts/Agreements

Management Risk: Strategic Risk

• Flawed or failed strategies
• Deployment of technology
• Impact on financial performance
• Bleeds over into other risks or directly impacts them
  – Data breaches
  – Reputation risks

Management Risk

• The obvious
• The not-so-obvious
• Broad implications for
  – Deposit operations
  – Wire transfer
  – ACH origination

Management Risk: Reputation Risk

• Probably the hottest topic today
• Not only who you are but who you do business with
• Loss of customer confidence
• Impact on earnings
• Loss of shareholder values

Management Risk: Business/Legal Risks

• Risk of opening the doors
  – Physical falls into this category
• Proper policies
• Internal controls
• Procedures
• Documentation
• Contracts & Agreements

3. Operational Risk

• Transactional
  – Billions of transactions daily
• Compliance
  – The cost of not complying

Operational Risk: Transactional Risk

• Sheer volume of transactions
• Multiple points of entry into legacy systems
• Internal controls
• Disaster recovery
• Contingency planning

Operational Risk: Compliance Risk

• Regulatory compliance
  – Alphabet soup including Reg CC and Reg E
  – OFAC
  – AML/BSA
• Legal compliance
  – UCC 3 & 4 including Check 21
  – UCC 4a - wire transfer
• Network compliance
  – Pulse/VisaNet/Maestro/Star/Others
  – ACH Operating Rules

What is Enterprise Risk?

• Risk of loss across the entire financial institution resulting from inadequate or failed controls relating to:
  – Internal processes
  – People
  – Systems
  – External Events

• “Operational risk is embedded in virtually every activity a financial institution engages in, from check processing to trading activities, and the more complex the institution or process, the greater the risk of operational failure.”
  Thomas Curry, Comptroller of the Currency, March 4, 2013

Examples

• Internal fraud
• External fraud
• Customer or client interactions
• Financial products
• Business practices
• Damage to physical plant
• Business interruption
• System failures
• Execution and delivery of commitments
• Process management
• Employment practices
• Workplace safety

Manifestations

• Failures of:
  – Manual processes
  – Automated processes
  – Interaction of processes with faulty data
• One time events
• Cascading of multiple failures over time

Key Decision

• How to allocate capital to operational risk

• Challenge:
  – Operational risk has no naturally occurring monetary measurement; therefore,
  – No profit incentive exists to effectively motivate increased efforts to reduce operational risk
  – Ergo: justifying “up” is very difficult

Cross-Channel Risk

Risk associated with deposit accounts by way of multiple points of access (branch, ATM, call center, debit card, online banking, check, ACH, wire, etc.), or the presence of multiple risk types.
• Legal
• Reputational
• Operational
• Compliance
• Fraud
• Liquidity

Cross-Channel Risk and Account Takeover

Regulator Statement…

“…Thomas J. Curry, the head of the OCC, stated that although asset quality has improved, charge-off rates have fallen, and capital now stands at its highest level in a decade, another type of risk is gaining increasing prominence; Operational Risk.

In fact, the OCC considers it currently to be at the top of the list of safety and soundness issues for the institutions they supervise.

Furthermore, because the implications of operational risk extend to all other risks… “Management should distinguish the operational risk component from other risks to enable a stronger focus on operational risk mitigation.”

Source: Compliance Guru, July 2012

$17 million Embezzlement

• Allegedly Defrauded More Than 100 Investors
• $17 million Unaccounted For
• Bank Closed by FDIC
• No Controls to Monitor “Investments”

Source: CNN July 2012

Account Takeover

What can criminals do if they access your Online Banking credentials?

Answer: Anything you can do
• Drain Funds
• ACH
• Checks
• Wires
• Consumer & Business

Account Takeover

Harvested Data:
• OLB Info
• Challenge Questions

[Diagram labels: Criminal, Victim’s Computer]

Account Takeover Realities

• Stolen credentials, not weakness of Online Banking
• Matter of when a business network is infected, not if
• Even strong security can be bypassed
• Significant losses & damaged reputations
• Attacks will continue to get worse
• Typically learn of network intrusion when accounts are compromised

Account Takeover Red Flags

• File or Wire Exceeds Exposure Limits
• Unusual log-in activity (failed attempts, etc.)
• Transactions on unusual days or multiple transactions in a period of time
• Unusual Activity (Wires vs. ACH, 2 ACH Files in 1 day, etc.)
• Report of unauthorized activity
• New Admin Credentials created
• Report from Users that their authority was changed

Mitigation

How to avoid potential loss
• Origination calendars
• Reasonable exposure limits
• Client education
• Static IP or IP address authentication
• Layered security
• Behavioral analytics and/or transaction analytics
• Out of Band Authentication
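
Several of the red flags and mitigations above (exposure limits, origination calendars, unusual log-in activity, multiple ACH files in one day, new admin credentials) can be written as rules over an originator's activity and used to hold payments for out-of-band confirmation. The following is an added example, not part of the original presentation; the event format, profile fields and thresholds are assumptions, and the sample events are constructed.

```python
from collections import Counter
from datetime import datetime

# Hypothetical originator profile; every field name and value is an assumption.
PROFILE = {"exposure_limit": 50_000, "origination_days": {4},  # Thursdays only
           "channels": {"ach_file"}, "files_per_day": 1, "failed_logins": 3}

# Constructed sample events for one business customer (not real data).
EVENTS = [
    {"ts": "2014-07-24T09:00", "type": "ach_file", "amount": 42_000},
    {"ts": "2014-07-26T02:10", "type": "login_failed"},
    {"ts": "2014-07-26T02:11", "type": "login_failed"},
    {"ts": "2014-07-26T02:12", "type": "login_failed"},
    {"ts": "2014-07-26T02:20", "type": "admin_created"},
    {"ts": "2014-07-26T02:31", "type": "ach_file", "amount": 48_000},
    {"ts": "2014-07-26T02:40", "type": "ach_file", "amount": 61_000},
    {"ts": "2014-07-26T02:45", "type": "wire", "amount": 9_000},
]

def red_flags(events, profile):
    """Return (timestamp, flag) pairs for the account takeover red flags."""
    flags, failed, files = [], Counter(), Counter()
    for e in sorted(events, key=lambda e: e["ts"]):
        ts, kind = datetime.fromisoformat(e["ts"]), e["type"]
        day = ts.date()
        def flag(name):
            flags.append((e["ts"], name))
        if kind == "login_failed":
            failed[day] += 1
            if failed[day] == profile["failed_logins"]:  # raise once per day
                flag("unusual log-in activity")
        elif kind in ("admin_created", "authority_changed"):
            flag("admin credentials or user authority changed")
        elif kind in ("ach_file", "wire"):
            if e["amount"] > profile["exposure_limit"]:
                flag("exceeds exposure limit")
            if ts.isoweekday() not in profile["origination_days"]:
                flag("outside origination calendar")
            if kind not in profile["channels"]:
                flag("unusual activity for this originator")
            files[(day, kind)] += 1
            if kind == "ach_file" and files[(day, kind)] > profile["files_per_day"]:
                flag("multiple ACH files in one day")
    return flags

def held_for_callback(events, profile):
    """Timestamps of payments to hold for out-of-band confirmation."""
    flagged = {ts for ts, _ in red_flags(events, profile)}
    return [e["ts"] for e in events if "amount" in e and e["ts"] in flagged]
```

With the sample data, the Thursday payroll file is released, while the three Saturday payments that follow the failed log-ins and the new admin credential are held.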

ODFI Actions

• Terminate or suspend access
• Contact the RDFIs
• Request R06 returns
• Have Originator submit files other ways
• Utilize ACH Operator risk monitoring service
• Account takeover doesn’t always mean infected computer
• Have an Action Plan / Incident Response Plan

Learning Objectives

• Understand and recognize the nine elements of enterprise risk (strategic, liquidity, cross channel, reputational, fraud, credit, transactional, compliance, operational)
• Understand how these risk elements apply across payment channels

Discussion

Questions
