Wire Transfer Basics
Presented by Jessica Noll, AAP Auditor/Trainer
PAR/WACHA-The Premier Payments Resource
jnoll@wacha.org
2018
• WACHA, through its Direct Membership in NACHA, is a specially recognized and licensed provider of ACH education, publications and support.
• Regional Payments Associations are directly engaged in the NACHA rulemaking process and Accredited ACH Professional (AAP) program.
• NACHA owns the copyright for the NACHA Operating Rules & Guidelines.
• The Accredited ACH Professional (AAP) is a service mark of NACHA.
• This material is derived from collaborative work product developed by NACHA ─ The Electronic Payments Association and its member Regional Payments Associations, and is not intended to provide any warranties or legal advice, and is intended for educational purposes only.
• This material is not intended to provide any warranties or legal advice, and is intended for educational purposes only.
• This document could include technical inaccuracies or typographical errors and individual users are responsible for verifying any information contained herein.
• No part of this material may be used without the prior written permission of WACHA/PAR
© 2018 PAR/WACHA All rights reserved
Disclaimer
• Key Definitions
• Types of Networks
• Rules and Regulations
• Risk
• Management Tools and Policies
• Internal Controls
• Corporate Account Takeover
Agenda
• Provide Payments Professionals with the fundamentals of wire transfer payments and how they differ from other payment systems
• Illustrate key definitions, types of wire transfer networks, and wire transfer rules and regulations
• Risk/Fraud Awareness
• How to establish strong Internal and External controls
Objectives
• Wire transfer – The electronic transfer of money from one person to another, from one Bank or Credit Union to another
• Drawdown – Message requesting the receiving financial institution to debit an account and wire funds to the sender of the message. Also known as a “reverse wire transfer”, “debit transfer” or “request for funds”. The term comes from “drawing down” the balance in a correspondent account
• Repetitive wire transfer – Transfer where the information and payment instruction do not change
Key Definitions
• Non-repetitive wire – Transfer where any information can be changed
• Correspondent Bank – A Financial Institution that provides services on behalf of another Financial Institution.
• Routing number/ABA – A nine-digit code that’s based on the US Bank location where an account was opened.
• Corporate Account Takeover – Business identity theft in which a criminal steals a business’s online banking credentials.
Key Definitions
• Higher dollar transfers compared to other payment types (checks or ACH)
• Credit push model
• Safe (assuming money isn’t going to a thief)
• Fast/same day settlement for domestic transfers
• Risk:
  • Higher dollar loss
  • Irrevocable
  • Instant
• Higher processing fee
Wire Transfer Key Characteristics
Wire Transfer Process Flow
[Diagram boxes: Sender; Sending FI; Correspondent FI; Federal Reserve; Receiver; Receiving FI]
• Operated by the Federal Reserve System
• Move funds between FRB member banks
• Real-time, gross settlement system.
• Transfers are irrevocable when received from FRB
FedWire®
• Clearing House Interbank Payments System
• Operated by The Clearing House
• Governed by UCC 4A
• Differs from Fedwire
• Only has 47 Member participants
CHIPS®
• Society for Worldwide Interbank Financial Telecommunication
• International messaging system
• Enables FIs to send and receive information about financial transactions
• Funds settle through correspondent accounts
SWIFT®
• Regulation J Subpart B
• Regulation S
• UCC4A
• Regulation E
• Regulation CC
• FFIEC Guidance
Rules and Regulations
• Federal Reserve Board Payment System Risk Policy (PSR)
• OCC Banking Circular 235
• Office of Foreign Asset Control (OFAC)
Rules and Regulations
• Legal relationship between Financial Institution and Federal Reserve Bank
• Does not cover the relationship between FI and account holder
• Incorporates a version of New York UCC4A
FRB Regulation J - Subpart B
• Also referred to as BSA
• Requires US Financial Institutions to assist US Government Agencies to detect & prevent money laundering.
• Recordkeeping requirements for Wires $3,000.00 or more
• Recordkeeping requirements for non established customers
• Retrievability
Bank Secrecy Act
• State law
• New York was one of first states to pass
• Local state law by contract
Uniform Commercial Code Article 4A
• Wholesale electronic funds transfers
• Specifically excludes:
  • Items covered by Regulation E (consumer transfers)
    • Exception: Foreign Remittances added as part of Dodd-Frank effective February 7, 2013
  • Debit transfers
• Regulation E excludes transfers sent thru Fedwire® or similar networks
UCC4A Key Points
• UCC4A-105 - “funds transfer day”
  • Example: If payment order is received after the institution’s cutoff, institution may hold until the next funds transfer day to execute
• Written Agreement
• Some items cannot be varied by contract
• UCC4A – 404 Notice for Credits of Incoming Transfer
• UCC4A – 209 Definitions of “Acceptance”
• UCC4A – 201 “Commercially Reasonable Security Measures”
• UCC4A – 207 Can rely on account number # alone to post
  • Unless determine that there is a discrepancy between name and acct #
  • If name & account number mismatch is known, cannot accept payment order
UCC4A Key Points
Regulation E Remittance Transfer Rules
• New Subpart B to Regulation E
• Section 919 of the EFTA:
  • Requires disclosure of certain information prior to and at the time of the transfer
  • Creates new consumer protections, including the right to cancel a transfer and the right to a refund in certain circumstances
  • Establishes a new error resolution scheme to which remittance transfer providers must adhere
  • Establishes standards of liability for remittance transfer providers and their agents
• Consumer protection
• Comparison shopping
• Transparency and certainty of costs
Dodd Frank 1073 International Remittance Rule
• Impacts
  • Any consumer request to send funds to a recipient outside of the United States
  • Recipient can be a consumer or business
  • Wire transfer, international ACH, and bill payment
• 30 minutes to rescind request
• Applies to remittance transfers
  • More than $15
  • Made by a consumer in the US
  • Sent to a person or company in foreign country
  • Exemption for FIs that send less than 100 remittances a year
Regulation E & Foreign Remittances
• Pre-payment disclosure
  • Transfer amount in currency used to fund request
  • Institution fees
  • Transfer amount
  • Exchange rate
  • All other fees and taxes, i.e. correspondents and foreign taxes
  • Total amount RECEIVED by the recipient
• Must be provided to the consumer before they agree to the transaction
Regulation E & Foreign Remittances
• Receipt disclosure:
  • All the information from Pre-payment disclosure
  • Date the funds will be available to the recipient
  • Name of recipient (and contact if available)
  • Consumer’s error resolution rights
  • Contact information of the financial institution
  • Statement that consumer may contact state agency that licenses the financial institution and CFPB
• The consumer has at least 2 receipts/disclosures
• Error Resolution
  • Consumer has 180 days to notify FI of an “error”
  • Such as receiver never received funds, or wrong amount
Regulation E & Foreign Remittances
• Fedwire® funds transfers are subject to funds availability provisions and to Bank Secrecy Act requirements
Regulation CC
• States Institutions should rely on “layered security” approaches
• Not all transactions have the same risk
• Requires Institutions to implement solutions to:
  • Detect and respond to suspicious activity
  • Have better control of administrative functions
FFIEC Guidance
• Commonly referred to as “Daylight Overdraft”
• Requires FI to evaluate and continually monitor several factors
  • Credit worthiness of “significant” customers
  • Own credit worthiness
  • Own credit and operational policies
• FI may have a “Daylight Overdraft limit”
• Federal Reserve monitors FIs in real-time and may require pre-funding
FRB Payment System Risk Policy
• Addresses payment systems risks
• Covers risks associated with different systems
• Outlines policies and controls that senior management implement
OCC Banking Circular 235
• Commonly known as OFAC
• Controls assets of certain foreign countries and designated individuals
• Each country or individual is “authorized” by a Federal law
• Countries/individuals can be added or deleted
• Penalties include prison and fines
• List is referred to as the “SDN” and changes frequently
Office of Foreign Assets Control
• Financial Institution requirements
  • Block and hold funds transfers until OFAC authorizes release
  • Review originated or received fund transfers to ensure funds are not transferred into or out of accounts of a listed entity
  • Incoming transfers for a flagged SDN account must be frozen and the FI must contact OFAC
  • OFAC considers any transfer made in violation of OFAC regulations null and void
• General info, contacts and latest SDN list https://www.treasury.gov/resource-center/sanctions/Pages/default.aspx
Office of Foreign Assets Control
• Credit
• Operational
• Fraud
• Systemic
• Sovereign
• Technology/3rd Party
• Reputational
Types of Risk
• “Good funds”
  • Available at time of transfer,
  • End of day, or
  • When settlement is attempted
• Risk Mitigation
  • Credit review and approval policies and procedures
  • Identify sender and validity of instructions
  • Funds held or debited prior to sending outgoing wire transfer (collected funds ONLY)
Credit Risks
• Hardware/Software or Telecommunications Failure
• Human Error
• Limited/Untrained Staff
• Disaster
• Risk Mitigation
  • Disaster recovery plan that is unique to wire transfer area
  • Expand beyond disaster recovery to include business resumption
  • Include users (external & internal)
  • Staff training, cross training and backup systems
Operating Risks
• Internal Fraud
  • FI Employees
  • 3rd Party Processors
• External Fraud
  • Company Employees
  • 3rd Party Processors
  • Interlopers/hackers
  • Key loggers
  • Customer Impersonation
  • Social Engineering
Fraud Risks
• Risk Mitigation
  • “Know Your Customers”
  • Formal contracts
  • “Commercially Reasonable Security Procedures”
  • Call-backs, digital signatures, dual controls, test keys, tokens, out of band authentication, biometrics
  • Need to know limits
Fraud Risks
• Risk to the system/network that one financial institution’s inability to settle its position will cause other financial institutions to fail to settle
• Risk Mitigation
  • Federal Reserve’s Payment System Risk Policy (Daylight Overdraft) was developed to prevent this from occurring. Requires FI to monitor both its Fed position and customer’s position
Systemic Risk
• Risk that a sovereign government or other political entity will take some action to prevent or alter the settlement of transfers
• Often referred to as “Political” risk
Sovereign Risk
• Risks that occur from use of technology or a third party processor
• Presents multiple types of risk
• Has the third-party identified all the appropriate risks, designed and implemented adequate controls to prevent loss? If not, FI bears risks for this “lacking” element of risk management
• FIs should have contracts/agreements in place with correspondent FIs and service providers that outline what controls are implemented and 3rd party’s responsibility for any errors or losses
• FIs should evaluate the controls employed and ask for additional controls to be implemented (if appropriate) or add compensating controls such as procedures or manual controls
• FI should request certification of audits conducted by technology providers to ensure compliance with legal and regulatory requirements
Technology/3rd Party Risk
• The risk that a loss or problem is communicated to the general public resulting in negative press and a loss of business
• Risk Mitigation
  • Have a PR plan prepared in the event that a significant loss occurs
  • Should include internal communications, and external press releases, contact information, and ongoing mitigation strategies
Reputational Risk
• Personnel Management Policies
  • Reassign personnel who have given notice
  • Randomly rotate personnel
  • Utilize dual controls at all levels
    • Recognize that for small business or FIs it may be difficult
  • Hire staff for funds transfers operations with a proven history with organization (not new hires)
• Adequate Training and Written Documentation
• Pre employment Screenings (drug, credit, and police check)
• “Time Away” Policy
Risk Management Tools
• Use of Repetitive Wire Transfers
  • Since most of the critical information in the payment order is “static”, risk is reduced (operational errors, fraud, etc)
  • Key control is how repetitive wires are updated/changed.
• Limit non-repetitive wire transfers
• Verify key data elements (amount, beneficiary and bank info)
• Wire Requests by Phone/Fax?
• Wire transfer requests should not be processed relying solely on an email request (stronger customer verification is needed)
• Wire Request Forms
Risk Management Tools
• Wire Transfer Policy
  • Approved by the Board annually, or when there are significant changes in the wire process, systems, etc.
  • Wire Transfer Policy should address
    • Wire software used
    • Types of wires (domestic vs. international, customer vs. non-customer)
    • Use of security procedures & customer agreements
    • Approval of an administrator and
    • Wire limits
• Dual Control
• Rekey of wire dollar amount
• Transaction limits
Internal Controls
• Customer Agreements.
  • Written agreements with repeat wire customers (usually for wires initiated by phone or fax, not “in person” requests)
• Agreements should:
  • Describe the security procedures to be followed when verifying the authenticity of a wire request
  • Include waivers from the customer if they opt-out of the security procedures. (written and signed by customer)
  • Established cut-off times for receiving, transmitting, amending and cancelling wire transfer requests
  • Individuals authorized to request wire transfers and any wire limits established
  • Defined methods by which a wire transfer request can be initiated (phone, fax, online banking)
Internal Controls
• Security procedures
• Daily Reconciliation by wire operations staff
• Independent Reconciliation (segregation of duties)
  • Wire administrator should not have wire create or verify capabilities
  • Due from account used for wire settlement should be reconciled by someone independent of wire operations
  • May be difficult for some institutions due to limited staff.
• Supervisory review of reconcilements of funds transfer activity on a regular basis
Internal Controls
• Corporate account takeover is a type of business identity theft in which a criminal entity steals a business’s valid online banking credentials, which usually results in a fraudulent wire/ACH
• How does it work
  • Malicious document attached to an email
  • Links within an email to an infected website
  • Employee(s) visiting legitimate website download infected/malicious files
  • Introduction of other devices (flash drives)
Corporate Account Takeover
• Who are the players
  • Organized criminals (often overseas)
  • Commercial Customers (usually a small business)
  • Financial Institutions
  • Money Mules
• What is a Money Mule
  • Money Mules receive funds in their bank account
  • They then forward the funds to another account (usually overseas)
  • They keep a small portion of funds as payment
  • Money Mules typically only receive between $5K-$10K to transfer, so their fee is often small
Corporate Account Takeover
• Financial Institution Employee receives email from supposed account holder requesting account balances for all accounts owned
• Employee provides account balances via email
• Supposed account holder requests a wire transfer to be completed and includes wire transfer instructions
• Financial Institution completes wire transfer without further verification from account holder (call back to phone number on file)
• Financial Institution learns the Wire is fraudulent after it has been sent and suffers a loss for not following policy or security procedures.
Lessons Learned
• Small Business Secretary receives an email from one of the owners of the Company she works for.
• The email requests her to contact their Financial Institution to do a wire transfer which includes the Wire transfer instructions and what ledger account to charge the Wire transfer expense to.
• Secretary contacts the FI and requests the wire transfer via phone but because she is not a signer the FI will need signature verification from one of the owners of the Company.
• FI faxes the Wire request to the Secretary and she obtains the signature of the owner who is a signer on the account but did not initially request the transfer.
Lessons Learned
• Wire Transfer is faxed back to the FI, which verifies the legitimacy of the signature and processes the Wire Transfer
• Wire Transfer email request is found to be fraudulent by the Company and the Company is at a loss for not following internal controls.
Lessons Learned
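The internal controls listed earlier (dual control, rekey of the dollar amount, transaction limits, administrator segregation, call-back) can be written as a release gate and run against the two cases above. This is an added example, not part of the original presentation; the record layout, names, channel list and amounts are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Channels where the requester is not physically present (assumption of this sketch).
REMOTE_CHANNELS = {"email", "phone", "fax"}

@dataclass(frozen=True)
class WireRequest:            # hypothetical record layout, not a real wire-system schema
    origin_channel: str       # how the instruction first arrived
    claimed_requester: str    # who the instruction says it is from
    amount_cents: int         # amount keyed by the creator
    rekeyed_cents: int        # amount keyed again by the verifier
    created_by: str
    verified_by: Optional[str]
    callback_confirmed_by: Optional[str] = None  # person reached on the number on file
    signature_verified: bool = False             # recorded, deliberately not a release test

@dataclass(frozen=True)
class Policy:
    authorized_requesters: frozenset
    wire_admins: frozenset    # administrators must not create or verify wires
    limit_cents: int

def release_findings(req: WireRequest, pol: Policy) -> list:
    """Return the control failures that block release; an empty list means release."""
    findings = []
    if req.claimed_requester not in pol.authorized_requesters:
        findings.append("requester-not-authorized")
    if req.verified_by is None or req.verified_by == req.created_by:
        findings.append("dual-control")
    if {req.created_by, req.verified_by} & pol.wire_admins:
        findings.append("admin-segregation")
    if req.amount_cents != req.rekeyed_cents:
        findings.append("rekey-mismatch")
    if req.amount_cents > pol.limit_cents:
        findings.append("over-limit")
    # A verified signature does not prove who originated a remote instruction;
    # only a call-back that reaches the claimed requester does.
    if (req.origin_channel in REMOTE_CHANNELS
            and req.callback_confirmed_by != req.claimed_requester):
        findings.append("no-callback")
    return findings

# Constructed sample data modelled on the two "Lessons Learned" cases.
POLICY = Policy(frozenset({"owner_a", "owner_b"}), frozenset({"wire_admin"}), 5_000_000)
CASE_1 = WireRequest("email", "owner_a", 2_500_000, 2_500_000, "teller_1", "teller_2")
CASE_2 = WireRequest("email", "owner_a", 1_800_000, 1_800_000, "teller_1", "teller_2",
                     signature_verified=True)
CONFIRMED = WireRequest("phone", "owner_b", 900_000, 900_000, "teller_1", "teller_2",
                        callback_confirmed_by="owner_b")

if __name__ == "__main__":
    for name, req in [("case 1", CASE_1), ("case 2", CASE_2), ("confirmed", CONFIRMED)]:
        print(name, release_findings(req, POLICY) or "release")
```

Both constructed cases are blocked on the call-back check alone, including the one with a valid signature on file.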
Questions
• UCC4A www.law.cornell.edu/lii.html
• FFIEC authentication guidance issued June 28, 2011 www.ffiec.gov
• OFAC https://www.treasury.gov/resource-center/sanctions/Pages/default.aspx
Resources
Wire Transfer Basics
This session is worth 1.8 credits (Keep this for your records)
AAP Continuing Education Credits
• WACHA - The Premier Payments Resource
• PAR - Payment Advisory Resource
HELP DESK
• Phone: 262-345-1245
• Toll Free: 800-453-1843
• Fax: 262-345-1246
• info@wacha.org
Resources
Jessica Noll, AAP
jnoll@wacha.org
Upcoming WACHA events with CBANC Education:
• Tax Refunds: Wed 2/7 at 1pm CT/2pm ET
• Regulation E Disputes: Thurs 2/15 at 1pm CT/2pm ET
• Government Payments Overview: Wed 2/21 at 1pm CT/2pm ET