Supervision and Regulation Letters
FFIEC Retail Payment Systems Booklet
SUPERVISION AND REGULATION
SUBJECT: FFIEC Retail Payment Systems Booklet
The Federal Financial Institutions Examination Council (FFIEC) has issued updated guidance for examiners, financial institutions, and technology service providers on the risks and risk-management practices applicable to financial institutions’ retail payment systems activities. The guidance, which is included in the FFIEC Information Technology Examination Handbook, is an update to the “Retail Payment Systems Booklet” (Booklet), which was issued in March 2004.
The revised Booklet provides risk identification and management guidance related to the operational impact of The Check Clearing for the 21st Century Act of 2004 (commonly known as the Check 21 Act). It also provides expanded guidance on merchant card processing and automated clearinghouse (ACH) activities, with a more in-depth discussion of the risks posed by these activities and some of the risk-management tools financial institutions can use to mitigate them. There are also brief discussions addressing some of the emerging technologies in retail payment systems, including contactless payment cards, biometrics, and proximity payments. The Booklet includes information on remotely created checks and electronically created payment orders, both of which are being used more frequently as payment devices in today’s rapidly evolving payments landscape. Lastly, the Booklet addresses remote deposit capture activities and provides examination work steps for use in conjunction with the January 14, 2009, FFIEC guidance on “Risk Management of Remote Deposit Capture” (SR letter 09-2). Electronic versions of the Retail Payment Systems Booklet, as well as the other Information Technology Examination Handbook booklets, are available at http://www.ffiec.gov/ffiecinfobase/html_pages/it_01.html.
Reserve Banks are asked to distribute this SR letter to the banking organizations they supervise, as well as to their supervisory and examination staff. If you have any questions regarding the revised guidance, please contact Adrienne Haden, Assistant Director, Operational and IT Risk Section, at (202) 452-2058; Brad Beytien, Manager, Operational and IT Risk Section, at (202) 452-3759; or Elton Hill, Senior Supervisory Financial Analyst, Operational and IT Risk Section, at (202) 452-2514. In addition, questions may be sent via the Board’s public website.
Patrick M. Parkinson