Dear Board of Directors:
The Federal Financial Institution Examination Council (FFIEC)1 has released an updated Retail Payment Systems Booklet (booklet), which replaces the version issued in March 2004. The updated booklet incorporates developments in various aspects of retail payments activities since the first edition was issued and provides guidance on the risks and risk-management practices applicable to credit unions in performing retail payment operations.
Significant revisions to the booklet include the following:
Check 21 – The booklet addresses changes in technology and provides guidance on the Check Clearing for the 21st Century Act of 2004 (Check 21). This act became effective on October 28, 2004, after the first edition of this booklet was published. Check 21 facilitates the broader use of electronic check processing without mandating that a financial institution change its current check collection practices. Financial institutions should deploy Check 21 with appropriate strategic planning, project management, and vendor management.
Evolution of Electronic Check Collection – The booklet discusses several possible models for electronic check collection that are emerging in the wake of the passage of Check 21. Three different services that may use either image or MICR-transmission technologies include: remotely created checks, remote deposit capture, and electronically created payment orders. There is an in-depth discussion of these practices, the risks they pose, and the risk-management tools that credit unions can use to mitigate them. The booklet also includes examination procedures to supplement the recently issued interagency guidance on remote deposit capture (LTCU: 09-CU-01).
The Automated Clearinghouse (ACH) – The booklet provides expanded guidance on ACH. The National Automated Clearinghouse Association (NACHA) and the two principal ACH operators, the Federal Reserve Banks and Electronic Payments Network (EPN), have clear expectations that financial institutions manage the related risks, particularly when the institutions engage in riskier ACH activities. The booklet provides an in-depth discussion of the increased risks posed by ACH activities and some of the risk-management tools financial institutions can use to mitigate them.
NACHA Rule and Product Changes – NACHA has mandated several important rule changes to expand the use of the ACH network and to improve risk management. Financial institutions and their technology service providers should have processes in place to ensure compliance with the rules listed in the booklet and for changes to those rules going forward.
Emerging Retail Payment Technologies – This new section discusses new technologies (i.e., contactless payment cards, biometrics for payment initiation and authentication, proximity payments) and several types of emerging network technologies (i.e., infrared, radio frequency identification, Bluetooth).
Merchant Acquiring – Operational and data integrity risks can arise from improper processing of bankcard transactions, inadequate internal controls, employee error or malfeasance, and other challenges inherent when processing within a multi-participant environment. The booklet discusses the increased risks posed by activities related to merchant acquiring and some of the risk-management tools that financial institutions can use to mitigate them.
Appendix C – This new appendix includes a schematic of retail payments access channel and payment methods.
If you have any questions, please contact your NCUA Regional Office or State Supervisory Authority.