Primary Risks
EPS activity can expose a credit union to several risk areas as outlined below. Board-approved policies governing EPS activity should include specific measures the credit union will take to mitigate those exposures.
- Compliance risk
- Credit risk
- Fraud risk
- Liquidity risk
- Transaction risk
- Reputation risk
- Strategic risk
- Third-party risk
Compliance Risk
Compliance risk is the current and prospective risk to earnings or net worth arising from violations of, or nonconformance with, laws, rules, regulations, prescribed practices, internal policies and procedures, or ethical standards. Credit unions must ensure that their electronic payment systems activities are in compliance with the relevant laws and regulations. (See also NACHA Operating Rules & Guidelines and Federal Reserve's Payment System Risk Program.)
Key indicators of compliance risk appear below, along with information about which EPS each indicator applies to.
Key Risk Indicator | ACH | ATM | Cards | IP/RDC | Wires |
---|---|---|---|---|---|
Lack of compliance with CFPB/Dodd Frank Act requirements | X | | | | |
Lack of compliance with BSA/AML and OFAC rules | X | X | X | X | X |
Lack of compliance with NACHA operating rules and guidelines | X | | | | |
Weak contract and agreements; lack of service-level agreements; absence of contract and agreement legal review | X | X | X | X | X |
Credit Risk
Credit risk is the risk that the receiver or originator of a transaction does not have sufficient funds to settle the transaction. Examples of credit risk exposure include:
- Posting ACH credits before the settlement date.
- Crediting new members’ accounts for deposits that have not been verified.
- Posting a member business payroll without pre-funding or an established line of credit.
Each of these examples presents situations where a credit union distributes funds before it has them. If the originator defaults, goes bankrupt, or simply does not have sufficient funds to settle, the credit union may lose any funds that it has distributed before the settlement date.
Credit unions can mitigate this risk exposure by posting transactions on the settlement date, instituting holds on deposits where appropriate, and performing proper credit analysis on member businesses.
Key indicators of credit risk appear below, along with information about which EPS each indicator applies to.
Key Risk Indicator | ACH | ATM | Cards | IP/RDC | Wires |
---|---|---|---|---|---|
Inadequate pre-funding; weak control of funds availability | X | X | | | |
Weak internal controls over exception handling | X | X | X | X | X |
Insufficient credit analysis performed on originators | X | | | | |
Lack of write-off policy/inadequate write-off procedures | X | X | X | X | X |
Inadequate system controls of dollar limits, activity thresholds, and transaction types | X | X | X | X | |
Inadequate risk assessments on high-risk members and payment activities | X | X | X | X | X |
Inadequate accounting; includes timely reconciliations, management of suspense, and expense accounts | X | X | X | X | X |
Fraud Risk
EPS are vulnerable to fraud perpetrated by:
- Employees and other insiders – In the absence of sound internal controls, a credit union insider could redirect funds into a general ledger suspense account.
- External sources – An individual could obtain a member’s identity and make a fraudulent request for a line of credit to be wire transferred to an outside source. For more information, see ACH Internal Controls.
Liquidity Risk
Liquidity risk is the current and potential risk to earnings or capital arising from a credit union’s inability to meet its obligations when they come due without incurring unacceptable losses. Liquidity problems can result in opportunity costs, defaults on other obligations, and costs associated with obtaining the funds from an alternative source for possibly extended periods of time. With respect to payment systems, liquidity risk is present when:
- A credit union does not have enough funds to cover outgoing electronic transfers, and
- A credit union transfers funds out before those funds have been received.
Credit unions can mitigate this risk exposure with effective cash management programs (that is, they anticipate and prepare for cash needs).
Key indicators of liquidity risk appear below, along with information about which EPS each indicator applies to.
Key Indicator | ACH | ATM | Cards | IP/RDC | Wires |
---|---|---|---|---|---|
Weak control over available funds before effective date of the transaction; includes not warehousing ACH items | X | | | | |
Ineffective control of daylight over-drafting | X | X | | | |
Inadequate system controls of dollar limits and activity thresholds | X | X | X | X | X |
Inadequate risk assessments on high-risk members and payment activities | X | X | X | X | X |
Transaction Risk
Transaction risk, also known as operational risk, is the risk of loss resulting from inadequate or failed internal processes, people and systems, or external events that result in an inability to deliver products, remain competitive, and manage information. With respect to EPS, operational risk exposure can result from a technology failure; human or technical errors in reporting and recordkeeping; or other internal control system deficiencies. Credit unions can mitigate operational risk through adequate information systems, internal controls, backup facilities and business continuity plans, reliable technology, vendor management, regular audits, and adequate staff training and support.
Key indicators of transaction risk appear below, along with information about which EPS each indicator applies to.
Key Risk Indicator | ACH | ATM | Cards | IP/RDC | Wires |
---|---|---|---|---|---|
Inadequate risk management program | X | X | X | X | X |
Insufficient policies and documented procedures | X | X | X | X | X |
Insufficient management oversight or oversight documentation | X | X | X | X | X |
Inadequate internal controls; dual control, separation of duties, call-back requirements, exception handling | X | X | X | X | X |
Inadequate training, cross-training and rotation of duties, call-back requirements, exception handling | X | X | X | X | X |
Inadequate internal audit function | X | X | X | X | X |
Inadequate incident response program | X | X | X | X | X |
Inadequate business continuity planning | X | X | X | X | X |
Inadequate third-party and member agreements | X | X | X | X | X |
Reputation Risk
Reputation risk is the risk of negative public opinion or perception leading to a loss of confidence and/or severance of relationships. For example, an ATM running an outdated operating system that cannot accept critical updates and patches allows a breach to occur, and the credit union’s members come to perceive that its systems are not secure. As a result, members withdraw their funds from the credit union.
Key indicators of reputation risk appear below, along with information about which EPS each indicator applies to.
Key Indicator | ACH | ATM | Cards | IP/RDC | Wires |
---|---|---|---|---|---|
Untimely postings, downtime, and lack of system and software reliability | X | X | X | X | X |
Multiple conversions required due to poor planning and due diligence | X | X | X | X | X |
Lack of project management for rollout of new products and services | X | X | X | X | X |
Strategic Risk
Strategic risk is the risk of adverse business decisions through management’s actions or inactions.
Key indicators of strategic risk appear below, along with information about which EPS each indicator applies to.
Key Risk Indicator | ACH | ATM | Cards | IP/RDC | Wires |
---|---|---|---|---|---|
Lack of board awareness and demonstration of risk appetite relative to EPS products or services | X | X | X | X | X |
Lack of strategic or business plan related to EPS | X | X | X | X | X |
Growing payment services without adequate planning | X | X | X | X | X |
Offering new payment services without adequate vendor due diligence/third-party service provider oversight | X | X | X | X | X |
Third-Party Risk
Credit unions that use a third party (for example, a corporate credit union or CUSO) to process electronic payments are subject to third-party risk. Retail, payroll, and wire transfer companies (for example, Western Union, MoneyGram, and PayPal) are other third parties that introduce risk to the EPS.
Credit unions may not have direct control over the functions performed by third parties. If a third party does not perform adequately, it exposes the credit union to increased risk and potential losses. Credit unions can mitigate this risk exposure by performing proper due diligence over third parties. For more information, see ODFI Risk Management.
Last updated September 25, 2017