Policies and Processes
EPS Policies
A credit union’s board of directors should establish and approve a policy that addresses each type of EPS the credit union uses (such as wire transfer, ACH, item processing and remote deposit capture, ATM, and card programs). An EPS policy should provide a framework for achieving objectives outlined in the board-approved strategic plan and should sufficiently address associated risk. These policies may:
- Define the types of EPS activities the credit union will engage in, as well as the specific transaction types, taking into account the risks presented by each.
- Include measures to mitigate identified risks (such as an internal control system)
- Define the credit union’s responsibilities with respect to EPS activities (for example, the credit union is responsible for ensuring that incoming funds are posted to members’ accounts by the opening of business daily, outgoing fund transfers are accurate, the identity of the sender or receiver is appropriately verified, and funds are transmitted expediently)
- Define requirements for ongoing staff training
- Ensure adequate oversight of the system and related transactions
- Ensure effective management review and oversight
- Require regular internal and/or external audits of the program
- Require that records be retained for a specified period of time
- Outline a business continuity plan and disaster recovery testing
- Define expectations for management reporting to the board
- Ensure compliance with applicable consumer protection and other Federal laws (such as NACHA, Electronic Fund Transfers (Regulation E), or Check Clearing for the 21st Century Act (Check 21)).
EPS policies should be reviewed regularly and revised as necessary to reflect changes in a credit union’s business and/or strategic plan.
Procedures
Procedures are established by a credit union’s management team to implement policies established by the board. The procedures should prescribe the steps credit union staff will follow for all phases of an EPS transaction. Management should develop procedures for each department or individual role that is involved in the process of making EPS transactions.
The procedures should be specific to each individual EPS and should address the inherent risks of each system. For example, procedures should define clear transaction limits, establish dual control over processes, establish segregation of duty among employees, document processes from beginning to end, and establish physical and logical security measures.
A credit union may use EPS to transfer its own funds out of the credit union (to a Federal Reserve Bank account, to another bank account, or to an account at a corporate credit union). Credit unions should follow established procedures and segregation of duties to process these transactions. This will ensure that the transfers are completed accurately, that they receive proper approvals, and that there is sufficient recordkeeping to document these transactions.
The procedures should be reviewed regularly and revised, as necessary, to accommodate changes in the board-approved policy or other factors such as software changes or enhancements.
Operations
Credit unions may have independent departments, such as an ACH or wire transfer department, that input and verify EPS transmissions. These departments receive transfer requests from the member service representatives and tellers and enter them in the appropriate system (such as FedLine, ACH, or corporate credit union system). At least two separate participants should be involved in a department: one to input or request a transaction, and another to verify and send funds.
Smaller credit unions may not have individual departments devoted to these functions, and may have staff members perform more than one function related to EPS. In such cases, a credit union should have controls in place to ensure adequate segregation of duties. If adequate segregation of duties is not possible, a credit union should have compensating controls (such as a review of transfer logs by the Supervisory Committee) in place to mitigate the risk.
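The controls described in the Procedures and Operations sections above (board-approved transaction limits, dual control, segregation of duties between the person who inputs a transfer and the person who releases it, an end-to-end record, and a compensating review of the transfer log) can be enforced in software rather than left to practice. The following is an added illustration, not NCUA's or any vendor's code; the role names, dollar limits, user names and transaction identifiers are constructed assumptions.

```python
"""Dual-control (maker/checker) enforcement for outgoing EPS transfers.

Illustrative example added to the guidance; not NCUA's or any vendor's code.
Role names, limits, user names and transaction ids are constructed assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Constructed board-approved limits (assumption): per-transaction and per-day caps.
PER_TXN_LIMIT = 50_000
DAILY_LIMIT = 200_000

INITIATE = "initiate"   # may input/request a transfer
APPROVE = "approve"     # may verify and release a transfer


@dataclass
class Transfer:
    txn_id: str
    amount: int
    beneficiary: str
    initiated_by: str
    approved_by: Optional[str] = None
    released: bool = False


@dataclass
class TransferDesk:
    """Holds pending transfers, the roles table and an append-only audit log."""
    roles: dict                                   # user -> set of role names
    transfers: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)
    released_today: int = 0

    def _log(self, event, **details):
        self.audit_log.append({"ts": datetime.now(timezone.utc).isoformat(),
                               "event": event, **details})

    def initiate(self, user, txn_id, amount, beneficiary):
        """Maker step: record the request, but never move funds."""
        if INITIATE not in self.roles.get(user, set()):
            self._log("rejected", txn_id=txn_id, user=user, reason="no initiate role")
            raise PermissionError(f"{user} may not initiate transfers")
        if amount <= 0 or amount > PER_TXN_LIMIT:
            self._log("rejected", txn_id=txn_id, user=user, reason="per-transaction limit")
            raise ValueError(f"amount {amount} outside per-transaction limit")
        if txn_id in self.transfers:
            raise ValueError(f"duplicate transaction id {txn_id}")
        t = Transfer(txn_id, amount, beneficiary, user)
        self.transfers[txn_id] = t
        self._log("initiated", txn_id=txn_id, user=user, amount=amount)
        return t

    def approve(self, user, txn_id):
        """Checker step: a different person verifies and releases the transfer."""
        t = self.transfers[txn_id]
        if APPROVE not in self.roles.get(user, set()):
            self._log("rejected", txn_id=txn_id, user=user, reason="no approve role")
            raise PermissionError(f"{user} may not approve transfers")
        if user == t.initiated_by:
            # Segregation of duties: holding both roles does not let one person
            # complete a transfer end to end.
            self._log("rejected", txn_id=txn_id, user=user, reason="self-approval")
            raise PermissionError("initiator may not approve their own transfer")
        if t.released:
            raise ValueError(f"{txn_id} already released")
        if self.released_today + t.amount > DAILY_LIMIT:
            self._log("rejected", txn_id=txn_id, user=user, reason="daily limit")
            raise ValueError("daily limit exceeded")
        t.approved_by = user
        t.released = True
        self.released_today += t.amount
        self._log("released", txn_id=txn_id, approver=user, amount=t.amount)
        return t


def review_log(desk):
    """Compensating control: an after-the-fact review of the transfer log
    (for example by the Supervisory Committee). Returns released transfers whose
    initiator and approver coincide (should be empty) and a count of rejections."""
    self_approved = [t.txn_id for t in desk.transfers.values()
                     if t.released and t.approved_by == t.initiated_by]
    rejections = sum(1 for e in desk.audit_log if e["event"] == "rejected")
    return {"self_approved": self_approved, "rejections": rejections}


if __name__ == "__main__":
    desk = TransferDesk(roles={"alice": {INITIATE}, "bob": {APPROVE},
                               "carol": {INITIATE, APPROVE}})
    desk.initiate("alice", "T1", 10_000, "corp-cu-settlement")
    desk.approve("bob", "T1")
    print(review_log(desk))
```

The design point is that the segregation check compares the individual, not the role: a small credit union where one employee holds both the initiate and approve roles still cannot complete a transfer alone, and every rejection lands in the same log that the Supervisory Committee review reads, so the compensating control covers the cases the preventive control could not.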
Risk Management
A strong risk management program begins with clearly defined objectives, a well-developed business strategy, and clear risk parameters. Risk management practices help a credit union monitor the risk in the EPS function and ensure that board-established limits are adhered to. Both the board of directors and management are responsible for ensuring that the EPS program does not expose the credit union to excessive risk.
Credit unions engaged in EPS should establish an appropriate risk management process that identifies, measures, monitors, and limits risks. Management and the board should manage and mitigate the identified risks through effective internal and external audit, physical and logical information security, business continuity planning, vendor management, operational controls, and legal measures.
Risk management practices are typically performed by credit union management and the outcomes are reviewed by and reported to the board of directors or the Supervisory Committee.
Risk management practices specific to EPS should include reports to the board of directors that demonstrate whether the activities remain within board-established risk parameters and are achieving expected financial results. Internal Audit or Supervisory Committee process audits help ensure that a credit union adheres to its risk management limits.
Operational Resumption and Recovery
A credit union’s management team should ensure it has the ability to recover and resume EPS operations. In order to accomplish this, the management team should ensure:
- The business continuity plan addresses EPS systems and business processes;
- Business continuity testing of systems, applications, and processes meets recovery time and recovery point objectives; and
- To the extent possible, contingency plan development and testing is coordinated with members that use EPS and any third parties used to support the EPS.
Last updated September 25, 2017