IP/RDC Review Procedures
- Identify the credit union’s delivery methods and supporting infrastructure:
  - Identify the delivery methods the credit union offers and uses
  - Review the credit union network topology to determine the infrastructure involved with RDC.
  - Review the credit union's data flow or process flow diagram to understand the RDC function, relationship with third-party processor (if applicable), and relationship with RDC client.
- Determine if the board of directors and management developed a formal strategic plan for the implementation of RDC and specific delivery methods.
- Determine if management completed a comprehensive and effective risk assessment of all RDC methods, supporting infrastructure, and operational activities.
- Determine if management developed an effective risk management program based on the results of an effective risk assessment and that the program addresses risk mitigation and fraud monitoring.
- Assess the adequacy of the policies, procedures, and other staff guidance. Determine if they address all facets of IP/RDC operations, internal controls, and processes including, at a minimum:
  - Member qualifications and monitoring
  - Requirements for member agreements
  - Training of staff and members
    - Provide educational materials to members
  - Ongoing monitoring of RDC program by management:
    - MIS reports of volume, activity, and user access
    - System and user transaction limits
  - Ongoing monitoring of RDC members:
    - Frequency and reason for returns
    - Fraud and abuse
    - Detection of duplicates
- Review retention periods for physical checks and image archives, as well as the physical and logical security of archives.
- Determine the adequacy of record management.
- Review IP/RDC-related internal audits performed since the prior exam. Review the status of any audit exceptions and management's response to exceptions.
- Determine the adequacy of management’s oversight of RDC operations.
- Assess the adequacy of business continuity planning, including:
  - Business impact analysis and risk assessment process and results
  - Scope, frequency, and results of BCP testing

FedLine Review Procedures
If a credit union uses FedLine, examiners will also complete the following review steps:
- Evaluate policies and procedures for processing FedLine transactions to determine whether adequate internal controls have been established:
  - Determine if written policies are appropriate for the credit union’s complexity
  - Ensure credit union controls address adequate separation of duties
  - Walk through the procedures with credit union staff to identify any control weaknesses
  - Determine that the credit union follows established written policies and procedures.
- Review physical and technical controls
  - VPN device, FedLine security tokens, and workstation management
  - Anti-virus, personal firewall, network security, and network segregation of FedLine router and workstations.
- Review access and service controls
  - Official authorization list, system limits, user limits, EUAC, management reports, and audit logs
  - Service alerts, dual-control verification, service, and system settings
- Review FedLine reports and screen prints, including but not limited to:
  - Subscribers and Roles Report – Provides a list of the organization’s current subscribers and access levels
  - Event Tracker Report – Provides credential issuance and maintenance activity over a given period of time, and an audit trail of activity that may be used for subscriber research. Examiners should request and review this report for the past 12 months.
  - FedPayments℠ Manager – The "Funds Processing Options" screen can be reviewed to determine the system settings. The credit union will provide screenshots.
  - Application Audit Log – This screen lists any changes to the processing options (Settings, Verification, and E-mail Notification). The credit union will provide screenshots.
- Review operational controls
  - Management oversight and review
  - Independent review (audit)
  - Incident response
  - Business continuity planning and testing

Last updated September 25, 2017