- Evaluate policies and procedures for processing wire transfer transactions to determine whether adequate internal controls have been established:
- Determine if written policies are appropriate for the credit union’s complexity
- Ensure credit union controls address adequate separation of duties between initiators, approvers, and reconcilers
- Ensure credit union maintains documentation of wire requests on approved form(s), which may be electronic
- Walk through the procedure with credit union staff to identify any control weaknesses
- Determine that credit union follows established written policies and procedures. Methods for this include evaluating internal audits, reviewing a sample of wire transfer documents, and interviewing credit union staff.
- Obtain a user report of the wire transfer system to identify authorized users and their roles. The user report can be indicative of a credit union’s overall internal control environment:
- Determine whether the report accurately reflects current user authorizations and access levels by comparing it to employee job titles
- Verify that no user has more than one user ID
- Verify that no terminated employees are listed
- Ensure user permissions are appropriate to employee responsibilities
- Verify each user ID is associated with an individual employee
- Confirm that credit union conducts a risk assessment of wire transfers and acts in accordance with the findings of the assessment.
- Review reports from wire transfer system to identify typical daily transaction volume. Unusual transaction amounts or volumes may reflect fraudulent/erroneous activity or weak controls:
- Determine if user authorization amounts are reasonable
- Determine if transaction volume is reasonable in relation to the credit union’s capital and control environment.
- Review the credit union’s response to any wire transfer issues raised at previous exam or audit. The response to prior exams or audits is a reflection of management’s ability or willingness to correct issues:
- Adequacy and timing of corrective actions
- Resolution of root causes rather than specific issues
- Existence of outstanding issues
- Identify any wire transfer system changes planned for the next 12 months. Poorly planned changes increase a credit union’s overall risk profile.
- Evaluate internal controls to ensure they are appropriate and determine if they have been reviewed by internal audit. While review by an internal audit is not a regulatory requirement, weak internal controls can increase a credit union’s risk of loss due to fraud or employee error.
- Confirm that exit procedures address access to the wire transfer system when a user vacates a position:
- Security tokens, if used, should be properly disposed of by the credit union immediately
- A system administrator should immediately delete employee’s access
- Employees reassigned to duties not associated with wire transfers should have their system access adjusted accordingly.
- Ensure the credit union’s security access procedures include a periodic review of user additions, deletions, access levels, and profile reports.
- Confirm that the credit union maintains a wire transfer log and that procedures outline transfers entered in the log. Compare the credit union’s settlement account statement to the wire log to ensure that all settlement entries appear in the log.
- Confirm that the credit union’s BSA compliance program includes a review of wire transfer activity:
- Determine that incoming, outgoing, and international wires are reviewed as part of the BSA compliance program.
- Determine if the credit union monitors high-risk member activity, specifically with foreign wires.
- For more information about BSA compliance, see the FFIEC BSA/AML Examination Manual.
- Confirm the credit union positively identifies a member who requests a wire transfer. This may be done with a standard authorization form that is signed and stored by the credit union.
- Ensure the credit union has a written agreement with each party that plays a role in processing wire transfers for the credit union:
- Funds transfer agreements are used for written agreements with financial institutions to delineate the terms and conditions of the funding sources.
- Agreements should outline the duties and responsibilities of each party to protect the interests of both parties.
- Agreements should specify the responsibilities of any party that processes wire transfers for the credit union regarding security features, such as passwords, PINs, test keys, and telephone call-back requirements.
- Ensure the credit union has written documentation that authorizes certain employees or officials to request or send wire transfers.
- Determine if the credit union’s continuity planning and disaster recovery information security and technology capabilities are adequate to address the wire transfer system.
- Determine if staff is performing regular reconciliations of the wire transfer activity to the applicable settlement accounts (FRB account or similar statement from a correspondent financial institution). Reconciling frequently (frequency should depend on activity volume) discourages fraud.
- The staff that reconcile the accounts should be different from the staff that send and receive wires.
- Staff should reconcile the account no less than daily.
- Assess the adequacy of business continuity planning, including:
- Business impact analysis and risk assessment process and results
- Scope, frequency, and results of ACH testing
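
The user report and separation-of-duties checks listed above (one user ID per employee, no terminated employees, every ID tied to an individual, initiators, approvers and reconcilers kept separate) can be run mechanically against an exported user list. The following Python is an added example, not part of the examiner's guide; the CSV columns, role labels and sample rows are constructed assumptions and do not reflect the export format of any particular wire transfer system.

```python
import csv
import io
from collections import defaultdict

# Constructed sample data; column names and role labels are assumptions.
USER_REPORT = """user_id,employee_id,roles
WIRE01,1001,initiator
WIRE02,1002,approver
WIRE03,1003,initiator;approver
WIRE04,1004,reconciler
WIRE05,1001,approver
WIRE06,1005,initiator
SHARED1,,initiator
"""
HR_ROSTER = """employee_id,status
1001,active
1002,active
1003,active
1004,active
1005,terminated
"""
# Duties that one person should not combine (separation of duties).
DUTIES = {"initiator", "approver", "reconciler"}

def review_user_report(report_csv, roster_csv):
    """Return sorted (finding, subject) tuples for the user report checks."""
    roster = {r["employee_id"]: r for r in csv.DictReader(io.StringIO(roster_csv))}
    roles_by_employee = defaultdict(set)
    ids_by_employee = defaultdict(list)
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        uid, emp = row["user_id"], row["employee_id"].strip()
        if emp not in roster:  # shared/generic ID or unknown owner
            findings.append(("no_individual_owner", uid))
            continue
        if roster[emp]["status"] != "active":
            findings.append(("terminated_employee", uid))
        ids_by_employee[emp].append(uid)
        roles_by_employee[emp].update(row["roles"].split(";"))
    for emp, uids in ids_by_employee.items():
        if len(uids) > 1:
            findings.append(("multiple_user_ids", emp))
        # Roles are merged across all of a person's IDs before this check.
        if len(roles_by_employee[emp] & DUTIES) > 1:
            findings.append(("duty_conflict", emp))
    return sorted(findings)

if __name__ == "__main__":
    print(*review_user_report(USER_REPORT, HR_ROSTER), sep="\n")
```

Employee 1001 shows why the one-ID-per-user check matters: neither WIRE01 nor WIRE05 combines duties on its own, but together they let one person both initiate and approve a wire.
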
FedLine Review Procedures
If a credit union uses FedLine, examiners will also complete the following review steps:
- Evaluate policies and procedures for processing FedLine transactions to determine whether adequate internal controls have been established:
- Determine if written policies are appropriate for the credit union’s complexity
- Ensure credit union controls address adequate separation of duties
- Walk through the procedures with credit union staff to identify any control weaknesses
- Determine that credit union follows established written policies and procedures.
- Review physical and technical controls
- VPN device, FedLine security tokens, and workstation management
- Anti-virus, personal firewall, network security, and network segregation of FedLine router and workstations.
- Review access and service controls
- Official authorization list, system limits, user limits, End User Authorization Contact (EUAC), management reports, and audit logs
- Service alerts, dual-control verification, service, and system settings
- Review FedLine reports and screen prints, including but not limited to:
- Subscribers and Roles Report – Provides a list of organization’s current subscribers and access levels
- Event Tracker Report – Provides credential issuance and maintenance activity over a given period of time, and an audit trail of activity that may be used for subscriber research. Examiners should request and review this report for the past 12 months.
- FedPayments℠ Manager – The "Funds Processing Options" screen can be reviewed to determine the system settings. The credit union will provide screenshots.
- Application Audit Log – This screen lists any changes to the processing options (Settings, Verification, and E-mail Notification). The credit union will provide screenshots.
 
- Review Operational Controls
- Management oversight and review
- Independent review (audit)
- Incident response
- Business continuity planning and testing
 
Last updated September 25, 2017