People
Clearly defining the roles and responsibilities of each credit union employee with respect to EPS minimizes fraud-related losses, ensures that board-established policies and limits are observed, and provides adequate oversight over this important credit union function. Segregation of duties also protects credit union employees from having sole responsibility for a transaction. Properly trained employees will also mitigate risks.
Board of Directors
A credit union’s board of directors should establish the objectives, risk tolerances, and policies for EPS activities. These elements will be outlined in the credit union’s business plan and EPS policy. The board will determine which EPS activities the credit union will offer and when to expand services. These decisions should take into consideration management’s recommendations, the demands of the credit union’s field of membership, and the credit union’s financial position.
The board and management should manage and mitigate identified risks through an effective system of internal controls including:
- Effective internal and external audit
- Physical and logical information security
- Business continuity planning
- Vendor management
- Operational controls, and
- Legal/compliance measures
The board of directors should oversee management’s execution of the program and review periodic reports to determine whether the activities remain within established parameters and are achieving expected financial results.
Management
A credit union’s management team is responsible for carrying out the board-established business plan, including the EPS policies. The team should be fully capable of managing these activities, carrying out the policies, and adhering to the risk levels established by the board of directors. In order to implement the EPS policies, management is responsible for developing procedures that will govern the day-to-day operations of the EPS program.
At a minimum, these procedures should include:
- Timely posting, balancing, and reconciliation of transactional accounts
- Guidance for adherence to a Customer Identification Program
- Requirements for performing enhanced due diligence on high-risk members and activity
- Logical and physical access controls over internal and external systems
- Provisions for dual controls and separation of duties
- Provisions for user limits and transactional dollar thresholds
- Requirements for exception handling
Management should track and monitor the type and volume of activity made through the EPS. If management does not know the volume and amount of transactions flowing through each EPS (ACH, wire transfers, ATMs, debit cards, etc.), this reflects a lack of oversight and should be considered a red flag. Management should generate reports documenting the performance of each electronic payment system and submit them to the board on a regular basis.
Member Service Representatives and Tellers
These front-line employees interact directly with members and play an important role in ensuring that the EPS functions efficiently and correctly. All staff should receive adequate training both in the EPS activities offered by the credit union and in proper security procedures.
Accounting Staff
A credit union’s accounting staff will reconcile all EPS-related accounts on a daily basis. At larger credit unions, there may be an independent accounting department; at smaller credit unions, there may be just one staff member performing this function. This is a critical function in that it tracks the amount of systems-related transactions, which can impact the credit union’s financial position. These reconciliations may also uncover fraudulent activity or theft. Any irregularities should be reported immediately to the appropriate management or officials; in turn, management may report them to the board of directors or Supervisory Committee.
Information Security and Technology Department
A credit union’s information security and technology department will transmit ACH files to and from the Federal Reserve or a corporate credit union. This department will administer the security of all EPS and member data and will set up system users (credit union employees), as requested by management.
EPS Departments
Credit unions may have independent departments that input and verify EPS transmissions. A wire department may be established exclusively to process wire transmissions; an ACH department may process ACH files, including exception files, returns, and notifications of change. Likewise, an item processing department may process on-us and inter-bank checks and returns. These departments will receive transfer requests from the member service representatives and tellers and input them into the appropriate system (for example, FedLine, ACH, or corporate credit union system).
Dual Control and Segregation of Duties
Maintaining appropriate dual control and segregation of duties over EPS processes is important to ensure no single person has control over the entire process end-to-end. For example, ACH Origination files should be processed and approved by separate individuals. Likewise, every wire system should be set up to require at least two separate participants in a wire transfer:
- The person who inputs or requests the transfer
- The person who verifies and sends the transfer
When a credit union uses the Federal Reserve systems, the EUAC is responsible for assuring the credit union’s wire transfer system and procedures require dual control. Ideally, the EUAC should not have processing capabilities.
Smaller credit unions may not have individual departments devoted to these functions and may have staff members perform more than one function related to EPS. In these cases, the credit union should have sufficient management oversight and controls in place to ensure adequate segregation of duties.
Clearly defining the roles and responsibilities of each credit union employee or director with respect to EPS minimizes fraud-related losses, ensures that board-established policies and limits are observed, and provides adequate oversight over this important credit union function. Segregation of duties also protects credit union employees from having sole responsibility for a transaction.
Last updated September 25, 2017