Advanced Enterprise Risk Management

Transcript of Advanced Enterprise Risk Management

Page 1: Advanced Enterprise Risk Management

The Payments Institute, July 21-24, 2019 • Emory University, Atlanta GA

Advanced Enterprise Risk Management

July 22, 2019, 12:45 pm – 2:45 pm

Beth Cronenweth, AAP, CCM
Huntington Bank
Group Product Manager

Page 2: Advanced Enterprise Risk Management

Risk Management

The International Organization for Standardization (ISO) identifies the following principles of risk management*:

Risk management should:

• create value – resources expended to mitigate risk should be less than the consequence of inaction
• be an integral part of organizational processes
• be part of the decision making process
• explicitly address uncertainty and assumptions
• be a systematic and structured process
• be based on the best available information
• be tailorable
• take human factors into account
• be transparent and inclusive
• be dynamic, iterative and responsive to change
• be capable of continual improvement and enhancement
• be continually or periodically re-assessed

* "Committee Draft of ISO 31000 Risk management", International Organization for Standardization, 2007-06-15.

Page 3: Advanced Enterprise Risk Management

Enterprise Risk Management (ERM) Program

American Bankers Association: “Demystifying Enterprise Risk Management”

Elements of the ERM program diagram:

• Identify inherent risks
• Identify changing risks
• Understand your current risk control vulnerabilities
• Assess risk in new products, services
• Identify business processes & improvement opportunities
• Establish risk philosophy, culture and attitude
• Risk Appetite

Page 4: Advanced Enterprise Risk Management

Inherent Risk

The probability of loss arising out of circumstances or existing in an environment, in the absence of any action to control or modify the circumstances.

Page 5: Advanced Enterprise Risk Management

Inherent Risk

Page 6: Advanced Enterprise Risk Management

Inherent Risks in Payments

• Wire Transfer
• ACH
• Remote Deposit Capture

Page 7: Advanced Enterprise Risk Management

Controls

A device for regulating and guiding.

Page 8: Advanced Enterprise Risk Management

Controls

Page 9: Advanced Enterprise Risk Management

Internal Controls

• Internal Controls are operating practices or activities that are established to provide reasonable assurance that specific objectives will be achieved:
  – Compliance with applicable policies, procedures, laws, regulations and contracts;
  – Reliability and integrity of information;
  – Economic and efficient use of resources; and
  – Safeguarding of assets.
• Preventative, Detective
• Why are they important?

Page 10: Advanced Enterprise Risk Management

Directive Controls

Policies and procedures

Laws and regulations

Training seminars

Job descriptions

Meetings

Designed to establish desired outcomes

Page 11: Advanced Enterprise Risk Management

Preventative Controls

Locking office door

Physical control over assets

Using passwords

Policies and Procedures

Segregation of duties

Designed to keep errors or irregularities from occurring.

Page 12: Advanced Enterprise Risk Management

Detective Controls

Reconciliations

Exception reports

Physical counts of inventories

Testing & Monitoring

Reviews and comparisons

Designed to detect errors or irregularities that may have occurred.

Page 13: Advanced Enterprise Risk Management

Residual Risk

Residual risk is the threat that remains after all efforts to identify and eliminate risk have been made.

Page 14: Advanced Enterprise Risk Management

Residual Risk

Page 15: Advanced Enterprise Risk Management

Residual Risk in Payments

• Wire Transfer
• ACH
• Remote Deposit Capture

Page 16: Advanced Enterprise Risk Management

Three Lines of Defense - Why?

• In 2013, the Institute of Internal Auditors (IIA) released a position paper stating that the “Three Lines of Defense” model provides a simple and effective way to enhance communications on risk management and control by clarifying roles and duties.*
• Easier to handle significant risk events
• Financial institutions are receiving higher scrutiny from regulators.

* IIA Position Paper: The Three Lines of Defense in Effective Risk Management and Control, January 2013

Page 17: Advanced Enterprise Risk Management

Ongoing Interaction Among the LOD

Page 18: Advanced Enterprise Risk Management

Pillars of Risk

• Credit
• Compliance
• Legal
• Liquidity
• Market
• Operational
• Reputational
• Strategic

Page 19: Advanced Enterprise Risk Management

Credit Risk

Credit risk is the risk of loss of principal or loss of a financial reward stemming from a borrower's failure to repay a loan or otherwise meet a contractual obligation.

http://www.investopedia.com

Page 20: Advanced Enterprise Risk Management

Compliance Risk

Compliance risk is exposure to legal penalties, financial forfeiture and material loss an organization faces when it fails to act in accordance with industry laws and regulations, internal policies or prescribed best practices.

http://searchcompliance.techtarget.com

Page 21: Advanced Enterprise Risk Management

Legal Risk

Legal risk is the risk of loss because of the unexpected application of a law or regulation or because a contract or other right cannot be enforced.

http://www.assetman.net

Page 22: Advanced Enterprise Risk Management

Liquidity Risk

Liquidity risk is the risk that a company or bank may be unable to meet short term financial demands.

www.investinganswers.com/financial-dictionary

Page 23: Advanced Enterprise Risk Management

Market Risk

Market risk is the risk that the value of an investment will decrease due to moves in market factors.

www.hedgefund-index.com

Page 24: Advanced Enterprise Risk Management

Operational Risk

Operational risk is the prospect of loss resulting from inadequate or failed procedures, systems or policies.

http://searchcompliance.techtarget.com

Page 25: Advanced Enterprise Risk Management

Reputational Risk

Reputational risk is the risk that a company will lose potential business because its character or quality has been called into question.

www.businessdictionary.com

Page 26: Advanced Enterprise Risk Management

Strategic Risk

Strategic risk is the possible source of loss that might arise from the pursuit of an unsuccessful business plan.

www.businessdictionary.com

Page 27: Advanced Enterprise Risk Management

Risk and Control Self-Assessment (RCSA)

• One of the most effective tools in the Risk Management arsenal.
• When applied effectively it will add value to your entire organization and improve the way it does business.
• Typically done on a quarterly basis.

Global Risk Consult

Page 28: Advanced Enterprise Risk Management

RCSA – Assessing Risks

Inherent Risks as well as Residual Risks need to be assessed and rated as High, Moderate or Low.

• Inherent Risk is the risk that exists in the process.

– Effectiveness of controls is not taken into consideration for arriving at Inherent Risks.

• Residual Risk is the risk that still exists after having business controls in place.

Page 29: Advanced Enterprise Risk Management

RCSA – Control Effectiveness

What risks do we have?

What controls do we have to mitigate these risks?

Have the controls been implemented?

If implemented, have the controls been effective?

If not effective or not implemented, decide the response action.

Page 30: Advanced Enterprise Risk Management

New Product Risk Assessments

The OCC expects bank management and the board to oversee all new, expanded, or modified products and services through an effective risk management process.

OCC BULLETIN 2004-20

Page 31: Advanced Enterprise Risk Management

New Product Risk Assessment

• A tool to assess how the risks associated with the new, expanded, or modified product or service fit with the bank's business strategy and risk profile.
• Before deciding to introduce a new, expanded, or modified product or service, banks must perform due diligence so that management understands the impact.

Page 32: Advanced Enterprise Risk Management

New Product Risk Assessment

The due diligence process should include:

• Assessing how the risks associated with the new, expanded, or modified product or service fit with the bank's business strategy and risk profile.
• Consulting with relevant functional areas, such as credit, compliance, accounting, audit, risk management, legal, operations, information technology, and marketing to determine risks, concerns, and necessary controls.
• Determining requirements for complying with laws, regulations, and regulatory guidance.
• Determining the expertise needed to effectively manage the product or service, including the possible need to acquire additional expertise.
• Researching the background, experience, and reliability of relevant third parties.
• Developing a business and financial plan for the product or service that assesses the bank's competitive position and establishes objectives and strategies for how the product or service will be brought to market.
• Developing viable alternatives, including an exit strategy in the event the product or service fails to perform as expected.

OCC BULLETIN 2004-20

Page 33: Advanced Enterprise Risk Management

Third Party Payment Processors

• Third party payment processors (TPPP) introduce a unique level of risk to banks.
• Third party payment processors are bank customers that provide payment processing services to merchants and other business entities.¹

¹ http://www.ffiec.gov

Page 34: Advanced Enterprise Risk Management

Third Party Payment Processors

Risk Factors

• TPPPs generally are not subject to BSA/AML regulatory requirements. As a result, some processors may be vulnerable to money laundering, identity theft, fraud schemes, or other illicit transactions, including those prohibited by OFAC.
• BSA/AML risks are similar to risks from other activities in which the bank’s customer conducts transactions through the bank on behalf of the customer’s clients. When the bank is unable to identify and understand the nature and source of the transactions processed through an account, the risks to the bank and the likelihood of suspicious activity can increase.
• While TPPPs generally effect legitimate payment transactions for reputable merchants, the risk profile of such entities can vary significantly depending on the make-up of their customer base.

http://www.ffiec.gov

Page 35: Advanced Enterprise Risk Management

Third Party Payment Processors

Risks

• Heightened risk of returns
• Use of services by higher-risk merchants
• Money laundering
• Fraud
• Inadequate due diligence processes by TPPP

Page 36: Advanced Enterprise Risk Management

Third Party Risk Management

Banks offering services to TPPPs should develop a comprehensive risk management program to address the unique attributes of Third Party Payment Processors, including evaluation of the TPPP’s clients (KYCC).

ALWAYS monitor periodically for changes!

Page 37: Advanced Enterprise Risk Management

Third Party Risk Management

A bank may assess the risks associated with payment processors by considering the following:

• Implementing a policy that requires an initial background check of the processor (using, for example, the Federal Trade Commission Web site, Better Business Bureau, Nationwide Multi-State Licensing System & Registry (NMLS), NACHA, state incorporation departments, Internet searches, and other investigative processes), its principal owners, and of the processor's underlying merchants, on a risk-adjusted basis in order to verify their creditworthiness and general business practices.
• Reviewing the processor's promotional materials, including its Web site, to determine the target clientele. A bank may develop policies, procedures, and processes that restrict the types of entities for which it allows processing services. These restrictions should be clearly communicated to the processor at account opening.

http://www.ffiec.gov

Page 38: Advanced Enterprise Risk Management

Third Party Risk Management (cont.)

• Determining whether the processor re-sells its services to a third party who may be referred to as an "agent or provider of Independent Sales Organization (ISO) opportunities" or "gateway" arrangements.*
• Reviewing the processor’s policies, procedures, and processes to determine the adequacy of its due diligence standards for new merchants.
• Requiring the processor to identify its major customers by providing information such as the merchant's name, principal business activity, geographic location, and transaction volume.

* Gateway arrangements are similar to an Internet service provider with excess computer storage capacity that sells its capacity to a third party that would then distribute computer services to various other individuals unknown to the provider. The third party would be making decisions about who would be receiving the service, although the provider would be providing the ultimate storage capacity. Thus, the provider bears all of the risks while receiving a smaller profit.

http://www.ffiec.gov

Page 39: Advanced Enterprise Risk Management

Third Party Risk Management (cont.)

• Verifying directly, or through the processor, that the merchant is operating a legitimate business by comparing the merchant's identifying information against public record databases, and fraud and bank check databases.
• Reviewing corporate documentation including independent reporting services and, if applicable, documentation on principal owners.
• Visiting the processor’s business operations center.
• Reviewing appropriate databases to ensure that the processor and its principal owners and operators have not been subject to law enforcement actions.

http://www.ffiec.gov

Page 40: Advanced Enterprise Risk Management

Activities/Discussion

• Focusing on one payment product, analyze inherent risk, controls, and residual risk utilizing the risk pillars discussed.

• Where do you see the greatest challenges for your institution in managing risk?

Page 41: Advanced Enterprise Risk Management

The Payments Institute, July 21-24, 2019 • Emory University, Atlanta GA

Beth Cronenweth, AAP, CCM
SVP, Group Product Manager

[email protected]

Questions?