Wire Transfer Basics

Presented by Jessica Noll, AAP Auditor/Trainer

Questions

Handouts

Audio

Presented by:

Jessica Noll, AAP Auditor/Trainer

PAR/WACHA-The Premier Payments Resource

jnoll@wacha.org

2018

•  WACHA, through its Direct Membership in NACHA, is a specially recognized and licensed provider of ACH education, publications and support.

•  Regional Payments Associations are directly engaged in the NACHA rulemaking process and Accredited ACH Professional (AAP) program.

•  NACHA owns the copyright for the NACHA Operating Rules & Guidelines. •  The Accredited ACH Professional (AAP) is a service mark of NACHA. •  This material is derived from collaborative work product developed by NACHA ─ The

Electronic Payments Association and its member Regional Payments Associations, and is not intended to provide any warranties or legal advice, and is intended for educational purposes only.

•  This material is not intended to provide any warranties or legal advice, and is intended for educational purposes only.

•  This document could include technical inaccuracies or typographical errors and individual users are responsible for verifying any information contained herein.

•  No part of this material may be used without the prior written permission of WACHA/PAR © 2018 PAR/WACHA All rights reserved

Disclaimer

� Key Definitions �  Types of Networks � Rules and Regulations � Risk � Management Tools and Policies �  Internal Controls � Corporate Account Takeover

Agenda

� Provides Payments Professionals with the fundamentals of wire transfer payments and how they differ from other payment systems

�  Illustrate key definitions, types of wire transfer networks, and wire transfer rules and regulations

� Risk/Fraud Awareness

� How to establish strong Internal and External controls

Objectives

•  Wire transfer – The electronic transfer of money from one person to another from one Bank or Credit Union to another

•  Drawdown – Message requesting receiving financial institution to debit an account & wire funds to sender of the message. AKA – “reverse wire transfer”, “debit transfer” or “request for funds”. Term comes from “drawing down” balance in correspondent account

�  Repetitive wire transfer – Transfer where the information and payment instruction do not change

Key Definitions

�  Non-repetitive wire – Transfer where any information can be changed �  Correspondent Bank – A Financial Institution that provides services on behalf of another

Financial Intuition. �  Routing number/ABA – A nine digit code that’s based on the US Bank location where

an account was opened. �  Corporate Account Takeover- Business identity theft in which a criminal steals a

business’s online banking credentials.

Key Definitions

�  Higher dollar transfers compared to other payment types (checks or ACH) �  Credit push model �  Safe (assuming money isn’t going to a thief) �  Fast/same day settlement for domestic transfers �  Risk:

� Higher dollar loss �  Irrevocable �  Instant

�  Higher processing fee

Wire Transfer Key Characteristics

Wire Transfer Process Flow

Sender

Sending FI

Correspondent FI

Federal Reserve

Receiver

Receiving FI

�  Operated by the Federal Reserve System �  Move funds between FRB member banks �  Real-time, gross settlement system. �  Transfers are irrevocable when received from FRB

FedWire®

�  Clearing House Interbank Payments System �  Operated by The Clearing House �  Governed by UCC 4A �  Differs from Fedwires �  Only has 47 Member participants

CHIPS®

�  Society for Worldwide Interbank Financial Telecommunication �  International messaging system �  Enables FI’s to send and receive information about Financial transactions �  Funds settle through correspondent accounts

SWIFT®

�  Regulation J Subpart B �  Regulation S �  UCC4A �  Regulation E �  Regulation CC �  FFIEC Guidance

Rules and Regulations

�  Federal Reserve Board Payment System Risk Policy (PSR) �  OCC Banking Circular 235 �  Office of Foreign Asset Control (OFAC)

Rules and Regulations

�  Legal relationship between Financial Institution and Federal Reserve Bank �  Does not cover the relationship between FI and account holder �  Incorporates a version of New York UCC4A

FRB Regulation J - Subpart B

�  Also referred to as BSA �  Requires US Financial Institutions to assist US Government Agencies to detect & prevent

money laundering. �  Recordkeeping requirements for Wires $3,000.00 or more �  Recordkeeping requirements for non established customers �  Retrievability

Bank Secrecy Act

�  State law � New York was one of first states to pass �  Local state law by contract

Uniform Commercial Code Article 4A

�  Wholesale electronic funds transfers �  Specifically excludes:

�  Items covered by Regulation E (consumer transfers) �  Exception: Foreign Remittances added as part of Dodd-Frank effective

February 7, 2013 � Debit transfers

�  Regulation E excludes transfers sent thru Fedwire® or similar networks

UCC4A Key Points

� UCC4A-105 - “funds transfer day” �  Example: If payment order is received after the institution’s cutoff,

institution may hold until the next funds transfer day to execute �  Written Agreement �  Some items cannot be varied by contract � UCC4A – 404 Notice for Credits of Incoming Transfer � UCC4A – 209 Definitions of “Acceptance” � UCC4A – 201 “Commercially Reasonable Security Measures” � UCC4A – 207 Can rely on account number # alone to post

� Unless determine that there is a discrepancy between name and acct #

� If name & account number mismatch is known, cannot accept payment order

UCC4A Key Points

Regulation E Remittance Transfer Rules � New Subpart B to Regulation E �  Section 919 of the EFTA:

� Requires disclosure of certain information prior to and at the time of the transfer � Creates new consumer protections, including the right to cancel a transfer and the

right to a refund in certain circumstances � Establishes a new error resolution scheme to which remittance transfer providers

must adhere � Establishes standards of liability for remittance transfer providers and their agents

� Consumer protection � Comparison shopping �  Transparency and certainty of costs

Dodd Frank 1073 International Remittance Rule

�  Impacts � Any consumer request to send funds to a recipient outside of the United States � Recipient can be a consumer or business � Wire transfer, international ACH, and bill payment

�  30 minutes to rescind request � Applies to remittance transfers

�  More than $15 �  Made by a consumer in the US �  Sent to a person or company in foreign country �  Exemption for FIs that send less than 100 remittances a year

Regulation E & Foreign Remittances

� Pre-payment disclosure �  Transfer amount in currency use to fund request �  Institution fees �  Transfer amount � Exchange rate � All other fees and taxes, i.e. correspondents and foreign taxes �  Total amount RECEIVED by the recipient � Must be provided to the consumer before they agree to the transaction

Regulation E & Foreign Remittances

� Receipt disclosure: � All the information from Pre-payment disclosure � Date the funds will be available to the recipient � Name of recipient (and contact if available) � Consumers error resolution rights � Contact information of the financial institution � Statement that consumer may contact state agency that licenses the financial

institution and CFPB �  The consumer has at least 2 receipts/disclosures �  Error Resolution

� Consumer has 180 days to notify FI of an “error” �  Such as receiver never received funds, or wrong amount

Regulation E & Foreign Remittances

�  Fedwire® funds transfers are subject to funds availability provisions and to Bank Secrecy Act requirements

Regulation CC

�  States Institutions should rely on “layered security approaches � Not all transactions have the same risk � Requires Institutions to implement solutions to:

� Detect and respond to suspicious activity � Have better control of administrative functions

FFIEC Guidance

�  Commonly referred to as “Daylight Overdraft” �  Requires FI to evaluate and continually monitor several factors

� Credit worthiness of “significant” customers � Own credit worthiness � Own credit and operational policies

�  FI may have a “Daylight Overdraft limit” �  Federal Reserve monitors FIs in real-time and may require pre-funding

FRB Payment System Risk Policy

�  Addresses payment systems risks �  Covers risks associated with different systems �  Outlines policies and controls that senior management implement

OCC Banking Circular 235

�  Commonly known as OFAC �  Controls assets of certain foreign countries and designated individuals �  Each country or individual is “authorized” by a Federal law �  Countries/individuals can be added or deleted �  Penalties include prison and fines �  List is referred to as the “SDN” and changes frequently

Office of Foreign Assets Control

�  Financial Institution requirements � Block and hold funds transfers until OFAC authorizes release � Review originated or received fund transfers to ensure funds are not transferred into

or out of accounts of a listed entity �  Incoming transfers for a flagged SDN account must be frozen and the FI contact

OFAC � OFAC considers any transfer made in violation of OFAC regulations null and void

� General info, contacts and latest SDN list https://www.treasury.gov/resource-center/sanctions/Pages/default.aspx

Office of Foreign Assets Control

�  Credit �  Operational �  Fraud �  Systemic �  Sovereign �  Technology/3rd Party �  Reputational

Types of Risk

�  “Good funds” �  Available at time of transfer, �  End of day, or �  When settlement is attempted

� Risk Mitigation � Credit review and approval policies and procedures �  Identify sender and validity of instructions � Funds held or debited prior to sending outgoing wire transfer (collected funds

ONLY)

Credit Risks

� Hardware/Software or Telecommunications Failure � Human Error �  Limited/Untrained Staff � Disaster � Risk Mitigation

� Disaster recovery plan that is unique to wire transfer area �  Expand beyond disaster recovery to include business resumption �  Include users (external & internal)

� Staff training, cross training and backup systems

Operating Risks

�  Internal Fraud �  FI Employees �  3rd Party Processors

� External Fraud �  Company Employees �  3rd Party Processors �  Interlopers/hackers �  Key loggers �  Customer Impersonation �  Social Engineering

Fraud Risks

� Risk Mitigation

� “Know Your Customers”

� Formal contracts

� “Commercially Reasonable Security Procedures”

� Call-backs, digital signatures, dual controls, test keys, tokens, out of band authentication, biometrics

� Need to know limits

Fraud Risks

�  Risk to the system/network that one financial institution’s inability to settle its position will cause other financial institutions to fail to settle

�  Risk Mitigation �  Federal Reserve’s Payment System Risk Policy (Daylight Overdraft) was

developed to prevent this from occurring. Requires FI to monitor both its Fed position and customer’s position

Systemic Risk

�  Risk that a sovereign government or other political entity will take some action to prevent or alter the settlement of transfers

�  Often referred to as “Political” risk

Sovereign Risk

� Risks that occur from use of technology or a third party processor � Presents multiple types of risk � Has the third-party identified all the appropriate risks, designed and implemented

adequate controls to prevent loss? If not, FI bears risks for this “lacking” element of risk management � FIs should have contracts/agreements in place with correspondent FIs and service

providers that outline what controls are implemented and 3rd party’s responsibility for any errors or losses

� FIs should evaluate the controls employed and ask for additional controls to be implemented (if appropriate) or add compensating controls such as procedures or manual controls

� FI should request certification of audits conducted by technology providers to ensure compliance with legal and regulatory requirements

Technology/3rd Party Risk

�  The risk that a loss or problem is communicated to the general public resulting in negative press and a loss of business

� Risk Mitigation � Have a PR plan prepared in the event that a significant loss occurs � Should include internal communications, and external press releases, contact

information, and ongoing mitigation strategies

Reputational Risk

�  Personnel Management Policies � Reassign personnel who have given notice � Randomly rotate personnel � Utilize dual controls at all levels

�  Recognize that for small business or FIs it may be difficult � Hire staff for funds transfers operations with a proven history with organization (not

new hires) � Adequate Training and Written Documentation � Pre employment Screenings (drug, credit, and police check) � “Time Away” Policy

Risk Management Tools

� Use of Repetitive Wire Transfers �  Since most of the critical information in the payment order is “static”, risk is

reduced (operational errors, fraud, etc) �  Key control is how are repetitive wires updated/changed.

�  Limit non-repetitive wire transfers �  Verify key data elements (amount, beneficiary and bank info) �  Wire Requests by Phone/Fax ?

�  Wire transfers requests should not be processed relying solely on an email request (stronger customer verification is needed)

� Wire Request Forms

Risk Management Tools

� Wire Transfer Policy � Approved by the Board annually, or when there are significant

changes in the wire process, systems, etc. � Wire Transfer Policy should address � Wire software used � Types of wires (domestic vs. international, customer vs. non-

customer) � Use of security procedures & customer agreements � Approval of an administrator and � Wire limits

� Dual Control � Rekey of wire dollar amount � Transaction limits

Internal Controls

� Customer Agreements. � Written agreements with repeat wire customers (usually for wires initiated by phone or fax, not “in person” requests)

� Agreements should: � Describe the security procedures to be followed when verifying the authenticity of a wire request

� Include waivers from the customer if they opt-out of the security procedures. (written and signed by customer)

� Established cut-off times for receiving, transmitting, amending and cancelling wire transfer requests

� Individuals authorized to request wire transfers and any wire limits established

� Defined methods by which a wire transfer request can be initiated (phone, fax, online banking)

Internal Controls

Customer Agreements.Wri;en agreements with repeat wire customers (usually for wires initiated by phone or fax, not “in person” requests)Agreements should:

Describe the security procedures to be followed when verifying the authenticity of a wire requestInclude waivers from the customer if they opt-out of the security procedures. (wri;en and signed by customer)Established cut-off times for receiving, transmi;ing, amending and cancelling wire transfer requestsIndividuals authorized to request wire transfers and any wire limits establishedDefined methods by which a wire transfer request can be initiated (phone,

fax, online banking)

�  Security procedures � Daily Reconciliation by wire operations staff �  Independent Reconciliation (segregation of duties)

� Wire administrator should not have wire create or verify capabilities � Due from account used for wire settlement should be reconciled by someone

independent of wire operations �  May be difficult for some institutions due to limited staff.

�  Supervisory review of reconcilements of funds transfer activity on a regular basis

Internal Controls

� Corporate account takeover is a type of business identity theft in which a criminal entity steals a business’s valid online banking credentials which usually results in a fraudulent wire/ACH

� How does it work� Malicious document a;ached to an email� Links within an email to an infected website� Employee(s) visiting legitimate website download infected/malicious files�  Introduction of other devices (flash drives)

Corporate Account Takeover

� Who are the players � Organized criminals (often overseas) � Commercial Customers (usually a small business) � Financial Institutions � Money Mules � What is a Money Mule

�  Money Mules receive funds in their bank account

�  They then forward the funds to another account (usually overseas) �  They keep a small portion of funds as payment

�  Money Mules typically only receive between $5K-$10K to transfer, so their fee is often small

Corporate Account Takeover

�  Financial Institution Employee receives email from supposed account holder requesting account balances for all accounts owned

�  Employee provides account balances via email �  Supposed account holder request a wire transfer to be completed and includes wire

transfer instructions �  Financial Institution completes wire transfer without further verification from account

holder (call back to phone number on file) �  Financial Institution learns of the Wire is fraudulent after it has been sent and suffers a

loss for not following policy or security procedures.

Lessons Learned

�  Small Business Secretary receives an email from one of the owners of the Company she works for.

�  The email requests her to contact their Financial Institution to do a wire transfer which includes the Wire transfer instructions and what ledger account to charge the Wire transfer expense to.

�  Secretary contacts the FI and requests the wire transfer via phone but because she is not a signer the FI will need signature verification from one of the owners of the Company.

�  FI faxes the Wire request to the Secretary and she obtains the signature of the owner who is a signer on the account but did not initially request the transfer.

Lessons Learned

� Wire Transfer is faxed back to the FI and they verify the legitimacy of the Signature verification and process the Wire Transfers

� Wire Transfer email request is found to be fraudulent by the Company and the Company is at a loss for not following internal controls.

Lessons Learned

Questions

•  UCC4A www.law.cornell.edu/lii.html

•  FFIEC authentication guidance issued June 28, 2011 www.ffiec.gov

•  OFAC https://www.treasury.gov/resource-center/sanctions/Pages/default.aspx

Resources

Wire Transfer Basics

This session is worth 1.8 credits (Keep this for your records)

AAP Continuing Education Credits

� WACHA- The Premier Payments Resource � PAR- Payment Advisory Resource

HELP DESK � Phone: 262-345-1245 �  Toll Free: 800-453-1843 � Fax: 262-345-1246 �  info@wacha.org

Resources

Jessica Noll, AAP

jnoll@wacha.org

Upcoming WACHA events with CBANC Education: Tax Refunds

Regulation E Disputes Government Payments Overview

Wed 2/7 at 1pm CT/2pm ET Thurs 2/15 at 1pm CT/2pm ET Wed 2/21 at 1pm CT/2pm ET