ELECTRONIC FUND TRANSFERS POLICY
General Policy Statement:
Essex County Teachers Federal Credit Union (ECTFCU) utilizes electronic fund transfer services (EFT) to manage cash resources. Specifically, ECTFCU uses Vizo Financial Credit Union (Vizo), which in turn uses the FedWire FEDLINE system, to transfer funds related to its own operations and to transfer funds on behalf of its members. ECTFCU also provides other electronic services to members, such as automatic teller machines and debit cards.
The purpose of this policy is to ensure quality internal controls and minimize the inherent risks associated with various EFT systems. Systems covered under this policy include any transfer of funds initiated through an electronic terminal, telephonic instrument, computer, or magnetic tape that orders, instructs, or authorizes ECTFCU or any other financial institution to debit or credit an account. Excluded are transfers effected by ACH (Automated Clearing House) transactions, which are covered by a separate policy. The Board will periodically assess the risks associated with EFT and will update this policy at least annually.
Guidelines:
(1) EFT SYSTEMS. ECTFCU utilizes the following EFT systems:
(A) FEDLINE. The FedWire FEDLINE system allows ECTFCU to transfer funds from its Vizo account to any other depository institution. Likewise, ECTFCU may receive funds from sending depository institutions. Under the operating rules of FedWire, each transfer is final and irrevocable when the receiving depository institution is notified of the transfer.
(B) Retail Systems. ECTFCU offers the following electronic services to members:
(i) Automated Teller Machines.
(ii) Debit/Point of Sale cards.
(2) EFT RISK ASSESSMENT.
(A) Credit Risk.
(i) Receiver Risk. Receiver risk arises from the possibility that a sending institution will not honor a transfer. ECTFCU eliminates receiver risk by avoiding revocable transfers. Under the FedWire system all payments are final and irrevocable.
(ii) Sender Risk. ECTFCU assumes sender risk whenever it makes an irrevocable payment on behalf of a member through extension of credit. ECTFCU minimizes this risk by:
1) Monitoring loans and any payments against uncollected funds or insufficient balances; and
2) Initiating effective collection procedures where necessary.
(B) Settlement Risk. Settlement risk arises from the possibility that one participant in the payment system may be unable to honor its obligations at time of settlement, which in turn deprives other participants, including ECTFCU, of expected funds. Like receiver risk, settlement risk is minimized by only initiating and receiving irrevocable transfers.
(C) Systemic Risk. The Board acknowledges that EFT systems may expose ECTFCU to systemic risk arising from the failure of one participant to honor settlement. However, ECTFCU has determined that these risk levels are within ECTFCU's risk tolerance.
(D) Legal Risk and Sovereign Risk. The Board recognizes that ECTFCU is exposed to a certain degree of legal risk since there is no binding system of international commercial law for electronic payments. ECTFCU minimizes this risk by not participating in international transactions. In addition, by limiting transactions to the United States, ECTFCU effectively eliminates sovereign risk resulting from adverse foreign government action.
(E) Operational Risk. Operational risk is ECTFCU's most significant source of EFT risk exposure. The Board delegates responsibility to management for developing adequate procedures that reduce operational risk to acceptable levels. Such procedures shall provide for physical security, data security, systems testing, contingency planning, segregation of duties, and adequate backup.
(3) IDENTIFICATION AND CONTROL OF OPERATIONAL RISKS. ECTFCU has identified three areas of operational risk:
(A) System Failure. The risk that hardware or software will malfunction due to design defects, insufficient capacity, or mechanical breakdown. ECTFCU controls this risk by periodically evaluating the systems design and capacity.
(B) System Disruption. The risk that the EFT system is unable to process transactions due to system failure, natural disasters, fires, terrorists, or any other reason that could cause ECTFCU operations to cease. ECTFCU minimizes this risk through contingency planning. In the event of system failure, fund transfers will be made through alternate means. In the event of a disaster, fire, or terrorist attack, sensitive information will be adequately secured whenever possible.
(C) System Compromise. The risk of improper transfers due to error, fraud, or malicious acts, including the risk that records will be damaged or that funds will be diverted, altered, or manipulated. ECTFCU controls this risk through the development and implementation of internal controls.
(4) INTERNAL CONTROLS. The Board delegates to management the responsibility for developing, implementing, reviewing, updating, and periodically testing internal controls. Internal controls should include procedures written in accordance with the following guidelines.
(A) Personnel Procedures.
(i) ECTFCU will run reference checks on all personnel hired for sensitive positions in the wire transfer area. In addition, employees in sensitive positions are required to submit periodic statements of indebtedness.
(ii) ECTFCU will develop and implement a training program designed to ensure accurate performance of wire transfer activities and a thorough understanding of the necessity for internal controls. The program will also train employees to identify and report possible schemes to defraud.
(iii) Supervisors will afford special attention to new employees assigned to work in the wire transfer function to ensure proper training and compliance with Credit Union procedures and policies. As a general rule, new employees are prohibited from working in sensitive areas of the wire transfer function.
(iv) ECTFCU will inform employees that their responsibilities could be rotated at any time without prior notice.
(v) ECTFCU will immediately reassign employees from sensitive areas of the wire transfer function upon receiving notice of resignation or upon giving notice of termination.
(B) Operating Procedures.
(i) Separation of Duties.
1) The receipt, data entry, and authentication functions will be segregated to the extent possible.
2) The function of determining the propriety of transactions will be performed by someone who does NOT receive orders and requests.
3) The function of reviewing rejects and exceptions is performed by someone who does NOT perform the receipt, preparation, or transmittal functions.
4) Investigations of failed payments are conducted by someone independent of the operating unit.
(ii) Security.
1) Access to the Wire Transfer System.
a) Passwords. ECTFCU restricts access to sensitive functions through password protection. Passwords are frequently changed to ensure integrity.
b) Time-of-Day Controls. Wires can only be performed during Vizo’s hours of operation.
c) Dual Operation. At least two authorized employees must enter and approve every wire transfer.
(iii) Records. The wire transfer area will maintain current records and retain them for at least five years. Records include:
1) List of authorized signatures and amounts for member transfers.
2) List of officers authorized to initiate transfers relating to Credit Union investments and any limits or restrictions.
3) Advices, requests, or instructions involving transfers over $10,000. Member funds transfer requests will contain:
a) Amount if funds are to be paid;
b) Name of member making request;
c) Date;
d) Evidence of authentication;
e) Paying instructions; and
f) Authorizing signatures.
(iv) Order Control. All incoming and outgoing wire advices and requests will be:
1) Filed appropriately;
2) Examined for signature authenticity; and
3) Reviewed to determine whether persons initiating transfer requests have proper authority.
(v) End-of-Day Controls. The following will be accounted for in an end-of-day proof to ensure that all requests have been processed:
1) All payment orders and message requests.
2) Daily reconcilement of funds sent and received.
(vi) Supervisory Review. A supervisor will review:
1) All transactions prior to release of payments;
2) Daily reconcilement of funds transfer and message request activity; and
3) Adjustments, open items, and reversals.
(5) MANAGEMENT REVIEW.
(A) Reports. Management will regularly review the following reports and promptly report significant matters to the Board.
(i) Large overdrafts and drawings against uncollected funds;
(ii) Payment activity for daylight overdrafts;
(iii) List of suspense accounts;
(iv) Income and expenses relating to wire transfer operations; and
(v) Other reports as directed by the Board.
(B) Monitoring. Management will regularly review:
(i) Staff and employee compliance with credit and personnel procedures, operating instructions, and other internal controls.
(ii) Capabilities of staff and employees.
(iii) Adequacy of equipment relative to current and expected volume.
(iv) Creditworthiness of members requesting funds transfers.
(6) INTERNAL AUDITS. The Supervisory Committee will oversee an annual comprehensive audit of operational internal controls and submit its findings to the Board.
(A) Audit Findings. The Board report should include an assessment of risks, evaluation of the adequacy of controls, and determination of compliance with this policy and applicable laws, regulations, and rules.
(B) Board Action. The Board will review audit findings and institute corrective action to address deficiencies noted.
Adopted by the Board of Directors November 29, 2018