The full text on this page is automatically extracted from the file linked above and may contain errors and inconsistencies.
Federal R eserve Bank OF DALLAS TO N Y J . SALV A G G IO FtR S T V IC E PR E S ID E N T J « AS 7 5 2 6 5 -5 90 6 February 23, 1996 Notice 96-23 TO: The Chief Operating Officer of each financial institution in the Eleventh Federal Reserve District SUBJECT Modifications to the Fedwire Third-Party Access Policy DETAILS The Board of Governors of the Federal Reserve System has approved policy modifications to address Fedwire third-party access arrangements involving a service provider that is located outside the United States. In general, foreign service provider arrangements would be subject not only to the conditions applicable to domestic service provider arrangements, but also several additional conditions related to information and examination access. These incremental requirements are intended to ensure that the Federal Reserve’s oversight of Fedwire is not diminished or inappropriately limited by activity conducted outside the United States and that the Federal Reserve’s supervisory objectives are met. These changes became effective February 1, 1996. ATTACHMENT A copy of the Board’s notice (Federal Reserve System Docket No. R-0914) is attached. MORE INFORMATION For more information, please contact Nancy Barton at (214) 922-6746. For additional copies of this Bank’s notice, please contact the Public Affairs Department at (214) 922-5254. Sincerely, For additional copies, bankers and others are encouraged to use one o f the following toll-free numbers in contacting the Federal Reserve Bank o f Dallas: Dallas O ffice (800) 333 -4460; El Paso Branch Intrastate (800) 592-1631, Interstate (800) 351-1012; H ouston Branch Intrastate (800) 392-4162, Interstate (800) 221-0363; San A ntonio Branch Intrastate (800) 292-5810. This publication was digitized and made available by the Federal Reserve Bank of Dallas' Historical Library (FedHistory@dal.frb.org) FEDERAL RESERVE SYSTEM [Docket No. R-0914] Federal Reserve Payment System Risk Policy AGENCY: Board of Governors of the Federal Reserve System. ACTION: Policy statement. SUMMARY: The Board has approved modifications to its Fedwire third-party access policy that establish additional requirements applicable to third-party access arrangements involving a service provider located outside the United States ("foreign service provider"). On August 9, 1995, the Board approved certain interim modifications to its Fedwire third-party access policy to clarify its applicability and to reduce the administrative burden of several provisions. At that time, the Board indicated the Federal Reserve Banks would not approve any new third-party access arrangements involving a foreign service provider, pending a review of the supervisory issues associated with such arrangements. The Board has completed its assessment and has modified its policy to address the conditions under which the Federal Reserve would consider approving foreign service provider arrangements. The revised policy is intended to ensure that the Federal Reserve’s oversight of Fedwire is not diminished or inappropriately limited by the conduct of activity outside the United States and that the Federal Reserve's supervisory and examination objectives are met. In addition, the policy provides important safeguards to both depository institutions participating in third-party access arrangements and to the Reserve Banks. Among other things, the policy requires depository institutions to impose prudent controls over Fedwire funds transfers and Fedwire book-entry securities transfers initiated, received, or otherwise - 2 - processed on their behalf by a third-party service provider. EFFECTIVE DATE: February 1, 1996 FOR FURTHER INFORMATION CONTACT: Jeff Stehm, Manager (202/452-2217) or Lisa K. Hoskins, Project Leader (202/452-3437), Fedwire Section, Division of Reserve Bank Operations and Payment Systems; or Howard Amer, Assistant Director (202/452-2958), Division of Banking Supervision and Regulation; for the hearing impaired only: Telecommunications Device for the Deaf, Dorothea Thompson (202/452-3544). SUPPLEMENTARY INFORMATION: I. Background Fedwire is the large-value payment and securities settlement mechanism operated by the Federal Reserve Banks. Fedwire provides depository institutions with real-time gross settlement in central bank money of funds transfers and book-entry securities transfers made for their own account or on behalf of their customers. Typically, each depository institution that holds an account at the Federal Reserve processes its own transfers and accesses Fedwire directly. In some cases, however, a depository institution accesses Fedwire through a third-party access arrangement in which a service provider, acting as agent for a depository institution, initiates payments that are posted to the institution’s account at the Federal Reserve. Third-party access arrangements are a form of outsourcing.1 1 Depository institutions use service providers to perform a number of functions, including customer accounting, check and automated clearing house (ACH) (continued...) - 3 - In July 1987, the Board approved a set of conditions under which Fedwire third-party access arrangements could be established, as part of its payment system risk reduction policy (52 FR 29255, August 6, 1987). The Board approved modifications to the policy in August 1995 that clarified the scope and application of the policy and reduced the administrative burden of several provisions (60 FR 42418, August 15, 1995). The scope of the original policy was silent on whether the service provider could be located outside the United States. Such arrangements raise certain supervisory issues, such as the ability of U.S. examiners to access relevant information, conduct on-site reviews of Fedwire operations, and exercise their enforcement authority. As a result, in August the Board broadened the scope of the policy to include third-party access arrangements involving an office of the participant located outside the United States that acts as a service provider, but indicated that new third-party arrangements involving a foreign service provider would not be approved by the Reserve Banks pending an assessment of the relevant supervisory issues.2 ’ (...continued) processing, and the processing and/or transmission of large-value funds and securities transfers. Depository institutions have increasingly viewed outsourcing arrangements as one way to reduce operating costs. 2 The Reserve Banks have not approved any foreign service provider arrangements, although several inquiries have been received during the last few years. In its August 1995 action, the Board required that any existing arrangement involving a foreign office of a Fedwire participant acting as a service provider be reported promptly to the participant’s Reserve Bank. No such arrangements have been reported. - 4 - II. Provision-by-Provislon Analysis The policy establishes conditions that a sending or receiving institution ("the participant") must meet in order to designate another depository institution or other entity ("the service provider") to initiate, receive, and/or otherwise process Fedwire funds transfers or Fedwire book-entry securities transfers that are posted to the participant's reserve or clearing account held at the Federal Reserve. These conditions include requirements that the participant have the ability to retain operational control of the credit-granting process, monitor transfer activity conducted on its behalf, and remain responsible for managing its Federal Reserve account. In addition, the participant is expected to comply with all requirements related to Fedwire access generally, such as encryption standards, as well as all applicable state and federal laws and regulations. The policy also requires a participant that uses an unaffiliated service provider to maintain adequate termination backup arrangements so that it can continue Fedwire operations if the third-party access arrangement must be terminated. The policy also addresses certain supervisory concerns, including requirements for the participant to obtain an affirmative written statement from its primary supervisor(s) indicating that it does not object to the arrangement; the existence of an adequate audit program for the participant to review the arrangement and compliance with the Board’s policy; and the requirement that the service provider be subject to examination by the appropriate federal depository institution regulatory agency(ies). Finally, the participant and the service provider(s) must execute an - 5 - agreement with the relevant Reserve Bank(s) incorporating the policy’s conditions. The Board has modified the policy to address the conditions that apply to Fedwire third-party access arrangements involving a service provider that is located outside the United States. In particular, foreign service provider arrangements are expected to comply with the same requirements as domestic service provider arrangements as well as meet some additional conditions with regard to information and examination access. Such arrangements will also be subject to review and concurrence by the Directors of the Board’s Division of Reserve Bank Operations and Payment Systems and Division of Banking Supervision and Regulation. Taken together, these requirements are intended to ensure that the Federal Reserve’s oversight of Fedwire is not diminished or inappropriately limited by the conduct of Fedwire activity outside the United States and that supervisory objectives can be met.3 The following discussion identifies those provisions of the Fedwire third-party access policy that have been revised and discusses how and why they differ from the current policy provisions. A. Scope 3 The four primary examination objectives with regard to Fedwire are to 1) minimize systemic risk from payment activities, 2) identify weaknesses in payments operations that could jeopardize the condition of the depository institution, 3) ensure that proper records are available to assist law enforcement authorities pursuing illegal payments activities, and 4) minimize risk of loss to the Federal Reserve from a depository institution’s payment activities that may result if a depository institution were to fail while in an overdraft position at the Federal Reserve. - 6 - Opening Paragraph (unchanged): The Board will allow third-party access arrangements whereby a sending or receiving institution ("the participant") designates another depository institution or other entity ("the service provider") to initiate, receive, and/or otherwise process Fedwire funds transfers or book-entry securities transfers that are posted to the participant’s reserve or clearing account held at the Federal Reserve, provided the following conditions are met: Revised Footnote #1 to the Opening Paragraph: This policy also applies to third-party access arrangements in which an organization, including an office of the participant, located outside the United States acts as service provider by initiating, receiving, or otherwise processing Fedwire transfers on behalf, of the U.S. participant ("foreign service provider") . Previous Footnote #1 to the Opening Paragraph: This policy applies to third-party access arrangements in which an office of the participant located outside the United States acts as service provider by initiating, receiving, or otherwise processing Fedwire transfers on behalf of the U.S. participant. The Board, in approving the August 1995 modifications to the policy, stated that no new third-party access arrangements involving a foreign service provider would be approved until an assessment of the supervisory issues associated with such arrangements was completed. As a result of that assessment, the revised policy applies to all arrangements where the service provider is located outside the United States. In applying the policy to arrangements involving foreign service providers, however, the Board recognizes that such arrangements should be subject to consultation and coordination with home country supervisors, on-site examination of foreign service providers, and the availability of and access to Fedwire records. To address these issues the Board expects that such arrangements will comply with the policy conditions applicable to domestic service provider arrangements and, in - 7 - addition, meet the additional requirements applicable to arrangements involving a foreign service provider. B. Audit Program Revised Condition (#10) The participant must have in place an adequate audit program to review the arrangement at least annually to confirm that these requirements are being met. In addition, in the case of an arrangement involving a foreign service provider, both the participant and the foreign service provider must have in place an adequate audit program that addresses Fedwire operations. Audit reports in English must be made available to the Federal Reserve and the participant's primary supervisor(s) in the,United States. Previous Condition (#10) The participant must have in place an adequate audit program to review the arrangement at least annually to confirm that these requirements are being met. The revised condition requires that the Fedwire audit program of both the participant and the foreign service provider be an acceptable means to review and assess effectively, at least on an annual basis, the sufficiency of internal and data security controls, credit-granting processes, operational procedures and contingency arrangements, and compliance with applicable U.S. laws and regulations. This requirement is intended to maintain U.S. examiners’ abilities to supervise effectively the Fedwire function and to ensure that it is managed in a safe and sound manner. C. Examination of the Arrangement Revised Condition (#11) In the case of a service provider located within the United States, the service provider must be subject to examination by the appropriate federal depository institution regulatory agency(ies). rFootnote: The U.S. federal depository institution regulatory agencv(ies) must be able to examine any aspects of the service provider as may be necessary to assess the adeguacv of the operations - 8 - and financial condition of the service provider.] In the case of a service provider located outside the United States, the service provider must be subject to the supervision of a home country bank supervisor. In its review of a proposed foreign service provider arrangement, the Federal Reserve will consider the extent to which the service provider’s home country supervisor 1) oversees banks on a consolidated basis, 2) is familiar with supervising payment systems activities, 3) is willing to examine the Fedwire operations at the service provider, and 4) has demonstrated a willingness to work closely with U.S. banking authorities in addressing supervisory problems. In addition, the home country supervisor, the participant, and the service provider must agree to permit the participant’s primary supervisor(s) to conduct on-site reviews of the Fedwire operations at the foreign service provider. fFootnote: If a participant proposes to conduct its Fedwire processing at a foreign site outside the home country of the service provider, both the home country and host country supervisors would need to permit the participant's primary supervisor(s) to review the Fedwire operations.] The participant and the service provider must agree to make all policies, procedures, and other documentation relating to Fedwire operations, including those related to internal controls and data security requirements, available to the Federal Reserve and the participant's primary supervisor(s) in English. Previous Condition (#11) The service provider must be subject to examination by the appropriate federal depository institution regulatory agency(ies). fFootnote: The U.S. federal depository institution regulatory agencv(ies) must be able to examine any aspects of the service provider as may be necessary to assess the adeguacy of the operatiens and financial condition of the service prpvider.1 The revised condition provides the opportunity for the Federal Reserve and the participant's primary supervisor(s) to 1) assess the risks associated with the third-party access arrangement in the context of the service provider's home country’s bank supervision program, 2) determine if it would be reasonable for the participant’s primary supervisor(s) to depend, to some extent, on the home country supervisor to examine the Fedwire operation at the service provider, and 3) ensure that the participant's primary supervisor(s) has access to relevant Fedwire records. These - 9 - conditions are intended to maintain U.S. examiners’ ability to supervise effectively the Fedwire function and to ensure that it is managed in a safe and sound manner. In reviewing the arrangement in the context of the foreign service provider’s home country supervision program, the Federal Reserve would carefully consider each of the four criteria contained in this^ portion of the modified policy. The Federal Reserve, however, will not grant approval to outsource Fedwire absent an affirmative implementing agreement with the home country supervisor. The Federal Reserve may also discuss other supervisory issues, such as home country laws and regulations that may limit examination access, with the particular home country supervisor prior to approving an arrangement involving a foreign service provider. With regard to proposals to outsource Fedwire processing to an unaffiliated foreign service provider, and in particular to an organization that is not a depository institution, the Federal Reserve would discuss with the home country supervisor issues related to the level of supervision and examination of the proposed service provider and other issues that could affect the risks associated with such an arrangement. D. Review and Approval of Proposed Arrangements Revised Condition (Closing Paragraph) The participant's Federal Resen/e Bank is responsible for approving each proposed Fedwire third-party access arrangement. The Directors of the Board’s Division of Reserve Bank Operations and Payment Systems and Division of Banking Supervision and Regulation must concur with a proposed arrangement 1) in which the participant is not affiliated through at least 80 percent common ownership with the service provider and where the participant is owned by one of the 50 largest bank holding companies (based on consolidated assets), or 2) in which the service provider is located outside the United States. Approval of - 10 - a foreign service provider arrangement would be contingent on a review of both the participant’s and the foreign service provider’s Fedwire policies, procedures, and operations, which would be conducted by the Federal Reserve prior to the commencement of operations. Previous Condition (Closing Paragraph) The Federal Reserve Bank is responsible for approving each proposed Fedwire third-party access arrangement. In a proposed arrangement in which the participant is not affiliated through at least 80 percent common ownership with the service provider and where the participant is owned by one of the 50 largest bank holding companies (based on consolidated assets), the Directors of the Division of Reserve Bank Operations and Payment Systems and the Division of Banking Supervision and Regulation must concur with the arrangement. The revised condition recognizes the potential risks associated with outsourcing Fedwire operations to a foreign service provider and the need for Board staff review and concurrence with such arrangements. Arrangements involving a foreign service provider warrant careful consideration in order to determine whether the proposed arrangement poses any undue risks and whether adequate supervisory oversight can be maintained. An infrastructure review is appropriate to confirm compliance with the Fedwire third-party access policy and other relevant policies and regulations. The infrastructure review also would permit the Federal Reserve to assess the adequacy of system integrity, controls and contingency arrangements, and would allow it to determine first hand whether information access issues pose unacceptable risks. III. Effective Date The revised Fedwire third-party access policy becomes effective February 1, 1996. IV. Competitive Impact Analysis -11 - The Board assesses the competitive impact of changes that may have a substantial effect on payment system participants. In particular, the Board assesses whether a proposed change would have a direct and material adverse effect on the ability of other service providers to compete effectively with the Federal Reserve Banks in providing similar services and whether such effects are due to legal differences or due to a dominant market position deriving from such legal differences. The Federal Reserve Banks' Fedwire funds transfer and book-entry securities transfer services provide, real-time gross settlement in central bank money. While these services cannot be duplicated by private-sector service providers, banks can make large-dollar funds transfers through other systems, such as CHIPS, or through correspondent book transfers, although these transactions have attributes that differ from Fedwire transfers. Similarly, there are private-sector securities clearing and/or settlement systems, such as the Government Securities Clearing Corporation and the Participants Trust Company, that facilitate primary and secondary market trades of U.S. Treasury and agency securities. Other transactions involving U.S. government securities may be cleared and settled on the books of banks to the extent that the counterparties are customers of the same bank. The Board’s third-party access policy places conditions on arrangements in which a Fedwire participant may contract with another organization to initiate, receive, or otherwise process Fedwire transfers. The Board has revised the policy to establish additional conditions applicable to depository institutions wishing to access Fedwire through a foreign service provider to ensure that the Federal Reserve’s - 12 - oversight of Fedwire is not diminished or inappropriately limited by the conduct of activity outside the United States and that the Federal Reserve's supervisory and examination objectives are met. Other large-dollar systems can and do place restrictions on the ability of participants to outsource their operations to foreign service providers. The Board's policy, as revised, does not adversely affect the ability of depository institutions or service providers to compete with the Federal Reserve Banks to provide funds transfer or securities transfer services. V. Policy Statement The Board has amended its "Federal Reserve System Policy Statement on Payments System Risk" under the heading "I. Federal Reserve Policy" by replacing "G. Fedwire Third-party Access Policy" with the following: G. Fedwire Third-Party Access Policy The Board will allow third-party access arrangements whereby a sending or receiving institution ("the participant") designates another depository institution or other entity ("the service provider") to initiate, receive, and/or otherwise process Fedwire funds transfers or book-entry securities transfers that are posted to the participant’s reserve or clearing account held at the Federal Reserve, provided the following conditions are met:1 1 This policy also applies to third-party access arrangements in which an organization, including an office of the participant, located outside the United States acts as service provider by initiating, receiving, or otherwise processing Fedwire transfers on behalf of the U.S. participant ("foreign service provider"). - 1. 13 - The participant retains operational control of the credit-granting process by (1) individually authorizing each funds or securities transfer, or (2) establishing individual customer transfer limits and a transfer limit for the participant’s own activity, within which the service provider can act. The transfer limit could be a combination of the account balance and established credit limits. For the purposes of this policy, these arrangements are called "line-of-credit arrangements." 2. In funds transfer line-of-credit arrangements, the service provider must have procedures in place and the operational ability to ensure that a funds transfer that would exceed the established transfer limit is not permitted without first obtaining the participant's approval. In book-entry securities transfer line-ofcredit arrangements, the service provider must have procedures in place and the operational ability to provide the participant with timely notification of an incoming transfer that exceeds the applicable limit and must act upon the participant’s instructions to accept or reverse the transfer accordingly. 3. Transfers will be posted to the participant's reserve or clearing account held at the Federal Reserve, and the participant will remain responsible for managing its Federal Reserve account, with respect to both its intraday and overnight positions. The participant must be able to monitor transfer activity conducted on its behalf. 4. The participant’s board of directors must approve the role and responsibilities of a service provider(s) that is not affiliated with the participant through at least 80 - 14 - percent common ownership. In line-of-credit arrangements, the participant’s board of directors must approve the intraday overdraft limit for the activity to be processed by the service provider and the credit limits for any inter-affiliate funds transfers.2 5. The Board expects all participants to ensure that their Fedwire operations couid be resumed in a reasonable period of time in the event of an operating outage, consistent with the requirement to maintain adequate contingency backup capabilities as set forth in the interagency policy (FFIEC SP-5, July 1989). A participant is not relieved of such responsibility because it contracts with a service provider. 6. In cases where the service provider is not affiliated with the participant through at least 80 percent common ownership, the participant must be able to continue Fedwire operations if the participant is unable to continue its service provider arrangement (e.g., in lh e event the Reserve Bank or the participant’s primary supervisor terminates the service provider arrangement). 7. The participant must certify that the arrangement is consistent with corporate separateness and does not violate branching restrictions. 8. The participant must certify that the specifics of the arrangement will allow the 2 In cases where a U.S. branch of a foreign bank wishes to be a participant in an arrangement subject to this policy, and its board of directors has a more limited role in the bank's management than a U.S. board, the role and responsibilities of the service provider should be reviewed by senior management at the foreign bank's head office that exercises authority over the foreign bank equivalent to the authority exercised by a board of directors over a U.S. depository institution. - 15 - participant to comply with all applicable state and federal laws and regulations governing the participant, including, for example, retaining and making accessible records in accordance with the regulations adopted under the Bank Secrecy Act. 9. The participant's primary supervisor(s) must affirmatively state in writing that it does not object to the arrangement. 10. The participant must have in place an adequate audit program to review the arrangement at least annually to confirm that these requirements are being met In addition, in the case of an arrangement involving a foreign service provider, both the participant and the foreign service provider must have in place an adequate audit program that addresses Fedwire operations. Audit reports in English must be made available to the Federal Reserve and the participant's primary supervisor(s) in the United States. 11. In the case of a service provider located within the United States, the service provider must be subject to examination by the appropriate federal depository institution regulatory agency(ies).3 In the case of a service provider located outside the United States, the service provider must be subject to the supervision of a home country bank supervisor. In its review of a proposed foreign service provider arrangement, the Federal Reserve will consider the extent to which the service provider’s home country 3 The U.S. federal depository institution regulatory agency(ies) must be able to examine any aspects of the sen/ice provider as may be necessary to assess the adequacy of the operations and financial condition of the service provider. - 16 - supervisor 1) oversees banks on a consolidated basis, 2) is familiar with supervising payment systems activities, 3) is willing to examine the Fedwire operations at the service provider, and 4) has demonstrated a willingness to work closely with U.S. banking authorities in addressing supervisory problems. In addition, the home country supervisor, the participant, and the service provider must agree to permit the participant's primary supervisor(s) to conduct on-site reviews of the Fedwire operations at the foreign service provider.4 The participant and the service provider must agree to make all policies, procedures, and other documentation relating to Fedwire operations, including those related to internal controls and data security requirements, available to the Federal Reserve and the participant's primary supervisor(s) in English. 12. The participant and the service provider(s) must execute an agreement with the relevant Reserve Bank(s) incorporating these conditions. The participant's Federal Resen/e Bank is responsible for approving each proposed Fedwire third-party access arrangement. The Directors of the Board's Division of Reserve Bank Operations and Payment Systems and Division of Banking Supervision and Regulation must concur with a proposed arrangement 1) in which the participant is not affiliated through at least 80 percent common ownership with the service provider and where the participant is owned by one of the 50 largest bank 4 If a participant proposes to conduct its Fedwire processing at a foreign site outside the home country of the service provider, both the home country and host country supervisors would need to permit the participant's primary supervisor(s) to review the Fedwire operations. - 17 * holding companies (based on consolidated assets), or 2) in which the service provider is located outside the United States. Approval of a foreign service provider arrangement would be conditioned on satisfactory findings of a review of both the participant’s and the foreign service provider’s Fedwire policies, procedures, and operations, which would be conducted by the Federal Reserve prior to the commencement of operations. By order of the Board of Governors of the Federal Reserve System, January 24, 1996. (signed) William ' William W. Wiles, Secretary of the Board. [FR Doc. 96-00000 Filed 00-00-96; 8:45 am] BILLING CODE 6210-01-P