FEDERAL RESERVE BANK OF NEW YORK

January 7, 1988

SECURITY OF FEDWIRE OPERATIONS

To the Chief Operating Officer and the General Auditor of Each Depository Institution in the Second Federal Reserve District:

The purpose of this notice is to encourage depository institutions to review periodically their funds and book-entry securities transfer operations to ensure that adequate precautionary measures are in place to guard against possible wire transfer fraud.

Fedwire transfers often involve large sums of money, and cannot be retrieved unilaterally by the sender. Thus, procedures for processing transfers sent and received over Fedwire should be carefully and regularly reviewed to assure that appropriate security measures are in place.

Nationwide data suggest that various methods have been used to attempt fraudulent transfers. Examples include: gaining unauthorized access to computer rooms, terminals, or testwords; collusion with bank or customer personnel; and impersonating correspondent bank personnel, Federal Reserve Bank personnel, or corporate or respondent bank customers.

If your institution detects a fraudulent wire transfer attempt, regardless of whether or not the attempt is successful, the local office of the Federal Bureau of Investigation should be notified immediately. If the fraud attempt involves a Fedwire transfer, the Funds Transfer Department or the Securities Transfer Department of this Bank should also be notified immediately.

The suggestions printed on the following pages are offered for your consideration when conducting reviews of your funds and securities transfer operations. While they refer to Fedwire transfers, they have universal applicability and are offered as guides. Each depository institution should have procedures in place that meet its particular needs.
We recognize that these suggestions may be implemented in different ways by different institutions, but we believe the basic control principles can and should be adopted by all.

If you or members of your staff have any questions concerning Fedwire security and control procedures, please contact Andrew Heikaus, Manager, Funds Transfer Department (Tel. No. 212-720-5561), or Patricia Hilt-Lupack, Manager, Securities Transfer Department (Tel. No. 212-720-5379).

Carol W. Barrett,
Vice President.

Recommendations in Connection With Safeguarding the Integrity of Fedwire Transfers

1. Operational controls

• Employ authentication procedures (e.g., testwords and call-backs) when receiving funds and securities transfer instructions over the telephone, particularly for those involving a third party. Ideally, all such requests should be received at a central point so that authentication procedures can be applied uniformly.
• Use call-back or other positive verification procedures to confirm third-party transfer instructions to or advices of receipt from correspondents before paying funds to customers.
• Change testword and other authentication mechanisms (e.g., encryption keys) on an appropriate schedule.
• Tape-record telephone conversations involving transfer requests, to provide additional support to your institution in the event of disputes regarding instructions or amounts.
• Retain unbroken monitor copies or hard copies of all transactions transmitted through terminals connected to Fedwire.
• Confirm that available funds are in a customer's account or that the transfer amount is within authorized credit limits before transfer instructions are implemented.
• Devote extra attention to security and control procedures in emergency or unusual situations (e.g., major computer outages or power failures).
• Subject rejected transactions and all correcting and reversing entries to supervisory review.
• Above all, caution all employees involved to be alert to unusual or suspicious requests for information, changes in instructions from customers, activities of coworkers, etc. They should also be cautioned not to discuss internal procedures with anyone outside your funds or securities areas.

2. Balancing and accounting controls

• Verify that the message accountability sequence numbers on transfers sent and received are unique and consecutive.
• Confirm that acknowledgements are returned for all outgoing messages.
• Verify that the total number and dollar amount of funds and securities transfer messages sent and received by Fedwire are in proof with summaries received from the Federal Reserve, at least on an end-of-day basis. To facilitate this proof, maintain a log of all transfer requests at the point of receipt.
• Reconcile differences on daily reserve or clearing account statements promptly and report any discrepancies to this Bank immediately.
• Provide advice copies of funds and securities transfers to your customers and encourage reconcilement of these advices by your customers on the day of receipt.

3. Personnel

• Establish appropriate segregation of duties, to the extent possible, within the wire transfer operation. For example, receive, entry and verification functions should not be performed by the same person for the same message.
• Ensure that employees receive periodic training concerning the importance of security and control measures and that penalties for noncompliance with operating procedures are published and enforced.
• Rotate personnel assigned to the communications area; enforce vacation requirements; and consider increasing supervision of these employees, if appropriate.
• Review the appropriateness of hiring practices with respect to employees having access to computer rooms and communications terminals.
• Reassign employees who have given notice of resignation or who have been given notice of termination.
• Monitor closely the activities of all outside personnel who are on your institution's premises (e.g., consultants, programmers, repairmen).
• Direct employees to keep user-id passwords confidential and to change their passwords periodically.

4. Physical security

• Ensure that only individuals who have a business need are permitted access to computer rooms, communications lines, telephone panel boards, terminals, operating instructions, testcode formulas, encryption keys, testword lists, forms, passwords, computer files, and programs.
• Ensure that terminals and other equipment and material (e.g., encryption keys, testwords) used in your Fedwire operations are secured 24 hours a day.
• Ensure that security copies of software (computer programs) used to run data entry devices (PCs) are stored in a secure manner.

5. Legal agreements

• Establish and maintain written agreements for all customers making funds or securities transfer requests, particularly for those customers who initiate transfer requests by telephone, terminals, or other means that do not provide for signed authorization. These agreements should clearly set forth the scope of your institution's liability.

6. Audit programs

• Include all of the activities of your institution's funds and securities transfer operations in your institution's audit program.

Prepared by:
Federal Reserve Bank of New York
Electronic Payments Function
January 1988
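
The balancing checks in section 2 (unique and consecutive sequence numbers, an acknowledgement for every outgoing message, and end-of-day proof against the Federal Reserve summary), worked through as an added example that is not part of the original circular. The log layout, function names and all sample values are constructed assumptions, not a Fedwire message format.

```python
from decimal import Decimal

# Constructed log of outgoing transfers kept at the point of receipt:
# (sequence number, dollar amount, acknowledgement returned?)
SENT_LOG = [
    (101, Decimal("250000.00"), True),
    (102, Decimal("1200000.00"), True),
    (104, Decimal("75000.50"), False),  # 103 never appears; no acknowledgement
    (104, Decimal("75000.50"), True),   # same sequence number used twice
    (105, Decimal("9800.00"), True),
]

# Constructed end-of-day summary figures to prove the log against.
SUMMARY = {"count": 4, "total": Decimal("1534800.50")}


def check_sequence(log):
    """Return (missing, duplicated) sequence numbers between first and last seen."""
    seen, duplicated = set(), set()
    for seq, _amount, _acked in log:
        if seq in seen:
            duplicated.add(seq)
        seen.add(seq)
    if not seen:
        return [], []
    missing = sorted(set(range(min(seen), max(seen) + 1)) - seen)
    return missing, sorted(duplicated)


def unacknowledged(log):
    """Sequence numbers of logged messages with no acknowledgement returned."""
    return [seq for seq, _amount, acked in log if not acked]


def in_proof(log, summary):
    """Return (count difference, dollar difference); (0, 0) means in proof."""
    total = sum((amount for _seq, amount, _acked in log), Decimal("0"))
    return len(log) - summary["count"], total - summary["total"]


if __name__ == "__main__":
    missing, duplicated = check_sequence(SENT_LOG)
    print("missing sequence numbers:   ", missing)
    print("duplicated sequence numbers:", duplicated)
    print("no acknowledgement:         ", unacknowledged(SENT_LOG))
    print("out of proof by (count, $): ", in_proof(SENT_LOG, SUMMARY))
```

Each non-empty result is an exception for the supervisory review and same-day reconcilement the circular calls for.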