Scribd Logo
Upload

Welcome to Scribd!

  • ATMEFTControls ICQ

    Uploaded by

    Armend Salihu
    10 views4 pages
    Atm eft controls

    Original Title

    ATMEFTControls_ICQ

    Copyright

    © © All Rights Reserved

    Available Formats

    DOC, PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    Atm eft controls

    Copyright:

    © All Rights Reserved
    Download as DOC, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    10 views4 pages

    ATMEFTControls ICQ

    Uploaded by

    Armend Salihu
    Atm eft controls

    Copyright:

    © All Rights Reserved
    Download as DOC, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 4

    ATM/EFT/REG.

    E CONTROLS - Page 1 of 3

    Prepared By Reviewed By
    INTERNAL CONTROL QUESTIONNAIRE
    ________ _______
    RISK FACTOR (Medium)

    Audit Subject: ATM/EFT/REGULATION E CONTROLS


    Date: ___________________________ Branch: ______________________________________________________________

    EXHIBITS:
    ____ PROVIDED TO CLIENT ____ SEND WITH REPORT ____ NOT APPLICABLE Y/N I O T

    * * * Does the bank have an SPM which covers this function?

    PLASTIC CARD AND PIN CONTROLS


    1. Is access to the physical area in which encoding is accomplished limited to authorized
    personnel with dual control procedures employed?

    2. Are proper inventory controls over blank plastic cards in place? (There should be
    proper accounting for the number of cards used, including test cards and spoiled
    cards.)

    3. Are reasonable dual control practices in place where possible? (Only a limited working
    supply of blank cards and cards in the process of being embossed/encoded should be
    allowed out of dual custody. Adequate interim storage and accounting must exist for
    all cards not under dual control.)

    4. Are controls in place to ensure that all cards are initially disbursed from the storage
    area, and end up either in the mail area or are properly disposed of?

    5. Does the bank use a service bureau to handle access device operations? If so:

    a. Does the bank have a contractual arrangement in place to ensure that all aspects
    of safeguarding customer information, card and PIN controls, destruction of no-
    longer-needed documents, returned cards and PIN mailers, etc. are handled in
    accordance with bank specifications?
    ?

    6. Does the bank receive returned ATM cards, and if so, are they handled separately and
    not by issuing personnel?

    a. If so, does the bank use a returned ATM/Debit Card Log to show evidence of
    receipt, dual control, and final disposition of the card?

    b. Are customers identified prior to the bank returning the card?

    c. Does the bank protect other customer and non-customer information when
    requesting a signature as evidence of return of a captured card by covering the
    information and/or by having the customer sign a separate piece of paper?

    d. Are returned cards and PINs destroyed within a reasonable time period, and is the
    destruction date and dual control evidenced on the log?

    7. Are PINs stored separate from plastic cards?

    8. Are PIN mailers processed and delivered with the same security accorded the delivery
    of bankcards to cardholders?

    9. Do PIN systems record the number of unsuccessful PIN entries and restrict access to a
    customer’s account after a small number of attempts?

    10. Are PIN systems designed so that PINs can be changed without re-issuance of cards?

    11. Does the bank have procedures in place that limit the number of employees who are
    authorized to order ATM cards and PINs?

    12. Does the bank callback the ordering of ATM Cards and PIN numbers to a source
    document generated from the card company?

     2004 Risk Management Group Revised 2/19/04


    ATM/EFT/REG. E CONTROLS - Page 2 of 3

    Y/N I O T
    ATM ACTIVITY
    13. If the ATM is “off-line” and remains open for customer use, is the withdrawal limit
    lowered to reduce loss potential?

    14. Are captured cards logged in and maintained in double custody until the owner claims
    it, it is forwarded to the issuing financial institution, or it is destroyed in dual custody?

    15. Are unclaimed captured cards destroyed after a reasonable period of time?

    16. Are customers identified prior to the bank returning the card?

    17. Is there a well-defined procedure for handling captured cards from other institutions?

    18. Is there evidence that an officer reviews the ATM Suspicious Activity Report daily?

    19. Is there evidence of appropriate follow-up on suspicious activity?

    DAILY/MONTHLY PROCEDURES
    20. Is there evidence that the ATM is subject to a surprise cash count at least once
    monthly?

    21. Are procedures in place for after-hours servicing of the ATM? Is this handled by bank
    employees or by an “outside” vendor? Are proper dual controls evident - i.e., log for
    after-hours personnel and contracts of outside vendors?

    22. Is the daily access made under dual control and so documented? Review log.

    23. Are the daily transactions processed under strict dual control?

    24. Is the daily work microfilmed prior to processing?

    SAFETY AND SECURITY


    25. Are alarm devices connected to all automated teller machines?

    26. Are the ATM and customer visible from the street?

    27. Is the ATM area equipped with a Class C fire extinguisher?

    28. Are the combinations and keys to the machines controlled (if so, indicate controls)?

    29. Are the key and the combination changed periodically when situations such as
    employee turnover occur or in accordance with bank policy?

    30. Does the bank furnish to ATM users a “Notice of Precautions”?


    [Reference to law C.C.
    13050]

    31. Are ATM cameras periodically checked to ensure proper operability?

    PROCEDURES FOR RESOLVING ERRORS


    32. Has an error resolution procedure been implemented that will promptly investigate
    and resolve alleged errors within 10 business days? [205.11(c)
    (1)]

    33. If the institution requires a complaint or question to be confirmed in writing within 10


    business days, is this requirement disclosed to the consumer when the error notice is
    given orally?

    34. Does the institution inform the consumer of results of investigation within 10 business
    days of the initial error report? [205.11(c)
    (1)]

     2004 Risk Management Group Revised 2/19/04


    ATM/EFT/REG. E CONTROLS - Page 3 of 3

    Y/N I O T
    35. If the institution needs more time and informs the consumer that it may take up to 45
    days, does the institution:

    a. Re-credit the consumer’s account within 10 business days of the initial report,
    except where written confirmation is required but not received within 10 business
    days? [205.11(c)
    (2)]

    b. Notify the consumer within 2 business days of the amount and date of the re-
    crediting and the fact that the consumer will have full use of funds pending the
    outcome of the resolution?

    c. Give the consumer full use of the funds during the investigation period?

    36. If the institution determines that no error has occurred, have procedures been
    established to:

    a. Promptly (and within 3 business days of concluding the investigation, but no later
    than 10 business days from the error notification if the institution is proceeding
    under that alternative) provide a written explanation of its findings?
    [205.11(d)
    (1)]

     Include the notice of the consumer’s right to request the documents upon
    which the institution relied in making its determination.

    b. Upon debiting a provisionally credited amount, notify the consumer of the date
    and amount of the debit and the fact that the institution will continue to honor
    checks and drafts to third parties and preauthorized transfers for five business
    days to the extent that they would have been paid if the provisionally re-credited
    funds had not been debited? [205.11(d)(2)(i) and
    (ii)]

    c. Assure that the institution honors checks or drafts to third parties or preauthorized
    transfers for five business days after transmittal of the notice?

    d. Provide copies of documents, upon request?

    37. Is a log maintained for customer claims which includes customer name, account
    number involved, dollar amount of transaction, description of claim, and final result
    of claim?

    38. Is the response time to all claims within the allowable time frame? (Provisional
    credit - 10 business days; Final resolution - 45 business days.) [12 CFR 205.11(c)(1)]

    NOTES:

     2004 Risk Management Group Revised 2/19/04


    ATM/EFT/REG. E CONTROLS - Page 4 of 3

     2004 Risk Management Group Revised 2/19/04

    You might also like