[Federal Register Volume 61, Number 20 (Tuesday, January 30, 1996)]
[Notices]
[Pages 3035-3039]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 96-1652]
-----------------------------------------------------------------------
FEDERAL RESERVE SYSTEM
[Docket No. R-0914]
Federal Reserve Payment System Risk Policy
AGENCY: Board of Governors of the Federal Reserve System.
ACTION: Policy statement.
-----------------------------------------------------------------------
SUMMARY: The Board has approved modifications to its Fedwire third-
party access policy that establish additional requirements applicable
to third-party access arrangements involving a service provider located
outside the United States (``foreign service provider''). On August 9,
1995, the Board approved certain interim modifications to its Fedwire
third-party access policy to clarify its applicability and to reduce
the administrative burden of several provisions. At that time, the
Board indicated the Federal Reserve Banks would not approve any new
third-party access arrangements involving a foreign service provider,
pending a review of the supervisory issues associated with such
arrangements. The Board has completed its assessment and has modified
its policy to address the conditions under which the Federal Reserve
would consider approving foreign service provider arrangements. The
revised policy is intended to ensure that the Federal Reserve's
oversight of Fedwire is not diminished or inappropriately limited by
the conduct of activity outside the United States and that the Federal
Reserve's supervisory and examination objectives are met. In addition,
the policy provides important safeguards to both depository
institutions participating in third-party access arrangements and to
the Reserve Banks. Among other things, the policy requires depository
institutions to impose prudent controls over Fedwire funds transfers
and Fedwire book-entry securities transfers initiated, received, or
otherwise processed on their behalf by a third-party service provider.
EFFECTIVE DATE: February 1, 1996.
[[Page 3036]]
FOR FURTHER INFORMATION CONTACT: Jeff Stehm, Manager (202/452-2217) or
Lisa K. Hoskins, Project Leader (202/452-3437), Fedwire Section,
Division of Reserve Bank Operations and Payment Systems; or Howard
Amer, Assistant Director (202/452-2958), Division of Banking
Supervision and Regulation; for the hearing impaired only:
Telecommunications Device for the Deaf, Dorothea Thompson (202/452-
3544).
SUPPLEMENTARY INFORMATION:
I. Background
Fedwire is the large-value payment and securities settlement
mechanism operated by the Federal Reserve Banks. Fedwire provides
depository institutions with real-time gross settlement in central bank
money of funds transfers and book-entry securities transfers made for
their own account or on behalf of their customers. Typically, each
depository institution that holds an account at the Federal Reserve
processes its own transfers and accesses Fedwire directly. In some
cases, however, a depository institution accesses Fedwire through a
third-party access arrangement in which a service provider, acting as
agent for a depository institution, initiates payments that are posted
to the institution's account at the Federal Reserve. Third-party access
arrangements are a form of outsourcing.1
\1\Depository institutions use service providers to perform a
number of functions, including customer accounting, check and
automated clearing house (ACH) processing, and the processing and/or
transmission of large-value funds and securities transfers.
Depository institutions have increasingly viewed outsourcing
arrangements as one way to reduce operating costs.
---------------------------------------------------------------------------
In July 1987, the Board approved a set of conditions under which
Fedwire third-party access arrangements could be established, as part
of its payment system risk reduction policy (52 FR 29255, August 6,
1987). The Board approved modifications to the policy in August 1995
that clarified the scope and application of the policy and reduced the
administrative burden of several provisions (60 FR 42418, August 15,
1995). The scope of the original policy was silent on whether the
service provider could be located outside the United States. Such
arrangements raise certain supervisory issues, such as the ability of
U.S. examiners to access relevant information, conduct on-site reviews
of Fedwire operations, and exercise their enforcement authority. As a
result, in August the Board broadened the scope of the policy to
include third-party access arrangements involving an office of the
participant located outside the United States that acts as a service
provider, but indicated that new third-party arrangements involving a
foreign service provider would not be approved by the Reserve Banks
pending an assessment of the relevant supervisory issues.2
\2\The Reserve Banks have not approved any foreign service
provider arrangements, although several inquiries have been received
during the last few years. In its August 1995 action, the Board
required that any existing arrangement involving a foreign office of
a Fedwire participant acting as a service provider be reported
promptly to the participant's Reserve Bank. No such arrangements
have been reported.
---------------------------------------------------------------------------
II. Provision-by-Provision Analysis
The policy establishes conditions that a sending or receiving
institution (``the participant'') must meet in order to designate
another depository institution or other entity (``the service
provider'') to initiate, receive, and/or otherwise process Fedwire
funds transfers or Fedwire book-entry securities transfers that are
posted to the participant's reserve or clearing account held at the
Federal Reserve. These conditions include requirements that the
participant have the ability to retain operational control of the
credit-granting process, monitor transfer activity conducted on its
behalf, and remain responsible for managing its Federal Reserve
account. In addition, the participant is expected to comply with all
requirements related to Fedwire access generally, such as encryption
standards, as well as all applicable state and federal laws and
regulations. The policy also requires a participant that uses an
unaffiliated service provider to maintain adequate termination backup
arrangements so that it can continue Fedwire operations if the third-
party access arrangement must be terminated.
The policy also addresses certain supervisory concerns, including
requirements for the participant to obtain an affirmative written
statement from its primary supervisor(s) indicating that it does not
object to the arrangement; the existence of an adequate audit program
for the participant to review the arrangement and compliance with the
Board's policy; and the requirement that the service provider be
subject to examination by the appropriate federal depository
institution regulatory agency(ies). Finally, the participant and the
service provider(s) must execute an agreement with the relevant Reserve
Bank(s) incorporating the policy's conditions.
The Board has modified the policy to address the conditions that
apply to Fedwire third-party access arrangements involving a service
provider that is located outside the United States. In particular,
foreign service provider arrangements are expected to comply with the
same requirements as domestic service provider arrangements as well as
meet some additional conditions with regard to information and
examination access. Such arrangements will also be subject to review
and concurrence by the Directors of the Board's Division of Reserve
Bank Operations and Payment Systems and Division of Banking Supervision
and Regulation. Taken together, these requirements are intended to
ensure that the Federal Reserve's oversight of Fedwire is not
diminished or inappropriately limited by the conduct of Fedwire
activity outside the United States and that supervisory objectives can
be met.3 The following discussion identifies those provisions of
the Fedwire third-party access policy that have been revised and
discusses how and why they differ from the current policy provisions.
\3\The four primary examination objectives with regard to
Fedwire are to 1) minimize systemic risk from payment activities, 2)
identify weaknesses in payments operations that could jeopardize the
condition of the depository institution, 3) ensure that proper
records are available to assist law enforcement authorities pursuing
illegal payments activities, and 4) minimize risk of loss to the
Federal Reserve from a depository institution's payment activities
that may result if a depository institution were to fail while in an
overdraft position at the Federal Reserve.
---------------------------------------------------------------------------
A. Scope
Opening Paragraph (Unchanged)
The Board will allow third-party access arrangements whereby a
sending or receiving institution (``the participant'') designates
another depository institution or other entity (``the service
provider'') to initiate, receive, and/or otherwise process Fedwire
funds transfers or book-entry securities transfers that are posted
to the participant's reserve or clearing account held at the Federal
Reserve, provided the following conditions are met:
Revised Footnote #1 to the Opening Paragraph
This policy also applies to third-party access arrangements in
which an organization, including an office of the participant,
located outside the United States acts as service provider by
initiating, receiving, or otherwise processing Fedwire transfers on
behalf of the U.S. participant (``foreign service provider'') .
Previous Footnote #1 to the Opening Paragraph
This policy applies to third-party access arrangements in which
an office of the participant located outside the United States acts
as service provider by initiating, receiving, or otherwise
processing Fedwire transfers on behalf of the U.S. participant.
The Board, in approving the August 1995 modifications to the
policy, stated that no new third-party access
[[Page 3037]]
arrangements involving a foreign service provider would be approved
until an assessment of the supervisory issues associated with such
arrangements was completed. As a result of that assessment, the revised
policy applies to all arrangements where the service provider is
located outside the United States. In applying the policy to
arrangements involving foreign service providers, however, the Board
recognizes that such arrangements should be subject to consultation and
coordination with home country supervisors, on-site examination of
foreign service providers, and the availability of and access to
Fedwire records. To address these issues the Board expects that such
arrangements will comply with the policy conditions applicable to
domestic service provider arrangements and, in addition, meet the
additional requirements applicable to arrangements involving a foreign
service provider.
B. Audit Program
Revised Condition (#10)
The participant must have in place an adequate audit program to
review the arrangement at least annually to confirm that these
requirements are being met. In addition, in the case of an
arrangement involving a foreign service provider, both the
participant and the foreign service provider must have in place an
adequate audit program that addresses Fedwire operations. Audit
reports in English must be made available to the Federal Reserve and
the participant's primary supervisor(s) in the United States.
Previous Condition (#10)
The participant must have in place an adequate audit program to
review the arrangement at least annually to confirm that these
requirements are being met.
The revised condition requires that the Fedwire audit program of
both the participant and the foreign service provider be an acceptable
means to review and assess effectively, at least on an annual basis,
the sufficiency of internal and data security controls, credit-granting
processes, operational procedures and contingency arrangements, and
compliance with applicable U.S. laws and regulations. This requirement
is intended to maintain U.S. examiners' abilities to supervise
effectively the Fedwire function and to ensure that it is managed in a
safe and sound manner.
C. Examination of the Arrangement
Revised Condition (#11)
In the case of a service provider located within the United
States, the service provider must be subject to examination by the
appropriate federal depository institution regulatory agency(ies).
[Footnote: The U.S. federal depository institution regulatory
agency(ies) must be able to examine any aspects of the service
provider as may be necessary to assess the adequacy of the
operations and financial condition of the service provider.]
In the case of a service provider located outside the United
States, the service provider must be subject to the supervision of a
home country bank supervisor. In its review of a proposed foreign
service provider arrangement, the Federal Reserve will consider the
extent to which the service provider's home country supervisor 1)
oversees banks on a consolidated basis, 2) is familiar with
supervising payment systems activities, 3) is willing to examine the
Fedwire operations at the service provider, and 4) has demonstrated
a willingness to work closely with U.S. banking authorities in
addressing supervisory problems. In addition, the home country
supervisor, the participant, and the service provider must agree to
permit the participant's primary supervisor(s) to conduct on-site
reviews of the Fedwire operations at the foreign service provider.
[Footnote: If a participant proposes to conduct its Fedwire
processing at a foreign site outside the home country of the service
provider, both the home country and host country supervisors would
need to permit the participant's primary supervisor(s) to review the
Fedwire operations.] The participant and the service provider must
agree to make all policies, procedures, and other documentation
relating to Fedwire operations, including those related to internal
controls and data security requirements, available to the Federal
Reserve and the participant's primary supervisor(s) in English.
Previous Condition (#11)
The service provider must be subject to examination by the
appropriate federal depository institution regulatory agency(ies).
[Footnote: The U.S. federal depository institution regulatory
agency(ies) must be able to examine any aspects of the service
provider as may be necessary to assess the adequacy of the
operations and financial condition of the service provider.]
The revised condition provides the opportunity for the Federal
Reserve and the participant's primary supervisor(s) to 1) assess the
risks associated with the third-party access arrangement in the context
of the service provider's home country's bank supervision program, 2)
determine if it would be reasonable for the participant's primary
supervisor(s) to depend, to some extent, on the home country supervisor
to examine the Fedwire operation at the service provider, and 3) ensure
that the participant's primary supervisor(s) has access to relevant
Fedwire records. These conditions are intended to maintain U.S.
examiners' ability to supervise effectively the Fedwire function and to
ensure that it is managed in a safe and sound manner.
In reviewing the arrangement in the context of the foreign service
provider's home country supervision program, the Federal Reserve would
carefully consider each of the four criteria contained in this portion
of the modified policy. The Federal Reserve, however, will not grant
approval to outsource Fedwire absent an affirmative implementing
agreement with the home country supervisor.
The Federal Reserve may also discuss other supervisory issues, such
as home country laws and regulations that may limit examination access,
with the particular home country supervisor prior to approving an
arrangement involving a foreign service provider. With regard to
proposals to outsource Fedwire processing to an unaffiliated foreign
service provider, and in particular to an organization that is not a
depository institution, the Federal Reserve would discuss with the home
country supervisor issues related to the level of supervision and
examination of the proposed service provider and other issues that
could affect the risks associated with such an arrangement.
D. Review and Approval of Proposed Arrangements
Revised Condition (Closing Paragraph)
The participant's Federal Reserve Bank is responsible for
approving each proposed Fedwire third-party access arrangement. The
Directors of the Board's Division of Reserve Bank Operations and
Payment Systems and Division of Banking Supervision and Regulation
must concur with a proposed arrangement (1) in which the participant
is not affiliated through at least 80 percent common ownership with
the service provider and where the participant is owned by one of
the 50 largest bank holding companies (based on consolidated
assets), or (2) in which the service provider is located outside the
United States. Approval of a foreign service provider arrangement
would be contingent on a review of both the participant's and the
foreign service provider's Fedwire policies, procedures, and
operations, which would be conducted by the Federal Reserve prior to
the commencement of operations.
Previous Condition (Closing Paragraph)
The Federal Reserve Bank is responsible for approving each
proposed Fedwire third-party access arrangement. In a proposed
arrangement in which the participant is not affiliated through at
least 80 percent common ownership with the service provider and
where the participant is owned by one of the 50 largest bank holding
companies (based on consolidated assets), the Directors of the
Division of Reserve Bank Operations and Payment Systems and the
Division of Banking Supervision and Regulation must concur with the
arrangement.
The revised condition recognizes the potential risks associated
with
[[Page 3038]]
outsourcing Fedwire operations to a foreign service provider and the
need for Board staff review and concurrence with such arrangements.
Arrangements involving a foreign service provider warrant careful
consideration in order to determine whether the proposed arrangement
poses any undue risks and whether adequate supervisory oversight can be
maintained. An infrastructure review is appropriate to confirm
compliance with the Fedwire third-party access policy and other
relevant policies and regulations. The infrastructure review also would
permit the Federal Reserve to assess the adequacy of system integrity,
controls and contingency arrangements, and would allow it to determine
first hand whether information access issues pose unacceptable risks.
III. Effective Date
The revised Fedwire third-party access policy becomes effective
February 1, 1996.
IV. Competitive Impact Analysis
The Board assesses the competitive impact of changes that may have
a substantial effect on payment system participants. In particular, the
Board assesses whether a proposed change would have a direct and
material adverse effect on the ability of other service providers to
compete effectively with the Federal Reserve Banks in providing similar
services and whether such effects are due to legal differences or due
to a dominant market position deriving from such legal differences.
The Federal Reserve Banks' Fedwire funds transfer and book-entry
securities transfer services provide real-time gross settlement in
central bank money. While these services cannot be duplicated by
private-sector service providers, banks can make large-dollar funds
transfers through other systems, such as CHIPS, or through
correspondent book transfers, although these transactions have
attributes that differ from Fedwire transfers. Similarly, there are
private-sector securities clearing and/or settlement systems, such as
the Government Securities Clearing Corporation and the Participants
Trust Company, that facilitate primary and secondary market trades of
U.S. Treasury and agency securities. Other transactions involving U.S.
government securities may be cleared and settled on the books of banks
to the extent that the counterparties are customers of the same bank.
The Board's third-party access policy places conditions on
arrangements in which a Fedwire participant may contract with another
organization to initiate, receive, or otherwise process Fedwire
transfers. The Board has revised the policy to establish additional
conditions applicable to depository institutions wishing to access
Fedwire through a foreign service provider to ensure that the Federal
Reserve's oversight of Fedwire is not diminished or inappropriately
limited by the conduct of activity outside the United States and that
the Federal Reserve's supervisory and examination objectives are met.
Other large-dollar systems can and do place restrictions on the ability
of participants to outsource their operations to foreign service
providers. The Board's policy, as revised, does not adversely affect
the ability of depository institutions or service providers to compete
with the Federal Reserve Banks to provide funds transfer or securities
transfer services.
V. Policy Statement
The Board has amended its ``Federal Reserve System Policy Statement
on Payments System Risk'' under the heading ``I. Federal Reserve
Policy'' by replacing ``G. Fedwire Third-party Access Policy'' with the
following:
G. Fedwire Third-Party Access Policy
The Board will allow third-party access arrangements whereby a
sending or receiving institution (``the participant'') designates
another depository institution or other entity (``the service
provider'') to initiate, receive, and/or otherwise process Fedwire
funds transfers or book-entry securities transfers that are posted to
the participant's reserve or clearing account held at the Federal
Reserve, provided the following conditions are met:1
\1\This policy also applies to third-party access arrangements
in which an organization, including an office of the participant,
located outside the United States acts as service provider by
initiating, receiving, or otherwise processing Fedwire transfers on
behalf of the U.S. participant (``foreign service provider'').
---------------------------------------------------------------------------
1. The participant retains operational control of the credit-
granting process by (1) individually authorizing each funds or
securities transfer, or (2) establishing individual customer transfer
limits and a transfer limit for the participant's own activity, within
which the service provider can act. The transfer limit could be a
combination of the account balance and established credit limits. For
the purposes of this policy, these arrangements are called ``line-of-
credit arrangements.''
2. In funds transfer line-of-credit arrangements, the service
provider must have procedures in place and the operational ability to
ensure that a funds transfer that would exceed the established transfer
limit is not permitted without first obtaining the participant's
approval. In book-entry securities transfer line-of-credit
arrangements, the service provider must have procedures in place and
the operational ability to provide the participant with timely
notification of an incoming transfer that exceeds the applicable limit
and must act upon the participant's instructions to accept or reverse
the transfer accordingly.
3. Transfers will be posted to the participant's reserve or
clearing account held at the Federal Reserve, and the participant will
remain responsible for managing its Federal Reserve account, with
respect to both its intraday and overnight positions. The participant
must be able to monitor transfer activity conducted on its behalf.
4. The participant's board of directors must approve the role and
responsibilities of a service provider(s) that is not affiliated with
the participant through at least 80 percent common ownership. In line-
of-credit arrangements, the participant's board of directors must
approve the intraday overdraft limit for the activity to be processed
by the service provider and the credit limits for any inter-affiliate
funds transfers.2
\2\In cases where a U.S. branch of a foreign bank wishes to be a
participant in an arrangement subject to this policy, and its board
of directors has a more limited role in the bank's management than a
U.S. board, the role and responsibilities of the service provider
should be reviewed by senior management at the foreign bank's head
office that exercises authority over the foreign bank equivalent to
the authority exercised by a board of directors over a U.S.
depository institution.
---------------------------------------------------------------------------
5. The Board expects all participants to ensure that their Fedwire
operations could be resumed in a reasonable period of time in the event
of an operating outage, consistent with the requirement to maintain
adequate contingency backup capabilities as set forth in the
interagency policy (FFIEC SP-5, July 1989). A participant is not
relieved of such responsibility because it contracts with a service
provider.
6. In cases where the service provider is not affiliated with the
participant through at least 80 percent common ownership, the
participant must be able to continue Fedwire operations if the
participant is unable to continue its service provider arrangement
(e.g., in the event the Reserve Bank or the participant's primary
supervisor terminates the service provider arrangement).
7. The participant must certify that the arrangement is consistent
with corporate separateness and does not violate branching
restrictions.
[[Page 3039]]
8. The participant must certify that the specifics of the
arrangement will allow the participant to comply with all applicable
state and federal laws and regulations governing the participant,
including, for example, retaining and making accessible records in
accordance with the regulations adopted under the Bank Secrecy Act.
9. The participant's primary supervisor(s) must affirmatively state
in writing that it does not object to the arrangement.
10. The participant must have in place an adequate audit program to
review the arrangement at least annually to confirm that these
requirements are being met. In addition, in the case of an arrangement
involving a foreign service provider, both the participant and the
foreign service provider must have in place an adequate audit program
that addresses Fedwire operations. Audit reports in English must be
made available to the Federal Reserve and the participant's primary
supervisor(s) in the United States.
11. In the case of a service provider located within the United
States, the service provider must be subject to examination by the
appropriate federal depository institution regulatory
agency(ies).3
\3\The U.S. federal depository institution regulatory
agency(ies) must be able to examine any aspects of the service
provider as may be necessary to assess the adequacy of the
operations and financial condition of the service provider.
---------------------------------------------------------------------------
In the case of a service provider located outside the United
States, the service provider must be subject to the supervision of a
home country bank supervisor. In its review of a proposed foreign
service provider arrangement, the Federal Reserve will consider the
extent to which the service provider's home country supervisor (1)
oversees banks on a consolidated basis, (2) is familiar with
supervising payment systems activities, (3) is willing to examine the
Fedwire operations at the service provider, and (4) has demonstrated a
willingness to work closely with U.S. banking authorities in addressing
supervisory problems. In addition, the home country supervisor, the
participant, and the service provider must agree to permit the
participant's primary supervisor(s) to conduct on-site reviews of the
Fedwire operations at the foreign service provider.4 The
participant and the service provider must agree to make all policies,
procedures, and other documentation relating to Fedwire operations,
including those related to internal controls and data security
requirements, available to the Federal Reserve and the participant's
primary supervisor(s) in English.
\4\If a participant proposes to conduct its Fedwire processing
at a foreign site outside the home country of the service provider,
both the home country and host country supervisors would need to
permit the participant's primary supervisor(s) to review the Fedwire
operations.
---------------------------------------------------------------------------
12. The participant and the service provider(s) must execute an
agreement with the relevant Reserve Bank(s) incorporating these
conditions.
The participant's Federal Reserve Bank is responsible for approving
each proposed Fedwire third-party access arrangement. The Directors of
the Board's Division of Reserve Bank Operations and Payment Systems and
Division of Banking Supervision and Regulation must concur with a
proposed arrangement (1) in which the participant is not affiliated
through at least 80 percent common ownership with the service provider
and where the participant is owned by one of the 50 largest bank
holding companies (based on consolidated assets), or (2) in which the
service provider is located outside the United States. Approval of a
foreign service provider arrangement would be conditioned on
satisfactory findings of a review of both the participant's and the
foreign service provider's Fedwire policies, procedures, and
operations, which would be conducted by the Federal Reserve prior to
the commencement of operations.
By order of the Board of Governors of the Federal Reserve
System, January 24, 1996.
William W. Wiles,
Secretary of the Board.
[FR Doc. 96-1652 Filed 1-29-96; 8:45 am]
BILLING CODE 6210-01-P