This paper payments. faster. and of controls investigates the operational hazards associated with the processing of It besides clarifies why traditional controls are no longer adequate to manage in some instances. real-time processing rhythms. and recommends a new series – known as Parallel. Autonomous Audit – as the solution to these jobs.
Operational Risk – A Definition
Operational Hazard is one of the more recent add-ons to the “risk” household. and hence one of the least good understood. However. we have known about some of the constituents of Operational Risk for many old ages. The Bank of International Settlement ( BIS ) Glossary gives the undermentioned definition of Operational Risk: “The hazard that deficiencies in information systems or internal controls could ensue in unexpected losingss. ” A similar definition of Operational Risk appears in the Federal Reserve System Trading Activities manual: “ …the hazard of human mistake or fraud or that systems will neglect to adequately enter. proctor. and history for minutess or places. ” These definitions show that although Operational Risk may give rise to incorrect fiscal information. it is non rather the same
as Financial Risk. which encompasses Settlement. Liquidity. Credit. and Exchange Risk. A figure of regulative governments are get downing to concentrate on Operational Risk. now that they are get downing to acquire Market and Credit Risk under control. Operational Risk appears as one of the basiss of Basel ll. and is found or implied in Corporate Governance ordinances such as Sarbanes-Oxley subdivision 404. ISACA has done much work to supply a model for Operational Risk through its COBIT attack. ( For more information about COBIT. delight visit World Wide Web. isaca. org. )
Where Operational Risk Exists in Payment Systems
Operational Risk arises in a figure of countries within Payment Systems: Processing hazards. Authorization hazards. Computational hazards.
Whether a bank handles a payment dealing manually or via a computing machine system ( or a combination of both ) . there is a hazard that it will non make its intended finish either within an acceptable timeframe – or at all. The consequence of this may be little if a 24 hr hold of a retail customer’s payment does non ensue in a fiscal punishment. However. the customer’s dissatisfaction may happen look at a ulterior day of the month when there will be a definite impact on the bank’s concern ( e. g. . if the retail client of all time becomes a Corporate client ) . In add-on. if the payment is: A High Value time-critical payment. such as a domestic RTGS payment or an international CLS Payment. the bank may confront mulcts of many 1000000s of dollars for non run intoing its Service Level Agreement with the client. It may besides lose the Corporate history to a rival bank. In add-on. under the SarbanesOxley government. a Board Member might confront prison clip. and in the United States at least the client may action the bank for Consequential Liability. the punishments for which could set the bank out of concern. A domestic Low Value payment such as an “on us” payment cheque. may acquire lost in the Back Office of a bank. Likewise. an inter-bank payment may non make the Clearing House. the Clearing
House may non direct it right to the Central Bank for Settlement. the Central Bank may non return it right to the Clearing House after Settlement or the Clearing House may non direct it right to the intended receiving bank. An inter-bank High Value payment. the dealing way may be shorter ( traveling from the arising bank straight to the Central Bank for Settlement and so to the finish bank ) . However. the payment may still travel astray. and since it is High Value. it must make the right finish within a specified length of clip ( frequently measured in proceedingss. if non seconds ) . If it fails to make so. it will go rapidly apparent to the client that something is incorrect. An International payment. the dealing way is frequently more complex. For illustration. a payment routed through a letter writer bank web might go through through every bit many as 10 intermediate Bankss. In the same manner. a payment that a Corporate client novices and intends to settle through CLS Bank may travel from Corporate to a Third Party bank. to a Settlement bank. to CLS Bank. and so forth via another Settlement bank. another Third Party bank. and eventually to the having Corporate client. Therefore. the more links in the dealing concatenation. the more opportunities of a processing mistake. Again. if the payment is a High Value payment. any mistake becomes rapidly seeable to the client.
Payments for more than a certain value have ever needed a specified degree of mandate within a bank. Banks by and large check for this within a computing machine system. However. with the increasing accent on straightthrough processing and the machine-controlled sensing and rectification of informations mistakes. there is a demand to guarantee that corrections that require re-authorization receive it. This is possible utilizing a new type of control. called Parallel Automated Audit. A bank can implant a regulation in its concern database to verify that a rectification receives the same degree of mandate as the original dealing. Parallel. Autonomous Audit uses an independent piece of package that “sits on top of” an application or applications and proctors each dealing utilizing a database of concern regulations. These regulations specify
the way that each dealing should take. and how long it should take the payment to make its finish. Historically. Bankss have used this type of control to supervise an single computing machine system. However. as payment minutess become more complex and can follow a figure of waies. there is a turning realisation that clients hold a bank responsible for its ain processing – and for quickly observing when an mistake occurs elsewhere in the dealing concatenation. Banks by and large accept that payment minutess ever follow pre-determined paths. and that the participants are portion of a Closed User Group. The Bankss involved know that they are portion of a concatenation. and as a consequence. they unwillingly enter into a spoken duologue to seek and follow a missing payment. However. Bankss must now automatize this duologue to observe mistakes in existent – or near real-time.
There have ever been controls such as batch sums. test balances. and statement rapprochements to observe the corruptness of an point of informations – whether knowing ( fraud ) or unwilled ( package or hardware mistake ) . These controls will go on to play an of import function in payment systems. The job with such controls is that the mistakes detected merely become seeable after a period of clip ( e. g. . at the terminal of the twenty-four hours or even at the terminal of a month ) . This hold in observing and rectifying an mistake increases the opportunity that the client will happen out about it. As it becomes easier to travel an history from one bank to another. and clients no longer have the same traditional trueness. they are less likely to accept errors by their bank. Even though retail payments are of lower precedence to Bankss. the increasing frequence of uncluttering rhythms ( e. g. . Interpay in the Netherlands clears retail payments every 30 proceedingss ) requires Bankss to detect mistakes faster. This is even truer for High Value payments that Bankss are now treating in realtime. where batch-type controls are less utile.
The Parallel Automated Audit attack allows a bank to specify the profile of each single payment dealing. It besides enables the sensing and rectification of mistakes in real-time across a Closed User Group.
How Such Mistakes Occur
A information gaining control mistake where a valid. but wrong. BIC or IBAN finish codification is entered. An mistake in the middleware or application package that sends a dealing to an wrong finish. In many Bankss. a different application system handles each type of payment instrument. Therefore. if a direct debit is miscoded as a standing order. the incorrect application will treat it. The failure of a processing node or a communications nexus may neglect. This type of failure can detain a payment for an unacceptable length of clip – without giving the client any warning.
The Use of Controls
In a payments scenario. Bankss use controls to observe an mistake in the operational sequence of the procedure. These controls should observe when a dealing is mis-routed to an wrong finish – or when it fails to make its finish.
As the processing rhythm for both Low Value and High Value payments becomes shorter. there is no longer adequate clip for a bank to observe and rectify processing mistakes rapidly plenty for the client to stay incognizant that a job exists. Even when the client becomes cognizant of a job. he is progressively improbable to accept a belated response from his bank. To turn to this scenario. Bankss need to: Automatize the sensing and rectification of mistakes.
Supplement traditional batch controls with real-time monitoring of single minutess against a profile defined in a Rules database. Automatize the diagnosing and rectification of mistakes right along the dealing concatenation – and non merely in their ain computing machine systems. Technological solutions exist to turn to all of these issues. Banks that implement these solutions will be able to: Assure regulators that the bank is managing its customers’ money in a responsible manner. Increase the opportunity of retaining client histories when mistakes do occur ( as they ever will ) .
About the Writer
Jim Jones has worked in the computing machine industry for the last 40 old ages. with the last 20 of those focused on Payment Systems and Risk Management. He has consulted with a figure of states on the strategic development of their Payment Systems. and has managed the execution of some 20 national systems. Jim has besides worked to re-architect the Back Office of a figure of major international Bankss. He is a regular talker at international conferences on Payment Systems.