Gaining Control over Payment-System Risk
Auditors could do much more to ensure that banks have enough control over the credit risks associated with cash management and other operating services.
True, some banks have finally begun to get serious about the issue as business failures have proliferated, along with Fed proposals for reducing payment-system risk.
Typically, the cash management business manager provides the driving force, with a strong assist from the credit administration department. The goal has been to make control over operational credit risk a part of the credit administration system.
Nevertheless, many banks have left enhanced control of such risk on the back burner.
Making Control Routine
Historic loss rates are not valid indicators of current or future risks. This is especially true for the fast-growing automated clearing house (ACH) and electronic data interchange products. In these areas, credit risk is rising with increased transaction volume and more high-dollar applications.
Design of risk controls is the responsibility of the cash management and credit administration departments.
Still, the auditing department can help. Auditors are most effective when measuring actual practice against documented policy and procedure. The best way to get more help from the auditors is to have in place documented procedures for controlling operational credit risk.
Documented controls are needed for existing customers as well as new ones.
Controls for existing customers can be designed to prevent unapproved exposures or just to monitor exposures that have already occurred.
For wire transfers, most banks have active controls. But for a wide range of nonwire services, the only controls in place are new-customer approvals and retrospective monitoring.
Many more banks, pushed by the regulators -- especially the Federal Reserve -- will be installing active procedures for nonwire services.
The final versions of the Fed's risk-reduction proposals, including those for measuring and pricing daylight overdrafts, are expected during the first quarter of 1992.
But the Fed will shortly provide an even more important incentive to documenting procedures for the control of operational credit risk.
That incentive will be an expanded version of the guide each bank uses to determine its daylight overdraft cap.
Currently, the cap is based on a multiple of the bank's adjusted primary capital. The multiple is determined by a factors including the bank's ability to control positions across Fed Wire.
A bank's board must approve a self-assessment of that ability each year.
The guide to making that assessment is being expanded to include the bank's ability to to control exposures associated with automated clearing house and check services.
Very few banks have the documented ACH and check controls needed for board approval.
The new guide, whose publication is expected to come early next year, will make operational credit a higher priority for many more banks.
The result will be documented procedures for which internal auditors can test compliance.
The Office of the Comptroller of the Currency is also requiring national banks to upgrade their control of operating credit risk.
Banking Circular 235, issued in May 1989, requires all national banks participating in domestic and international payment systems to:
* Periodically assess the risks associated with those systems.
* Identify responsibility for assessing risks.
* Document procedures to perform assessments.
The Bank Administration institute has been leading a project to identify risks in the payment systems to help spread the cost of complying with Circular 235. The domestic phase of the project was completed this year.
Bankers should now provide a vehicle to gain the assistance of their internal auditors. One way is to encourage the adoption of audit guidelines specifically designed for operating services.
The National Automated Clearing House Association has a good start on the process for ACH services. The group's operating guidelines include a chapter on audit controls and compliance.
Beginning next year,, the requirement for self-audit of clearing-house procedures will be part of the operating rules.
The association is also considering writing a more detailed audit guide to support the new rule and to assist banks in compliance. There is an opportunity here to focus on the control of credit risks along with rule compliance and other auditing concerns.
So, help is coming. Bankers concerned about operational credit risk can look forward to the support of a rigorous audit examination in the future.