How Risky? The Elements of Managing Retail Payments Risk

December 2011

Jennifer Windh: Welcome to the Federal Reserve Bank of Atlanta's Payments Spotlight podcast. Today, we're joined by Tony DaSilva, a senior bank examiner at the Federal Reserve Bank of Atlanta. Formerly a banker, Tony understands the perspective of both the supervisor and the supervised institution when it comes to the challenges of managing retail payments risk. Today, he will be sharing his recommendations for banks implementing an effective payment risk management program.

Tony, thanks for joining us.

Tony DaSilva: You're welcome.

Windh: So, what are some of the more common risk issues that bankers face with payment services today?

DaSilva: Payments risk management is sometimes informal, decentralized, or even just missing. Another issue is anxiety for income in this economy combined with a passive oversight of third-party senders. Sometimes they don't even understand that they have a third-party sender or originator activity. Insufficient policies and expertise for the complexity of the payment environment—we do see that in institutions of varying sizes, but primarily with our smaller community banks. Another one is a lack of adequate customer due diligence or underwriting for the exposure to credit, and also legal liability losses. Lack of effective oversight over third-party senders is another issue. Limited bank board and senior management involvement is another. Insufficient risk management and reporting. And the last one that we see a lot is inadequate NACHA Operating Rules, BSA/AML [Bank Secrecy Act/anti-money laundering], or consumer protection training for employees in management.

Windh: Can you tell us some of the basic elements of a risk management program?

DaSilva: When we talk about risk management in the payments business, we're talking about primarily credit risk, compliance risk, transaction risk, fraud risk, legal and reputational risk. So it starts, with a good risk management program, with the following:

  • Number one: Planning. Having clear, defined objectives, well-developed business strategy, clear risk payments parameters and role within the financial institution's strategic plan.
  • The second is the risk identification and assessment, and we talk about management knowledge and understanding of their risks and this is where that is critical. Incorporating that risk assessment into the bank's overall risk management process, and again this is going to vary by institution and institutions that use third parties.
  • The third step is the mitigation and controls of those risks that are identified through policies/procedures, clearly defined responsibilities, strong internal controls over transactions, a good risk-based audit program, and well-designed contracts and agreements.
  • And the final step is the measuring and monitoring. Periodic reports that allow the board and senior management to determine [that] the activities are remaining within the bank's established risk parameters.

Windh: You mentioned that bank board and senior management need to be involved with risk management. Can you be more specific about how they should engage?

DaSilva: Well, first you must determine what level of knowledge does senior management demonstrate regarding the payments products and services they offer. Do they understand the inherent product risks, the compliance requirements, the ability to monitor, the operations management and operational risks? Do they understand their reputational risks, their legal risk? How deep is the management across the product lines? Do they have subject matter experts? And finally, does management ensure that the retail payments strategy matches their overall competencies in the bank? And, in summary, their overall knowledge, experience, and abilities to execute.

Windh: We understand that an organization's risk culture should dictate how the risk management program is developed and implemented. Can you talk a little about the need for an effective risk-assessment process as a part of understanding the organization's risk culture?

DaSilva: Well, absolutely. The first step is to assess the bank's risk culture. You know, what is the financial institution's payments strategy? Are they a risk taker, or are they risk-averse? Does the bank have disciplined and consistently followed processes for initiating, analyzing, approving new products and services prior to rolling them out? Many of our institutions several years ago rolled out remote deposit capture without doing any type of risk assessment. They really didn't understand the inherent risks with that particular service.

Another issue: does the financial institution pursue relationships with high-risk merchants or originators? Does the financial institution enforce strict risk limits set by the bank's board? And is compliance with policies and controls monitored and enforced? That's very critical to managing the risk.

Windh: Well, Tony, thanks for sharing your knowledge with us.

DaSilva: You're welcome.

Windh: Again, we've been speaking today with Tony DaSilva. This concludes our Payments Spotlight podcast on payments risk management programs. You can find more information about the Retail Payments Risk Forum by visiting our website at Thanks for listening, and please return for more podcasts.

If you have comments or questions, please send us an e-mail at