Consumers and organizations have a variety of options for making and receiving payments. While these payment types share the ultimate goal of transferring funds from payer to payee, the path those funds travel and the approaches employed for safely and securely completing transactions vary. The Secure Payments Task Force developed the Payment Lifecycles and Security Profiles as an educational resource and to provide perspectives related to:
- The lifecycles of the most common payment types, covering enrollment, transaction flow and reconciliation
- Security methods, identity management controls and sensitive data occurring at each step in the payment lifecycles
- Relevant laws and regulations, and other references, as well as challenges and improvement opportunities related to each payment type
The profiles employ a consistent format for describing the lifecycle of each payment type. The lifecycle template is not designed to represent the nuances of specific payment transaction flows, but as a broad taxonomy that can be applied across different payment types for understanding and comparing controls and risks. The profiles are not all-encompassing in describing the layered security strategies that may be employed by specific networks, providers or businesses and shouldn’t be considered an assessment of overall security of different payment types. The improvement opportunities noted in the profiles highlight areas for further industry exploration and are not intended as guidance or specific solutions to be implemented.
These valuable resources were developed through the collaborative efforts of more than 200 task force participants with diverse payments and security expertise and perspectives. It is the hope of the task force that by helping industry stakeholders better understand these payments processes, the security and risks associated with these processes, and potential improvement opportunities, they will be well positioned to take action to strengthen their payment security practices.
Note: These materials were created by the Secure Payments Task Force and are intended to be used as educational resources. The information provided in the Payment Lifecycles and Security Profiles does not necessarily reflect the views of any particular individual or organization participating in the Secure Payments Task Force. The document is not intended to provide business or legal advice and is not regulatory guidance. Readers should consult with their own business and legal advisors.
Feedback and/or questions related to the Payment Lifecycles and Security Profiles can be submitted by using the “provide feedback” form.
This overview supports the Payment Lifecycle and Security Profile for the Check Payment Type.
Check Definition: A check payment is a negotiable instrument drawn against deposited funds and used to pay a specific entity a specific amount of funds on demand. A check is routed from the payer to the payee and deposited at the payee’s financial institution. Some or all funds are made available to the payee on deposit and the item is routed to the payer’s financial institution for settlement. The payer’s financial institution shifts funds from the payer’s account upon receipt of the item. Historically, paper checks were physically routed, but today, much of check routing is done electronically.
Overview of Laws, Regulations and References on Payment Security (Including Challenges and Improvement Opportunities)
Legal and Regulatory References
Federal Reserve Operating Circular 3 (OC 3) Collection of Cash Items and Returned Checks
Uniform Commercial Code Articles 3 (Negotiable Instruments) and 4 (Bank Deposits and Collections) (as adopted by the states)
Regulation CC: Availability of Funds and Collection of Checks, 12 Code of Federal Regulation (CFR) § 229.1 et seq.
Expedited Funds Availability Act, 12 U.S. Code (U.S.C.) § 4001 et seq.
Regulation DD: Truth in Savings (maximum limits of number / amounts of deposits), 12 CFR § 1030.1 et seq.
Check Clearing for the 21st Century, 12 U.S.C. § 5001 et seq.
Regulation J: Collection of Checks and Other Items By Federal Reserve Banks, 12 CFR § 210.25 et seq.
Financial Crimes Enforcement Network (FinCEN) Bank Secrecy Act, 31 U.S.C. § 5311, et seq.; 31 CFR § 1010.100, et seq. (implementing regulations); Federal Financial Institutions Examination Council (FFIEC), Bank Secrecy Act/Anti-Money Laundering Examination Manual (2014)
Customer Identification Program (CIP), 31 CFR § 1020.220, et seq.
Identity Theft Red Flags Rules, 12 CFR § 41.90 (OCC); 12 CFR § 222.90 (FRB); 12 CFR § 334.90 (FDIC); 12 CFR § 717.90 (NCUA); 16 CFR § 681.1 (FTC); 17 CFR § 162.30 (CFTC); 17 CFR § 248.201 (SEC)
Remote Deposit Capture (RDC) and Mobile Remote Deposit Capture (MRDC)
- FFIEC, Authentication in an Internet Banking Environment (October 12, 2005)
- FFIEC, Supplement to Authentication in an Internet Banking Environment (June 28, 2011)
- FFIEC, Risk Management of Remote Deposit Capture (January 14, 2009)
- Vendors/third-party processors typically provide MRDC solutions to financial institutions. These arrangements are likely governed through contracts and regulations rather than through standards.
- See FFIEC IT Handbook: http://ithandbook.ffiec.gov/it-booklets/retail-payment-systems/payment-instruments,-clearing,-and-settlement/check-based-payments/remote-deposit-capture.aspx
Remotely Created Check (RCC)
- FFIEC, Authentication in an Internet Banking Environment (October 12, 2005)
- FFIEC, Supplement to Authentication in an Internet Banking Environment (June 28, 2011)
- An RCC does not bear the signature of the person on whose account the check is drawn. Instead, the RCC bears the account holder’s printed or typed name or a statement that the account holder authorized the check. The account holder can authorize the creation of an RCC by telephone by providing the appropriate information, including the Magnetic Ink Character Recognition (MICR) data. RCCs may be cleared over a check clearing network or processed as ACH debits, and are subject to the rules that apply to the chosen path.
- See FFIEC IT Handbook: http://ithandbook.ffiec.gov/it-booklets/retail-payment-systems/payment-instruments,-clearing,-and-settlement/check-based-payments/remotely-created-checks.aspx
Office of the Comptroller of the Currency (OCC) Bulletin 2008-12
Board of Governors of the Federal Reserve System, Guidance on Managing Outsourcing Risk (Dec. 5, 2013) – FRB SR 13-19: Third-party oversight guidance, set of cyber-risk oversight activities, which includes reporting and expectations for Boards of Directors and Senior Management.
FFIEC IT Exam Handbooks: Some of the handbooks are more frequently a factor in exams, but they all contain provisions that impact payments compliance in the areas of confidentiality, availability, data integrity, privacy and third-party oversight.
- FFIEC, IT Examination Handbook, Information Security (Sept. 2016)
- FFIEC, IT Examination Handbook, Retail Payment Systems (Apr. 2016)
- FFIEC, IT Examination Handbook, Supervision of Technology Service Providers (Oct. 2012)
FFIEC, Cybersecurity Assessment Tool (CAT) (June 2015): The CAT is a support tool issued by the FFIEC to assist financial organizations with managing cyber-risk. CAT is strongly encouraged by some U.S. States, but in general, it is based on existing guidance and thus does not constitute new regulation.
Gramm-Leach-Bliley Act (1999), 15 U.S.C. § 6801 et seq.
Regulation P, Privacy of Consumer Financial Information, 12 CFR part 1016.1 et seq. – enacted to control how financial institutions manage the private information of individuals. In addition, the Interagency Guidelines Establishing Standards for Safeguarding Customer Information include provisions associated with the role of risk management, boards and third-party oversight.
Federal Trade Commission Act (1914), 15 U.S.C. § 45(a) (prohibiting “unfair or deceptive acts or practices in or affecting commerce”); 16 CFR § 314.3 (requiring companies to develop written information security programs to protect customer information)
Consumer Financial Protection Act of 2010, 15 U.S.C. § 5531 et seq. (prohibiting “unfair, deceptive, or abusive act[s] or practice[s]. . .” in consumer finance)
State-based cybersecurity and breach laws: Compliance is challenging because of the variation among the states’ sets of regulations, which include the following coverage:
- All 50 states address unauthorized access, malware and viruses
- 20 states address spyware
- 23 states address phishing
Source: National Conference of State Legislatures
International cybersecurity regulations and related data-protection laws: These vary widely and continue to evolve; e.g. European Union General Data Protection Regulation (May 2018); Japan: The Act on the Protection of Information (May 2017)
For ACH transactions, see applicable regulations in the ACH Payment Lifecycle and Security Profile. See 12 CFR 1005.3(c)(1) (under Regulation E, the term “electronic fund transfer” does not include “a/any transfer of funds originated by check, draft, or similar paper instrument”).
Office of Foreign Assets Control (OFAC)/Sanction Screening
Other References
American National Standards Institute (ANSI) ASC X9 Technical Report (TR) 8 – Check Security Guidelines
- Provides information for people involved in paper check or electronic check processing to become more familiar with industry practices and processes that identify and deter fraudulent use of paper checks, check images and electronically transmitted check data.
- Discusses tools that detect and prevent fraud, covering topics from high-tech software to low-tech physical control of the source documents.
ANSI X9.100 Series Check Image Exchange Basics (Formerly Check 21)
- 100-181 TIFF Image Format for Image Exchange
- 100-187 Electronic Exchange of Check and Image Data
National Institute of Standards and Technology (NIST) Cybersecurity Framework
Electronic Clearing House Organization (ECCHO) rules
Challenges and Improvement Opportunities
It is unclear whether the existing FFIEC regulatory framework is sufficient to address RCC and RDC.
New security standards are needed to address a potential increase in check fraud, whether from fraudsters opening checking accounts to perpetrate broader identity fraud and to develop ways of creating counterfeit checks, or from fraud associated with mobile RDC.
Last Updated: 02/21/2018