Purpose

The Electronic Fund Transfer Act as implemented through Regulation E was enacted to protect the rights of individuals with regard to transfers of funds involving electronic access to accounts through the use of automatic teller machines, point of sale terminals, and preauthorized transfers to and from accounts. The term “electronic fund transfer” generally refers to a transaction initiated through an electronic terminal, telephone, or computer that instructs a financial institution to credit or debit a member’s asset account. The transfer of funds involving wire transfers, business accounts or securities regulated by CFTC are not covered. The regulation requires credit unions to make certain disclosures for electronic funds transfers relating to limitations on the transfers, fees charged for making a transfer, the error resolution process, and the potential liabilities of the member, as well as those of the credit union. The Federal Reserve Board’s Regulation E implements the provisions of the EFT Act. Regulation E establishes the basic rights, liabilities, and responsibilities of consumers who use electronic fund transfer services and of financial institutions that offer these services. The purpose of this policy is to ensure quality internal controls and minimize the inherent risks associated with various EFT systems. Systems covered under this policy include any transfer of funds initiated through an electronic terminal, telephonic instrument, computer, or magnetic tape that orders, instructs, or authorizes the Credit Union or any other financial institution to debit or credit an account. The Board will periodically assess the risks associated with EFT and will update this policy at least annually.

Policy statement

It is the policy of the Elliott Community Federal Credit Union to comply with the requirements of Regulation E. All required disclosures will be clear and readily understandable, in writing, and in the form the member may keep. Elliott Community Federal Credit Union utilizes electronic fund transfer services (EFT) to manage cash resources more efficiently. Specifically, the Credit Union uses the FedWire FEDLINE system as well as Vizo Zephyr Western Union (wires) to transfer funds related to its own operations and to transfer funds on behalf of its members. The Credit Union also provides other electronic services to members, such as automatic teller machines, telephone audio response, and debit cards.

EFT SYSTEMS -The Credit Union utilizes the following EFT systems:

• FEDLINE.The FedWire Fedline system allows the Credit Union to transfer funds from its Federal Reserve account to any other depository institution.Likewise, the Credit Union may receive funds from sending depository institutions.Under the operating rules of FedWire, each transfer is final and irrevocable when the receiving depository institution is notified of the transfer.
• Retail Systems.The Credit Union offers the following electronic services to members:
  • Automatic Teller Machines
  • Telephone audio response
  • Debit cards

EFT RISK ASSESSMENT -

• Credit Risk
  • Receiver Risk. Receiver risk arises from the possibility that a sending institution will not honor a transfer. The Credit Union eliminates receiver risk by avoiding revocable transfers. Under the FedWire system all payments are final and irrevocable.
  • Sender Risk. The Credit Union assumes sender risk whenever it makes an irrevocable payment on behalf of a member through extension of credit. The Credit Union minimizes this risk by:
    • Monitoring loans and any payments against uncollected funds or insufficient balances; and
    • Initiating effective collection procedures where necessary.
• Settlement Risk. Settlement risk arises from the possibility that one participant in the payment system may be unable to honor its obligations at time of settlement, which in turn deprives other participants including the Credit Union of expected funds. Like receiver risk, settlement risk is minimized by only initiating and receiving irrevocable transfers.
• Systemic Risk. The Board acknowledges that EFT systems may expose the Credit Union to systemic risk arising from the failure of one participant to honor settlement. However, the Credit Union has determined that these risk levels are within the Credit Union's risk tolerance.
• Legal Risk and Sovereign Risk. The Board recognizes that the Credit Union is exposed to a certain degree of legal risk since there is no binding system of international commercial law for electronic payments. The Credit Union minimizes this risk by not participating in international transactions. In addition, by limiting transactions to the United States the Credit Union effectively eliminates sovereign risk resulting from adverse foreign government action.
• Operational Risk. Operational risk is the Credit Union's most significant source of EFT risk exposure. The Board delegates responsibility to management for developing adequate procedures that reduce operational risk to acceptable levels. Such procedures shall provide for physical security, data security, systems testing, contingency planning, segregation of duties, and adequate backup.

IDENTIFICATION AND CONTROL OF OPERATIONAL RISKS - The Credit Union has identified three areas of operational risk:

• System Failure. The risk that hardware or software will malfunction due to design defects, insufficient capacity, or mechanical breakdown. The Credit Union controls this risk by periodically evaluating the systems design and capacity.
• System Disruption. The risk that the EFT system is unable to process transactions due to system failure, natural disasters, fires, terrorists, or any other reason that could cause Credit Union operations to cease. The Credit Union minimizes this risk through contingency planning. In the event of system failure, wire transfers will be made through corporate central. In the event of a disaster, fire, or terrorist attack, sensitive information will be adequately secured whenever possible.
• System Compromise. The risk of improper transfers due to error, fraud, or malicious acts, including the risk that records will be damaged or that funds will be diverted, altered, or manipulated. The Credit Union controls this risk through the development and implementation of internal controls.

INTERNAL CONTROLS - The Board delegates to management the responsibility for developing, implementing, reviewing, updating, and periodically testing internal controls. Internal controls should include procedures written in accordance with the following guidelines.

• Personnel Procedures
  • The Credit Union will run security checks on all personnel hired for sensitive positions in the wire transfer area. In addition, employees in sensitive positions are required to submit periodic statements of indebtedness.
  • The Credit Union will develop and implement a training program designed to ensure accurate performance of wire transfer activities and a thorough understanding of the necessity for internal controls. The program will also train employees to identify and report possible schemes to defraud. Any EFT transaction is done by an Authorized Personnel and reviewed by another authorized personnel. When Returns are initiated, they are initiated by one Authorized Employee then approved by a second Authorized Personnel before being returned.
  • Supervisors will afford special attention to new employees assigned to work in the wire transfer function to ensure proper training and compliance with Credit Union procedures and policies. As a general rule, new employees are prohibited from working in sensitive areas of the wire transfer function.
  • The Credit Union will inform employees that their responsibilities could be rotated at any time without prior notice.
  • Relatives of employees in the wire transfer function may NOT work in the Credit Union's bookkeeping or data processing department.
  • The Credit Union will immediately reassign employees from sensitive areas of the wire transfer function upon receiving notice of resignation or upon giving notice of termination.
  • All wire information is locked in Vault area and kept under dual control at all times.
  • The Wire is initiated by one employee of the Credit Union. Then one of the authorized personnel initiates said wire with Vizo then second authorized personnel must approve wire before the wire is sent out. During this process both authorized personnel run all parties involved with the wire through the OFAC system to ensure they are not on said list.
  • We test the internal controls on an Annual Basis to ensure the procedures are being followed accordingly. The wire logs are reviewed on a Monthly Basis by Management as well as the Supervisory Committee.
  • We do initiate and accept International wires through Vizo Zephyr (Western Union). We do not accept or initiate wires to restricted countries on the OFAC List. All procedures are done dually by two Authorized personnel as all wires are handled. One authorized personnel initiate why another authorized personnel approves wire. All procedures of checking identity and checking the OFAC List are completed as well.
• Operating Procedures.
  • Separation of Duties.
    • The receipt, data entry, and authentication functions will be adequately segregated. For EFT; one employee will go in and download all EFT transactions while another authorized personnel will review said information and totals. When EFT Returns are initiated, they are done so by one authorized personnel and then must be approved by a second before any return may be done. As for wires; one designated employee will input wire into Vizo. A Second designated employee will then go in and review all of the information. They will then approve the wire once they have verified all of the information is correct.
    • The function of determining the propriety of transactions will be performed by someone who does NOT receive orders and requests.
    • The function of reviewing rejects and exceptions is performed by someone who does NOT perform the receipt, preparation, or transmittal functions.
    • Investigations of failed payments are conducted by someone independent of the operating unit.
• Security
  • Access to Area. Access to the wire transfer area is restricted to authorized personnel. Unauthorized individuals visiting the area must be accompanied by an authorized individual at all times
  • Access to Terminals.
    • Passwords. The Credit Union restricts access to wire terminals and sensitive functions through password protection. Passwords are frequently changed to ensure integrity.
    • Time-of-Day Controls. Wire terminals are regulated by time-of-day controls. All terminals in the transfer area are shut down after normal working hours. Access during unauthorized times requires supervisory approval.
    • Dual Operation. At least two authorized employees must be present during operation of the terminal.
  • Records. The wire transfer area will maintain current records and retain them for at least five years. Records include:
    • List of authorized signatures and amounts for member transfers.
    • List of officers authorized to initiate transfers relating to Credit Union investments and any limits or restrictions. See Investment Policy.
    • Advices, requests, or instructions involving transfers over $10,000. Funds transfer message requests will contain:
      1. Sequence number;
      2. Amount if funds are to be paid;
      3. Name of member making request;
      4. Date;
      5. Evidence of authentication;
      6. Paying instructions; and
      7. Authorizing signatures.
  • Order Control. All incoming and outgoing payment orders and message requests will be received in the wire transfer area, and all payment orders will be:
    1. Time stamped or sequentially numbered;
    2. Documented in a log book;
    3. Examined for signature authenticity; and
    4. Reviewed to determine whether persons initiating transfer requests have proper authority.
  • End-of-Day Controls. The following will be accounted for in an end-of-day proof to ensure that all requests have been processed.
    1. All payment orders and message requests
    2. All pre-numbered forms including cancellations
    3. Daily reconcilement of funds sent and received
  • Testing.
    • The testing area will be separated from the remainder of the operation area.
    • Test codes are:
      1. Required for telephonic requests;
      2. Used for transactions verified by someone other than the person who receives the request; At this point, the out of the box questions is initiated for verification prior to any wire being initiated or sent if additional verification is needed or member is not in person.
      3. Restricted to authorized personnel; and
      4. Maintained in a secure environment when not used.
  • Supervisory Review. A supervisor will review:
    • All transactions prior to release of payments
    • Daily reconcilement of funds transfers and message request activity;
    • Adjustments, open items, and reversals.

MANAGEMENT REVIEW -

• Reports. Management will regularly review the following reports and promptly report significant matters to the Board.
  • Fund transfer activity reports documenting the number of items received and paid as well as total volume;
  • Large overdrafts and drawings against uncollected funds;
  • Payment activity for daylight overdrafts;
  • List of suspense accounts;
  • Income and expenses relating to wire transfer operations; and
  • Other reports as directed by the Board

• Monitoring. Management will regularly review:
  • Staff and employee compliance with credit and personnel procedures, operating instructions, and other internal controls.
  • Capabilities of staff and employees.
  • Adequacy of equipment relative to current and expected volume.
  • Creditworthiness of funds transfer members.

INITIAL DISCLOSURE REQUIREMENTS

The Federal Reserve Board’s Regulation E requires that the terms and conditions of Electronic Fund Transfers for all members’ accounts be disclosed substantially in a form provided by the Federal Reserve Board before the EFT service has been initiated. Elliott Community Federal Credit Union will comply with this Federal Reserve Board requirement by providing all new members with a copy of its Membership Booklet, which list in detail on pages 11-14 the contents of the Electronic Funds Transfer Agreement and Disclosure. The initial disclosure must include the following:

• Summary of member’s liability.
• The Credit Union’s telephone number and address for unauthorized transfer notification.
• Credit Union business days.
• Type of transfers and limitations on frequency and dollar amount.
• Fees for ETFs or for the right to make transfers.
• Right to receive documentation (receipt and periodic statements).
• Summary of the member’s right to stop payment of a preauthorized EFT, and the procedure for placing a stop payment order.
• Liability of the Credit Union for failure to make or stop certain transfers.
• The circumstances under which the Credit Union may provide information regarding the member’s account to third parties.
• Error resolution procedures.
• A notice that a fee may be imposed at ATMs when the member initiates an ETF or makes a balance inquiry and that a fee may be imposed by any network used to complete the transaction.

SUBSEQUENT DISCLOSURE REQUIREMENTS

Elliott Community Federal Credit Union will mail or deliver a written notice at least 45 days before the effective date of any change in a term or condition required to be disclosed by Regulation E if the change results in:

• Increased fees for the member;
• Increased liability for the member;
• A decrease in the available types of electronic fund transfers; or
• Stricter limitations on the frequency or dollar amount of transfers.

ERROR RESOLUTION NOTICE

Elliott Community Federal Credit Union will mail or deliver an error resolution notice (similar to the initial notice) to the member on an annual basis. Alternatively, an abbreviated notice may be included in each periodic statement.

PERIODIC STATEMENTS

Elliott Community Federal Credit Union will provide periodic statements on member account activity for each monthly cycle in which an EFT has occurred and, at least quarterly if no EFT has occurred or if access is limited to pre-authorized transfers. The periodic statement must include the following information:

Transaction information:

• The amount of the EFT including any charges and the date debited or credited.
• Type of transaction and account affected.
• If initiated at an electronic terminal (ATM), the location including city, state or foreign country must be listed.
• The name of the third party to whom or from whom the funds have been transferred.
• Account number
• Fees
• Account balances in the beginning and at the end of the statement period.
• Address and telephone number for inquires.
• Telephone number for preauthorized transfers.

ATM DISCLOSURES

If the Credit Union charges a fee for EFT or balance inquires, Elliott Community Federal Credit Union will be required to disclose this fact along with the amount of the fee. This disclosure will be located on or at the ATM, and on either the screen or the paper receipt, before the user is committed to paying the fee. The Credit Union will make a receipt available to ATM users upon request, at the time the member initiates the EFT at an electronic terminal. The receipt must include the following information:

• The amount of the transfer. A fee may be imposed so long as it is displayed on or at the terminal and is listed on the receipt.
• The date the transfer is initiated.
• An identification code or number that identifies the user’s account(s) or the access devise used to initiate the transfer.
• The terminal location,
• The name of any third party to or from who funds are transferred.

ERROR RESOLUTION PROCESS

The member’s liability is $0 as long as they dispute transactions within 2 business days of the loss or theft of their debit card – or refer to the debit card policy. Errors include the following:

Transaction information:

• An unauthorized EFT
• An incorrect amount to or from an account
• An omission of an EFT on a periodic statement
• A computation error made by the Credit Union
• Receipt of an incorrect amount of cash from an electronic terminal
• Improper identification on a periodic statement
• A request for additional documentation

The Credit Union will comply with the requirements for resolving errors in response to any oral or written notice from a member that meets the following criteria:

• It is received by the Credit Union no later than 60 days from the time the periodic statement is sent, or the passbook documentation is provided, on which the error is reflected
• It enables the Credit Union to identify the member’s name and account number; and
• Indicates why the member believes an error existed and includes to the extent possible the type, date, and amount of the error
• The credit union may require the member to provide written confirmation of the request within 10 business days of an oral notice

All errors will be resolved, and necessary adjustments made to the member’s account within ten business days from the date of receipt of the member’s notice. The results of the investigation will be provided to the member within three business days after the investigation is concluded. Elliott Community Federal Credit Union may extend the ten-business daytime limit to forty-five calendar days from receipt of the notice if more time is needed to conduct the investigation. In these situations, the member’s account will be credited within ten (10) business days for the amount in error.

INTERNAL AUDITS

The Supervisory Committee will oversee an annual comprehensive audit of operational internal controls and submit its findings to the Board.

• Audit Findings. The Board report should include an assessment of risks, evaluation of the adequacy of controls, and determination of compliance with this policy and applicable laws, regulations, and rules.
• Board Action. The Board will review audit findings and institute corrective action to address deficiencies noted.

The audit is completed by the assessment from Policy 310 and addressed at the board meeting annually.

TRAINING/UPDATING

Elliott Community Federal Credit Union will provide training to all affected employees and update policies and procedures as needed to reflect regulatory changes.

RECORD RETENTION POLICY

Elliott Community Federal Credit Union will retain all documentation relating to EFT’s for at least two years. The credit union will also retain, until final disposition, records relating to any action filed under the Electronic Fund Transfer Act. Records to be retained include:

Deposit Slips/credit tickets for each transaction or equivalent direct deposit or wire transfer over $100.00	5 Years	31 CFR 103
Wire copies or advices	5 Years	31 CFR 103.33
Wire transfer debit and credit entries	5 Years	31 CFR 103.33
Wire transfer log	5 Years	31 CFR 103.33
ATM Card Agreements	2 Years after account is closed	12 CFR 1005.31
Billing dispute documentation of required actions	2 Years after settlement  of dispute	Reg. Z 1026.25, Reg. E actions 12 CFR 1005.31 and 12 CFR 1005.13
EFT Reg. E disclosure procedure compliance evidence	2 Years	12 CFR 1005.13 Consumer Credit Protection Act
ATM Activity/Transaction Report	2 Years	12 CFR 1005.13
ATM Proprietary or Network Report	2 Years	12 CFR 1005.13