From payments-fintech-compliance
Drafts a payments risk assessment for a fintech, money transmitter, BaaS platform, neobank, wallet, or sponsor-bank program: a matrix-shaped artifact denominated by rail (ACH, Same Day ACH, wire, card debit / credit, FedNow, RTP, P2P, check, cross-border correspondent, virtual-currency on-ramp), by customer segment (consumer, SMB, payroll-on-demand, gig, BNPL, cross-border remittance, high-risk vertical), and by US-state and corridor geography. Carries fraud, BSA / AML, sanctions, operational resilience, third-party / sponsor-bank dependence, customer-harm / UDAAP, and reporting-control views, with concentration sub-tables for sponsor-bank, processor, and BIN-sponsor exposure. Output suits a sponsor-bank annual review, a state MTL exam preparation file, an internal audit kickoff, or an enterprise risk committee read-out.

Best for:
- A program operator, sponsor-bank program-management team, or money transmitter is running its annual or semi-annual payments risk assessment and second-line is owning the artifact.
- A new product, rail, or corridor is being added and the team needs the delta-risk view.
- An exam letter or sponsor-bank annual review has asked for the rail-by-rail risk picture and the team is preparing the response file.
- A processor consolidation, sponsor-bank change, or BIN-sponsor change has shifted the risk profile and the team needs to re-baseline.

Not the right tool when:
- The work is a controls inventory for a fintech being read by its sponsor bank (use `fintech-partner-controls`).
- The work is incident-specific (use `payment-operations-incident-review`).
- The work is data-access permissioning under §1033 (use `open-banking-data-controls`).
- The work is enterprise-wide and not payments-rail-dominant (use `risk-compliance-core/risk-assessment` with the payments-fintech overlay).
- The work is BSA / AML model monitoring or sanctions screening QA in isolation (use `financial-crime-governance/aml-model-monitoring` or `sanctions-screening-qa` with the payments-fintech overlay).
How this skill is triggered — by the user, by Claude, or both

Slash command: `/payments-fintech-compliance:payments-risk-assessment [program operator type, rails in scope, segments in scope, geographic footprint, review trigger]`

The summary Claude sees in its skill listing (used to decide when to auto-load this skill):

A payments risk assessment is the artifact a sponsor-bank reviewer, a state-MTL examiner, an internal auditor, or a risk committee expects to see at the start of an annual cycle, a program review, or a delta-risk review when a rail, segment, or corridor changes. The work is to denominate the program in rails, customer segments, and geographies, then read fraud, BSA / AML, sanctions, operational resilience, sponsor-bank / processor / BIN-sponsor dependence, customer-harm / UDAAP, and reporting controls against each cell. The shape is a matrix, not a narrative. The skill stops at draft; the second-line lead, the BSA officer, the head of payments compliance, or the sponsor-bank operating committee owns sign-off.
This skill produces the assessment as a markdown artifact (templates/default-output.md shape) and a structured record (schemas/payments-risk-assessment.schema.json) that downstream skills consume. The matrix is rail-by-rail, segment-by-segment, and geography-by-geography; the cross-cutting risks (fraud, AML / sanctions, op resilience, UDAAP, reporting, cyber) layer on top with pointers to the deep-dive skills that own the detail. Concentration is three sub-tables, not one line.
Before drafting, get plain answers. Most engagements answer them in the first conversation; default and flag where they do not.
When scope is supplied, the skill consumes it (institution.type, institution.primary_regulators, sector_overlay_set, cross_cutting_overlay_set, persona.role, source_posture). When it is not supplied, ask the questions and default to public posture if the practitioner declines. Note in the artifact that scope was not formalised.
The assessment has the same spine across program-operator types. A senior reviewer fills it in roughly in the order the program is structured, not in lockstep.
The frame opens with the program summary: program-operator role, sponsor banks (each one named by role, not by brand), processors (front-end, back-end, gateway), BIN sponsors per network, ledger provider, KYC / CIP vendor, fraud-decision vendor, sanctions-screening vendor, geographic footprint by US state and corridor, customer base size by segment, and current-cycle volume and value by rail. The summary is one page. Detail goes into the matrix rows.
The risk universe by rail is the first matrix. One row per rail in scope. Columns: inherent risk; the top three rail-specific failure modes; key controls; residual risk; top three KRIs (rail-specific, not portfolio-level); owner role. The failure modes are not generic:
- ACH: unauthorised-return-rate breach against current NACHA thresholds, administrative-return-rate breach, Same Day ACH cutover errors, WEB Debit account-validation failure under the rule effective March 19, 2021.
- Card: chargeback-rate program escalation, fraud-rate program escalation under the network's monitoring program, BIN-sponsor reporting failure.
- FedNow and RTP: settlement-finality irrevocability, request-for-return-of-funds latency, ISO 20022 message-field anomalies.
- Cross-border correspondent: OFAC-screening latency, correspondent-bank de-risking, FX-disclosure timing under Reg E §1005.31 subpart B.
Cite each failure mode by file path into references/source-anchors.md rather than restating the rule text.
The risk universe by customer segment is the second matrix. One row per segment in scope. Columns: inherent risk; top failure modes (UDAAP themes per segment, dispute / chargeback profile, AML / sanctions profile, fraud-pattern profile); key controls; residual risk; top KRIs; owner. Segment-level UDAAP is the highest-frequency examiner finding in this lane: account-closure / hold without notice or recourse, fee-disclosure-vs-actual reconciliation, FDIC-insurance representation under the FDIC misrepresentation rule (12 CFR Part 328 Subpart B), Reg E §1005.11 timing failures presented as both Reg E and UDAAP, BNPL fee and dispute presentation, dark-pattern risk in onboarding. Pull the cross-cutting conduct overlay in by default; pull the consumer-compliance deep-dive (consumer-compliance-fair-lending/udaap-risk-review with the payments-fintech overlay) for the substantive review.
The risk universe by geography is the third matrix. One row per US state in scope plus one row per corridor country if the program operates cross-border. Columns: licensing posture (MTL via NMLS; Money Transmitter Modernization Act adoption status for the state; MSB registration where applicable; state DFI / DOB registration; specialised licences such as NYDFS BitLicense for VC activity, CA DFPI under the CA Money Transmission Act and California Consumer Financial Protection Law); top failure modes (state UDAP regime, state breach-notification statute, state cross-border remittance rules); key controls; residual risk; owner. Default-to-USA on the geography row is wrong; the operative obligations are state-by-state.
The concentration views are three sub-tables, not one line. Sponsor-bank concentration: top-N share by deposits, volume, customer count; scenario impact under single-sponsor exit; appetite posture; standby sponsor and dual-sponsor architecture status. Processor concentration: top-N share by volume and value per rail; scenario impact under single-processor outage or consent-order; rail-by-rail redundancy status. BIN-sponsor concentration: top-N share of card volume and outstanding cards; scenario impact under BIN-sponsor exit or fraud-rate program escalation; debit-vs-credit and network-by-network coverage. Cross-link to third-party-operational-resilience/concentration-risk-review (with the payments-fintech overlay) for the portfolio-level analysis; raise the flag here, do the deeper analysis there.
The cross-cutting risks layer the topics that cut across rails and segments. Fraud (rail-specific signal denominators; faster-payments irrevocability driven typology shift); AML / sanctions (cross-link to financial-crime-governance/aml-model-monitoring and sanctions-screening-qa with the payments-fintech overlay; corridor-by-corridor screening cadence; Travel Rule applicability under 31 CFR §1010.410(f) for transmittals at threshold); operational resilience (rail-availability against impact tolerance; sponsor-bank cutover capability; in-flight-clock preservation under transition); customer-harm / UDAAP (theme-by-theme control review against current CFPB Supervisory Highlights and Circular series); reporting and data quality (denominators, granularity, timeliness; Reg E §1005.11 dispute-data timing as both an internal KRI and an examiner-facing report); cyber (NYDFS Part 500 where applicable; GLBA Safeguards §314.4; sponsor-bank cyber-notification chain; processor and fraud-decision vendor cyber posture; cross-link to risk-reporting/cyber-disclosure-readiness for the disclosure leg). Each topic gets a row with risk owner, top three KRIs, and the deep-dive skill reference. Do not restate the deep-dive analysis here; this is the matrix view.
The risk-appetite posture lays a green / yellow / red read across the top-quintile cells of the matrix above against firm appetite. Where firm appetite is not on file, mark [evidence needed] rather than fabricating a threshold. Trigger conditions for red-to-amber escalation are named per cell.
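The three concentration sub-tables and the appetite read described above, as an added worked example that is not part of the skill or its schema: it builds sponsor-bank, processor (per rail), and BIN-sponsor rows from constructed exposure figures, computes top-1 share and single-provider-exit impact, and rates each row green / amber / red against a hypothetical appetite, emitting the page's [evidence needed] marker where no appetite is on file. Provider names, volumes, and thresholds are all constructed placeholders.

```python
from typing import Dict, List, Optional, Tuple

EVIDENCE_NEEDED = "[evidence needed]"  # marker used when firm appetite is not on file

# Constructed sample exposures (illustrative units; placeholder names, not real institutions)
SPONSOR_BANK_VOLUME = {"sponsor_bank_A": 720.0, "sponsor_bank_B": 180.0, "sponsor_bank_C": 100.0}
PROCESSOR_VOLUME_BY_RAIL = {
    "ACH":  {"processor_X": 600.0, "processor_Y": 400.0},
    "card": {"processor_X": 950.0, "processor_Z": 50.0},
}
BIN_SPONSOR_CARDS = {"bin_sponsor_P": 900.0, "bin_sponsor_Q": 100.0}

# Hypothetical firm appetite on top-provider share per view; None means not on file
APPETITE = {
    "sponsor_bank": {"amber": 0.40, "red": 0.60},
    "processor": {"amber": 0.50, "red": 0.75},
    "bin_sponsor": None,
}

def top_n_share(exposure: Dict[str, float], n: int = 1) -> List[Tuple[str, float]]:
    """Top-N providers with their share of the view's total, largest first."""
    total = sum(exposure.values())
    ranked = sorted(exposure.items(), key=lambda kv: kv[1], reverse=True)[:n]
    return [(name, round(value / total, 4)) for name, value in ranked]

def single_exit_impact(exposure: Dict[str, float], provider: str) -> float:
    """Share of the view that has no home if this one provider exits or goes down."""
    return round(exposure[provider] / sum(exposure.values()), 4)

def rag(share: float, appetite: Optional[Dict[str, float]]) -> str:
    """Green / amber / red against appetite; [evidence needed] when appetite is absent."""
    if appetite is None:
        return EVIDENCE_NEEDED
    if share > appetite["red"]:
        return "red"
    if share > appetite["amber"]:
        return "amber"
    return "green"

def concentration_row(view: str, exposure: Dict[str, float], appetite) -> Dict[str, object]:
    """One sub-table row: top provider, its share, exit impact, rating, escalation flag."""
    top_name, top_share = top_n_share(exposure, 1)[0]
    rating = rag(top_share, appetite)
    return {"view": view, "top_1": top_name, "top_1_share": top_share,
            "single_exit_impact": single_exit_impact(exposure, top_name),
            "rating": rating, "escalate": rating == "red"}

def build_concentration_tables() -> Dict[str, object]:
    """Three sub-tables: sponsor-bank, processor (one row per rail), BIN-sponsor."""
    return {
        "sponsor_bank": concentration_row("sponsor_bank", SPONSOR_BANK_VOLUME, APPETITE["sponsor_bank"]),
        "processor": {rail: concentration_row(f"processor/{rail}", ex, APPETITE["processor"])
                      for rail, ex in PROCESSOR_VOLUME_BY_RAIL.items()},
        "bin_sponsor": concentration_row("bin_sponsor", BIN_SPONSOR_CARDS, APPETITE["bin_sponsor"]),
    }
```

Rows rated red are the ones the assessment flags here for the deeper concentration-risk-review analysis; a row marked [evidence needed] is a missing appetite threshold, not a finding.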
The KRIs and reporting cadence dictionary names each KRI with definition, source system, threshold (where set; otherwise [evidence needed]), owner role, and reporting cadence (board, ERC, sponsor-bank operating committee, sponsor-bank TPRM, state-MTL annual report). Rail-specific KRIs sit alongside cross-cutting KRIs.
The recommended remediation portfolio ties items back to specific risk references with action, owner role, target date, and evidence link. The portfolio is the bridge from assessment to work plan; it does not approve or decide.
The artifact closes with open items and named follow-ups, source citations with date, and the recommended disposition (baseline-accepted, accept-with-conditions, remediate-then-re-baseline, escalate). Disposition is a draft recommendation. The named approver — head of payments compliance, BSA officer, sponsor-bank chief compliance officer counterpart, board risk committee — decides.
Every material claim cites a source from references/source-anchors.md (or a loaded overlay) by file path; unsupported claims are marked [evidence needed]. The matrix denominators are rails, segments, and geographies (a generic enterprise taxonomy with payments-flavoured failure modes dropped in is not this artifact). Concentration is three sub-tables (sponsor-bank, processor, BIN-sponsor). State geography rows do not default to "USA". The §1033 status note repeats wherever §1033 obligations are touched: the rule was finalised October 22, 2024 but is in a stayed compliance-date posture and a CFPB-initiated reconsideration with an ANPR — date-stamp each citation and record which dates are stayed, which are operative, and which are subject to further rulemaking. The CFPB payment-app larger-participant rule (November 2024) is nullified by PL 119-11 effective May 9, 2025; do not carry a direct-CFPB-supervision row anchored to that rule. The Section 1071 small-business-lending rule was revised May 2026 and applies only where the program originates small-business credit. MSB-vs-not is configuration-specific against the FinCEN administrative-ruling library, not a categorical claim. Faster-payments rails (FedNow, RTP) carry settlement-finality irrevocability and the recovery mechanic is request-for-return-of-funds, not chargeback. NACHA and card-network rule citations are paywalled and carry the disclaimer "current edition; specific sections to be confirmed against the firm's licensed copy". Named institutions appear in narrative only when they are public defendants in a finalised enforcement action with a published consent order. The artifact is a draft and the named approver decides.
Assessment depth and length scale to the trigger and the audience. A sponsor-bank annual-review file reads longer than a quarterly delta-risk review. A board-risk-committee read-out collapses the matrices to heat-map summaries with the supporting rows in an appendix; a state-MTL exam preparation file leads with the state geography row and the MTL / NMLS posture, with the rail and segment matrices supporting. A new-corridor delta review focuses on the affected corridor country, the affected rail rows, and the cross-cutting AML / sanctions and operational-resilience overlays; the unchanged rows summarise to a status line. Sector overlay loading is fixed (this skill is the payments-fintech sector flagship; the overlay is references/sector-overlays/payments-fintech.md). Cross-cutting overlay loading follows scope plus the rule that conduct and cyber are default-on for any payments program touching consumers and rails respectively, and privacy is default-on where the firm processes NPI through fraud or AML monitoring beyond the baseline.
- references/source-anchors.md — citations and excerpts for the named anchors.
- references/sector-overlays/payments-fintech.md — payments-fintech sector flavour (this is the sector flagship; the overlay carries the rail-specific, sponsor-bank-specific, money-transmitter-specific detail and the §1033 status note).
- references/cross-cutting/cyber.md, conduct.md, privacy.md — cross-cutting flavour. Conduct is default-on for any consumer-facing program; cyber is default-on for any program with processor / ledger / fraud-decision vendor exposure (substantively all of them); privacy is default-on where customer-data flows for fraud and AML monitoring extend beyond baseline.
- references/firm-overlay.md — firm-installed policy, taxonomy, decision forums and sign-off owners, risk-appetite thresholds beyond the regulatory baseline; consumed when present.
- templates/default-output.md — assessment template.
- schemas/payments-risk-assessment.schema.json — structured-output contract for downstream consumption.
- examples/ — BNPL program operator preparing its annual assessment after a CFPB action wave; cross-border remittance fintech reassessing risk after adding RTP and a new corridor.
- TROUBLESHOOTING.md — recurring pitfalls (generic taxonomy with payments flavour dropped in; default-to-USA geography; sponsor-bank-only concentration; treating BNPL as a single rail; missing the faster-payments irrevocability shift; categorical MSB assertions).

The plugin-level shared references (references/source-map.md, references/policy-control-library.md, references/public-regulatory-scenarios.md) sit at the plugin root and are consulted alongside the skill-level files.
Default to drafting against templates/default-output.md. Render as Word, Excel, PowerPoint, or Markdown when the audience or workflow asks for it; a sponsor-bank annual-review file usually rides as a Word document with the matrices in Excel appendices, a board read-out as a deck. Produce the structured record at schemas/payments-risk-assessment.schema.json when downstream automation or a registered consumer needs it. Downstream consumers: concentration-risk-review reads the three concentration sub-tables for portfolio-level analysis; fintech-partner-controls reads the rail and segment rows for the sponsor-bank-facing controls inventory; payment-operations-incident-review reads the rail, segment, and geography baselines when an incident lands; aml-model-monitoring and sanctions-screening-qa read the corridor-by-corridor view and the cross-cutting AML / sanctions row; udaap-risk-review reads the segment matrix for the conduct overlay; regulatory-change-management/exam-brief reads the geography matrix and the MTL / NMLS posture for state-track exam preparation. The schema is the cross-skill contract; additive changes only. Add fields, do not rename or repurpose them. A breaking change is a versioned migration with the downstream skills told in advance.
npx claudepluginhub anotb/second-line-financial-services --plugin payments-fintech-compliance