Customer Authentication
Purpose of the authentication script.
Verify identity consistently to reduce social engineering and fraud risk.
Why must month‑end net cash differences be resolved promptly?
To ensure books match physical cash and reduce loss/fraud exposure and findings.
Control purpose of imaging required account documents into EIV before or at account activation.
Evidence of disclosures and authorization; prevents “missing from EIV” exceptions and ensures audit traceability.
Why must key/combination logs be current?
Proves access control and deters misuse; supports reviews.
Why are timely updates after SDB surrender critical?
Prevents unauthorized access and ensures correct billing/records.
One thing you must never solicit or accept over the phone
Sensitive credentials such as PINs or full passwords
Define dual control in vault operations
Two associates jointly access, count, and record to prevent single‑person risk.
Best action when a required disclosure isn’t in EIV after opening
Obtain/confirm client acknowledgment, image and index correctly, and document remediation and timing.
First step if a key is lost or unaccounted for.
Escalate, resecure per procedure (rekey/change combo), and document end‑to‑end.
Required evidence for SDB access changes.
Signed access update plus identity verification, imaged and indexed.
A red flag that should trigger stepped‑up verification
Urgency pressure, inconsistent answers, or unusual requests outside normal patterns.
A practice that avoids quarterly vault fine‑count misses.
Calendar holds with alternates, checklist sign‑offs, and manager review with documented evidence.
Name two indexing pitfalls that trigger exceptions
Wrong document‑type label and incomplete or mismatched customer or account identifiers.
Best practice when changing combinations
Dual control, immediate log updates, and confirm the change works.
A common SDB maintenance error that drives exceptions.
Not removing surrendered access in all required systems/logs.
Control‑correct response when a phone request fails authentication
Do not proceed; offer in‑person verification or call back using a verified number on file.
First steps when a variance exceeds threshold.
Stop and recount, reconcile logs, review transactions/footage as required, escalate per policy, and document.
Client refuses a disclosure acknowledgment—what is the control‑correct next step?
Do not proceed; escalate per procedure and document both refusal and guidance received
Handling temporary vendor key custody.
Use sign‑in/out log, dual control where required, and escort policy adherence.
Practice to prevent SDB exceptions during staffing gaps.
Dual‑verification checklist and end‑of‑day audit of SDB transactions.
Why documenting failed authentication attempts matters.
Provides evidence of control effectiveness and supports investigations and trend analysis
Documentation miss that turns a small variance into a CMR finding.
Missing investigation notes or lack of evidence of timely manager review.
One proactive step to prevent “signature card(s) missing from EIV"
Use a new‑account checklist with an EIV imaging/verification step before completion.
Evidence reviewers look for on access logs.
Completeness, dates/times, signatures/initials, and manager review.
Logs and system disagree—what’s the control‑correct path?
Investigate, correct records, document actions, and escalate as required.