IMAGING & PAYMENTS PROCESSING

How Smart Financial Institutions Can Apply the FFIEC Guidelines to Remote Deposit

sales@profitstars.com | 877.827.7101
Contents

The Intent of the FFIEC Guidance
Preparing for an RDC Examination
Step 1: Assess
Step 2: Abate
Step 3: Audit
A Deposit Is Still a Deposit
Conclusion
Regulatory guidance issued in January 2009 on managing the risk of remote deposit capture (RDC) has prompted concern from financial institutions uncertain about how to interpret the broadly written document. An overly strict interpretation of the guidance could lead some institutions to adopt burdensome risk-mitigation activities that would quickly put a crimp in the business case for RDC. Interpreting the guidance too loosely, however, could put institutions at odds with their regulators, ultimately harming their ability to keep up with competitors in the fast-paced RDC market.

The guidance, issued by the Federal Financial Institutions Examination Council, is far from specific. Rather, it is full of admonitions to senior management about things it should, could, might, and may do. It is important to interpret the guidelines in a way that fully satisfies regulators yet does not place an outsized burden on the resources required to support the product. The fact is that nobody would like to see the financial industry's ability to reduce cost and better serve customers through RDC impaired by uncertainty surrounding the guidelines.

RDC has become one of the most successful new product offerings in the history of banking. Smart financial institutions have rushed to offer RDC in a bid to win over corporate customers that view the service as a productivity boon. Using RDC, these customers can send digitized images of checks to the bank, eliminating time-consuming trips to the branch. Many banks have successfully gained new deposit business, and even expanded their geographic reach, by promoting the time-saving aspects of RDC to corporate customers.

Another attraction of RDC is the security features it offers. The risks of traditional paper-based transaction processing involve lost, stolen, photocopied or falsely produced checks. In addition, the paper-based system is prone to significant human error.
Nor is there an audit trail available to verify that teller tasks, such as validating checks, verifying signatures and confirming that endorsements are complete, were actually performed. In comparison, the latest RDC technologies, through various access and audit controls, manage risk much more effectively.

From an installed base of zero in 2004, the number of remote deposit capture devices deployed at companies around the country grew to nearly 400,000 by the end of 2008, and is expected to reach as many as 3.2 million capture points by 2012 and 5 million by 2014, according to recent projections from the Boston-based research firm Celent. Growth in 2008 alone reached a 65% compound annual rate, Celent said. Nearly two-thirds of all U.S. banks, or 7,200 of them, were offering remote deposit capture by the end of 2008.

[Chart: Historic RDC Adoption, 2004 to 2008. Left axis: # FIs Adopting (0 to 8,000); right axis: # Seats Deployed (0 to 450,000). Source: Oliver Wyman, www.oliverwyman.com, State of Remote Deposit Capture 2008: Sprint Becomes A Marathon (2008).]
Many financial institutions also view RDC as a critical part of an overall strategy to boost deposits. That view has only intensified with the premium banks are placing on deposit-gathering in the current economic environment. Given RDC's strong track record and great potential for generating new business and deposits, financial institutions must take care to interpret the FFIEC guidance judiciously. Successfully implementing the guidance will help preserve the viability of what has become an essential tool for reducing cost and better serving customers.

While the broad parameters of the guidance may have generated concern, financial institutions can work to meet and even exceed examiner expectations through a series of simple steps. A three-step process (Assess, Abate and Audit) can help institutions manage the task of measuring up to the guidelines.

The Intent of the FFIEC Guidance

The FFIEC guidance on RDC has elicited a wide range of reaction since its publication. Analysts have called it prudent, but greater in scope than expected, with potentially far-reaching consequences. The guidance certainly establishes a strong tone with regard to exam scrutiny and management accountability. At the same time, it provides a practical blueprint for managing RDC risk, clearing the way for banks to move forward with expanded offerings of this important service.

The FFIEC guidance makes it clear that there are unique aspects to RDC that affect risk management. It asserts that, as a new deposit channel, RDC needs to be dynamically monitored and properly managed. Significantly, the guidance places responsibility for RDC plans and policies squarely on the shoulders of the financial institution's board of directors and senior management.

While the scope of the guidance has elicited concern from financial institutions about heavy-handed regulation, there are reasons to believe regulators will take a measured approach as they assess financial institutions' RDC businesses.
First of all, rather than applying the same risk-mitigation requirements to all financial institutions, the guidance indicates that examinations will be tailored, based on the size and complexity of the bank, the scale of its RDC business relative to other activities, and the risk profile of the bank's RDC customers. These factors will help determine the appropriate level of governance, oversight and risk management required for RDC.

In addition, because RDC-related losses due to fraud and risky activity have been so small to date that they are considered insignificant, it is likely that the level of RDC scrutiny by regulatory bodies will diminish in comparison to what was originally proposed in January.

Finally, there is no denying that the regulators have their hands full with a variety of issues, including overseeing the industry's overall asset quality. Given the current economic environment, RDC oversight will not be ignored, but emphasis on it may lessen in comparison to other priorities.

Preparing for an RDC Examination

To adequately prepare for an RDC examination from an enterprise-wide perspective, financial institutions should follow a three-step process:

- Assess: Identify and understand legal, compliance, reputation and operational risks.
- Abate: Establish policies, procedures and controls to mitigate the assessed risk.
- Audit: Document the consistent application of those policies, procedures and controls.

Briefly, the three steps call upon financial institutions to conduct a risk assessment, determine their risk profile, proactively implement tools and controls to mitigate that risk, and document why these tools and controls are appropriate. Documentation consists of a risk policy approved by the board of directors, as well as operational procedures approved by senior management that address the specific RDC activities of the institution and the technology used for deployment. The procedures should tie directly back to the risk policy.
Thus compliance is about determining, tracking and documenting the level of risk and how that risk is managed, and proving that the established procedures were followed. Examples of documentation may include credit files on RDC customers, proof that RDC customers received education and training on the RDC system deployed, and notes from any onsite or online audits performed on RDC customers. Documentation also includes the reports and audit trails provided by the financial institution's RDC software vendor that are used to monitor the use of the service.

As part of the preparatory process, institutions should seek out hardware and software from reputable vendors that contain fraud detection tools such as access controls, business rules, check-image analysis, duplicate detection, encryption, user tracking and real-time review capabilities. Other important risk mitigation features include multi-factor authentication and limits on transactions. Institutions must ensure that these tools are used consistently for the level of risk determined and according to the written policies and procedures that have been established.

Step 1: Assess

Just as no two financial institutions are alike, no two have the same RDC risk profile. Each financial institution must assess its unique RDC risk, determine its responsibilities in mitigating that risk and document its readiness. Examiners will be looking for institutions to produce risk policies that specifically address legal, compliance, reputation and operational risk. Failure to properly address these risks exposes the institution to regulatory action and a diminished ability to use RDC to win new customers or serve existing ones.
More detailed information on examiners' expectations will be available in the Retail Payments System Booklet of the FFIEC IT Examination Handbook, scheduled to be released in late 2009; in the meantime, financial institutions can also reference the high-level descriptions of risk management processes in the FFIEC Bank Secrecy Act (BSA)/Anti-Money Laundering (AML) Examination Manual.

Just as each financial institution is unique, so are the risk factors for each potential customer. Rather than creating completely new procedures, a financial institution can also use the above-mentioned resources to determine customer risk, as the guidance states that "information gathered while conducting customer identification and customer due diligence procedures in fulfillment of the institution's BSA/AML program can support the assessment of customer suitability."

The FFIEC lays responsibility for assessing and managing RDC risk on the financial institution's board of directors and senior management. Their responsibilities include: approving RDC plans, policies and significant expenditures; ensuring that management is identifying, assessing, measuring, mitigating and monitoring RDC risk; and monitoring RDC performance, implementations and ongoing operations.

The FFIEC guidance makes clear that the technical method of deploying RDC in no way changes the level of responsibility for the board and senior management. Institutions may offer their customers RDC through an application service provider (ASP) or through a hosted solution installed and run by the institution. Either way, the board and senior management are ultimately responsible for overseeing risk management of the RDC system.

Step 2: Abate

Once risk has been assessed and documented, financial institutions must demonstrate they have the technology and procedures in place to identify and mitigate that risk.
Much of the FFIEC guidance for RDC revolves around commercially reasonable practices such as qualifying and training customers, conducting due diligence on vendors, documenting policies and procedures, ensuring business continuity and data security, and constructing comprehensive agreements for RDC clients. At a minimum, a financial institution's RDC risk abatement should address: the types of customers using RDC and their deposit limits; the use of appropriate review and approval controls; the detection of duplicate items; and methods of fraud prevention.

Financial institutions should also assess the network interfaces and encryption used to securely manage and transmit data and images from RDC customers to the bank. Particularly important is ensuring that confidential customer information cannot be accessed by unauthorized individuals.

The following baseline controls are considered standard:

- Daily total-deposit amount limits
- Individual/company transaction-amount limits
- Controls to facilitate separation of duties (dual controls are a very strong method of reducing risk)
- Minimum password requirements
- Duplicate detection
- Adaptive or multi-factor authentication
- Defined user authorities/permissions

Of particular concern to financial institutions is whether the FFIEC will require them to personally visit RDC customer sites to ensure the proper risk mitigation procedures and controls are in place. Such visits would be onerous for institutions of all sizes. Indeed, the cost of visiting customer sites, which in some cases are long distances away, would make it impractical for many institutions to continue to offer RDC.

The FFIEC guidance pertaining to on-site visits reads: "When the level of risk warrants, financial institution staff should include visits to the customer's physical location as part of the suitability review." So whether a financial institution will need to conduct a site visit will depend on the risk assessment it completed in Step 1. Financial institutions able to demonstrate they have conducted appropriate due diligence on an RDC customer should not be required to make an on-site visit. Similarly, if an institution can prove that it has adequately assessed and addressed risks at customer locations, then franking devices, another area of concern to financial institutions, should not be required.

The customer suitability review starts with a list of customers that use RDC, how these customer segments were qualified, and the number of transactions and dollar values each typically processes. Most examiners will also want to see a copy of the bank's standard contractual agreement for RDC customers.

The FFIEC guidance also states that financial institutions should ensure customers receive sufficient training. One way to address this is through software and service providers that offer step-by-step online and telephone-based training as a complement to their basic RDC offerings.
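To make the baseline controls above concrete, the following is an added illustration written for this page; it is not ProfitStars code and not taken from the FFIEC guidance. It is a small Python intake filter that applies per-item and daily deposit limits, duplicate detection keyed on the MICR line and amount, dual control (a second, different authorized approver) for items above a threshold, and defined user permissions, and it records every accept or reject decision in an audit trail that can feed the exception review the audit step calls for. The customer profile, limits, user names, MICR strings and the one-day batch are all constructed assumptions.

```python
"""RDC intake controls: an added illustration, not ProfitStars or FFIEC code.
Applies the baseline controls listed above (per-item and daily limits, duplicate
detection, dual control over a threshold, defined user permissions) and keeps an
audit trail. Customer profile, limits, user names and the batch are constructed."""
from dataclasses import dataclass
from datetime import date
from decimal import Decimal
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class CustomerProfile:
    customer_id: str
    item_limit: Decimal         # largest single check the customer may deposit
    daily_limit: Decimal        # largest total accepted per business day
    dual_control_over: Decimal  # items above this need a second approver
    authorized_users: Set[str]  # users permitted to act for this customer


@dataclass
class DepositItem:
    customer_id: str
    submitted_by: str
    approved_by: Optional[str]  # second user for dual control, if supplied
    business_date: date
    micr_line: str              # constructed stand-in for the MICR read
    amount: Decimal


@dataclass
class AuditEvent:
    item: DepositItem
    decision: str               # "accepted" or "rejected"
    reason: str


class RdcIntakeControls:
    def __init__(self, profiles: List[CustomerProfile]):
        self.profiles = {p.customer_id: p for p in profiles}
        self.seen: Set[Tuple[str, str, Decimal]] = set()   # accepted (customer, MICR, amount)
        self.daily_totals: Dict[Tuple[str, date], Decimal] = {}
        self.audit_log: List[AuditEvent] = []

    def _violation(self, item: DepositItem) -> Optional[str]:
        """Return the first control the item fails, or None if it passes all of them."""
        profile = self.profiles[item.customer_id]
        if item.submitted_by not in profile.authorized_users:
            return f"user {item.submitted_by} not authorized for this customer"
        if (item.customer_id, item.micr_line, item.amount) in self.seen:
            return "duplicate item: same MICR line and amount already accepted"
        if item.amount > profile.item_limit:
            return f"item amount exceeds per-item limit of {profile.item_limit}"
        running = self.daily_totals.get((item.customer_id, item.business_date), Decimal("0"))
        if running + item.amount > profile.daily_limit:
            return f"daily total would exceed limit of {profile.daily_limit}"
        if item.amount > profile.dual_control_over:
            if item.approved_by is None:
                return "dual control required: no second approver"
            if item.approved_by == item.submitted_by:
                return "dual control required: approver must differ from submitter"
            if item.approved_by not in profile.authorized_users:
                return f"approver {item.approved_by} not authorized for this customer"
        return None

    def evaluate(self, item: DepositItem) -> AuditEvent:
        reason = self._violation(item)
        if reason is None:
            # Only accepted items feed the duplicate set and the daily running total.
            self.seen.add((item.customer_id, item.micr_line, item.amount))
            key = (item.customer_id, item.business_date)
            self.daily_totals[key] = self.daily_totals.get(key, Decimal("0")) + item.amount
            event = AuditEvent(item, "accepted", "all baseline controls passed")
        else:
            event = AuditEvent(item, "rejected", reason)
        self.audit_log.append(event)
        return event

    def exception_report(self) -> List[AuditEvent]:
        """Rejected items, i.e. the exceptions management reviews in the audit step."""
        return [e for e in self.audit_log if e.decision == "rejected"]


def run_sample_batch() -> RdcIntakeControls:
    """Constructed one-day batch for a hypothetical customer; each item exercises one control."""
    acme = CustomerProfile("ACME", Decimal("5000"), Decimal("12000"), Decimal("2500"), {"jdoe", "mlee"})
    d, micr = date(2009, 6, 1), "R000000000 A000123456 C"   # constructed MICR prefix
    batch = [
        DepositItem("ACME", "jdoe", None, d, micr + "1001", Decimal("1200.00")),
        DepositItem("ACME", "jdoe", None, d, micr + "1001", Decimal("1200.00")),    # same check scanned twice
        DepositItem("ACME", "jdoe", None, d, micr + "1002", Decimal("3000.00")),    # needs a second approver
        DepositItem("ACME", "jdoe", "mlee", d, micr + "1002", Decimal("3000.00")),  # resubmitted with approver
        DepositItem("ACME", "jdoe", "mlee", d, micr + "1003", Decimal("6000.00")),  # over the per-item limit
        DepositItem("ACME", "jdoe", "mlee", d, micr + "1004", Decimal("4500.00")),
        DepositItem("ACME", "jdoe", "mlee", d, micr + "1005", Decimal("4000.00")),  # would break the daily limit
        DepositItem("ACME", "intern", None, d, micr + "1006", Decimal("100.00")),   # user not authorized
    ]
    controls = RdcIntakeControls([acme])
    for item in batch:
        controls.evaluate(item)
    return controls


if __name__ == "__main__":
    for e in run_sample_batch().exception_report():
        print(e.item.business_date, e.item.customer_id, e.item.micr_line, e.item.amount, e.reason)
```

Of the eight constructed items, three are accepted and five land on the exception report, one for each control. Two design choices matter for the audit step: rejected items never update the duplicate set or the daily total, so a customer who corrects a rejected submission is not penalised for the first attempt, and every decision, accepted or not, is written to the audit log so the report to management shows both the exceptions and the volume they were drawn from.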
Institutions should also document customer attendance at training sessions.

Step 3: Audit

The third step, audit, proves that financial institutions consistently follow the policies, procedures and controls they have determined to be necessary. The technology behind many RDC solutions enables reporting that financial institutions can use to highlight RDC trends and exceptions. A system that can track and report all customer activity, for example, is useful from an audit perspective. Senior management and board members should regularly review reports on performance, implementation and ongoing operations, especially for violations of agreements and transaction thresholds.

The guidance suggests that the FFIEC recognizes that technology-driven services such as RDC evolve over time and need to be managed dynamically. Institutions must be prepared to recognize changing situations, such as those brought on by a change in technology, risk tolerance or federal regulation, and be able to take quick action as necessary.

A Deposit Is Still a Deposit

When evaluating the risks of RDC, keep in mind that RDC is a deposit rather than a withdrawal. As such, it poses credit risk only if a bank grants provisional credit for funds, allowing immediate withdrawals. Unlike automated clearinghouse transactions, there is no opportunity for an RDC customer to direct a credit outside the primary financial institution offering the RDC service.

Checks themselves carry some risk, but RDC does not in and of itself make depositing checks riskier. If an item is returned for non-sufficient funds (NSF), the same risk applies whether the item was presented remotely or in person at the branch. Fraudulent checks present a risk, and could be more difficult to detect once an item is converted to an image. However, with the proper risk mitigation technologies in place, RDC becomes at least as secure as, if not more secure than, deposits made by way of the branch, ATM or mail.
The bottom line is that there is no evidence of any increased losses attributed to RDC. In addition, RDC is potentially more secure than other channels because it removes numerous physical touch points from the deposit process, reducing the likelihood of mistakes. By automating check deposits, financial institutions ensure that business rules for funds availability or image quality are applied consistently to every transaction. And with most scanners able to detect the presence of MICR, RDC may be better equipped to detect fraudulent checks than tellers in the branch. So whether made by a slip of paper or through an electronic image, a deposit is still a deposit.
Financial institutions will also need to present auditable proof that their RDC systems address confidentiality, integrity and availability of data. Financial institutions that utilize ASP or vendor-hosted solutions can leverage the annually updated SAS-70 Type II audit to specifically address the security concerns outlined in the FFIEC guidance.

Conclusion

The recently released FFIEC guidance should not pose any obstacles to RDC deployment. As in any FFIEC exam, bankers need to prepare documentation to pre-empt concerns that individual examiners may have. Be prepared to speak the language of the guidance and meet each of the controls with foresight.

The financial industry's motivation for accurately interpreting the FFIEC guidelines is high, given the importance of the technology in fostering deposit growth and transaction-processing security. With its advanced security and risk management features, RDC may well emerge as the safest method for accepting deposits, compared to traditional channels that lack similar controls. In addition, RDC's ability to increase a bank's geographic footprint and enter new markets without establishing brick-and-mortar branches is significant, given the industry's emphasis on deposit growth.

Financial institutions can increase their confidence in their ability to meet the guidelines by following the three-step process of Assess, Abate and Audit. Because RDC is an established technology, there is a wealth of best-practices information that financial institutions can apply to manage any RDC risk. Institutions should seek out best-of-breed RDC systems that incorporate fraud-detection tools, such as access control, business rules, check-image analysis, duplicate detection, encryption, user tracking and real-time review capabilities. Supported by a system that incorporates these features, RDC is an exceptionally secure channel for taking deposits.
About ProfitStars

ProfitStars, a division of Jack Henry & Associates, Inc., provides best-of-breed solutions that improve the performance of financial institutions of all asset sizes and charters, and diverse corporate entities. These solutions facilitate revenue and growth, risk mitigation and control, and cost control, and complement virtually any core information processing platform. Additional information is available at www.profitstars.com.

ProfitStars is a leading provider of remote deposit capture solutions, ranked No. 1 in end-user deployments by Celent, a prominent global research firm. ProfitStars helps financial institutions of all sizes succeed with in-house, ASP, browser-based, commercial and retail remote deposit applications. Visit the company's RDC Resource Center at http://discover.profitstars.com/remotedepositexpert, or contact us at sales@profitstars.com. Additional information is available at www.profitstars.com or by calling 877.827.7101.

© 2014 Jack Henry & Associates, Inc. ProfitStars is a registered trademark of Jack Henry & Associates, Inc.