Expand Remote Deposit & Mitigate Risk:


IMAGING & PAYMENTS PROCESSING: How Smart Financial Institutions Can Apply the FFIEC Guidelines to Remote Deposit
sales@profitstars.com 877.827.7101

Contents
The Intent of the FFIEC Guidance
Preparing for an RDC Examination
Step 1: Assess
Step 2: Abate
Step 3: Audit
A Deposit is Still a Deposit
Conclusion

Regulatory guidance issued in January 2009 on managing the risk of remote deposit capture has prompted concern from financial institutions uncertain about how to interpret the broadly written document. An overly strict interpretation of the guidance could lead some institutions to adopt burdensome risk-mitigation activities that would quickly put a crimp in the business case for RDC. Interpreting the guidance too loosely, however, could put institutions at odds with their regulators, ultimately harming their ability to keep up with competitors in the fast-paced RDC market.

The guidance, issued by the Federal Financial Institutions Examination Council, is far from specific. Rather, it is full of admonitions to senior management about things it should, could, might, and may do. Interpreting the guidelines in a way that fully satisfies regulators yet does not put an outsized burden on the resources required to support the product is important. The fact is that nobody would like to see the financial industry's ability to reduce cost and better serve customers through RDC impaired by uncertainty surrounding the guidelines.

RDC has become one of the most successful new product offerings in the history of banking. Smart financial institutions have rushed to offer RDC in a bid to win over corporate customers that view the service as a productivity boon. Using RDC, these customers can send digitized images of checks into the bank, eliminating time-consuming trips to the branch. Many banks have successfully gained new deposit business, and even expanded their geographic reach, by promoting the time-saving aspects of RDC to corporate customers.

Another attraction to RDC is the security features it offers. The risks of traditional paper-based transaction processing involve lost, stolen, photocopied or falsely produced checks. In addition, the paper-based system is prone to significant human error. And there is no audit trail available to verify that teller tasks, such as validating checks, performing signature verifications and ensuring complete endorsements exist, were performed. In comparison, the latest RDC technologies, through various access and audit controls, manage risk much more effectively.

From an installed base of zero in 2004, the number of remote deposit capture devices deployed at companies around the country grew to nearly 400,000 by the end of 2008, and is expected to reach as many as 3.2 million capture points by 2012 and 5 million by 2014, according to recent projections from the Boston-based research firm, Celent. Growth in 2008 alone reached a 65% compound annual rate, Celent said. Nearly two-thirds of all U.S. banks, or 7,200 of them, were offering remote deposit capture by the end of 2008.

[Figure: Historic RDC Adoption, 2004-2008. Series: # FIs Adopting and # Seats Deployed. Source: 2008 Oliver Wyman, www.oliverwyman.com, State of Remote Deposit Capture 2008: Sprint Becomes A Marathon]

Many financial institutions also view RDC as a critical part of an overall strategy to boost deposits. That view has only intensified with the premium banks are placing on deposit-gathering in the current economic environment. Given RDC's strong track record and great potential for generating new business and deposits, financial institutions must take care to judiciously interpret the FFIEC guidance. Successfully implementing the guidance will help preserve the viability of what has become an essential tool for reducing cost and better serving customers.

While the broad parameters of the guidance may have generated concern, financial institutions can work to meet and even exceed examiner expectations through a series of simple steps. A three-step process (Assess, Abate and Audit) can help institutions manage the task of measuring up to the guidelines.

The Intent of the FFIEC Guidance

The FFIEC guidance on RDC has elicited a wide range of reaction since its publication. Analysts have called it prudent, but greater in scope than expected with potentially far-reaching consequences. The guidance certainly establishes a strong tone with regard to exam scrutiny and management accountability. At the same time, it provides a practical blueprint for managing RDC risk, clearing the way for banks to move forward with expanded offerings of this important service.

The FFIEC guidance makes it clear that there are unique aspects to RDC that impact risk management. It asserts that as a new deposit channel, RDC needs to be dynamically monitored and properly managed. Significantly, the guidance places responsibility for RDC plans and policies squarely on the shoulders of the financial institution's board of directors and senior management.

While the scope of the guidance has elicited concern from financial institutions about heavy-handed regulation, there are reasons to believe regulators will take a measured approach as they assess financial institutions' RDC businesses.

First of all, rather than apply the same risk-mitigation requirements to all financial institutions, the guidance indicates that examinations will be tailored, based on the size and complexity of the bank, the scale of its RDC business relative to other activities, and the risk profile of the bank's RDC customers. These factors will help determine the appropriate level of governance, oversight and risk management required for RDC.

In addition, because the amount of RDC-related losses due to fraud and risky activity has been so small to date that it is considered insignificant, it is likely that the level of RDC scrutiny by regulatory bodies will diminish in comparison to what was originally proposed in January.

Finally, there is no denying that the regulators have their hands full with a variety of issues, including overseeing the industry's overall asset quality. Given the current economic environment, RDC oversight will not be ignored, but emphasis on it may lessen in comparison to other priorities.

Preparing for an RDC Examination

To adequately prepare for an RDC examination from an enterprise-wide perspective, financial institutions should follow a three-step process:

Assess: Identify and understand legal, compliance, reputation and operational risks.
Abate: Establish policies, procedures and controls to mitigate the assessed risk.
Audit: Document the consistent application of those policies, procedures and controls.

Briefly, the three steps call upon financial institutions to conduct a risk assessment, determine their risk profile, proactively implement tools and controls to mitigate that risk and document why these tools and controls are appropriate. Documentation consists of a risk policy approved by the board of directors, as well as operational procedures approved by senior management which address the specific RDC activities of the institution and the technology used for deployment. The procedures should directly tie back into the risk policy.

Thus compliance is about determining, tracking and documenting the level of risk and how that risk is managed, and proving that the established procedures were followed. Examples of documentation may include credit files on RDC customers, proof that RDC customers received education and training on the RDC system deployed, and notes from any onsite or online audits performed on RDC customers. Documentation also includes the reports and audit trails provided by the financial institution's RDC software vendor used to monitor the use of the service.

As part of the preparatory process, institutions should seek out hardware and software from reputable vendors that contain fraud detection tools such as access controls, business rules, check-image analysis, duplicate detection, encryption, user tracking and real-time review capabilities. Other important risk mitigation features include multi-factor authentication and limits on transactions. Institutions must ensure that these tools are used consistently for the level of determined risk and according to the written policies and procedures that have been established.

Step 1: Assess

Just as no two financial institutions are alike, no two have the same RDC risk profile. Each financial institution must assess its unique RDC risk, determine its responsibilities in mitigating that risk and document its readiness. Examiners will be looking for institutions to produce risk policies that specifically address legal, compliance, reputation and operational risk. Failure to properly address these risks exposes the institution to regulatory action and a diminished ability to use RDC to attain new customers or serve existing ones.

More detailed information on examiners' expectations will be available in The Retail Payments System Booklet of the FFIEC IT Examination Handbook, scheduled to be released in late 2009; however, financial institutions can also reference high-level descriptions of risk management processes existing within the FFIEC Bank Secrecy Act (BSA)/Anti-Money Laundering (AML) Examination Manual.

Just as each financial institution is unique, so are the risk factors for each potential customer. Rather than creating completely new procedures, a financial institution can also use the above-mentioned resources to determine customer risk, as the guidance states that information gathered while conducting customer identification and customer due diligence procedures in fulfillment of the institution's BSA/AML program can support the assessment of customer suitability.

The FFIEC lays responsibility for assessing and managing RDC risk on the financial institution's board of directors and senior management. Their responsibilities include: approving RDC plans, policies and significant expenditures; ensuring that management is identifying, assessing, measuring, mitigating and monitoring RDC risk; and monitoring RDC performance, implementations and ongoing operations.

The FFIEC guidance makes clear that the technical method of deploying RDC in no way changes the level of responsibility for the board and senior management. Institutions may offer their customers RDC through an application service provider (ASP) or through a hosted solution installed and run by the institution. Either way, the board and senior management are ultimately responsible for overseeing risk management of the RDC system.

Step 2: Abate

Once risk has been assessed and documented, financial institutions must demonstrate they have the technology and procedures in place to identify and mitigate that risk.

Much of the FFIEC guidance for RDC revolves around commercially reasonable practices such as qualifying and training customers, conducting due diligence on vendors, documenting policies and procedures, ensuring business continuity and data security and constructing comprehensive agreements for RDC clients. At a minimum, a financial institution's RDC risk abatement should address: the types of customers using RDC and their deposit limits; the use of appropriate review and approval controls; the detection of duplicate items; and methods of fraud prevention.

Financial institutions should also assess the network interfaces and encryption used to securely manage and transmit data and images to the bank from RDC customers. Particularly important is ensuring that confidential customer information cannot be accessed by unauthorized individuals.

The following baseline controls are considered standard:

Daily total-deposit amount limits
Individual/company transaction-amount limits
Controls to facilitate separation of duties (dual controls are a very strong method of reducing risk)
Minimum password requirements
Duplicate detection
Adaptive or multi-factor authentication
Defined user authorities/permissions

Of particular concern to financial institutions is whether the FFIEC will require financial institutions to personally visit RDC customer sites to ensure the proper risk mitigation procedures and controls are in place. Such visits would be onerous for institutions of all sizes. Indeed, the cost to institutions of visiting customer sites, which in some cases are long distances, would make it impractical for many institutions to continue to offer RDC.

The FFIEC guidance pertaining to on-site visits reads: "When the level of risk warrants, financial institution staff should include visits to the customer's physical location as part of the suitability review." So whether a financial institution will need to conduct a site visit will depend on the risk assessment it completed in Step 1. Financial institutions able to demonstrate they have conducted appropriate due diligence on an RDC customer should not be required to make an on-site visit. Similarly, if an institution can prove that it has adequately assessed and addressed risks at customer locations, then franking devices, another area of concern to financial institutions, should not be required.

The customer suitability review starts with a list of customers that use RDC, how these customer segments were qualified, and the number of transactions and dollar values each typically processes. Most examiners will also want to see a copy of the bank's standard contractual agreement for RDC customers.

The FFIEC guidance also states that financial institutions should ensure customers receive sufficient training. One way to address this is through software and service providers that offer step-by-step online and telephone-based training as a complement to their basic RDC offerings. Institutions should also document customer attendance at training sessions.

Step 3: Audit

The third step, audit, proves that financial institutions consistently follow the policies, procedures and controls they have determined to be necessary. The technology behind many RDC solutions enables reporting that financial institutions can use to highlight RDC trends and exceptions. A system that can track and report all customer activity, for example, is useful from an audit perspective. Senior management and board members should regularly review reports on performance, implementation and ongoing operations, especially for violations of agreements and transaction thresholds.

The guidance suggests that the FFIEC recognizes that technology-driven services such as RDC are capable of evolving over time and need to be managed dynamically. Institutions must be prepared to recognize changing situations, such as those brought on by a change in technology, risk tolerance or federal regulation, and be able to take quick action as necessary.

A Deposit Is Still a Deposit

When evaluating the risks of RDC, keep in mind that RDC is a deposit rather than a withdrawal. As such, it poses credit risk only if a bank grants provisional credit for funds, allowing immediate withdrawals. Unlike automated clearinghouse transactions, there is no opportunity for an RDC customer to direct a credit outside the primary financial institution offering the RDC service.

Checks themselves have some risk, but RDC does not in and of itself make depositing checks more risky. If an item is returned for non-sufficient funds (NSF), the same risk applies whether the item was presented remotely or in person at the branch. Fraudulent checks present a risk, and could be more difficult to detect once an item is converted to an image. However, with the proper risk mitigation technologies in place, RDC becomes at least as secure, if not more so, than deposits made by way of the branch, ATM or mail.

The bottom line is that there is no evidence of any increased losses attributed to RDC. In addition, RDC is potentially more secure than other channels because it removes numerous physical touch points from the deposit process, reducing the likelihood of mistakes. By automating check deposits, financial institutions ensure that business rules for funds availability or image quality are applied consistently to every transaction. And with most scanners able to detect the presence of MICR, RDC may be better equipped to detect fraudulent checks than tellers in the branch. So whether made by a slip of paper or through an electronic image, a deposit is still a deposit.

Financial institutions will also need to present auditable proof that their RDC systems address confidentiality, integrity and availability of data. Financial institutions that utilize ASP or vendor-hosted solutions can leverage the annually updated SAS-70 Type II audit to specifically address security concerns outlined in the FFIEC guidance.

Conclusion

The recently released FFIEC guidance should not pose any obstacles to RDC deployment. As in any FFIEC exam, bankers need to prepare documentation to pre-empt concerns that individual examiners may have. Be prepared to speak the language of the guidance and meet each of the controls with foresight.

The financial industry's motivation for accurately interpreting the FFIEC guidelines is high, given the importance of the technology in fostering deposit growth and transaction-processing security. With its advanced security and risk management features, RDC may well emerge as the safest method for accepting deposits, compared to traditional channels that lack similar controls. In addition, RDC's ability to increase a bank's geographic footprint and enter into new markets without establishing brick-and-mortar branches is significant, given the industry's emphasis on deposit growth.

Financial institutions can increase their confidence in their ability to meet the guidelines by following the three-step process of Assess, Abate and Audit. As an established technology, there is a wealth of best-practices information that financial institutions can apply to manage any RDC risk. Institutions should seek out best-of-breed RDC systems that incorporate fraud-detection tools, such as access control, business rules, check-image analysis, duplicate detection, encryption, user tracking and real-time review capabilities. Supported by a system that incorporates these features, RDC is an exceptionally secure channel for taking deposits.

About ProfitStars

ProfitStars, a division of Jack Henry & Associates, Inc., provides best-of-breed solutions that improve the performance of financial institutions of all asset sizes and charters, and diverse corporate entities. These solutions facilitate revenue and growth, risk mitigation and control, and cost control; and complement virtually any core information processing platform. Additional information is available at www.profitstars.com.

ProfitStars is a leading provider of remote deposit capture solutions, ranked No. 1 in end-user deployments by Celent, a prominent global research firm. ProfitStars helps financial institutions of all sizes succeed with in-house, ASP, browser-based, commercial and retail remote deposit applications. Visit the company's RDC Resource Center at http://discover.profitstars.com/remotedepositexpert, or contact us at www.sales@profitstars.com. Additional information is available at or by calling 877.827.7101

© 2014 Jack Henry & Associates, Inc. ProfitStars is a registered trademark of Jack Henry & Associates, Inc.