RDC Audit & Compliance: Lessons from the Battlefield


Kevin Olsen, AAP, NCP, Payments Space Advisors
September / October 2, 2014
Be sure to tweet about the #RDCSummit and mention @RDCTweet

Disclaimer
This presentation and applicable materials are intended for general education purposes, and nothing in this presentation should be considered to be legal, accounting or tax advice. You should contact your own attorney, accountant or tax professional with any specific questions you might have related to this presentation that are of a legal, accounting or tax nature.
Image source: Thinkstock

Session Description
The saying "The best way to learn is to learn from others' mistakes" is never more true than when it comes to financial risk management, audit and compliance. Join us for an engaging session revealing common pitfalls found across dozens of RDC Compliance and Audit reviews.
Key take-aways:
- Understand best practices and lessons learned in RDC Audits from experts who have performed dozens of reviews
- Learn the common mistakes made by financial institutions which lead to negative audit reviews
- Be able to implement a framework to help ensure successful audit and compliance reviews

Areas of the Risk Assessment: ASSESSING THE RISK
- RDC Risk Policy
- RDC Product Risk Assessment
- BSA/AML Risk Assessment
- Vendor Due-Diligence
- Customer Due-Diligence & Implementation

Areas of the Risk Assessment: MITIGATION AND CONTROLS
- Customer Agreement
- Test of Merchant RDC Agreements
- Customer Training
- Operational Controls

Areas of the Risk Assessment: MEASURING AND MONITORING
- File Monitoring
- Test of Measuring and Monitoring
- Management & Board Oversight
- Customer Monitoring
- Vendor Monitoring & Change Management

Top 5 Merchant Findings
1. RDC Policy/Procedures are Lacking / Customer Training
2. FI uses a Canned Agreement (Agreement Issues)
3. Monitoring for Red Flags and/or Anomalies
4. BSA Officer Included
5. Duplicate Presentments

Top 5 Mobile Findings
1. Customer Due Diligence (Who Gets the Service?)
2. Duplicate Presentments
3. Deposit Velocity Thresholds for Customers
4. Termination
5. Vendor Management

The Real World
The following are findings from RDC risk assessments we have performed:
- Some are from merchant
- Some are from mobile
- Some are from both

RDC Policy
The RDC Policy must clearly define the risk management parameters for the product that a Financial Institution's management follows in establishing procedures.

RDC Policy
A trend has been observed where FIs are streamlining their RDC Policy to the point where it is intentionally too brief, with little direction, in order to allow FI Management greater latitude in how the product is supported and delivered. This approach to creating a product policy actually adds more risk to RDC.

Product Ownership
Recommend that Management assign an individual the role of Merchant RDC Product Officer/Owner, as outlined in the Bank's RDC Policy. The individual assigned to this role should have end-to-end product knowledge and ownership to ensure that the product is properly supported, managed and monitored.

Product Ownership
Review vendor release notes and product upgrades. Failure to do so could result in a product that does not address critical risk mitigation and compliance changes, as well as competitive changes.

Written Procedures
The financial institution does not have ample written procedures in place for Remote Deposit Capture operations and processing. These are needed even when the RDC service is outsourced.

BSA/AML
- The financial institution performs a BSA/AML Risk Assessment, but the scope does not include Remote Deposit Capture.
- The Remote Deposit Capture onboarding (for existing customers of the Bank) and annual review process does not consider input from the BSA Officer as it pertains to SAR filings.

Vendor Management
The financial institution does not have a Board-approved Vendor Management Policy.

Assessing RDC Customers
RDC is NOT ACH. While RDC shares some of the factors used to qualify an ACH client, establishing a deposit limit is not the same as setting an exposure limit for ACH or a loan.
It is a sound business practice to risk rate customers for RDC, and FIs should use criteria such as:
- Deposit size
- Frequency
- Number of items
- Type of business
RDC has risk factors, but credit risk is limited.

Agreements
Financial institutions get a sample RDC Agreement from either their vendor or another FI and never really review it or customize it to their institution's environment. Agreements should be appropriate for the institution's specific RDC environment and should clearly identify each party's roles, responsibilities, and liabilities.

Agreements
While the issues around the RDC Agreement were a lot worse 5 years ago, FIs still need to understand that they need to keep their agreements current. The FFIEC Guidance on RDC has not changed since 2009, but other guidance and industry practices have evolved, and your service agreements need to keep up with these changes.

Agreements: Missing Provisions
- Roles and responsibilities of the parties, including those related to the sale or lease of equipment and software needed for RDC at the customer location
- Handling and record retention procedures for the information in RDC, including physical and logical security expectations for access, transmission, storage, and disposal of deposit items containing nonpublic personal information
- The FI's authority to perform periodic audits of the Customer's RDC process, including the IT infrastructure
- Performance standards for the FI and the customer. These could include: maintenance of a secure system; adequately trained staff; oversight of the deposit process and the document management process
- Authority of the financial institution to mandate specific internal controls at the customer's locations, audit customer operations, or request additional customer information

Customer Training
The financial institution conducts customer training during the installation process, onsite at the customer's location or remotely via phone or online. However, the various aspects of training are not documented in writing to ensure consistent delivery.

Customer Training Checklist
A tool that not only ensures the trainer covers all of the critical operational elements of the RDC product, but also covers the key RDC requirements as identified in the RDC agreement. The RDC Agreement is usually signed by a senior management person in the company, and they rarely provide a copy of the agreement to the person who will actually be processing the RDC deposits.

Customer Training Checklist
Covering these requirements ensures the RDC User is informed. This practice also provides the elements for RDC User inspections. The sound business practice for this checklist is to have the trainer and the RDC user sign it.

Customer Training Checklists
The customer training checklist should include, at a minimum, the following items:
- Procedures for ensuring the security and confidentiality of customer information
- Guidelines for the handling, storage, and destruction of original, physical documents
- Separation of duties and dual control procedures
- Image quality minimum requirements
- Franking/Endorsement requirements (if applicable)
- Duplicate item/file management procedures
- Contingency procedures
- Deposit cut-off times

Duplicate Deposited Items
While most RDC applications offer duplicate detection to prevent the same item from being deposited again via RDC, duplicates still occur when items are deposited at a branch after they have been processed via RDC. Adequate procedures help, but a sound business practice is the use of restrictive endorsements or franking of the items processed through RDC, to keep tellers at your branches or at the branch of another FI from processing the duplicate item.

Across-the-Board Duplicate Detection
- Merchant doesn't see Mobile
- Mobile and Merchant don't see In-person
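The two slides above describe a detection gap rather than a detection rule: each capture channel checks only its own history, so an item scanned by a merchant and later walked into a branch, or captured by phone and later scanned, is never matched. The following Python is an added example written for this page, not code from the presentation or from any RDC vendor. It keys every presentment on the MICR line data (routing number, account, check serial, amount) regardless of channel, runs the same check in siloed and across-the-board mode to show the difference, and records whether a franked original should have stopped the teller. All routing numbers, accounts, dates and channel names are constructed sample data.

```python
"""Added example (not from the presentation): cross-channel duplicate detection.

Each RDC channel (merchant scanner, mobile capture) and the branch teller line
typically runs its own duplicate check, so an item captured via RDC and later
walked into a branch is not caught. Keying every presentment on the MICR line
data, regardless of channel, closes that gap. Sample data is constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class DepositItem:
    channel: str            # "merchant", "mobile" or "branch"
    routing: str            # paying bank routing number from the MICR line
    account: str            # drawer account number from the MICR line
    check_number: str       # check serial number from the MICR line
    amount_cents: int
    presented_on: str       # ISO date of presentment
    endorsed: bool = False  # restrictive endorsement / franking applied at capture


# Constructed sample: hypothetical routing/account numbers and dates.
SAMPLE_ITEMS: List[DepositItem] = [
    # Captured by a merchant scanner (franked), then walked into a branch two days later.
    DepositItem("merchant", "011000015", "123456", "1001", 25_000, "2014-09-01", endorsed=True),
    DepositItem("branch",   "011000015", "123456", "1001", 25_000, "2014-09-03"),
    # Deposited by mobile phone (no franking), then scanned by a merchant.
    DepositItem("mobile",   "011000015", "987654", "2002", 8_000, "2014-09-02"),
    DepositItem("merchant", "011000015", "987654", "2002", 8_000, "2014-09-04"),
    # Legitimate single presentment.
    DepositItem("mobile",   "021000021", "444444", "77", 12_550, "2014-09-02"),
    # Same-channel duplicate: the only one a siloed merchant check would catch.
    DepositItem("merchant", "021000021", "555555", "3003", 100_000, "2014-09-05", endorsed=True),
    DepositItem("merchant", "021000021", "555555", "3003", 100_000, "2014-09-06", endorsed=True),
]


def item_key(item: DepositItem, by_channel: bool) -> Tuple:
    """Identity of a check. Including the channel reproduces today's siloed checks;
    omitting it gives an across-the-board check."""
    key = (item.routing, item.account, item.check_number, item.amount_cents)
    return key + (item.channel,) if by_channel else key


def days_between(first: str, second: str) -> int:
    return (date.fromisoformat(second) - date.fromisoformat(first)).days


def find_duplicates(items: List[DepositItem], by_channel: bool = False) -> List[Dict]:
    """Return one finding per re-presented item, processing presentments in date order."""
    first_seen: Dict[Tuple, DepositItem] = {}
    findings: List[Dict] = []
    for item in sorted(items, key=lambda i: i.presented_on):
        key = item_key(item, by_channel)
        first = first_seen.get(key)
        if first is None:
            first_seen[key] = item
            continue
        findings.append({
            "check": f"{item.routing}/{item.account}/#{item.check_number}",
            "first_channel": first.channel,
            "duplicate_channel": item.channel,
            "days_apart": days_between(first.presented_on, item.presented_on),
            # A franked original should have stopped the teller at the branch.
            "preventable_by_endorsement": first.endorsed and item.channel == "branch",
        })
    return findings


if __name__ == "__main__":
    print("siloed (per-channel) findings:", len(find_duplicates(SAMPLE_ITEMS, by_channel=True)))
    for finding in find_duplicates(SAMPLE_ITEMS):
        print(finding)
```

On the sample, the siloed check reports one duplicate and the across-the-board check reports three; the one flagged as preventable by endorsement is the branch re-presentment of a franked item, which is exactly the case the slide's restrictive-endorsement practice is meant to stop at the teller line.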

File Monitoring
The reporting available to the financial institution can be extremely limited, or the reports that are available via the RDC application are not utilized. Adequate reporting assists in the management, oversight and risk mitigation of the Remote Deposit Capture operations and RDC User compliance.

Proofing (Monitoring)
Are you looking at everything the same way you did when items were presented physically?

Board Reporting
Board reporting is frequently very limited or not done at all. Regulators are looking at the type and degree of detail provided in Sr. Management and Board reporting.

Board Reporting
The recommendation here is to report what makes sound business sense to tell your Board of Directors:
- Number of RDC clients/users
- Number of scanner locations
- Total deposits
- Total items
- Number of exceptions (like over-limit situations)
- P&L financials (if you can provide those)
Provide key information on each high risk customer using the product to prove monitoring and reporting is appropriate to the risk the FI is taking.

Layered Security
The FFIEC supplemental Guidance on Internet Authentication strongly recommends layered security, which is an FI focus for the main internet access but is frequently overlooked for RDC because it is not on the main portal.
- User Name
- Password
- Token

Annual Reviews
- A financial institution's RDC policy typically requires an annual review, yet many FIs are not performing this on a timely basis.
- Use the actual deposit activity in the review of deposit limits (12 months' activity is recommended).
- Deposit limits are a benchmark for monitoring and reporting and are not an exposure limit.
- Returned deposited item activity should also be considered in the annual review process.

RDC Reviews
If a financial institution risk rates its RDC clients, then it could consider alternatives to performing annual reviews. The following is an example of one such approach:
- Low Risk RDC clients could be reviewed every 24 months
- Moderate Risk RDC clients could be reviewed every 18 months
- Higher Risk clients can be reviewed every 12 months
- Highest Risk clients could be reviewed every 6 months
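The Board Reporting, Annual Reviews and RDC Reviews slides together describe one monitoring procedure: measure each customer's deposit limit against twelve months of actual activity and returned items, schedule the next review from the customer's risk rating, and roll the results up into the figures the Board sees. The Python below is an added example written for this page, not the presenter's own tool and not any vendor's report. It uses the review cadence the slide suggests (24/18/12/6 months) and treats the deposit limit as a monitoring benchmark, counting over-limit days as exceptions rather than as a hard stop. Customer names, limits, review dates and deposit activity are constructed sample data; the P&L line from the Board Reporting slide is left out because the sample carries no cost data.

```python
"""Added example (not from the presentation): monitoring summaries for RDC
annual reviews and board reporting.

Uses the risk-based review cadence from the slide (24/18/12/6 months) and
measures each deposit limit against actual activity and returned items.
Customer names and figures are constructed.
"""
import calendar
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Tuple

# Months between reviews for each risk rating (the cadence suggested on the slide).
REVIEW_INTERVAL_MONTHS = {"low": 24, "moderate": 18, "higher": 12, "highest": 6}


@dataclass
class RdcCustomer:
    name: str
    risk_rating: str                        # one of REVIEW_INTERVAL_MONTHS
    daily_limit_cents: int                  # deposit limit: a monitoring benchmark, not an exposure limit
    last_review: date
    scanner_locations: int
    deposits: List[Tuple[date, int, int]]   # (deposit date, amount in cents, item count) over 12 months
    returned_items: int                     # deposited items returned over the same period


AS_OF = date(2014, 10, 2)

# Constructed sample portfolio (hypothetical names, limits and activity).
SAMPLE_CUSTOMERS: List[RdcCustomer] = [
    RdcCustomer("Acme Hardware", "moderate", 500_000, date(2013, 1, 15), 1,
                [(date(2014, 8, 1), 120_000, 4), (date(2014, 8, 4), 560_000, 9),
                 (date(2014, 8, 5), 80_000, 2)], 0),
    RdcCustomer("Bayside Dental", "low", 200_000, date(2013, 6, 1), 1,
                [(date(2014, 8, 1), 50_000, 3), (date(2014, 8, 8), 40_000, 2)], 1),
    RdcCustomer("Coastal Used Autos", "highest", 2_500_000, date(2014, 1, 10), 2,
                [(date(2014, 8, 2), 2_600_000, 3), (date(2014, 8, 9), 2_700_000, 2),
                 (date(2014, 8, 16), 900_000, 1)], 2),
]


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic, clamping the day to the target month's length."""
    index = d.month - 1 + months
    year, month = d.year + index // 12, index % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def annual_review(c: RdcCustomer, as_of: date) -> Dict:
    """Measure the customer's limit against 12 months of actual activity and return the review facts."""
    amounts = [amt for _, amt, _ in c.deposits]
    peak = max(amounts, default=0)
    over_limit_days = sum(1 for amt in amounts if amt > c.daily_limit_cents)
    due = add_months(c.last_review, REVIEW_INTERVAL_MONTHS[c.risk_rating])
    if over_limit_days:
        limit_note = "limit exceeded; confirm the activity is expected and revisit the limit"
    elif peak < c.daily_limit_cents // 2:
        limit_note = "peak activity under half the limit; consider lowering it"
    else:
        limit_note = "limit consistent with observed activity"
    return {
        "name": c.name,
        "risk_rating": c.risk_rating,
        "total_deposits_cents": sum(amounts),
        "total_items": sum(n for _, _, n in c.deposits),
        "peak_day_cents": peak,
        "over_limit_days": over_limit_days,
        "returned_items": c.returned_items,
        "review_due": due,
        "overdue": due < as_of,
        "limit_note": limit_note,
    }


def board_report(customers: List[RdcCustomer], as_of: date) -> Dict:
    """Roll the per-customer reviews up into the figures the slide suggests reporting to the Board."""
    reviews = [annual_review(c, as_of) for c in customers]
    return {
        "clients": len(customers),
        "scanner_locations": sum(c.scanner_locations for c in customers),
        "total_deposits_cents": sum(r["total_deposits_cents"] for r in reviews),
        "total_items": sum(r["total_items"] for r in reviews),
        "over_limit_exceptions": sum(r["over_limit_days"] for r in reviews),
        "returned_items": sum(r["returned_items"] for r in reviews),
        "reviews_overdue": [r["name"] for r in reviews if r["overdue"]],
        # Detail on each high-risk customer evidences risk-appropriate monitoring.
        "high_risk_customers": [r for r in reviews if r["risk_rating"] in ("higher", "highest")],
    }


if __name__ == "__main__":
    for key, value in board_report(SAMPLE_CUSTOMERS, AS_OF).items():
        print(f"{key}: {value}")
```

In the sample, the moderate-risk customer is already past its 18-month review and has exceeded its limit once, and the highest-risk customer is past its 6-month review with two over-limit days; both show up in the overdue list, and the highest-risk customer also appears in the per-customer detail the slide asks for. The `limit_note` field is the part an auditor looks for: evidence that the limit was compared with real activity rather than renewed unchanged.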

Onsite Visits/Inspections
FIs are under the false impression that they must conduct onsite visits/inspections for all RDC Users. The FFIEC Guidance states the following (Customer Due Diligence and Suitability): "When the level of risk warrants, financial institution staff should include visits to the customer's physical location as part of the suitability review."
FIs should define the red flags that warrant an onsite visit or inspection. Whatever approach is taken, it should be in the RDC Policy.

Onsite Visits/Inspections
Another alternative to onsite visits/inspections is the use of an RDC Self-Assessment tool, especially for moderate or low risk customers and out-of-footprint customers. This is useful in gathering and assessing the customer's:
- Physical controls/security
- Technological controls
- User access controls
- Scanner placement
- PC security
Don't forget to inspect the key training requirements.

Vendor Review
The financial institution has not performed a service quality review of the vendor against agreed-upon service level agreements.

Questions?

Additional Takeaways
- RDC Annual Review Form Template
- Remote Deposit Customer Self-Assessment Sample
- 2014 RDC Training Guide Template

About The Presenters
Kevin Olsen, AAP, NCP
Payments Space Advisors
kolsen@eastpay.org