RDC Audit & Compliance: Lessons from the Battlefield Kevin Olsen, AAP, NCP Payments Space Advisors September / October 2, 2014 Be sure to tweet about the #RDCSummit and mention @RDCTweet
Disclaimer
This presentation and applicable materials are intended for general education purposes, and nothing in this presentation should be considered to be legal, accounting or tax advice. You should contact your own attorney, accountant or tax professional with any specific questions you might have related to this presentation that are of a legal, accounting or tax nature.
Image source: Thinkstock
Session Description
The saying "The best way to learn is to learn from others' mistakes" is never more true than when it comes to financial risk management, audit and compliance. Join us for an engaging session revealing common pitfalls found across dozens of RDC compliance and audit reviews.
Key take-aways:
Understand best practices and lessons learned in RDC audits from experts who have performed dozens of reviews
Learn the common mistakes made by financial institutions that lead to negative audit reviews
Be able to implement a framework to help ensure successful audit and compliance reviews
Areas of the Risk Assessment
Assessing the risk: RDC Risk Policy; RDC Product Risk Assessment; BSA/AML Risk Assessment; Vendor Due Diligence; Customer Due Diligence & Implementation
Mitigation and controls: Customer Agreement; Test of Merchant RDC Agreements; Customer Training; Operational Controls
Measuring and monitoring: File Monitoring; Test of Measuring and Monitoring; Management & Board Oversight; Customer Monitoring; Vendor Monitoring & Change Management
Top 5 Merchant Findings
1. RDC policy/procedures and customer training are lacking
2. FI uses a canned agreement (agreement issues)
3. Monitoring for red flags and/or anomalies
4. BSA Officer not included in RDC onboarding and review
5. Duplicate presentments
Top 5 Mobile Findings
1. Customer due diligence (who gets the service?)
2. Duplicate presentments
3. Deposit velocity thresholds for customers
4. Termination
5. Vendor management
The Real World
The following are findings from RDC risk assessments we have performed. Some are from merchant RDC, some from mobile, some from both.
RDC Policy
The RDC Policy must clearly define the risk management parameters for the product; the financial institution's management then follows those parameters in establishing procedures.
RDC Policy
A trend has been observed where FIs streamline their RDC Policy to the point where it is intentionally too brief, with little direction, so as to allow management greater latitude in how the product is supported and delivered. This approach to writing a product policy actually adds more risk to RDC: the policy no longer sets the parameters that procedures, monitoring and audits are measured against.
Product Ownership
Recommend that management assign an individual the role of Merchant RDC Product Officer/Owner, as outlined in the bank's RDC Policy. The individual assigned to this role should have end-to-end product knowledge and ownership to ensure that the product is properly supported, managed and monitored.
Product Ownership
The product owner should review vendor release notes and product upgrades. Failure to do so could result in a product that does not address critical risk mitigation and compliance changes, as well as competitive changes.
Written Procedures
The financial institution does not have adequate written procedures in place for Remote Deposit Capture operations and processing. These are needed even when the RDC service is outsourced.
BSA/AML
The financial institution performs a BSA/AML risk assessment, but its scope does not include Remote Deposit Capture.
RDC onboarding (for existing customers of the bank) and the annual review process do not consider input from the BSA Officer as it pertains to SAR filings.
Vendor Management
The financial institution does not have a Board-approved Vendor Management Policy.
Assessing RDC Customers
RDC is NOT ACH. While RDC shares some of the factors used to qualify an ACH client, establishing a deposit limit is not the same as setting an exposure limit for ACH or a loan. RDC has risk factors, but credit risk is limited.
It is a sound business practice to risk rate customers for RDC, using criteria such as: deposit size; frequency; number of items; type of business.
Agreements
Financial institutions get a sample RDC agreement from either their vendor or another FI and never really review it or customize it to their institution's environment. Agreements should be appropriate for the institution's specific RDC environment and should clearly identify each party's roles, responsibilities and liabilities.
Agreements
While the issues around the RDC agreement were a lot worse 5 years ago, FIs still need to understand that they must keep their agreements current. The FFIEC guidance on RDC has not changed since 2009, but other guidance and industry practices have evolved, and your service agreements need to keep up with these changes.
Agreements: Missing Provisions
Roles and responsibilities of the parties, including those related to the sale or lease of equipment and software needed for RDC at the customer location
Handling and record retention procedures for the information in RDC, including physical and logical security expectations for access, transmission, storage, and disposal of deposit items containing nonpublic personal information
The FI's authority to perform periodic audits of the customer's RDC process, including the IT infrastructure
Performance standards for the FI and the customer. These could include: maintenance of a secure system; adequately trained staff; oversight of the deposit process and the document management process
Authority of the financial institution to mandate specific internal controls at the customer's locations, audit customer operations, or request additional customer information
Customer Training
The financial institution conducts customer training during the installation process, onsite at the customer's location or remotely via phone or online. However, the various aspects of training are not documented in writing to ensure consistent delivery.
Customer Training Checklist
A tool that not only ensures the trainer covers all of the critical operational elements of the RDC product, but also covers the key RDC requirements identified in the RDC agreement. The RDC agreement is usually signed by a senior manager at the company, and rarely is a copy provided to the person who will actually be processing the RDC deposits.
Customer Training Checklist
Covering these requirements ensures the RDC user is informed. This practice also provides the elements for RDC user inspections. The sound business practice for this checklist is to have both the trainer and the RDC user sign it.
Customer Training Checklist
The customer training checklist should include, at a minimum, the following items:
Procedures for ensuring the security and confidentiality of customer information
Guidelines for the handling, storage, and destruction of original, physical documents
Separation of duties and dual control procedures
Image quality minimum requirements
Franking/endorsement requirements (if applicable)
Duplicate item/file management procedures
Contingency procedures
Deposit cut-off times
Duplicate Deposited Items
While most RDC applications offer duplicate detection to prevent the same item from being deposited again via RDC, duplicates still occur when items are deposited at a branch after they have been processed via RDC. Adequate procedures help, but a sound business practice is the use of restrictive endorsements, or franking of the items processed through RDC, to help tellers at your branches, or at the branch of another FI, avoid processing the duplicate item.
Across the Board
Duplicate detection is siloed by channel: the merchant RDC application does not see mobile deposits, and neither mobile nor merchant RDC sees in-person (branch) deposits.
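The cross-channel gap described on these two slides can be closed at the FI's back end if presentments from every channel are indexed by their MICR fields rather than left to each capture application. The following is an added example, not code from this presentation or from any RDC vendor; the Item record, the normalization rules, the endorsement markers and the sample items are all constructed assumptions. It contrasts per-channel detection with one cross-channel index and separately flags branch items that already carry a restrictive RDC endorsement, which is the teller-side franking check recommended above.

```python
"""Cross-channel duplicate item detection.

Added example, not code from the presentation. It assumes a hypothetical item
record carrying the MICR line fields (routing, account, check serial), the
amount, the presentment channel and an endorsement string; the sample items
below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Item:
    routing: str           # MICR routing/transit number
    account: str           # MICR account number
    serial: str            # check serial (on-us) number
    amount_cents: int
    channel: str           # "merchant_rdc", "mobile_rdc" or "branch"
    deposit_date: str      # ISO date of presentment
    endorsement: str = ""  # text read from the back of the item, if captured


def item_key(it):
    """Normalize the MICR fields so the same check matches regardless of how
    each capture platform formatted them (spaces, dashes, leading zeros)."""
    routing = it.routing.replace(" ", "")
    account = it.account.replace(" ", "").replace("-", "")
    serial = it.serial.lstrip("0") or "0"
    return (routing, account, serial, it.amount_cents)


def find_duplicates(items, siloed):
    """Return (duplicate, original) pairs in presentment order.

    siloed=True mimics the common deployment where each channel's application
    only compares items against its own history; siloed=False keeps one index
    across merchant RDC, mobile RDC and branch presentments."""
    seen = {}
    dups = []
    for it in items:
        key = item_key(it)
        if siloed:
            key = key + (it.channel,)   # each channel only sees itself
        if key in seen:
            dups.append((it, seen[key]))
        else:
            seen[key] = it
    return dups


# Assumed wording of restrictive endorsements applied by the RDC scanner.
RESTRICTIVE_MARKERS = ("REMOTE DEPOSIT", "MOBILE DEPOSIT")


def franking_flags(items):
    """Items presented at a branch that already carry a restrictive RDC
    endorsement (franking): the teller-side check the slide recommends."""
    return [it for it in items
            if it.channel == "branch"
            and any(m in it.endorsement.upper() for m in RESTRICTIVE_MARKERS)]


# Constructed sample: one check captured via merchant RDC then walked into a
# branch, one mobile item submitted twice, one check captured via mobile and
# again via merchant RDC, and a different check with the same amount.
SAMPLE_ITEMS = [
    Item("061000052", "1234 5678", "0001001", 125000, "merchant_rdc", "2014-09-15"),
    Item("061000052", "12345678", "1001", 125000, "branch", "2014-09-17",
         endorsement="FOR REMOTE DEPOSIT ONLY - ACME CORP"),
    Item("061000052", "99887766", "2002", 4500, "mobile_rdc", "2014-09-16"),
    Item("061000052", "99887766", "2002", 4500, "mobile_rdc", "2014-09-16"),
    Item("061000052", "55555555", "3003", 80000, "mobile_rdc", "2014-09-18"),
    Item("061000052", "55555555", "3003", 80000, "merchant_rdc", "2014-09-19"),
    Item("061000052", "55555555", "3004", 80000, "merchant_rdc", "2014-09-19"),
]

if __name__ == "__main__":
    for label, siloed in (("per-channel", True), ("cross-channel", False)):
        dups = find_duplicates(SAMPLE_ITEMS, siloed)
        print(f"{label}: {len(dups)} duplicate(s)")
        for dup, orig in dups:
            print(f"  serial {dup.serial} via {dup.channel} on {dup.deposit_date}"
                  f" already presented via {orig.channel} on {orig.deposit_date}")
    for it in franking_flags(SAMPLE_ITEMS):
        print(f"branch item serial {it.serial} carries RDC endorsement: {it.endorsement!r}")
```

Per-channel detection catches only the repeated mobile submission; the cross-channel index also catches the branch presentment and the mobile-then-merchant presentment. Normalizing the MICR fields matters because each capture platform formats them differently, and keying on the raw strings is a common reason duplicates slip through. The endorsement check depends on the branch capturing the back of the item, so it complements rather than replaces the shared index.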
File Monitoring
The reporting available to the financial institution can be extremely limited, or the reports that are available in the RDC application are not used. Adequate reporting assists in the management, oversight and risk mitigation of Remote Deposit Capture operations and in RDC user compliance.
Proofing (Monitoring)
Are you looking at everything the same way you did when items were presented physically?
Board Reporting
Board reporting is frequently very limited or not done at all. Regulators are looking at the type and degree of detail provided in senior management and Board reporting.
Board Reporting
The recommendation here is to report what makes sound business sense to tell your Board of Directors: number of RDC clients/users; number of scanner locations; total deposits; total items; number of exceptions (such as over-limit situations); P&L financials (if you can provide them). Provide key information on each high-risk customer using the product to prove monitoring and reporting are appropriate to the risk the FI is taking.
Layered Security
The FFIEC supplemental guidance on internet banking authentication strongly recommends layered security. FIs focus this on the main internet banking access but frequently overlook it for RDC because RDC is not on the main portal. The same factors apply to RDC access: user name, password, token.
Annual Reviews
A financial institution's RDC policy typically requires an annual review, yet many FIs are not performing it on a timely basis.
Use the actual deposit activity in the review of deposit limits (12 months of activity is recommended).
Deposit limits are a benchmark for monitoring and reporting; they are not an exposure limit.
Returned deposited item activity should also be considered in the annual review process.
RDC Reviews
If a financial institution risk rates its RDC clients, it could consider alternatives to performing annual reviews. The following is an example of one such approach:
Low-risk RDC clients could be reviewed every 24 months
Moderate-risk RDC clients could be reviewed every 18 months
Higher-risk clients could be reviewed every 12 months
Highest-risk clients could be reviewed every 6 months
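The file-monitoring, board-reporting and annual-review slides above all rest on the same figures: what the customer actually deposited over the review window, how often a day's deposits exceeded the limit, and returned-item activity. The following is an added example, not from this presentation; the (date, cents) input format, the $5,000 daily limit and the sample activity are constructed, and the review cadence encodes the illustrative 24/18/12/6-month schedule on this slide, which an FI's own policy would define.

```python
"""Annual RDC limit review driven by actual deposit activity.

Added example, not from the presentation. Assumptions (all hypothetical):
deposits and returned items are available per customer as (date, cents)
pairs, each customer has a daily deposit limit used as a monitoring
benchmark, and the review cadence by risk rating follows the slide's
illustrative 24/18/12/6-month schedule.
"""
import calendar
from collections import defaultdict
from datetime import date

# Months between reviews by risk rating (the slide's example schedule).
REVIEW_INTERVAL_MONTHS = {"low": 24, "moderate": 18, "high": 12, "highest": 6}

# Date of this review run (assumed: the session date).
REVIEW_DATE = date(2014, 10, 2)


def daily_totals(deposits):
    """Sum deposits by day: the limit is compared against the day's total, not
    against each file, so a customer cannot split a large deposit to evade it."""
    totals = defaultdict(int)
    for day, cents in deposits:
        totals[day] += cents
    return dict(totals)


def review_summary(deposits, returns, daily_limit_cents):
    """Figures a reviewer needs for the limit decision over the review window
    (12 months of activity is what the slide recommends)."""
    totals = daily_totals(deposits)
    total_cents = sum(totals.values())
    returned_cents = sum(cents for _, cents in returns)
    return {
        "deposit_days": len(totals),
        "total_cents": total_cents,
        "peak_day_cents": max(totals.values(), default=0),
        "over_limit_days": sorted(d for d, t in totals.items() if t > daily_limit_cents),
        "returned_cents": returned_cents,
        "return_rate": returned_cents / total_cents if total_cents else 0.0,
    }


def add_months(d, months):
    """Calendar-safe month arithmetic (Aug 31 + 6 months -> Feb 28/29)."""
    index = d.month - 1 + months
    year, month = d.year + index // 12, index % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def next_review_due(risk_rating, last_review):
    """Next review date under the risk-based cadence."""
    return add_months(last_review, REVIEW_INTERVAL_MONTHS[risk_rating])


# Constructed 12-month sample for one merchant with a $5,000 daily limit.
DAILY_LIMIT_CENTS = 500_000
SAMPLE_DEPOSITS = [
    (date(2014, 1, 6), 320_000), (date(2014, 1, 6), 250_000),   # two files, one day
    (date(2014, 2, 3), 410_000),
    (date(2014, 3, 10), 120_000), (date(2014, 3, 10), 90_000),
    (date(2014, 6, 2), 650_000),
    (date(2014, 9, 15), 480_000),
]
SAMPLE_RETURNS = [(date(2014, 6, 5), 46_400)]

if __name__ == "__main__":
    summary = review_summary(SAMPLE_DEPOSITS, SAMPLE_RETURNS, DAILY_LIMIT_CENTS)
    for name, value in summary.items():
        print(f"{name}: {value}")
    for rating in REVIEW_INTERVAL_MONTHS:
        print(f"next review if rated {rating}: {next_review_due(rating, REVIEW_DATE)}")
```

In the sample the two January files individually sit under the limit but together exceed it, which is why the summary works from daily totals; that over-limit day and the June one are the "exceptions" a board report would count, and the 2% return rate is the returned-item figure the annual review should weigh alongside the peak day when deciding whether the limit still fits the activity.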
Onsite Visits/Inspections
FIs are under the false impression that they must conduct onsite visits/inspections for all RDC users. The FFIEC guidance states the following under Customer Due Diligence and Suitability: "When the level of risk warrants, financial institution staff should include visits to the customer's physical location as part of the suitability review." FIs should define the red flags that warrant an onsite visit or inspection. Whatever approach is taken, it should be in the RDC Policy.
Onsite Visits/Inspections
Another alternative to onsite visits/inspections is the use of an RDC self-assessment tool, especially for moderate- or low-risk customers and out-of-footprint customers. This is useful in gathering and assessing the customer's: physical controls/security; technological controls; user access controls; scanner placement; PC security. Don't forget to inspect the key training requirements.
Vendor Review
The financial institution has not performed a service quality review of the vendor against the agreed-upon service level agreements.
Questions?
Additional Takeaways
RDC Annual Review Form Template
Remote Deposit Customer Self-Assessment Sample
2014 RDC Training Guide Template
About The Presenters
Kevin Olsen, AAP, NCP, Payments Space Advisors, kolsen@eastpay.org