RDC Risk Management Update 2011
Heather Holliway, Product Manager, Synovus Financial Corp.
Ed McLaughlin, Executive Director, RemoteDepositCapture.com
September 30, 2011
Regulatory Guidance Overview
1. FFIEC RDC Risk Management Guidance, released January 14, 2009
   - Covers the RDC risk management process in an electronic environment
   - Focuses on RDC deployed at a customer location
   - The principles of RDC risk management it discusses are applicable to:
     - FIs' internal deployment (ATM, branch, cash vault)
     - Other forms of electronic deposit delivery systems (e.g., mobile banking and automated clearing house [ACH] check conversions)
2. Retail Payment Systems Booklet (N), (M), February 10, 2010
3. 2010 version of the Bank Secrecy Act/Anti-Money Laundering Examination Manual, updated April 29, 2010
4. Authentication in an Internet Banking Environment, October 12, 2005
   - Supplement to Authentication in an Internet Banking Environment, June 22, 2011
5. Reg. CC changes are coming
New Challenges
- Mobile, flatbed, merchant, fax
  - Treat each as a new product in the risk process
  - Device security
  - Check security
  - Compliance
- Mobile for small business and the consumer
  - The farther down-market you go, the less sophisticated the business
  - Keep it simple
  - Fewer checks and balances
  - Segregation of duties
  - Documented risk practices
- FFIEC guidance is risk management oriented, not device oriented
FFIEC guidance was a watershed event
- But what value will all the resulting effort produce?
- Nearly 90% of FIs surveyed have suffered NO LOSS uniquely attributed to RDC
  - This includes CUs offering consumer RDC
  - Losses among the 12% were not recurring events
- Fraud mechanisms are not a mystery, nor many:
  - Duplicate presentment
  - Kiting
  - Insider fraud
- Duplicate presentment is the most commonly cited mechanism by a large margin
[Chart: RDC Loss Profile. Share of respondents (%) by asset size (>$50b, $10b - $50b, $1b - $10b, <$1b) answering: "We have suffered no loss uniquely attributed to RDC"; "We have had a single loss incident"; "We have had several loss incidents"; "We have recurring loss incidents". Source: Celent FI survey, September 2010, n=194. This slide provided courtesy of Celent.]
"Almost exclusively in our cases, our losses are due to insider fraud at our customer sites, due to a lack of, or failing to follow, existing dual controls." (US mid-tier bank)
System Capabilities & Integration
- System functionality
  - Duplicate item detection
  - Scanner options
- Data integration & usability
  - Audit logs and event logs (MIS reporting)
  - IQA and IUA, front and back of the check
  - MICR & CAR/LAR
- Controls
  - Marking capability
  - Presence of endorsements
- Clearing options
  - LCR (lowest cost routing), including rules for ACH vs. image and IRD
  - ABA validation routines
- Integration of BSA/AML systems and processes
  - OFAC
- BCP (enterprise)
- IT security infrastructure (SSO, rights and privileges, etc.)
Key Information: Understand the Business
- Know your customer: finances, customers, processes
  - CDD (Customer Due Diligence), EDD (Enhanced Due Diligence), CIP (Customer Identification Program)
- Understand deposits: obtain history
  - Volumes & values of items, deposits, returns; velocity
- Use this data to custom-fit RDC
  - Thresholds, limits, holds & availability schedules
  - Separation of duties, approvals
  - Functional capabilities
  - Pricing, balances; monitor deposit & data trends
- RDC should be customized to each individual client.
Duplicate Detection
Duplicate detection should ideally be done across all levels & accounts, channels and products.
- Levels & accounts: user, location, account
- Channels: RDC location, lockbox, ATM, branch, mail drop, kiosk & inclearings, etc.
- Products: check and ACH (for converted items)
- Network: all banks using a specific service provider
- Industry: i3g / Fed initiative
- More??
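An added example, not from the slides, of the cross-level, cross-channel and cross-product duplicate check described above: presentments are keyed on the MICR line (routing, account, serial) so the same physical check is recognised whether it arrives as an RDC image, a branch deposit or an ACH-converted item, and the ABA check-digit routine listed under clearing options gates the key. Field names, scope labels and all routing/account values are constructed.

```python
from dataclasses import dataclass
from typing import Optional

def valid_aba(routing: str) -> bool:
    """ABA routing number check digit: weights 3,7,1 over nine digits, sum mod 10 == 0."""
    if len(routing) != 9 or not routing.isdigit():
        return False
    weights = (3, 7, 1, 3, 7, 1, 3, 7, 1)
    return sum(w * int(d) for w, d in zip(weights, routing)) % 10 == 0

@dataclass(frozen=True)
class Item:
    """One presentment of a check, by whatever channel or product it reached the bank."""
    routing: str       # payor bank routing number from the MICR line
    account: str       # payor account number from the MICR line
    serial: str        # check serial number from the MICR line
    amount_cents: int
    channel: str       # constructed labels: "RDC", "BRANCH", "ATM", "LOCKBOX", "INCLEARING"
    product: str       # "CHECK", or "ACH" for an item converted to an ACH debit
    depositor: str     # depositing customer; supports the user/location/account level

def fingerprint(item: Item) -> tuple:
    """Key that stays stable across channels: MICR fields, serial stripped of leading zeros."""
    return (item.routing, item.account.strip(), item.serial.lstrip("0") or "0")

class DuplicateDetector:
    """Bank-wide presentment index; one instance is shared by every channel and product."""
    def __init__(self) -> None:
        self._seen: dict[tuple, Item] = {}

    def present(self, item: Item) -> Optional[dict]:
        """Record a presentment; return None if it is new, else a finding describing the match."""
        if not valid_aba(item.routing):
            raise ValueError(f"invalid routing number {item.routing!r}")
        key = fingerprint(item)
        prior = self._seen.get(key)
        if prior is None:
            self._seen[key] = item
            return None
        return {"scope": self._scope(prior, item),
                "amount_match": prior.amount_cents == item.amount_cents,
                "first": prior, "duplicate": item}

    @staticmethod
    def _scope(first: Item, second: Item) -> str:
        """Widest boundary the duplicate crossed; a single-channel check would miss all but the last."""
        if first.product != second.product:
            return "cross-product"
        if first.channel != second.channel:
            return "cross-channel"
        if first.depositor != second.depositor:
            return "cross-account"
        return "same-account"
```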
The Importance of Endorsements
- Endorsements can help prevent duplicates
  - Restrict deposit to a specific bank & account
  - Legal & regulatory implications
- Appropriate endorsement can be identified by:
  - Teller
  - Payor
  - Systemic identification
- Decreases likelihood the item will be reused
  - Criminals can also see the restrictive endorsement
- Systemic capabilities are evolving (hardware & software)
Testing Risk Management
[Matrix: each risk control is rated against each risk type with a circle fill.]
- Risk types (columns): Operational Error, Check Kiting, Duplicate Error, Duplicate Fraud, Value Fraud, Volume Fraud, Return Items
- Risk controls (rows): Value / Volume Thresholds; RDC System DD*; Cross-Channel DD*; IQA / IUA / CAR / LAR; Patterning; Holds; Availability Schedules; Balances
  *DD = Duplicate Detection
- Level of risk management adequacy: 1/4 circle = minimal, 1/2 circle = fair, 3/4 circle = moderate, full circle = good
- FIs should have at least 1.5 total circles per risk type, 2+ for fraud risk types.
RDC Risk Management: Striking the Perfect Balance between BSA/Compliance and Treasury Management
Heather Holliway, Product Manager, Synovus Financial Corp.
September 30, 2011
Let the Tug-of-War Begin
- Synovus released RDC in 2005
- Rush to market, high-profile product
- Treasury Management is eager to sell, sell, sell!
- BSA wants control!
Copyright 2010, RemoteDepositCapture.com
Results of the Tug-of-War
- Customer dissatisfaction with turn-around time on approval
- Sales team frustrated with documentation requirements and approval process
- Resource intensive for both BSA and Treasury Management teams
- BSA now referred to as BPU (Business Preventative Unit)
The Dilemma
Question: How can we sell the service and deliver quickly while appropriately mitigating risk?
Answer: Restructure the customer approval process based on customers' risk classifications. Revise the risk policy!
A Realistic Approach
- Treasury Management must partner with BSA/Compliance and Operational Risk to create a realistic, reasonably designed, risk-based Remote Deposit Capture policy based on FFIEC guidance
- Implement monitoring or audit procedures
  - Understand your customers' activity to identify red flags before it's too late
  - Be proactive vs. reactive
- Determine both business segment and BSA risk tolerance thresholds
Customer Approval Process
- Define customer risk categories based on FFIEC guidance and your bank's risk appetite (e.g. low, medium and high)
- Determine which categories are permitted and prohibited
- Determine who owns the approval based on risk type (e.g. moderate risk requires dual approval, high risk RDC prohibited)
- Regardless of risk level, due diligence must be performed and documented
  - Know your customer: apply your bank's CIP and CDD/EDD standards
  - Document anticipated volume and $ deposited
  - Review previous statements to understand the customer's activity
  - Verify account ownership
  - Verify credit relationship is in good standing (if applicable)
Account Monitoring
Ongoing account activity/transaction monitoring. Examples of valuable data:
- customer account balances and deposit history
- spiked activity or trends that are inconsistent with anticipated account activity
- overdrawn accounts
- higher incidence of NSF checks, returned items or customer complaints
- routinely resubmitted data files or duplicate presentment of checks or images
- changes in business profile or ownership
Accounts with significant variances should be reviewed; explanations should be documented and archived for audit.
Accounts with suspicious activity:
- should be reported to Loss Prevention, Operational Risk and BSA/Compliance
- work with the Relationship Manager to determine whether or not the service should be removed
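An added example, not from the presentation, of the monitoring step above: the anticipated monthly item count and dollar volume documented at approval are compared with a month's actual RDC files, return items and file resubmissions, and significant variances come back as review reasons with a disposition. The variance limits, the escalation rule in disposition() and the sample figures are constructed.

```python
import hashlib
from dataclasses import dataclass

@dataclass
class Profile:
    """Anticipated activity recorded when the customer was approved for RDC."""
    customer: str
    expected_items: int              # anticipated items per month
    expected_cents: int              # anticipated dollar volume per month, in cents
    variance_limit: float = 0.50     # constructed: flag actuals more than 50% over expected
    return_rate_limit: float = 0.05  # constructed: flag when more than 5% of items return

@dataclass
class DepositFile:
    """One RDC deposit file as transmitted by the customer."""
    item_count: int
    total_cents: int
    payload: bytes                   # raw transmitted content, hashed to spot resubmissions

def review_month(profile: Profile, files: list[DepositFile], returned_items: int) -> list[str]:
    """Compare a month of activity with the profile; an empty list means no variance to review."""
    reasons: list[str] = []
    seen: dict[str, int] = {}        # sha256 of payload -> first file number that carried it
    items = total = 0
    for number, f in enumerate(files, start=1):
        digest = hashlib.sha256(f.payload).hexdigest()
        if digest in seen:
            reasons.append(f"file {number} is a resubmission of file {seen[digest]}")
        else:
            seen[digest] = number
        items += f.item_count
        total += f.total_cents
    ceiling = 1 + profile.variance_limit
    if items > profile.expected_items * ceiling:
        reasons.append(f"item volume {items} exceeds anticipated {profile.expected_items}")
    if total > profile.expected_cents * ceiling:
        reasons.append(f"dollar volume {total / 100:,.2f} exceeds anticipated {profile.expected_cents / 100:,.2f}")
    if items and returned_items / items > profile.return_rate_limit:
        reasons.append(f"return rate {returned_items / items:.1%} exceeds {profile.return_rate_limit:.0%}")
    return reasons

def disposition(reasons: list[str]) -> str:
    """Constructed routing: resubmitted files are treated as suspicious and escalated; other variances are reviewed and documented."""
    if not reasons:
        return "no action"
    if any("resubmission" in r for r in reasons):
        return "report to Loss Prevention, Operational Risk and BSA/Compliance"
    return "review with Relationship Manager; document explanation and archive"
```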
Training: Critical for both Treasury Management and Customers!
- Treasury Management training
  - Sales must understand the policy before selling
  - Mandatory product and risk training on at least an annual basis
  - Identify BSA/Compliance red flags for suspicious activity
  - Escalation criteria, both operational and BSA compliance
  - Standardize documentation for monitoring and exception reviews to meet compliance, audit and regulatory scrutiny
- Customer training: the end user should understand the policies and procedures set forth in the legal agreement
  - Deposit deadline
  - Eligible / ineligible items
  - Handling of duplicate items
  - Retention requirements
  - Prohibited use
Striking the Perfect Balance
- Simplify the customer approval process based on FFIEC guidance
- Implement risk-based account and transaction monitoring based on your bank's BSA risk profile and business segment risk tolerance
- Sales team selling and generating fee income!
- BPU returns to BSA: no longer the bad guys!
Summary of Risk Management Standards - FFIEC:
- Comprehensively identify and assess RDC risk prior to implementation
- Conduct appropriate customer CDD and EDD on new RDC customers
- Create risk-based parameters that can be used to conduct RDC customer suitability reviews
- Obtain expected account activity from the RDC customer, such as the anticipated RDC transaction volume, dollar volume, and type (e.g., payroll checks, third-party checks, or traveler's checks); compare it to actual activity and resolve significant deviations
- Compare expected activity to business type to ensure they are reasonable and consistent
- Develop well-constructed contracts that clearly identify each party's role, responsibilities, and liabilities, and that detail record retention procedures for RDC data
- Implement additional monitoring or reviews when significant changes occur in the type or volume of transactions
- Ensure that RDC customers receive adequate training
Questions?
Additional Takeaways
- Determine both business segment and BSA risk tolerance thresholds
- Design a reasonable and realistic policy based on FFIEC guidance and the controls currently in place, e.g. assume more risk on the front line because of in-depth monitoring on the back end
- Partner with BSA/Compliance: tap into their knowledge!
About the Presenter
Heather Holliway, Synovus Financial Corp.
HeatherHolliway@synovus.com