RDC Risk Management
& FFIEC Compliance
Presented By:
John Leekley, Founder & CEO
Ed McLaughlin, Executive Director
RemoteDepositCapture.com
&
Hope Schall, Attorney, Vedder Price P.C.
February 2009
This webinar is sponsored by:
A Unique Perspective
RemoteDepositCapture.com is an independent information & services
resource for the Payments Industry.
– We are NOT a reseller, solution provider, etc.
– We ARE experts in, and an open resource for the industry.
– We work with the vast majority of leading solution providers, FIs, processors.
– Thousands of FIs, corporations, businesses and consumers visit the site each month.
– We were directly involved in the formulation of the guidance and training of hundreds
of auditors.
– Services
• News & Research
• RDC Marketplace
• Solution Provider Directories
• RDC Overviews
• White Paper Central
• FREE Webinars, and more.
• Contacts:
• John.Leekley@RemoteDepositCapture.com
• Ed.McLaughlin@RemoteDepositCapture.com
Copyright 2009, Remote Deposit Capture, LLC 2
Remote Deposit Capture Risk Management
& FFIEC Compliance
Today’s webinar is brought to you by…
Digital Check is a leading technology provider of low-cost check scanners for the distributed
capture marketplace. Delivering reliable performance with superior MICR and image quality,
the TellerScan® and award-winning CheXpress® models TS215, TS230, TS4120, and CX30
are specifically designed to meet the needs of today’s branch and RDC users.
To learn more about Digital Check, the Secure Choice in Distributed Capture™, please visit
www.digitalcheck.com or call 888-838-5744.
Fiserv Source Capture Optimization™ enables a common web platform
for remote deposit capture at the Consumer, Merchant, Branch, Teller
and ATM.
Ranked #1 Branch and Teller Capture Solution in the industry (AITE, Dec 2008)
Visit www.sco.fiserv.com to learn more.
• call (800) 872-7882
• email: victoria.lant@fiserv.com
Agenda
• Introduction to the FFIEC Guidance
• RDC Risk Overview
• Legal Agreements
• Strategic Approaches to Risk Management &
Compliance
– Technology
– Operations
– Information Security
– Vendors, Customers & Personnel
– Risk Measurement, Monitoring & Reporting
– Mitigation & Control
Legal Disclaimer: This is not legal advice. RemoteDepositCapture.com is reporting on observations and experiences while
working directly with dozens of solution providers, financial institutions and the various regulatory agencies. For legal advice /
guidance, please work with a competent and qualified legal representative.
Please see our “Best Practices in RDC Risk Management” Webinar for implementable RDC risk 
management tactics.
Introduction
• FFIEC RDC Risk Management Guidance released January 14, 2009
– Elements of an RDC risk management process in an electronic environment,
– Focusing on RDC deployed at a customer location.
• Principles of RDC risk management discussed are also applicable to
– FI’s Internal deployment – Branch, Cash Vault
– Other forms of electronic deposit delivery systems (e.g., mobile banking and
automated clearing house [ACH] check conversions).
• Click Here to Download the FFIEC Guidance
• Click Here to View our Webinar: Best Practices in RDC Risk Management
RDC is a Payments Platform
RDC Applies to a family of related products &
services most often differentiated by location of
check capture.
Consumer RDC: - Already here with 75,000+
Users!
The term “Remote Deposit Capture” refers to the process of electronically
capturing check images and data, transmitting that information for deposit
and clearing, and truncating the original paper checks. This definition is
evolving to include additional payment types, including card payments.
[Figure: Remote Deposit Capture deployment types: Lockbox, Branch, Teller, Corporate, Merchant, Correspondent, ATM, Consumer.]
RDC is becoming an integrated technology platform increasingly used to 
process different types of payments and data with the ability to feed that data 
to systems both internal and external to the organization.
Three Pillars of the FFIEC Guidance
• Responsibility
– Senior Management
– Board
• Risks
– Internal
– External
– Process
• Mitigation
– Planning
– Assessment
– Mitigate
– Measure
– Report
– Monitor
FFIEC - Risks With RDC
• Legal/Contractual Agreements
• Customer Selection – Risk begins here
– Customer Audit
• Access
• Vendor Selection & Risk Management
• Implementation
• Physical & Logical Security
– Monitoring & Thresholds
– Duplicate Detection
• Privacy of Non Public Information
• Business Continuity & System Failure
Risk Management of Remote Deposit Capture
• RDC is a new delivery system and not simply a new service.
• It is necessary to identify and assess the following:
– Risks
• legal,
• compliance,
• reputation, and
• operational
– Business Objectives & Capabilities
• Ensure RDC is compatible with institution’s business:
• Strategies
• ROI
• Ability to manage the risks inherent in RDC.
• Incorporate RDC Risk assessments into existing risk assessment
processes
Risk Management Processes & Responsibilities
• Establish a Risk Framework
– Planning,
– Risk identification and assessment,
– Controls,
– Measuring and Monitoring
• Determine appropriate level of
governance, oversight, and risk
management
– Size and complexity of the financial
institution,
– Relative scale and impact of RDC to
overall activities
• Management must:
– Approve plans, policies, and significant
expenditures,
– Review periodic performance and risk
management reports on implementation
and ongoing operation and services.
– Management is responsible for the RDC
system
[Figure: RDC Risk Framework, with dimensions Risk Granularity, Risk Discipline and Risk Activities. Labels: Legal, Compliance, Reputation, Operational; Internal, 3rd Party, Customer, Technology; Planning, Risk Identification, Risk Assessment, Controls, Measure, Monitor, Report.]
Hope Schall - Biography
• Ms. Schall is an attorney at Vedder Price P.C. in Chicago, Illinois. The
Financial Institutions Group at Vedder Price represents financial institutions
and financial service providers of all sizes throughout the U.S.
• Ms. Schall concentrates her practice on a wide range of bank and thrift-
related matters, including regulatory and payment issues, mergers and
acquisitions and the development of new financial products.
• Prior to joining Vedder Price, Ms. Schall served as an attorney for the
Federal Reserve Bank of Chicago, where her responsibilities included
advising the Reserve Bank on banking supervisory and regulatory issues
and payments and financial services issues, including matters involving
FedLine Services, Fedwire, FedACH and various check services.
• Ms. Schall is a frequent speaker at banking and payment conferences
across the country. She holds an LL.M. degree in Financial Services Law
from Chicago Kent College of Law and a J.D. degree from DePaul University.
Legal Risk Overview
• Anti-Money Laundering & Bank
Secrecy Act issues
• Applicable law, rules and
agreements
• Agreements between banks and
their service providers
• Agreements between banks and
their customers
Contracts & Agreements
• Banks engaging in RDC should have
strong, well-constructed contracts and
customer agreements.
• Legal counsel should help develop
agreements.
• Agreements should include various
provisions set forth in the guidance.
• Guidance requires actions that can only be
accomplished via an agreement.
“Top” 5 Requirements
1. Roles and responsibilities
2. Governing laws, regulations and
rules
3. Allocation of liability
4. Termination
5. Handling and record retention
procedures
1. Roles and Responsibilities
• Contract should be tailored to the service.
• Describe the service that is being provided.
– E.g., Who is the customer? Is ACH processing
involved? Where does imaging occur?
• Describe the items to be processed.
• Describe limitations.
• Address responsibility for equipment and
software.
• Address responsibility for security.
2. Governing Law
• There is no law that governs the processing of check
images.
• Paper check processing without an agreement is
governed by the UCC default provisions.
• Banks need agreements to set forth the law and
provisions they want to apply to the processing of check
images.
2. Governing Law
• Make check law apply.
– E.g., UCC Articles 3 & 4, Regulation CC, Clearinghouse Rules,
Federal Reserve Operating Circulars, etc.
• Address gaps in the law.
– E.g., image format, image quality, returned items, duplicate items,
etc.
• Push back warranties, liabilities and risks.
– E.g., bank of first deposit warranties, Check 21 Act warranties and
indemnities
3. Allocation of Liability
• Only responsible for performing the services set forth in
the agreement.
• Only liable for actual damages.
• Except as otherwise required by law, liable up to a
certain limit.
4. Termination
• Customer may terminate with prior notice and Bank may
terminate immediately.
• Termination does not affect transactions in process.
• Retain ability to obtain funds from other customer
accounts.
• Customer should have contingency procedures in place.
5. Handling and Record Retention
• Big issue for examiners.
• Must require that the customer securely store and
destroy original checks.
Additional Provisions
• Warranties, indemnification and dispute resolution
• Types of items that may be transmitted
• Documents RDC customers must provide to facilitate investigations
or resolve disputes
• Processes and procedures that customer must follow
• Periodic audits of the RDC process, including IT infrastructure
• Performance standards for the financial institution and customer
• Funds availability, collateral and collected funds requirements
• Authority of the financial institution to mandate internal controls,
customer’s location, audit of operations or request additional
information
RDC Risk Assessment Should Identify
• Risks to the security and confidentiality of nonpublic personal
information
• Changes in:
– Technology
– Sensitivity of customer information
– Internal or external threats to information
– Business arrangements.
• Risks associated with location may vary based on:
– In house deployment
– Type of Business
– Remote locations – Business or Home (Consumer)
– Domestic or International
• Difference depending on clearing items under either or both:
– Check 21
– ACH
RDC Has Impacts Throughout The Organization
Financial Institution
• Systems Impacted
– DDA, Float, Billing, Client Information Files, ACH, Returns, etc.
• Operations Impacted
– Check Processing, ACH, Research, Proof, etc.
– Business Continuity
• Business Divisions Impacted
– Sales, Support, Product Management, Risk,
and more
• Financials Impacted
– Fee Income
– Float
– Deposit Balances, Capital Base, Liquidity, Loans
• Products Impacted:
– DDA, Deposits, ACH, Online Banking, and more.
• RDC requires an organization-wide collaborative effort
• Deposit Products Product Management should lead.
[Figure: areas involved in RDC: DDA, ACH, Risk, Security, Operations, Treasury, Technology.]
Which Resources are Required?
Remote Deposit Capture
Implementation Stakeholders
Area
Senior Management Sponsor
Project Management Office (PMO)
Product Management
Cash Management Sales
IT ‐ Application Development
IT ‐ Infrastructure/Operations
IT – Security
Audit
HR/Training
Procurement/Vendor Management
Operations (ACH, Day1, Day 2, Lockbox)
Risk / Compliance
Finance & Treasury
3rd Parties
Source: Catalyst Consulting, RemoteDepositCapture.com
Deposits are the “lifeblood” of any 
financial institution. RDC impacts almost 
all areas within an FI.
Vendor Due Diligence and Suitability
• Deployment Options
– “In-House”
– “ASP / Hosted”
– View Webinar: Hosted vs. In-House Solutions
• Service Level Agreements
– Processing Timeliness, Bandwidth, Uptime
– Cutoffs, Reviews, Data Entry
– Help Desk Roles & Responsibilities
• Security, Accessibility & Reliability
– SAS 70 Type II Certification
– Issue Resolution, Reporting
– Process / System Monitoring & Confirmations
Financial institutions that rely on service providers for RDC activities should ensure
implementation of sound vendor management processes
Vendor Risk Management
• Selecting the “Right” Solution Provider
– Is RDC a Core Capability?
– Financial Stability
– Systemic Capabilities
– Strategic Fit for your organization
• Operational Risk Management
– Scalability, Reliability & Processing Bandwidth
– Online access to real-time reports
– Parameter-driven systems (item thresholds, etc.)
– Process & System Monitoring Capabilities
Financial institutions that rely on service providers for RDC activities
should ensure implementation of sound vendor management processes
Business Continuity & Disaster Recovery
The financial institution’s BCP & DR plans
should address:
• RDC systems and business processes, and the
testing activities
• Contingency plan development and testing should
be coordinated with customers using RDC.
Operational Risks
• Identify operational risks
• Access and Security of systems,
• Access and storage of original deposit items
• Location and security of electronic files
• Security and safekeeping of retained
nonpublic personal information
• Faulty equipment
• Inadequate procedures
• Inadequate training
• Document processing
• Poor image quality
• Inaccurate electronic data
Therefore, it is important to require customers to implement
appropriate document management procedures to ensure the
safety and integrity of deposited items from the time of receipt
until the time of destruction or other voiding.
Authentication & High Risk Transactions
Authentication system recommendations: multifactor
authentication, layered security, or other controls
reasonably calculated to mitigate risks.
• Elevated or New Risks in an RDC environment.
– Check alteration & Magnetic Ink Character Recognition (MICR) line
– Forged or missing endorsements
– Check security features
– Physical alteration of a deposited check – such as by “washing”
– Counterfeit items
– Duplicate presentment.
• Customer personnel
• Access by customers and their staffs to nonpublic personal information.
High-risk transactions involve access to customer information or the
movement of funds to other parties. The agencies consider transfer of
deposit transaction information to represent “the movement of funds to
other parties.”
Operational Risks - Lack of Control
Guidance
• Ineffective controls at the
customer location lead to:
• The intentional or unintentional
alteration of deposit item
information,
• Resubmission of an electronic
file,
• Re-deposit of physical items.
• Inadequate separation of duties
at customer location can afford
an individual:
• End-to-end access to the RDC
process
• The ability to alter logical and
physical information without
detection.
Control
• Identify and flag changes made to
scanned item or metadata (MICR,
CAR/LAR)
• Duplicate file detection
• Duplicate Item detection
• Franking, endorsement, audit trail
marking
• Administrative controls that assign,
track and report entitlements. E.g.
require separate person for account set
up and deposit review approval
• Dual control where appropriate
IT Security Risks
Guidance
• Internal networks
• External networks of service
providers & customers.
• Technology-related operational
risks include
– Failure to maintain compatible
and integrated IT systems
– Multiple release levels of
associated software or
hardware
– Failure to install an update or
patch
– Web application vulnerabilities,
– Authentication
– Lack of encryption at any point
in the process.
Control
• IT audit controls (existing)
• Vendor Risk Management
(existing)
• Customer audits and
certification
• Active monitoring of HW & SW
inventory
• Stringent change control
procedures
• IT security audits (existing)
• Layered authentication (BITS,
MFA)
• IT security audit (existing)
Examples of Existing Assessment Requirements
Interagency Guidelines Establishing Information Security Standards:
The Security Guidelines require a financial institution to design an information security
program to control the risks identified through its assessment, commensurate with the
sensitivity of the information and the complexity and scope of its activities
FFIEC IT Examination Handbook: Information Security Booklet:
Individual financial institutions and their service providers must maintain effective security
programs adequate for their operational complexity. These security programs must have
strong board and senior management level support, integration of security activities and
controls throughout the organization’s business processes, and clear accountability for
carrying out security responsibilities
Bank Secrecy Act / Anti-Money Laundering Examination Manual:
12 CFR 748 — “Security Program, Report of Crime and Catastrophic Act and Bank
Secrecy Act Compliance” Requires federally insured credit unions to maintain security
programs and comply with the BSA
Goal - Assess Once For Many
Risk Management: Mitigation and Controls
Management must complete and approve a comprehensive
risk assessment before (prior to) implementing an RDC
system and show:
• It can manage the risks associated with RDC
• Implement appropriate risk management policies
• It can effectively mitigate, measure, and monitor those
risks and establish:
– Risk tolerance levels,
– Internal procedures and controls,
– Risk transfer mechanisms where appropriate and available,
– Develop well-designed contracts
Customer Due Diligence and Suitability
• Risk Mitigation begins with Customer Selection
• Establish appropriate risk-based guidelines, e.g. BSA/AML
• Foreign correspondent accounts are subject to further due diligence
• For new and existing customers, a suitability review should include:
– Business activities
– Review of their risk management processes
– Location
– Their customer base - Review should be commensurate with the level of risk
– When the level of risk warrants, visits to the customer’s physical location should be
included to evaluate the following:
• Management, operational controls and
• Risk management practices,
• Staffing and the need for training and ongoing support,
• IT infrastructure
• Review available reports of independent audits
• When appropriate, risk self-assessments by the RDC customer may be
adequate
Mitigation and Control Considerations
• Separation of duties or other compensating controls
• Strong change control processes
• Deposit items can be endorsed, franked, or
otherwise noted as already processed.
• Insurance coverage may provide a cost
effective way to mitigate risk further.
These controls should be designed and implemented
to ensure the security and integrity of data
Risk Management: Measuring and Monitoring
The following elements must be addressed in a Risk Management and
Monitoring System:
• Risk measuring and monitoring systems – Internal, Partner and Customer
• Establish accurate & timely operational performance metrics
• Set operational benchmarks and standards,
• Regular reviews of the reports, scheduled periodic reviews and operational risk
assessments.
• Establish Reports to track, monitor and measure:
– Duplicate entries
– Violations of deposit thresholds.
– Velocity metrics, i.e., file size and number of files, transaction dollar value and
volume, and return item dollar value and volume
– Reject items and corrections.
– Reports should address point-in-time activities as well as trends for individual and/or
groups of customers with similar characteristics, and for the RDC product as a whole
• Report content should be structured to meet the needs of the various levels of
management.
Risk Management Process –
A Planning and Mitigation Life Cycle
• Risk Planning
– Identify Risk Items and Categories
– Assign Risk Levels
• Assess Risk
– Customer Selection – Business, Tenure, Transaction History, Balances, Availability
– Legal Requirements
– Operations – IT, Networking, Vendor
– Security – Data, Identity, Network
• Mitigation Plans – Controls
– Policies
– People
– Processes
– Technology
• Measure Results
– Establish Schedule, Standards and Measurement Criteria
– Automate as many as possible
– Establish a red, yellow and green system to identify risk exposure
– Audit – Internal, external and customer
• Monitor
– Policy
– Operations
– Security
– Procedures
• Report
– Frequency of Reports
– Frequency of Reviews
Risk Reporting & Monitoring
• Establish Policies and procedures for RDC that include metrics for
reporting and risk tolerances for accounts:
– Account rules and limits
• Account Selection – Tenure, Transaction history, Balances, Type of Business
• Deposit limits – per day for review and analysis + per week or month
• Item amount ($) limits – Maximum per check
• Random review of deposits – For accuracy
– Monitoring and review of accounts (aka ACH) for duplicates, rejected
and returned items
– Monitor internal processes for separation of responsibilities:
administration for password, account setup, account access, deposit
review etc.
– Establish procedures for regular reporting of deposit history and to
identify patterns
– Periodic emails or letters to customers to remind them of their
responsibilities for: training, security, process, check retention,
endorsements, adequate safeguards for storage of checks and account
information
• Include RDC in audit process
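An added example, not part of the original presentation: one way the reports named on this slide and on the measuring-and-monitoring slide (duplicate items, per-item and per-day deposit limits) could be computed over deposit records and rolled up into the red, yellow and green status from the life-cycle slide. The record layout, the limit values, the 80% "yellow" trigger and all sample records are assumptions constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from decimal import Decimal as D


@dataclass(frozen=True)
class Item:
    customer: str
    deposit_date: date
    routing: str   # MICR routing number
    account: str   # MICR account number
    serial: str    # MICR check serial number
    amount: D


@dataclass(frozen=True)
class Limits:      # hypothetical risk tolerances set by policy
    per_item: D
    per_day: D
    warn_ratio: D = D("0.80")  # assumed share of the daily limit that turns yellow


def find_duplicates(items):
    """Return (first_seen, repeat) pairs for checks presented more than once."""
    seen, dups = {}, []
    for it in items:
        # The MICR fields plus amount identify the check, whoever deposits it.
        key = (it.routing, it.account, it.serial, it.amount)
        if key in seen:
            dups.append((seen[key], it))
        else:
            seen[key] = it
    return dups


def daily_totals(items):
    """Sum deposited dollars per (customer, day)."""
    totals = defaultdict(D)
    for it in items:
        totals[(it.customer, it.deposit_date)] += it.amount
    return dict(totals)


RANK = {"green": 0, "yellow": 1, "red": 2}


def assess(items, limits):
    """Return {customer: {"status": ..., "findings": [...]}}.

    A customer with no configured limits raises KeyError on purpose:
    deposits from an account that was never risk-rated should not pass.
    """
    report = {c: {"status": "green", "findings": []} for c in limits}

    def flag(customer, status, text):
        entry = report[customer]
        entry["findings"].append(text)
        if RANK[status] > RANK[entry["status"]]:
            entry["status"] = status   # status only ever escalates

    for first, repeat in find_duplicates(items):
        flag(repeat.customer, "red",
             f"duplicate item {repeat.serial}, first deposited "
             f"{first.deposit_date} by {first.customer}")
    for it in items:
        if it.amount > limits[it.customer].per_item:
            flag(it.customer, "red",
                 f"item {it.serial} over per-item limit: {it.amount}")
    for (customer, day), total in sorted(daily_totals(items).items()):
        lim = limits[customer]
        if total > lim.per_day:
            flag(customer, "red", f"{day}: daily total {total} over limit")
        elif total >= lim.per_day * lim.warn_ratio:
            flag(customer, "yellow", f"{day}: daily total {total} near limit")
    return report


# Constructed sample data: placeholder customers, MICR values and amounts.
POLICY = Limits(per_item=D("5000"), per_day=D("10000"))
SAMPLE_LIMITS = {c: POLICY for c in ("ACME", "BAKER", "CORTEZ", "DELTA")}
SAMPLE_ITEMS = [
    Item("ACME", date(2009, 2, 2), "000000001", "1111", "1001", D("1200.00")),
    Item("ACME", date(2009, 2, 3), "000000001", "1111", "1001", D("1200.00")),
    Item("BAKER", date(2009, 2, 2), "000000002", "2222", "2001", D("4000.00")),
    Item("BAKER", date(2009, 2, 2), "000000002", "2222", "2002", D("4500.00")),
    Item("CORTEZ", date(2009, 2, 2), "000000003", "3333", "3001", D("7500.00")),
    Item("DELTA", date(2009, 2, 2), "000000004", "4444", "4001", D("300.00")),
]

if __name__ == "__main__":
    for customer, entry in assess(SAMPLE_ITEMS, SAMPLE_LIMITS).items():
        print(customer, entry["status"].upper())
        for finding in entry["findings"]:
            print("   ", finding)
```

Keying duplicates on the MICR fields rather than on the depositing account means a check re-deposited through a different customer or a different day is still caught.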
Risk Reporting and Monitoring Checklist Examples
Develop a Risk Audit Checklist – Example
Written RDC Policies and Procedures Document
Legal Agreements need periodic review
Account Selection rules and limits
Establish thresholds and limits for volume, velocity and value
Monitoring and review of accounts for duplicates, rejected
and returned items
Monitor internal, partner and customer processes:
• Security and Access
• Separation of responsibilities
• Establish procedures for regular reporting
• Deposit history and to identify patterns
• Periodic training, emails or letters to customers
RDC included in audit process (GRC) and customer visits/audit scheduled
as necessary
Frequency of Audit established
Risk Management
Key Risks
• KYC
• Duplicate Presentment
• Data Alteration
• Information Security – Paper &
Electronic
• Fraud Detection
• Image Quality/Integrity
• Errors
Risk Management
Insurance
Duplicate Detection
Data Encryption
Information Security – Procedures &
Technology
Legal Liabilities Shifted
Standards Evolving
Availability Assignment
Security Levels / Approvals
RDC & Related Technologies can provide better risk
management capabilities than were present in a paper-
based processing environment.
Conclusion
A financial institution offering RDC should have:
• Sound risk management and mitigation systems
• Require adequate risk management at customer locations.
• Prior to implementing RDC, and thereafter, management should:
– Periodically conduct a risk assessment to identify types and levels of risk
exposure.
• Comprehensive contracts and customer agreements should identify clearly
the roles, responsibilities, and liabilities.
• Appropriate technology and process controls at both the financial institution
and the customer locations
• Financial institution management and the customer should implement
effective risk measurement and monitoring systems.
• Insurance coverage should be considered as a risk transfer mechanism.
• RDC may not be appropriate for all customers or for all financial institutions.
• The board and senior management are ultimately responsible for safe
and sound operations, including RDC products and services.
Questions?
Thank you to our Sponsors…
Fiserv Source Capture Optimization™ enables a common web platform for remote
deposit capture at the Consumer,
Merchant, Branch, Teller and ATM.
Ranked #1 Branch and Teller Capture Solution in the
industry (AITE, Dec 2008)
Visit www.sco.fiserv.com to learn more
call (800) 872-7882
email: victoria.lant@fiserv.com
Digital Check is a leading technology provider of low-cost check scanners for the distributed
capture marketplace. Delivering reliable performance with superior MICR and image quality,
the TellerScan® and award-winning CheXpress® models TS215, TS230, TS4120, and CX30
are specifically designed to meet the needs of today’s branch and RDC users.
To learn more about Digital Check, the Secure Choice in Distributed Capture™, please visit
www.digitalcheck.com or call 888-838-5744.
For More Information:
• Hope Schall Contact Info
– Hschall@VedderPrice.com
– www.VedderPrice.com
• RemoteDepositCapture.com
– Ed.McLaughlin@RemoteDepositCapture.com
– John.Leekley@RemoteDepositCapture.com
• Additional Resources:
– Download a pdf of the FFIEC Guidance by clicking here.
– Download a pdf of RemoteDepositCapture.com’s Best Practices in RDC Risk
Management presentation by clicking here.
– Join The Discussion: Remote Deposit Capture Risk Management Best Practices,
Examples and More.
– View the Webinar: Best Practices in RDC Risk Management – A Financial
Institution Perspective.
– FFIEC Press Release Website
 
Quick Guide to ISO/IEC 27701 - The Newest Privacy Information Standard
Quick Guide to ISO/IEC 27701 - The Newest Privacy Information StandardQuick Guide to ISO/IEC 27701 - The Newest Privacy Information Standard
Quick Guide to ISO/IEC 27701 - The Newest Privacy Information Standard
 
INFORMATION SECURITY
INFORMATION SECURITYINFORMATION SECURITY
INFORMATION SECURITY
 
Cyber Security Incident Response
Cyber Security Incident ResponseCyber Security Incident Response
Cyber Security Incident Response
 
Easttom C. Computer Security Fundamentals 5ed 2023.pdf
Easttom C. Computer Security Fundamentals 5ed 2023.pdfEasttom C. Computer Security Fundamentals 5ed 2023.pdf
Easttom C. Computer Security Fundamentals 5ed 2023.pdf
 
Security policy
Security policySecurity policy
Security policy
 
Security risk management
Security risk managementSecurity risk management
Security risk management
 
Easttom C. Computer Security Fundamentals 4ed 2020.pdf
Easttom C. Computer Security Fundamentals 4ed 2020.pdfEasttom C. Computer Security Fundamentals 4ed 2020.pdf
Easttom C. Computer Security Fundamentals 4ed 2020.pdf
 
Information security[277]
Information security[277]Information security[277]
Information security[277]
 
Cyber Security For Organization Proposal Powerpoint Presentation Slides
Cyber Security For Organization Proposal Powerpoint Presentation SlidesCyber Security For Organization Proposal Powerpoint Presentation Slides
Cyber Security For Organization Proposal Powerpoint Presentation Slides
 
ISO 27001
ISO 27001ISO 27001
ISO 27001
 
Basic introduction to iso27001
Basic introduction to iso27001Basic introduction to iso27001
Basic introduction to iso27001
 
The importance of information security nowadays
The importance of information security nowadaysThe importance of information security nowadays
The importance of information security nowadays
 
Software security
Software securitySoftware security
Software security
 
Cybersecurity Roadmap for Beginners
Cybersecurity Roadmap for BeginnersCybersecurity Roadmap for Beginners
Cybersecurity Roadmap for Beginners
 
The CIA triad.pptx
The CIA triad.pptxThe CIA triad.pptx
The CIA triad.pptx
 
Combating Cyber Security Using Artificial Intelligence
Combating Cyber Security Using Artificial IntelligenceCombating Cyber Security Using Artificial Intelligence
Combating Cyber Security Using Artificial Intelligence
 

Viewers also liked

Consumo de arte
Consumo de arteConsumo de arte
Consumo de arte
erikapo1
 
2017-02-04 01 Евгений Тюменцев. Выразительные возможности языков программиро...
2017-02-04 01 Евгений Тюменцев. Выразительные возможности языков программиро...2017-02-04 01 Евгений Тюменцев. Выразительные возможности языков программиро...
2017-02-04 01 Евгений Тюменцев. Выразительные возможности языков программиро...
Омские ИТ-субботники
 
2017 RWCA conference and Wake of Fame location
2017 RWCA conference and Wake of Fame location2017 RWCA conference and Wake of Fame location
2017 RWCA conference and Wake of Fame location
K 38
 
Sortiment e-shopu Garnamama.com
Sortiment e-shopu Garnamama.comSortiment e-shopu Garnamama.com
Sortiment e-shopu Garnamama.com
Jan Ruzicka
 
Save-Guarding Your Innovation Landscape: Outsource Innovation and Channel Rev...
Save-Guarding Your Innovation Landscape: Outsource Innovation and Channel Rev...Save-Guarding Your Innovation Landscape: Outsource Innovation and Channel Rev...
Save-Guarding Your Innovation Landscape: Outsource Innovation and Channel Rev...
Derrydean Dadzie
 
Особенности внедрения РРО в чешском e-commerce
Особенности внедрения РРО в чешском e-commerceОсобенности внедрения РРО в чешском e-commerce
Особенности внедрения РРО в чешском e-commerce
Jan Ruzicka
 
Axonim mobile apps en
Axonim mobile apps enAxonim mobile apps en
Axonim mobile apps en
Vitaliy Bozhkov ✔
 
Hidrate spark FMK 2016-17 Grupo 9 presentacion
Hidrate spark  FMK 2016-17 Grupo 9  presentacionHidrate spark  FMK 2016-17 Grupo 9  presentacion
Hidrate spark FMK 2016-17 Grupo 9 presentacion
Fernando Saenz-Marrero
 
Folhetim do Estudante - Ano VI - Núm. 55
Folhetim do Estudante - Ano VI - Núm. 55Folhetim do Estudante - Ano VI - Núm. 55
Folhetim do Estudante - Ano VI - Núm. 55
Valter Gomes
 
E-commerce in der Ukraine 2016
E-commerce in der Ukraine 2016E-commerce in der Ukraine 2016
E-commerce in der Ukraine 2016
Jan Ruzicka
 
Risk Analysis In Business Continuity Management - Jeremy Wong
Risk Analysis In Business Continuity Management - Jeremy WongRisk Analysis In Business Continuity Management - Jeremy Wong
Risk Analysis In Business Continuity Management - Jeremy WongBCM Institute
 
Muller, territorio da escultura
Muller, territorio da esculturaMuller, territorio da escultura
Muller, territorio da escultura
tudense
 
Skill development for construction workers
Skill development for construction workersSkill development for construction workers
Skill development for construction workers
Dr K M SONI
 
Skill development initiative for construction workers
Skill development initiative for construction workersSkill development initiative for construction workers
Skill development initiative for construction workers
KUMAR SUPRATIK Roy
 

Viewers also liked (14)

Consumo de arte
Consumo de arteConsumo de arte
Consumo de arte
 
2017-02-04 01 Евгений Тюменцев. Выразительные возможности языков программиро...
2017-02-04 01 Евгений Тюменцев. Выразительные возможности языков программиро...2017-02-04 01 Евгений Тюменцев. Выразительные возможности языков программиро...
2017-02-04 01 Евгений Тюменцев. Выразительные возможности языков программиро...
 
2017 RWCA conference and Wake of Fame location
2017 RWCA conference and Wake of Fame location2017 RWCA conference and Wake of Fame location
2017 RWCA conference and Wake of Fame location
 
Sortiment e-shopu Garnamama.com
Sortiment e-shopu Garnamama.comSortiment e-shopu Garnamama.com
Sortiment e-shopu Garnamama.com
 
Save-Guarding Your Innovation Landscape: Outsource Innovation and Channel Rev...
Save-Guarding Your Innovation Landscape: Outsource Innovation and Channel Rev...Save-Guarding Your Innovation Landscape: Outsource Innovation and Channel Rev...
Save-Guarding Your Innovation Landscape: Outsource Innovation and Channel Rev...
 
Особенности внедрения РРО в чешском e-commerce
Особенности внедрения РРО в чешском e-commerceОсобенности внедрения РРО в чешском e-commerce
Особенности внедрения РРО в чешском e-commerce
 
Axonim mobile apps en
Axonim mobile apps enAxonim mobile apps en
Axonim mobile apps en
 
Hidrate spark FMK 2016-17 Grupo 9 presentacion
Hidrate spark  FMK 2016-17 Grupo 9  presentacionHidrate spark  FMK 2016-17 Grupo 9  presentacion
Hidrate spark FMK 2016-17 Grupo 9 presentacion
 
Folhetim do Estudante - Ano VI - Núm. 55
Folhetim do Estudante - Ano VI - Núm. 55Folhetim do Estudante - Ano VI - Núm. 55
Folhetim do Estudante - Ano VI - Núm. 55
 
E-commerce in der Ukraine 2016
E-commerce in der Ukraine 2016E-commerce in der Ukraine 2016
E-commerce in der Ukraine 2016
 
Risk Analysis In Business Continuity Management - Jeremy Wong
Risk Analysis In Business Continuity Management - Jeremy WongRisk Analysis In Business Continuity Management - Jeremy Wong
Risk Analysis In Business Continuity Management - Jeremy Wong
 
Muller, territorio da escultura
Muller, territorio da esculturaMuller, territorio da escultura
Muller, territorio da escultura
 
Skill development for construction workers
Skill development for construction workersSkill development for construction workers
Skill development for construction workers
 
Skill development initiative for construction workers
Skill development initiative for construction workersSkill development initiative for construction workers
Skill development initiative for construction workers
 

Similar to Remote Deposit Capture Risk Management & FFIEC Complaince

Best Practices in Remote Deposit Capture Risk Management
Best Practices in Remote Deposit Capture Risk ManagementBest Practices in Remote Deposit Capture Risk Management
Best Practices in Remote Deposit Capture Risk Management
JTLeekley
 
D&B onboard.pdf
D&B onboard.pdfD&B onboard.pdf
D&B onboard.pdf
Wilson Kao
 
Remote Deposit Capture Risk Management, May 2010 Update
Remote Deposit Capture Risk Management, May 2010 UpdateRemote Deposit Capture Risk Management, May 2010 Update
Remote Deposit Capture Risk Management, May 2010 Update
JTLeekley
 
Inside Bitcoins_Shapiro
Inside Bitcoins_ShapiroInside Bitcoins_Shapiro
Inside Bitcoins_Shapiro
Mediabistro
 
Asian Financial Services Congress 2013 - The Challenge with Regulations
Asian Financial Services Congress 2013 - The Challenge with RegulationsAsian Financial Services Congress 2013 - The Challenge with Regulations
Asian Financial Services Congress 2013 - The Challenge with RegulationsSam Gibbins 紀俊森
 
Doculabs 2014 risk and compliance practice introduction finance
Doculabs 2014   risk and compliance practice introduction financeDoculabs 2014   risk and compliance practice introduction finance
Doculabs 2014 risk and compliance practice introduction finance
Scott Swanson , CFE, CFCI
 
04/28/2010 Meeting - Contract Compliance
04/28/2010 Meeting - Contract Compliance04/28/2010 Meeting - Contract Compliance
04/28/2010 Meeting - Contract Complianceacfesj
 
Evaluating Vendor Risks - slides
Evaluating Vendor Risks - slidesEvaluating Vendor Risks - slides
Evaluating Vendor Risks - slidesISACA New England
 
The Role of Regulations in the Development of Digital Finance
The Role of Regulations in the Development of Digital FinanceThe Role of Regulations in the Development of Digital Finance
The Role of Regulations in the Development of Digital Finance
John Owens
 
Navigate the Financial Crime Landscape with a Vendor Management Program
Navigate the Financial Crime Landscape with a Vendor Management ProgramNavigate the Financial Crime Landscape with a Vendor Management Program
Navigate the Financial Crime Landscape with a Vendor Management Program
Perficient, Inc.
 
Evaluating Vendor Risks - Presentation
Evaluating Vendor Risks - PresentationEvaluating Vendor Risks - Presentation
Evaluating Vendor Risks - PresentationISACA New England
 
02/18/2010 Meeting - Data Analytics
02/18/2010 Meeting - Data Analytics02/18/2010 Meeting - Data Analytics
02/18/2010 Meeting - Data Analyticsacfesj
 
Veta compliance operations review
Veta compliance operations reviewVeta compliance operations review
Veta compliance operations reviewMark Taylor
 
Cyber Recovery - Legal Toolkit
Cyber Recovery - Legal ToolkitCyber Recovery - Legal Toolkit
Cyber Recovery - Legal Toolkit
Kevin Duffey
 
LiveOffice Email Archiving & Compliance 201
LiveOffice Email Archiving & Compliance 201LiveOffice Email Archiving & Compliance 201
LiveOffice Email Archiving & Compliance 201
Veritas Technologies LLC
 
The Future of Transaction Reporting
The Future of Transaction ReportingThe Future of Transaction Reporting
The Future of Transaction Reporting
Antreas Artemiou
 
S26: Techsauce Global Summit 2018
S26: Techsauce Global Summit 2018S26: Techsauce Global Summit 2018
S26: Techsauce Global Summit 2018
Kullarat Phongsathaporn
 
RESPA-TILA Integrated Disclosure: Are You Ready?
RESPA-TILA Integrated Disclosure: Are You Ready?RESPA-TILA Integrated Disclosure: Are You Ready?
RESPA-TILA Integrated Disclosure: Are You Ready?
Infinitive
 
Trust Frameworks and Open Banking #fapisum - Japan/UK Open Banking and APIs S...
Trust Frameworks and Open Banking #fapisum - Japan/UK Open Banking and APIs S...Trust Frameworks and Open Banking #fapisum - Japan/UK Open Banking and APIs S...
Trust Frameworks and Open Banking #fapisum - Japan/UK Open Banking and APIs S...
FinTechLabs.io
 

Similar to Remote Deposit Capture Risk Management & FFIEC Complaince (20)

Best Practices in Remote Deposit Capture Risk Management
Best Practices in Remote Deposit Capture Risk ManagementBest Practices in Remote Deposit Capture Risk Management
Best Practices in Remote Deposit Capture Risk Management
 
D&B onboard.pdf
D&B onboard.pdfD&B onboard.pdf
D&B onboard.pdf
 
Remote Deposit Capture Risk Management, May 2010 Update
Remote Deposit Capture Risk Management, May 2010 UpdateRemote Deposit Capture Risk Management, May 2010 Update
Remote Deposit Capture Risk Management, May 2010 Update
 
Inside Bitcoins_Shapiro
Inside Bitcoins_ShapiroInside Bitcoins_Shapiro
Inside Bitcoins_Shapiro
 
Asian Financial Services Congress 2013 - The Challenge with Regulations
Asian Financial Services Congress 2013 - The Challenge with RegulationsAsian Financial Services Congress 2013 - The Challenge with Regulations
Asian Financial Services Congress 2013 - The Challenge with Regulations
 
Doculabs 2014 risk and compliance practice introduction finance
Doculabs 2014   risk and compliance practice introduction financeDoculabs 2014   risk and compliance practice introduction finance
Doculabs 2014 risk and compliance practice introduction finance
 
04/28/2010 Meeting - Contract Compliance
04/28/2010 Meeting - Contract Compliance04/28/2010 Meeting - Contract Compliance
04/28/2010 Meeting - Contract Compliance
 
Evaluating Vendor Risks - slides
Evaluating Vendor Risks - slidesEvaluating Vendor Risks - slides
Evaluating Vendor Risks - slides
 
The Role of Regulations in the Development of Digital Finance
The Role of Regulations in the Development of Digital FinanceThe Role of Regulations in the Development of Digital Finance
The Role of Regulations in the Development of Digital Finance
 
Navigate the Financial Crime Landscape with a Vendor Management Program
Navigate the Financial Crime Landscape with a Vendor Management ProgramNavigate the Financial Crime Landscape with a Vendor Management Program
Navigate the Financial Crime Landscape with a Vendor Management Program
 
Evaluating Vendor Risks - Presentation
Evaluating Vendor Risks - PresentationEvaluating Vendor Risks - Presentation
Evaluating Vendor Risks - Presentation
 
02/18/2010 Meeting - Data Analytics
02/18/2010 Meeting - Data Analytics02/18/2010 Meeting - Data Analytics
02/18/2010 Meeting - Data Analytics
 
Veta compliance operations review
Veta compliance operations reviewVeta compliance operations review
Veta compliance operations review
 
Cyber Recovery - Legal Toolkit
Cyber Recovery - Legal ToolkitCyber Recovery - Legal Toolkit
Cyber Recovery - Legal Toolkit
 
LiveOffice Email Archiving & Compliance 201
LiveOffice Email Archiving & Compliance 201LiveOffice Email Archiving & Compliance 201
LiveOffice Email Archiving & Compliance 201
 
Volcker webcast PPT V1
Volcker webcast PPT V1Volcker webcast PPT V1
Volcker webcast PPT V1
 
The Future of Transaction Reporting
The Future of Transaction ReportingThe Future of Transaction Reporting
The Future of Transaction Reporting
 
S26: Techsauce Global Summit 2018
S26: Techsauce Global Summit 2018S26: Techsauce Global Summit 2018
S26: Techsauce Global Summit 2018
 
RESPA-TILA Integrated Disclosure: Are You Ready?
RESPA-TILA Integrated Disclosure: Are You Ready?RESPA-TILA Integrated Disclosure: Are You Ready?
RESPA-TILA Integrated Disclosure: Are You Ready?
 
Trust Frameworks and Open Banking #fapisum - Japan/UK Open Banking and APIs S...
Trust Frameworks and Open Banking #fapisum - Japan/UK Open Banking and APIs S...Trust Frameworks and Open Banking #fapisum - Japan/UK Open Banking and APIs S...
Trust Frameworks and Open Banking #fapisum - Japan/UK Open Banking and APIs S...
 

Remote Deposit Capture Risk Management & FFIEC Compliance

  • 1. RDC Risk Management & FFIEC Compliance
      Presented By:
      John Leekley, Founder & CEO
      Ed McLaughlin, Executive Director
      RemoteDepositCapture.com
      &
      Hope Schall, Attorney, Vedder Price P.C.
      February 2009
      This webinar is sponsored by:
  • 2. A Unique Perspective
      RemoteDepositCapture.com is an independent information & services resource for the Payments Industry.
      – We are NOT a reseller, solution provider, etc.
      – We ARE experts in, and an open resource for the industry.
      – We work with the vast majority of leading solution providers, FIs, processors.
      – Thousands of FIs, corporations, businesses and consumers visit the site each month.
      – We were directly involved in the formulation of the guidance and training of hundreds of auditors.
      – Services
      • News & Research
      • RDC Marketplace
      • Solution Provider Directories
      • RDC Overviews
      • White Paper Central
      • FREE Webinars, and more.
      • Contacts:
      • John.Leekley@RemoteDepositCapture.com
      • Ed.McLaughlin@RemoteDepositCapture.com
      Copyright 2009, Remote Deposit Capture, LLC. Remote Deposit Capture Risk Management & FFIEC Compliance
  • 3. Today’s webinar is brought to you by…
      Digital Check is a leading technology provider of low-cost check scanners for the distributed capture marketplace. Delivering reliable performance with superior MICR and image quality, the TellerScan® and award-winning CheXpress® models TS215, TS230, TS4120, and CX30 are specifically designed to meet the needs of today’s branch and RDC users.
      To learn more about Digital Check, the Secure Choice in Distributed Capture™, please visit www.digitalcheck.com or call 888-838-5744.
      Fiserv Source Capture Optimization™ enables a common web platform for remote deposit capture at the Consumer, Merchant, Branch, Teller and ATM.
      Ranked #1 Branch and Teller Capture Solution in the industry (AITE, Dec 2008)
      Visit www.sco.fiserv.com to learn more.
      • call (800) 872-7882
      • email: victoria.lant@fiserv.com
  • 4. Agenda
      • Introduction to the FFIEC Guidance
      • RDC Risk Overview
      • Legal Agreements
      • Strategic Approaches to Risk Management & Compliance
      – Technology
      – Operations
      – Information Security
      – Vendors, Customers & Personnel
      – Risk Measurement, Monitoring & Reporting
      – Mitigation & Control
      Legal Disclaimer: This is not legal advice. RemoteDepositCapture.com is reporting on observations and experiences while working directly with dozens of solution providers, financial institutions and the various regulatory agencies. For legal advice / guidance, please work with a competent and qualified legal representative.
      Please see our “Best Practices in RDC Risk Management” Webinar for implementable RDC risk management tactics.
  • 5. Introduction
      • FFIEC RDC Risk Management Guidance released January 14, 2009
      – Elements of an RDC risk management process in an electronic environment,
      – Focusing on RDC deployed at a customer location.
      • Principles of RDC risk management discussed are also applicable to
      – FI’s Internal deployment – Branch, Cash Vault
      – Other forms of electronic deposit delivery systems (e.g., mobile banking and automated clearing house [ACH] check conversions).
      • Click Here to Download the FFIEC Guidance
      • Click Here to View our Webinar: Best Practices in RDC Risk Management
  • 6. RDC is a Payments Platform
      RDC Applies to a family of related products & services most often differentiated by location of check capture.
      Consumer RDC: Already here with 75,000+ Users!
      The term “Remote Deposit Capture” refers to the process of electronically capturing check images and data, transmitting that information for deposit and clearing, and truncating the original paper checks. This definition is evolving to include additional payment types, including card payments.
      [Diagram labels: Remote Deposit Capture, Lockbox, Branch, Teller, Corporate, Merchant, Correspondent, ATM, Consumer]
      RDC is becoming an integrated technology platform increasingly used to process different types of payments and data with the ability to feed that data to systems both internal and external to the organization.
  • 7. Three Pillars of the FFIEC Guidance
      • Responsibility
      – Senior Management
      – Board
      • Risks
      – Internal
      – External
      – Process
      • Mitigation
      – Planning
      – Assessment
      – Mitigate
      – Measure
      – Report
      – Monitor
      [Diagram labels: Risks, Responsibility, Mitigation]
  • 8. FFIEC - Risks With RDC
      • Legal/Contractual Agreements
      • Customer Selection
      – Risk begins here
      – Customer Audit
      • Access
      • Vendor Selection & Risk Management
      • Implementation
      • Physical & Logical Security
      – Monitoring & Thresholds
      – Duplicate Detection
      • Privacy of Non Public Information
      • Business Continuity & System Failure
  • 9. Risk Management of Remote Deposit Capture
      • RDC is a new delivery system and not simply a new service.
      • It is necessary to identify and assess the following:
      – Risks
      • legal,
      • compliance,
      • reputation, and
      • operational
      – Business Objectives & Capabilities
      • Ensure RDC is compatible with institution’s business:
      • Strategies
      • ROI
      • Ability to manage the risks inherent in RDC.
      • Incorporate RDC Risk assessments into existing risk assessment processes
  • 10. Risk Management Processes & Responsibilities
      • Establish a Risk Framework
      – Planning,
      – Risk identification and assessment,
      – Controls,
      – Measuring and Monitoring
      • Determine appropriate level of governance, oversight, and risk management
      – Size and complexity of the financial institution,
      – Relative scale and impact of RDC to overall activities
      • Management must:
      – Approve plans, policies, and significant expenditures,
      – Review periodic performance and risk management reports on implementation and ongoing operation and services.
      – Management is responsible for the RDC system
      [Figure: RDC Risk Framework. Labels: Risk Granularity, Risk Discipline, Risk Activities, Legal, Compliance, Reputation, Operational, Internal, 3rd Party, Customer, Technology, Planning, Risk Identification, Risk Assessment, Controls, Measure, Monitor, Report]
  • 11. Hope Schall - Biography
      • Ms. Schall is an attorney at Vedder Price P.C. in Chicago, Illinois. The Financial Institutions Group at Vedder Price represents financial institutions and financial service providers of all sizes throughout the U.S.
      • Ms. Schall concentrates her practice on a wide range of bank and thrift-related matters, including regulatory and payment issues, mergers and acquisitions and the development of new financial products.
      • Prior to joining Vedder Price, Ms. Schall served as an attorney for the Federal Reserve Bank of Chicago, where her responsibilities included advising the Reserve Bank on banking supervisory and regulatory issues and payments and financial services issues, including matters involving FedLine Services, Fedwire, FedACH and various check services.
      • Ms. Schall is a frequent speaker at banking and payment conferences across the country. She holds an LL.M. degree in Financial Services Law from Chicago-Kent College of Law and a J.D. degree from DePaul University.
  • 12. Legal Risk Overview
      • Anti-Money Laundering & Bank Secrecy Act issues
      • Applicable law, rules and agreements
      • Agreements between banks and their service providers
      • Agreements between banks and their customers
  • 13. Contracts & Agreements
      • Banks engaging in RDC should have strong, well-constructed contracts and customer agreements.
      • Legal counsel should help develop agreements.
      • Agreements should include various provisions set forth in the guidance.
      • Guidance requires actions that can only be accomplished via an agreement.
  • 14. “Top” 5 Requirements
      1. Roles and responsibilities
      2. Governing laws, regulations and rules
      3. Allocation of liability
      4. Termination
      5. Handling and record retention procedures
  • 15. 1. Roles and Responsibilities
      • Contract should be tailored to the service.
      • Describe the service that is being provided.
      – E.g., Who is the customer? Is ACH processing involved? Where does imaging occur?
      • Describe the items to be processed.
      • Describe limitations.
      • Address responsibility for equipment and software.
      • Address responsibility for security.
  • 16. 2. Governing Law
      • There is no law that governs the processing of check images.
      • Paper check processing without an agreement is governed by the UCC default provisions.
      • Banks need agreements to set forth the law and provisions they want to apply to the processing of check images.
  • 17. 2. Governing Law
      • Make check law apply.
      – E.g., UCC Articles 3 & 4, Regulation CC, Clearinghouse Rules, Federal Reserve Operating Circulars, etc.
      • Address gaps in the law.
      – E.g., image format, image quality, returned items, duplicate items, etc.
      • Push back warranties, liabilities and risks.
      – E.g., bank of first deposit warranties, Check 21 Act warranties and indemnities
  • 18. 3. Allocation of Liability
      • Only responsible for performing the services set forth in the agreement.
      • Only liable for actual damages.
      • Except as otherwise required by law, liable up to a certain limit.
  • 19. 4. Termination
      • Customer may terminate with prior notice and Bank may terminate immediately.
      • Termination does not affect transactions in process.
      • Retain ability to obtain funds from other customer accounts.
      • Customer should have contingency procedures in place.
  • 20. 5. Handling and Record Retention
      • Big issue for examiners.
      • Must require that the customer securely store and destroy original checks.
  • 21. Additional Provisions
      • Warranties, indemnification and dispute resolution
      • Types of items that may be transmitted
      • Documents RDC customers must provide to facilitate investigations or resolve disputes
      • Processes and procedures that customer must follow
      • Periodic audits of the RDC process, including IT infrastructure
      • Performance standards for the financial institution and customer
      • Funds availability, collateral and collected funds requirements
      • Authority of the financial institution to mandate internal controls, customer’s location, audit of operations or request additional information
  • 22. RDC Risk Assessment Should Identify
      • Risks to the security and confidentiality of nonpublic personal information
      • Changes in:
      – Technology
      – Sensitivity of customer information
      – Internal or external threats to information
      – Business arrangements.
      • Risks associated with location may vary based on:
      – In house deployment
      – Type of Business
      – Remote locations
      – Business or Home (Consumer)
      – Domestic or International
      • Difference depending on clearing items under either or both:
      – Check 21
      – ACH
  • 23. RDC Has Impacts Throughout The Organization
      • Systems Impacted
      – DDA, Float, Billing, Client Information Files, ACH, Returns, etc.
      • Operations Impacted
      – Check Processing, ACH, Research, Proof, etc.
      – Business Continuity
      • Business Divisions Impacted
      – Sales, Support, Product Management, Risk, and more
      • Financials Impacted
      – Fee Income
      – Float
      – Deposit Balances, Capital Base, Liquidity, Loans
      • Products Impacted:
      – DDA, Deposits, ACH, Online Banking, and more.
      • RDC requires an organization-wide collaborative effort
      • Deposit Products Product Management should lead.
      [Diagram labels: Financial Institution, DDA, ACH, RISK, SECURITY, OPERATIONS, TREASURY, TECHNOLOGY]
  • 24. Which Resources are Required?
      Remote Deposit Capture Implementation Stakeholders
      Area: Senior Management Sponsor Project Management Office (PMO) Product Management Cash Management Sales IT - Application Development IT - Infrastructure/Operations IT – Security Audit HR/Training Procurement/Vendor Management Operations (ACH, Day1, Day 2, Lockbox) Risk / Compliance Finance & Treasury 3rd Parties
      Source: Catalyst Consulting, RemoteDepositCapture.com
      Deposits are the “lifeblood” of any financial institution. RDC impacts almost all areas within an FI.
  • 25. Vendor Due Diligence and Suitability
      • Deployment Options
      – “In-House”
      – “ASP / Hosted”
      – View Webinar: Hosted vs. In-House Solutions
      • Service Level Agreements
      – Processing Timeliness, Bandwidth, Uptime
      – Cutoffs, Reviews, Data Entry
      – Help Desk Roles & Responsibilities
      • Security, Accessibility & Reliability
      – SAS 70 Type II Certification
      – Issue Resolution, Reporting
      – Process / System Monitoring & Confirmations
      Financial institutions that rely on service providers for RDC activities should ensure implementation of sound vendor management processes
  • 26. Vendor Risk Management
      • Selecting the “Right” Solution Provider
          – Is RDC a Core Capability?
          – Financial Stability
          – Systemic Capabilities
          – Strategic Fit for your organization
      • Operational Risk Management
          – Scalability, Reliability & Processing Bandwidth
          – Online access to real-time reports
          – Parameter-driven systems (item thresholds, etc.)
          – Process & System Monitoring Capabilities
      Financial institutions that rely on service providers for RDC activities should ensure implementation of sound vendor management processes
  • 27. Business Continuity & Disaster Recovery
      The financial institution’s BCP & DR plans should address:
      • RDC systems and business processes, and the testing activities
      • Contingency plan development and testing should be coordinated with customers using RDC.
  • 28. Operational Risks
      • Identify operational risks
          • Access and Security of systems,
          • Access and storage of original deposit items
          • Location and security of electronic files
          • Security and safekeeping of retained nonpublic personal information
          • Faulty equipment
          • Inadequate procedures
          • Inadequate training
          • Document processing
          • Poor image quality
          • Inaccurate electronic data
      Therefore, it is important to require customers to implement appropriate document management procedures to ensure the safety and integrity of deposited items from the time of receipt until the time of destruction or other voiding.
  • 29. Authentication & High Risk Transactions
      Authentication system recommendations: multifactor authentication, layered security, or other controls reasonably calculated to mitigate risks.
      • Elevated or New Risks in an RDC environment.
          – Check alteration & Magnetic Ink Character Recognition (MICR) line
          – Forged or missing endorsements
          – Check security features
          – Physical alteration of a deposited check – such as by “washing”
          – Counterfeit items
          – Duplicate presentment.
      • Customer personnel
      • Access by customers and their staffs to nonpublic personal information.
      High-risk transactions involve access to customer information or the movement of funds to other parties. The agencies consider transfer of deposit transaction information to represent “the movement of funds to other parties.”
  • 30. Operational Risks - Lack of Control
      Guidance
      • Ineffective controls at the customer location lead to:
          • The intentional or unintentional alteration of deposit item information,
          • Resubmission of an electronic file,
          • Re-deposit of physical items.
      • Inadequate separation of duties at customer location can afford an individual:
          • End-to-end access to the RDC process
          • The ability to alter logical and physical information without detection.
      Control
      • Identify and flag changes made to scanned item or meta data (MICR, CAR/LAR)
      • Duplicate file detection
      • Duplicate item detection
      • Franking, endorsement, audit trail marking
      • Administrative controls that assign, track and report entitlements, e.g. require a separate person for account setup and deposit review approval
      • Dual control where appropriate
  • 31. IT Security Risks
      Guidance
      • Internal networks
      • External networks of service providers & customers.
      • Technology-related operational risks include
          – Failure to maintain compatible and integrated IT systems
          – Multiple release levels of associated software or hardware
          – Failure to install an update or patch
          – Web application vulnerabilities
          – Authentication
          – Lack of encryption at any point in the process.
      Control
      • IT audit controls (existing)
      • Vendor Risk Management (existing)
      • Customer audits and certification
      • Active monitoring of HW & SW inventory
      • Stringent change control procedures
      • IT security audits (existing)
      • Layered authentication (BITS, MFA)
      • IT security audit (existing)
  • 32. Examples of Existing Assessment Requirements
      • Interagency Guidelines Establishing Information Security Standards: The Security Guidelines require a financial institution to design an information security program to control the risks identified through its assessment, commensurate with the sensitivity of the information and the complexity and scope of its activities
      • FFIEC IT Examination Handbook: Information Security Booklet: Individual financial institutions and their service providers must maintain effective security programs adequate for their operational complexity. These security programs must have strong board and senior management level support, integration of security activities and controls throughout the organization’s business processes, and clear accountability for carrying out security responsibilities
      • Bank Secrecy Act / Anti-Money Laundering Examination Manual: 12 CFR 748 — “Security Program, Report of Crime and Catastrophic Act and Bank Secrecy Act Compliance” Requires federally insured credit unions to maintain security programs and comply with the BSA
  • 33. Goal - Assess Once For Many
  • 34. Risk Management: Mitigation and Controls
      Management must complete and approve a comprehensive risk assessment before (prior to) implementing an RDC system and show:
      • It can manage the risks associated with RDC
      • Implement appropriate risk management policies
      • It can effectively mitigate, measure, and monitor those risks and establish:
          – Risk tolerance levels,
          – Internal procedures and controls,
          – Risk transfer mechanisms where appropriate and available,
          – Develop well-designed contracts
  • 35. Customer Due Diligence and Suitability
      • Risk Mitigation begins with Customer Selection
      • Establish appropriate risk-based guidelines, e.g. BSA/AML
      • Foreign correspondent accounts are subject to further due diligence
      • New and existing customers, a suitability review should include:
          – Business activities
          – Review of their risk management processes
          – Location
          – Their customer base
          – Review should be commensurate with the level of risk
          – When the level of risk warrants, visits to the customer’s physical location should be included to evaluate the following:
              • Management, operational controls and
              • Risk management practices,
              • Staffing and the need for training and ongoing support,
              • IT infrastructure
      • Review available reports of independent audits
      • When appropriate, risk self-assessments by the RDC customer may be adequate
  • 36. Mitigation and Control Considerations
      • Separation of duties or other compensating controls
      • Strong change control processes
      • Deposit items can be endorsed, franked, or otherwise noted as already processed.
      • Insurance coverage may provide a cost effective way to mitigate risk further.
      These controls should be designed and implemented to ensure the security and integrity of data
  • 37. Risk Management: Measuring and Monitoring
      The following elements must be addressed in a Risk Management and Monitoring System:
      • Risk measuring and monitoring systems – Internal, Partner and Customer
      • Establish accurate & timely operational performance metrics
      • Set operational benchmarks and standards,
      • Regular reviews of the reports, scheduled periodic reviews and operational risk assessments.
      • Establish Reports to track, monitor and measure:
          – Duplicate entries
          – Violations of deposit thresholds.
          – Velocity metrics, i.e., file size and number of files, transaction dollar value and volume, and return item dollar value and volume
          – Reject items and corrections.
          – Reports should address point-in-time activities as well as trends for individual and/or groups of customers with similar characteristics, and for the RDC product as a whole
      • Report content should be structured to meet the needs of the various levels of management.
  • 38. Risk Management Process – A Planning and Mitigation Life Cycle
      • Risk Planning
          – Identify Risk Items and Categories
          – Assign Risk Levels
      • Assess Risk
          – Customer Selection – Business, Tenure, Transaction History, Balances, Availability
          – Legal Requirements
          – Operations – IT, Networking, Vendor
          – Security – Data, Identity, Network
      • Mitigation Plans – Controls
          – Policies
          – People
          – Processes
          – Technology
      • Measure Results
          – Establish Schedule, Standards and Measurement Criteria
          – Automate as many as possible
          – Establish a red, yellow and green system to identify risk exposure
          – Audit – Internal, external and customer
      • Monitor
          – Policy
          – Operations
          – Security
          – Procedures
      • Report
          – Frequency of Reports
          – Frequency of Reviews
  • 39. Risk Reporting & Monitoring
      • Establish Policies and procedures for RDC that include metrics for reporting and risk tolerances for accounts:
          – Account rules and limits
              • Account Selection – Tenure, Transaction history, Balances, Type of Business
              • Deposit limits – per day for review and analysis + per week or month
              • Item amount ($) limits – Maximum per check
              • Random review of deposits – For accuracy
          – Monitoring and review of accounts (aka ACH) for duplicates, rejected and returned items
          – Monitor internal processes for separation of responsibilities: administration for password, account setup, account access, deposit review, etc.
          – Establish procedures for regular reporting of deposit history and to identify patterns
          – Periodic emails or letters to customers to remind them of their responsibilities for: training, security, process, check retention, endorsements, adequate safeguards for storage of checks and account information
      • Include RDC in audit process
  • 40. Risk Reporting and Monitoring Checklist Examples
      Develop a Risk Audit Checklist – Example
          – Written RDC Policies and Procedures Document
          – Legal Agreement need periodic review
          – Account Selection rules and limits
          – Establish thresholds and limits for volume, velocity and value
          – Monitoring and review of accounts for duplicates, rejected and returned items
          – Monitor internal, partner and customer processes:
              • Security and Access
              • Separation of responsibilities
              • Establish procedures for regular reporting
              • Deposit history and to identify patterns
              • Periodic training, emails or letters to customers
          – RDC included in audit process (GRC) and customer visits/audit scheduled as necessary
          – Frequency of Audit established
  • 41. Risk Management
      Key Risks
      • KYC
      • Duplicate Presentment
      • Data Alteration
      • Information Security – Paper & Electronic
      • Fraud Detection
      • Image Quality/Integrity
      • Errors
      Risk Management
      • Insurance
      • Duplicate Detection
      • Data Encryption
      • Information Security – Procedures & Technology
      • Legal Liabilities Shifted
      • Standards Evolving
      • Availability Assignment
      • Security Levels / Approvals
      RDC & Related Technologies can provide better risk management capabilities than were present in a paper-based processing environment.
  • 42. Conclusion
      A financial institution offering RDC should have:
      • Sound risk management and mitigation systems
      • Require adequate risk management at customer locations.
      • Prior to implementing RDC, and thereafter, management should:
          – Periodically conduct a risk assessment to identify types and levels of risk exposure.
      • Comprehensive contracts and customer agreements should identify clearly the roles, responsibilities, and liabilities.
      • Appropriate technology and process controls at both the financial institution and the customer locations
      • Financial institution management and the customer should implement effective risk measurement and monitoring systems.
      • Insurance coverage should be considered as a risk transfer mechanism.
      • RDC may not be appropriate for all customers or for all financial institutions.
      • The board and senior management are ultimately responsible for safe and sound operations, including RDC products and services.
  • 43. Questions?
  • 44. Thank you to our Sponsors…
      Fiserv Source Capture Optimization™ enables a common web platform for remote deposit capture at the Consumer, Merchant, Branch, Teller and ATM.
      Ranked #1 Branch and Teller Capture Solution in the industry (AITE, Dec 2008)
      Visit www.sco.fiserv.com to learn more
      • call (800) 872-7882
      • email: victoria.lant@fiserv.com
  • 45. Thank you to our Sponsors…
      Digital Check is a leading technology provider of low-cost check scanners for the distributed capture marketplace. Delivering reliable performance with superior MICR and image quality, the TellerScan® and award-winning CheXpress® models TS215 TS230, TS4120, and CX30 are specifically designed to meet the needs of today’s branch and RDC users.
      To learn more about Digital Check, the Secure Choice in Distributed Capture™, please visit www.digitalcheck.com or call 888-838-5744.
  • 46. For More Information:
      • Hope Schall Contact Info
          – Hschall@VedderPrice.com
          – www.VedderPrice.com
      • RemoteDepositCapture.com
          – Ed.McLaughlin@RemoteDepositCapture.com
          – John.Leekley@RemoteDepositCapture.com
      • Additional Resources:
          – Download a pdf of the FFIEC Guidance by clicking here.
          – Download a pdf of RemoteDepositCapture.com’s Best Practices in RDC Risk Management presentation by clicking here.
          – Join The Discussion: Remote Deposit Capture Risk Management Best Practices, Examples and More.
          – View the Webinar: Best Practices in RDC Risk Management – A Financial Institution Perspective.
          – FFIEC Press Release Website
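
Slides 30, 37 and 39 call for duplicate file detection, duplicate item detection and reports on deposit threshold violations; the sketch below is an added example (not part of the presentation) of how such a report could be produced. The limit values, the record layout, the customer names and the red/yellow/green mapping are assumptions made for illustration.

```python
import hashlib
from collections import defaultdict

# Hypothetical limits (in cents); real values come from the institution's RDC policy.
ITEM_LIMIT = 500_000      # maximum per check: $5,000.00
DAILY_LIMIT = 2_000_000   # maximum per customer per day: $20,000.00

def file_digest(items):
    """Order-independent SHA-256 over a deposit file's items."""
    canon = "\n".join(sorted("|".join(map(str, item)) for item in items))
    return hashlib.sha256(canon.encode()).hexdigest()

def review(files):
    """files: [(customer, date, [(routing, account, serial, cents), ...]), ...]
    Returns findings as (customer, date, kind, detail) tuples."""
    findings, seen_files, seen_checks = [], {}, {}
    daily = defaultdict(int)
    for idx, (cust, date, items) in enumerate(files):
        digest = file_digest(items)
        if digest in seen_files:  # resubmitted electronic file
            findings.append((cust, date, "duplicate_file", f"matches file {seen_files[digest]}"))
            continue              # its items are not counted a second time
        seen_files[digest] = idx
        for routing, account, serial, cents in items:
            check = (routing, account, serial)  # MICR-line identity of the item
            if check in seen_checks:            # re-deposit of the same item
                findings.append((cust, date, "duplicate_item", f"check {serial} seen in file {seen_checks[check]}"))
                continue
            seen_checks[check] = idx
            if cents > ITEM_LIMIT:
                findings.append((cust, date, "item_limit", f"check {serial}: {cents / 100:.2f}"))
            daily[(cust, date)] += cents
    for (cust, date), total in daily.items():
        if total > DAILY_LIMIT:
            findings.append((cust, date, "daily_limit", f"total {total / 100:.2f}"))
    return findings

def rating(findings, customer):
    """Assumed mapping: red on any duplicate, yellow on limit violations only, else green."""
    kinds = {kind for cust, _, kind, _ in findings if cust == customer}
    if kinds & {"duplicate_file", "duplicate_item"}:
        return "red"
    return "yellow" if kinds else "green"

R = "000000000"  # constructed placeholder routing number
SAMPLE = [       # constructed deposit files, not real data
    ("acme", "2009-02-02", [(R, "111", "1001", 150_000), (R, "111", "1002", 620_000)]),
    ("acme", "2009-02-02", [(R, "111", "1002", 620_000), (R, "111", "1001", 150_000)]),
    ("acme", "2009-02-03", [(R, "222", "2001", 90_000), (R, "111", "1001", 150_000)]),
    ("birch", "2009-02-02", [(R, "333", str(3001 + n), 450_000) for n in range(5)]),
    ("cedar", "2009-02-02", [(R, "444", "4001", 100_000)]),
]
```

Calling `review(SAMPLE)` and then `rating(...)` per customer gives the point-in-time view; the velocity and trend reports from slide 37 would aggregate the same findings over longer windows.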