Remote Deposit Capture Customer Due Diligence FFIEC Tier II Exam Considerations Plus Mobile Capture! March 5, Topics of Discussion

Transcription

1 Remote Deposit Capture Customer Due Diligence FFIEC Tier II Exam Considerations Plus Mobile Capture! March 5, 2014 Carolyn C. Dowdy, Speaker Bank Project Solutions does not guaranty by implementing criteria of this Webinar that you will not receive regulatory comments or recommendations. Topics of Discussion Understanding RDC Basics and Exam Objective Purpose of Team Collaboration Determining Level of Governance Pertinent RDC Program Fundamentals Understanding Guidance Customer Suitability and Due Diligence Considerations RDC Business Application Content Considerations Site Visits and Customers Self Assessments Considerations Mobile Deposit Capture Outline of RDC Examination Findings Conclusion Presentation Resources and Educational Resources 1

2 Understanding RDC Examination Objective Exam Success = Team Collaboration Understanding RDC Remote Deposit Capture (RDC) A deposit transaction delivery system which allows a financial institution to receive digital information from deposit documents captured at remote locations. (FIL letter: Risk Management of Remote Deposit Capture ) 2

3 Understanding RDC Deposit Delivery Systems include: Merchant or Business Capture Corporate Capture Consumer / Personal Capture ATM Deposit Capture Branch Capture Teller Capture Mobile Deposit Capture (Consumer or Business) Also referred to as Remote Deposit Capture and Remote Capture NOTE: Be sure your policies, procedures, business processes, controls, RDC Strategic Plan, and risk assessment address each delivery system implemented! Examination Objective Retail Payment Systems FFIEC Tier I & Tier II examination objective: Evaluate Policies and procedures Business processes Personnel Internal control systems including: Information Security Business Continuity Disaster Recovery Vendor Management Program Will you have a Retail Payment Systems Tier I, Tier II, or combination of both exam? Will other IT Handbooks and guidance be utilized by examiners? 3

4 Exam Success = Team Collaboration Who might be on your team and why? Member(s) of Senior Management (e.g. Sr Credit Officer, CFO) Chief Technology Officer/Information Security Officer Operations Officer/Cash or Treasury Manager Compliance Officer(s) including BSA Officer Risk Managers HR/Training Officer(s) Auditors (audit, but stay independent) Others, as appropriate Integrated team approach Determining Level of Governance RDC and Fundamentals 4

5 Determining Level of Governance RDC How do you determine appropriate level of governance, oversight, and management of RDC? Size and complexity of institution; and Relative scale and impact of RDC overall activities RDC fundamentals include, but are not limited to. Understand ROI Audits Board, Committees of Board, Senior Management Risk Assessments, Policies, Procedures, Controls RDC Strategic Plan Disaster Recovery /Business Continuity Organizational Charts Job Descriptions Information Security/Fraud Institution Customer Site Third-party TP Training/Education Staff & Customers Vendor Management Contracts /Agreements Customers & Third-parties 5

6 FFIEC IT Handbook Retail Payment Systems Tier II Customer Due Diligence and Suitability Be Ready to Discuss with Examiner Institution s customer due diligence and suitability process All customer deposit delivery systems Staff involved in process: Staff who conducts due diligence Staff who has approval authority 6

7 Be Ready to Discuss with Examiner Decision criteria considered in the process to qualify customer: How the financial institution risk rates existing customers: On recurring basis How customer is qualified The customer information institution reviews, such as: Customer application Financial analysis Years in business (for business customers) Be Ready to Discuss with Examiner Decision criteria considered in the process to qualify customer.continued: Loan/deposit history Credit score Business practices Sufficiency of staff Compliance with PCI standards (when appropriate) Publicly available reports for customer that are companies (e.g. Dunn & Bradstreet) Visa/MasterCard terminated merchant file or ChexSystems reports, when appropriate for customer 7

8 Be Ready to Discuss with Examiner Decision criteria considered in the process to qualify customer: Procedures that address customer identification, pursuant to BSA/AML manual Procedures to address foreign correspondent relationships and international cash letter pouch activity pursuant to BSA/AML manual (when appropriate) OFAC and U S Patriot considerations, also Process and criteria to evaluate RDC customer s information security infrastructure and risk management processes RDC Deposit Delivery Systems Customer Due Diligence & Suitability Due diligence suitability may differ depending on deposit delivery system! Mobile Capture (Consumer) Consumer (home setting) Due Diligence & Suitability Merchant/Business/ Corporate Capture Mobile Capture (Business) Establish written P&P, business processes for due diligence & suitability for each! 8

9 RDC Business Application Example Reasons to Develop an Application Reasons include, but are not limited to: Supports established policy, procedures, and controls of the financial institution Supports fact finding criteria as established in the underwriting policy (e. g. institution s focus customer, maybe a auto decline customer, etc.) Considered as part of the customer s due diligence suitability process to mitigate the institution s risk to include fraud, money laundering, and information security Standardizes the application process throughout the institution and supports compliance Establishes a basis to set RDC limits for deposits and level of monitoring, etc. 9

10 Title & Purpose of Application What should we call the Remote Deposit Capture Application? Should we call it Remote Deposit Capture Application? Should we call it Cash Management Services Application? It depends on the specific product/services questions on the application: RDC check image; RDC ACH Check Conversion; ACH Origination payroll, etc. Title & Purpose of Application - continued. Reasons to consider one multi purpose application: Basic questions and information needed is the same to evaluate the customer Streamlines application process for multiple services/products Standardizes the application process which supports P&P and underwriting guidelines Less training and instruction needed for staff: One application to learn and understand! 10

11 Who Should Take the Application & Why? Should it be Assigned to Treasury Management Department Personnel, Deposit OPS Personnel, or the RDC Services Coordinator, if you have these assigned departments or coordinators? Assigned to New Business Development Personnel, Branch Managers, or Lenders? Is your institution large or small? This will determine who your management assigns the application responsibility Do you have one location or multiple locations? If you have. One location, you may assign it to anyone of the departments or personnel above Multiple locations, you may be better served to assign the application process to New Business Development Reps, Branch and Assistant Branch Managers, or Lenders Who Should Take the Application & Why? - continued. Is there a hard fast answer, best practice, or right wrong way to assign out the application responsibility? Not really! Assign the appropriate personnel to coordinate with your financial institution s size and structure. In essence, what works best for your institution and operating environment. Why should the institution be selective when assigning the application responsibility? Staff member may not understand the purpose or be able to explain to the customer why certain questions are on the application..so it is strongly encouraged that you: Train your assigned staff on the application content, required attachments, and process. 11

12 Information and Its Importance on the Application Basic application content may include, but is not limited to: Business name and d/b/a, if applicable, address, tax I.D. Nature of the legal business and services (domestic, international) How many locations? Where located? Annual sales/revenue Date established Type of ownership (e. g. proprietorship, LLC, corporation) Bankruptcy or charge off information Information and Its Importance continued. Remote Deposit Capture information requested might include: Types of checks taken for deposit: (Business, Personal, Money Orders, Cashiers Checks, third party checks, Travelers Cheques, RCC, domestic and/or foreign checks, other) # of scanners, speed of scanners, geographic location of scanners Highest single deposit dollar amount Highest daily deposit dollar amount Highest number of checks in a single deposit Highest dollar amount of a single check in a deposit Highest number of checks deposited each day Highest number of deposits made each day Highest number of checks deposited each month Highest number of deposited items returned (e.g. in last 3, 6, or 12 months) Highest number of chargebacks; (e. g. in last 3, 6, or 12 months) Highest dollar amount of chargebacks; (e. g. in last 3, 6, or 12 months) Note: The above criteria is for example purposes. 12

13 Information and Its Importance - continued... Information may include, but is not limited to: References from other financial institutions, the customer is, or has done business with (e.g. inquire if they have RDC elsewhere, do they have cash management services elsewhere (ACH Payroll, etc.) Ask, Have they ever been declined or terminated for these services? Vendor credit reference(s) Principal(s) of company s information (e.g. name, address, driver s licenses, state, expiration date of licenses, ss #, other acceptable I.D., home/cell phone, place and date of birth, (percentage of ownership, if applicable)) Documentation to accompany application (e.g. organizational documentation, business filing certificates, signed Federal income tax statements or financial statement, personal financial statements, W 2s, bank statements, current resolution, etc.) Information and Its Importance - continued... Information may include, but is not limited to: Credit reports on principals Dunn & Bradstreet report on business, if available Note: Remember, Bank Secrecy Act, OFAC, and U S Patriot Act. This should have been addressed during depository account opening process! Remember, ongoing monitoring! 13

14 Compliance & Legal Review of Application Before using any application or during development of an application have: Legal review Compliance review Note: This presentation may not include all requirements; it supports the due diligence customer suitability process, but may need to be expanded modified, if your institution is setting up higher risk BSA customers (e.g. foreign correspondence, foreign money services business, third party senders, certain mail order companies, etc.). Also, consider customer may be higher risk for other reasons (e.g. high $ and unit volumes, creditworthiness, lack of controls information security fraud controls, etc.) Site Visits and Customers Self Assessments Examples and Considerations 14

15 Are Site Visits and/or Customers Self Assessments Based on Risk? Should be, pursuant the FIL Risk Management of Remote Deposit Capture which refers to other FFIEC Booklets: (e.g. BSA, Information Security, Retail Payment Systems, etc.) Why site visits and/or customers self assessments? Mitigates fraud, money laundering, and information security risk issues customer s site RDC at customer s site may present more risk and complexity (e.g. customer s business premises) RDC capture process is outside the direct control of the institution Consider..establishing risk rating levels.low, medium, high; establish target customers; and you may establish auto decline customers higher risk customers RDC Site Visit/Customers Self Assessment Your institution s established policies, procedures, controls and business processes provide guidance to your staff: Some institution's may do site visits initially, annually, and more often as situations may occur on all customers; may not be practical for consumer capture, mobile capture; and Other institution s establish initial site visits and frequency based on predetermined low, medium, or high risk customers and types of companies and industries Institution s may incorporate Customers Self Assessments in program When the level of risk warrants, institution s staff should consider visiting the customer s physical location as part of the suitability review. During these visits, the customer s operational controls and risk management processes should be evaluated 15

16 Example 1 Establishing Risk Level Options How will we establish risk rating levels for entities and customers? Consider using two rating systems (BSA Risk Rating and a RDC Risk Rating) BSA Risk Rating : Establish low, moderate, moderate to high, highest risk rating system; or you could do low, moderate, high risk rating Criteria may come from BSA/CIP Program when account is established. (The risk rating may change after the account is opened based on customer s activities.) AND: RDC Risk Rating: Establish low, moderate, moderate to high, highest risk; or you could do low, moderate, high risk rating Use both of these ratings to establish when an initial site visit and subsequent site visits annually and periodically are done Example 2 Establishing Risk Level Options How will we establish risk rating levels for entities and customers? Consider establishing one risk rating system that incorporates BSA/CIP criteria and other criteria such as RDC $ volumes, # of items, creditworthiness, etc. Call it the RDC Risk Rating System: Establish low, moderate, moderate to high, highest risk rating system; or you could do low, moderate, high risk rating Criteria may come BSA/CIP program when account is established and other criteria obtained on the customer during the RDC Application process (customer suitability) or during the annual or periodic evaluation analysis Based on the RDC Risk Rating decide on: Initial Site Visit Annual Site Visits Periodic Site Visits Also consider Customer s Self Assessments 16

17 Site Visits Customers Self Assessments Once risk rating system levels and criteria are established: Establish guidelines for Site Visits Establish guidelines, if institution will be using Customer s Self Assessments Incorporate into RDC Program Policy and Procedures Submit to the board for approval Consider this verbiage in contract: (e.g. Financial institution reserves the right to do Audits and Site Visits and the customer agrees to periodically fill out Customer s Self Assessments pursuant to the institution s timelines and due dates, if requested.) A Few Reasons for Site Visits and/or Customers Self Assessments Establishes customer s line of business as stated on the RDC Application coordinates with storefront or place of operation Mitigates fraud and money laundering risks Ability to review/monitor: Safeguard of non public information: Properly store and secure checks Security of equipment/systems, information security Various aspects of customer s IT System (e.g. virus protection, fire wall turned on, patch management) Sufficient management and internal controls Proper staffing and trained backup staff for processing Enough staff to effectively segregate responsibilities Tool(s) to monitor customer s responsibilities as outlined in contract 17

18 Mobile Deposit Capture (MDC) Mobile Deposit Capture Is Mobile Deposit Capture. A deposit delivery system? Remote deposit capture? A retail payment system? Electronic banking? YES, TO ALL! 18

19 Mobile Deposit Capture What is the risk management process? Identify / assess; Measure; Monitor/manage; and Control risks Does risk management process in FFIEC guidance apply to all deposit delivery systems including Mobile Deposit Capture? Yes Should we read FFIEC guidance with our team and discuss what is practical for Merchant Capture vs Mobile Deposit Capture? Wouldn t that be the most logical thing to do? Mobile Deposit Capture Will all institutions establish the same customer due diligence and suitability processes? No.Why. examples? Risk tolerances, strategic business goals, and philosophies differ between institutions Level of risk and type of focus customers may differ Will Mobile Deposit Capture and your Merchant Capture customer due diligence and suitability processes be different? Yes because your deposit delivery systems are different and your risks are different? Dollar and number of items volume, technologies differ, consumer and/or business customers, RDC Application content, BSA risk, etc. 19

20 Mobile Deposit Capture Should we consider site visits and/or customer selfassessments? Consider when doing your Mobile Deposit Capture risk assessment! Ask.does risk warrant it? What best practices are being established in industry? Would site visits be practical for MDC? Would customer self assessments be practical or necessary for MDC? Mobile Deposit Capture If we offer MDC to all customers in good standing, will we have the same daily and monthly maximum deposit limits? Once management establishes put in RDC Risk Management Policy Establish what good standing means its criteria Establish due diligence and suitability program for consumer and business, as applicable If your policy states you may make exceptions be specific on your established due diligence and suitability alternate processes Also, state whether you will provide MDC to high risk BSA customers Where can I find information on RDC customer due diligence and suitability? FIL letter Risk Management of Remote Deposit Capture FFIEC IT Handbook, Retail Payment Systems, including Appendix A, Examiners Evaluation Questions 20

21 Mobile Deposit Capture During risk assessment of deposit delivery system, should we consider including. Evaluating, identifying and assessing. System features; Attributes; Functions; Ability to provide efficient customer support; Business processes; Security features and controls; and Procedures for system s backup Yes we should consider! Mobile Deposit Capture Should we incorporate Mobile Deposit Capture in RDC Strategic Plan? Yes Should we consider a RDC Audit Plan? Yes Should we consider Vendor Management P&P to include: Risk assessment; and Performing due diligence? Yes.refer to Outsourcing Technology Services FFIEC IT Handbook 21

22 Mobile Deposit Capture Should we consider business continuity and information security? Yes Will we do annual reviews on MDC? Are annual reviews necessary for MDC? Since Mobile Deposit Capture is typically lower maximum $ volumes and low number of items, will you consider it low risk in these categories? What best practices are being established in industry? Will your risk tolerance be lower or higher than other institutions? Will you set up low, medium, and high risk BSA customers on MDC? Mobile Deposit Capture Other considerations may include, but are not limited to: Establishing RDC policies, procedures, controls, and business processes Hiring capable staff (manage program and take customer service calls) Updating job descriptions and organizational chart Updating network diagram and topography of clearing/settlement/system flow Developing customer service contacts, do proper training Training all staff benefits Mobile Deposit Capture product/service Developing application and approval process (MDC consumer and/or business) Establishing target customers, maximum limits (MDC consumer and/or business) Balancing procedures, customer maintenance, changing limits Image review process and other backroom processes Exception and security reports Training and educating staff and customers (verbal and/or written training) Approvals and reporting to board or committee of board Understanding ROI 22

23 Mobile Deposit Capture Other considerations may include, but are not limited to: Obtain appropriate agreements, recommend attorney review For guidance when preparing the contract: Refer to FFIEC IT Handbook, Retail Payment Systems, Appendix A, Tier II, on RDC contract for information Tell your customer if you are reviewing item to determine it is eligible for processing.you should. Establish procedures backroom review/processing Understand your RDC system attributes and train your staff Will you provide same day credit? Will you provide next business day availability? Will you review item(s) so decide on holds? Will you allow the deposit of third party checks? If so, will you review item for proper endorsement? Mobile Deposit Capture Other considerations may include, but are not limited to: Should you inform customer on: Required hardware and how to sign up? Fees or possible future fees? Maximum daily item and/or $ limit, monthly maximum limit? What items cannot be deposited through mobile capture? E.g. Foreign checks, checks drawn on line of credit, credit card checks, RCC, thirdparty payee What exception items include? MICR data that is not machine readable, previously processed item, drawn on bank outside US NOT payable through US bank A confirmation message will be sent to them when received? How they will receive message, if item is rejected? When they should commercially destroy item? How should they secure item? 23

24 Mobile Deposit Capture Considerations include, but are not limited to: Should you inform customer on: Their responsibility to protect the hardware and their security credentials? How to protect their system? (e.g. updating operating system, virus protection, password protect device, do not share authentication credentials) Authorized items should be payable to them and endorsed by them? The bank s cut off time for a business day? When funds are available? Who they contact and contact information for customer service? How the institution may terminate service? Do you reserve the right to audit? Could this be customer self assessments? Documents requested by the institution? Note: Determine your process! Outline of RDC Examination Findings 24

25 RDC Examination Findings In 2012 these were the top five examination findings: Lack of or inappropriate deposit and individual item limits Lack of or weak monitoring practices Lack of MIS (Management Information Systems) reporting Lack of risk assessment No customer site visitations or any other form of verification of the proper storage and destruction of checks Top examination finding in 2013: Establishing appropriate limits; and Monitoring limits.still challenge in some institutions No major issues being found Conclusion Understand laws, regulations, circulars, and guidance including BSA Meet with your team/stakeholders to discuss: Risk management program including risk assessments Examiner s questions in Retail Payment Systems IT Handbook Determine guidance and what is practical for type of deposit delivery system Write policies, procedures, and establish controls/business processes Strongly recommend contracts/agreements prepared or reviewed by attorney Develop due diligence process and suitability for each appropriate deposit delivery system Research best practices being established in industry for mobile capture Don t forget periodic reports to board and approvals! 25

26 Questions? Carolyn C. Dowdy, Managing Member (770) Resources FFIEC IT Handbooks FFIEC IT Handbook Retail Payment Systems BSA/AML Examination Handbook FIL Risk Management of Remote Deposit Capture Remotedepositstore.com (examples and ideas for consideration) Southeast Region Examiner(Top Five Findings 2012, 2013) _005.htm 26

27 FFIEC IT Handbook Retail Payment Systems booklets/retail payment systems.aspx FFIEC IT Handbooks to include ebanking and the BSA/AML Infobase ACH Rules Educational Resources FIL Institution Letter Risk Management of Remote Deposit Capture Supplement to Authentication in an Internet Banking Environment ITS Final% %20(FFIEC%20Formated).pdf Stay abreast of FIL letters and other resources, as applicable! Carolyn Dowdy TTS Mark Bennett Thank You! Upcoming Webinars March 6 th Safe Deposit Box Employee Compliance Certification Program March 7 th Virtual Cash, Virtual Wallets and Virtual Branches: The New BSA Frontier March 10 th For Sales People: Cross Selling and Building Advocates March 11 th Fair Lending for the Frontline March 12 th Power of Attorney & Living Trust Documents March 13 th Safe Deposit Box Employee Compliance Certification Program (Part 2) March 19 th The CFPB Ruling on UDAAP & Collecting Past Due Accounts March 20 th Safe Deposit Box Employee Compliance Certification Program (Part 3) March 20 th You're the New Supervisor! March 25 th UCC: What You Need to Know About the Amendments 27