Merchant RDC: Capturing the Risks and Getting with the Program

Transcription

1 Merchant RDC: Capturing the Risks and Getting with the Program Tony DaSilva, AAP, CISA, Senior Examiner Federal Reserve Bank and Terri Pelle Sands, AAP, Managing Director Payments Information Circle

2 Financial Institutions and RDC Guidance How FIs Are Complying With the Guidance: Risk Assessments Risk Mitigation and Control Measuring and Monitoring Remaining Challenges Trends and Findings Agenda 2

3 Remote Deposit Capture & Presentment Options Checks Direct Presentment of Image or Printed Substitute Check Paying Bank Depository Bank Image or ACH Transmitted to Correspondent, FRB or Exchange Network Scanner at Corporate Customer Paying Bank Presentment of Image or Printed Substitute Check or ACH Item Paying Bank 3

4 Risk Assessment

5 Risk Assessment FFIEC Guidance: Risk assessments should be conducted prior to implementing RDC and identify and assess the legal, compliance, reputation, and operational risks associated with the new system and should involve senior management 5

6 Risk Assessment Financial institutions are doing the following: Going back and creating a RDC risk assessment as cited within the FFIEC Guidance Requesting more involvement from applicable areas Requiring senior management to take a more active role in ensuring a risk assessment is performed 6

7 Risk Assessment Financial institutions are doing the following: Realizing there is more to the risk assessment than just the technical aspects (operational, legal and compliance, reputational, customer suitability) Identifying higher risk business customers (i.e. type of deposits, additional accounts linked to one scanner, types of customers, etc.) 7

8 Risk Mitigation and Control

9 Risk Mitigation and Control FFIEC Guidance: The risks associated with RDC should be able to be managed and monitored and on an ongoing basis Documented procedures and policies in place Risk tolerance levels set Well managed contracts 9 9

10 Risk Mitigation and Control Financial institutions are doing the following: Focusing more on the physical access controls over RDC systems Creating procedures to ensure original deposited items are at customer physical location Developing procedures surrounding nonpublic information (transmission, retention, destruction) 10

11 Risk Mitigation and Control Financial institutions are doing the following: Realizing the importance of initial and ongoing training at customer site Developing sample procedures for the customers to ensure there is risk mitigation and control procedures at customer site 11

12 Risk Mitigation and Control Financial institutions are doing the following: Beginning to tie the credit side to the operations and technology side in terms of bank wide risks Setting limits on each customer and developing financial reports for senior management More of a focus on the overall customer relationship and ways money can move (i.e. ACH, Wires, RDC, etc.) 12 12

13 Risk Mitigation and Control Financial Institutions are doing the following: Compliance/Information Security Officers are understanding the importance of enforcing the BSA/AML program to the RDC delivery system Going back and reviewing vendor management due diligence and re documenting or creating a new vendor management program Reviewing and sometimes re documenting business continuity plans 13

14 Risk Mitigation and Control Financial Institutions are doing the following: Developing training programs for cash management representatives to be more consistent and risk focused Training front line staff to be aware of receiving current RDC customers in person deposits Redoing their existing agreements to match current process (i.e. adding agreements or verbiage on multiple accounts, adding certain items listed in the FFIEC Guidance) 14

15 Risk Mitigation and Control Financial Institutions are doing the following: Redoing their existing agreements to match current process (i.e. adding agreements or verbiage on multiple accounts, adding certain items listed in the FFIEC Guidance) Training staff on agreements to ensure thorough communication of this agreement is presented to customer 15

16 Risk Measuring and Monitoring

17 Risk Measuring and Monitoring FFIEC Guidance: Financial institutions should measure and monitor its performance, customer performance, have operational metrics in place and perform periodic reviews and risk assessments 17 17

18 Risk Measuring and Monitoring Financial Institutions are doing the following: Getting a better understanding of their risk management reports and monitoring these reports daily Duplicate entries / violation of deposit thresholds Velocity Reject, corrections, and CAR/LAR adjustments 18

19 Risk Measuring and Monitoring Financial Institutions are doing the following: Documenting information on each depositor, type of receivables, company information and placing in customer file for periodic reviews Creating monthly reports for distribution to compliance and senior management on deposits received via RDC delivery system, spikes in activity, problem issues and resolution Development of audit review procedures and creation of quarterly status reports to board of directors 19

20 Remaining Challenges

21 Remaining Challenges Agreements not matching actual RDC function (i.e. business accounts having consumer account linked) Absence of risk assessment or lack of complete information in the risk assessment Little to no involvement from compliance department Absence of fraud control (i.e. no teller alerts placed for inperson RDC deposits) 21 21

22 Remaining Challenges Absence of access review (one person with super user credentials overseeing access) Absence of customer suitability procedures (credit side still not seeing RDC as a credit like risk) Absence of cross channel risk mitigation (no opportunity to catch kiting across multiple payment channels within own financial institution) Using NSF/uncollected as sole fraud detection system 22

23 A Regulatory Perspective RDC Guidance Retail Payments Examination Procedures What Regulators are Finding 23

24 Remote Deposit Capture Guidance Released January 2009 A Regulatory Perspective What it Covers? Merchant Remote Deposit Mobile Remote Deposit ATM Remote Deposit What it Doesn t Cover? Consumer Remote Deposit 24

25 Types of Remote Deposit Capture Merchant Remote Deposit Mobile Remote Deposit ATM Remote Deposit Consumer Remote Deposit 25

26 Top Findings 1) Inadequate or inappropriate Limits or No Limits 2) Lack of Monitoring 3) Lack of Adequate MIS and Reporting 4) Lack of Senior Management & Board Oversight 5) Inappropriate Approval Process (separation of duties) Regulatory Concerns 1) Complacency 2) Lack of Audit Coverage 3) Service Becoming a Commodity Merchant Remote Deposit 26

27 Top Findings Mobile Remote Deposit 1) Community Banks Feeling the Pressure to Offer 2) Lack of Sophistication in Monitoring Regulatory Concerns 1) Technology and Resources to Adequately Mitigate Risks 2) Potential for an Increase in Operational Losses 3) Potential for an Increase in Fraud Losses 27

28 Top Findings Consumer Remote Deposit 1) Some Community Banks Beginning to Offer the Service (Home based businesses, High Wealth Customers, Out of Footprint Customers) 2) Some Banks Feeling the Pressure to Offer, but Reluctant Regulatory Concerns 1) Technology and Resources to Adequately Mitigate Risks 2) Potential for an Increase in Losses 28

29 RDC Regulatory Examinations Retail Payments Examination Procedures Published February 2010 How is this different than the original RDC Guidance? What Does the Examination Procedures Cover? 29

30 RDC Regulatory Examinations What are Regulators Focused on Now? How do Financial Institutions Prepare for an RDC Exam? 30

31 Thank you for your participation! Tony DaSilva, AAP, CISA Federal Reserve Bank of Atlanta Supervision and Regulation Terri Sands, AAP, Managing Director Payments Information Circle 31