RDC Risk Management & FFIEC Compliance

Transcription

1 RDC Risk Management Presented By: John Leekley, Founder & CEO Ed McLaughlin, Executive Director RemoteDepositCapture.com & Hope Schall, Attorney, Vedder Price P.C. This webinar is sponsored by: February 2009

2 A Unique Perspective RemoteDepositCapture.com is an independent information & services resource for the Payments Industry. We are NOT a reseller, solution provider, etc. We ARE experts in, and an open resource for the industry. We work with the vast majority of leading solution providers, FIs, processors. Thousands of FIs, corporations, businesses and consumers visit the site each month. We were directly involved in the formulation of the guidance and training of hundreds of auditors. Services News & Research RDC Marketplace Solution Provider Directories RDC Overviews White Paper Central FREE Webinars, and more. Contacts: John.Leekley@RemoteDepositCapture.com Ed.McLaughlin@RemoteDepositCapture.com Copyright 2009, Remote Deposit Capture, LLC 2

3 Today s webinar is brought to you by Fiserv Source Capture Optimization TM enables a common web platform for remote deposit capture at the Consumer, Merchant, Branch, Teller and ATM. Ranked #1 Branch and Teller Capture Solution in the industry (AITE, Dec 2008) Visit to learn more. call (800) victoria.lant@fiserv.com Digital Check is a leading technology provider of low-cost check scanners for the distributed capture marketplace. Delivering reliable performance with superior MICR and image quality, the TellerScan and award-winning CheXpress models TS215 TS230, TS4120, and CX30 are specifically designed to meet the needs of today s branch and RDC users. To learn more about Digital Check, the Secure Choice in Distributed Capture, please visit or call Copyright 2009, Remote Deposit Capture, LLC 3

4 Agenda Introduction to the FFIEC Guidance RDC Risk Overview Legal Agreements Strategic Approaches to Risk Management & Compliance Technology Operations Information Security Vendors, Customers & Personnel Risk Measurement, Monitoring & Reporting Mitigation & Control Please see our Best Practices in RDC Risk Management Webinar for implementable RDC risk management tactics. Legal Disclaimer: This is not legal advice. RemoteDepositCapture.com is reporting on observations and experiences while working directly with dozens of solution providers, financial institutions and the various regulatory agencies. For legal advice / guidance, please work with a competent and qualified legal representative. Copyright 2009, Remote Deposit Capture, LLC 4

5 Introduction FFIEC RDC Risk Management Guidance released January 14, 2009 Elements of an RDC risk management process in an electronic environment, Focusing on RDC deployed at a customer location. Principles of RDC risk management discussed are also applicable to FI s Internal deployment Branch, Cash Vault Other forms of electronic deposit delivery systems (e.g., mobile banking and automated clearing house [ACH] check conversions). Click Here to Download the FFIEC Guidance Click Here to View our Webinar: Best Practices in RDC Risk Management Copyright 2009, Remote Deposit Capture, LLC 5

6 RDC is a Payments Platform RDC Applies to a family of related products & services most often differentiated by location of check capture. Consumer RDC: - Already here with 75,000+ Users! Remote Deposit Capture Corporate Merchant Consumer Teller Branch Lockbox ATM Correspondent The term Remote Deposit Capture refers to the process of electronically capturing check images and data, transmitting that information for deposit and clearing, and truncating the original paper checks. This definition is evolving to include additional payment types, including card payments. RDC is becoming an integrated technology platform increasingly used to process different types of payments and data with the ability to feed that data to systems both internal and external to the organization. Copyright 2009, Remote Deposit Capture, LLC 6

7 Three Pillars of the FFIEC Guidance Responsibility Senior Management Board Risks Internal External Process Mitigation Planning Assessment Mitigate Measure Report Monitor Responsibility Risks Mitigation Copyright 2009, Remote Deposit Capture, LLC 7

8 FFIEC - Risks With RDC Legal/Contractual Agreements Customer Selection Risk begins here Customer Audit Access Vendor Selection & Risk Management Implementation Physical & Logical Security Monitoring & Thresholds Duplicate Detection Privacy of Non Public Information Business Continuity & System Failure Copyright 2009, Remote Deposit Capture, LLC 8

9 Risk Management of Remote Deposit Capture RDC is a new delivery system and not simply a new service. It is necessary to identify and assess the following: Risks legal, compliance, reputation, and operational Business Objectives & Capabilities Insure RDC is compatible with institution s business: Strategies ROI Ability to manage the risks inherent in RDC. Incorporate RDC Risk assessments into existing risk assessment processes Copyright 2009, Remote Deposit Capture, LLC 9

10 Risk Management Processes & Responsibilities Establish a Risk Framework Planning, Risk identification and assessment, Controls, Measuring and Monitoring Determine appropriate level of governance, oversight, and risk management Size and complexity of the financial institution, Relative scale and impact of RDC to overall activities Management must: Approve plans, policies, and significant expenditures, Review periodic performance and risk management reports on implementation and ongoing operation and services. Management is responsible for the RDC system Risk Activities Legal Compliance Planning Risk Assessment Risk Identification Controls Measure Monitor Report Risk Discipline Reputation RDC Risk Framework Operational Technology Customer Internal 3 rd Party Risk Granularity Copyright 2009, Remote Deposit Capture, LLC 10

11 Hope Schall - Biography Ms. Schall is an attorney at Vedder Price P.C. in Chicago, Illinois. The Financial Institutions Group at Vedder Price represents financial institutions and financial service providers of all sizes throughout the U.S. Ms. Schall concentrates her practice on a wide range of bank and thriftrelated matters, including regulatory and payment issues, mergers and acquisitions and the development of new financial products. Prior to joining Vedder Price, Ms. Schall served as an attorney for the Federal Reserve Bank of Chicago, where her responsibilities included advising the Reserve Bank on banking supervisory and regulatory issues and payments and financial services issues, including matters involving FedLine Services, Fedwire, FedACH and various check services. Ms. Schall is a frequent speaker at banking and payment conferences across the country. She holds an LL.M. degree in Financial Services Law from Chicago Kent College of law, a J.D. degree from DePaul University.

12 Legal Risk Overview Anti-Money Laundering & Bank Secrecy Act issues Applicable law, rules and agreements Agreements between banks and their service providers Agreements between banks and their customers

13 Contracts & Agreements Bank s engaging in RDC should have strong, well-constructed contracts and customer agreements. Legal counsel should help develop agreements. Agreements should include various provisions set forth in the guidance. Guidance requires actions that can only be accomplished via an agreement. Copyright 2009, Remote Deposit Capture, LLC 13

14 Top 5 Requirements 1. Roles and responsibilities 2. Governing laws, regulations and rules 3. Allocation of liability 4. Termination 5. Handling and record retention procedures Copyright 2009, Remote Deposit Capture, LLC 14

15 1. Roles and Responsibilities Contract should be tailored to the service. Describe the service that is being provided. E.g., Who is the customer? Is ACH processing involved? Where does imaging occur? Describe the items to be processed. Describe limitations. Address responsibility for equipment and software. Address responsibility for security. Copyright 2009, Remote Deposit Capture, LLC 15

16 2. Governing Law There is no law that governs the processing of check images. Paper check processing without an agreement is governed by the UCC default provisions. Banks need agreements to set forth the law and provisions they want to apply to the processing of check images. Copyright 2009, Remote Deposit Capture, LLC 16

17 Make check law apply. 2. Governing Law E.g., UCC Articles 3 & 4, Regulation CC, Clearinghouse Rules, Federal Reserve Operating Circulars, etc. Address gaps in the law. E.g., image format, image quality, returned items, duplicate items, etc. Push back warranties, liabilities and risks. E.g., bank of first deposit warranties, Check 21 Act warranties and indemnities Copyright 2009, Remote Deposit Capture, LLC 17

18 3. Allocation of Liability Only responsible for performing the services set forth in the agreement. Only liable for actual damages. Except as otherwise required by law, liable up to a certain limit. Copyright 2009, Remote Deposit Capture, LLC 18

19 4. Termination Customer may terminate with prior notice and Bank may terminate immediately. Termination does not affect transactions in process. Retain ability to obtain funds from other customer accounts. Customer should have contingency procedures in place. Copyright 2009, Remote Deposit Capture, LLC 19

20 5. Handling and Record Retention Big issue for examiners. Must require that the customer securely store and destroy original checks. Copyright 2009, Remote Deposit Capture, LLC 20

21 Additional Provisions Warranties, indemnification and dispute resolution Types of items that may be transmitted Documents RDC customers must provide to facilitate investigations or resolve disputes Processes and procedures that customer must follow Periodic audits of the RDC process, including IT infrastructure Performance standards for the financial institution and customer Funds availability, collateral and collected funds requirements Authority of the financial institution to mandate internal controls, customer s location, audit of operations or request additional information

22 RDC Risk Assessment Should Identify Risks to the security and confidentiality of nonpublic personal information Changes in: Technology Sensitivity of customer information Internal or external threats to information Business arrangements. Risks associated with location may vary based on: In house deployment Type of Business Remote locations Business or Home (Consumer) Domestic or International Difference depending on clearing items under either or both: Check 21 ACH Copyright 2009, Remote Deposit Capture, LLC 22

23 RDC Has Impacts Throughout The Organization Financial Institution Systems Impacted DDA, Float, Billing, Client Information Files, ACH, Returns, etc. Operations Impacted Check Processing, ACH, Research, Proof, etc. Business Continuity Business Divisions Impacted Sales, Support, Product Management, Risk, and more Financials Impacted Fee Income Float Deposit Balances, Capital Base, Liquidity, Loans Products Impacted: DDA, Deposits, ACH, Online Banking, and more. RDC requires an organization-wide collaborative effort Deposit Products Product Management should lead. TECHNOLOGY TREASURY DDA ACH RISK SECURITY OPERATIONS Copyright 2009, Remote Deposit Capture, LLC 23

24 Which Resources are Required? Remote Deposit Capture Implementation Stakeholders Area Senior Management Sponsor Project Management Office (PMO) Product Management Cash Management Sales IT Application Development IT Infrastructure/Operations IT Security Audit HR/Training Procurement/Vendor Management Operations (ACH, Day1, Day 2, Lockbox) Risk / Compliance Finance & Treasury 3 rd Parties Deposits are the lifeblood of any financial institution. RDC impacts almost all areas within an FI. Source; Catalyst Consulting, RemoteDepositCapture.com Copyright 2009, Remote Deposit Capture, LLC 24

25 Vendor Due Diligence and Suitability Deployment Options In-House ASP / Hosted View Webinar: Hosted vs. In-House Solutions Service Level Agreements Processing Timeliness, Bandwidth, Uptime Cutoffs, Reviews, Data Entry Help Desk Roles & Responsibilities Security, Accessibility & Reliability SAS 70 Type II Certification Issue Resolution, Reporting Process / System Monitoring & Confirmations Financial institutions that rely on service providers for RDC activities should ensure implementation of sound vendor management processes Copyright 2009, Remote Deposit Capture, LLC 25

26 Vendor Risk Management Selecting the Right Solution Provider Is RDC a Core Capability? Financial Stability Systemic Capabilities Strategic Fit for your organization Operational Risk Management Scalability, Reliability & Processing Bandwidth Online access to real-time reports Parameter-driven systems (item thresholds, etc.) Process & System Monitoring Capabilities Financial institutions that rely on service providers for RDC activities should ensure implementation of sound vendor management processes Copyright 2009, Remote Deposit Capture, LLC 26

27 Business Continuity & Disaster Recovery The financial institution s BCP & DR plans should address: RDC systems and business processes, and the testing activities Contingency plan development and testing should be coordinated with customers using RDC. Copyright 2009, Remote Deposit Capture, LLC 27

28 Operational Risks Identify operational risks Access and Security of systems, Access and storage of original deposit items Location and security of electronic files Security and safekeeping of retained nonpublic personal information Faulty equipment Inadequate procedures Inadequate training Document processing Poor image quality Inaccurate electronic data Therefore, it is important to require customers to implement appropriate document management procedures to ensure the safety and integrity of deposited items from the time of receipt until the time of destruction or other voiding. Copyright 2009, Remote Deposit Capture, LLC 28

29 Authentication & High Risk Transactions Authentication system recommendations: multifactor authentication, layered security, or other controls reasonably calculated to mitigate risks. Elevated or New Risks in an RDC environment. Check alteration & Magnetic Ink Character Recognition (MICR) line Forged or missing endorsements Check security features Physical alteration of a deposited check such as by washing Counterfeit items Duplicate presentment. Customer personnel Access by customers and their staffs to nonpublic personal information. High-risk transactions involve access to customer information or the movement of funds to other parties. The agencies consider transfer of deposit transaction information to represent the movement of funds to other parties. Copyright 2009, Remote Deposit Capture, LLC 29

30 Operational Risks - Lack of Control Guidance Ineffective controls at the customer location lead to: The intentional or unintentional alteration of deposit item information, Resubmission of an electronic file, Re-deposit of physical items. Inadequate separation of duties at customer location can afford an individual: End-to-end access to the RDC process The ability to alter logical and physical information without detection. Control Identify and flag changes made to scanned item or meta data (MICR, CAR/LAR Duplicate file detection Duplicate Item detection Franking, endorsement, audit trail marking Administrative controls that assign, track and report entitlements. E.g. require separate person for account set up and deposit review approval Dual control where appropriate Copyright 2009, Remote Deposit Capture, LLC 30

31 Guidance Internal networks External networks of service providers & customers. IT Security Risks Technology-related operational risks include Failure to maintain compatible and integrated IT systems Multiple release levelsassociated software or hardware Fail to install an update or patch Web application vulnerabilities, Authentication Lack of encryption at any point in the process. Control IT audit controls (existing) Vendor Risk Management (existing) Customer audits and certification Active monitoring of HW & SW inventory Stringent change control procedures IT security audits (existing) Layered authentication (BITS, MFA IT security audit (existing) Copyright 2009, Remote Deposit Capture, LLC 31

32 Examples of Existing Assessment Requirements Interagency Guidelines Establishing Information Security Standards: The Security Guidelines require a financial institution to design an information security program to control the risks identified through its assessment, commensurate with the sensitivity of the information and the complexity and scope of its activities FFIEC IT Examination Handbook: Information Security Booklet: Individual financial institutions and their service providers must maintain effective security programs adequate for their operational complexity. These security programs must have strong board and senior management level support, integration of security activities and controls throughout the organization s business processes, and clear accountability for carrying out security responsibilities Bank Secrecy Act / Anti-Money Laundering Examination Manual: 12 CFR 748 Security Program, Report of Crime and Catastrophic Act and Bank Secrecy Act Compliance Requires federally insured credit unions to maintain security programs and comply with the BSA Copyright 2009, Remote Deposit Capture, LLC 32

33 Goal - Assess Once For Many Copyright 2009, Remote Deposit Capture, LLC 33

34 Risk Management: Mitigation and Controls Management must complete and approve a comprehensive risk assessment before (prior to) implementing an RDC system and show: It can manage the risks associated with RDC Implement appropriate risk management policies It can effectively mitigate, measure, and monitor those risks and establish: Risk tolerance levels, Internal procedures and controls, Risk transfer mechanisms where appropriate and available, Develop well-designed contracts Copyright 2009, Remote Deposit Capture, LLC 34

35 Customer Due Diligence and Suitability Risk Mitigation begins with Customer Selection Establish appropriate risk-based guidelines, e.g. BSA/AML Foreign correspondent accounts are subject to further due diligence New and existing customers, a suitability review should include: Business activities Review of their risk management processes Location Their customer base - Review should be commensurate with the level of risk When the level of risk warrants, visits to the customer s physical location should be included to evaluate the following: Management, operational controls and Risk management practices, Staffing and the need for training and ongoing support, IT infrastructure Review available reports of independent audits When appropriate, risk self-assessments by the RDC customer may be adequate Copyright 2009, Remote Deposit Capture, LLC 35

36 Mitigation and Control Considerations These controls should be designed and implemented to ensure the security and integrity of data Separation of duties or other compensating controls Strong change control processes Deposit items can be endorsed, franked, or otherwise noted as already processed. Insurance coverage may provide a cost effective way to mitigate risk further. Copyright 2009, Remote Deposit Capture, LLC 36

37 Risk Management: Measuring and Monitoring The following elements must be addressed in a Risk Management and Monitoring System: Risk measuring and monitoring systems Internal, Partner and Customer Establish accurate & timely operational performance metrics Set operational benchmarks and standards, Regular reviews of the reports, scheduled periodic reviews and operational risk assessments. Establish Reports to track, monitor and measure: Duplicate entries Violations of deposit thresholds. Velocity metrics, i.e.; file size and number of files, transaction dollar value and volume, and return item dollar value and volume Reject items and corrections,. Reports should address point-in-time activities as well as trends for individual and/or groups of customers with similar characteristics, and for the RDC product as a whole Report content should be structured to meet the needs of the various levels of management. Copyright 2009, Remote Deposit Capture, LLC 37

38 Risk Management Process A Planning and Mitigation Life Cycle Risk Planning Identify Risks Items and Categories Assign Risk Levels Assess Risk Customer Selection Business, Tenure, Transaction History, Balances, Availability Legal Requirements Operations IT, Networking, Vendor Security Data, Identity, Network Mitigation Plans Controls Policies People Processes Technology Measure Results Establish Schedule, Standards and Measurement Criteria Automate as many as possible Establish a red, yellow and green system to identify risk exposure Audit Internal, external and customer Monitor Policy Operations Security Procedures Report Frequency of Reports Frequency of Reviews Copyright 2009, Remote Deposit Capture, LLC 38

39 Risk Reporting & Monitoring Establish Policies and procedures for RDC that include metrics for reporting and risk tolerances for accounts: Account rules and limits Account Selection Tenure, Transaction history, Balances, Type of Business Deposit limits per day for review and analysis + per week or month Item amount ($) limits Maximum per check Random review of deposits For accuracy Monitoring and review of accounts for, (aka ACH) for duplicates, rejected and returned items Monitor internal processes for separation of responsibilities: administration for password, account setup, account access, deposit review etc. Establish procedures for regular reporting of deposit history and to identify patterns Periodic s or letters to customers to remind them of their responsibilities for: training, security, process, check retention, endorsements, adequate safeguards for storage of checks and account information Include RDC in audit process Copyright 2009, Remote Deposit Capture, LLC 39

40 Risk Reporting and Monitoring Checklist Examples Develop a Risk Audit Checklist Example Written RDC Policies and Procedures Document Legal Agreement need periodic review Account Selection rules and limits Establish thresholds and limits for volume, velocity and value Monitoring and review of accounts for duplicates, rejected and returned items Monitor internal, partner and customer processes: Security and Access Separation of responsibilities Establish procedures for regular reporting Deposit history and to identify patterns Periodic training, s or letters to customers RDC included in audit process (GRC) and customer visits/audit scheduled as necessary Frequency of Audit established Copyright 2009, Remote Deposit Capture, LLC 40

41 Risk Management Key Risks KYC Duplicate Presentment Data Alteration Information Security Paper & Electronic Fraud Detection Image Quality/Integrity Errors Risk Management Insurance Duplicate Detection Data Encryption Information Security Procedures & Technology Legal Liabilities Shifted Standards Evolving Availability Assignment Security Levels / Approvals RDC & Related Technologies can provide better risk management capabilities than were present in a paperbased processing environment. Copyright 2009, Remote Deposit Capture, LLC 41

42 Conclusion A financial institution offering RDC should have: Sound risk management and mitigation systems Require adequate risk management at customer locations. Prior to implementing RDC, and thereafter, management should: Periodically conduct a risk assessment to identify types and levels of risk exposure. Comprehensive contracts and customer agreements should identify clearly the roles, responsibilities, and liabilities. Appropriate technology and process controls at both the financial institution and the customer locations Financial institution management and the customer should implement effective risk measurement and monitoring systems. Insurance coverage should be considered as a risk transfer mechanism. RDC may not be appropriate for all customers or for all financial institutions. The board and senior management are ultimately responsible for safe and sound operations, including RDC products and services. Copyright 2009, Remote Deposit Capture, LLC 42

43 Questions? Copyright 2009, Remote Deposit Capture, LLC 43

44 Thank you to our Sponsors Fiserv Source Capture Optimization TM enables a common web platform for remote deposit capture at the Consumer, Merchant, Branch, Teller and ATM. Ranked #1 Branch and Teller Capture Solution in the industry (AITE, Dec 2008) Visit to learn more call (800) victoria.lant@fiserv.com Copyright 2009, Remote Deposit Capture, LLC 44

45 Thank you to our Sponsors Digital Check is a leading technology provider of low-cost check scanners for the distributed capture marketplace. Delivering reliable performance with superior MICR and image quality, the TellerScan and award-winning CheXpress models TS215 TS230, TS4120, and CX30 are specifically designed to meet the needs of today s branch and RDC users. To learn more about Digital Check, the Secure Choice in Distributed Capture, please visit or call Copyright 2009, Remote Deposit Capture, LLC 45

46 For More Information: Hope Schall Contact Info RemoteDepositCapture.com Additional Resources: Download a pdf of the FFIEC Guidance by clicking here. Download a pdf of RemoteDepositCapture.com s Best Practices in RDC Risk Management presentation by clicking here. Join The Discussion: Best Practices, Examples and More. View the Webinar: Best Practices in RDC Risk Management A Financial Institution Perspective. FFIEC Press Release Website Copyright 2009, Remote Deposit Capture, LLC 46