Nebraska Bankers Association

REMOTE DEPOSIT CAPTURE – RISK MANAGEMENT

I. INTRODUCTION

A new set of guidelines provides bankers with a better idea of how regulators will evaluate their use of remote check-image capture services.  The Federal Financial Institutions Examination Council’s (FFIEC) guidelines warn that banks should treat remote capture not simply as a service but as a new delivery system requiring top-level oversight.

The guidance gives lengthy lists of issues that banks should consider when drafting the legal agreements covering their remote capture services and assessing their operational risks.  It also puts some emphasis on the more complex issues that some institutions may face, such as the use of least-cost routing systems to determine whether to clear a check as an image or convert it to an ACH transaction and working with cross-border customers who may be outside U.S. legal jurisdiction.

The guidance took effect upon its issuance on January 14, 2009, for all examinations and may require that institutions train not only their own employees but also the customers to whom they offer the service.

II. BACKGROUND

Remote Deposit Capture (RDC), a deposit transaction delivery system, allows a financial institution to receive digital information from deposit documents captured at remote locations.  These locations may be the financial institution’s branches, ATMs, domestic and foreign correspondents, or locations owned or controlled by commercial or retail customers of the financial institutions.  In substance, RDC is similar to traditional deposit delivery systems at financial institutions; however, it enables customers of financial institutions to deposit items electronically from remote locations.  RDC can decrease processing costs, support new and existing banking products, and improve customers’ access to their deposits; however, it introduces additional risks to those typically inherent in traditional deposit delivery systems.

Under the new Guidance, a financial institution’s approach to managing RDC risk involves several steps.  The first step is to assess the risks posed by that financial institution’s particular implementation of RDC.  The second step is to implement controls designed to mitigate the risks identified in the first step.  The third step is to implement systems to measure and monitor the effectiveness of those controls.

III. RISK MANAGEMENT:  RISK ASSESSMENT

Although deposit taking is not a new activity, RDC should be viewed as a new delivery system and not simply as a new service.  Prior to implementing RDC, senior management should identify and assess the legal, compliance, reputation, and operational risks associated with the new system.  They should ensure that RDC is compatible with the institution’s business strategies and understand the return on investment and management’s ability to manage the risks inherent in RDC.  Management should incorporate their assessments of RDC systems, including products and services, into existing risk assessment processes, such as those for Information Technology and Bank Secrecy/Anti-Money Laundering.

The size and complexity of the financial institution, as well as the relative scale and impact of RDC to overall activities, should determine the appropriate level at which governance, oversight, and risk management of RDC should occur.  Accordingly, the board or management should approve plans, policies, and significant expenditures, and should review periodic performance and risk management reports on the implementation and ongoing operation of RDC systems and services.

A financial institution’s RDC risk assessment should include a determination of the risks to the security and confidentiality of nonpublic personal information consistent with the Interagency Guidelines Establishing Information Security Standards (Guidelines).  Under these Guidelines, financial institutions must adjust their information security programs in light of any relevant changes in technology, the sensitivity of customer information, internal or external threats to information, and their own changing business arrangements.  Therefore, as an institution implements RDC systems, it must consider the information security risks associated with RDC technology and operations.

A. Legal and Compliance Risks

Senior management should identify and assess exposure to legal and compliance risks related to RDC.  For example, if a financial institution accepts a deposit of check images from a customer through the RDC system, legal risk exposures may be related to the controls over the process used for image capture or image exchange and the institution’s arrangements and contracts for clearing and settling checks.  When a financial institution sends the deposited items, in either electronic or paper form, to another institution for collection or presentment, it should consider the risks it takes under the Check Clearing for the 21st Century Act (Check 21 Act), Regulation CC, Regulation J, applicable state laws, or any agreements or clearinghouse rules.

Some RDC systems employ “least cost routing,” which allows items to be transmitted and settled either through the check collection system or as an ACH transaction.  Financial institutions should understand the separate rules and liabilities and consider them in the risk assessment.

The financial institution should evaluate potential risks and regulatory requirements under Bank Secrecy Act laws and regulations when designing and implementing RDC.  The institution should consider whether and to what extent it could be exposed to the risk of money laundering activities, as well as its ability to comply with anti-money laundering laws and regulations and suspicious activity monitoring.  In particular, the growing use of RDC by foreign correspondent financial institutions and foreign money services businesses to replace pouch and certain instrument processing and clearing activities raises money laundering risks the institution should understand and mitigate.  Additional due diligence may be necessary where there is evidence that the RDC capture device is in a foreign location, or when a customer has otherwise been identified as high risk.

B. Operational Risks

Senior management should understand operational risks and ensure that appropriate policies, procedures, and other controls are in place to mitigate them, including physical and logical access controls over RDC systems, original deposit items at customer locations, electronic files, and retained nonpublic personal information.  Management should assess carefully how RDC affects existing risks and mitigating controls.  For example, for the various technological options, management should assess the risks associated with how and where nonpublic personal information is captured, transmitted, retained, and destroyed.  Management should consider the confidentiality, integrity, and availability of data afforded by its IT systems and by the systems used by its service providers and RDC customers.

RDC processes at a customer location expose the financial institution to operational risks from the point of initial capture.  These risks can be unique to each customer’s location, RDC processing technology, and information security systems.  Faulty equipment, inadequate procedures, or inadequate training of customers and their employees can lead to inappropriate document processing, poor image quality, and inaccurate electronic data.  Ineffective controls at the customer location may lead to the intentional or unintentional alteration of deposit item information, resubmission of an electronic file, or re-deposit of physical items.  Inadequate separation of duties at a customer location can give a single individual end-to-end access to the RDC process and the ability to alter logical and physical information without detection.  In the typical RDC process, original deposit items are not submitted to the financial institution but are retained by the customer or the customer’s service provider.  Therefore, it is important for the financial institution to require customers to implement appropriate document management procedures to ensure the safety and integrity of deposited items from the time of receipt until the time of destruction or other voiding.

A financial institution should consider carefully the authentication method appropriate for RDC customers.  As stated in the Interagency Guidance on Authentication in an Internet Banking Environment, the FFIEC agencies consider single-factor authentication, as the only control mechanism, to be inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties.  The agencies consider transfer of deposit transaction information to represent “the movement of funds to other parties.”  Thus, for those RDC systems using the Internet as a communication medium, management should implement multifactor authentication, layered security, or other controls reasonably calculated to mitigate risks.

Risks associated with fraud are not unique to RDC; however, certain aspects of fraud risk are elevated in an RDC environment.  Check alteration, including unwarranted changes to the Magnetic Ink Character Recognition (MICR) line on the image of scanned items, may be more difficult to detect when deposited items are received through RDC and are not inspected by a qualified person.  Similarly, forged or missing endorsements, which may be detected in person, may be less easily detected in an RDC environment.  Certain check security features may be lost, and the physical alteration of a deposited check (such as by “washing” or other alteration techniques) may be obscured in imaging or electronic conversion processes.  Counterfeit items may be similarly difficult to detect.  Duplicate presentment of checks and images at the institution or at another depository institution represents both a business process risk and a fraud risk.  The potential for insider fraud may be greater with RDC because the financial institution typically does not perform background checks on its customers’ employees, who may have access to physical deposit items or electronic files.  Access by customers and their staffs to nonpublic personal information contained on, or represented by, deposit items may also increase the risk of identity theft.

IV. RISK MANAGEMENT:  MITIGATION AND CONTROLS

If a comprehensive risk assessment supports a management conclusion that the risks associated with RDC can be effectively mitigated, measured, and monitored, management should implement appropriate risk management policies.  These policies should establish risk tolerance levels, internal procedures and controls, risk transfer mechanisms where appropriate and available, and well-designed contracts that meet the institution’s risk management needs.

A. Customer Due Diligence and Suitability

A financial institution may determine that risks associated with RDC warrant greater customer selectivity than the risks associated with traditional deposit services and may choose to reduce and control those risks by limiting the availability of this system.  Management should establish appropriate risk-based guidelines to qualify customers for this service.  In general, information gathered while conducting customer identification and customer due diligence procedures in fulfillment of the institution’s BSA/AML program can support the assessment of customer suitability.  Foreign correspondent accounts are subject to due diligence requirements prescribed in regulations issued pursuant to the USA PATRIOT Act amendments to the BSA.

For new and existing customers, a suitability review should involve consideration of the customer’s business activities and risk management processes, geographic location, and customer base.  The depth of such review should be commensurate with the level of risk.

When the level of risk warrants, financial institution staff should include visits to the customer’s physical location as part of the suitability review.  During these visits, the institution should evaluate management, operational controls and risk management practices, staffing and the need for training and ongoing support, and the IT infrastructure.  In addition, the financial institution should review available reports of independent audits performed at the customer location related to IT, RDC, and associated operational processes.  When appropriate, based on risk, financial institutions may choose to rely on self-assessments by their RDC customers when these address the controls and risk management practices that would otherwise be reviewed during on-site visits by financial institution staff.

B. Vendor Due Diligence and Suitability

Financial institutions’ interest in RDC has led to a proliferation of RDC technology service providers and RDC hardware and software suppliers.  Financial institutions that rely on service providers for RDC activities should ensure implementation of sound vendor management processes as described in the Outsourcing Technology Services Booklet of the FFIEC IT Examination Handbook.

C. RDC Training for Customers

Without effective periodic training, RDC customers may have unrealistic expectations of the system or may not understand their roles in managing risks and monitoring for processing errors or unauthorized activity.  Management should ensure that customers receive sufficient training, whether the customer obtains the RDC system from the financial institution or from a third-party servicer.  Sound training should include documentation that addresses routine operations and procedures, including those related to the risk of duplicate presentment and problem resolution.

D. Contracts and Agreements

Strong, well-constructed contracts and customer agreements are critical in mitigating the financial institution’s risks.  The financial institution’s legal counsel should help develop contracts and agreements with other financial institutions that accept checks in the form of electronic files, with third-party service providers, and with customers that participate in the RDC process.  Contracts and agreements should be appropriate for the institution’s specific RDC environment and should clearly identify each party’s roles, responsibilities, and liabilities.  RDC agreements should establish the control requirements identified during the risk assessment process and the consequences of noncompliance.

There are many elements that management should consider when developing customer contracts.  For example, the contracts should cover risks and responsibilities relative to the physical equipment used by the customer in the RDC process.  Specific contract provisions for consideration include:

  • Roles and responsibilities of the parties, including those related to the sale or lease of equipment and software needed for RDC at the customer location;
  • Handling and record retention procedures for the information in RDC, including physical and logical security expectations for access, transmission, storage, and disposal of deposit items containing nonpublic personal information;
  • Types of items that may be transmitted;
  • Processes and procedures that the customer must follow, including those related to image quality;
  • Imaged documents (or original documents, if available) RDC customers must provide to facilitate investigations related to unusual transactions or poor quality transmissions, or to resolve disputes;
  • Periodic audits of the RDC process, including the IT infrastructure;
  • Performance standards for the financial institution and the customer;
  • Allocation of liability, warranties, indemnification, and dispute resolution;
  • Funds availability, collateral and collected funds requirements;
  • Governing laws, regulations, and rules;
  • Authority of the financial institution to mandate specific internal controls at the customer’s locations, audit customer operations, or request additional customer information; and
  • Authority of the financial institution to terminate the RDC relationship.

E. Business Continuity

Senior management should ensure the financial institution’s ability to recover and resume RDC operations to meet customer service requirements when an unexpected disruption occurs.  The financial institution’s business continuity plan should address RDC systems and business processes, and the testing activities should assess whether restoration of systems and processes meets recovery objectives and time frames.  To the extent possible, contingency plan development and testing should be coordinated with customers using RDC.  The Business Continuity Planning Booklet of the FFIEC IT Examination Handbook provides more guidance on the process.

V. RISK MANAGEMENT:  MEASURING AND MONITORING

Financial institutions should develop and implement risk measuring and monitoring systems for effective oversight of RDC activities.  Institutions should ensure that customers using RDC have implemented operational and risk monitoring processes appropriate to their choice of technology.  Management should establish key operational performance metrics that support accurate and timely monitoring of risk within RDC processes.  This information should be used to set operational benchmarks and standards, as well as to develop reports for monitoring results against the standards.  Effective management oversight involves regularly reviewing the reports and periodically conducting reviews and operational risk assessments.  This will help ensure that the monitoring and reporting process accurately reflects current policies and procedures and sound practices.

A variety of reports can facilitate management oversight of RDC operations, customer compliance with agreements or contracts, and instances of anomalous or questionable activity.  Reports on duplicate entries (file and/or item recognition and interception) and violations of deposit thresholds may help monitor for unauthorized activities.
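The duplicate-entry and deposit-threshold reports described above, and the duplicate presentment and MICR alteration risks discussed under Operational Risks, can be illustrated with a small intake check.  The following is an added example written for this page; it is not code from the Nebraska Bankers Association, the FFIEC, or any RDC vendor.  It assumes a simplified deposit-file format (a file is a list of items carrying the three MICR fields and an amount in cents), illustrative dollar thresholds, and constructed sample files; real RDC platforms carry many more fields, and duplicates presented at another depository institution can only be caught with data from the check collection system, not from this institution’s own files.

```python
"""Duplicate-presentment and deposit-threshold checks over RDC deposit files.

Added illustration for this page, not NBA or FFIEC code.  The record format,
the threshold values and the sample files below are all constructed.
"""
import hashlib
import json
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Item:
    routing: str       # routing transit number read from the MICR line
    account: str       # payor account number read from the MICR line
    check_no: str      # check serial number read from the MICR line
    amount_cents: int  # deposit amount in cents (keyed or recognised)


@dataclass
class DepositFile:
    file_id: str
    customer_id: str
    items: list = field(default_factory=list)


def micr_key(item):
    """Normalise the three MICR fields so that padding or leading zeros added
    by a different scanner or a resubmission do not defeat the duplicate check."""
    def norm(s):
        return s.strip().lstrip("0") or "0"
    return (norm(item.routing), norm(item.account), norm(item.check_no))


def file_fingerprint(deposit_file):
    """SHA-256 over the sorted item content only (file_id is ignored), so a file
    the customer resubmits under a new name still fingerprints the same."""
    rows = sorted((*micr_key(i), i.amount_cents) for i in deposit_file.items)
    return hashlib.sha256(json.dumps(rows).encode()).hexdigest()


def review_deposits(files, per_item_limit_cents, daily_limit_cents):
    """Return (kind, file_id, detail) findings for one business day's files.

    Kinds raised: duplicate_file (whole file resubmitted), duplicate_item (same
    MICR key and amount seen before, in any file or customer), micr_reuse_amount_mismatch
    (same MICR key with a different amount, a possible alteration or keying error),
    item_over_limit, and customer_daily_limit_exceeded (raised once per customer).
    """
    findings = []
    seen_files = {}              # fingerprint -> first file_id
    seen_items = {}              # micr_key -> (file_id, amount_cents)
    daily_total = defaultdict(int)
    limit_flagged = set()

    for f in files:
        fp = file_fingerprint(f)
        if fp in seen_files:
            findings.append(("duplicate_file", f.file_id, f"matches {seen_files[fp]}"))
            continue            # a resubmitted file is intercepted whole, its items are not counted
        seen_files[fp] = f.file_id

        for item in f.items:
            key = micr_key(item)
            if key in seen_items:
                prior_file, prior_amt = seen_items[key]
                kind = "duplicate_item" if prior_amt == item.amount_cents else "micr_reuse_amount_mismatch"
                findings.append((kind, f.file_id, f"{key} first seen in {prior_file}"))
            else:
                seen_items[key] = (f.file_id, item.amount_cents)

            if item.amount_cents > per_item_limit_cents:
                findings.append(("item_over_limit", f.file_id, f"{key} amount {item.amount_cents}"))

            daily_total[f.customer_id] += item.amount_cents

        if daily_total[f.customer_id] > daily_limit_cents and f.customer_id not in limit_flagged:
            limit_flagged.add(f.customer_id)
            findings.append(("customer_daily_limit_exceeded", f.file_id,
                             f"{f.customer_id} total {daily_total[f.customer_id]}"))

    return findings


# Constructed sample: routing and account numbers are placeholders, not real ones.
SAMPLE_FILES = [
    DepositFile("F-1001", "ACME", [
        Item("123123123", "00123456", "0001042", 125_000),
        Item("123123123", "00123456", "0001043", 48_250),
        Item("456456456", "77889900", "2210", 980_000),
    ]),
    # Same three items resubmitted under a new file name, with different MICR padding
    DepositFile("F-1002", "ACME", [
        Item("123123123", "123456", "1042", 125_000),
        Item("123123123", "123456", "1043", 48_250),
        Item("456456456", "77889900", "2210", 980_000),
    ]),
    DepositFile("F-2001", "BETA", [
        Item("456456456", "77889900", "2210", 980_000),     # already deposited by ACME
        Item("123123123", "00123456", "1044", 1_500_000),   # exceeds the per-item limit
        Item("123123123", "00123456", "1042", 12_500),      # check 1042 again, different amount
    ]),
]

if __name__ == "__main__":
    for kind, file_id, detail in review_deposits(SAMPLE_FILES, 1_000_000, 1_200_000):
        print(f"{kind:32} {file_id:8} {detail}")
```

The per-item and per-customer limits are the "deposit thresholds" the text refers to; in practice they come from the customer agreement and suitability review rather than from constants.  Keying the item check on the normalised MICR fields rather than on the image hash is deliberate: a re-scanned physical check produces a different image but the same MICR line, and an altered amount on an unchanged MICR line is exactly the case the alteration risk above describes.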

VI. CONCLUSION

A financial institution offering RDC should have sound risk management and mitigation systems in place and should require adequate risk management at customer locations.  Prior to implementing RDC, and periodically thereafter, management should conduct a risk assessment to identify the related types and levels of risk exposure.  Comprehensive contracts and customer agreements should clearly identify the roles, responsibilities, and liabilities of all parties in the RDC process to minimize exposure to legal and compliance risks.  Appropriate technology and process controls should be implemented at both the financial institution and the customer locations to address operational risk.  Financial institution management and the customer should implement effective risk measurement and monitoring systems.  When appropriate and available, insurance coverage should be considered as a risk transfer mechanism.  As with other financial services, RDC may not be appropriate for all customers or for all financial institutions.
