RDC Audit & Compliance: Lessons Learned from the Battlefield

Kevin Olsen, AAP, NCP
VP of Education

© 2015 EastPay. All Rights Reserved

Respect, Teamwork, Passion, Integrity, Trust

Not-for-profit Regional Payments Association

Educational Programs

Member Benefits
– Voice & Representation in National Rule Making and Regulatory Process
– Toll Free Operational Assistance and
– Discounts on Seminars, Publications, and Conferences

Online Purchasing and Registration

8 ACH Accredited Professionals (AAP)
2 National Check Payments Professionals (NCP)
2 Certified NCP Instructors
2 Certified Treasury Professionals (CTP)
2 Certified Internal Auditors (CIA)
1 Certified Information Systems Auditor (CISA)
1 Certified Financial Services Auditor (CFSA)

Disclaimer

This presentation and applicable materials are intended for general education purposes, and nothing in this presentation should be considered to be legal, accounting or tax advice.

You should contact your own attorney, accountant or tax professional with any specific questions you might have related to this presentation that are of a legal, accounting or tax nature.

Image source: Thinkstock

REMOTE DEPOSIT CHANGED EVERYTHING

RDC is a Payments Platform

RDC applies to a family of related products and services most often differentiated by location of capture.

Source: RemoteDepositCapture.com

Changes With Remote Deposit

Check capture and storage begin in various physical locations.

The check capture process is not completed by financial institution staff.

RDC RISK ASSESSMENTS

Who Says We Have to do Risk Assessments?

Federal Financial Institutions Examination Council (FFIEC)
– Federal Reserve, FDIC, OCC, NCUA, CFPB, State Regulators

NACHA Operating Rules

FFIEC

Financial institutions can mitigate many of the risks associated with electronic payments origination & processing

– Based on a comprehensive risk assessment of the financial institution’s electronic payments environment

– Board and management oversight that establishes appropriate risk tolerances, effective reporting, employee training, and prudent vendor management practices

– Leverage existing risk management processes

– Involve risk management, compliance, and audit resources in the electronic payments risk management effort

– Incorporate all payment products and services into a broader Payment Risk Management Program


Risk Assessment Objectives

Identify the inherent risks and risk factors within the Financial Institution’s ACH or retail payment activities

Identify the key control practices to mitigate those risks

Evaluate the effectiveness of those controls in mitigating the risks, considering the likelihood and potential impact to its capital and earnings AND its regulatory compliance obligations

Risk Assessment Objectives

Identify the parties involved, their responsibilities and their experience/training

Determine whether deficiencies noted in the last examination and most recent internal/external audit have been addressed and/or corrected by management
– How deficiencies were corrected

The risk assessment should be reviewed and approved by the Board annually

Risk Assessment

The risk assessment should encompass factors such as:

– Scope of product

– Financial institution position in payment process

– Type of customer

– Anticipated volume of transactions

– Customer role/responsibility in process

• Customer ability to download/retain NPI (non-public information)

– FI-approved vendors and equipment

– ACH/RDC/Both?


The Real World

The following are findings from RDC risk assessments we have performed

Some are from merchant

Some are from mobile

Some are from both

Top 5 Merchant Findings

– RDC Policy/Procedures are Lacking/Customer Training
– FI uses a Canned Agreement (Agreement Issues)
– Monitoring for Red Flags and/or Anomalies
– BSA Officer Included
– Duplicate Presentments

Top 5 Mobile Findings

– Customer Due Diligence (Who Gets the Service?)
– Duplicate Presentments
– Deposit Velocity Thresholds for Customers
– Termination
– Vendor Management

RDC Policy

The RDC Policy must clearly define the risk management parameters for the product that a Financial Institution’s management follows in establishing procedures.

A trend has been observed where FIs are streamlining their RDC Policy to the point where it is intentionally too brief, with little direction, in order to allow FI Management greater latitude in how the product is supported and delivered.

This approach to creating a product policy actually adds more risk to RDC.

Product Ownership

Recommend that Management assign an individual the role of Merchant RDC Product Officer/Owner as outlined in the Bank’s RDC Policy.

The individual assigned to this role should have end-to-end product knowledge and ownership to ensure that the product is properly supported, managed and monitored.

Review vendor release notes and product upgrades. Failure to do so could result in a product that does not address critical risk mitigation and compliance changes, as well as competitive changes.

Written Procedures

Financial institution does not have ample written procedures in place for Remote Deposit Capture operations and processing.

These are needed even when the RDC Service is outsourced.

Procedures

BSA/AML

Financial institution performs a BSA/AML Risk Assessment, but the scope does not include Remote Deposit Capture.

Remote Deposit Capture onboarding (for existing customers of the Bank) and the annual review process do not consider input from the BSA Officer as it pertains to SAR filings.

Vendor Management

Financial institution does not have a Board approved Vendor Management Policy.

Assessing RDC Customers

RDC is NOT ACH

While RDC has some factors in common with those used to qualify an ACH client, establishing a deposit limit is not the same as setting an exposure limit for ACH or a loan.

It is a sound business practice to risk rate customers for RDC, and FIs should use criteria such as:
– Deposit size
– Frequency
– Number of items
– Type of business

RDC has risk factors, but credit risk is limited.

Agreements

Financial Institutions get a sample RDC Agreement from either their Vendor or another FI and never really review it or customize it to their institution’s environment.

Agreements should be appropriate for the institution’s specific RDC environment and should clearly identify each party’s roles, responsibilities, and liabilities.

While the issues around the RDC Agreement were a lot worse 5 years ago, FIs still need to understand that they need to keep their agreements current.

The FFIEC Guidance on RDC has not changed since 2009; other guidance and industry practices have evolved, and your service agreements need to keep up with these changes.

Agreements Missing Provisions

– Roles and responsibilities of the parties, including those related to the sale or lease of equipment and software needed for RDC at the customer location
– Handling and record retention procedures for the information in RDC, including physical and logical security expectations for access, transmission, storage, and disposal of deposit items containing nonpublic personal information
– The FI’s authority to perform periodic audits of the Customer’s RDC process, including the IT infrastructure
– Performance standards for the FI and the customer, including:
  • Maintenance of a secure system
  • Adequately trained staff
  • Oversight of the deposit process
  • Document management process
– Authority of the financial institution to mandate specific internal controls at the customer’s locations, audit customer operations, or request additional customer information

Customer Training

The financial institution conducts customer training during the installation process, onsite at the customer’s location or remotely via phone or online.

However, the various aspects of training are not documented in writing to ensure consistent delivery.

Customer Training Checklist

A tool that not only ensures the trainer covers all of the critical operational elements of the RDC product, but also covers the key RDC requirements as identified in the RDC agreement.

The RDC Agreement is usually signed by a senior manager at the company, and rarely does that person provide a copy of the agreement to the person who will actually be processing the RDC deposits.

Covering these requirements ensures the RDC User is informed.

This practice also provides the elements for RDC User inspections.

The sound business practice for this checklist is to have the trainer and the RDC user sign it.

Customer Training Checklists

The customer training checklist should include, at a minimum, the following items:
– Procedures for ensuring the security and confidentiality of customer information
– Guidelines for the handling, storage, and destruction of original, physical documents
– Separation of duties and dual control procedures
– Image quality minimum requirements
– Franking/Endorsement requirements (if applicable)
– Duplicate item/file management procedures
– Contingency procedures
– Deposit cut-off times

Duplicate Deposited Items

While most RDC Applications offer duplicate detection to prevent the same item from being deposited again via RDC, duplicates still occur when items are deposited at a branch after they have been processed via RDC.

Adequate procedures help, but a sound business practice is the use of restrictive endorsements or franking of the items processed through RDC, to keep tellers at your branches or at another FI’s branch from processing the duplicate item.

Duplicate Detection

Across the board:
– Merchant doesn’t see Mobile
– Mobile and Merchant don’t see In-person (teller)
– ATM is not seen by any other channel
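The cross-channel gap described above closes once every channel consults one presentment index keyed on the paper item rather than on the channel that captured it. The following is an added example, not the presenter’s or any RDC vendor’s code: it canonicalizes the MICR fields of each deposited item (routing number, account, check serial, plus the amount) and replays a constructed set of deposits first with per-channel silos, as the slide describes, and then with a shared index that lets a teller see an item already captured via merchant RDC. The record layout, field names and sample deposits are assumptions made for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import Dict, List, Optional, Tuple

# Constructed record layout (assumption): one row per deposited item, carrying the
# capture channel plus the MICR-line fields that identify the paper item.
@dataclass(frozen=True)
class DepositItem:
    channel: str      # "merchant_rdc", "mobile_rdc", "teller", "atm"
    captured: str     # ISO date of capture
    customer: str     # depositing customer (deliberately not part of the key)
    routing: str      # drawee routing/transit number as printed
    account: str      # drawer account number as printed
    serial: str       # check serial (number) as printed
    amount: Decimal

ItemKey = Tuple[str, str, str, Decimal]

def _digits(s: str) -> str:
    """Keep only digits; MICR fields are often rendered with spaces or dashes."""
    return "".join(ch for ch in s if ch.isdigit())

def item_key(item: DepositItem) -> ItemKey:
    """Canonical identity of the paper item, independent of capture channel.

    Account and serial drop leading zeros because one channel may render
    "0001234" and another "1234" for the same field; the amount stays in the
    key so a re-used serial on a different check is not a false hit.
    """
    return (
        _digits(item.routing),
        _digits(item.account).lstrip("0") or "0",
        _digits(item.serial).lstrip("0") or "0",
        item.amount,
    )

class PresentmentIndex:
    """Index of items already presented.

    per_channel=True reproduces the siloed behaviour from the slide (each
    channel only remembers its own items); per_channel=False is the shared
    index that lets a branch teller see an item already deposited via RDC.
    """
    def __init__(self, per_channel: bool) -> None:
        self.per_channel = per_channel
        self._seen: Dict[tuple, DepositItem] = {}

    def check_and_record(self, item: DepositItem) -> Optional[DepositItem]:
        """Return the earlier presentment if this item is a duplicate; otherwise
        record the item and return None."""
        key: tuple = item_key(item)
        if self.per_channel:
            key = (item.channel,) + key
        prior = self._seen.get(key)
        if prior is None:
            self._seen[key] = item
        return prior

def find_duplicates(items: List[DepositItem],
                    per_channel: bool) -> List[Tuple[DepositItem, DepositItem]]:
    """Replay items in capture order; return (duplicate, original) pairs."""
    index = PresentmentIndex(per_channel)
    hits = []
    for item in sorted(items, key=lambda i: i.captured):
        prior = index.check_and_record(item)
        if prior is not None:
            hits.append((item, prior))
    return hits

# Constructed sample: the same $1,250 check is captured by a merchant scanner,
# walked into a branch two days later (MICR fields formatted differently by the
# teller platform), then re-scanned by the merchant.  The mobile item shares a
# serial number but is drawn on a different account, so it is not a duplicate.
SAMPLE_ITEMS = [
    DepositItem("merchant_rdc", "2015-03-02", "ACME-001", "123 123 123", "000123456789", "0001234", Decimal("1250.00")),
    DepositItem("mobile_rdc",   "2015-03-02", "JDOE-777", "123123123",   "000987654321", "0001234", Decimal("80.00")),
    DepositItem("teller",       "2015-03-04", "ACME-001", "123123123",   "123456789",    "1234",    Decimal("1250.00")),
    DepositItem("merchant_rdc", "2015-03-05", "ACME-001", "123123123",   "000123456789", "0001234", Decimal("1250.00")),
]

if __name__ == "__main__":
    for mode in (True, False):
        hits = find_duplicates(SAMPLE_ITEMS, per_channel=mode)
        label = "per-channel" if mode else "shared"
        print(f"{label} index: {len(hits)} duplicate(s)")
        for dup, orig in hits:
            print(f"  {dup.channel} {dup.captured} duplicates {orig.channel} {orig.captured}")
```

With the siloed index only the merchant’s own re-scan is caught; the shared index also flags the branch deposit, which is exactly the case the restrictive endorsement is meant to backstop. The canonicalization is the part to get right in a real deployment: a key that is too strict (raw strings) misses cross-channel duplicates, one that is too loose (serial only) generates false positives that tellers learn to ignore.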

File Monitoring

The reporting available to the financial institution can be extremely limited, or the reports that are available via the RDC Application are not utilized.

Adequate reporting assists in the management, oversight and risk mitigation of the Remote Deposit Capture Operations and RDC User Compliance.

Proofing (Monitoring)

Are you looking at everything the same way you did when items were presented physically?

Board Reporting

Board Reporting is frequently very limited or not done at all.

Regulators are looking at the type and degree of detail provided in Sr. Management and Board Reporting.

The recommendation here is to report what makes sound business sense to tell your Board of Directors:
– Number of RDC clients/users
– Number of scanner locations
– Total deposits
– Total items
– Number of exceptions (like over limit situations)
– P&L financials (if you can provide those)
– Key information on each high risk customer using the product, to prove monitoring and reporting is appropriate to the risk the FI is taking

Layered Security

The FFIEC supplemental guidance on Internet authentication (the 2011 Supplement to Authentication in an Internet Banking Environment) strongly recommends layered security. Layered security is an FI focus for the main internet banking access, but it is frequently overlooked for RDC because RDC is not on the main portal.

Annual Reviews

A Financial Institution’s RDC policy typically requires an annual review, yet many FIs are not performing this on a timely basis.

Use the actual deposit activity in the review of deposit limits (12 months of activity is recommended).

Deposit Limits are a benchmark for monitoring and reporting and are not an exposure limit.

Returned deposited item activity should also be considered in the annual review process.
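A worked version of the review described above, and of the velocity thresholds and over-limit exceptions mentioned in the mobile findings and Board Reporting slides, as an added example that is not the presenter’s or any vendor’s code: it replays 12 months of constructed deposit activity for one RDC customer against daily amount and item thresholds, lists the days that breached them, folds in returned-item activity, and proposes a revised benchmark limit from the observed peak. The record layout, the limit values and the headroom heuristic behind the proposed limit are assumptions for illustration; the deck only says to base the review on 12 months of actual activity and to treat the limit as a monitoring benchmark.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from decimal import Decimal, ROUND_CEILING
from typing import Dict, Iterable, List

@dataclass(frozen=True)
class Deposit:
    """One RDC deposit (constructed layout)."""
    customer: str
    day: date
    amount: Decimal
    items: int
    returned_items: int = 0   # items from this deposit later returned unpaid

@dataclass(frozen=True)
class Limits:
    """Per-customer velocity thresholds: a monitoring benchmark, not an exposure limit."""
    daily_amount: Decimal
    daily_items: int

@dataclass(frozen=True)
class Review:
    customer: str
    window_start: date
    window_end: date
    active_days: int
    total_amount: Decimal
    total_items: int
    peak_day_amount: Decimal
    peak_day_items: int
    over_limit_days: List[date]
    return_rate: float        # returned items / deposited items in the window

def _daily_totals(deposits: Iterable[Deposit]) -> Dict[date, List]:
    """Aggregate to per-day [amount, items, returned] so splitting one large
    deposit into several smaller ones on the same day cannot evade a daily threshold."""
    per_day: Dict[date, List] = defaultdict(lambda: [Decimal("0"), 0, 0])
    for d in deposits:
        agg = per_day[d.day]
        agg[0] += d.amount
        agg[1] += d.items
        agg[2] += d.returned_items
    return per_day

def review_customer(customer: str, deposits: List[Deposit], limits: Limits,
                    as_of: date, window_days: int = 365) -> Review:
    """Review the trailing window (12 months by default) of actual activity."""
    start = as_of - timedelta(days=window_days)
    recent = [d for d in deposits if d.customer == customer and start < d.day <= as_of]
    per_day = _daily_totals(recent)
    over = sorted(day for day, (amt, items, _) in per_day.items()
                  if amt > limits.daily_amount or items > limits.daily_items)
    total_items = sum(items for _, items, _ in per_day.values())
    returned = sum(r for _, _, r in per_day.values())
    return Review(
        customer=customer,
        window_start=start,
        window_end=as_of,
        active_days=len(per_day),
        total_amount=sum((amt for amt, _, _ in per_day.values()), Decimal("0")),
        total_items=total_items,
        peak_day_amount=max((amt for amt, _, _ in per_day.values()), default=Decimal("0")),
        peak_day_items=max((items for _, items, _ in per_day.values()), default=0),
        over_limit_days=over,
        return_rate=(returned / total_items) if total_items else 0.0,
    )

def proposed_daily_amount(review: Review, headroom: Decimal = Decimal("1.25"),
                          step: Decimal = Decimal("1000")) -> Decimal:
    """Illustrative heuristic (an assumption, not FFIEC guidance): observed peak day
    plus 25% headroom, rounded up to the next $1,000, so routine activity stays
    under the benchmark while genuine outliers still surface as exceptions."""
    raw = review.peak_day_amount * headroom
    return (raw / step).to_integral_value(rounding=ROUND_CEILING) * step

# Constructed 12-month history for one merchant; the 2014-10-01 deposit falls
# outside the trailing window and must be ignored by the review.
SAMPLE_LIMITS = Limits(daily_amount=Decimal("10000"), daily_items=50)
SAMPLE_DEPOSITS = [
    Deposit("ACME-001", date(2014, 10, 1), Decimal("50000"), 100),
    Deposit("ACME-001", date(2015, 1, 15), Decimal("4200"), 12),
    Deposit("ACME-001", date(2015, 3, 10), Decimal("9800"), 30),
    Deposit("ACME-001", date(2015, 6, 22), Decimal("12500"), 35),          # over amount
    Deposit("ACME-001", date(2015, 9, 3), Decimal("3000"), 8, returned_items=2),
    Deposit("ACME-001", date(2015, 11, 30), Decimal("6000"), 60),          # over item count
]

if __name__ == "__main__":
    r = review_customer("ACME-001", SAMPLE_DEPOSITS, SAMPLE_LIMITS, as_of=date(2015, 12, 31))
    print(f"{r.customer}: {r.active_days} deposit days, total {r.total_amount}, "
          f"peak day {r.peak_day_amount} / {r.peak_day_items} items")
    print(f"over-limit days: {[d.isoformat() for d in r.over_limit_days]}")
    print(f"return rate: {r.return_rate:.2%}; proposed daily limit: {proposed_daily_amount(r)}")
```

The over-limit days are the exception count that belongs in Board reporting; the return rate and peak figures are what the reviewer weighs when deciding whether to raise the benchmark, leave it, or escalate the customer’s risk rating. Because the limit is a monitoring benchmark rather than an exposure limit, an exception here should trigger a review, not automatically block the deposit.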

RDC Reviews

If a Financial Institution risk rates its RDC clients, then it could consider alternatives to performing annual reviews.

The following is an example of one such approach:
– Low Risk RDC clients could be reviewed every 24 months
– Moderate Risk RDC clients could be reviewed every 18 months
– Higher Risk clients can be reviewed every 12 months
– Highest Risk clients could be reviewed every 6 months

Onsite Visits/Inspections

FIs are under the false impression that they must conduct onsite visits/inspections for all RDC Users.

The FFIEC Guidance states the following:
– Customer Due Diligence and Suitability
– When the level of risk warrants, financial institution staff should include visits to the customer’s physical location as part of the suitability review

FIs should define the red flags that warrant an onsite visit or inspection.

Whatever approach is taken, it should be in the RDC Policy.

Another alternative to onsite visits/inspections is the use of an RDC Self-Assessment tool, especially for moderate or low risk customers and out-of-footprint customers.

This is useful in gathering and assessing the customer’s:
– Physical controls/security
– Technological controls
– User access controls
– Scanner placement
– PC Security

Don’t forget to inspect the key training requirements.

Vendor Review

The financial institution has not performed a service quality review of the vendor against agreed upon service level agreements.

Questions?

Contact The Presenter

Kevin Olsen, AAP, NCP
Vice President of Education, IT Manager
[email protected]

800-681-4224
General Information: [email protected]
Audit and Risk: [email protected]
Education: [email protected]