Transcript of RDC Audit & Compliance: Lessons Learned from the Battlefield
Kevin Olsen, AAP, NCP
VP of Education
© 2015 EastPay. All Rights Reserved 1
Respect, Teamwork, Passion, Integrity, Trust
Not-for-profit Regional Payments Association
Educational Programs
Member Benefits
– Voice & Representation in National Rule Making and Regulatory Process
– Toll Free Operational Assistance and Discounts on Seminars, Publications, and Conferences
Online Purchasing and Registration
8 ACH Accredited Professionals (AAP)
2 National Check Payments Professionals (NCP)
2 Certified NCP Instructors
2 Certified Treasury Professionals (CTP)
2 Certified Internal Auditor (CIA)
1 Certified Information Systems Auditor (CISA)
1 Certified Financial Services Auditor (CFSA)
Disclaimer
This presentation and applicable materials are intended for general education purposes and nothing in this presentation should be considered to be legal, accounting or tax advice
You should contact your own attorney, accountant or tax professional with any specific questions you might have related to this presentation that are of a legal, accounting or tax nature
RDC is a Payments Platform
RDC applies to a family of related products and services, most often differentiated by location of capture
RemoteDepositCapture.com
Changes With Remote Deposit
Check capture and storage begins in various physical locations
Check capture process is not completed by financial institution staff
Who Says We Have to do Risk Assessments?
Federal Financial Institutions Examination Council (FFIEC)
– Federal Reserve, FDIC, OCC, NCUA, CFPB, State Regulators
NACHA Operating Rules
FFIEC
Financial institutions can mitigate many of the risks associated with electronic payments origination & processing
– Based on a comprehensive risk assessment of the financial institution’s electronic payments environment
– Board and management oversight that establishes appropriate risk tolerances, effective reporting, employee training, and prudent vendor management practices
– Leverage existing risk management processes
– Involve risk management, compliance, and audit resources in the electronic payments risk management effort
– Incorporate all payment products and services into a broader Payment Risk Management Program
Risk Assessment Objectives
Identify the inherent risks and risk factors within the Financial Institution’s ACH or retail payment activities
Identify the key control practices to mitigate those risks
Evaluate the effectiveness of those controls to mitigate the risks, considering the likelihood and potential impact to its capital and earnings AND its regulatory compliance obligations
Risk Assessment Objectives
Identify the parties involved, their responsibilities and their experience/training
Determine whether deficiencies noted in the last examination and most recent internal/external audit have been addressed and/or corrected by management
How deficiencies were corrected
The risk assessment should be reviewed and approved by the Board annually
Risk Assessment
The risk assessment should encompass factors such as:
– Scope of product
– Financial institution position in payment process
– Type of customer
– Anticipated volume of transactions
– Customer role/responsibility in process
• Customer ability to download/retain NPI (non-public information)
– FI-approved vendors and equipment
– ACH/RDC/Both?
The Real World
The following are findings from RDC risk assessments we have performed
Some are from merchant
Some are from mobile
Some are from both
RDC Policy
The RDC Policy must clearly define the risk management parameters for the product that a Financial Institution’s management follows in establishing procedures
RDC Policy
A trend has been observed where FIs are streamlining their RDC Policy to the point where it is intentionally too brief, with little direction, to allow FI Management greater latitude in how the product is supported and delivered
This approach to creating a product policy actually adds more risk to RDC
Product Ownership
Recommend that Management assign an individual with the role of Merchant RDC Product Officer/Owner as outlined in the Bank’s RDC Policy
The individual assigned to this role should have end-to-end product knowledge and ownership to ensure that the product is properly supported, managed and monitored
Product Ownership
Review vendor release notes, product upgrades
Failure to do so could result in a product that does not address critical risk mitigation and compliance changes, as well as competitive changes, too
Written Procedures
Financial institution does not have ample written procedures in place for Remote Deposit Capture operations and processing
These are needed even when the RDC Service is outsourced
Procedures
BSA/AML
Financial institution performs a BSA/AML Risk Assessment but the scope does not include Remote Deposit Capture
Remote Deposit Capture onboarding (for existing customers of the Bank) and annual review process does not consider the input from the BSA Officer as it pertains to SAR filings
Vendor Management
Financial institution does not have a Board approved Vendor Management Policy
Assessing RDC Customers
RDC is NOT ACH
While RDC has some similar factors used to also qualify an ACH client, establishing a deposit limit is not the same as setting an exposure limit for ACH or a loan
It is a sound business practice to risk rate customers for RDC and FIs should use criteria such as:
– Deposit size
– Frequency
– Number of items
– Type of business
RDC has risk factors, but credit risk is limited
Agreements
Financial Institutions get a sample RDC Agreement from either their Vendor or another FI and they never really review it or customize it to their institution’s environment
Agreements
Agreements should be appropriate for the institution’s specific RDC environment and should identify clearly each party’s roles, responsibilities, and liabilities
Agreements
While the issues around the RDC Agreement were a lot worse 5 years ago, FIs still need to understand that they need to keep their agreements current
Agreements
While the FFIEC Guidance on RDC has not changed since 2009, other guidance and industry practices have evolved, and your service agreements need to keep up with these changes
Agreements Missing Provisions
Roles and responsibilities of the parties, including those related to the sale or lease of equipment and software needed for RDC at the customer location
Agreements Missing Provisions
Handling and record retention procedures for the information in RDC, including physical and logical security expectations for access, transmission, storage, and disposal of deposit items containing nonpublic personal information
Agreements Missing Provisions
The FI’s authority to perform periodic audits of the Customer’s RDC process, including the IT infrastructure
Agreements Missing Provisions
Performance standards for the FI and the customer, including:
– Maintenance of a secure system
– Adequately trained staff
– Oversight of the deposit process
– Document management process
Agreements Missing Provisions
Authority of the financial institution to mandate specific internal controls at the customer’s locations, audit customer operations, or request additional customer information
Customer Training
The financial institution conducts customer training during the installation process onsite at the customer’s location or remotely via phone or online
However, the various aspects of training are not documented in writing to ensure a consistent delivery
Customer Training Checklist
A tool that not only ensures the trainer covers all of the critical operational elements of the RDC product, but it should also cover the key RDC requirements as identified in the RDC agreement
RDC Agreement is usually signed by a senior management person in the company and rarely do they provide a copy of the agreement to the person who will actually be processing the RDC deposits
Customer Training Checklist
Covering these requirements ensures the RDC User is informed
This practice also provides the elements for RDC User inspections
The sound business practice for this checklist is to have the trainer and the RDC user sign it
Customer Training Checklists
The customer training checklist should include, at a minimum, the following items:
– Procedures for ensuring the security and confidentiality of customer information
– Guidelines for the handling, storage, and destruction of original, physical documents
– Separation of duties and dual control procedures
– Image quality minimum requirements
– Franking/Endorsement requirements (if applicable)
– Duplicate item/file management procedures
– Contingency procedures
– Deposit cut-off times
Duplicate Deposited Items
While most RDC Applications offer duplicate detection to prevent the same item from being deposited again via RDC, duplicates still occur from items being deposited at a branch after they are processed via RDC
Adequate procedures help, but a sound business practice is the use of restrictive endorsements or franking the items processed through RDC, to stop tellers at your branches or the branch of another FI from processing the duplicate item
Duplicate Detection
Across the board
– Merchant doesn’t see Mobile
– Mobile and Merchant don’t see In-person (teller)
– ATM is seen by any other channels
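The channel silos on this slide can be checked with a consolidated duplicate-item view. The example below is added here and is not code from the presentation or from any RDC product; the record layout, channel names and sample items are assumptions. It keys each presented check on its MICR fields plus amount, and shows that a merchant-only view sees no duplicates while an FI-wide view across merchant, mobile, teller and ATM catches the same check presented three times.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class DepositItem:
    """One presented check. Field names are assumed, not from any RDC product."""
    channel: str        # merchant, mobile, teller or atm
    deposit_id: str
    routing: str        # paying bank routing number from the MICR line
    account: str        # drawer account number from the MICR line
    check_number: str   # check serial number from the MICR line
    amount_cents: int
    deposited_on: str   # ISO date

# Constructed sample items: one check presented via merchant RDC, then mobile,
# then as the paper original at a branch; a second check via merchant RDC and ATM.
SAMPLE_ITEMS = [
    DepositItem("merchant", "M-1001", "021000021", "1234567", "1042", 125000, "2015-03-02"),
    DepositItem("mobile",   "B-2001", "021000021", "1234567", "1042", 125000, "2015-03-03"),
    DepositItem("teller",   "T-3001", "021000021", "1234567", "1042", 125000, "2015-03-05"),
    DepositItem("merchant", "M-1002", "011000015", "9876543", "220",   50000, "2015-03-02"),
    DepositItem("atm",      "A-4001", "011000015", "9876543", "220",   50000, "2015-03-04"),
    DepositItem("mobile",   "B-2002", "011000015", "9876543", "221",   50000, "2015-03-04"),
]

def item_key(item):
    # A check is identified by its MICR fields plus amount, never by channel or deposit id.
    return (item.routing, item.account, item.check_number, item.amount_cents)

def find_duplicates(items, visible_channels=None):
    """Return {key: [items]} for checks seen more than once.

    visible_channels restricts the view to one silo, modelling the gaps on the slide
    (merchant RDC alone cannot see mobile or teller); None is an FI-wide view.
    """
    seen = defaultdict(list)
    for item in items:
        if visible_channels is None or item.channel in visible_channels:
            seen[item_key(item)].append(item)
    return {k: v for k, v in seen.items() if len(v) > 1}

def duplicate_deposit_ids(items, visible_channels=None):
    # Every presentment after the first is the one to hold for review.
    held = []
    for group in find_duplicates(items, visible_channels).values():
        ordered = sorted(group, key=lambda i: i.deposited_on)
        held.extend(i.deposit_id for i in ordered[1:])
    return sorted(held)
```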
File Monitoring
The reporting available to the financial institution can be extremely limited, or reports that are available via the RDC Application are not utilized
File Monitoring
Adequate reporting assists in the management, oversight and risk mitigation of the Remote Deposit Capture Operations and RDC User Compliance
Proofing (Monitoring)
Are you looking at everything the same way you did when items were presented physically?
Board Reporting
Board Reporting is frequently very limited or not done at all
Regulators are looking at the type and degree of detail provided in Sr. Management and Board Reporting
Board Reporting
The recommendation here is to report what makes sound business sense to tell your Board of Directors:
– Number of RDC clients/users
– Number of scanner locations
– Total deposits
– Total items
– Number of exceptions (like over limit situations)
– P&L financials (if you can provide those)
– Provide key information on each high risk customer using the product to prove monitoring and reporting is appropriate to the risk the FI is taking
Layered Security
The FFIEC supplemental Guidance on Internet Authentication strongly recommends layered security, which is an FI focus for the main internet access, but is frequently overlooked for RDC because it is not on the main portal
Annual Reviews
A Financial Institution’s RDC policy typically requires an annual review, yet many FIs are not performing this on a timely basis
Use the actual deposit activity in the review of deposit limits (12 months of activity is recommended)
Deposit Limits are a benchmark for monitoring and reporting and are not an exposure limit
Returned deposited items activity should also be considered in the annual review process
RDC Reviews
If a Financial Institution risk rates their RDC clients, then they could consider alternatives to performing annual reviews
The following is an example of one such approach:
– Low Risk RDC clients could be reviewed every 24 months
– Moderate Risk RDC clients could be reviewed every 18 months
– Higher Risk clients can be reviewed every 12 months
– Highest Risk clients could be reviewed every 6 months
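The annual review described above (12 months of actual activity measured against a deposit limit that is a benchmark, not an exposure limit, plus returned items) and the risk-tiered review cadence on this slide can be turned into a small report. The example below is added here and is not code from the presentation; the client ids, limits, risk ratings and activity rows are constructed, and the review intervals are the ones listed on the slide.

```python
from datetime import date, timedelta
# Constructed 12+ months of RDC activity. Each row: (client id, deposit date,
# amount in cents, returned?). Client ids, limits and ratings are assumed.
SAMPLE_ACTIVITY = [
    ("acme", date(2014, 4, 15),   80000, False),
    ("acme", date(2014, 7, 1),   120000, False),
    ("acme", date(2014, 11, 3),  135000, False),
    ("acme", date(2015, 2, 9),   200000, True),
    ("bee",  date(2014, 5, 20),   15000, False),
    ("bee",  date(2015, 1, 12),   18000, False),
    ("cat",  date(2013, 12, 31), 900000, True),   # older than 12 months: excluded
    ("cat",  date(2014, 6, 30),  500000, True),
    ("cat",  date(2014, 9, 30),  600000, True),
    ("cat",  date(2015, 3, 1),   700000, False),
]
CLIENTS = {  # per-deposit limit in cents and the FI's risk rating for the client
    "acme": {"limit_cents": 100000, "risk": "moderate"},
    "bee":  {"limit_cents": 50000,  "risk": "low"},
    "cat":  {"limit_cents": 650000, "risk": "highest"},
}
AS_OF = date(2015, 3, 31)
# Months between reviews, from the slide's example risk-tiered approach.
REVIEW_INTERVAL_MONTHS = {"low": 24, "moderate": 18, "higher": 12, "highest": 6}

def review_client(client_id, activity, clients, as_of):
    """Trailing-12-month summary for one client; the deposit limit is a monitoring
    benchmark, so deposits above it are reported as exceptions, not blocked."""
    window_start = as_of - timedelta(days=365)
    limit = clients[client_id]["limit_cents"]
    rows = [r for r in activity if r[0] == client_id and window_start < r[1] <= as_of]
    returned = sum(1 for r in rows if r[3])
    return {
        "items": len(rows),
        "total_cents": sum(r[2] for r in rows),
        "over_limit": sum(1 for r in rows if r[2] > limit),
        "returned": returned,
        "return_rate": returned / len(rows) if rows else 0.0,
        "next_review_months": REVIEW_INTERVAL_MONTHS[clients[client_id]["risk"]],
    }

def clients_with_exceptions(activity, clients, as_of):
    # Clients to call out in Board reporting: any over-limit deposit or returned item.
    flagged = []
    for client_id in clients:
        summary = review_client(client_id, activity, clients, as_of)
        if summary["over_limit"] or summary["returned"]:
            flagged.append(client_id)
    return sorted(flagged)
```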
Onsite Visits/Inspections
FIs are under the false impression they must conduct onsite visits/inspections for all RDC Users
The FFIEC Guidance states the following:
– Customer Due Diligence and Suitability
– When the level of risk warrants, financial institution staff should include visits to the customer’s physical location as part of the suitability review
FIs should define the red flags that warrant an onsite visit or inspection
Whatever approach is taken, it should be in the RDC Policy
Onsite Visits/Inspections
Another alternative to onsite visits/inspections is the use of an RDC Self-Assessment tool, especially for moderate or low risk customers and out of footprint customers
This is useful in gathering and assessing the customer’s:
– Physical controls/security
– Technological controls
– User access controls
– Scanner placement
– PC Security
Don’t forget to inspect the key training requirements
Vendor Review
The financial institution has not performed a service quality review of the vendor against agreed upon service level agreements
Contact The Presenter
Kevin Olsen, AAP, NCP
Vice President of Education, IT Manager
General Information: 800-681-4224