Compliance and Regulation for Mobile Solutions Amanda J. Smith Messick & Lauer, P.C. May 16, 2013

Compliance and Regulation for Mobile Solutions

Amanda J. Smith
Messick & Lauer, P.C.

May 16, 2013

Overview

• E-Sign Act
• Uniform Electronic Transactions Act
• Electronic document retention
• Remote deposit capture compliance and risk management

Electronic Signatures in Global and National Commerce Act (E-Sign Act)

In General

• Just because a signature, contract, or other document is in electronic form does not mean it is not binding or legal; and

• A contract cannot be deemed unenforceable or invalid solely because an electronic record or signature was used in its formation.

E-Sign Requirements

• Consent must be informed – E-Sign disclosures.
• The consumer must have the technological ability to accept the electronic records, and you must have proof of this.

• Must obtain the consumer’s consent to accept the records electronically.

• Must provide subsequent disclosures if technology requirements change in a material way.

• Consumer must have the right to withdraw consent prior to receiving the electronic record.

E-Sign Disclosures

• Clear and conspicuous;
• Provided before the consumer agrees to accept electronic records;
• Explain what rights the consumer has to obtain the records in paper form;
• Explain the consumer’s right to withdraw consent and the consequences of withdrawal;
• Describe the extent of the consent granted;
• Delineate the procedures to be followed in the event the consumer chooses to withdraw consent;

E-Sign Disclosures – Cont’d

• Tell the consumer the process which should be followed to update his or her contact information;

• Divulge whether the consumer may obtain a paper copy of the electronic record;

• Tell whether a fee will be assessed for obtaining a paper copy and whether the relationship will be terminated upon withdrawal of consent; and

• Describe the hardware and software requirements for access and retention.

Exceptions

• Wills, codicils, and trusts.
• Certain areas of the UCC.
• Notices of default, foreclosure, repossession, or eviction.

Uniform Electronic Transactions Act (UETA)

What is it?

• Uniform rules to govern transactions in electronic commerce that should serve in every state.

• By adopting the official version of UETA, states have the authority to modify, limit, or supersede some E-Sign provisions, including its consumer protection provisions.

• Forty-seven states, the District of Columbia, Puerto Rico, and the Virgin Islands have adopted UETA.

• In general, when E-Sign and UETA conflict, UETA governs.

What does it say?

• A record or signature may not be denied legal effect or enforceability solely because it is in electronic form.

• A contract may not be denied legal effect or enforceability solely because an electronic record was used in its formation.

• Any law that requires a writing will be satisfied by an electronic record.

• Any signature requirement in the law will be met if there is an electronic signature.

Electronic Document Retention

Guidance

• Appendix A to Part 749
– Must be accurate, reproducible and accessible to an examiner.
• NCUA Legal Opinion Letter 07-0812
• State law – Retention times
• Federal and state rules of evidence
– Use of electronic records in court proceedings.

Remote Deposit Capture

Risk Management

• FFIEC publication - Risk Management of Remote Deposit Capture

• What are the risks associated with the activity?

• How do you mitigate and control the risks?
• How do you monitor the risks on an ongoing basis?

Legal and Compliance Risks

• Check 21 Act, Regulation CC, Regulation J, applicable state laws, account agreements, and clearinghouse rules may apply.
– Most regulations do not specifically address RDC scenarios (e.g., funds availability); therefore customer agreements must address them.

• Bank Secrecy Act and Anti-Money Laundering – Policies and procedures

Customer Agreement

• Roles and responsibilities of the parties, including those related to hardware and software requirements;

• Record retention and disposal requirements;
• Types of items that may be transmitted;
• Processes and procedures that the customer must follow, including image quality;
• Dispute resolution procedures;
• Periodic audits of RDC procedures, if applicable;
• Performance standards for financial institution and customer;

Customer Agreement - Continued

• Allocation of liability, warranties, indemnification;
• Funds availability, collateral, and collected funds requirements;
• Governing laws, regulations and rules;
• Authority of the financial institution to mandate specific internal controls at the customer’s locations, audit customer operations, or request additional customer information; and
• Authority of the financial institution to terminate the RDC relationship.

Operational Risks

• Fraud – risk is elevated in an RDC environment.
– Check alteration
– Forged or missing endorsements
– Certain security features may be lost
– Counterfeit
– Duplicate presentment of checks

• Safety of deposited items held by customers (i.e., protection of NPPI).
• Proper disposal of deposited items by customers.
• Customer authentication.
• Data security and lack of encryption in the RDC system.
• Reliability of the RDC vendor.
• RDC processes at the consumer’s location.
• Maintaining compatible IT between financial institution, vendor, and consumer.

Controlling Operational Risks

• Customer due diligence
• Vendor due diligence
• RDC training for customers
• Business continuity
• Monitoring and reporting
• Change control processes
• Insurance

NCUA Supervisory Focus for 2013

• Letter No. 13-CU-01
• Remote deposit capture, online banking, mobile banking, and social media.
• Must implement controls commensurate with the risks involved, in particular ensuring the security and stability of these service delivery channels.

Remote Deposit Capture Examination Procedures

• Letter No. 09-CU-07 and enclosure Remote Deposit Capture Questionnaire.
– Service Delivery Environment
– Management – Strategic Planning / Risk Assessment / Policies and Procedures
– Due Diligence – Vendor / Member / Application Specifications
– Legal & Compliance / Contracts & Agreements / Internal Audit
– Operational (Implementation)
– Fraud

Questions? Comments?

Thank you!

Amanda Smith
(610) 892-9000

[email protected]