RDC Risk Management Update 2011
Heather Holliway, Product Manager Synovus Financial Corp.
Ed McLaughlin, Executive Director
RemoteDepositCapture.com
September 30, 2011
Regulatory Guidance Overview
1. FFIEC RDC Risk Management Guidance, released January 14, 2009
   – RDC risk management process in an electronic environment
   – Focusing on RDC deployed at a customer location
   – The principles of RDC risk management discussed are applicable to:
     • FI's internal deployment – ATM, Branch, Cash Vault
     • Other forms of electronic deposit delivery systems (e.g., mobile banking and automated clearing house [ACH] check conversions)
2. Retail Payment Systems Booklet (N), (M) – February 10, 2010
3. 2010 Version of the Bank Secrecy Act/Anti-Money Laundering Examination Manual – updated April 29, 2010
4. Authentication in an Internet Banking Environment – October 12, 2005
   – Supplement to Authentication in an Internet Banking Environment – June 22, 2011
5. Reg. CC changes are coming…
New Challenges
• Mobile, Flatbed, Merchant, Fax
  – Treat as new products in the process
  – Device security
  – Check security
  – Compliance
• Mobile for small business and the consumer
  – The farther down-market you go, the less sophisticated the business
    • Keep it simple
    • Fewer checks and balances
    • Segregation of duties
    • Documented risk practices
• FFIEC Guidance is risk management oriented, not device oriented
FFIEC guidance was a watershed event. But what value will all the resulting effort produce?
• Nearly 90% of FIs surveyed have suffered NO LOSS uniquely attributed to RDC
  – This includes CUs offering consumer RDC
• Losses among the 12% were not recurring events
• Fraud mechanisms are not a mystery, nor many:
  – Duplicate presentment
  – Kiting
  – Insider fraud
• Duplicate presentment is the most commonly cited mechanism by a large margin
[Chart: RDC Loss Profile – Resp (%) by FI asset size (>$50b, $10b - $50b, $1b - $10b, <$1b) for four statements: "We have recurring loss incidents", "We have had several loss incidents", "We have had a single loss incident", "We have suffered no loss uniquely attributed to RDC". Source: Celent FI survey, September 2010, n=194.]
“Almost exclusively in our cases, our losses are due to insider fraud at our customer sites, due to a lack of or failing to follow existing dual controls” – US Mid tier bank
This slide provided courtesy of Celent.
System Capabilities & Integration
System Functionality
• Duplicate item detection
• Scanner options
• Data Integration & Usability
• Audit logs and event logs (MIS reporting)
• IQA and IUA
• Front and Back of the Check
  – MICR & CAR/LAR Controls
  – Marking Capability
  – Presence of Endorsements
• Clearing options
  – LCR (lowest cost routing), including rules for ACH vs. Image and IRD
• ABA Validation routines
• Integration of
  – BSA/AML systems and processes
  – OFAC
  – BCP (Enterprise)
• IT Security Infrastructure (SSO, rights and privileges, etc.)
Know Your Customer
Key Information:
• Understand the Business
  – Finances, Customers, Processes
  – CDD (Customer Due Diligence), EDD (Enhanced Due Diligence), CIP (Customer Identification Program)
• Understand Deposits
  – Obtain History
  – Volumes & Values of items, deposits, returns
  – Velocity
• Use this data to custom-fit RDC
  – Thresholds, Limits, Holds & Availability Schedules
  – Separation of Duties, Approvals
  – Functional Capabilities
  – Pricing, Balances; monitor deposit & data trends
RDC should be customized to each individual client.
Duplicate Detection
Duplicate Detection should ideally be done across all levels & accounts, channels and products.
• Levels & Accounts
  – User, Location, Account
• Channels
  – RDC Location, Lockbox, ATM, Branch, Mail Drop, Kiosk & Inclearings, etc.
• Products
  – Check and ACH (for converted items)
• Network
  – All banks using a specific service provider
• Industry
  – i3G / Fed Initiative
  – More??
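The slide above and the earlier loss-profile discussion both point at the same control: one duplicate index shared by every channel, so a check scanned through RDC and later walked into a branch or arriving in the inclearings file is recognised as the same item. The following is an added example written for this page, not code from the presenters, Synovus or RemoteDepositCapture.com. It keys each presentment on the MICR line (routing number, payor account, check serial), normalises the fields, and retains keys for an assumed 180-day window; the channel names, the `Item` record, the retention period and the sample presentments are all constructed for illustration.

```python
"""Cross-channel duplicate item detection (added example; not the presenters' code).

Every presentment, whatever the channel (RDC, lockbox, ATM, branch, mail drop,
kiosk, inclearings), is reduced to one key derived from the MICR line:
routing number, payor account number and check serial number.  Two
presentments with the same key are the same physical check, regardless of
which depositor, location or channel submitted it.  A matching key with a
different amount is routed for review rather than auto-rejected, because a
CAR/LAR misread and an altered item look the same at this point.
"""
from dataclasses import dataclass, field
from datetime import date
import re

RETENTION_DAYS = 180  # assumed retention window for the duplicate index


@dataclass(frozen=True)
class Item:
    item_id: str
    channel: str           # e.g. "RDC", "LOCKBOX", "ATM", "BRANCH", "INCLEARING"
    deposit_account: str   # the depositor's account at our FI
    routing: str           # payor bank routing number from the MICR line
    account: str           # payor account number from the MICR line
    serial: str            # check serial number from the MICR line
    amount_cents: int      # CAR/LAR or keyed amount
    presented: date


def _norm(s: str) -> str:
    """Strip spaces and dashes that differ between scanners and channels."""
    return re.sub(r"[\s-]", "", s)


def micr_key(item: Item) -> tuple:
    """Channel-independent identity of the physical check."""
    serial = _norm(item.serial).lstrip("0") or "0"   # "0001042" and "1042" are the same check
    return (_norm(item.routing), _norm(item.account), serial)


@dataclass
class DuplicateDetector:
    retention_days: int = RETENTION_DAYS
    _seen: dict = field(default_factory=dict)   # micr key -> first Item seen

    def check(self, item: Item) -> dict:
        """Return a finding for this item and record it if it is new.

        Outcomes:
          accepted          first presentment of this check
          duplicate         same check, same amount, seen before on any channel
          duplicate_review  same check, different amount: CAR/LAR misread or
                            alteration; route to operations for review
          expired_prior     prior presentment is outside the retention window;
                            accepted, but the prior item id is reported
        """
        key = micr_key(item)
        prior = self._seen.get(key)
        if prior is None:
            self._seen[key] = item
            return {"item": item.item_id, "outcome": "accepted"}
        if (item.presented - prior.presented).days > self.retention_days:
            self._seen[key] = item
            return {"item": item.item_id, "outcome": "expired_prior", "prior": prior.item_id}
        outcome = "duplicate" if prior.amount_cents == item.amount_cents else "duplicate_review"
        return {
            "item": item.item_id,
            "outcome": outcome,
            "prior": prior.item_id,
            "prior_channel": prior.channel,
            "cross_account": prior.deposit_account != item.deposit_account,
        }


# Constructed sample presentments (not real data).  i1..i4 are one check
# presented four times; i5/i6 are another check presented 213 days apart.
SAMPLE = [
    Item("i1", "RDC", "DEP-100", "061000052", "1234 5678", "0001042", 25000, date(2011, 9, 1)),
    Item("i2", "RDC", "DEP-100", "061000052", "12345678", "1042", 25000, date(2011, 9, 1)),
    Item("i3", "BRANCH", "DEP-200", "061000052", "12345678", "1042", 25000, date(2011, 9, 20)),
    Item("i4", "INCLEARING", "DEP-300", "061000052", "12345678", "1042", 52000, date(2011, 9, 25)),
    Item("i5", "RDC", "DEP-100", "061000052", "12345678", "1043", 10000, date(2011, 9, 1)),
    Item("i6", "RDC", "DEP-100", "061000052", "12345678", "1043", 10000, date(2012, 4, 1)),
]


def run(items=SAMPLE) -> list:
    """Feed presentments through one shared detector in arrival order."""
    detector = DuplicateDetector()
    return [detector.check(i) for i in items]


if __name__ == "__main__":
    for finding in run():
        print(finding)
```

The point of the sample is the third item: the branch deposit into a different depositor's account is still caught, because the index is keyed on the check, not on the RDC customer. In production the index would be a shared store (the "network" level on the slide), and the detector would also hash the image to catch re-submitted deposit files whose MICR fields were re-keyed.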
The Importance of Endorsements
• Endorsements can help prevent duplicates
  – Restrict deposit to a specific bank & account
• Legal & Regulatory implications
  – Appropriate endorsement can be identified
    • Teller
    • Payor
    • Systemic Identification
  – Decreases the likelihood the item will be used
    • Criminals can also see the restrictive endorsement
• Systemic Capabilities are evolving – Hardware & Software
Testing Risk Management
[Table: Risk Control / Risk Type matrix; each cell is rated with a circle, and the circle ratings are not recoverable from this extract.]
Risk Types (columns): Operational Error; Check Kiting; Duplicate Error; Duplicate Fraud; Value Fraud; Volume Fraud; Return Items
Risk Controls (rows): Value / Volume Thresholds; RDC System DD*; Cross-Channel DD*; IQA / IQU / CAR / LAR; Patterning; Holds; Availability Schedules; Balances
*Duplicate Detection
Legend: ¼ Circle = Minimal, ½ Circle = Fair, ¾ Circle = Moderate, Full Circle = Good
Level of Risk Management Adequacy: FIs should have at least 1.5 Total Circles per risk type, 2+ for Fraud Risk Types.
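The adequacy rule on this slide is easy to state and easy to get wrong when a matrix has eight controls and seven risk types, so here is an added example that scores it: an illustrative tool written for this page, not the presenters' own assessment or code. It uses the slide's circle scale, control names and risk types; the ratings in `SAMPLE_MATRIX` are constructed to show the arithmetic and do not reproduce the presentation's ratings.

```python
"""Risk-control adequacy scoring on the slide's circle scale (added example).

Each cell of the control-by-risk-type matrix is rated with the slide's
circles (quarter, half, three-quarter, full).  The slide's rule: at least
1.5 total circles per risk type, and 2+ for the fraud risk types.
"""

CIRCLE = {"quarter": 0.25, "half": 0.5, "three_quarter": 0.75, "full": 1.0}

RISK_TYPES = ["Operational Error", "Check Kiting", "Duplicate Error", "Duplicate Fraud",
              "Value Fraud", "Volume Fraud", "Return Items"]
CONTROLS = ["Value / Volume Thresholds", "RDC System DD", "Cross-Channel DD",
            "IQA / IQU / CAR / LAR", "Patterning", "Holds", "Availability Schedules", "Balances"]


def required_circles(risk_type: str) -> float:
    """Slide rule: 2+ circles for fraud risk types, 1.5 otherwise."""
    return 2.0 if risk_type.endswith("Fraud") else 1.5


def total_circles(matrix: dict) -> dict:
    """Sum circle values per risk type.  matrix: {control: {risk_type: rating_name}}."""
    totals = {r: 0.0 for r in RISK_TYPES}
    for control, ratings in matrix.items():
        if control not in CONTROLS:
            raise ValueError(f"unknown control: {control}")
        for risk_type, rating in ratings.items():
            if risk_type not in totals:
                raise ValueError(f"unknown risk type: {risk_type}")
            totals[risk_type] += CIRCLE[rating]   # KeyError names an unknown rating
    return totals


def adequacy_gaps(matrix: dict) -> dict:
    """Risk types below the slide's minimum, mapped to the circles still missing."""
    totals = total_circles(matrix)
    return {r: required_circles(r) - t for r, t in totals.items() if t < required_circles(r)}


# Constructed ratings (not the presentation's).  Only rated cells are listed;
# an absent cell contributes nothing.
SAMPLE_MATRIX = {
    "Value / Volume Thresholds": {"Value Fraud": "full", "Volume Fraud": "full",
                                  "Check Kiting": "half", "Operational Error": "quarter"},
    "RDC System DD": {"Duplicate Error": "full", "Duplicate Fraud": "three_quarter"},
    "Cross-Channel DD": {"Duplicate Error": "half", "Duplicate Fraud": "three_quarter"},
    "IQA / IQU / CAR / LAR": {"Operational Error": "three_quarter", "Value Fraud": "quarter"},
    "Patterning": {"Check Kiting": "three_quarter", "Volume Fraud": "half", "Return Items": "half"},
    "Holds": {"Return Items": "full", "Check Kiting": "half", "Value Fraud": "half"},
    "Availability Schedules": {"Return Items": "half", "Check Kiting": "quarter"},
    "Balances": {"Check Kiting": "quarter", "Return Items": "quarter"},
}


def report(matrix: dict = SAMPLE_MATRIX) -> list:
    """One line per risk type: total circles, required circles, and the verdict."""
    totals, gaps = total_circles(matrix), adequacy_gaps(matrix)
    lines = []
    for r in RISK_TYPES:
        verdict = f"short by {gaps[r]:.2f}" if r in gaps else "adequate"
        lines.append(f"{r:<18} {totals[r]:.2f} / {required_circles(r):.1f}  {verdict}")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

With these constructed ratings the kiting, duplicate-error and return-item columns pass, while both duplicate fraud and volume fraud sit at exactly 1.5 circles and fail the stricter 2+ rule for fraud types, which is the case the slide's second threshold exists for.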
RDC Risk Management
Striking the perfect balance between BSA/Compliance and Treasury Management
Heather Holliway, Product Manager Synovus Financial Corp.
September 30, 2011
Let the Tug-of-War Begin
• Synovus released RDC in 2005
  – Rush to market, high-profile product
  – Treasury Management is eager to sell, sell, sell!
  – BSA wants control!
11 Copyright 2010, RemoteDepositCapture.com
Results of Tug-of-War
• Customer dissatisfaction with turn-around time on approval
• Sales team frustrated with documentation requirements and approval process
• Resource intensive for both BSA and Treasury Management teams
• BSA now referred to as “BPU” (Business Preventative Unit)
The Dilemma
Question: How can we sell the service and deliver quickly while appropriately mitigating risk?
Answer: Restructure the customer approval process based on customers’ risk classifications. Revise the Risk Policy!
A Realistic Approach
• Treasury Management must partner with BSA/Compliance and Operational Risk to create a realistic and reasonably designed risk-based Remote Deposit Capture policy based on FFIEC guidance
• Implement monitoring or audit procedures
  – Understand your customers’ activity to identify red flags before it’s too late
  – Be proactive vs. reactive
  – Determine both business segment and BSA Risk tolerance thresholds
Customer Approval Process
• Customer approval process
  – Define customer risk categories based on FFIEC guidance and your bank’s risk appetite (e.g. low, medium and high)
  – Determine which categories are permitted and prohibited
  – Determine who owns the approval based on risk type (e.g. moderate risk requires dual approval, high-risk RDC prohibited)
• Regardless of risk level, due diligence must be performed and documented
  – Know your customer: apply your bank’s CIP and CDD/EDD standards
  – Document anticipated volume and $ deposited
  – Review previous statements to understand the customer’s activity
  – Verify account ownership
  – Verify the credit relationship is in good standing (if applicable)
Account Monitoring
• Ongoing Account Activity/Transaction Monitoring
  – Examples of valuable data:
    • customer account balances and deposit history
    • spiked activity or trends that are inconsistent with anticipated account activity
    • overdrawn accounts
    • higher incidence of NSF checks, returned items or customer complaints
    • routinely resubmitted data files or duplicate presentment of checks or images
    • changes in business profile or ownership
  – Accounts with significant variances should be reviewed; explanations should be documented and archived for audit
  – Accounts with suspicious activity:
    • should be reported to Loss Prevention, Operational Risk and BSA/Compliance
    • work with the Relationship Manager to determine whether or not the service should be removed
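The red flags listed on this slide are all comparisons: actual activity against what the customer said to anticipate at onboarding (the "Know Your Customer" slide and the FFIEC standard of obtaining expected volume, dollar volume and item type and resolving significant deviations), and against the customer's own trailing history. The following added example, written for this page and not code from the presenters or Synovus, turns those comparisons into a periodic review that emits reason-coded findings and a disposition. The `Profile` and `PeriodActivity` records, every tolerance value, the reason codes and the sample customer data are constructed assumptions; a real policy sets the tolerances per business segment and BSA risk profile.

```python
"""Expected-vs-actual RDC activity monitoring (added example; not the presenters' code).

The onboarding profile records what the customer said to anticipate (items and
dollars per period, item types).  Each period the actual figures are compared
against that profile and against the customer's own trailing history.  Every
significant variance goes to a review queue with a reason code, so the review,
its explanation and its disposition can be documented and archived for audit.
"""
from collections import Counter
from dataclasses import dataclass
from statistics import mean


@dataclass
class Profile:
    customer: str
    expected_items: int          # anticipated items per period
    expected_cents: int          # anticipated dollar volume per period, in cents
    allowed_types: frozenset     # item types the customer said it deposits


@dataclass
class PeriodActivity:
    period: str
    items: int
    cents: int
    returns: int                 # NSF / returned items in the period
    days_overdrawn: int
    file_ids: list               # deposit-file identifiers (or file hashes) submitted
    item_types: dict             # item type -> count


# Assumed tolerances (constructed for this example).
VOLUME_TOLERANCE = 0.50      # item count may deviate +/-50% from anticipated
VALUE_TOLERANCE = 0.50       # dollar volume may deviate +/-50% from anticipated
RETURN_RATE_MAX = 0.05       # more than 5% returned items is a red flag
HISTORY_SPIKE = 2.0          # more than 2x the trailing average is a spike
ESCALATE_CODES = {"resubmitted_file", "unexpected_item_type", "return_rate"}


def _variance(actual: int, expected: int) -> float:
    """Fractional deviation from the anticipated figure (0 if nothing was anticipated)."""
    return (actual - expected) / expected if expected else 0.0


def review_period(profile: Profile, history: list, current: PeriodActivity) -> list:
    """Return (reason_code, detail) findings for one monitoring period."""
    findings = []
    v = _variance(current.items, profile.expected_items)
    if abs(v) > VOLUME_TOLERANCE:
        findings.append(("volume_variance", f"items {v:+.0%} vs anticipated {profile.expected_items}"))
    d = _variance(current.cents, profile.expected_cents)
    if abs(d) > VALUE_TOLERANCE:
        findings.append(("value_variance", f"dollars {d:+.0%} vs anticipated ${profile.expected_cents / 100:,.2f}"))
    if history:
        trailing = mean(p.cents for p in history)
        if trailing and current.cents > HISTORY_SPIKE * trailing:
            findings.append(("value_spike", f"dollars {current.cents / trailing:.1f}x the trailing average"))
    if current.items and current.returns / current.items > RETURN_RATE_MAX:
        findings.append(("return_rate", f"{current.returns} of {current.items} items returned"))
    if current.days_overdrawn > 0:
        findings.append(("overdrawn", f"overdrawn {current.days_overdrawn} day(s)"))
    # Resubmitted files: the same identifier twice this period, or one already seen in history.
    prior_files = {f for p in history for f in p.file_ids}
    repeats = {f for f, n in Counter(current.file_ids).items() if n > 1}
    repeats |= set(current.file_ids) & prior_files
    if repeats:
        findings.append(("resubmitted_file", f"deposit file(s) submitted more than once: {sorted(repeats)}"))
    unexpected = set(current.item_types) - set(profile.allowed_types)
    if unexpected:
        findings.append(("unexpected_item_type", f"item types outside profile: {sorted(unexpected)}"))
    return findings


def disposition(findings: list) -> str:
    """none: no variance; document_and_archive: review and record the explanation;
    escalate: report to Loss Prevention, Operational Risk and BSA/Compliance."""
    codes = {code for code, _ in findings}
    if codes & ESCALATE_CODES:
        return "escalate"
    return "document_and_archive" if findings else "none"


# Constructed sample data (not real customers or deposits).
PROFILE = Profile("Example Plumbing LLC", expected_items=200, expected_cents=4_000_000,
                  allowed_types=frozenset({"business", "payroll"}))
HISTORY = [
    PeriodActivity("2011-07", 190, 3_900_000, 2, 0, ["F-0701", "F-0715"], {"business": 190}),
    PeriodActivity("2011-08", 205, 4_100_000, 3, 0, ["F-0801", "F-0815"], {"business": 205}),
]
CLEAN = PeriodActivity("2011-09", 210, 4_200_000, 3, 0, ["F-0901", "F-0915"], {"business": 210})
SUSPECT = PeriodActivity("2011-10", 560, 15_000_000, 40, 3,
                         ["F-1001", "F-1002", "F-1002", "F-0815"],
                         {"business": 500, "third-party": 60})

if __name__ == "__main__":
    for period in (CLEAN, SUSPECT):
        findings = review_period(PROFILE, HISTORY, period)
        print(period.period, disposition(findings), findings)
```

The split between "document and archive" and "escalate" mirrors the slide: a volume variance alone is a review item whose explanation is recorded, whereas a resubmitted deposit file, an item type the customer never said it would deposit, or a return rate above tolerance is reported onward.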
Training
• Critical for both Treasury Management and Customers!
• Treasury Management Training
  – Sales must understand the policy before selling
  – Mandatory Product and Risk training on at least an annual basis
  – Identify BSA/Compliance red flags for suspicious activity
  – Escalation Criteria – both Operational and BSA compliance
  – Standardize documentation for monitoring and exception reviews to meet compliance, audit and regulatory scrutiny
• Customer Training – the end user should understand the policies and procedures set forth in the legal agreement
  – Deposit deadline
  – Eligible / Ineligible items
  – Handling of duplicate items
  – Retention requirements
  – Prohibited use
Striking the Perfect Balance
• Simplify the customer approval process based on FFIEC guidance
• Implement risk-based account and transaction monitoring based on your bank’s BSA risk profile and business segment risk tolerance
• Sales Team – selling and generating fee income!
• BPU returns to BSA – no longer “the bad guys”!
Summary of Risk Management Standards – FFIEC:
• Comprehensively identify and assess RDC risk prior to implementation
• Conduct appropriate customer CDD and EDD on new RDC customers
• Create risk-based parameters that can be used to conduct RDC customer suitability reviews
• Obtain expected account activity from the RDC customer, such as the anticipated RDC transaction volume, dollar volume, and type (e.g., payroll checks, third-party checks, or traveler’s checks); compare it to actual activity, and resolve significant deviations
• Compare expected activity to business type to ensure they are reasonable and consistent
• Develop well-constructed contracts that clearly identify each party’s role, responsibilities, and liabilities, and that detail record retention procedures for RDC data
• Implement additional monitoring or reviews when significant changes occur in the type or volume of transactions
• Ensure that RDC customers receive adequate training
Questions?
Additional Takeaways
• Determine both business segment and BSA Risk tolerance thresholds
• Design a reasonable and realistic policy based on FFIEC guidance and the controls currently in place – e.g. assume more risk on the front line due to in-depth monitoring on the back end
• Partner with BSA/Compliance…tap into their knowledge!
About The Presenter
Heather Holliway
• Synovus Financial Corp.
• [email protected]