Remote Deposit Capture: Sound Practices for Implementation and Risk Avoidance

Payments Strategy Series


©2012, Western Payments Alliance. All rights reserved.

www.wespay.org

300 Montgomery Street, Suite 400 San Francisco CA 94104 (415) 433-1230


Table of Contents

• Introduction
• Why RDC?
• Implementing RDC
• Understanding Risks
• Assessing Your Risk
• FFIEC RDC Guidance
    • FFIEC Guidance on Customer Suitability
    • Customer RDC Agreements
• The Future of RDC
• References


Introduction

In 1980, five years after the development of the national ACH network, people within the financial services industry started predicting that the United States would be a completely checkless society before the end of the 20th century. Clearly, that has not happened, although the use of paper checks has declined substantially over the years, and the 24.4 billion checks that were written in 2009 comprised only 22 percent of the total payments [1].

A more substantial change that has occurred as check volume has declined is the way financial institutions process checks, particularly since Check 21 was implemented in 2004. What used to be an entirely physical processing method (gathering the checks from a number of different points, manually creating cash letters, transporting them to a processor, and then delivering them to the financial institution that holds the account) can now be streamlined to be mostly electronic. The implementation of Check 21 made remote deposit capture (RDC) possible, and as a result, financial institutions have been converting their operations to more electronic methods of capturing checks from a variety of endpoints, including branches, merchants, ATMs, and most recently home computers and mobile phones. This, in turn, makes the check processing cycle more efficient and less expensive than manual processing. This change in the way paper checks are processed is considered to be one of the most important advances in the financial services industry by customers, financial institutions, and regulators.

When remote deposit capture (RDC) was first introduced, there were few rules and regulations that applied to check image and presentment. Thus, in 2009, the Federal Financial Examination Committee (FFIEC) issued guidance to support any financial institution interested in providing RDC, particularly beyond their branches, teller windows, and ATMs. This WesPay white paper examines the role of RDC in today’s financial services environments and suggests best practices for implementation and mitigating risk.


Why RDC?

RDC gives financial institutions the ability to capture check images from remote locations, such as branch offices, merchants, corporate customers, or individual customers. The financial institution can then either pass the scanned image on for posting and settlement under Check 21 rules or clearing house rules (such as those of the Electronic Check Clearing House Organization (ECCHO)), or send the information as an ACH item. Checks can be processed more quickly and efficiently when the financial institution does not have to wait for the physical item to be processed or sent on to the payer’s bank. The physical check is truncated.

There are generally three types of RDC:

• Internal Capture: Financial institutions implemented RDC to capture checks deposited at ATMs or in the branches. Many financial institutions use this method to capture and post checks deposited at a branch, at the teller window, or in an ATM. Since so many financial institutions use RDC within their operation, industry experts do not expect to see much growth in internal capture.

• Commercial Capture: Financial institution corporate and merchant customers capture checks and send images or data to their FI for processing. Many industry observers consider commercial RDC to be somewhat mature and cite the slowing sales growth of hardware that supports RDC as evidence. However, there is still interest in commercial capture and there may be some growth in this type of RDC. Providing RDC to corporate and merchant customers solidifies the banking relationship.

• Retail Capture: The fastest growing segment in RDC is in the retail sector where individuals can use mobile phone solutions to deposit a check or scan a check at home and submit the information to a financial institution for deposit via a computer or mobile phone. This capability is driving customers to move to financial institutions that offer this service. Celent [2] found that 80 percent of financial institutions are either planning or considering a mobile RDC offering. Thus, retail capture is the fastest growing form of RDC with significant volume growth expected in the next few years.


Ease of use is most often cited as the reason to use RDC. Speeding up the capture process, reducing float, and eliminating high transportation costs also are attractive to many financial institutions, as well as their customers. Customers don’t have to make a deposit in person at a local branch; immediate transportation of checks is no longer necessary; funds availability is granted more quickly based on the check image or ACH item data. And finally, if a potential fraud is identified, forensics can be started earlier in the process. Financial institutions that provide RDC for commercial capture and retail capture have a competitive advantage over counterparts that do not offer this as a service.


Implementing RDC

As with any new business implementation, there are steps that need to be followed before a financial institution can start using RDC. Some of these steps are:

• Determine the type of RDC that will be implemented. Will your financial institution limit RDC to branch, teller, ATM, and/or other internal activities only? Will you extend RDC to your corporate and/or merchant customers so they can take advantage of the benefits of RDC? Will you allow individuals to send copies of checks via mobile phone or computer to your institution for processing?

• Develop a business case that examines costs, potential savings, return on investment, and how RDC would integrate with other processing methods;

• Identify potential vendors for RDC software, hardware, and integration with your current core processing system;

• Identify potential processors for RDC, if you do not process internally;

• Implement strong customer selection guidelines if you are extending RDC to corporate or individual customers. These include integrating:

    • KYC (Know Your Customer) principles;

    • BSA/AML procedures;

    • Credit analysis standards; and

    • Customer management standards and processes;

• Work with your legal department to develop all contracts and agreements for both vendors and customers;

• Develop internal training materials for staff and external marketing and education materials for customers; and

• Finalize procedures for implementation and test.


Understanding Risks

RDC is a new delivery system, rather than a new service, and there are unique risks that need to be considered as any financial institution plans its implementation. One major risk, regardless of where the image comes from, is the risk associated with duplicate transactions (e.g., a paper transaction and an image transaction). Other risks are related to protecting sensitive customer information, image quality, and ensuring that the check information is legitimate. In addition, there are legal and compliance risks. However, risks internal to a financial services organization are different from those associated with commercial RDC or retail RDC. The following are some considerations you need to think through as you implement RDC beyond an internal/branch deployment.

Who should use RDC?

Knowing your customer for RDC, or any other banking-related function, is critical. Some of the things to be considered when determining which customers are eligible for RDC are:

• How long has the individual, merchant, or company been a customer?

• Have you had customer service issues with this particular customer in the past?

• Is a line of credit available or is there money in another account that can cover problems?

• Does the customer meet your standards for ACH participation?

How do you monitor RDC account risk?

Once a customer has been identified as eligible to participate in RDC, a continual monitoring program should be established. This allows you to evaluate how they use the service, determine if changes are needed in your RDC offering, and identify potential red flags that could limit or remove their ability to use RDC. Some of the behaviors you might want to continually monitor are:

• Does the customer display consistent behavior, e.g., no unanticipated spikes in the dollar amounts or frequency of deposits through RDC?

• Has the number of checks returned or declared NSF increased since RDC was implemented?

• Have duplicate transactions been caught for this customer (e.g., duplicate images or an image submitted and the check deposited)?

• Is customer data being protected?


Assessing Your Risk

When conducting an assessment of the RDC risk, the evaluation should include a review of the customer agreement, the methodology used for customer due diligence, customer training procedures, and the schedule for follow-up and monitoring for each customer using the RDC service to deposit checks. WesPay recommends the following components for the RDC risk management review process:

• Review board actions and policies related to RDC;

• Verify appropriate management responses and resolutions to any findings or concerns from previous RDC audits and risk assessments;

• Review the deposit account agreement terms and conditions;

• Verify desk procedures related to RDC operational processes;

• Assess staff training;

• Review reports available to monitor and mitigate risk;

• Confirm appropriate vetting of vendors providing services or equipment;

• Compare the financial institution’s RDC user agreement against a list of minimum standard clauses;

• Review user vetting and approval methodology;

• Confirm all users have a signed agreement and recent deposit limit (exposure) review and approval;

• Review user training and document (check) control requirements;

• Confirm the financial institution has appropriate:

    • Information technology (IT) policy for secure transmission of data;

    • Business continuity plan that has been tested;

    • Dual control where necessary;

    • Regulatory compliance policies (KYC, BSA/AML, OFAC);

    • Fraud prevention systems (kiting, dual presentments, fraudulent file detection);

    • Image quality standards and controls; and

• Review clearing, settlement and reconcilement procedures.


Financial institutions are encouraged to regularly, if not continually, complete a formal review of their risks and mitigation procedures. To ensure adequacy and consistent application, an annual review of these internal procedures should be scheduled. Internal audit departments are an excellent resource for completing this process. External organizations, including WesPay, provide advisory services to help financial institutions complete these reviews and identify recommendations that will further improve internal controls.


FFIEC RDC Guidance

With remote deposit capture, the speed of clearing and paying the check reduces one aspect of check fraud simply because of the shortened amount of time for settlement. But the existence of any original check creates opportunities for fraud and theft, including identity theft. Unfortunately, the rules and regulations that apply to check image and presentment are silent, not just as they relate to how the original check should be secured, but on other concerns as well. To support financial institutions’ efforts to implement RDC, the FFIEC issued guidance [3] in 2009 for financial institutions offering RDC to customers.

The FFIEC Guidance identified these areas of concern related to an institution’s RDC risk assessment:

• Security and confidentiality of non-public personal information;

• Exposure to legal and compliance risks, including BSA/AML and OFAC compliance;

• Operational risks (e.g., poor image quality, unintended alteration, duplicate items) and how to evaluate the controls in place to mitigate internal risks, as well as potential risks at a customer’s site;

• The potential for fraud, including ineffective controls that could lead to the alteration of deposited items, duplicate presentments or misuse of personal information;

• Security risks and technology-related operational risks associated with network applications at the customer site; and

• The presence of a risk mitigation program to include customer due diligence and suitability, vendor due diligence and suitability, RDC customer training, business continuity, contracts and agreements, risk measurement and monitoring.

The level of concern changes according to the financial institution’s RDC program. Of least concern is when the service is limited to the financial institution’s own branches. With branch capture, the checks are still deposited at the branch or ATM, and remain under the control of the institution. There are still risks associated with image quality and the possibility of duplicate presentments, but these risks are easily controlled with proper operational procedures.

More importantly, the FFIEC’s Guidance was concerned with the commercial roll out of RDC for businesses.


FFIEC Guidance on Customer Suitability

The FFIEC Guidance has some specific concerns regarding the steps a financial institution should take to ensure the suitability of a customer before they can begin the RDC process. Due diligence should include answering the following questions, which can usually only be answered with a site visit(s).

• Does this business demonstrate strong controls over its own sensitive information?

• Does the business apply proper controls over its own accounting functions, such as dual control when necessary?

• Who within the organization will be performing the imaging and depositing tasks and who will have administrative responsibility for controls?

• Does the organization show a commitment to commercially reasonable security procedures and are they willing to accept the financial institution’s suggestions for strengthening their controls?


Customer RDC Agreements

The agreement between the financial institution and the business should include specific terms that clearly state the depositor’s responsibility in the safe storage and secure destruction of the checks received by the business. Businesses must understand that checks contain information that criminals can use to commit fraud, and it’s the depositor’s responsibility to protect this information. Recent reports confirm that criminals with access to business computer systems through corporate account takeovers have stolen RDC deposit files, and they have used the information, including the signature of the authorized signer, to create exact duplicates of company checks. This means both the image and the physical check must be secured.

Customer agreements should address the following:

• The staff position responsible for receiving and processing checks through the RDC system;

• Recommended levels of dual control;

• Check storage requirements before and after deposit;

• Requirements for endorsement and/or franking;

• Paper check retention period;

• Method of destruction;

• Secure storage of information while it remains on the depositor’s computer system;

• The need for access controls, fraud detection systems and virus protection within the physical and systems environment;

• Notification requirements in the case of a data breach; and

• The business’ liability for lax controls and any data breach.

When conducting an assessment of the financial institution’s RDC risks, the evaluation should include a review of the customer agreement and how the customer conducts their due diligence. Most importantly, the financial institution must ensure that RDC users are educated about the service, the risks associated with RDC, and their responsibility for safety and security. Education should be considered an ongoing issue and not a one-time event.


The Future of RDC

The financial services industry has seen substantial growth in the adoption of RDC and many consider it to be one of the most successful product introductions in the history of the banking industry. With internal and commercial capture reaching maturity, many financial institutions are looking at retail capture. Recently, almost all financial institutions have been asked by their depositors when they would be implementing “smart phone” photo or mobile RDC for retail deposits. This deposit option has gained significant traction as large national banks have started to advertise the convenience of using a cell phone to capture a check image and send it to the financial institution for deposit. Industry expectations are that mobile RDC will continue a healthy growth rate for several years.

However, more than one financial institution’s risk manager has asked the question, “But how are they securing the check and preventing the person from depositing the photo here and the physical check at another financial institution down the street?” The short answer: there is nothing to prevent this double deposit. The financial institution accepting the image as a deposit must have the controls in place to ensure that double deposits are not taking place. In addition, financial institutions generally limit the number of items and the dollar limits associated with each deposit in an effort to control risk.

There are other risks to mobile RDC as well. Some of the major concerns in the industry are the lack of encryption on mobile phones, the inability of the owner of the phone to intercept and stop malware, and the design of phone apps that provide inadequate security for the user. These are primarily technology issues that many industry experts expect will be addressed in the near future. While this may prevent some institutions from participating, eliminating these security concerns will make mobile RDC more attractive to both the financial institution and the customer.

And finally, the FFIEC Guidance ends with the appropriate warning: “As with other financial services, RDC may not be appropriate for all customers or for all financial institutions.” Whether offering remote deposit capture to a large business or to a consumer, if a customer is not willing to assume the responsibility of securing the sensitive information they have been given, it’s time to recognize the situation and correct it before the financial institution receives a call from a regulator or the press.


WesPay (Western Payments Alliance) has a long tradition of working with financial institutions in the Western US to promote the use of electronic payments and increase effectiveness through professional development and client support. The Payments Strategy Series is a collection of white papers that examine industry best practices in the areas of payment systems, risk management, customer engagement and revenue stabilization. These insights are designed to help financial institutions of any size develop comprehensive payments strategies.


References

RDC Resources

WesPay provides comprehensive RDC training, information, and audits. Please see our website at www.wespay.org for RDC resources. Some additional resources include:

• Remote Deposit Capture: a Primer, FDIC, 2009. See www.fdic.gov/regulations/examinations/supervisory/insights/sisum09/primer.html

• Risk Management of Remote Deposit Capture, FFIEC, 2009. See www.ffiec.gov/pdf/pr011409_rdc_guidance.pdf

Cited Sources

[1] 2010 Federal Reserve Payments Study. See http://www.frbservices.org/files/communications/pdf/press/2010_payments_study.pdf for a summary report.

[2] The State of Consumer RDC 2011: Mobile Takes Center Stage, Celent, 2011. See http://www.celent.com/reports/state-consumer-rdc-2011-mobile-takes-center-stage

[3] Risk Management of Remote Deposit Capture, FFIEC, 2009. See http://www.ffiec.gov/pdf/pr011409_rdc_guidance.pdf

Contributors and Editors

Kathleen Aswell, Ph.D.

William Bley, AAP/NCP

William Schoch


WesPay is a membership-based professional association with over 1,000 member financial institutions and nearly 100 associate member corporations. Our service area is home to 20 percent of the nation’s population and a corresponding volume of payments covering eight Western states and Pacific territories: Alaska, California, Hawaii, Idaho, Nevada, Oregon, Utah, and Washington, as well as American Samoa, Guam, and the Northern Mariana Islands.

Industry leadership and advocacy are two of the most vital roles WesPay plays for members. This is an important avenue for members wishing to participate in ACH rules development, and provides a unified voice and strong visibility for institutions of any size.

WesPay offers members a suite of services related to check, image and RDC products. WesPay’s services include Education, Advisory Services—including an RDC Risk Management Review—and preparation for the National Check Professional (NCP) accreditation.
