The Federal Financial Institutions Examination Council (FFIEC) issued guidelines on risk management of remote deposit capture (RDC) processes at banks. RDC is a deposit transaction system which permits banks to receive digital information from deposit documents recorded at remote locations. RDC allows banks to attract new customers, provide convenience to current customers and reduce costs; however, it also elevates exposure to legal, regulatory, and operational risks.
Benefits of RDC
Banks that use RDC can benefit from new revenue streams and reduced processing, clearing and transportation costs.
New Revenue Streams
One of the benefits of RDC is access to new revenue streams. See below for examples.
- RDC can attract new customers
- It can enable existing customers to consolidate deposits
- This may result in customers needing enhanced liquidity services; an increased volume of checks generally results in larger balances in customer accounts
- Provides flexibility to banks in receiving deposits from different geographic locations
Another benefit of RDC is the potential to reduce costs. See below for examples.
- Clearing checks as images can reduce check courier pickup fees.
- The Federal Reserve charges less to clear items as images vs. as paper
- ATM deposit pickups- RDC at the ATM allows banks to reduce daily trips to ATM
- Reduce number of branch pickups per day
Prior to RDC implementation, banks must identify and asses the risks associated with the activity. As part of the assessment, management must verify that the activity fits into the banks strategic goals and is within its risk appetite. In addition, return on investment must be considered prior to deployment of RDC. During the risk assessment process, the following key areas must be evaluated:
Information Security- To be in line with best practices, banks should implement the following procedures:
- Effective disaster recovery plan
- Ensure proper protection of consumer information (Fair and Accurate Credit Transactions Act of 2003)
- Preferred response procedures if there is suspicion of unauthorized access to customer information
- Procedures which monitor attempted or actual attacks into customer information systems
- When necessary, electronic customer information in transit must be encrypted
- Selective pre-employment screening process and proper segregation of duties for employees which have access to customer information
- Physical locations that contain customer information must have restricted access solely to authorized individuals
- Notify customers of any breach of security data without delay
Legal & Compliance Risks- When deploying RDC, management must consider the Bank Secrecy Act, Check 21 Act, Regulation CC, Regulation J, and other applicable laws and regulations. In addition, specific agreements and clearinghouse rules apply.
Operational Risks- For RDC processes which take place at a customer location (vs. branch location) expose the bank to operational risks from the point of initial capture. Operational risk of RDC includes defective equipment, inadequate processes, insufficient training of customers (and their employees), poor image quality, and inaccurate electronic data. The inadequacy of proper controls at the customer’s location may lead to alteration of deposit item information. Generally, original deposit items are housed at the customer’s location; therefore it is important for the bank to require their customers to have proper document management procedures in place.
Risk Mitigation and Controls
Upon completion of the risk assessment, bank management must decide whether RDC is an activity which may be pursued within its risk appetite and with accordance to its strategic plan. To mitigate the risk, suitable risk management policies and procedures must be established.
Customer Due Diligence
To reduce exposure to RDC risks it is important to have a vigilant customer selection process. Customer suitability can be facilitated via the bank’s BSA/AML (Bank Secrecy Act/Anti-Money Laundering Act) program. For customers considered high risk, the initial or periodic suitability assessment must include a visit to the customer’s physical location.
Note: High risk customers may be defined by industry type, frequency or severity of incidents of fraud, etc.
Vendor Due Diligence
In addition to customer due diligence discussed above, it is important to assess vendors which provide remote deposit capture services.
To ensure that customers understand their roles and responsibilities of RDC, banks must provide periodic training which includes routine operations processes and how to handle unusual occurrences (i.e. duplicate presentment and problem resolution).
Proper contracts and agreements are a key component of risk mitigation of RDC. Each party’s roles and responsibilities must be clearly defined and should include consequences of noncompliance with stated control requirements.
In the case of a disruption of business activity, management should ensure the ability to continue operations to meet customer demands.
Risk Measurement and Monitoring
To management ongoing RDC activities, banks must have effective measurement and monitoring processes in place. Critical operational performance metrics must be established to help monitor the risk of RDC activity. These metrics will allow the bank to ensure that processes reflect policies and procedures and to provide appropriate oversight.
Types of reports that can be established to allow for proper monitoring for fraudulent activity, operational efficiency, and capacity utilization include:
- Duplicate entries
- Violations of deposit thresholds
- File size and number of files
- Transaction dollar value and volume
- Return item dollar value and volume
- Rejected items and corrections
To ensure effective oversight, reports must be suitable for various management levels. The reports should focus not only on point-in-time activities but also on various trends.
FFIEC: Risk Management of Remote Deposit Capture (January 14, 2009) http://www.ffiec.gov/pdf/pr011409_rdc_guidance.pdf
CoNetrix Security: Risk Management Consideration for Remote Deposit Capture (October 2009)
Best Practices Guide: Risk Management of Remote Deposit Capture http://www.conetrix.com/articles/Risk-Management-Consideration-for-Remote-Deposit-Capture.aspx
Remote Deposit Capture: Key Benefits of Remote Deposit Capture for Banks (2011)