Federal financial regulators this week issued much-anticipated guidance for managing the risks associated with remote deposit capture. Industry experts said the guidance could have far-ranging impact.
Remote deposit capture (RDC) allows banking customers to deposit checks from their home or office by scanning a check and transmitting the image to the bank for posting. This process was made possible by the Check 21 Act, legislation implemented in 2004 that allows banks to clear checks based on digital images in lieu of paper.
The Federal Financial Institutions Examination Council (FFIEC) on Wednesday released guidance for examiners, financial institutions and technology service providers to identify risks and evaluate controls associated with RDC systems. The guidance addresses the core elements of RDC risk management, including assessing legal, compliance and operational risks and mitigation measures.
"When properly managed, RDC can reduce processing costs, support new and existing products by financial institutions, and accelerate the availability of customers' funds," the FFIEC said. "However, RDC also introduces new risks and increases existing risks in processing deposits originated by an institution's commercial or retail customers, or by customers of other financial institutions domestically and abroad."
John Leekley, founder and CEO of RemoteDepositCapture.com, an Alpharetta, Ga.-based independent company covering the RDC industry, said the financial industry had been eagerly awaiting the FFIEC's guidance.
"As the industry has evolved, remote deposit capture has become a critical service that just about every financial institution needs to offer in order to be competitive," Leekley said. But concerns over RDC risks held back many banks from deploying it, he added.
"The guidance is really helping the financial community better understand what the risks are with remote deposit capture … and it provides a framework banks can use to determine how to manage those risks," Leekley said.
He predicts that the guidance, combined with a dire need for banks to grow their deposit base during the economic crisis, will spur increased adoption of RDC.
According to Celent LLC, a Boston-based research and consulting firm, two-thirds of U.S. banks and 40% of all U.S. financial institutions had adopted RDC by the end of last year. Most have targeted existing commercial clients for RDC, according to Celent.
But as banks move to adopt RDC, experts have said they need to take into account the risks associated with it, such as duplicate check presentment and client systems that store check images.
Dan Fisher, president and CEO of The Copper River Group Inc., a Fargo, N.D.-based firm offering consulting and research services to the financial industry, said the FFIEC RDC guidance "ushers in a new age of regulatory exam scrutiny."
"They make it clear that before you implement this product, you have to conduct a risk assessment. They assert that you need to understand the risks and conclude you can manage those risks," he said.
Among the FFIEC's specific recommendations are deploying multifactor authentication for RDC systems using the Internet, and RDC training for customers.
Throughout the FFIEC's guidance states that senior managers and board of directors are responsible for overseeing RDC operations in their organizations, Fisher said. "That says the technology issues can no longer be moved to the back office as far as responsibility is concerned, it's moving to the front," Fisher said.
The scope of the guidance was greater than many in the industry expected by addressing more than RDC technology on the client desktop, he added. He also noted that the FFIEC said interagency RDC examination procedures will be published in an updated FFIEC Retail Payment Systems booklet scheduled for early this year.
"To me, the greatest single risk in bank technology decisions has to be with omission and this guidance adds a large measure to eliminating that when it comes to technology decisions in financial institutions," Fisher said.