Banks that haven't paid much attention to the guidance federal banking regulators released earlier this year for managing remote deposit capture risks might want to get busy.
In January the Federal Financial Institutions Examination Council (FFIEC) released guidance for identifying risks and evaluating controls associated with remote deposit capture (RDC). Since then, regulators have been more focused on capital liquidity issues than examining how banks are following the FFIEC guidance, but that's about to change, industry experts said.
"What regulators told me two weeks ago is that the party is over," said Ruth Razook, CEO of RLR Management Consulting Inc., a La Quinta, Calif.-based firm that provides IT, strategy and other services to banks. "The remote deposit capture exam will be part of the IT exam and they'll start examining the banks."
Dan Fisher, president and CEO of The Copper River Group Inc., a Fargo, N.D.-based consulting firm and author of a book on RDC, said he expects regulators to pay more attention to how banks manage their RDC risks as more financial institutions return to profit.
"The guidance was effective the day it was issued and there was no grace period. But with the financial crisis, TARP and all these things going on, there's been basically an unofficial grace period," he said. "I believe as profitability returns, they'll ramp up."
Remote deposit capture allows banking customers to deposit checks from their home or office by scanning a check and transmitting the image to the bank for posting. The process was made possible by the Check 21 Act, legislation implemented in 2004 that allows banks to clear checks based on digital images in lieu of paper.
The FFIEC guidance addresses the core elements of RDC risk management, including assessing legal, compliance and operational risks and mitigation measures. In a press release announcing the guidance, the FFIEC said remote deposit capture can reduce costs and support new products but also introduces new risks.
Razook said many banks reviewed the guidance quickly when it came out and assumed they were in compliance but haven't performed a gap analysis. Her firm has found gaps in each of the RDC audits it's done so far.
"They're not doing the risk assessments or looking at customer eligibility. … The banks think they're ready. I'm concerned that they're not," she said.
Fisher said large financial institutions may be closer to complying with the FFIEC's RDC guidance because they have the resources, but added that the guidance expanded the definition of remote deposit capture to any form of deposit document imaging.
"This is not a product as much as a technology, and this guidance applies to all forms -- branch capture, teller capture, ATM capture, consumer capture." he said. "I don't think a single institution was in compliance. They weren't expecting that broad of guidance."
Boston-based research and consulting firm Celent LLC conducted a survey of 174 banks, thrifts and credit unions that deployed RDC and concluded that the FFIEC guidance has had little impact on the operational readiness of banks' RDC programs.
In a blog post about the RDC survey, Bob Meara, senior analyst at Celent, said survey participants were asked to describe what activities they undertook in response to the FFIEC guidance. Most of the banks took action, he said; the top activities included reviewing and revising policies and procedures, performing an internal risk assessment, and tightening up deposit services agreement for RDC.
"Thus, the FFIEC guidance has precipitated significant effort among thousands of banks -- at great cost -- to document and formalize what many banks were already doing. Tangible new efforts that would arguably identify and mitigate risk (deposit limits, improved reporting, intra-day deposit review, etc.) were relatively infrequent responses to the guidance," Meara said.