FFIEC releases risk management guidance for remote deposit capture

By Marcia Savage, Features Editor, Information Security magazine 19 Jan 2009 | SearchSecurity.com

Enterprise IT news roundup Digg This!     StumbleUpon     Del.icio.us

Federal financial regulators this week issued much-anticipated guidance for managing the risks associated with remote deposit capture. Industry experts said the guidance could have far-ranging impact.

SearchFinancialSecurity.com: To get security news and tips delivered to your inbox, click here to sign up for our free newsletter.

Remote deposit capture (RDC) allows banking customers to deposit checks from their home or office by scanning a check and transmitting the image to the bank for posting. This process was made possible by the Check 21 Act, legislation implemented in 2004 that allows banks to clear checks based on digital images in lieu of paper.

The Federal Financial Institutions Examination Council (FFIEC) on Wednesday released guidance for examiners, financial institutions and technology service providers to identify risks and evaluate controls associated with RDC systems. The guidance addresses the core elements of RDC risk management, including assessing legal, compliance and operational risks and mitigation measures.

FFIEC news and information: Using the FFIEC Examination handbooks to produce a harmonized audit guide: In the final piece of our FFIEC series, compliance expert Dorian Cougias explains how a harmonized audit guide can save financial firms some headaches. Examining the FFIEC Business Continuity Planning Guide: The FFIEC IT Examination Handbooks are a valuable tool for financial firms. Compliance expert Dorian Cougias explores the FFIEC Business Continuity Planning Guide. An overview of the FFIEC IT Examination Handbooks: The FFIEC IT Examination Handbooks are a valuable tool for financial firms. In part one of our five-part series on the handbooks, compliance expert Dorian Cougias gives an overview of the FFIEC.

"When properly managed, RDC can reduce processing costs, support new and existing products by financial institutions, and accelerate the availability of customers' funds," the FFIEC said. "However, RDC also introduces new risks and increases existing risks in processing deposits originated by an institution's commercial or retail customers, or by customers of other financial institutions domestically and abroad."

John Leekley, founder and CEO of RemoteDepositCapture.com, an Alpharetta, Ga.-based independent company covering the RDC industry, said the financial industry had been eagerly awaiting the FFIEC's guidance.

"As the industry has evolved, remote deposit capture has become a critical service that just about every financial institution needs to offer in order to be competitive," Leekley said. But concerns over RDC risks held back many banks from deploying it, he added.

"The guidance is really helping the financial community better understand what the risks are with remote deposit capture … and it provides a framework banks can use to determine how to manage those risks," Leekley said.

He predicts that the guidance, combined with a dire need for banks to grow their deposit base during the economic crisis, will spur increased adoption of RDC.

According to Celent LLC, a Boston-based research and consulting firm, two-thirds of U.S. banks and 40% of all U.S. financial institutions had adopted RDC by the end of last year. Most have targeted existing commercial clients for RDC, according to Celent.

But as banks move to adopt RDC, experts have said they need to take into account the risks associated with it, such as duplicate check presentment and client systems that store check images.

Dan Fisher, president and CEO of The Copper River Group Inc., a Fargo, N.D.-based firm offering consulting and research services to the financial industry, said the FFIEC RDC guidance "ushers in a new age of regulatory exam scrutiny."

"They make it clear that before you implement this product, you have to conduct a risk assessment. They assert that you need to understand the risks and conclude you can manage those risks," he said.

Among the FFIEC's specific recommendations are deploying multifactor authentication for RDC systems using the Internet, and RDC training for customers.

Throughout the FFIEC's guidance states that senior managers and board of directors are responsible for overseeing RDC operations in their organizations, Fisher said. "That says the technology issues can no longer be moved to the back office as far as responsibility is concerned, it's moving to the front," Fisher said.

The scope of the guidance was greater than many in the industry expected by addressing more than RDC technology on the client desktop, he added. He also noted that the FFIEC said interagency RDC examination procedures will be published in an updated FFIEC Retail Payment Systems booklet scheduled for early this year.

"To me, the greatest single risk in bank technology decisions has to be with omission and this guidance adds a large measure to eliminating that when it comes to technology decisions in financial institutions," Fisher said.

Tags: FFIEC compliance guidelines,  Compliance best practices,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT FFIEC compliance guidelines Gartner's Avivah Litan on the online banking fraud surge Multifactor authentication options to secure online banking Five mistakes banks make in pandemic planning Data breach lawsuit puts spotlight on bank's security measures Get ready for remote deposit capture risk management scrutiny Vendor contract management: Regulatory guidance is risk-based Vendor audit and monitoring contractual rights Defendants in banking fraud scheme accused of exploiting regulation FFIEC guidance on RDC: Guidance overview FFIEC guidance on RDC: Risk management basics Compliance best practices Regulators issue standardized privacy notice form for GLBA compliance Seven GRC best practices for information security Keeping up with state data protection laws Five mistakes banks make in pandemic planning Get ready for remote deposit capture risk management scrutiny Google ordered to deactivate Gmail account after bank email error Vendor risk management: process and documentation How to manage security risks in vendor contracts How to streamline role-based access control Five considerations for choosing network access control products

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary Bank Secrecy Act (BSA)  (SearchFinancialSecurity.com) FFIEC compliance  (SearchFinancialSecurity.com) Financial Crimes Enforcement Network (FinCEN)  (SearchFinancialSecurity.com) Podcast: What is FFIEC compliance?  (SearchFinancialSecurity.com) remote deposit capture (RDC)  (SearchFinancialSecurity.com) Suspicious Activity Report (SAR)  (SearchFinancialSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary