
Get ready for remote deposit capture risk management scrutiny

By Marcia Savage, Site Editor
05 Oct 2009 | SearchFinancialSecurity.com


Banks that haven't paid much attention to the guidance federal banking regulators released earlier this year for managing remote deposit capture risks might want to get busy.

In January the Federal Financial Institutions Examination Council (FFIEC) released guidance for identifying risks and evaluating controls associated with remote deposit capture (RDC). Since then, regulators have been more focused on capital liquidity issues than examining how banks are following the FFIEC guidance, but that's about to change, industry experts said.

"What regulators told me two weeks ago is that the party is over," said Ruth Razook, CEO of RLR Management Consulting Inc., a La Quinta, Calif.-based firm that provides IT, strategy and other services to banks. "The remote deposit capture exam will be part of the IT exam and they'll start examining the banks."

Dan Fisher, president and CEO of The Copper River Group Inc., a Fargo, N.D.-based consulting firm and author of a book on RDC, said he expects regulators to pay more attention to how banks manage their RDC risks as more financial institutions return to profit.

"The guidance was effective the day it was issued and there was no grace period. But with the financial crisis, TARP and all these things going on, there's been basically an unofficial grace period," he said. "I believe as profitability returns, they'll ramp up."

Remote deposit capture allows banking customers to deposit checks from their home or office by scanning a check and transmitting the image to the bank for posting. The process was made possible by the Check 21 Act, legislation implemented in 2004 that allows banks to clear checks based on digital images in lieu of paper.

The FFIEC guidance addresses the core elements of RDC risk management, including assessing legal, compliance and operational risks and mitigation measures. In a press release announcing the guidance, the FFIEC said remote deposit capture can reduce costs and support new products but also introduces new risks.

Razook said many banks reviewed the guidance quickly when it came out and assumed they were in compliance but haven't performed a gap analysis. Her firm has found gaps in each of the RDC audits it's done so far.

"They're not doing the risk assessments or looking at customer eligibility. … The banks think they're ready. I'm concerned that they're not," she said.

Fisher said large financial institutions may be closer to complying with the FFIEC's RDC guidance because they have the resources, but added that the guidance expanded the definition of remote deposit capture to any form of deposit document imaging.

"This is not a product as much as a technology, and this guidance applies to all forms -- branch capture, teller capture, ATM capture, consumer capture," he said. "I don't think a single institution was in compliance. They weren't expecting that broad of guidance."

Boston-based research and consulting firm Celent LLC conducted a survey of 174 banks, thrifts and credit unions that deployed RDC and concluded that the FFIEC guidance has had little impact on the operational readiness of banks' RDC programs.

In a blog post about the RDC survey, Bob Meara, senior analyst at Celent, said survey participants were asked to describe what activities they undertook in response to the FFIEC guidance. Most of the banks took action, he said; the top activities included reviewing and revising policies and procedures, performing an internal risk assessment, and tightening up deposit services agreements for RDC.

"Thus, the FFIEC guidance has precipitated significant effort among thousands of banks -- at great cost -- to document and formalize what many banks were already doing. Tangible new efforts that would arguably identify and mitigate risk (deposit limits, improved reporting, intra-day deposit review, etc.) were relatively infrequent responses to the guidance," Meara said.
