The Federal Financial Institutions Examination Council (FFIEC) published its updated Retail Payment Systems IT Examination Handbook in February. Prior to that, the last update was March 2004. It would be an understatement
The updated handbook includes revised examination procedures that will be used by state and/or federal examiners to review institutions. A major component of the revised procedures is a new section (Section N) that focuses specifically on managing remote deposit capture risks and contains 18 pages that track very closely to the RDC guidance, which the FFIEC issued last year.
We can't possibly cover all of the new examination procedures for managing remote deposit capture risks, but here are some critical areas you must address:
RDC technology selection and implementation
Along with the updated handbook, the FFIEC added a companion document called a work program. This document contains the examination procedures in the handbook and is the template most regulatory examiners will use as the checklist to examine your institution. Contained in the key objectives of the work program pertaining to remote deposit capture risks is a review of the organization's rationale in the strategic for RDC. Examiners will look to see whether the implementation of RDC was defensive in nature in order to retain customers or a strategic move to expand and reach out to new customers. Furthermore, the exam procedural steps preceding the rationale review focus on the organization's effort in the consideration of RDC, including a review of the proposed technology features, volumes, work flow, security and system integration. The conclusion here is that an organization needs to demonstrate that the selection and implementation process was deliberate, thoughtful, thorough and planned with a specific objective in mind.
Customer due diligence
Consistent with the previous section, the exam procedures continue the theme of being thorough in regard to the customer. The remote deposit capture customer application is the first step in documenting the entire customer relationship and calls for a level of due diligence very similar to that required for Automated Clearing House (ACH) customers. It should be noted that the exam procedures expect a separation of duties; the application process must be clearly separated from the review and approval process. The review process should include specific criteria and a risk rating. Each of these steps should be policy driven and documented.
Customer audits and self assessments
There are several sections contained in the exam procedures that review an institution's relationship with the customer, but the essence of the procedures points directly at the institution's knowledge of the customer's activities before, during and after the installation of RDC at the customer's business location. What's essential to examiners is an awareness of the specific circumstances relative to the customer's ability to comply with the contract, fulfill its obligations in managing risk and maintain appropriate security controls regarding the care of portable RDC equipment, and whether the institution is monitoring the customer. This is expected to be accomplished through a variety of methods, including on-site reviews, continuous monitoring and customer audits in the event of a material change, whether quantitative, such as a significant increase in the volume or value of items, or qualitative, such as duplicate items, returned items and bad image quality.
A self assessment is an option under the examination guidance and can reduce costs for a financial institution. The self-assessment option allows a financial institution to create a program where the commercial customer can conduct a review of its own company based on the due diligence criteria established by the financial institution. Examiners will check to see if the self assessment has been formalized, is approved and addresses the associated risks. Self assessments are appropriate when a customer has a remote location (domestic) or a large number of locations, making it difficult to review them. In either case, a self assessment should be reserved only for your best customers.
Fundamental to the exam procedures is the need for an institution to be able to demonstrate an understanding of remote deposit capture risks. In particular, examiners will ask an institution how it identifies and monitors fraudulent activity associated with RDC. A follow-up question asks what specific action plan the institution has established to mitigate fraud. The procedures go beyond covering overt fraud by requiring a comprehensive oversight and monitoring plan for all RDC-related activity, which is developed from policies reviewed and approved by the company's board of directors. The plan needs to allow an organization to respond to a changing situation before it deteriorates into a significant problem.
The new examination procedures for managing remote deposit capture risks should not be taken lightly. They offer a clear picture of how an examination of your organization's RDC implementation will be conducted. Your organization should review the updated Retail Payment Systems IT Examination Handbook and the companion examination procedures before your next exam. It also would be beneficial for your internal audit department to conduct a review of your RDC implementation using the new exam procedures as a compliance pre-test. It will be time well spent.
About the author:
Dan Fisher is president and CEO of The Copper River Group, a consulting firm based in Fargo, N.D., that focuses on technology, payment systems research and consulting for community financial institutions. For nearly 30 years, Fisher has worked in the financial industry using technology to improve the bottom line. He has served as a director of the Federal Reserve Board of Minneapolis, chairman of the American Bankers Association Payment Systems Committee, and member of the Independent Community Bankers of America Payments Committee. He has written numerous articles on banking technology and the payments system, has authored or co-authored six books, including "Capturing Your Customer! The New Technology of Remote Deposit." Contact him at email@example.com
This was first published in May 2010