RDC Compliance Remains Thin: Few Banks Are Aware of the Broad Scope of FFIEC Guidance on the Risk Management of Remote Deposit Capture
Fisher, Dan, ABA Banking Journal
In January of this year, the FFIEC issued the long-awaited guidance on remote deposit capture. The industry expected the guidance to address the use of check scanners by commercial customers. The guidance, however, is much more far-reaching and carries with it a significant impact on the management of technology. The comprehensive nature of the FFIEC definition of RDC means that any place where deposit documents are scanned--ATMs, branch (back counter), commercial (merchant), consumer (retail), kiosk, or back office--and any device for doing so, including cell phones, faxes, and emails (with scanned checks attached), are covered by the guidance, not just merchant capture.
Furthermore, the FFIEC clarified the definition of remote deposit capture technology as a transaction delivery system that results in the movement of money. So, institutions need to be mindful of the additional regulatory implications in regard to the Bank Secrecy Act, Gramm-Leach-Bliley, and the Patriot Act.
Early exam findings
Shortly after the release of the guidance, Tony DaSilva, a bank examiner with the 6th Federal Reserve Bank of Atlanta, gave a presentation summarizing the RDC exam findings in the 6th Federal Reserve District in regard to the FFIEC guidance and compliance.
The top five findings were:
* Lack of senior management oversight;
* Lack of adequate MIS and reporting;
* Lack of monitoring;
* Inappropriate approval process (separation of duties);
* Inadequate limits or no limits.
With the newness of the guidance and the preoccupation of the industry with the financial crisis, it would be an understatement to say that bank management was focused on other things. The findings are, nonetheless, the findings. Questions need to be asked, especially: Has progress been made in the 11 months since the release of the guidance?
Many bank executives do not yet understand the broad scope of the FFIEC definition of RDC, according to Patti Murphy, president of the Takoma Group and an expert on check technology. But, she adds, "the guidance is bringing to the forefront the issue of risk management and the fact that compliance will not gain traction without senior management attention." Susan Orr, of Susan Orr Consulting, agrees, and says that, "understanding IT risk is not a priority right now when the industry is focusing on other issues such as credit quality."
Dan Haffner, director of SAS and Item Processing Services at Myriad Systems, Oklahoma City, comments that, "most FI's do not understand, but quickly become hyper focused after examiners start asking questions about RDC compliance."
Barry Landry, senior vice-president of C&A Associates, Denham Springs, La., (an RDC vendor) adds that the majority of banks have not had an RDC exam.
C&A Associates and Myriad Systems are both developing system application changes that will aid their clients with compliance, particularly in the area of activity monitoring, a central theme of the guidance.
RDC increases risk, but how much?
The thrust of the guidance points directly to the increased risk associated with the implementation of remote deposit capture and the need for banks to take deliberate measures to identify, assess, manage, monitor, and mitigate this risk. The guidance is very clear about its expectations for the role of management and about how the increased technology risk is to be managed.
Clifton Stanford, director of the Atlanta Fed's Retail Payments Risk Forum, says that RDC raises a range of issues regarding financial services products, including the emerging role of independent sales organizations (ISOs), remotely created checks, and consumer capture. Stanford reminds institutions that they "need to be thorough in their due diligence, being sure to identify the associated risks," in advance of implementing any new RDC technology or product. …