Risk Management Consideration for Remote Deposit Capture

By: (CISA, CISSP, CRISC)

Publication: The Colorado Banker, September/October 2009

Remote Deposit Capture (RDC) is a popular deposit activity that is growing quickly, both in the delivery methods offered and in overall acceptance. While some forms of RDC have been around for some time, many have only recently been widely adopted and may introduce new or additional risks to a bank. As with any other new product, service, or delivery method, banks should use a formal risk management approach for implementing and managing all forms of RDC.

What is RDC?

First, what is RDC? According to the FFIEC:

Remote Deposit Capture (RDC), a deposit transaction delivery system, allows a financial institution to receive digital information from deposit documents captured at remote locations. These locations may be the financial institution’s branches, ATMs, domestic and foreign correspondents, or locations owned or controlled by commercial or retail customers of the financial institution. In substance, RDC is similar to traditional deposit delivery systems at financial institutions; however, it enables customers of financial institutions to deposit items electronically from remote locations. RDC can decrease processing costs, support new and existing bank products, and improve customers’ access to their deposits; however, it introduces additional risks to those typically inherent in traditional deposit delivery systems.

Typical types of RDC include branch capture, merchant capture, consumer capture, and ATM capture.

Risk Management: Risk Assessment

Prior to implementing a new form of RDC, the bank should conduct a formal Risk Assessment that takes into consideration the legal, compliance, reputation, and operational risks associated with the new deposit method. In general, implementing RDC within the bank (e.g. branch capture) is less risky than implementing it at a customer’s business (e.g. merchant capture), which in turn is likely less risky than implementing it for general consumers (e.g. consumer capture), because each step moves the capture device, the original items, and the access controls further outside the bank’s direct control. While the RDC risk assessment can take different forms, its depth should be based on the scope and complexity of the RDC implementation and on the size and complexity of the bank. In general, the following areas should be considered during the risk assessment process:

  1. Implementation of RDC
  2. Strategic planning - does RDC follow the bank’s strategic plan?
  3. ROI - has the bank calculated the return on investment, and does senior management understand it?
  4. Authentication method - if the RDC system uses the Internet as its communication medium, the bank should implement multifactor authentication, layered security, or other controls reasonably calculated to mitigate the risk of unauthorized access.
  5. Legal and compliance risks - specifically, the risks associated with the Bank Secrecy Act, Check 21 Act, Regulation CC, Regulation J, and other applicable state and federal laws, including applicable agreements and/or clearinghouse rules.
  6. Operational risks - including, but not limited to, physical and logical access controls, handling of original deposit items retained at customer locations, electronic files, and retained nonpublic personal information.
  7. Information security risks - per the Interagency Guidelines Establishing Information Security Standards.
  8. Technology-related risks - bank, vendor, and customer equipment and controls, including the types of controls in place (e.g. antivirus, patches, firewall) and who is responsible for implementing and maintaining each of them.
  9. Other risks - including credit, fraud, and reputation risk.

Risk Management: Mitigation and Controls

If the bank concludes, after the Risk Assessment, that the risk associated with the desired method of RDC can be mitigated, measured, and monitored to an acceptable level, then the bank should develop appropriate controls. Common controls include:

  1. RDC policies and procedures
  2. Customer due diligence and suitability
  3. Segregation of duties
  4. Vendor due diligence and suitability
  5. Training for employees and customers
  6. Contracts and customer agreements
  7. Business continuity considerations

Risk Management: Measuring and Monitoring

Once RDC has been implemented, the bank must put continuous measuring and monitoring processes in place to manage ongoing activity. Identifying key operational metrics, benchmarks, and standards establishes a baseline against which reports can be measured. Examples of reports that should be considered include:

  1. Duplicate entries
  2. Violations of deposit thresholds
  3. Total number and size of files
  4. Transaction dollar value and volume
  5. Return item dollar value and volume
  6. Rejected items and corrections
  7. CAR/LAR/ICR (courtesy amount recognition, legal amount recognition, and intelligent character recognition) adjustments
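The first two reports in the list above, duplicate entries and deposit threshold violations, are the ones most often produced by a bank’s own exception logic rather than by the capture vendor, together with the transaction volume figures they are compared against. The following is an added example, not code from the original article or from any RDC vendor’s system, showing how such checks can be run over a batch of captured items. The record layout (customer, date, MICR routing/account/check number, amount), the per-customer limits, and the sample items are all assumptions constructed for illustration.

```python
"""Monitoring checks over a constructed batch of RDC deposit items.

Added example (not from the original article or any RDC product).
Field names, limits, and the sample items are assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class DepositItem:
    customer_id: str   # merchant or consumer submitting the file (assumed field)
    deposit_date: str  # ISO date of the deposit file
    routing: str       # MICR routing/transit number of the drawn-on bank
    account: str       # MICR account number
    check_number: str  # MICR serial (check) number
    amount: Decimal    # amount as keyed or read (CAR/LAR) from the image


# Constructed sample batch: one merchant file and one consumer file on the same day.
SAMPLE_ITEMS = [
    DepositItem("MERCH-001", "2009-09-14", "102000021", "44500123", "1001", Decimal("450.00")),
    DepositItem("MERCH-001", "2009-09-14", "102000021", "44500123", "1002", Decimal("1200.50")),
    DepositItem("MERCH-001", "2009-09-14", "102000021", "44500123", "1001", Decimal("450.00")),  # re-scanned item
    DepositItem("MERCH-001", "2009-09-14", "107001232", "77812345", "5510", Decimal("8900.00")),
    DepositItem("CONS-042", "2009-09-14", "102000021", "98761234", "220", Decimal("3200.00")),   # over per-item limit
    DepositItem("CONS-042", "2009-09-14", "102000021", "98761234", "221", Decimal("2400.00")),
]

# Assumed per-customer limits, set during customer due diligence.
LIMITS = {
    "MERCH-001": {"per_item": Decimal("10000.00"), "daily": Decimal("10000.00")},
    "CONS-042": {"per_item": Decimal("2500.00"), "daily": Decimal("5000.00")},
}


def find_duplicates(items):
    """Return (item, same_amount) for every item whose MICR key was already seen.

    The key deliberately excludes the amount so that an item re-presented with a
    different keyed amount is still caught; same_amount tells the reviewer which case it is.
    """
    seen = {}
    duplicates = []
    for item in items:
        key = (item.routing, item.account, item.check_number)
        if key in seen:
            duplicates.append((item, seen[key].amount == item.amount))
        else:
            seen[key] = item
    return duplicates


def find_threshold_violations(items, limits):
    """Return (item, reason) for per-item breaches and for the item that pushes a
    customer's running daily total over its daily limit."""
    running = defaultdict(Decimal)  # (customer, date) -> cumulative amount so far
    violations = []
    for item in items:
        lim = limits[item.customer_id]
        if item.amount > lim["per_item"]:
            violations.append((item, "per_item"))
        day = (item.customer_id, item.deposit_date)
        running[day] += item.amount
        if running[day] > lim["daily"]:
            violations.append((item, "daily"))
    return violations


def summarize(items):
    """Per-customer item count and dollar volume, as submitted (duplicates included),
    for the transaction volume report."""
    counts = defaultdict(int)
    totals = defaultdict(Decimal)
    for item in items:
        counts[item.customer_id] += 1
        totals[item.customer_id] += item.amount
    return {c: (counts[c], totals[c]) for c in counts}


if __name__ == "__main__":
    for item, same_amount in find_duplicates(SAMPLE_ITEMS):
        print(f"DUPLICATE  {item.customer_id} check {item.check_number} "
              f"({'same' if same_amount else 'different'} amount)")
    for item, reason in find_threshold_violations(SAMPLE_ITEMS, LIMITS):
        print(f"THRESHOLD  {item.customer_id} check {item.check_number} {item.amount} ({reason})")
    for customer, (count, total) in summarize(SAMPLE_ITEMS).items():
        print(f"VOLUME     {customer}: {count} items, ${total}")
```

Two design points matter in practice. The duplicate key should be the MICR line, not the image hash, because the same physical check re-scanned produces a different image but the same routing, account, and serial number; and the daily limit check has to be cumulative across files, since a customer who is held to a per-file limit can simply split a deposit into several files. The summary reports counts as submitted so that the volume figures reconcile with what the customer transmitted; duplicates are removed downstream after review, not silently dropped.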

At the time of writing this article, the FDIC and OCC have not released their audit work program for RDC; however, the NCUA has released a work program which can be downloaded at www.ncua.gov/letters/2009/CU/09-CU-07attachment.xls.