Source: ttsmedia.ttstrain.com/RDC2PerHA042016.pdf

REMOTE DEPOSIT CAPTURE: ARE YOU MEETING

REGULATORY EXPECTATIONS

Susan Orr Susan Orr Consulting, Ltd.

1

RDC includes:

Remote Merchant Capture

Mobile Consumer Capture

ATM Source Capture/Image Capture

Photo Bill Pay

Branch Capture

Lockbox

2

REGULATORY GUIDANCE

FFIEC Retail Payment Systems Handbook, February 2010

FFIEC RDC Interagency Guidance Risk Management of Remote Deposit Capture, January 14, 2009

FDIC Supervisory Insights RDC Primer

FFIEC BSA/AML Expanded Exam Procedures 2007

FFIEC Operations Examination Handbook, June

3

RISK MANAGEMENT OF RDC GUIDANCE

RDC should be viewed as a delivery system and not just a service

RDC is a payments platform

4

RDC GUIDANCE - RISK MANAGEMENT

Management

Mitigation and control

Measuring and monitoring

5

MANAGEMENT

Board or designated committee

Strategic plan (Tactical Plan, Operational Plan)

Understand ROI

Ensure ability to manage

Awareness of security and risks

Involvement of senior management

6

IT PLANNING

Identify need and alignment with goals/objectives

Due diligence of vendors/providers

Understand functionality

Ensure interoperability

Identify infrastructure needs

Identify/track timeframe for implementation

Budget

7

MANAGEMENT

Evaluation of insurance needs

Determine functionality

Establish definitions for business types

Acceptable

Restricted

Prohibited

Determine target market

Merchant/Consumer

Foreign based

8

MANAGEMENT

Risk Assessment (All forms of RDC)

Prior to implementation and annually thereafter

Product oriented

Each Customer/Member/Merchant

9

RISK ASSESSMENT

Operation/Transaction

Security/Integrity

Fraud

Credit

Legal/Compliance/Regulatory

Reputation

10

11

12

SUITABILITY/DUE DILIGENCE

Merchant

Type of business/products and services

Type of deposit and volume of transactions

Current customer/member

Location

Legal structure

Sales volume

Actual

Projected

Charge backs

13

SUITABILITY/DUE DILIGENCE

Consumer

DBA/individual

Relationship history

How long

Loan and/or deposit

Volume/amount of deposits

KYC

14

SUITABILITY/DUE DILIGENCE FORM

15

ANNUAL RISK ANALYSIS

16

CONTRACT/AGREEMENTS

Governing laws/regulation

Roles/responsibilities

Liabilities

Funds Availability

Image Quality

Security - physical/logical

IT requirements/standards

17

CONTRACT/AGREEMENTS

Transaction limits

$ limits

Item limits

Total deposit limit

Overdraft limits

Exception volumes

Submission and processing deadlines

Institution's method of clearing/settling

18

CONTRACT/AGREEMENTS

Return items

Receipt of files

Warranty/liabilities

No duplicate items

Restriction on type of items

“Institution will not sustain loss due to deposited image”

19

CONTRACT/AGREEMENTS

“Only responsible for performing services described”

Check retention, storage, destruction

Contingency plan

Incident response

Errors or discrepancies

Financial information

20

CONTRACT/AGREEMENTS

Right to Audit clause

Fees

Termination

Confidentiality

Internal controls

Limitation on accounts

21

CONTRACT/AGREEMENTS

Limitation on types of deposits

“Only items received in ordinary course of business”

No 3rd party checks

No non-US funds, only from qualified US Financial Institution

22

CONSUMER MOBILE CAPTURE SPECIFIC - AGREEMENT

Use of service

Enrollment

Service availability

Fees charged

Mobile device and communications

Lost or Stolen device or logon credentials

23

CONSUMER MOBILE CAPTURE SPECIFIC - AGREEMENT

Security

Eligible items

Image quality

Receipt, Security, Errors

Endorsement

Retaining/destroying items

24

MITIGATION AND CONTROLS

Written RDC Program

Information/Cyber Security Program

BCP

Incident Response Plan

Outsourced Third Party Risk Mgmt Program

Security and Controls

25

MITIGATION AND CONTROLS

Written Program

Policy Statement

Overview of operations, product/service

Who it is offered to

Compliance with applicable laws

26

MITIGATION AND CONTROLS

Roles/Responsibilities

Board

Senior Management

RDC Officer

Internet Banking Officer (as applicable)

Customer relations staff

Operations staff

Internet Banking staff (as applicable)

27

MITIGATION AND CONTROLS

Product risk assessment process

Mitigation strategies (controls)

Onsite visits/self certification

Underwriting and Customer/Member suitability

Selection criteria

Completion of Suitability Form

Completion of credit underwriting worksheet

Member risk assessment

28

MITIGATION AND CONTROLS

Approval process and authorities

Reporting

Audit

Acceptable/restricted/prohibited businesses/consumers

Outsourced third party risk management

Contingency planning

29

MITIGATION AND CONTROLS

Consumer setup

Use of data collection form

Installation and training

User instructions

Post installation

Reporting/Monitoring

Billing

Institution staff training

30

MITIGATION AND CONTROLS

Address in Institution’s BCP

Recover and restore operations

Recovery time objectives

Testing

Processing procedure

31

MITIGATION AND CONTROLS

Provide guidance for Merchant Business Continuity

Non-operating scanner

Connectivity issues

PC inoperable

Solutions

Physically transport

Have alternate site with secure connectivity and PC

32

MITIGATION AND CONTROLS

Incident Response

Include in Institution’s Incident Response Plan

Provide merchant with guidelines on developing a Plan

33

MITIGATION AND CONTROLS

Third Party Contracts

Responsibilities

Security

Fees

Ownership

34

MITIGATION AND CONTROLS

Third Party Contracts

Oversight and monitoring

Right to Audit

Confidentiality

Termination

35

MITIGATION AND CONTROLS

Merchant training - setup and use

Onsite

User manual

Risk management/security

User controls and best practices

Incident response and business continuity

Fraud/counterfeit check identification

36

MITIGATION AND CONTROLS

Training - Consumer

Website and/or Agreement

Use of application

Risk awareness

Security/controls

37

MITIGATION AND CONTROLS

Institution

Change management/patch management processes

Hardware

Software

User controls/access

38

MITIGATION AND CONTROLS

Institution

Restricted Access

Limit administrator profile

Do not share administrator or user profiles

Segregation of duties

39

MITIGATION AND CONTROLS

Institution

Monitoring of administrator and user activity

Training

Sales/marketing

Operations

40

MITIGATION AND CONTROLS

Merchant/Consumer

Multi-Factor Authentication

Individual unique logon credentials

41

MITIGATION AND CONTROLS

Merchant/Consumer Account

Set velocity limits

$ amount/check

# of checks deposited

# of checks per batch

Limit fields that can be altered and overwritten

No edit capabilities

42

MITIGATION AND CONTROLS

Merchant/Consumer Account

Review of items by institution

Implement behavioral monitoring and fraud prevention/detection software

43

MITIGATION AND CONTROLS

Merchant/Consumer Account

Restricted access to computer, application, and scanning equipment

Encryption of data in-transit

Encryption of electronically stored data

44

MITIGATION AND CONTROLS

Merchant/Consumer Account

Endorsement/Franking of every item

Duplicate detection

Image of front and back of item

45
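The velocity limits on slide 42 ($ amount per check, number of checks per batch and per day, total deposit limit) and the duplicate detection on slide 45 are naturally enforced in one institution-side review of each incoming batch. The block below is an added example, not material from the presentation or from any vendor's RDC product; the MICR-based duplicate key (routing, account, check number), the cents-denominated limits, the merchant and date labels, and the sample batch are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Item:
    # One captured check; amount in cents. The MICR fields form the duplicate key.
    routing: str
    account: str
    check_no: str
    amount: int

@dataclass
class Limits:
    max_amount_per_check: int   # $ amount/check
    max_items_per_batch: int    # number of checks per batch
    max_items_per_day: int      # number of checks deposited per day
    max_total_per_day: int      # total deposit limit per day

class DepositMonitor:
    """Hypothetical institution-side review of an RDC batch (constructed example)."""
    def __init__(self, limits):
        self.limits = limits
        self.seen = set()                 # MICR keys already accepted, kept across batches
        self.count = defaultdict(int)     # (merchant, day) -> items accepted so far
        self.total = defaultdict(int)     # (merchant, day) -> cents accepted so far

    def review_batch(self, merchant, day, items):
        accepted, exceptions = [], []     # exceptions feed the over-limit/duplicate report
        if len(items) > self.limits.max_items_per_batch:
            exceptions.append(("BATCH_ITEM_LIMIT", len(items)))
        for it in items:
            key = (it.routing, it.account, it.check_no)
            if key in self.seen:
                exceptions.append(("DUPLICATE", key))
            elif it.amount > self.limits.max_amount_per_check:
                exceptions.append(("OVER_CHECK_LIMIT", key))
            elif self.count[(merchant, day)] >= self.limits.max_items_per_day:
                exceptions.append(("DAILY_ITEM_LIMIT", key))
            elif self.total[(merchant, day)] + it.amount > self.limits.max_total_per_day:
                exceptions.append(("DAILY_TOTAL_LIMIT", key))
            else:
                self.seen.add(key)
                self.count[(merchant, day)] += 1
                self.total[(merchant, day)] += it.amount
                accepted.append(it)
        return accepted, exceptions

# Constructed sample batch: a clean item, an over-limit item, a duplicate of the
# first item, and two items that together push the merchant past the daily total.
SAMPLE_BATCH = [
    Item("111000000", "123456789", "1001", 50_000),
    Item("111000000", "123456789", "1002", 250_000),
    Item("111000000", "123456789", "1001", 50_000),
    Item("222000000", "987654321", "77", 120_000),
    Item("222000000", "987654321", "78", 100_000),
]

def demo():
    limits = Limits(200_000, 10, 3, 250_000)   # $2,000/check, 10/batch, 3/day, $2,500/day
    return DepositMonitor(limits).review_batch("merchant-A", "2016-04-20", SAMPLE_BATCH)
```

Because `seen` persists across calls, an item re-presented in a later batch or on a later day is still flagged as a duplicate.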

MITIGATION AND CONTROLS

Merchant/Consumer

Physical security of items

Storage prior to and post scanning

Destruction

Prohibit physical copying of items

46

MITIGATION AND CONTROLS

Consumer Specific

Audit trail

Transaction record

Failed access attempts

Attempts to change restricted information

Messages received, read, deleted

47

MITIGATION AND CONTROLS

Consumer Specific

Opt in/enrollment

Deactivation procedures

Service/account terminated

Consumer loses phone

Consumer changes phone number

48

MITIGATION AND CONTROLS

Security recommendations - Merchant/Consumer

Firewalls, encryption, anti-virus, anti-malware

Keep operating systems, firewalls, antivirus, anti-malware up to date

Use only secure connections (no public systems)

49

MITIGATION AND CONTROLS

Merchant specific

Network vulnerability assessment

Network penetration test

No remote access

Physical review of items (sampling of images)

50

MITIGATION AND CONTROLS

Merchant specific

Limit access to:

Archives, history

Implement:

Patch management/Change control procedures

No editing of application software

51

MITIGATION AND CONTROLS

Consumer security recommendations

Implement device locking/passcode

Only install apps from known source

Don’t jailbreak phone

Do not share or provide logon credentials to anyone

52

MITIGATION AND CONTROLS

Do not store logon credentials, account numbers etc. on device unless encrypted/secured

Do not use public wireless/Internet, only secure connections

Don’t click on links in emails unless you know the source

53

MEASURING AND MONITORING

Financial institution - Internal Reports

Status of RDC services

Duplicate deposit thresholds

Velocity metrics

Total number of RDC users

% of deposits via RDC vs. overall deposits

54

MEASURING AND MONITORING

Institution

Review merchant and consumer activity reports

Large items

Deposit history

Batch total reports

Receipt acknowledgement

55

MEASURING AND MONITORING

Institution

Maintain transaction/processing flow chart

Track losses/fraud

Track monthly transactions/volume

Perform onsite visits of merchants and/or develop self certification

As warranted by risk rating

Develop audit/visit checklist

56

MEASURING AND MONITORING

Institution

Positive Pay

ChexSystems

Other fraud detection software

Review Merchant/Consumer activity reports

Review rejects/edits made

Review for duplicate items

Review over limit reports

Review deposit items

57

MEASURING AND MONITORING

Onsite visit

Look for multiple scanners

Review physical security

Check storage and review destruction procedures

Who has access to PC/what is PC used for

Review logical security (firewalls, anti-virus, connectivity)

58

MEASURING AND MONITORING

Merchant

Review images

Review user activity reports

Review pending and transmitted file report

Review batch totals

Review duplicate items

Review return item report

59

60

61

SOFTWARE/APPLICATION CONSIDERATIONS

Duplicate detection

MICR detection

Field permission capabilities

Multi-level, multi-user security

Aggregate reporting capabilities

62

SOFTWARE/APPLICATION CONSIDERATIONS

Audit trail (logging)

Integrity controls

Batch total verification

Out of balance verification

63

QUESTIONS??

Susan Orr

CISA, CRISC, CISM, CRP

630.248.7788 www.susanorrconsulting.com

[email protected]

Dan [email protected]

64

Upcoming Webinars

April 21, 2016 - Reg E. Compliance - Five Best Practices for Handling Disputes

April 26, 2016 - Analyzing Appraisals for Mortgage Decisions

April 27, 2016 - TRID for Construction Loans

April 28, 2016 - Properly Audit Your Safe Deposit Department: 30 Important steps (2016 Update)

April 28, 2016 - Compliance Perspectives: A Monthly Update

April 28, 2016: Opening New Accounts III - Trust, Fiduciary and Minor Accounts