Transcript of ttsmedia.ttstrain.com/RDC2PerHA042016.pdf
REMOTE DEPOSIT CAPTURE: ARE YOU MEETING
REGULATORY EXPECTATIONS
Susan Orr, Susan Orr Consulting, Ltd.
RDC includes:
Remote Merchant Capture
Mobile Consumer Capture
ATM Source Capture/Image Capture
Photo Bill Pay
Branch Capture
Lockbox
REGULATORY GUIDANCE
FFIEC Retail Payment Systems Handbook, February 2010
FFIEC RDC Interagency Guidance Risk Management of Remote Deposit Capture, January 14, 2009
FDIC Supervisory Insights RDC Primer
FFIEC BSA/AML Expanded Exam Procedures 2007
FFIEC Operations Examination Handbook, June
RISK MANAGEMENT OF RDC GUIDANCE
RDC should be viewed as a delivery system and not just a service
RDC is a payments platform
RDC GUIDANCE - RISK MANAGEMENT
Management
Mitigation and control
Measuring and monitoring
MANAGEMENT
Board or designated committee
Strategic plan (Tactical Plan, Operational Plan)
Understand ROI
Ensure ability to manage
Awareness of security and risks
Involvement of senior management
IT PLANNING
Identify need and alignment with goals/objectives
Due diligence of vendors/providers
Understand functionality
Ensure interoperable
Identify infrastructure needs
Identify/track timeframe for implementation
Budget
MANAGEMENT
Evaluation of insurance needs
Determine functionality
Establish definitions for business types
Acceptable
Restricted
Prohibited
Determine target market
Merchant/Consumer
Foreign based
MANAGEMENT
Risk Assessment (All forms of RDC)
Prior to implementation and annually thereafter
Product oriented
Each Customer/Member/Merchant
RISK ASSESSMENT
Operation/Transaction
Security/Integrity
Fraud
Credit
Legal/Compliance/Regulatory
Reputation
SUITABILITY/DUE DILIGENCE
Merchant
Type of business/products and services
Type of deposit and volume of transactions
Current customer/member
Location
Legal structure
Sales volume
Actual
Projected
Charge backs
SUITABILITY/DUE DILIGENCE
Consumer
DBA/individual
Relationship history
How long
Loan and/or deposit
Volume/amount of deposits
KYC
SUITABILITY/DUE DILIGENCE FORM
ANNUAL RISK ANALYSIS
CONTRACT/AGREEMENTS
Governing laws/regulation
Roles/responsibilities
Liabilities
Funds Availability
Image Quality
Security - physical/logical
IT requirements/standards
CONTRACT/AGREEMENTS
Transaction limits
$ limits
Item limits
Total deposit limit
Overdraft limits
Exception volumes
Submission and processing deadlines
Institution's method of clearing/settling
CONTRACT/AGREEMENTS
Return items
Receipt of files
Warranty/liabilities
No duplicate items
Restriction on type of items
“Institution will not sustain loss due to deposited image”
CONTRACT/AGREEMENTS
“Only responsible for performing services described”
Check retention, storage, destruction
Contingency plan
Incident response
Errors or discrepancies
Financial information
CONTRACT/AGREEMENTS
Right to Audit clause
Fees
Termination
Confidentiality
Internal controls
Limitation on accounts
CONTRACT/AGREEMENTS
Limitation on types of deposits
“Only items received in ordinary course of business”
No 3rd party checks
No non-US funds, only from qualified US Financial Institution
CONSUMER MOBILE CAPTURE SPECIFIC - AGREEMENT
Use of service
Enrollment
Service availability
Fees charged
Mobile device and communications
Lost or Stolen device or logon credentials
CONSUMER MOBILE CAPTURE SPECIFIC - AGREEMENT
Security
Eligible items
Image quality
Receipt, Security, Errors
Endorsement
Retaining/destroying items
MITIGATION AND CONTROLS
Written RDC Program
Information/Cyber Security Program
BCP
Incident Response Plan
Outsourced Third Party Risk Mgmt Program
Security and Controls
MITIGATION AND CONTROLS
Written Program
Policy Statement
Overview of operations, product/service
Who offered to
Compliance with applicable laws
MITIGATION AND CONTROLS
Roles/Responsibilities
Board
Senior Management
RDC Officer
Internet Banking Officer (as applicable)
Customer relations staff
Operations staff
Internet Banking staff (as applicable)
MITIGATION AND CONTROLS
Product risk assessment process
Mitigation strategies (controls)
Onsite visits/self certification
Underwriting and Customer/Member suitability
Selection criteria
Completion of Suitability Form
Completion of credit underwriting worksheet
Member risk assessment
MITIGATION AND CONTROLS
Approval process and authorities
Reporting
Audit
Acceptable/restricted/prohibited businesses/consumers
Outsourced third party risk management
Contingency planning
MITIGATION AND CONTROLS
Consumer setup
Use of data collection form
Installation and training
User instructions
Post installation
Reporting/Monitoring
Billing
Institution staff training
MITIGATION AND CONTROLS
Address in Institution’s BCP
Recover and restore operations
Recovery time objectives
Testing
Processing procedure
MITIGATION AND CONTROLS
Provide guidance for Merchant Business Continuity
Non-operating scanner
Connectivity issues
PC inoperable
Solutions
Physically transport
Have alternate site with secure connectivity and PC
MITIGATION AND CONTROLS
Incident Response
Include in Institution’s Incident Response Plan
Provide merchant with guidelines on developing a Plan
MITIGATION AND CONTROLS
Third Party Contracts
Responsibilities
Security
Fees
Ownership
MITIGATION AND CONTROLS
Third Party Contracts
Oversight and monitoring
Right to Audit
Confidentiality
Termination
MITIGATION AND CONTROLS
Merchant training - setup and use
Onsite
User manual
Risk management/security
User controls and best practices
Incident response and business continuity
Fraud/counterfeit check identification
MITIGATION AND CONTROLS
Training - Consumer
Website and/or Agreement
Use of application
Risk awareness
Security/controls
MITIGATION AND CONTROLS
Institution
Change management/patch management processes
Hardware
Software
User controls/access
MITIGATION AND CONTROLS
Institution
Restricted Access
Limit administrator profile
Do not share administrator or user profiles
Segregation of duties
MITIGATION AND CONTROLS
Institution
Monitoring of administrator and user activity
Training
Sales/marketing
Operations
MITIGATION AND CONTROLS
Merchant/Consumer
Multi-Factor Authentication
Individual unique logon credentials
MITIGATION AND CONTROLS
Merchant/Consumer Account
Set velocity limits
$ amount/check
# of checks deposited
# of checks per batch
Limit fields that can be altered and overwritten
No edit capabilities
MITIGATION AND CONTROLS
Merchant/Consumer Account
Review of items by institution
Implement behavioral monitoring and fraud prevention/detection software
MITIGATION AND CONTROLS
Merchant/Consumer Account
Restricted access to computer, application, and scanning equipment
Encryption of data in-transit
Encryption of electronically stored data
MITIGATION AND CONTROLS
Merchant/Consumer Account
Endorsement/Franking of every item
Duplicate detection
Image of front and back of item
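One way an institution's RDC platform could enforce the velocity limits (per-item $ amount, items per batch, total deposit limit) and the duplicate detection listed under Merchant/Consumer Account above. This is an added example in Python, not material from the presentation; the limit profile, the placeholder MICR strings and the in-memory history set are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Item:
    micr: str     # routing|account|serial as read from the item's MICR line
    amount: int   # item amount in whole cents, so limit arithmetic is exact

@dataclass(frozen=True)
class Limits:
    max_item: int        # "$ amount/check"
    max_per_batch: int   # "# of checks per batch"
    max_total: int       # "Total deposit limit" for one batch

def review_batch(items, limits, history):
    """Apply velocity limits and duplicate detection to one RDC batch.
    history: MICR lines accepted on earlier batches (updated in place).
    Returns (accepted_items, exceptions) for the over-limit/duplicate reports."""
    accepted, exceptions, seen, total = [], [], set(), 0
    if len(items) > limits.max_per_batch:
        exceptions.append(("batch", f"{len(items)} items exceeds {limits.max_per_batch} per batch"))
    for it in items:
        if it.amount > limits.max_item:
            exceptions.append((it.micr, "over per-item $ limit"))
        elif it.micr in history or it.micr in seen:   # same item, earlier batch or this one
            exceptions.append((it.micr, "duplicate MICR line"))
        elif total + it.amount > limits.max_total:
            exceptions.append((it.micr, "would exceed total deposit limit"))
        else:
            seen.add(it.micr)
            total += it.amount
            accepted.append(it)
    history.update(seen)
    return accepted, exceptions

# Constructed sample data: placeholder MICR prefix; hypothetical merchant profile of
# $5,000 per item, 3 items per batch, $8,000 per batch.
LIMITS = Limits(max_item=500_000, max_per_batch=3, max_total=800_000)
MICR = "RTN-TEST|ACCT-TEST|"
BATCH_1 = [Item(MICR + "1001", 120_000),
           Item(MICR + "1002", 750_000),   # over the per-item limit
           Item(MICR + "1003", 300_000)]
BATCH_2 = [Item(MICR + "1001", 120_000),   # item 1001 scanned again: duplicate deposit
           Item(MICR + "1004", 400_000),
           Item(MICR + "1005", 450_000),   # would take the batch past $8,000
           Item(MICR + "1006", 50_000)]    # fourth item: batch exceeds 3 per batch

def run_example():
    history = set()   # stands in for the institution's duplicate-detection history
    return review_batch(BATCH_1, LIMITS, history), review_batch(BATCH_2, LIMITS, history)
```

Every rejected item lands in the exceptions list with a reason, which is the raw material for the over-limit and duplicate-item reports the institution is expected to review.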
MITIGATION AND CONTROLS
Merchant/Consumer
Physical security of items
Storage prior to and post scanning
Destruction
Prohibit physical copying of items
MITIGATION AND CONTROLS
Consumer Specific
Audit trail
Transaction record
Failed access attempts
Attempts to change restricted information
Messages received, read, deleted
MITIGATION AND CONTROLS
Consumer Specific
Opt in/enrollment
Deactivation procedures
Service/account terminated
Consumer loses phone
Consumer changes phone number
MITIGATION AND CONTROLS
Security recommendations - Merchant/Consumer
Firewalls, encryption, anti-virus, anti-malware
Keep operating systems, firewalls, antivirus, anti-malware up to date
Use only secure connections (no public systems)
MITIGATION AND CONTROLS
Merchant specific
Network vulnerability assessment
Network penetration test
No remote access
Physical review of items (sampling of images)
MITIGATION AND CONTROLS
Merchant specific
Limit access to:
Archives, history
Implement:
Patch management/Change control procedures
No editing of application software
MITIGATION AND CONTROLS
Consumer security recommendations
Implement device locking/passcode
Only install apps from known source
Don’t jailbreak phone
Do not share or provide logon credentials to anyone
MITIGATION AND CONTROLS
Do not store logon credentials, account numbers etc. on device unless encrypted/secured
Do not use public wireless/Internet, only secure connections
Don’t click on links in emails unless you know the source
MEASURING AND MONITORING
Financial institution - Internal Reports
Status of RDC services
Duplicate deposit thresholds
Velocity metrics
Total number of RDC users
% of deposits via RDC vs. overall deposits
MEASURING AND MONITORING
Institution
Review merchant and consumer activity reports
Large items
Deposit history
Batch total reports
Receipt acknowledgement
MEASURING AND MONITORING
Institution
Maintain transaction/processing flow chart
Track losses/fraud
Track monthly transactions/volume
Perform onsite visits of merchants/or develop self certification
As warranted by risk rating
Develop audit/visit checklist
MEASURING AND MONITORING
Institution
Positive Pay
ChexSystems
Other fraud detection software
Review Merchant/Consumer activity reports
Review rejects/edits made
Review for duplicate items
Review over limit reports
Review deposit items
MEASURING AND MONITORING
Onsite visit
Look for multiple scanners
Review physical security
Check storage and review destruction procedures
Who has access to PC/what is PC used for
Review logical security (firewalls, anti-virus, connectivity)
MEASURING AND MONITORING
Merchant
Review images
Review user activity reports
Review pending and transmitted file report
Review batch totals
Review duplicate items
Review return item report
SOFTWARE/APPLICATION CONSIDERATIONS
Duplicate detection
MICR detection
Field permission capabilities
Multi-level, multi-user security
Aggregate reporting capabilities
SOFTWARE/APPLICATION CONSIDERATIONS
Audit trail (logging)
Integrity controls
Batch total verification
Out of balance verification
QUESTIONS??
Susan Orr
CISA, CRISC, CISM, CRP
630.248.7788 www.susanorrconsulting.com
Upcoming Webinars
April 21, 2016 - Reg E. Compliance - Five Best Practices for Handling Disputes
April 26, 2016 - Analyzing Appraisals for Mortgage Decisions
April 27, 2016 - TRID for Construction Loans
April 28, 2016 - Properly Audit Your Safe Deposit Department: 30 Important Steps (2016 Update)
April 28, 2016 - Compliance Perspectives: A Monthly Update
April 28, 2016: Opening New Accounts III - Trust, Fiduciary and Minor Accounts