RDC Risk Management 2011 Update - Remote Deposit Capture ... · RDC Risk Management Update 2011...

RDC Risk Management Update 2011 Heather Holliway, Product Manager Synovus Financial Corp. Ed McLaughlin, Executive Director RemoteDepositCapture.com September 30, 2011


RDC Risk Management Update 2011

Heather Holliway, Product Manager Synovus Financial Corp.

Ed McLaughlin, Executive Director

RemoteDepositCapture.com

September 30, 2011


Regulatory Guidance Overview

1. FFIEC RDC Risk Management Guidance released January 14, 2009
  – RDC risk management process in an electronic environment
  – Focusing on RDC deployed at a customer location
  – Principles of RDC risk management discussed are applicable to:
    • FI’s Internal deployment – ATM, Branch, Cash Vault
    • Other forms of electronic deposit delivery systems (e.g., mobile banking and automated clearing house [ACH] check conversions).
2. Retail Payment Systems Booklet (N), (M) – February 10, 2010
3. 2010 Version of the Bank Secrecy Act/Anti-Money Laundering Examination Manual – Updated April 29, 2010
4. Authentication in an Internet Banking Environment – October 12, 2005
  1. Supplement to Authentication in an Internet Banking Environment – June 22, 2011
5. Reg. CC changes are coming…


New Challenges

• Mobile, Flatbed, Merchant, Fax
  – Treat as new products in the process
  – Device security
  – Check security
  – Compliance
• Mobile for small business and the consumer
  – The farther down you go the less the sophistication of the business
    • Keep it simple
    • Fewer checks and balances
    • Segregation of duties
    • Documented risk practices
• FFIEC Guidance is risk management oriented, not device oriented


FFIEC guidance was a watershed event

But what value will all the resulting effort produce?

• Nearly 90% of FIs surveyed have suffered NO LOSS uniquely attributed to RDC
  – This includes CUs offering consumer RDC
• Losses among the 12% were not recurring events
• Fraud mechanisms are not a mystery, nor many:
  – Duplicate presentment
  – Kiting
  – Insider fraud
• Duplicate presentment is the most commonly cited mechanism by a large margin

RDC Loss Profile

[Bar chart: share of respondents (%), on a 0% to 100% axis, by FI asset size (>$50b, $10b - $50b, $1b - $10b, <$1b), for four responses: “We have recurring loss incidents”, “We have had several loss incidents”, “We have had a single loss incident”, “We have suffered no loss uniquely attributed to RDC”.]

Source: Celent FI survey, September 2010, n=194

“Almost exclusively in our cases, our losses are due to insider fraud at our customer sites, due to a lack of or failing to follow existing dual controls” – US Mid tier bank

This slide provided courtesy of Celent.


System Capabilities & Integration

System Functionality
• Duplicate item detection
• Scanner options
• Data Integration & Usability
• Audit logs and event logs (MIS reporting)
• IQA and IUA
• Front and Back of the Check
  – MICR & CAR/LAR Controls
  – Marking Capability
  – Presence of Endorsements
• Clearing options
  – LCR (lowest cost routing): includes rules for ACH vs. Image and IRD
• ABA Validation routines
• Integration of
  – BSA/AML systems and processes
  – OFAC
  – BCP (Enterprise)
• IT Security Infrastructure (SSO, rights and privileges, etc.)


Know Your Customer

Key Information:
• Understand Business
  – Finances, Customers, Processes
  – CDD (Customer Due Diligence), EDD (Enhanced Due Diligence)
  – CIP (Customer Identification Program)
• Understand Deposits
  – Obtain History
  – Volumes & Values of Items, deposits, returns,
  – Velocity
• Use this data to custom-fit RDC
  – Thresholds, Limits, Holds & Availability Schedules
  – Separation of Duties, Approvals
  – Functional Capabilities
  – Pricing, Balances, monitor deposit & data trends.

RDC should be customized to each individual client.


Duplicate Detection

Duplicate Detection should ideally be done across all levels & accounts, channels and products.

• Levels & Accounts
  • User, Location, Account
• Channels
  • RDC Location, Lockbox, ATM, Branch, Mail Drop, Kiosk & Inclearings, etc.
• Products
  • Check and ACH (for converted items)
• Network
  • All banks using a specific service provider
• Industry
  • i3G / Fed Initiative
  • More??
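The effect of detection scope, as an added example that is not part of the presentation: the same constructed deposit feed is checked per channel, per channel and account, and across all channels and products. The `Item` record layout, the matching key (MICR routing, account, serial, amount) and the leading-zero normalisation are assumptions made for illustration.

```python
from collections import defaultdict
from typing import NamedTuple

class Item(NamedTuple):
    channel: str       # capture channel: "RDC", "ATM", "Branch", ...
    product: str       # "check" or "ACH" (converted item)
    depositor: str     # account being credited
    routing: str       # MICR routing number of the paying bank
    account: str       # MICR account number of the payor
    serial: str        # check serial number
    amount_cents: int

def item_key(it):
    """Identity of the paper item itself, independent of channel, product and depositor."""
    # Assumption: leading zeros in the serial are padding added by some capture devices.
    return (it.routing, it.account, it.serial.lstrip("0"), it.amount_cents)

def find_duplicates(items, scope=lambda it: ()):
    """Return groups of items presented more than once within the same scope.

    scope(it) narrows the comparison (e.g. per channel); the default compares
    every item against every other, across all channels and products.
    """
    seen = defaultdict(list)
    for it in items:
        seen[(scope(it), item_key(it))].append(it)
    return [group for group in seen.values() if len(group) > 1]

# Constructed sample data; routing and account numbers are placeholders.
SAMPLE = [
    Item("RDC", "check", "ACME-OPS", "000000001", "5550001", "1001", 125000),
    Item("ATM", "check", "ACME-OPS", "000000001", "5550001", "001001", 125000),  # same check, second channel
    Item("RDC", "check", "ACME-OPS", "000000001", "5550002", "2002", 48050),
    Item("ACH", "ACH", "ACME-OPS", "000000001", "5550002", "2002", 48050),       # same check, converted to ACH
    Item("RDC", "check", "ACME-OPS", "000000002", "7770003", "3003", 9900),
    Item("RDC", "check", "ACME-PAY", "000000002", "7770003", "3003", 9900),      # rescanned into another account
    Item("Branch", "check", "ACME-OPS", "000000002", "7770004", "3003", 9900),   # different payor: not a duplicate
]

per_channel = find_duplicates(SAMPLE, scope=lambda it: it.channel)
per_channel_account = find_duplicates(SAMPLE, scope=lambda it: (it.channel, it.depositor))
cross_channel = find_duplicates(SAMPLE)

if __name__ == "__main__":
    print("per channel and account:", len(per_channel_account))
    print("per channel:", len(per_channel))
    for group in cross_channel:
        print(sorted({f"{it.channel}/{it.product}/{it.depositor}" for it in group}))
```

On this sample the narrowest scope finds nothing, per-channel matching finds only the rescanned RDC item, and the unscoped comparison also finds the RDC/ATM and check/ACH pairs.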


The Importance of Endorsements

• Endorsements can help prevent duplicates
  – Restrict deposit to a specific bank & account
• Legal & Regulatory implications
  – Appropriate endorsement can be identified
    • Teller
    • Payor
    • Systemic Identification
  – Decreases likelihood item will be used
    • Criminals can also see the restrictive endorsement
• Systemic Capabilities are evolving
  – Hardware & Software


Testing Risk Management

[Matrix of risk controls (rows) against risk types (columns); each cell carries a circle rating.]

Risk Types: Operational Error, Check Kiting, Duplicate Error, Duplicate Fraud, Value Fraud, Volume Fraud, Return Items

Risk Controls: Value / Volume Thresholds, RDC System DD*, Cross-Channel DD*, IQA / IQU / CAR / LAR, Patterning, Holds, Availability Schedules, Balances

*Duplicate Detection

Level of Risk Management Adequacy: ¼ Circle = Minimal, ½ Circle = Fair, ¾ Circle = Moderate, Full Circle = Good

FIs should have at least 1.5 Total Circles per risk type, 2+ for Fraud Risk Types.


RDC Risk Management

Striking the perfect balance between BSA/Compliance and Treasury Management

Heather Holliway, Product Manager Synovus Financial Corp.

September 30, 2011


Let the Tug-of-War Begin

• Synovus released RDC in 2005
  – Rush to market, high profile product
  – Treasury Management is eager to sell, sell, sell!
  – BSA wants control!

11 Copyright 2010, RemoteDepositCapture.com


Results of Tug-of-War

• Customer dissatisfaction with turn-around time on approval

• Sales team frustrated with documentation requirements and approval process

• Resource intensive for both BSA and Treasury Management teams

• BSA now referred to as “BPU” (Business Preventative Unit)


The Dilemma

Question: How can we sell the service and deliver quickly while appropriately mitigating risk?

Answer: Restructure the customer approval process based on customers’ risk classifications. Revise the Risk Policy!


A Realistic Approach

• Treasury Management must partner with BSA/Compliance and Operational Risk to create a realistic and reasonably designed risk based Remote Deposit Capture policy based on FFIEC guidance
• Implement monitoring or audit procedures
  – Understand your customers’ activity to identify red flags before it’s too late
  – Be proactive vs. reactive
  – Determine both business segment and BSA Risk tolerance thresholds


Customer Approval Process

• Customer approval process
  – Define customer risk categories based on FFIEC guidance and your bank’s risk appetite (e.g. low, medium and high)
  – Determine which categories are permitted and prohibited
  – Determine who owns the approval based on risk type (e.g. moderate risk requires dual approval, high risk RDC prohibited)
• Regardless of risk level, due diligence must be performed and documented
  – Know your customer: apply your bank’s CIP and CDD/EDD standards
  – Document anticipated volume and $ deposited
  – Review previous statements to understand customer’s activity
  – Verify account ownership
  – Verify credit relationship is in good standing (if applicable)


Account Monitoring

• Ongoing Account Activity/Transaction Monitoring
  – Examples of valuable data:
    • customer account balances and deposit history
    • spiked activity or trends that are inconsistent with anticipated account activity
    • overdrawn accounts
    • higher incidence of NSF checks, returned items or customer complaints
    • routinely resubmitted data files or duplicate presentment of checks or images
    • changes in business profile or ownership
  – Accounts with significant variances should be reviewed; explanations should be documented and archived for audit
  – Accounts with suspicious activity:
    • should be reported to Loss Prevention, Operational Risk and BSA/Compliance
    • work with Relationship Manager to determine whether or not service should be removed


Training

• Critical for both Treasury Management and Customers!
• Treasury Management Training
  – Sales must understand policy before selling
  – Mandatory Product and Risk training on at least an annual basis
  – Identify BSA/Compliance red flags for suspicious activity
  – Escalation Criteria – both Operational and BSA compliance
  – Standardize documentation for monitoring and exception reviews to meet compliance, audit and regulatory scrutiny
• Customer Training - end user should understand the policies and procedures set forth in the legal agreement
  – Deposit deadline
  – Eligible / Ineligible items
  – Handling of duplicate items
  – Retention requirements
  – Prohibited use


Striking the Perfect Balance

• Simplify the customer approval process based on FFIEC guidance
• Implement risk based account and transaction monitoring based on your bank’s BSA risk profile and business segment risk tolerance
• Sales Team – selling and generating fee income!
• BPU returns to BSA – no longer “the bad guys”!


Summary of Risk Management Standards - FFIEC:

• Comprehensively identify and assess RDC risk prior to implementation
• Conduct appropriate customer CDD and EDD on new RDC customers
• Create risk-based parameters that can be used to conduct RDC customer suitability reviews
• Obtain expected account activity from the RDC customer, such as the anticipated RDC transaction volume, dollar volume, and type (e.g., payroll checks, third-party checks, or traveler’s checks), comparing it to actual activity, and resolving significant deviations
• Compare expected activity to business type to ensure they are reasonable and consistent
• Develop well-constructed contracts that clearly identify each party’s role, responsibilities, and liabilities, and that detail record retention procedures for RDC data
• Implement additional monitoring or reviews when significant changes occur in the type or volume of transactions
• Ensure that RDC customers receive adequate training


Questions?


Additional Takeaways

• Determine both business segment and BSA Risk tolerance thresholds

• Design a reasonable and realistic policy based on FFIEC guidance and controls currently in place
  – e.g. assume more risk on the front line due to in depth monitoring on the back end

• Partner with BSA/Compliance…tap into their knowledge!


About The Presenter

Heather Holliway
• Synovus Financial Corp.
• [email protected]
