In January, the financial industry finally received what it had been expecting for over a year: The Federal Financial...
Institutions Examination Council (FFIEC) issued the long awaited guidance for managing risks with remote deposit capture (RDC). The sense of anticipation, however, was quickly replaced with a new feeling of anxiety because with the guidance, the FFIEC provided a definition of the technology that extends beyond the current industry application and clearly asserts that RDC does, in fact, introduce new risks that need to be addressed.
RDC allows banking customers to deposit checks from their home or office by scanning a check and transmitting the image to the bank for posting. Banks have been adopting RDC since the process was made possible by the Check 21 Act legislation implemented in 2004, which allows banks to clear checks based on digital images in lieu of paper. The FFIEC's guidance makes it clear that financial institutions should conduct a risk assessment before implementing RDC and understand how to manage the risks associated with the technology.
The definition of RDC provided by the FFIEC -- which is very important -- recognizes that it is a transaction delivery system which digitizes information from deposit documents and transmits the information for subsequent processing. Applying this definition means RDC and the guidance now includes the merchant capture (the most common solution), consumer capture, branch capture, teller capture, image processing (back office operations), and in some cases, mobile banking. Not specified but implied are solutions that offer the scanning of a check for deposit using a flat bed scanner and then attaching the imaged item on to an email along with the use of fax technology to achieve the same result.
Before this definition, the general assumption in the industry was that RDC was a merchant or retail product rather than a digitizing technology. Now with the FFIEC's broader definition, financial institutions and service providers have a lot more to consider before they install RDC technology. And if they have already installed it, they may have some catching up to do.
Role of executive management in risk assessment
The next critical aspect of the guidance is the introduction of the role of management and the board of directors with respect to accountability and the understanding of risk associated with RDC. Even though it can be construed as rhetorical to emphasize the role of board and the executive management team, the FFIEC makes it very clear what the expectation is. With shades of gray eliminated, the board and senior management team of an organization are expected to fully understand the risk associated with RDC, and the organization's ability to manage the risk, in advance of implementing the technology.
For those institutions that have already implemented RDC (in any form), it is important they take note. The guidance was effective on the date issued. Organizations should expect their next exam to include a review of their risk assessment plan, risk management plan, risk mitigation plan and ongoing monitoring relative to their RDC technology installed. If multiple technologies are installed such as merchant capture and branch capture, the guidance applies to both and should be addressed accordingly.
The guidance also describes the information security implications of various RDC solutions and cites the need for additional security layers (i.e., multifactor authentication or similar technology) if the solution uses the Internet. It calls for the involvement of all potential stakeholders in an organization during the technology selection and risk assessment process.
In addition, the FFIEC points out that RDC should be compatible with an organization's strategic business objectives for stakeholders to understand the system integration risk associated (or lack thereof) with the technology selected for implementation.
Beyond the context of the technology, the guidance conveys the need for each organization to create and implement a variety of organizational policies and procedures in addition to conducting vendor and customer suitability reviews, referred to as due diligence.
Finally, the FFIEC notes that defining the relationship between the customer, the vendor (if applicable and depending on the solution implemented), and the institution is critical. Effective and relevant customer and vendor agreements are paramount to managing risk, establishing responsibility and reflecting the RDC environment implemented.
To conclude, the guidance makes it clear that technology risk is real in the context of RDC. Organizations are expected to ramp up their risk assessment, management and mitigation efforts. This guidance could very well signal that regulatory scrutiny as it pertains to technology decisions is intensifying. Financial institutions should expect it and be prepared.
About the Author:
Dan Fisher is president and CEO of The Copper River Group, a consulting firm based in Fargo, N.D. that focuses on technology, payment systems research and consulting for community financial institutions. For nearly 30 years, Fisher has worked in the financial industry using technology to improve the bottom line. He has served as a director of the Federal Reserve Board of Minneapolis, chairman of the American Bankers Association Payment Systems Committee, and member of the Independent Community Bankers of America Payments Committee. He has written numerous articles on banking technology and the payments system, has authored or co-authored six books and recently published "Capturing Your Customer! The New Technology of Remote Deposit." You can contact him at [email protected]