RDC and Risk Management

By Mark Brousseau

On January 14, 2009, the FFIEC (Federal Financial Institution Examination Council) published long-awaited guidance on “Risk Management of Remote Deposit Capture.”

This guidance defines Remote Deposit Capture (RDC) as a “deposit transaction delivery system” rather than simply as a new service. It talks about RDC in terms of information received by a financial institution from checks sent electonically from remotely located businesses and individuals, as well as the financial institution’s branches, automated teller machines (ATMs), and domestic and foreign correspondents. However, it focuses primarily on RDC deployed at a customer location.

RDC introduces some new risks and increases some existing risks in processing deposits, says Kathy Levin, AAP, managing director, Payments Information Circle (404-478-3491, kathy.levin@paymentsinformation.com). Some financial institutions have begun offering the service without fully understanding the risks involved in RDC, she notes.

“The guidance addresses expectations for identifying, assessing and mitigating risk and discusses roles and responsibilities in implementing and operating RDC in a financial institution,” Levin told me. “It makes it clear that, as with any new payment delivery system offered, there should be no implementation of these services without management oversight, compliance/internal audit involvement and board approval.”

Levin adds that the guidance addresses the necessary elements of an RDC risk management program and provides strategic, credit/underwriting, vendor management, legal and compliance, fraud management, and operational and implementation direction for financial institutions. It also emphasizes the importance of adequate risk management at the remote locations, she says.

“Many financial institutions implemented RDC quickly and experienced rapid adoption of the service,” Levin says. “Some may need to go back and revise their policies and procedures to ensure they are in line with the new guidance.”

In addition to the suggestions contained within the guidance itself, Levin says financial institutions will need to utilize information contained in the FFIEC Bank Secrecy Act/Anti-Money Laundering (BSA/AML) Examination Manual, Interagency Guidance on Authentication in an Internet Banking Environment, Interagency Guidelines Establishing Information Security Standards, and sections of the FFIEC IT Examination Handbook, including the Information Security Booklet, the Management Booklet, the Outsourcing Technology Services Booklet, the Business Continuity Planning Booklet, and the Operations Booklet, to ensure compliance in specific areas.

For a copy of the new FFIEC guidance, visit http://www.ffiec.gov/pdf/pr011409_rdc_guidance.pdf.