RDC Risk Management Update 2011
Heather Holliway, Product Manager Synovus Financial Corp.
Ed McLaughlin, Executive Director
RemoteDepositCapture.com
September 30, 2011
Regulatory Guidance Overview
1. FFIEC RDC Risk Management Guidance released January 14, 2009
  – RDC risk management process in an electronic environment
  – Focusing on RDC deployed at a customer location
  – Principles of RDC risk management discussed are applicable to:
    • FI’s internal deployment – ATM, Branch, Cash Vault
    • Other forms of electronic deposit delivery systems (e.g., mobile banking and automated clearing house [ACH] check conversions).
2. Retail Payment Systems Booklet (N), (M) – February 10, 2010
3. 2010 Version of the Bank Secrecy Act/Anti-Money Laundering Examination Manual – Updated April 29, 2010
4. Authentication in an Internet Banking Environment – October 12, 2005
  1. Supplement to Authentication in an Internet Banking Environment – June 22, 2011
5. Reg. CC changes are coming…
New Challenges
• Mobile, Flatbed, Merchant, Fax
  – Treat as new products in the process
  – Device security
  – Check security
  – Compliance
• Mobile for small business and the consumer
  – The farther down you go the less the sophistication of the business
    • Keep it simple
    • Fewer checks and balances
    • Segregation of duties
    • Documented risk practices
• FFIEC Guidance is risk management oriented, not device oriented
FFIEC guidance was a watershed event
But what value will all the resulting effort produce?
• Nearly 90% of FIs surveyed have suffered NO LOSS uniquely attributed to RDC
  – This includes CUs offering consumer RDC
• Losses among the 12% were not recurring events
• Fraud mechanisms are not a mystery, nor many:
  – Duplicate presentment
  – Kiting
  – Insider fraud
• Duplicate presentment is the most commonly cited mechanism by a large margin
[Figure: RDC Loss Profile. Bar chart of responses (Resp %, axis 0% to 100%) by FI asset size (>$50b, $10b - $50b, $1b - $10b, <$1b). Response categories: "We have recurring loss incidents", "We have had several loss incidents", "We have had a single loss incident", "We have suffered no loss uniquely attributed to RDC".]
Source: Celent FI survey, September 2010, n=194
“Almost exclusively in our cases, our losses are due to insider fraud at our customer sites, due to a lack of or failing to follow existing dual controls” – US Mid tier bank
This slide provided courtesy of Celent.
System Capabilities & Integration
System Functionality
• Duplicate item detection
• Scanner options
• Data Integration & Usability
• Audit logs and event logs (MIS reporting)
• IQA and IUA
• Front and Back of the Check
  – MICR & CAR/LAR Controls
  – Marking Capability
  – Presence of Endorsements
• Clearing options
  – LCR (lowest cost routing) Includes rules for ACH vs. Image and IRD
• ABA Validation routines
• Integration of
  – BSA/AML systems and processes
  – OFAC
  – BCP (Enterprise)
• IT Security Infrastructure (SSO, rights and privileges, etc.)
Know Your Customer
Key Information:
• Understand Business
  – Finances, Customers, Processes
  – CDD (Customer Due Diligence), EDD (Enhanced Due Diligence)
  – CIP (Customer Identification Program)
• Understand Deposits
  – Obtain History
  – Volumes & Values of Items, deposits, returns
  – Velocity
• Use this data to custom-fit RDC
  – Thresholds, Limits, Holds & Availability Schedules
  – Separation of Duties, Approvals
  – Functional Capabilities
  – Pricing, Balances, monitor deposit & data trends.
RDC should be customized to each individual client.
Duplicate Detection
Duplicate Detection should ideally be done across all levels & accounts, channels and products.
• Levels & Accounts
  – User, Location, Account
• Channels
  – RDC Location, Lockbox, ATM, Branch, Mail Drop, Kiosk & Inclearings, etc.
• Products
  – Check and ACH (for converted items)
• Network
  – All banks using a specific service provider
• Industry
  – i3G / Fed Initiative
  – More??
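An added illustration (not part of the original slides) of why duplicate detection scoped to a single channel misses items re-presented elsewhere. The check key (MICR routing, account and serial plus amount), the field names and the sample deposits are assumptions constructed for this example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Item:
    # Check identity (assumed key): MICR routing/account/serial plus amount.
    routing: str
    account: str
    serial: str
    amount_cents: int
    # Where the item was presented for deposit.
    bank: str
    channel: str            # "RDC", "ATM", "Branch", "Lockbox", ...
    deposit_account: str
    location: str
    user: str

    def check_key(self):
        return (self.routing, self.account, self.serial, self.amount_cents)

def scope_needed(first, dup):
    """Narrowest detection scope that would catch `dup` given `first`."""
    if first.bank != dup.bank:
        return "network"
    if first.channel != dup.channel:
        return "cross-channel"
    if first.deposit_account != dup.deposit_account:
        return "cross-account"
    if first.location != dup.location:
        return "account"
    if first.user != dup.user:
        return "location"
    return "user"

def find_duplicates(items, partition=()):
    """Flag re-presented checks. `partition` lists the Item fields that wall
    off one detector's view; () means one shared view across everything."""
    seen, hits = {}, []
    for it in items:
        k = (it.check_key(), tuple(getattr(it, f) for f in partition))
        if k in seen:
            hits.append((it.serial, scope_needed(seen[k], it)))
        else:
            seen[k] = it
    return hits

# Constructed sample deposits (all values are made up for illustration).
M = ("000000001", "555001")   # placeholder routing / payor account
ITEMS = [
    Item(*M, "1001", 25000, "BankA", "RDC", "D1", "Store1", "alice"),
    Item(*M, "1001", 25000, "BankA", "RDC", "D1", "Store1", "alice"),
    Item(*M, "1002", 9900, "BankA", "RDC", "D1", "Store1", "alice"),
    Item(*M, "1002", 9900, "BankA", "ATM", "D1", "ATM-17", "-"),
    Item(*M, "1003", 120000, "BankA", "RDC", "D1", "Store1", "alice"),
    Item(*M, "1003", 120000, "BankB", "RDC", "X9", "Home", "bob"),
]

RDC_ONLY = find_duplicates(ITEMS, partition=("bank", "channel"))
BANK_WIDE = find_duplicates(ITEMS, partition=("bank",))
NETWORK = find_duplicates(ITEMS)
```

The RDC-only view flags one of the three re-presented checks, the bank-wide view two, and only the shared network view all three.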
The Importance of Endorsements
• Endorsements can help prevent duplicates
  – Restrict deposit to a specific bank & account
• Legal & Regulatory implications
  – Appropriate endorsement can be identified
    • Teller
    • Payor
    • Systemic Identification
  – Decreases likelihood item will be used
    • Criminals can also see the restrictive endorsement
• Systemic Capabilities are evolving
  – Hardware & Software
Testing Risk Management
[Table: each Risk Control rated against each Risk Type with a circle symbol; the per-cell ratings are not recoverable from the slide text.]
Risk Types (columns): Operational Error, Check Kiting, Duplicate Error, Duplicate Fraud, Value Fraud, Volume Fraud, Return Items
Risk Controls (rows): Value / Volume Thresholds, RDC System DD*, Cross-Channel DD*, IQA / IQU / CAR / LAR, Patterning, Holds, Availability Schedules, Balances
*Duplicate Detection
¼ Circle = Minimal, ½ Circle = Fair, ¾ Circle = Moderate, Full Circle = Good
Level of Risk Management Adequacy:
FIs should have at least 1.5 Total Circles per risk type, 2+ for Fraud Risk Types.
RDC Risk Management
Striking the perfect balance between BSA/Compliance and Treasury Management
Heather Holliway, Product Manager Synovus Financial Corp.
September 30, 2011
Let the Tug-of-War Begin
• Synovus released RDC in 2005
  – Rush to market, high profile product
  – Treasury Management is eager to sell, sell, sell!
  – BSA wants control!
11 Copyright 2010, RemoteDepositCapture.com
Results of Tug-of-War
• Customer dissatisfaction with turn-around time on approval
• Sales team frustrated with documentation requirements and approval process
• Resource intensive for both BSA and Treasury Management teams
• BSA now referred to as “BPU” (Business Preventative Unit)
The Dilemma
Question: How can we sell the service and deliver quickly while appropriately mitigating risk?
Answer: Restructure the customer approval process based on customers’ risk classifications. Revise the Risk Policy!
A Realistic Approach
• Treasury Management must partner with BSA/Compliance and Operational Risk to create a realistic and reasonably designed risk based Remote Deposit Capture policy based on FFIEC guidance
• Implement monitoring or audit procedures
  – Understand your customers’ activity to identify red flags before it’s too late
  – Be proactive vs. reactive
  – Determine both business segment and BSA Risk tolerance thresholds
Customer Approval Process
• Customer approval process
  – Define customer risk categories based on FFIEC guidance and your bank’s risk appetite (e.g. low, medium and high)
  – Determine which categories are permitted and prohibited
  – Determine who owns the approval based on risk type (e.g. moderate risk requires dual approval, high risk RDC prohibited)
• Regardless of risk level, due diligence must be performed and documented
  – Know your customer: apply your bank’s CIP and CDD/EDD standards
  – Document anticipated volume and $ deposited
  – Review previous statements to understand customer’s activity
  – Verify account ownership
  – Verify credit relationship is in good standing (if applicable)
Account Monitoring
• Ongoing Account Activity/Transaction Monitoring
  – Examples of valuable data:
    • customer account balances and deposit history
    • spiked activity or trends that are inconsistent with anticipated account activity
    • overdrawn accounts
    • higher incidence of NSF checks, returned items or customer complaints
    • routinely resubmitted data files or duplicate presentment of checks or images
    • changes in business profile or ownership
  – Accounts with significant variances should be reviewed, explanations should be documented and archived for audit
  – Accounts with suspicious activity:
    • should be reported to Loss Prevention, Operational Risk and BSA/Compliance
    • work with Relationship Manager to determine whether or not service should be removed
Training
• Critical for both Treasury Management and Customers!
• Treasury Management Training
  – Sales must understand policy before selling
  – Mandatory Product and Risk training on at least an annual basis
  – Identify BSA/Compliance red flags for suspicious activity
  – Escalation Criteria – both Operational and BSA compliance
  – Standardize documentation for monitoring and exception reviews to meet compliance, audit and regulatory scrutiny
• Customer Training - end user should understand the policies and procedures set forth in the legal agreement
  – Deposit deadline
  – Eligible / Ineligible items
  – Handling of duplicate items
  – Retention requirements
  – Prohibited use
Striking the Perfect Balance
• Simplify the customer approval process based on FFIEC guidance
• Implement risk based account and transaction monitoring based on your bank’s BSA risk profile and business segment risk tolerance
• Sales Team – selling and generating fee income!
• BPU returns to BSA – no longer “the bad guys”!
Summary of Risk Management Standards - FFIEC:
• Comprehensively identify and assess RDC risk prior to implementation
• Conduct appropriate customer CDD and EDD on new RDC customers
• Create risk-based parameters that can be used to conduct RDC customer suitability reviews
• Obtain expected account activity from the RDC customer, such as the anticipated RDC transaction volume, dollar volume, and type (e.g., payroll checks, third-party checks, or traveler’s checks), comparing it to actual activity, and resolving significant deviations
• Compare expected activity to business type to ensure they are reasonable and consistent
• Develop well-constructed contracts that clearly identify each party’s role, responsibilities, and liabilities, and that detail record retention procedures for RDC data
• Implement additional monitoring or reviews when significant changes occur in the type or volume of transactions
• Ensure that RDC customers receive adequate training
Questions?
Additional Takeaways
• Determine both business segment and BSA Risk tolerance thresholds
• Design a reasonable and realistic policy based on FFIEC guidance and controls currently in place
  – e.g. assume more risk on the front line due to in depth monitoring on the back end
• Partner with BSA/Compliance…tap into their knowledge!
About The Presenter
Heather Holliway
• Synovus Financial Corp.