-
Creative Payment Solutions, a unit of BB&T (BBT), has launched a new remote deposit capture (RDC) risk self-assessment tool that financial institutions can provide to customers.
August 7 -
Mitek's new remote capture product for prepaid customers requires a driver's license for added security.
May 31
As remote deposit capture becomes a popular way for banks and their business customers to save time and money depositing checks, security risks linger — exposing the banks to liability.
BB&T (BBT) sees an opportunity here. This week the bank began offering a part of its internally-developed web-based RDC compliance suite to other banks. The new
But RDC compliance is a crowded market, including dozens of websites that provide self-assessment compliance questionnaires that banks can forward to businesses. Also, firms that sell the check imaging technology that powers RDC, such as
BB&T is seeking to differentiate itself by offering testing, analysis and advisory services to help businesses create best practices for RDC compliance.
"There's often staff turnover at businesses, which may not be getting the initial training on RDC use and compliance, or the training may be word-of-mouth from the prior person who was responsible, so there can be variations in RDC management," says Brian McCollum, a product manager for Creative Payment Solutions.
The self-assessment test is a web-based tool developed by the BB&T unit, which plans to charge financial institution clients a volume-based fee, with a minimum fee for community banks. The banks' business clients get a "white label" email from Creative Payment Solutions (with the client bank's brand), which includes about a dozen questions covering topics such as how the business is protecting confidential information, check storage and destruction and how the business manages the staff who handle deposits (i.e. how many people actually see checks, and how many deposit processing steps does a particular staffer handle).
The businesses submit the answers to the BB&T unit's hosted testing engine. The engine analyzes the answers against Federal Financial Institutions Examination Council guidance and the client bank's desired "weighting" for specific questions. The result is a report with recommended corrective actions for the businesses to shore up holes in compliance. The financial institution also receives reports on individual businesses and consolidated reports that can be provided to internal auditors and regulators.
Businesses are also given reminders if they haven't completed the self-assessments, and a tracker produces reports on which businesses haven't responded. BB&T has used the tests internally and with clients of Creative Payment Solutions for under a year and reports a return rate of about 80%. The testing campaigns are usually yearly and last about 30 days.
RDC risks include fraud, such as depositing a check via imaging then later depositing the physical check in person at a bank (something that can also happen by mistake); errors in processing; or mistakes that result from poor image quality. Banks' responsibilities for RDC controls are covered under anti-money laundering regulations and state laws. According to the FFIEC, which has published a series of RDC guidance documents, financial institutions have legal exposure related to the controls over the process used for image capture or image exchange and the institution's arrangement and contracts for clearing and settling checks.
A lot of this risk management is handled by banks on the front end through limits on deposits and vetting the actual client before offering the RDC product. But there are still ongoing risks, since the business client retains much of the control over how checks are managed and imaged. The FFIEC guidance says RDC risks at the client location include faulty equipment, poor processing procedures, inadequate training of staff (which can lead to inaccurate document processing), poor image quality and bad electronic data. Ineffective controls can also lead to intentional or unintentional alteration of deposit item information, resubmission of an electronic file or redeposit of physical items. Workflows are also important. The guidance suggests separation of duties to deny any one person end-to-end access to the RDC process, so no one can alter information on a check without being detected. Since the original checks aren't sent to the bank, the client is responsible for managing the storage and destruction of checks. The guidance suggests keeping checks for about a month, then shredding the paper.
"It's a matter of keeping items secure to make sure the business has control over the paper items. In theory the business can get rid of the paper checks right away if they have a valid image. Or once the bank gets the image, it can create an IRD [image replacement document] for the business," McCollum says.
The BB&T product is designed to accommodate mobile RDC testing, though McCollum says testing and regulatory standards for consumer RDC are still a work in progress, citing the consumer RDC market's early stage. "Mobile RDC is just coming into the marketplace. You need to emphasize to your mobile customers the importance of destroying the paper items that have already been deposited."
Bob Meara, a senior analyst in the research firm Celent's banking group, says one of the benefits of RDC self-testing is it gives the banks a document that can be passed along to regulators in the case of an exam. And in a sensitive time for fraud and money laundering, demonstrating clean controls has become table stakes in the check imaging space.
"Vendors aren't necessarily making more money off of RDC compliance, but are increasing the capability of their back office tools to make RDC as squeaky clean as possible. And they are winning or losing deals on that basis," Meara says.
The self-assessments aren't required by law. Nor do they address all RDC risks, such as how a bank determines if it's the first bank to view a check. Meara says these risks can be best managed through a broader, industrywide network of check images. There are large quantities of check images processed by large firms such as Fiserv (FISV), Viewpointe and SVPCO, but Meara says "nobody has a complete industrywide view of everything…most banks use more than one image exchange network."
In a statement to BTN on Friday afternoon, Gary Brand, director of Source Capture Solutions at Fiserv, said the firm offers a range of source capture solutions that can stop the same check from being deposited though multiple channels. He also said the firm has a strategic initiative underway to leverage all Fiserv deposit capture areas to develop a real time "good funds network."
