Exam Time: RDC Safeguards Under More Scrutiny

When three-year-old Community Bank Delaware in Lewes went through its latest regulatory exam, president and CEO Lynda Messick was a little surprised that the bank's remote deposit capture service ranked among examiners' top concerns.

Though the $74 million-asset bank had just three remote deposit clients at the time, Messick was diligently quizzed and prodded about the bank's risk management safeguards. Examiners wanted to know, for example, how the bank monitors RDC activity, how the RDC exceptions handling process works, and whether it provides adequate training for both staff and clients on the security issues of handling electronic check conversions.

"What we walked away with was that the monitoring of this program would be on a par with something along the lines of the merchant programs," Messick said. "It would have the [same] scrutiny that banks' credit card merchant programs have come under in recent years."

Remote deposit capture has been a huge hit with financial institutions since it was rolled out about four years ago. Roughly 4,500 banks and credit unions now offer the service (mostly to commercial customers) and many more are likely to add it in the coming years. But it is also receiving heightened scrutiny following the Federal Financial Institutions Examination Council's guidance issued in January for RDC risk assessments.

The guidelines, like the FFIEC's 2005 rules on authentication for online banking, instruct banks to make sure they have safeguards in place to detect potential fraud, though they stop short of prescribing specific measures.

The inherent risks of remote capture haven't snuck up on bankers, but its application to the wider cross-section of compliance regulations has begun to dawn on institutions and vendors - and is going to require more persistent monitoring and managing.

"It's not just check processing or check scanning," says remote capture security consultant Dan Fisher of The Copper River Group in Fargo, N.D. RDC's money-movement features subject it to Bank Secrecy Act scrutiny. Potential consumer data vulnerabilities put it under the privacy and security requirements of Gramm-Leach-Bliley. There's also the aspect of how these electronic deposit instruments are to be judged under Regulation CC, to determine whether nonlocal deposits become local ones that require shorter hold periods.

Analysts say that banks are pressing their RDC vendors to provide them with more risk management protocols in their deployments, including audit-trail capabilities that make it easier to track duplicate deposits and control end-user access to the remote capture devices.

Banks want to "find ways to identify early on when you're getting a duplicate item either from branch sources, image exchange, lockbox, or ACH," said Paul Colbeck, senior manager of banking strategy and operations at Deloitte. That would include a "unified database to help identify those [items] in the Day 1 process and can mitigate any of the Day 2 adjustments."

While duplicate detection technology is part of nearly all deployments, it's included in batch-processing tasks that aren't done in real time and aren't tied in to other deposit channels where an RDC item might be mistakenly or fraudulently re-entered. End-to-end detection is "what the goal should be, but it's difficult to achieve that goal because banks use different systems" for their branch, remote and ATM capture needs, said consultant John Leekley, CEO of RemoteDepositCapture LLC in Atlanta.
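An added example, not part of the original article or any vendor's product: a minimal sketch of the unified, cross-channel duplicate check described above, consulted as each item arrives instead of in a later batch. The field names, the match key (routing, account and check serial number), the three decisions and the sample items are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Item:
    channel: str       # e.g. "rdc", "branch", "lockbox", "image_exchange", "ach"
    depositor: str
    routing: str
    account: str
    serial: str
    amount_cents: int

def codeline_key(item):
    """Normalise codeline fields so one check matches across capture systems."""
    digits = lambda s: re.sub(r"\D", "", s)
    return (digits(item.routing), digits(item.account),
            digits(item.serial).lstrip("0"))

class UnifiedItemIndex:
    """One index shared by every deposit channel (assumed design)."""
    def __init__(self):
        self._first_seen = {}

    def present(self, item):
        """Return (decision, first_item) for an item at time of deposit."""
        key = codeline_key(item)
        first = self._first_seen.get(key)
        if first is None:
            self._first_seen[key] = item
            return ("accept", None)
        if first.amount_cents == item.amount_cents:
            return ("duplicate", first)      # same check presented again
        return ("review", first)             # same codeline, amount differs

def screen(items):
    """Screen items in arrival order; report which channel saw each first."""
    index = UnifiedItemIndex()
    out = []
    for it in items:
        decision, first = index.present(it)
        out.append((it.channel, decision, first.channel if first else None))
    return out

# Constructed sample items; routing and account numbers are placeholders.
SAMPLE = [
    Item("rdc",    "client-a", "999999992", "4400-1234", "001042", 125000),
    Item("rdc",    "client-a", "999999992", "44001235",  "2207",     9900),
    Item("branch", "client-a", "999999992", "44001234",  "1042",   125000),
    Item("ach",    "client-b", "999999992", "44001235",  "002207",  99000),
]
```

The "review" outcome covers a codeline that matches an earlier item while the amount does not, which is where a keyed correction of a scanner misread would surface for a second look.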

Many of the newer RDC systems from vendors like Fidelity NIS, Fiserv, Jack Henry and Goldleaf Technologies do provide adequate reviews of automated deposit activity per client, said Celent senior banking analyst Bob Meara. More sophisticated auditing capabilities permit banks, for instance, to track how and when end-users make offsite corrections of codeline misreads from the scanner, to ensure that the client is following procedures. "There are systems that provide detailed keystroke-by-keystroke audit trails," says Meara.

Meara, like other observers, says the FFIEC guidance scrutiny isn't due to any epidemic of RDC fraud or security breaches, and most system functionality would most surely pass muster. But it's in the assessment of clients where banks have been more or less on their own in determining the risk assessment. Leekley points out some institutions are establishing deposit history parameters on commercial customers so they can spot unusual high-dollar amounts. There is also tighter scrutiny for RDC privileges, including credit checks and evaluations of third-party relationships to other banks or independent hardware contractors selling RDC services. "The No.1 policy when thinking about merchant capture is 'one [scanner] per customer,'" said Fisher. "If you walk into a potential customer installation, and they have more than one - walk away." That's a clear sign of potential check-kiting activity, he noted.

Training clients in the proper handling of checks is crucial - they must follow laws and guidelines on customer data protection and check disposal. Celent's Meara thinks this may be crucial enough that non-compliant merchants may get blacklisted.

The accidental duplication of deposits in RDC can also play havoc with accounting systems that may be integrated into the RDC platform. And companies might also refrain from high-dollar RDC items because of the liability to cover a mistaken re-deposit of a check that had been converted and deposited previously.

Clients may also not understand the rules they must follow for handling check items, such as whether the check is cleared under Check 21 imaging procedures or under automated clearing house rules - which differ, for example, on whether a physical voiding or franking process is required.

That's why, as part of the examination process, many banks are getting the hint (the FFIEC guidance makes no prescriptive requirement) that an RDC relationship manager should be the norm. At a de novo banking conference in Washington in July, Messick said she met one banker who had gone as far as to assign a relationship manager to each individual remote capture client. "They had that along with the ongoing monitoring on the operation side," said Messick.

To expect that kind of one-on-one attention within community banks might be hopeful thinking, though. Small businesses are one of the key targets for RDC growth at institutions of all sizes, but at small banks, only 43 percent of small businesses currently have account-based relationship managers, according to Aite Group.

Messick's RDC client roster is small, but she expects to boost it this fall following the completion of an internal IT project. It will be a central part of Community Bank's growth plans, particularly with trying to land account relationships throughout Sussex County, with clients up to 45 miles away. But the bank will move prudently and cautiously with its RDC. "In a de novo bank you try to get everything rolled out as quickly as possible," said Messick. "But I think their [examiners'] concern is exactly that...we don't do that before we have the systems and people in place."
