In January 2009, the Federal Financial Institutions Examination Council (FFIEC) issued joint guidance identifying a number of regulatory compliance and operational risks tied to the use of remote deposit capture (RDC). The FFIEC's guidance was the first of its kind issued by federal regulators related to RDC and prescribed actions banks, thrifts and credit unions should take to minimize such risks.
In a statement issued along with its guidance, the FFIEC acknowledged RDC technology, when properly managed, can reduce processing costs for financial institutions and make the deposit process faster and easier for customers. However, the organization also strongly recommended institutions lookout for legal, compliance, reputational and operational risks that accompany the use of RDC systems. In addition, the council said institutions should regularly monitor their RDC activities and conduct periodic assessments to help detect and address these risks.
Some of the risks associated with the use of RDC technology are easy to spot, such as the failure by customers to retain or destroy paper copies of a check as required by institutions. Others seem simple enough on the surface but can lead to much larger problems. For instance, poor image quality of deposit instruments, often caused by a customer's faulty RDC equipment, may cause an institution to have greater difficulty in detecting alterations, forgeries, missing endorsements and counterfeit items.
There are many other risks related to potential fraudulent activity perpetrated by customers using RDC technology. For example, a crook could make multiple deposits of the same check at one institution or throughout multiple institutions. RDC technology can also be used to commit identity theft. In addition, it can be used to further money laundering activities, especially if deposits are permitted from foreign locations.
There are a number of steps your institution should take to minimize its exposure to RDC technology risks, perhaps the most important of which is adequately knowing your customers that are using it. It is essential to conduct careful due diligence of these customers and be very selective as to which ones you allow to use the service. You should make sure the customers using RDC are well-trained and policed in their use of this service and in their obligations with respect to the retention or destruction of the paper checks, the protection of nonpublic personal information and the avoidance of fraud.
All of this starts with a well-designed and clearly written RDC agreement that will be the cornerstone for you and your customers to use the technology successfully. The agreement should start by describing the roles and responsibilities of the parties relating to the sale or lease of equipment and software needed at the customer or member location. It should also specify the necessary handling and record retention procedures with respect to paper checks, remote deposits, and related information, including security expectations regarding access, transmission, storage, and disposal of items containing nonpublic personal information.
A well-constructed RDC agreement should identify the types of deposit items that may be transmitted and the processes and procedures the customer must follow to submit them, including those related to image quality. It should spell out the imaged documents (or paper originals if available) that customers must provide to facilitate investigations regarding unusual transactions, poor quality transmissions, or disputes in need of resolution. In addition, it should identify funds availability, collateral and collected funds requirements and establish cut-off times and specification of when the customer or member will know the financial institution has accepted the deposit.
As part of the agreement, an institution should inform customers it can and will perform periodic audits of their remote deposit capture process, including their IT infrastructure to ensure performance standards for the institution and customer. The agreement should also assert the authority of the financial institution to mandate specific internal controls at the customer or member location, to audit customer or member operations, or to request additional customer or member information. Finally, the agreement should define the laws, regulations and rules governing remote deposit capture and identify the authority of the parties to terminate the remote deposit capture relationship.
If your institution uses or is planning to use RDC technology, it will be important to visit the FFIEC Web site and review the organization's recent guidance. Doing so will help you not only get started in identifying and assessing the risks associated with RDC technology, but determine the extent to which you wish to incur them. As the FFIEC states, RDC technology presents financial institutions and their customers with numerous potential benefits if risk is managed correctly. Establishing the policies and procedures you will need to minimize these risks and making your customers aware of them is the first step in making the most of RDC technology.
Karl Leslie is a senior attorney for Wolters Kluwer Financial Services.
For more Perspectives columns, visit www.americanbanker.com/btn.