This month marks a year and a half since the Federal Financial Institutions Examination Council issued its guidance on remote deposit capture. So, having had plenty of time to prepare, how are banks doing in meeting the RDC technology risk management mandate?
Not that well. Even with the council's "IT Examination Handbook," issued in February, banks are uncertain about their preparation for their RDC exams.
Banks' risk management framework should be based on various components of the guidance:
- Set business objectives at the board and senior management level.
- Set standards for RDC vendors, from initial selection to ongoing management.
- Create a risk assessment and management strategy involving all stakeholders and capitalizing on existing risk assessment standards. This should also address legal and operational risks based on the size and complexity of the financial institution and the nature of RDC services offered.
- Establish risk-based standards for qualifying customers for the service and implement mechanisms for tracking due diligence.
- Implement bank- and customer-level training strategies for RDC users. Include standards for ensuring the security and confidentiality of nonpublic information.
- Address customer contract stipulations up front.
The board and senior management team should review performance and risk management reports on the implementation and operation of RDC systems and services. Analyzing trends and identifying exceptions in merchant use of RDC, including deposit detail, will confirm that risk management strategies are working as intended. The goal is not to eliminate residual risk, but to manage and address issues in a timely manner.