Risk Management of Remote Deposit Capture
In January the FFIEC issued risk-management guidance for all financial institutions offering “remote deposit capture” services for customers.
To more effectively attract small-to-mid-size businesses as deposit customers, many banks “lead” with the benefits of “remote deposit capture” as an almost automatic feature of new commercial accounts. One of the clear messages in this new guidance is that not every commercial depositor should be automatically approved for “remote deposit capture.”
Instead of viewing “remote deposit capture” (RDC) as another feature available to commercial accounts, the FFIEC wants banks to consider RDC separately, as a relationship involving different risks between bank and customer. Based on a written policy setting out risk factors, or case-by-case, the FFIEC wants banks to consider whether the operations of a particular business will make it an acceptable entity to use RDC. A commercial depositor that is approved for RDC should be required to use appropriate bank-established minimum procedures and safeguards.
The FFIEC guidance outlines some very general principles and concepts that are not specific to a particular technology or format. Falling within these general provisions is a depositor’s off-bank-site conversion of paper checks to electronic images. However, the guidance is sufficiently broad in scope that it also covers (and its principles should be applied to) any off-bank-site conversion of checks, including conversion to ACH (in a point-of-sale merchant transaction or a back-room conversion, such as at a payment-receiving company’s back office).
Before establishing an RDC program, a bank should have a broad-based internal discussion of the potential risks involved, and of various steps or controls that the bank could use to limit some of those risks. As outlined below, an effective program for mitigating the bank’s risks from RDC activity should include a well-drafted contract allocating loss appropriately between the bank and the RDC depositor, written bank policies, written procedures that RDC depositors must follow, some level of training and ongoing assistance for RDC customers, and some requirement that minimum security controls be established at the depositor’s own offices.
As also discussed below (perhaps varying with a bank’s size and the importance of RDC to the bank’s overall business), a bank may want to adopt guidelines for denying availability of RDC where higher-risk factors identified by the bank are present, including the customer’s distant geographical location or type of business activity, the customer’s lack of internal control procedures, the large size of typical items processed, the overall dollar volume of items processed, and/or the customer’s lack of sufficient financial strength or long-term business prospects (potential inability to reimburse the bank for returned items as required by the RDC contract).
1. Why RDC is Different
From a risk standpoint, RDC differs from “traditional” (paper-based) commercial deposits, which are more completely under a bank’s control. With RDC a bank essentially “outsources” to its customer the check-imaging function, the storage of check images (for a time), the storage of original checks as back-up records (until later destroyed), and the eventual responsibility for disposing of the original items.
A commercial depositor is generally focused on whatever it takes to run a business, instead of RDC-related issues, which usually won’t get such careful attention as the bank itself or a bank services provider would give. However, less focus (or looser procedures) can create an opportunity for problems to arise, such as a breach of nonpublic personal information, improperly prepared RDC items, or even fraud. These issues can create liability for both the depository bank and the RDC depositor.
As a sample of some of the issues involved, a small-business RDC depositor, in contrast to a bank, (1) probably does not obtain background checks on employees, including those involved with imaging of checks; (2) may have no effective controls to limit access to its check-imaging equipment, stored images, and stored original checks; (3) may have little sensitivity to “customer privacy” or identity theft issues that might relate to the business; (4) may produce check images that sometimes are not of high enough quality; and (5) may be transmitting check images for deposit over the internet, without adequate procedures for encryption or authentication by the depository bank.
A bank should not look at RDC as “something our customer does, outside of our own control.” The FFIEC expects a bank to have an active influence, as much as needed (by written policies, training, customer service, audits, etc.), on how the customer’s RDC activities are carried out and how such activity is meshed with the bank’s own operations.
Ideally, after setting up an RDC customer a bank will continue to monitor that customer’s activities, either at regular intervals or when a problem appears. It should be understood by all parties that a depository bank has the right to “pull the plug” on RDC if it becomes uncomfortable with a particular depositor’s activities.
2. Operational Risks
The FFIEC expects a bank’s senior management to understand the operational risks involved in RDC. (Some banks should not offer RDC at all—and particularly if they do not have appropriate systems and procedures in place.) A bank’s board or management should approve the bank’s RDC plans and policies. Further, a bank should commit “significant expenditures” (if it offers RDC at all) for implementation and ongoing operation of RDC systems and services. Bank personnel should prepare risk management reports from time to time, relating to RDC activities. Going forward, a bank should recognize that some amount of oversight, auditing of RDC depositors’ activities, and/or update training may be necessary.
a. Unauthorized Access. Bank policies, procedures and controls for RDC should minimize operational risks. One category of risk is unauthorized access (either physical or electronic access) to a depositor’s RDC systems, the original checks stored as back-up at the depositor’s office, the computer files of images generated from those checks, and/or any other retained nonpublic personal information collected by the depositor in accepting those checks.
To break these risks down into smaller parts, a bank’s policies might consider what controls are in place for an RDC system at a commercial depositor’s office or home (the storage location of the imaging system itself, what level of security it will have, and who will be able to gain access); where the original checks that have been imaged will be kept by the RDC depositor (in the attic or basement, in a locked cabinet or drawer, in a safe, etc.), and who can access those checks (only office personnel, all employees, anyone who walks into the building, children visiting in the home, etc.); who will have access to the computer or server on which files of imaged checks are stored, and what level of security will block non-authorized persons from gaining access; how other nonpublic personal information collected by the RDC depositor is stored and protected (for example, copies of drivers’ licenses or contracts between the RDC depositor and its customers); and how that depositor’s older documents and electronic data are disposed of.
One approach might be for a depository bank to impose the same minimum requirements on all RDC depositors—providing written procedures, explaining specific risks, and outlining what minimum controls a business should impose to lessen those risks. However, using a “risk-based” approach, a bank may also impose enhanced requirements (or oversight) on RDC depositors that pose greater risk for the bank because of their line of business, large dollar amounts per item, large total dollars of imaged items, or unusual activity.
Either way, “required procedures” are based on an assumption that RDC depositors are more likely to take appropriate action if a bank “educates” them concerning RDC-related risks existing at their businesses and mandates certain steps. (This assumption may not prove true; but certainly RDC depositors cannot protect against risks if they have never considered those risks.)
The “standard procedures” approach also implies that there will be some degree of oversight of RDC depositors’ activities by the depository bank from time to time. (If rules exist but everyone knows there will be no effective enforcement, compliance is unlikely.) Perhaps a bank can reserve “hands-on” inspections of customer operations for situations where procedural issues or processing errors are obviously occurring, but a bank must make such decisions for itself.
b. Faulty Equipment. A second category of operational risk relates to the “initial capture” of images. Various technical problems can occur with document imaging or ACH check conversion. “Faulty equipment” is one example. (In most cases, the bank owns the RDC system, allowing a customer to use it without cost. Where this is true, it’s typically the bank’s responsibility to maintain the equipment in good working order or replace it. Interestingly, poor image quality can result in liability to the depository bank, but completely broken equipment simply means that images can’t be made or deposited. Either way, RDC customers should immediately report any problems with equipment functionality. In cases where the depositor owns the RDC system, the bank should require the customer to keep it functioning properly.)
c. Operator Error. Another category of initial capture problem involves “operator” error (as one example, failure to image both sides of a check legibly). Inappropriate document processing may result (1) if a depository bank has not established adequate procedures, (2) if training or supervision is not adequate to ensure that a depositor’s employees follow already appropriately-outlined procedures, or (3) if an RDC depositor is left short-handed (vacation, sickness, turnover), and a new hire or someone else who is not cross-trained attempts to operate the equipment. Follow-up assistance is needed from a depository bank to cover problems like this.
d. Ineffective Controls. Some additional initial capture problems might fall within a category of “ineffective controls.” The FFIEC mentions “intentional or unintentional alteration of deposit item information.” For example, dollar-amount encoding related to an imaged item might not match the original item. This might be an error, and might be caught if the customer had a procedure to double-check imaged items before they are deposited. Alternatively, the incorrect encoding might be intentional, carried out by an employee who plans to pocket the difference.
When there is “inadequate separation of duties at a customer location,” and therefore “end-to-end access to the RDC process,” an employee has greater opportunity to alter items without detection. RDC depositors may not understand the advantage of having more than one employee involved in this process.
Another aspect of “ineffective controls” involves erroneous resubmission of the same item (duplicate presentment), either (1) by unintentionally sending the same image or same file of images for deposit twice, or (2) by sending both the image and the original check for collection, at different times. These errors are more likely if a company’s records are in a state of confusion (for example, if there is no fixed procedure for moving processed items to another spot, marking, and storing them) or if different people are handling transactions on two different days, and one doesn’t know where the other one stopped.
In some cases a business chooses to deposit some of its checks electronically and others in paper form—depending on whether the items are “local” or not, how much the business needs “funds availability” immediately, and the different cost per item for processing items by one method or the other. This shifting between alternative collection methods can especially create confusion at a small business that has sloppy recordkeeping.
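The duplicate-presentment problem described above (the same file sent twice, or the same item appearing twice) is one that a depository bank can screen for on its own side before crediting a deposit. The following is an added example, not code from the article or the FFIEC guidance; it assumes the bank has already parsed the MICR line and encoded amount out of each deposit file, and the item fields and sample batches are constructed for illustration.

```python
"""Duplicate-presentment screening for RDC deposit files (added example).

Flags (1) a deposit file that is byte-for-byte identical to one already
received, and (2) an individual item whose MICR line and amount match an
item already presented, whether earlier in the same file or in a prior
file. If paper deposits are fed through the same screen, the same key
also catches an original check presented after its image.
"""
import hashlib
from dataclasses import dataclass, field


@dataclass(frozen=True)
class CheckItem:
    routing: str       # payor bank routing number from the MICR line
    account: str       # payor account number from the MICR line
    serial: str        # check (serial) number from the MICR line
    amount_cents: int  # dollar amount as encoded by the RDC depositor

    def key(self) -> tuple:
        # A check is identified by its MICR line; the amount is included
        # so that two different checks on the same account that happen
        # to share a serial are not confused with one check sent twice.
        return (self.routing, self.account, self.serial, self.amount_cents)


@dataclass
class DuplicateScreen:
    seen_files: set = field(default_factory=set)   # SHA-256 of accepted files
    seen_items: set = field(default_factory=set)   # keys of accepted items

    def screen_file(self, raw_file: bytes, items: list) -> dict:
        """Return a report of duplicates; only accepted items are recorded."""
        report = {"duplicate_file": False, "duplicate_items": [], "accepted": []}
        digest = hashlib.sha256(raw_file).hexdigest()
        if digest in self.seen_files:
            # Whole file resubmitted: nothing in it should be credited again.
            report["duplicate_file"] = True
            return report
        self.seen_files.add(digest)
        batch_seen = set()
        for item in items:
            k = item.key()
            if k in self.seen_items or k in batch_seen:
                report["duplicate_items"].append(item)
            else:
                batch_seen.add(k)
                report["accepted"].append(item)
        self.seen_items |= batch_seen
        return report


def demo() -> dict:
    # Constructed sample (fictitious routing/account numbers): Monday's file,
    # then Tuesday's file containing one item already deposited Monday and
    # one item keyed in twice, then Monday's file sent a second time.
    screen = DuplicateScreen()
    monday = [
        CheckItem("011111111", "123456789", "1001", 125000),
        CheckItem("011111111", "987654321", "2002", 4999),
    ]
    tuesday = [
        CheckItem("011111111", "123456789", "1001", 125000),  # repeat of Monday
        CheckItem("022222222", "555000111", "77", 300000),
        CheckItem("022222222", "555000111", "77", 300000),    # keyed twice
    ]
    return {
        "monday": screen.screen_file(b"MONDAY-FILE", monday),
        "tuesday": screen.screen_file(b"TUESDAY-FILE", tuesday),
        "monday_again": screen.screen_file(b"MONDAY-FILE", monday),
    }


if __name__ == "__main__":
    for name, rep in demo().items():
        print(name, "duplicate_file=%s" % rep["duplicate_file"],
              "dups=%d" % len(rep["duplicate_items"]),
              "accepted=%d" % len(rep["accepted"]))
```

Flagged items would go to a review queue rather than being credited, which is the bank-side counterpart to the depositor-side procedure of marking and moving processed checks.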
Concerning document storage and eventual document destruction, the FFIEC notes that “it is important for the financial institution to require [RDC] customers to implement appropriate document management procedures to ensure the safety and integrity of deposited items [for example, paper checks retained as back-up] from the time of receipt until the time of destruction or other voiding.”
e. Information Technology. Information security risks or information technology compatibility issues comprise another category of “initial capture” problems. Banks are well-focused on limiting and controlling access to their own computer networks, but RDC customers may have a much lower level of security features or access control at their own offices where items are processed. Even with awareness, small businesses are unlikely to devote the same resources to information security that a bank does; but hopefully, explaining the need to protect access to electronic images may result in adoption of at least basic security procedures.
Relating to transmission and interchange of RDC information between a depositor, a bank’s service provider and the depository bank, a modification of RDC-related software or hardware by an RDC customer or service provider can result in loss of compatibility or functionality between systems. Each party’s system must be maintained, upgraded or patched, whenever vulnerabilities or other problems are discovered, or newer software is adopted. A depository bank should require (and perhaps verify) that such RDC-related changes are made promptly.
The FFIEC is also very concerned with the general vulnerability of RDC information sent over the internet from an RDC depositor to the depository bank. A bank should carefully consider what “authentication” method it uses for RDC customers. Transactions are considered “high-risk” (requiring multifactor authentication, layered security or other controls) whenever what is transmitted involves “access to customer information or the movement of funds to other parties.” Check images contain several types of sensitive information (customer name, account number, address, and often a written driver’s license number). Check images transferred for deposit and collection have the same value as paper checks, and should be considered as a transfer of funds. This analysis justifies higher security for transmission of images.
f. Fraud Risk. An additional sub-category of “initial capture” risk is “fraud risk.” The same risks that a bank has with deposited paper checks will also apply to RDC—including check alteration, forged signature of a maker, and forged or missing endorsements; but each of these problems may result in greater losses in the RDC context, simply because check imaging (or conversion of items to ACH) can allow more bad items to slip through, undetected. Depending on internal controls, RDC also creates new opportunities for fraud by dishonest employees of the depositor. With higher “fraud risk” from both of these directions, the depository bank may experience a somewhat higher level of losses when taking imaged (or ACH conversion) items for deposit instead of original items.
A basic reality behind Check 21 is that paying banks would not put up with a regulation requiring them to pay check images (or substitute checks) instead of original items, unless by doing so the paying banks remain in roughly the same position legally and financially as they do in paying the original items. Because of Check-21-related rules, a depository bank generally cannot shift any of its increased check-image-related losses to the paying bank. Instead, the depository bank must absorb any increased risk of loss, or else must have a way to shift any increased losses back to the RDC depositor originating the images. As discussed below, appropriate contractual provisions are necessary to allocate losses properly between the depository bank and the RDC depositor; but it’s also important for the RDC depositor to be strong enough financially to stand good for whatever amount of increased loss a depository bank needs to shift back to that RDC depositor.
I will explain some situations in which there can be increased risk of loss to the depository bank from handling RDC deposits instead of original items.
As a beginning example, the fact that a check has been “washed” or otherwise altered might be fairly obvious from the original item but not from an image. Although the depository bank might have caught the original of the altered item at deposit, it does not do so based on the image. The depository bank gives its depositor credit, the item comes back, and the depository bank takes a loss, at least temporarily. (Here, by contract, the loss needs to flow back to the RDC depositor, which hopefully will be good for that amount.)
As another example, a company’s “genuine” checks may contain security features (such as watermarks) that make that company’s checks much more difficult to counterfeit; but these security features may not be captured at all by the imaging process. If imaging basically destroys the usefulness of a security feature that a particular company builds into the check-handling process to avoid fraud, the paying bank (and its customer) might successfully argue that the obscuring of the security feature by imaging is what resulted in the loss—and by this means, the depository bank may be liable, although the otherwise-applicable midnight deadline for returning the item to the depository bank has passed. (In turn, based on contract, the RDC depositor should be liable, because it did the imaging, regardless of whether it was in any way aware of or involved in the counterfeiting of the item.)
As a third example of higher risk to a depository bank presenting check images to a paying bank (instead of original items), a well-made “forged signature” is often considerably harder to identify from an image than from an original paper check. For items that a paying bank “manually examines” (those above a certain dollar size), a good forgery may be harder to notice on an image because of absence of certain clues available only by examining the original item. If, for example, a paying bank examines and pays a check image without detecting forgery, but it argues that it could have spotted the problem from the original (if the original had been presented instead of the image), the depository bank could be liable for the paying bank’s loss.
Handwriting experts often examine the reverse side of a paper document containing an original inked signature, to see whether there is uniform “pressure” applied to the paper by the pen throughout the signature. In the case of a forgery there may be some unusual variation in how deeply the pen indents the paper. (A forger who stops and starts will not sign with a continuous flow.) To the trained eye, someone who is either tracing another person’s signature, or “drawing” another’s signature free-hand, may produce a result looking somewhat different than a real signature made at a higher speed. An original check (having no imaged blurriness) may also show some slight variations in width of the inked writing making up the signature. This may occur if the forger needs to use smaller, separate strokes to get the signature right, and he removes the pen from the page after each stroke—which the real signer would not do.
As another example, it may be possible for a fraudster to prepare a “dummied up” original check that would not look “real” to anyone. (The “original” may have started as either a stolen or “counterfeit” blank check—perhaps with a photocopied or scanned signature added.) With care an imaged copy prepared from it may look good enough to “pass” as real. (Here, the person doing the imaging is the perpetrator. The opportunity to send only an image of the item through the collection process can create enhanced opportunity for fraud, in cases where presentment of the “original” would never pass.)
Although a depository bank may be comfortable that its RDC depositor is “legitimate” and a reputable company (an issue already reviewed to some extent in opening an account), that bank’s policies still should assume that some employee of the business could attempt fraud if given the opportunity—just like at any other business.
(Unfortunately, a dishonest employee at a company using RDC may have greater resources for fraud and identity theft than an employee at a company without RDC. The potential financial damage from exploitation of the RDC process should not be dismissed out of hand.)
Concerning the known integrity of its employees, a bank is in a position not automatically shared by RDC customers. In order to satisfy its bonding and regulatory requirements, a bank regularly obtains criminal background checks on its own job applicants, and also (in most cases) their credit reports. As a result, when a bank itself does on-site document imaging, the persons who have access to that process have already been at least minimally screened.
A bank should assume that the average RDC depositor is not doing background checks on employees, and also wouldn’t welcome the bank’s suggestion that its employees involved with imaging, or with storing paper checks (retained as backup), should be subject to background checks. An RDC depositor’s hiring practices (often looser than for a bank) can create a vulnerability. Although for smaller RDC depositors a bank may be unable to impose any type of employee-screening requirement, the issue becomes even more important with large-volume RDC depositors. Hopefully, at least the entities with more financially significant operations will be receptive to the need to impose tighter hiring procedures to protect their own businesses—completely apart from decreasing RDC-related risks.
3. Risk-based Decision-making
A relevant question (perhaps stated in an unusual way) is whether a bank is “pricing” its RDC program correctly, in light of the bank’s at least somewhat increased risk of loss. If a bank is “leading” with RDC to attract customers, it’s possible that the “cost” to the bank of providing this service (including increased losses) may be acceptable in terms of the overall customer relationship.
But there are customers who are paying nothing extra for this service (beyond costs of a regular commercial deposit account), who also are bringing no other “value” to the bank. In each such case a bank might ask itself, “Why are we doing this?” (Ideally, a bank should be able to answer that question, at least generally. The answer hopefully will involve the existence of appropriate controls and/or other mitigation of “risk-based” issues that the bank has identified as important.)
For a particular business, part of the answer might be that (1) the business is small, with low deposit activity and resulting small risk; or (2) the individual business, its owners, its activities, and its internal controls are familiar to the bank; or (3) by imposing tighter controls than normal, the bank is able to reduce its risk for the particular business to a very low level.
The FFIEC observes, “A financial institution may determine that risks associated with RDC warrant greater customer selectivity than the risks associated with traditional deposit services and may choose to reduce and control those risks by limiting the availability of this system.” (Translation: It’s permitted, and may be very smart, to tell some customers “no” when they request RDC capability.)
The FFIEC further states, “Management should establish appropriate risk-based guidelines to qualify customers for this service.” A bank should not approach this as if everyone will qualify unless something unusual pops up. Rather, a customer who wants RDC should meet the bank’s pre-determined standards—and if exceptions are made, it should be because other considerations still make the risk acceptable, on balance.
The guidance notes, “For new and existing customers, a suitability review should involve consideration of the customer’s business activities and risk management processes, geographic location, and customer base. The depth of such review should be commensurate with the level of risk. When the risk level warrants, financial institution staff should include visits to the customer’s physical location as part of the suitability review. During these visits [when the circumstances require it], the institution should evaluate management, operational controls and risk management practices, staffing and the need for training and support, and the IT infrastructure.”
A commercial customer that is already generally known to the bank, with ordinary and easy-to-understand business activities that do not raise any higher-risk concerns, will probably not require an on-site visit by the bank. Instead, the bank may just ask the customer some appropriate questions about the customer’s operations. The guidance states, “When appropriate, based on risk, financial institutions may choose to rely on self-assessments by their RDC customer when these address the controls and risk management practices that would otherwise be reviewed during on-site visits by financial institution staff.” Again, the extensiveness of this (or not) should be risk-based.
But based on either an on-site visit or in-bank questioning, there may be some businesses that just shouldn’t qualify for RDC. These customers might have (1) internal business controls that are non-existent, (2) employee turnover that’s like a revolving door, (3) a line of business activity that’s unsavory or that involves higher levels of customer complaints and returned items, or (4) a dollar volume of items deposited that is oversized in relation to the company’s financial condition and ability to stand good for returned items. In such cases (and any other higher-risk scenarios identified by the bank), the correct response to a request for RDC capability may be “no.”
4. Qualifying a Customer Financially?
Should a bank “screen” an RDC customer based on financial strength (particularly where the expected dollar volume of imaged items to be deposited, or their type, or their level of risk, is an issue)? Is it better to decline a request for RDC activity if a deposit customer is thinly capitalized and may lack sufficient net worth or liquidity to make good on deposit items that are returned? (Even the best contract, requiring an RDC depositor to indemnify the bank for bad items, will prove inadequate as protection if the customer cannot stand good for its obligation.)
Assuming that RDC depositors create somewhat higher risks to the bank than ordinary depositors, the issue of “financial soundness” may be even more important in approving RDC than in approving a traditional commercial account. The FFIEC does not specifically mention a customer’s financial capability (one way or the other) but generally expects a bank to consider all relevant RDC-related risks.
One approach (not mandatory) might be for a bank to require an RDC depositor to show a certain minimum financial stability if anything about the company’s business operations creates a higher-than-normal risk of liability for the bank. (The more likely that a company’s loose operations or high-volume activity will lead to significant amounts of return items, the more financial strength a bank may legitimately require before feeling comfortable with a customer as an RDC depositor.)
It should be noted that when a deposit customer is a separate legal entity (corporation or LLC) and is not especially strong financially, one way to increase the bank’s comfort level is to require the owner to guarantee the entity’s deposit agreement. Even in a case where a bank would not request this for an ordinary deposit agreement, the bank still might require the owner to guarantee the entity’s RDC agreement, on the basis that RDC deposits create a higher risk of return items, for which the bank needs greater financial protection.
Depositors that regularly cash a high volume of third-party checks for their customers (including grocery stores or check cashers) may have a volume of return items that is disproportionately large compared to other businesses of the same size. While there is nothing inherently wrong with these businesses, the level of items may warrant stricter requirements.
Certain other categories of business activity may result in a higher level of return items or attempted returns, including internet sales, telephone sales or mail-order sales. Such issues are appropriate to factor into a bank’s policies. Some other types of business are so high-risk that banks may want to avoid them altogether, including internet gambling, credit-repair services, adult entertainment, and businesses located offshore.
From an opposite standpoint, some businesses are sufficiently small, and have such a low level of deposit activity (not many checks, and not in large amounts) that the owner’s lack of net worth may be of little importance to the bank. Although the business “operates on a shoestring,” the bank may be very comfortable with the owner’s character and the absence of any other employees. With a sensible, case-by-case, “risk-based” approach, there’s no issue here.
5. Legal and Compliance Risks
The FFIEC notes, “When a financial institution sends a check for collection or presentment, it makes warranties and takes on liabilities with respect to that check under Regulation CC, state law (the Uniform Commercial Code), and, if it sends the check to a Federal Reserve Bank, Regulation J.” (Check images, or “substitute checks” under Check 21, give rise to additional warranties not applicable to the processing of original paper items.) “In addition, the financial institution may take on other responsibilities with respect to the check as agreed to between the participating institutions by contract or clearinghouse rules.” Based on any of these various grounds, a depository bank can become liable for items deposited by its customer.
Where a deposit customer converts a check to ACH (another form of RDC covered by the FFIEC’s guidance), the depository bank makes an automatic warranty that the item it sends into the ACH system is authorized (which assumes not only that the item itself is authorized, but also that there is appropriate authorization for converting the item to ACH). Of course, the bank is liable for anything not authorized.
In properly assessing what level of “risk” will be involved with RDC activities, a depository bank needs to understand all of the ways that it can become financially liable for items sent by an RDC depositor, if those are returned by a paying bank. A wide range of actions taken by the RDC depositor (fraudulently, negligently, or without authorization) can cause liability to the bank, in addition to normal liability for “bad” items (alterations, forgeries) that this depositor (like any depositor) innocently handles and does not catch.
(Fraud issues, various negligence issues, and “bad signature” or alteration issues have already been adequately discussed. As some other examples, if a “telephone check” originated by the deposit customer in connection with its business (and imaged) comes back as “unauthorized,” the depository bank is liable; or if the RDC depositor “over-encodes” an imaged item, the Federal Reserve’s encoding warranty is breached and the depository bank is liable. If someone with rights relating to a check sustains a loss and is entitled to indemnity because a check image made by an RDC depositor does not legibly show all of the information visible on the original check, the bank is liable. Or if both the original check and a Check 21 substitute check (or the original check and a check image; or duplicate images) are presented for payment, violating a warranty against double presentment, the bank is liable. If a dollar-amount error occurs in converting an original check to ACH, the bank is liable. These and other examples mentioned in this article are not an all-inclusive list.)
As suggested above, “warranty” provisions may come from a variety of sources (Federal Reserve regulations dealing with check-clearing between banks and relating only to banks; ACH rules agreed to by banks, but not entered into by customers; and clearinghouse rules accepted by banks, but not by customers). Necessarily, each such provision extends only as far as the legal authority on which it rests. As a result, many warranties are only effective to shift losses back from a paying bank to the depository bank. Most such regulations and rules do not automatically shift losses back from a depository bank to a customer that sent the problem item. To accomplish that result, a depository bank needs an appropriate contract that allocates liability for items—in other words, that pushes liability back to the depositor for any items that the depositor sends, for which the depository bank becomes liable.
6. RDC Depositor Agreements
When a customer originates ACH items, a bank uses its ACH agreement to allocate losses on those ACH items to the customer. Similarly, when a depositor uses RDC, there must be a carefully drafted RDC agreement that more broadly allocates any kind of losses or related liability (including RDC-specific losses) to the RDC depositor. (As outlined above, the RDC environment involves potential liability for some issues that generally aren’t involved in an ordinary deposit situation, including risk of “double presentment” of the same items, and possible third-party claims resulting from poor image quality. Also, because the RDC depositor would normally use bank-supplied equipment, and should be using bank-prescribed procedures under bank supervision in originating RDC items, there might be some issue as to whether the RDC depositor is the bank’s agent in doing whatever may go wrong. The RDC contract probably should disclaim any agency relationship or any other liability on the bank’s part for whatever the depositor does, while also providing that the depositor will indemnify and hold the bank harmless for any loss, cost, liability, etc., that the bank may incur, arising out of the RDC depositor’s actions, inaction, negligence, etc.)
The FFIEC emphasizes, “Strong, well-constructed contracts and customer agreements are critical in mitigating the financial institution’s risks.” It adds, “RDC agreements should establish the control requirements identified during the risk assessment process and the consequences of noncompliance.” The FFIEC apparently assumes that the bank’s agreement with each RDC customer may be personalized (as necessary) to include special requirements that the bank imposes on that specific customer, in light of any unique risk factors raised by the particular business.
Most banks using a contract with RDC customers are probably now using a “generic” contract, and are not tailoring anything to the specific customer. It’s fairly unrealistic for anyone to assume that a bank (particularly a smaller bank) will develop an individualized contract in response to each separate RDC depositor’s circumstances and business. However, a “middle ground” approach is possible and might be worth adopting: The “generic” RDC contract used by a bank could state that the depositor also agrees to comply with each of the additional requirements set out in Exhibit A. The bank can then fill out the blank Exhibit A to deal with special concerns it may have for each customer. The bank can type “no additional requirements” on Exhibit A, or can list some procedures to mitigate certain “risks” or issues that the bank wants that specific customer to deal with.
The guidance includes a list of various provisions a depository bank should consider placing in its RDC depositor contract:
(1) Roles and responsibilities of the parties, including those related to equipment and software needed for RDC;
(2) Handling and record retention procedures for the information involved in RDC (both the paper items retained as back-up, and the electronic records), including the bank’s expectations for access, transmission, storage and disposal of deposit items;
(3) Types of items that may be transmitted as a result of RDC;
(4) Processes and procedures the customer must follow, including those related to image quality;
(5) What imaged documents (or originals) an RDC customer must provide to facilitate investigations related to unusual transactions, poor quality transmissions, or disputed transactions;
(6) Performance standards for the bank and customer to meet;
(7) Allocation of liability between the parties, warranties, indemnification, and dispute resolution;
(8) Authority of the financial institution to mandate specific internal controls at the customer’s locations, audit the customer’s operations, or request additional customer information; and
(9) Authority of the financial institution to terminate the RDC relationship.
7. Appropriate Controls
Much of the guidance focuses on RDC-related risks, because the FFIEC wants banks to evaluate those risks thoroughly before deciding on appropriate “risk-mitigation” policies and controls.
Getting beyond that point, the essence of the guidance is that three things are necessary for a bank offering RDC services while minimizing its risk of loss: (1) RDC capability should be denied to entities exceeding the bank’s risk-tolerance levels; (2) the bank should require or provide appropriate controls, procedures, training and supervision for its approved RDC depositors, so that risks from authorized RDC activities will be minimized; and (3) the bank needs good RDC contracts, clearly laying out the parties’ rights and entitling the bank to shift any RDC-related losses (for which the bank has liability) to the RDC customer that deposited the item.
Regarding appropriate controls, the FFIEC states, “Management [of the bank] should implement as appropriate . . . controls [at customer locations] that mitigate the operational risks of RDC . . .” The FFIEC suggests “appropriate periodic training” (from the bank or its service provider) so that RDC customers can “understand their roles in managing risks and monitoring for processing errors or unauthorized activity.” This should include “documentation that addresses routine operations and procedures, including those related to the risk of duplicate presentment and problem resolution.” (The expectation is that higher standards will minimize the number of improper items.)
There should be appropriate “controls over the process used for image capture or image exchange . . .” Controls can be designed and implemented “to ensure the security and integrity of nonpublic personal information throughout the transmission flow and while in storage.” In addition, “[s]eparation of duties or other compensating controls at . . . the customer location can mitigate the risk of one person having responsibility for end-to-end RDC processing.” The FFIEC also states, “To reduce the risk of items being processed more than once, deposit items can be endorsed, franked, or otherwise noted as already processed.” And when insurance is available at reasonable cost, this may further mitigate risk.
The FFIEC wants the bank to give the customer appropriate written procedures (and perhaps training) for RDC. It assumes that the bank may exercise ongoing supervision of the customer’s RDC activities from time to time, including possibly on-site visits. The FFIEC expects everyone to recognize that RDC is not, in fact, any automatic feature of some type of commercial account, but rather a separate activity that the bank can cancel for any reason.