When it comes to Remote Deposit Capture (RDC), many members have reached out wondering if their program aligns with best practices for the industry. We’re so glad you’ve asked! Let’s talk about it.
First, let’s level-set and cover the basics. What is RDC?
RDC has become the prominent way to process a check since the adoption of the Check Clearing for the 21st Century Act (Check 21), which became effective in October of 2004. Check 21 was developed to streamline and improve the efficiency of check processing. As a result, Check 21 enabled financial institutions to process checks electronically. This meant checks could be remotely deposited rather than having to exchange physical checks. Although 19 years have passed since implementation, many institutions still struggle to identify all the methods to be included within their RDC program.
RDC is a deposit transaction delivery system that allows a financial institution to receive digital information from deposit documents captured at remote locations. These locations may be the financial institution’s branches, ATMs, domestic and foreign correspondents or locations owned or controlled by commercial or retail account holders of the financial institution. RDC deposit documents can even be received from consumer account holders via mobile banking software.
Unless you are exclusively exchanging physical checks with other financial institutions, you are likely utilizing an RDC program to deposit most, if not all, check deposits received by your institution. Yes, that does mean Branch/Teller and ATM Capture are considered a part of your RDC program.
Identifying the Risks
Risk Management is the key to growth and success. Now that we have defined what types of check processing activities are considered RDC, let's identify the risks that should be addressed. A strong risk assessment analyzes all aspects of a financial institution's RDC activity, and it should be conducted prior to implementation and then reviewed periodically thereafter to mitigate and manage the risks associated with converting paper checks to remote deposits.
Strategic - Strategic risks arise from adverse business decisions or the failure to implement appropriate business decisions in a manner that is consistent with the financial institution’s strategic goals. The Board of Directors and Senior Management must determine if it is in the best interest of the financial institution to undertake remote deposit, set policies and parameters and maintain or expand that function as appropriate. Strategic risks can be mitigated with controls, parameters and standards for an RDC program, written policies and procedures, ensuring adequate resources, management and Board of Directors involvement and oversight procedures.
Operational - Operational risk occurs when a transaction is altered or delayed due to an unintentional error, or when a payment transaction is initiated or altered to misdirect or misappropriate funds with fraudulent intent. The risk may arise from the financial institution failing to process a transaction properly, having inadequate controls, an employee error, a computer malfunction, natural catastrophe, internal or external fraud, etc. A failure anywhere in the remote deposit transaction process can result in risk to the financial institution’s earnings and capital. Operational risks can be mitigated with a consistent monitoring process, commercially reasonable controls for RDC software, scanners, mobile access, security standards, image quality and an ongoing training program.
Fraud - Risks can arise with the RDC product when fraud is perpetrated by employees or by external sources. A financial institution is exposed to the risk of fraud when a wrongful or criminal deception leads to a financial loss for one of the parties involved. The risk for fraud from clients that utilize RDC can be managed more effectively with the use of activity and fraud monitoring tools. Fraud risks can be mitigated by policies and procedures specific to monitoring activity and identifying improper use of RDC products.
Legal and Compliance - Legal and compliance risk arises from failure to comply with statutory or regulatory obligations. Decisions made by the financial institution or by third parties acting on behalf of the financial institution can cause fines, penalties and financial losses. Safeguards must be in place for compliance with existing consumer protection statutes, regulations, the ACH Rules and state laws. Legal and compliance risks can be mitigated by addressing regulatory and consumer protection obligations, maintaining commercially reasonable agreements with each RDC user and establishing audit requirements.
Due Diligence and Suitability - Management should establish appropriate risk-based guidelines to qualify and monitor clients using RDC services. For new and existing clients, a suitability review should involve consideration of the client’s business activities and risk management processes, geographic location and client base. Due diligence and suitability risks can be mitigated by commercially reasonable RDC user due diligence procedures that include enhanced procedures for users who pose a higher risk to the institution, as well as vendor management procedures.
Information Security - Financial institutions must evaluate the information technology and information security risks associated with RDC. Financial institutions must adjust their information security programs in light of any relevant changes in technology, the sensitivity of client information, internal or external threats to information and their own changing business policies. A financial institution providing RDC services must consider information security risks associated with RDC technology and operations. Information security risks can be mitigated by adequate physical and logical assessment controls and a business continuity plan that addresses RDC activity.
Credit - Credit risk with check processing occurs due to the float time between funds availability and settlement of funds. To mitigate credit risk, management should establish appropriate risk-based guidelines to qualify accountholders for this service initially and periodically, which includes setting deposit limits. Additionally, management should establish and adequately disclose funds availability and returned check policies and procedures.
A financial institution offering RDC services should develop adequate policies and procedures that address the specific risks associated with each type of RDC activity, including Branch/Teller Capture, ATM Capture, Merchant/Business Capture and Mobile Deposit Capture. Need some help getting started? EPCOR’s team of experts can help financial institutions analyze their RDC program and share best practices with financial institutions to support their efforts towards maintaining compliance, improving operational processes, and mitigating risks by collaborating to conduct RDC Audits and Risk Assessments.
Republished with permission from EPCOR