How to Ace RDC Compliance Audits

With annual RDC audits weighing heavily on banks, we offer some tips to help compliance officers get through the auditing season.

Although surveys show that few banks have experienced fraud through Remote Deposit Capture (RDC), the flexibility and convenience that have drawn customers to RDC also make it a tempting target for fraudsters. With the use of RDC rising quickly, it’s reasonable to expect that fraudsters will take notice and try to make use of it for criminal purposes. Regulatory guidance on risk management from the FFIEC requires banks to undergo regular audits to ensure their policies and systems are up to date with the latest trends in fraud and RDC.

We asked Trudy Lotter, a strategic sales consultant at Wausau Financial Systems, which provides RDC solutions, for some insight on what auditors are looking for now that RDC has gone mainstream, and what banks should do to ensure compliance.

BS&T: What kinds of trends are you seeing in terms of what auditors are looking for to show compliance?

Lotter: Throughout annual RDC audits, auditors expect banks to demonstrate the following:

  1. Understand the responsibilities in offering RDC. Do the bank’s policies address risks associated with RDC? Banks should review and update policies annually to evolve with the changing industry.
  2. Demonstrate how exactly a bank is implementing its RDC program. Is the bank adhering to its own policies?
  3. Prove that a bank takes corrective action when necessary. Do banks have tools in place to monitor expected behaviors? Behaviors can include staying within deposit limits and volumes, depositing more than one check drawn on the same account, attempting to deposit checks that have already been deposited, etc. Banks should take action when behaviors are inconsistent with their set rules.
  4. Take advantage of the tools made available by their vendor. At Wausau, we provide our auditors with demos and application documentation. The auditors use this knowledge to create a checklist of things they think Wausau RDC customers should be incorporating into their process, procedure, and best-practices.

BS&T: What kind of pain points do you see for banks in delivering on the items that auditors need from them?

Lotter: Identifying expected behaviors in a bank’s policies is only half the battle. Figuring out how to implement and monitor policies can be a challenge. How should a bank match a rule to a policy, then implement the rule? What’s the best way to monitor behaviors to ensure they are consistent with the rule? With an ever-growing number of customers capturing checks remotely and the rapid adoption of mobile deposit, homegrown systems for monitoring behaviors are no longer adequate. On top of that, outdated systems require more resources to manage. Until banks feel comfortable proving they can “keep an eye on everyone” to auditors, they are reluctant to add new users to remote capture.

BS&T: What steps need to be taken to address those pain points?

Lotter: Banks can offer RDC to the masses in a controlled, responsible manner that fulfills auditors’ expectations by leveraging technology. Automation technology can help banks identify rules, monitor deposits, and notify those companies that fall outside the expected behaviors.

BS&T: Now that RDC has grown in the industry and many banks have a good deal of maturity with it, what are some ways that banks can improve on the policies and procedures they have in place to both meet compliance, and maybe go beyond compliance in risk management?

Lotter: Now that we know how remote capture is used to perpetrate fraud, banks can use their own experience as well as the experience of their peers to fine-tune their rules, focusing on known risky behaviors. Participating in internal policy and procedure reviews has also proven to be an effective way to stay up to date and compliant.

Before, banks were casting too wide a net because they didn’t know what they didn’t know. Today, banks can better tailor their risk monitoring to capture only those behaviors that are indicative of potential fraud.

BS&T: Do you see that banks can be challenged sometimes in balancing customer experience and risk management in RDC?

Lotter: Absolutely. Consumers might not understand why they can deposit a $150 check via mobile deposit, but they have to take a $3,000 check into the branch. Business customers might not understand why they can only deposit up to $10,000 a day. After all, they are trying to deposit money, not borrow it. To meet compliance and accommodate user experience, banks must be flexible with their rules.

BS&T: How do some of the common, broad challenges that banks deal with, such as organizational and systems silos, impact the ability to meet auditors' demands in this area?

Lotter: When the information that demonstrates compliance is stored across different systems and formats by different departments, it’s challenging to pull it all together in a digestible way for auditors. Each department and system has its own needs regarding compliance, and even though the product is common between departments, the rules and monitoring behaviors may differ.

Utilizing common platforms across capture points ensures that rule sets, monitoring, reporting, and tracking are consistent. When the information is available in a single location, it’s easier for auditors to validate.

BS&T: What other best-practices would you recommend?

Lotter: Auditors want banks to demonstrate an understanding of the risks and show that the appropriate measures have been taken to identify, mitigate, and remedy them. Banks should use their own experience and that of their peers to build out a program, policies, and procedures to minimize risk. Leverage technology to implement policies, ensure that customers are following procedures, track the behaviors, and take the appropriate action. And don’t forget to review the program every year to evaluate its effectiveness!

Jonathan Camhi has been an associate editor with Bank Systems & Technology since 2012. He previously worked as a freelance journalist in New York City covering politics, health and immigration, and has a master's degree from the City University of New York's Graduate School ...

Comments
Brook Zimmatore,
User Rank: Apprentice
8/26/2014 | 12:15:46 PM
Too little focus on external threats
I think great strides have been made by the FCA to increase urgency and awareness of risk mitigation. However, the elephant in the room still seems to be inadequate external threat intelligence either through direct intel channels or peer to peer relationships. It's still early days in that regard.