The Green Sheet Online Edition
December 22, 2014 • Issue 14:12:02
RDC and improved FI risk management
Editor's Note: Editor's note: The following reports were originally published Nov. 25 and Dec. 1, 2014, by RemoteDepositCapture.com. Adapted with permission. © RemoteDepositCapture.com. All rights reserved.
Report 1: Multilayered enterprise risk management is the new normal
Enterprise risk management is the new normal for banks and credit unions, regardless of size. "The regulators are looking at us, as a small institution, in very much the same way they look at larger institutions," said Robin Trimm, Chief Financial Officer at SouthPoint Bank in Birmingham, Ala. "Their focus on risk management is across the board."
That focus has sharpened as more financial institutions offer remote deposit capture products. "It's important not only to be vigilant, but to be very good at risk management," said Mark Feagin, Senior Vice President at Iberia Bank, Lafayette, La.
Feagan and Trimm discussed this focus during a webinar – Enterprise Risk Management: A Financial Institution Perspective – sponsored by Cachet Financial Solutions and presented by RemoteDepositCapture.com.
Regulators are taking note
SouthPoint is a $205 million asset bank with four full-service locations throughout Alabama and a focus on small businesses and government. "Remote deposit is an essential product for us," said Trimm.
When SouthPoint opened in 2005, its risk management was largely limited to manual reviews on Day 2 – a shortcoming regulators noticed during a bank examination. "The regulators pointed out that we needed more and better risk controls," Trimm said.
The bank found Check Risk Pro from Cachet, a solution with robust, same-day risk management controls and compliance monitoring – one it could bolt onto its existing RDC solution, thereby minimizing any impact on customers and supporting enterprise integration. "It's a very scalable solution," Trimm said. SouthPoint plans to roll out a mobile deposit offering now that it has a firm grip on risk and compliance monitoring.
Poster child for FFIEC compliance
Like SouthPoint, Iberia Bank is relatively young. Iberia is unique in that it charted significant growth during the economic downturn that began in 2008. It has continued to grow – from $10 billion in assets in 2009 to $15 billion in assets today. Much of that growth came from acquisitions; many were FDIC-assisted. Today Iberia has branch operations in seven states.
"Our growth has been made so much easier because of remote deposit," explained Feagin. "This has been a very strategic product."
RDC also triggered changes in Iberia's approach to risk management. "We wanted to be the poster child for FFIEC compliance," Feagin said, referring to federal regulatory RDC guidance issued in 2009. The bank's initial RDC solution fell short. So in 2011, Iberia installed an RDC solution from Cachet with comprehensive reporting functionality and customized reports if needed. "The regulators have been pleased with our progress," Feagin said, adding that Iberia plans to extend RDC to additional channels.
Successfully navigating regulatory expectations requires the ability to act on good data and analytics. "Financial institutions need to be able to take action in as close as real-time as possible," said John Leekley, founder and CEO of RemoteDepositCapture.com.
"The regulators believe that if financial institutions have data, or the capability to have data, then there is no excuse for not knowing what's going on," added Skip Hall, Senior Product Manager for Risk/Fraud at Cachet.
Hall said, to successfully implement enterprise risk solutions, FIs offering RDC products need near real-time processing, rules-augmented processing, and reporting and analytics. Diligence and resources are required in the initial set up, but once a bank sets its rules and other risk parameters with a good solution, little human intervention is required. "The heavy investment is upfront in terms of setting it up the way you want it to work," said Feagin. For example, at Iberia, which has over 1,700 business customers using RDC, manual check reviews take less than two hours a day to complete.
A replay of the webinar is available free of charge at www.remotedepositcapture.com/webinars/Enterprise-Wide-RDC-Risk-Mitigation-A-Financial-In.aspx.
Report 2: Risk management plans should be realistic, comprehensive and heeded
Risk management isn't one-size-fits-all. But lessons can be learned from what has worked for individual financial institutions' risk management programs. At the RDC Summit 2014, Keven Olsen of Payments Space Advisors and Vice President for Education at EastPay, discussed trends he's witnessed while conducting dozens of compliance and audit reviews of financial institutions' RDC programs.
Lesson 1: Developing risk policies for RDC is a critical part of product deployment. Worse than not having an RDC risk management policy is having one that isn't followed. "Not adhering to your own policies puts you at risk," Olsen said. "An institution's RDC policy … needs to be approved by the Board and adhered to by all."
An RDC policy should include written procedures that clearly define risk management for the product, as well as detailed procedures for vendor management, staff and customer training, deposit availability and velocity thresholds, fraud prevention, customer audits, terminations, file monitoring, franking and endorsement requirements, records retention, and reporting. Olsen advised reporting "what makes sound business sense to tell your board of directors," for example, number of RDC users, scanner locations, deposit and item totals, exceptions, and key information about high-risk customers.
Lesson 2: Everyone in the bank or credit union should be on board with the RDC program, from the board of directors down. "Your BSA officer needs to be part of the product team," Olsen said. And RDC should be included in the FI's regular BSA/AML risk assessments.
Lesson 3: Risk rate your customers before offering them RDC products. Customer agreements should reflect that understanding of risks, and clearly define each party's roles, responsibilities and liabilities. They also should be current, regularly updated and "specific to the customer and the product," Olsen said.
Lesson 4: Training is crucial. It can't be limited to the installation process. All aspects of training must be documented in writing and available for customer reference. Customer training checklists are helpful; items to consider include:
Procedures for ensuring security and confidentiality of customer information
Guidelines for handling, storing and destroying original paper checks
Separation of duties and dual control procedures
Minimum requirements for image quality
Franking and/or endorsement requirements
Duplicate item/file management procedures
To see the original articles, visit www.remotedepositcapture.com/news/rdc.insider.aspx.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.