Risk Plans Critical Prior to RDC Launch
There’s no doubt that member demand for convenient banking services such as remote deposit capture and person-to-person payments is high. But some credit unions may be overwhelmed by the homework required to implement these services, especially the need to comply with applicable regulations such as Bank Secrecy Act/Anti-Money Laundering.
Developing an enterprise-wide risk mitigation plan that addresses legal, compliance and operational risks will prepare credit unions for visits from examiners and is a necessary pre-requisite to offering services that meet the growing needs of their members, said Maleka Ali, director of customer relations for Banker’s Toolbox, an Austin, Texas-based risk management software company that works with several dozen credit unions, and Debra Eshbaugh, product manager for the same company.
“There’s a demand in the marketplace for new products, and as long as they consider regulatory compliance and the risks involved, credit unions should offer them,” Ali said. “We don’t believe there should be any limits to what a credit union can offer.”
Preventing fraud losses as a result of money laundering and check kiting, which are key parts of complying with BSA/AML, can be achieved by performing a thorough risk assessment, setting up effective controls for services that carry a high potential for risk, and implementing software to help automate the risk management process, Ali and Eshbaugh said.
Following a risk assessment, it’s critical for credit unions to update materials such as policies, procedures, disclosures, contracts and agreements accordingly, as examiners will want to view those updates and ensure all changes are in effect, Ali explained.
In particular, RDC may pose unique fraud risks and opportunities to slip on compliance. Ken Otsuka, a senior risk management consultant with CUNA Mutual Group in Madison, Wisc., said RDC presents all the typical risks associated with check fraud, such as forgeries, alterations and counterfeits, but at a higher level because the checks are not physically inspected. Members may also attempt to make duplicate deposits more easily with RDC, for example, by depositing the same check using their mobile device or in person at a branch, he said.
Credit unions implementing RDC must know that not every member should be entitled to RDC, and those that are should be assigned deposit limits, Otsuka said.
“Do your due diligence in qualifying members for RDC,” Otsuka advised credit unions. “Evaluate their credit-worthiness; look at their credit score. If it’s a business member, you might request their financial statements or tax returns. Depending on their volume of checks, you might decide to visit the business and get a feel for the environment. Find out if they do background checks on their employees.”
Credit unions may not view every individual check image that comes in through a mobile device, but as a best practice, Otsuka suggested they view each check image during the first 30 days of a member’s use of RDC and keep a close eye out for suspicious activity.
Another important component of RDC risk management is creating a member service agreement that establishes minimum requirements for image quality, defines what types of checks may be deposited via mobile devices – for example, a credit union might ban foreign and third party checks from RDC – and includes a warranties and indemnification section that pushes as much liability as possible onto the member, Otsuka said.
While Regulation CC, which requires financial institutions to provide customers who have a transaction account with disclosures stating when their funds will be available for withdrawal, does not apply to checks deposited via mobile devices, Otsuka said credit unions do need to consider how they will determine and disclose their withdrawal availability timelines for funds deposited using RDC.
Other regulations that need to be considered during RDC implementation include Check 21, BSA/AML and Regulation J, Otsuka said. Regulation J provides guidelines for depository institutions to collect checks and other items and to settle balances through the Federal Reserve System. He recommends that credit unions review the Federal Financial Institutions Examination Council’s guidance on RDC as a starting point for risk assessment and compliance.
Otsuka concluded that choosing a quality RDC vendor such as one that offers a system that can detect duplicate checks and measure check quality, for instance, is an important part of an RDC implementation program. He also noted that while the risks associated with RDC are very real, their related losses have not been as widespread as expected.
“When RDC was first introduced in 2004, we expected the worst with check-related losses,” Otsuka said. “That didn’t materialize, but unless a credit union does its due diligence, it may be at risk of experiencing check fraud.”