RSK.IQ Question of the Week 2/1/16

On-Site Visits to RDC Customers

Issue/Inquiry

The Bank asks, “How often should site visits be made to the place of business of a Remote Deposit Capture (“RDC”) customer?”

Response Summary

On-site visits of RDC customers will be made as part of the Bank’s ongoing due diligence process. Whether and how often visits should be made will depend upon risk. An on-site visit should almost always be made as part of the process in determining the suitability of the customer for RDC. Thereafter, visits should be made on the basis of the risk associated with the particular customer.

Response Detail

Introduction

There are no regulatory requirements for site visits of RDC customers or for any particular number of visits to be made, but the regulators have expectations, and these are based on risk. The Bank should have an on-site visit as part of its due diligence process in determining whether or not the customer is suitable for RDC. Whether visits should be made periodically thereafter or at all would depend on the degree of risk associated with the particular customer.

RDC Risk

RDC may expose financial institutions to various risks, such as money laundering and identity theft, but the primary associated risk is fraud. When an institution takes a risk-sensitive function (in this case, accepting items for deposit and credit to a customer’s account), and allows it to be conducted outside the “trusted zone” that includes its internal network and closed check-processing environment, the risk of fraud increases. Fraudulent, sequentially numbered, or physically altered documents, particularly money orders and traveler’s checks, may be more difficult to detect when submitted by RDC and not inspected by a qualified person.

Financial institutions also face challenges in controlling or knowing the location of RDC equipment, because the equipment can be readily transported from one jurisdiction to another. This challenge is increased as foreign correspondents and foreign money services businesses are increasingly using RDC services to replace pouch and certain instrument processing and clearing activities. As a result, recordkeeping, data safety, and integrity issues may increase.

Higher-risk customers may be defined by industry, incidence of fraud, or other criteria. Examples of higher-risk parties include online payment processors, certain credit-repair services, certain mail order and telephone order companies, online gambling operations, businesses located offshore, and adult entertainment businesses.

Customer Due Diligence

A financial institution should create risk-based parameters that can be used in conducting RDC customer suitability reviews. These may include a list of acceptable industries, standardized underwriting criteria (e.g., credit history, financial statements, and ownership structure of business), and other risk factors (customer’s risk management processes, geographic location, and customer base).

The institution should also consider the customer’s business line, geographic location, and client base. In evaluating a customer’s client base, the institution should distinguish those from higher-risk industries, such as mail order or Internet retailers, adult entertainment, offshore businesses, and online gambling. These industries have demonstrated a greater risk of fraud and nonpayment than more traditional, domestic, face-to-face businesses. Customers that serve these higher-risk businesses may not be appropriate candidates for RDC or may be required to maintain higher deposit balances or agree to more stringent on-site audit procedures.

After determining that a customer’s business is suitable for RDC services, the institution may consider evaluating the customer’s operational controls:

  • Separation of duties
  • Implementation of dual controls
  • Endorsement of items to prevent redeposit
  • Secure storage and disposal of original checks on-site
  • Assessing how the customer’s employees responsible for depositing items will be trained
  • Reviewing the physical and logical security measures surrounding the RDC system

Confirming that the customer securely stores and disposes of the original paper checks is particularly important as these items contain sensitive financial information (name, address, bank name, and account number) that can be used by identity thieves. In some cases, an independent audit of the customer may be warranted.

The FFIEC has indicated that, when the level of risk warrants it, the staff of the institution should consider visiting the customer’s physical location as part of the due diligence process. Given the inherent risk involved in RDC transactions and the difficulty of evaluating a customer’s operational controls without being on-site, we would recommend that an on-site visit be standard practice at this stage in the relationship between the Bank and its customer. Not making such a visit would be an exception to policy.

Subsequent Visits

All banking relationships involve due diligence by the financial institution during the term of the relationship. A financial institution should develop and implement risk measuring and monitoring systems for effective oversight of RDC activities. Effective management oversight will involve regularly reviewing reports measuring results against operational benchmarks and conducting reviews and risk assessments.

Whether on-site visits of an RDC customer should be made as part of an annual audit, more often, or not at all, would depend upon the same risk factors identified by the institution during its initial due diligence of the customer, as well as what its oversight of the customer has revealed. The higher the risk or the more often the RDC activities of the customer have exceeded the expectations of the institution, the more likely it is that an on-site visit is warranted.

The Bank’s RDC customers may be drawn from its marketing area and thus are in close physical proximity. Therefore, on-site visits to customers when the relationship is established or afterwards should not prove difficult.

This entry was posted on Monday, February 1st, 2016 at 2:00 pm.
