Supervision and Regulation Letters
FFIEC Guidance Addressing Risk Management of Remote Deposit Capture Activities
SUPERVISION AND REGULATION
|SUBJECT:||FFIEC Guidance Addressing Risk Management of Remote Deposit Capture Activities|
The Federal Financial Institutions Examination Council (FFIEC) member agencies issued guidance today for use by financial institutions, technology service providers, and examiners to identify risks in financial institutions’ remote deposit capture (RDC) systems and to evaluate the adequacy of associated controls and applicable risk management practices.1
RDC is a delivery system that enables financial institution customers to initiate deposits in digital format at customers’ locations and, in most instances, eliminates the requirement to physically deliver deposited items to the financial institution. RDC systems have the potential to decrease processing costs, support new and existing banking products, and accelerate customer funds availability. However, RDC also introduces new risks and increases existing risks inherent in traditional deposit processing, including legal, compliance, reputational, and operational risks.
Financial institutions that have implemented RDC or are considering doing so should use sound risk management processes, including risk identification, assessment, and mitigation, as well as measuring and monitoring residual risk exposure. As noted in the attached interagency guidance, an effective risk management program includes:
- Sound risk management and mitigation processes at the financial institution and at customer locations;
- An initial assessment, and periodic assessments thereafter, to identify the types and levels of risk exposure presented by RDC implementation;
- Comprehensive customer contracts and agreements that clearly identify roles, responsibilities, and liabilities of all parties in the RDC process;
- Appropriate technology and process controls at both the institution and customer locations to address operational risk; and
- Effective risk measurement and monitoring by the institution.
Federal Reserve Banks are asked to distribute this letter to financial institutions supervised by the Federal Reserve in their districts, as well as to their own supervisory and examination staff. If you have any questions, please contact Mary Frances Monroe, Manager, Supervisory Policy and Guidance, at (202) 452-5231, or Kenneth Fulton, Supervisory Financial Analyst, Operational and IT Risk, at (202) 452-2314. In addition, questions may be sent via the Board’s public website.2
Roger T. Cole