Strengthening Your RDC Risk Assessment
Brian Stearns, VP & Supervisor, Risk Management Services
WesPay, as a Direct Member of NACHA – The Electronic Payments Association and through its affiliation with the Electronic Check Clearing House Organization (ECCHO) as an NCP Trusted Partner, is a specially recognized and licensed provider of ACH and Check education, publications and support. Regional Payments Associations are directly engaged in the ACH rulemaking process and support of the Accredited ACH Professional (AAP), Accredited Payments Risk Professional (APRP) and National Check Professional (NCP) programs. This material may be derived from collaborative work product developed by NACHA, ECCHO and other member Regional Payments Associations. This material is not intended to provide any warranties or legal advice and is intended for educational purposes only. © 2018 Western Payments Alliance (WesPay). All rights reserved. NACHA owns the copyright for the NACHA Operating Rules & Guidelines. The Accredited ACH Professional (AAP) and Accredited Payments Risk Professional (APRP) are registered service marks of NACHA. The National Check Professional (NCP) is a registered service mark of ECCHO.
Risk Management Responsibility
- “Senior management should identify and assess the legal, compliance, reputation, and operational risks” - FFIEC RDC Guidance
- “Everyone in the organization plays a role in ensuring successful enterprise-wide risk management but the primary responsibility for identifying risks and managing them lies with management.” - Institute of Internal Auditors
In Practice…
- Financial institution management is responsible for assessing and managing risks
- Risk appetite can vary by institution
  - Consumer focused Credit Union or Community Bank
  - Business Bank
Risk Definitions
- Inherent Risk: Risks that exist in the product or service
- Risk Mitigation Controls: “Any action taken by management, the board, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved.” – IIA
- Residual Risk: Risk that remains after controls are applied
Risk Management Approaches
- Avoid: Don’t offer the service!
- Mitigate: Reduced using controls such as limits
- Accept: Institution is willing to take the risk
- Transfer: Use insurance (bond) to cover unacceptable risk
RDC Risks
- Strategic
- Compliance
- Credit
- Operational
- Fraud
- Customer/Member Service
Common RDC Risk Review Comments
- Strategic goals of RDC
- Documentation of Image Quality/Duplicate Detection controls
- Amount Validation
- Timing of Controls
- Business Continuity Plans
RDC Strategy
- Many FIs rolled out RDC programs to meet competitive pressures
- Strategic goals of RDC are not understood or documented
- Common Goals:
  - Account holder convenience
  - Expand market beyond branch network
  - Increase efficiency
  - Fee income
RDC Strategy (Cont.)
- Understand the risks of RDC
- Place appropriate limits
- Develop reporting to keep management and/or board apprised of the progress of the RDC program
  - Is RDC meeting its strategic goals
  - Are risks managed effectively
Exercises
- Discuss and document why RDC is offered
- Establish goals for the program
- Define success!
- Determine the FI’s risk appetite
- Determine the residual risk of the RDC program
- Develop reporting to determine if the program is meeting its goals
- Determine if resources are properly allocated
Control Documentation
- Bank of First Deposit (BOFD) is responsible for compliance with rules and warranties
  - Image quality
  - Duplicate presentment
  - Proper payee endorsement
- Many FIs outsource these controls to a vendor
  - FI is still responsible!
- Ensure controls are documented to demonstrate compliance
Exercises
- Review vendor agreements to validate
  - Vendor management
  - Control responsibility
  - Ability to hold vendor responsible
- Vendor management
  - Verify the vendor is doing their job
- Document responsibilities in policy:
  - Controls
Amount Validation
- CFPB finding requires BOFDs to credit consumer for the full amount of deposits
  - CFPB order to Citizens Bank dated August 12, 2015
- BOFDs should validate amount of deposits to consumer accounts
- RDC vendor may perform amount validation controls
- Need to ensure controls are documented to demonstrate compliance
Exercises
- Document the party responsible for controls:
  - Vendor review
  - FI staff
- Verify controls are performed properly
Timing of Controls
- Once a check is transmitted through the check clearing network, the BOFD is responsible for rules and warranties
- If an issue is discovered after check has been processed, BOFD can’t recall the item
- Funds must be made available to account holder per agreement/disclosures
- Warranty timeframes can be three years from deposit
Timing of Controls (Cont.) Day 1 Day 2
Exercises
- Create a workflow to determine when controls are applied
- Develop processes to address issues after items have been cleared
  - Holds on deposits
  - Contacting Paying Bank(s)
Business Continuity
- RDC functions may be a critical function for the institution
  - Criticality depends on strategy
- May need to rely on multiple vendors (and connections between them) for RDC
  - RDC vendor(s)
  - Core system
  - Connections to the Fed or Clearinghouse
Exercises
- Identify vendors that are needed to complete RDC functions
- Outline Recovery responsibilities
  - Vendors
  - FI staff
- Determine Recovery Timeframes (RTOs)
- Test the plan!
Resources
- FFIEC Resources: www.ffiec.gov, http://ithandbook.ffiec.gov/
- WesPay Website: www.wespay.org
Questions?
Payments Hotline - 415-373-1200 or info@wespay.org
Please contact us at:
300 Montgomery St, Suite 400
San Francisco, CA 94104
Phone: 415-433-1230
Fax: 415-433-1370
www.wespay.org
memberservices@wespay.org
Participants from other Regional Payments Associations are encouraged to contact your Regional Payments Association directly. You can find them here: www.nacha.org/regpayassoc
Thank you for participating PLEASE – Complete your evaluation