Making Remote Deposit Capture Audit-Ready
As a consumer of banking services, I can’t wait for my bank to offer mobile remote deposit capture (RDC) – and I’ll be happy to pay for it. Yet, as a consultant to the banking industry, I can tell you exactly why my small community bank has yet to jump on the mobile RDC bandwagon: the expenses involved. Aside from the technology, infrastructure and fees associated with processing the deposits, there are the internal resources required to launch and manage a new RDC platform.
Programs and policies need to be written and approved by the board. Processes and procedures have to be reviewed and updated or added to. Deposit agreements have to be modified or addendums created. Systems have to be put in place to ensure that the new processes and procedures are being followed. Deposit behavior rules have to be established and implemented, monitored and tracked. And when necessary, corrective action has to be taken. All of this needs to be tracked and reported and, above all, audited.
We’ve been here before. When the Check 21 legislation went into effect, the brave banks jumped out in front of the pack, anxious to get a new service rolled out to their customers that would surely make everyone’s lives easier. There wasn’t a lot of guidance then about the risks introduced by electronic check truncation. After all, we didn’t know what we didn’t know. As a result, there were a few missteps. But with the help of the regulatory authorities, we rallied together, helped each other interpret, comprehend and then implement the elements needed to define our boundaries and shore up our defenses against those who would use this new service in nefarious ways. It took a while to get it all figured out but based on recent fraud loss surveys, I’d say we did something right.
Just when we finally got comfortable with remote capture, along came mobile RDC. Whoa! We just went through years of trial and error to convince our board and the auditors that we know what we’re doing with remote capture and now you want me to start all over with a new platform?
The good news is that all the heavy lifting is already done. We know now what we didn’t know then – what needs to be done, what questions need to be asked and the fundamentals the auditors are going to look for. Consider some of the questions we stewed over and spent time addressing in the past:
How do I qualify my customers for remote capture? How do I figure out how much money they can deposit, or how many checks they can deposit? What changes do I need to make to my depositor agreements? How do I know if they deposited a check more than once? How do I implement the rules I expect my customers to abide by? What do I need to track and monitor to make sure that my customers are not violating rules?
And perhaps most importantly:
What are the auditors going to need to see?
The thought processes we went through to meet the auditors’ requirements for remote capture can be leveraged for mobile RDC, particularly when it comes to the day-to-day operation of the service. The technology to apply rules, monitor deposits and report on suspicious behavior before the deposit is posted is keeping pace with capture technology. That’s the kind of thing the auditors are going to want to see more of.
So, if you’re still waiting to see how everything will play out before you launch mobile RDC, take comfort in knowing that much of what you need you already did when you launched remote capture. The same thought processes, questions, and concerns you worked through to put your remote capture program in place are the same ones you’ll pose as you work through mobile RDC. Only this time, you know what to expect.
As for the auditors, they’ll want to see that you did your homework; that you understand how the risks associated with mobile RDC are like and not like remote capture. They want to see how you leveraged what you learned and how you’re taking advantage of technology to help you keep an eye on your customers.
Déjà vu has its advantages.