
Newsletter 1st Quarter 2009 Issue No: 2009-001
If you would like to subscribe to our mailing list, please contact us.
Many moons ago, RLR published a quarterly newsletter to our industry colleagues. For some unknown reason (think we got a little busy!), we stopped publishing that newsletter. Well, we are back. We have a new electronic format, and will publish a newsletter on a quarterly basis. We hope that you find it informative and entertaining. Please feel free to provide us feedback, or even ideas for what you would like us to cover. Happy Reading!
For those of you not familiar with RLR, a brief introduction:
Ruth L. Razook founded RLR in 1988. Yes, over 20 years ago (just 17 at the time!). Ruth had spent ten years at First Interstate Bank paying consultants lots of money, and finally figured out that maybe she could be that consultant too! RLR was born and Ruth began consulting to Community Banks. What a leap from a mega bank, but it worked. The first RLR assignment was with One Central Bank in Glendale, CA. Lorena McWilliams and Liz Toton remain my confidants to this day! Since that time, RLR has become a nationwide consulting firm focused on providing high quality consulting assistance to independent and community banks in the areas of corporate strategy, organizational analysis, operations management, general management, information technology, payments and regulatory compliance. Our staff is comprised of seasoned professionals with extensive practical, line management and consulting experience. We currently have 25 individuals within the firm, with our headquarters in La Quinta, California.
We have worked with over 500 clients in our 20 years, and look forward to continuing to work with more! You can find more information about our firm on our about page.
From the CEO
Where is my crystal ball?
I cannot find it!
Does it even matter anymore?
Unfortunately, I don’t think so. We are experiencing times that are unprecedented in my lifetime. I really never thought I would see such an unstable economy in my time, but it is here and there is no ignoring it. I do have to say that today, while checking MSNBC throughout the day, I did not see any blurbs about the nationalization of banks, what the Fed is worried about today, what Obama is going to say, etc. and the stock market actually went up. Maybe we don’t need a crystal ball, we just need to get the banking news out of the headlines, and leave the bankers and regulators to do their job.
Yes, there are banks out there today that behaved badly and need to either go away or need to turn around. We know that. With predictions that the economy may not “improve” until 2010, it is going to be a tough ride this year. We are just hopeful that we can keep the press quiet, and give the time and consideration to the bankers and regulators to get their job done.
Ruth L. Razook, CEO
Remote Deposit Capture Guidance
On January 19, 2009, FIL-4-2009, Risk Management of Remote Deposit Capture, was published.
The guidance is pretty much what we expected, with a few twists. The theme of the guidance complements the guidance of late: Risk Management. The guidance states that a financial institution offering Remote Deposit Capture (RDC) should have in place sound risk management and mitigation systems and require adequate risk management at customer locations including, but not limited to, controls over nonpublic personal information. Further, financial institutions whose RDC systems use the Internet as a communication channel should use effective methods to authenticate the identity of customers using those services. Single-factor authentication methods may not provide sufficient protection. The guidance clearly states that RDC should be viewed as a new delivery system, not simply a new service.
Highlights of the guidance include:
Overview
- Prior to implementing RDC, and periodically thereafter, management should conduct a risk assessment to identify the risks inherent in RDC for the FI
- Additional FFIEC guidance is referenced and should be reviewed and included in the risk assessment for RDC (FFIEC IT Examination Handbook, FFIEC Bank Secrecy Act/Anti-Money Laundering Examination Manual, Interagency Guidelines Establishing Information Security Standards).
The Risk Assessment:
- The Risk Assessment should include the identification of the risks to the security and confidentiality of nonpublic personal information
- Guidance suggests that the FI adjust their information security programs to address RDC
- The Risk Assessment will differ based upon the manner in which the FI clears the items (image exchange, ACH, etc.)
- The Board and Senior Management are ultimately responsible for safe and sound operations, including RDC products and services. Prior to implementation they should ensure it fits into the business strategy and understand the ROI
- The Risk Assessment needs to include Legal and Compliance Risk, as well as Operational Risk considerations:
- Legal and Compliance Risk
- Check 21
- Reg CC
- Reg J
- NACHA
- BSA/AML
- Applicable State Laws
- FIs should ensure that legal agreements properly allocate and limit liability, identify methods for resolving disputes, and define choice of legal jurisdiction (such as UCC Articles 3 & 4, Reg CC, Clearinghouse Rules, FRB Operating Circulars, etc.)
- Operational Risk
- FIs must develop policies and procedures for their processes
- Require customers to implement document management procedures
- Guidance considers the transfer of deposit transaction information to represent “the movement of funds to other parties”
- RDC systems using the Internet should implement multifactor authentication, layered security, or other controls reasonably calculated to mitigate risk
- If the Risk Assessment supports the conclusion that the risks associated with RDC can be effectively mitigated, measured and monitored, then the FI should implement appropriate risk management policies (in addition to the operational policies and procedures)
Customer Due Diligence and Suitability
- Financial Institutions should establish appropriate risk-based guidelines to qualify customers for this service. In general, information gathered while conducting customer identification and customer due diligence procedures in fulfillment of the institution’s BSA/AML program can support the assessment of customer suitability. Some items to consider are:
- Customer’s business activities and risk management processes
- Geographic Location
- Customer Base
- The depth of the review should be commensurate with the level of risk
- Visits to the customer’s location may be required
- Review of independent audits of the customer may be required, or, at a minimum, a self-assessment conducted by the customer
- Customers should receive sufficient training and the training should include documentation that addresses routine operations and procedures
- Strong, well-constructed contracts and customer agreements are critical in mitigating the FI’s risk. The FI’s legal counsel should assist in developing the contracts and agreements.
- Contracts and agreements should identify roles, responsibilities and liabilities
- RDC agreements should establish the control requirements identified during the risk assessment process and the consequences of noncompliance
- Specific contract provisions for consideration include:
- Roles and responsibilities of the parties, including those related to the sale or lease of equipment and software needed for RDC at the customer location;
- Handling and record retention procedures for the information in RDC, including physical and logical security expectations for access, transmission, storage, and disposal of deposit items containing nonpublic personal information;
- Types of items that may be transmitted;
- Processes and procedures that the customer must follow, including those related to image quality;
- Imaged documents (or original documents, if available) RDC customers must provide to facilitate investigations related to unusual transactions or poor quality transmission, or to resolve disputes;
- Periodic audits of the RDC process, including the IT infrastructure;
- Performance standards for the FI and the customer;
- Allocation of liability, warranties, indemnification, and dispute resolution;
- Funds availability, collateral, and collected funds requirements;
- Governing laws, regulations, and rules;
- Authority of the FI to mandate specific controls at the customer’s locations, audit customer operations, or require additional customer information; and,
- Authority of the FI to terminate the RDC relationship
Vendor Due Diligence and Suitability
- FIs that rely on service providers for RDC activities should ensure implementation of sound vendor management processes as described in the Outsourcing Technology Services Booklet of the FFIEC IT Examination Handbook.
Business Continuity
- The FI’s business continuity plan should address RDC systems and business processes
- Testing activities should assess whether restoration of systems and processes meets recovery objectives and time frames
- To the extent possible, contingency plan development and testing should be coordinated with customers using RDC
Other Mitigation and Control Considerations
- FIs should implement appropriate controls that mitigate the operational risks of RDC, including those related to item processing as discussed in the Operations Booklet of the FFIEC IT Examination Handbook
- Controls should be designed and implemented to ensure the security and integrity of nonpublic personal information
- Separation of duties at both the FI and customer location can mitigate the risk of one person having responsibility for end-to-end RDC processing
- Strong change control processes for changes to the platform should be implemented
- Controls to reduce the risk of processing an item more than once should be implemented
Measuring and Monitoring
- FIs should develop and implement risk measuring and monitoring systems for effective oversight
- FIs should ensure that customers using RDC have implemented operational and risk monitoring processes
- Effective management oversight involves regularly reviewing reports and periodically conducting reviews and operational risk assessments
- FIs should establish key operational metrics that support accurate and timely monitoring of risk within the RDC process
- Reports that may provide oversight of RDC include:
- Duplicate entries
- Violations of deposit threshold limits
- Velocity metrics, such as file size and number of files, transaction dollar value and volume, and return item dollar value and volume
- Reject items and corrections
- CAR/LAR adjustments
- Point-in-time activities and trend analysis for individual, groups of customers and for the product as a whole
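As an added illustration of the duplicate-item control and three of the oversight reports listed above (example code written for this newsletter summary, not part of the FIL or of any RDC product), the following Python runs duplicate detection, deposit-threshold checks and velocity metrics over a handful of constructed deposit items; the field names and per-customer daily limits are assumptions.

```python
from collections import defaultdict

# Constructed sample RDC items (not real data). Each entry is one imaged
# check a customer transmitted; the same check appearing in a second file
# is the "processed more than once" risk the guidance calls out.
ITEMS = [
    {"item": "i1", "customer": "C100", "file": "f1", "routing": "121000248", "account": "111", "check_no": "1001", "amount": 250.00},
    {"item": "i2", "customer": "C100", "file": "f1", "routing": "121000248", "account": "111", "check_no": "1002", "amount": 4800.00},
    {"item": "i3", "customer": "C100", "file": "f2", "routing": "121000248", "account": "111", "check_no": "1001", "amount": 250.00},
    {"item": "i4", "customer": "C200", "file": "f3", "routing": "026009593", "account": "222", "check_no": "77", "amount": 12000.00},
    {"item": "i5", "customer": "C200", "file": "f3", "routing": "026009593", "account": "222", "check_no": "78", "amount": 300.00},
]

# Hypothetical per-customer daily deposit limits, as set when each
# customer was qualified for RDC during due diligence.
DAILY_LIMITS = {"C100": 10000.00, "C200": 10000.00}


def duplicate_items(items):
    """Return (repeat, original) id pairs where an item's MICR line
    (routing, account, check number) and amount match an earlier item."""
    seen, dups = {}, []
    for it in items:
        key = (it["routing"], it["account"], it["check_no"], it["amount"])
        if key in seen:
            dups.append((it["item"], seen[key]))
        else:
            seen[key] = it["item"]
    return dups


def threshold_violations(items, limits):
    """Customers whose transmitted dollars for the day exceed their limit."""
    totals = defaultdict(float)
    for it in items:
        totals[it["customer"]] += it["amount"]
    return {c: t for c, t in totals.items() if t > limits.get(c, 0.0)}


def velocity_metrics(items):
    """Per-customer file count, item count and dollar volume."""
    files, count, dollars = defaultdict(set), defaultdict(int), defaultdict(float)
    for it in items:
        c = it["customer"]
        files[c].add(it["file"])
        count[c] += 1
        dollars[c] += it["amount"]
    return {c: {"files": len(files[c]), "items": count[c], "dollars": dollars[c]} for c in count}
```

Note that the duplicate item still counts toward C100's dollar volume, which is why duplicate detection should run before the threshold and velocity reports are acted on.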
AND SEE WHAT’S NEW!
RLR welcomes John Neely as Executive Vice President
John Neely joins RLR Management Consulting, Inc. as Executive Vice President, Sales and Marketing. John brings to RLR over 30 years of financial industry experience. Most recently, John was with RSM McGladrey where he was instrumental in developing their Southern California Risk Management Services Consulting Practice, and directing sales of IT Risk Management Services to Community Banks in Southern California.
Prior to his six years with McGladrey, John’s extensive experience includes positions with the California Bankers Association, ALLTEL Information Systems and Checkfree. His banking career included management positions with American Express, Wells Fargo and Cal Fed. John will be responsible for directing RLR’s business development activities and will lead RLR’s efforts in meeting our clients and working with them to ensure that required strategies are created and executed and desired consulting services are delivered.
John is a graduate of the University of Louisville, School of Business and resides in Palos Verdes, CA.
Technology Guidance Program
Sign up for our Technology Guidance Program to receive detailed, timely updates on our guidance and a summary of the impact to your financial institution.
Where RLR will be:
Conferences & Exhibits
- 4/26-4/28: ITI National Conference - Las Vegas, NV
- 5/3-5/6: PCBB 2009 Executive Management Conference-San Francisco, CA
- 6/17-6/19: CBA Security Management & IT Conference - Costa Mesa, CA
- 9/23-9/26: Harland Client Connections Conference-San Diego, CA
- 9/24-9/25: WSUG Fall Meeting – Sacramento, CA
- 10/14-10/16: WIB 2009 Annual Bank Technology & Security Summit - San Diego, CA
Speaking Engagements
- 6/16: Ruth Razook, CEO: Harland Financial Seminar - Costa Mesa, CA
How to contact RLR
Corporate Office:
78-010 Main St., Suite 200
La Quinta, CA 92253
1-888-757-7330 toll-free
(760) 771-5036
(760) 564-1839 fax
Ruth Razook, CEO:
Mitch Razook, President & COO:
John Neely, EVP, Sales & Marketing:
Cathi Wickham, SVP: