FFIEC Guidance on RDC Risk Management: Are We any Safer Now?
16 September 2009
The Federal Financial Institutions Examination Council, FFIEC, issued its long-awaited guidance on remote deposit capture risk management in January 2009. The document clearly precipitated a flurry of activity among virtually every bank engaged in RDC. To many banks, the guidance was akin to raising the homeland security threat level from Green to Orange. RDC must be risky – I’d better do something! But a question arises now, some nine months since its release: did the guidance help banks better manage the risks associated with distributed capture? Are we any safer now? Celent offers two data points that suggest the FFIEC’s efforts, while well intentioned, did little to impact the operational readiness of banks’ RDC programs.

What Really Matters

Celent conducted a survey of US financial institutions in August 2009, generating 174 responses among RDC deploying banks, thrifts and credit unions. Respondents were a mix of product managers, executives, sales managers, operations and IT personnel. The survey sought to better understand the state of the industry and gauge future opportunity and adoption trends.

One question asked respondents to rank various aspects of their RDC program in order of importance. The question was a forced ranking, so respondents couldn’t say that everything was important. The specific items on the list were drawn from multiple bank interviews that preceded the survey.

The results were telling. With so much on their plates, and with so much unrealized opportunity in RDC, regulatory compliance was considered among the most important activities to be undertaken. Matters of customer service and reducing operational risk were judged to be less important. Interesting. The reported focus on regulatory compliance – second only to maximizing deposits (the very reason RDC exists for most banks) – was reinforced in post-survey telephone interviews.
Banks have been so demonized by the press, administration and elected officials, the last thing banks need is any further risk of bad PR or regulatory punishment. Hence compliance is nearly Job #1.

[Figure. Source: Celent FI survey, August 2009, n=174]

What Specific Actions has the Guidance Caused?

Another question in Celent’s August 2009 survey specifically asked: “What specific activities, if any, have you undertaken in response to the FFIEC guidance on RDC risk published in January 2009?” The question invited an open-ended response. Virtually every bank took action. A very small number of responding FIs asserted that no action was required because, after reading the guidance, they found themselves to be 100% in compliance. Hardly.

The table below groups the open-ended responses and lists them in order of frequency. The top 3 actions account for the majority of responses.

Specific Activities Undertaken as a Result of FFIEC Guidance
• Reviewed and revised policies and procedures
• Performed an internal risk assessment
• Tightened up deposit services agreement for RDC
• Ensured process and product in compliance
• Implemented deposit limits and improved reporting
• Implemented spot check of client retention and destruction procedures
• Tightened underwriting
• Increased security guidelines
• Improved intra-day deposit review
Source: Celent FI survey, August 2009, n=174

Thus, the FFIEC guidance has precipitated significant effort among thousands of banks – at great cost – to document and formalize what many banks were already doing. Tangible new efforts that would arguably identify and mitigate risk (deposit limits, improved reporting, intra-day deposit review, etc.) were relatively infrequent responses to the guidance.

Hopefully, now that the dust has settled on the FFIEC guidance, financial institutions can get back to creating new ways to better serve their customers.