AMLA RDC & ACH BEST PRACTICES TRAINING
June 23, 2010
Conducted by Michelle Hemerley, Senior Vice President, Kenney Bank & Trust

OVERVIEW
• Definitions of RDC, RCC, ACH & Third Party
• Risk and Best Practices for RDC, RCC, ACH & Third Party Accounts
• Unfair and Deceptive Acts or Practices (UDAP)
• OFAC & Reporting Suspicious Activity
• Best Practices Checklists
• Questions

Definitions

Remote Deposit Capture (RDC)
• Remote Deposit Capture, in its most simple terms, is a service which allows a user to scan checks and transmit the scanned images to a bank for posting and clearing.
• The basic requirements for an RDC service currently include a PC, an internet connection, a check scanner and a service provider that offers RDC services.
• Checks received at a business or bank location can be scanned to create a digital deposit.
• This digital deposit is then transmitted (usually over an encrypted internet connection) to the RDC bank or service provider who then accepts the deposit, posts the deposit to the business account and assigns availability based upon the availability schedule.

Remote Deposit Capture (RDC)
• “The most important development the (U.S.) banking industry has seen in years”
• Benefits include convenience, better deposit availability and reduced cost, risk and volume of paper associated with physically mailing or depositing checks
• Not all RDC solutions are the same. Additional functionality such as Intelligent Character & Document Recognition, data management through business rules, the ability to feed internal systems, intelligent clearing capabilities and many others can further add value to the business case

Remotely Created Checks (RCC)
• "Remotely created checks" typically are created when the holder of a checking account authorizes a payee to draw a check on that account but does not actually sign the check.
• The check is authorized remotely by telephone or on-line.
• In place of the account-holder's signature, the remotely created check generally bears a statement that the customer authorized the check or bears the customer's printed or typed name.

Remotely Created Checks (RCC)
• Remotely Created Checks are being used more often because they have up to 40 characters in the notes section to explain the transaction (as opposed to only 12 characters for ACH transactions)
• Although remotely created checks are a useful payment device for consumers and vendors, they have also become vulnerable to fraud because they do not bear a signature or other verifiable authorization.

Automated Clearing House (ACH)
• The Automated Clearing House Network is a processing and delivery system that provides for the distribution and settlement of electronic credits and debits among financial institutions.
• The ACH Network was developed in response to the huge growth in check payments and provides an efficient, electronic alternative to paper checks.
• The Network is governed by the National Automated Clearing House Association (NACHA) Operating rules, commonly referred to as the ACH Rules.

Automated Clearing House (ACH)
• The ACH Network operates as a batch processing, value-dated, electronic funds transfer between an originating and a receiving bank.
• Transactions received by the financial institution during the day are stored and processed later in a batch mode. Instead of sending each payment individually, ACH transactions are gathered and sorted by destination for transmission during a set time period.
• This provides for faster processing than paper checks and allows all necessary transaction information to be transmitted electronically.
• The ACH Network is used for all kinds of fund transfer transactions, including direct deposit of paychecks and monthly debits for routine payments such as mortgage payments.

Automated Clearing House (ACH)
• An ACH transaction is authorized by an individual or organization (Receiver), to be initiated by another individual or organization (Originator)
• The Originator then provides to an Originating Depository Financial Institution (ODFI) or its third party processor a file containing information on the ACH transaction formatted per NACHA rules
• The ODFI or its third party processor then transmits the information in a file to an operator (ACH Operator)
• The file is made up of a batch of ACH transactions. Each transaction is either an electronic debit or credit formatted per NACHA rules

Automated Clearing House (ACH)
• The ACH Operator then sorts the transactions and transmits them to a Receiving Depository Financial Institution (RDFI) or its third party processor
• The RDFI then posts the ACH transaction to the Receiver’s account
• A return notification is sent if there are insufficient funds in the account
• There are new rules for any International ACH transaction (IAT)

Automated Clearing House (ACH)
• Each ACH transaction is required to be identified by a Standard Entry Class (SEC) Code - a three character code that identifies the payment type.
• SEC Codes are divided into various types: consumer, corporate, both consumer and non-consumer accounts, and other.
• In addition to the SEC Code, an Originator must include a Transaction Code - a two-digit code that determines whether the entry is a debit or credit to a DDA account, savings account, or general ledger account, or whether the entry is a credit to a loan account.

Third Party Payment Processor
• Non-bank or third-party payment processors are bank customers that provide payment-processing services to merchants and other business entities.
• These merchant transactions include credit card payments, ACH, Remotely Created Checks and debit and stored value card transactions.
• With the expansion of the Internet, processors now service a variety of merchant accounts including conventional retail and internet based establishments.

Risks and Best Practices for RDC, RCC and ACH Accounts

FFIEC RDC Guidance
• Risk management, governance and oversight should be based on the size and complexity of the Bank & relative scale and impact of RDC activities
• RDC Risk Assessment should include:
  – Risks: Strategic, Credit, Compliance/BSA, Operational, Transaction, Legal and Reputation Risks
  – Security and confidentiality risks as well as vulnerability and business continuity risks
  – Risk tolerance levels

RDC / RCC / ACH Risks
• Bank has two primary responsibilities:
  1) Complete due diligence & underwriting on customer - Consider customer’s business activities, geographic location and customer base
  2) Monitor for high levels of unauthorized returns or suspicious or unusual patterns of activity
• Ensure the Bank maintains appropriate policies, procedures and controls relative to risk
• Train the RDC customer

RDC / RCC / ACH Risks
• Create customer parameters which include:
  – A list of acceptable industries
  – Standardized underwriting criteria (i.e., credit history, financial statements, ownership structure, types of business, Google, etc.)
  – Set maximums for large dollar items
• Obtain expected account activity such as the anticipated number, dollar volume and type of transaction
• Monitor the returns and any changes in the volume or dollar amounts of the transactions

RDC / RCC / ACH Risks
• Visit the high-risk RDC, RCC or ACH customers and obtain enhanced due diligence
• Contracts should include:
  – Requirements to retain, protect, and ultimately destroy original documents
  – Requirements for properly securing equipment to prevent inappropriate use and effective equipment security controls (i.e., passwords, dual control access)
  – Event of counterfeit documents or double deposits
  – Additional laws such as Unlawful Internet Gambling Enforcement Act (UIGEA)

Third-party Payment Processors
• Risk – Money laundering, identity theft, fraud, & reputational risks
• Know your customer’s customer, understand the nature and source of transactions as well as their target clientele (i.e., review websites, promotional materials)
• Determine if the processor re-sells services to a 3rd party who may be referred to as an agent or Independent Sales Organization (ISO)
• Review the processor’s policies, procedures and processes to determine the adequacy of its due diligence standards

Third-party Payment Processors
• Identify the processor’s major customers
• Visit the processor’s business operations center
• Review corporate documentation including independent reporting services and documentation on principal owners
• The bank should have a good understanding of:
  – Merchant base and activities
  – Average number and dollar volume as well as number of transactions
  – Account history including rates of return and anticipated rates of return

Third Party Payment Processor
• Google and read the information – customer indicted
• Sites dedicated to complaints about company
• Obtain examples of due diligence third party obtains
• Obtain written agreements between the processor and their customers
• Be sure to train the third party on why you need enhanced due diligence information
• Just because it is Payroll doesn’t mean they are clean

Unfair and Deceptive Acts or Practices (UDAP)

UDAP – “Unfairness”
• Causes “substantial” consumer injury
  – Can be substantial for few or slight for many
  – Normally monetary, not emotional harm
• Is not outweighed by consumer or competitive market benefits
• Could have been reasonably avoided

UDAP – “Deceptive”
• Representation, omission or practice that:
  – Is likely to mislead a consumer acting reasonably
  – Is material in impacting consumer decisions and behavior
• A statement can be literally true but still deceptive
• Hard to identify

UDAP – Recent Cases
• Wachovia – OCC fine 5/08 - $144 million
  – 3rd party actions by telemarketers & payment processors involving remotely created checks
  – Lesson: You are responsible for what’s being done by 3rd party relationships
• CompuCredit & 3 Banks – FDIC fine 6/08 - $114 million, $2.4 million Civil money penalties
  – Misleading credit card solicitations
  – $300 limit / $185 fee – targeting people with bad credit

UDAP – Recent Cases & Lessons
• Providian – OCC fine 6/00 - $300+ million in restitution and fees
  – Hidden fees, omission of terms, late disclosures
  – Didn’t know rate until transfer balances
  – 3% to exit
• Lessons
  – Be sure what they offer is what people are getting
  – Potential issue if you or 3rd parties are targeting elderly, minorities, non-English speaking, bad credit
  – Review complaints – document oral complaints

OFAC & Reporting Suspicious Activity

Office of Foreign Assets Control
• Run all signers through OFAC
• Run all owners and high-risk customers through Worldcheck (includes OFAC), including owners of LLCs
• Perform OFAC Scrub regularly
• The ODFI is responsible for verifying the Originator is not a blocked party and the RDFI is responsible for verifying the receiver is not a blocked party. They rely on each other.

Reporting Suspicious Activity
• If suspicious activity is noted, complete Unusual Activity Form and send to BSA/AML Department immediately
• Be sure to explain “Who”, “What”, “When”, “Where”, “How” and “Why” you are suspicious
• Keep CONFIDENTIAL – never discuss with customer

Enhanced Due Diligence Checklists

Questions?
Agenda items will follow the Q & A Session

Regulatory Update FinCEN
April 16, 2010: FinCEN Encourages Financial Institutions to Consider Benefits of BSA E-Filing. FinCEN developed and released a brochure explaining the benefits of e-filing. It can be found on their website.
April 27, 2010: FinCEN Advisory-2010-A004: Filing Suspicious Activity Reports Regarding FHA Home Equity Conversion Mortgage Fraud Schemes – This scheme targets the elderly and a form of reverse mortgages under FHA's Home Equity Conversion program. Advisory contains examples of common fraud schemes and potential "red flags" for fraudulent activity.
(Continued)

Regulatory Update FinCEN
• Suggests key words for financial institutions to use when completing SARs involving fraud related to the HECM program. FinCEN is requesting that you enter specific language in your SAR if you note this kind of activity within your organization so they may readily identify these schemes. You do not have to be a provider of this product to see activity, as you might have a customer that has an elderly parent and they deposit funds into their bank account with your FI and never disburse the money to the elderly parent.

Regulatory Update FinCEN
April 29, 2010: FFIEC 2010 BSA/AML Examination Manual Interagency Release. Significant Updates are noted in the table of contents as “2010.”
Most recent MSB List as of May 2010 on FinCEN site
June 17, 2010: FinCEN released its first analysis of suspicious activity reports containing information about potential foreclosure rescue scams.
The report, Loan Modification and Foreclosure Rescue Scams – Evolving Trends and Patterns in Bank Secrecy Act Reporting, involved an analysis of more than 3,500 SARs filed from 2004 through 2009.
(Continued)

Regulatory Update FinCEN
A majority, 3,000, were filed last year. Also FinCEN provided updated guidance to the financial industry concerning new scam techniques that financial professionals should watch for and report.
June 21, 2010: Notice of Proposed Rulemaking: Amendment to the Bank Secrecy Act Regulations applicable to MSBs with regard to stored value or prepaid access. The Prepaid Access Rule Proposes Greater Transparency to Help Curb Money Laundering and Terrorist Financing and to fill in regulatory gaps and areas of vulnerability with a more comprehensive regulatory framework.
(Continued)

Regulatory Update FinCEN
Major features of the proposal are:
Renaming “stored value” as “prepaid access” without intending to broaden or narrow the term and defining the term to allow for future changes in technology and prepaid devices;
Deleting the terms “issuer” and “redeemer” of stored value and adding the terms "provider" and "seller";

Regulatory Update FinCEN
Major features of the proposal are (continued):
Placing registration requirements on providers of prepaid access and suspicious activity reporting, customer information recordkeeping, and new transactional recordkeeping requirements on both providers and sellers of prepaid access; and
Exempting certain categories of prepaid access products and services posing lower risks of money laundering and terrorist financing from certain requirements.

Enforcement / Other Regulatory Actions
June 3, 2010: FinCEN: CMP of $1 Million against Pamrapo Savings Bank, S.L.A., of Bayonne, N.J. for violating requirements under the Bank Secrecy Act.
May 4, 2010: FinCEN and FDIC: $25,000 CMP against Eurobank, San Juan, Puerto Rico.
FinCEN and FDIC allege Eurobank failed to implement an adequate anti-money laundering program and monitor accounts for suspicious activity.
June 3, 2010: OFAC Penalties & Enforcement Actions - 2 actions: $16,366.00 total.

OFAC
OFAC Release March 1, 2010: 2009 OFAC Annual Report - Assets in the United States of Terrorist Countries and International Terrorism Program Designees

Reports/Fact Sheets
314(a) Facts and Figures (06/15/2010)
Law Enforcement Information Sharing with the Financial Industry (06/1/2010)
The SAR Activity Review - By the Numbers: January 2010
SAR Activity Review Trends and Tips - Issue 17 Casino and Gaming Industry – May 2010
314a Point of Contact Info Change - April 8, 2010

MEETING ADJOURNED
Thank you for attending and participating with us today.
Visit us at www.theamla.com