AMLA RDC ACH Training 6 10 v2 - The Anti

AMLA
RDC & ACH BEST PRACTICES
TRAINING
June 23, 2010
Conducted by Michelle Hemerley
Senior Vice President, Kenney Bank & Trust
OVERVIEW
• Definitions of RDC, RCC, ACH & Third Party
• Risk and Best Practices for RDC, RCC, ACH &
Third Party Accounts
• Unfair and Deceptive Acts or Practices (UDAP)
• OFAC & Reporting Suspicious Activity
• Best Practices Checklists
• Questions
Definitions
Remote Deposit Capture (RDC)
• Remote Deposit Capture, in its most simple terms, is a
service which allows a user to scan checks and transmit
the scanned images to a bank for posting and clearing.
• The basic requirements for an RDC service currently
include a PC, an internet connection, a check scanner
and a service provider that offers RDC services.
• Checks received at a business or bank location can be
scanned to create a digital deposit.
• This digital deposit is then transmitted (usually over an
encrypted internet connection) to the RDC bank or
service provider who then accepts the deposit, posts
the deposit to the business account and assigns
availability based upon the availability schedule.
Remote Deposit Capture (RDC)
• “The most important development the (U.S.) banking
industry has seen in years”
• Benefits include convenience, better deposit availability
and reduced cost, risk and volume of paper associated
with physically mailing or depositing checks
• Not all RDC solutions are the same. Additional
functionality such as Intelligent Character & Document
Recognition, data management through business rules,
the ability to feed internal systems, intelligent clearing
capabilities and many others can further add value to
the business case
Remotely Created Checks (RCC)
• "Remotely created checks" typically are created when the
holder of a checking account authorizes a payee to draw a
check on that account but does not actually sign the check.
• The check is authorized remotely by telephone or on-line.
• In place of the account-holder's signature, the remotely
created check generally bears a statement that the
customer authorized the check or bears the customer's
printed or typed name.
Remotely Created Checks (RCC)
• Remotely Created Checks are being used more often
because they have up to 40 characters in the notes section
to explain the transaction (as opposed to only 12
characters for ACH transactions)
• Although remotely created checks are a useful payment
device for consumers and vendors, they have also become
vulnerable to fraud because they do not bear a signature or
other verifiable authorization.
Automated Clearing House (ACH)
• The Automated Clearing House Network is a processing
and delivery system that provides for the distribution
and settlement of electronic credits and debits among
financial institutions.
• The ACH Network was developed in response to the
huge growth in check payments and provides an
efficient, electronic alternative to paper checks.
• The Network is governed by the National Automated
Clearing House Association (NACHA) Operating rules,
commonly referred to as the ACH Rules.
Automated Clearing House (ACH)
• The ACH Network operates as a batch processing, value-dated,
electronic funds transfer between an originating and a receiving
bank.
• Transactions received by the financial institution during the day
are stored and processed later in a batch mode. Instead of
sending each payment individually, ACH transactions are
gathered and sorted by destination for transmission during a set
time period.
• This provides for faster processing than paper checks and allows
all necessary transaction information to be transmitted
electronically.
• The ACH Network is used for all kinds of fund transfer
transactions, including direct deposit of paychecks and monthly
debits for routine payments such as mortgage payments.
Automated Clearing House (ACH)
• An ACH transaction is authorized by an individual or
organization (Receiver), to be initiated by another
individual or organization (Originator)
• The Originator then provides to an Originating Depository
Financial Institution (ODFI) or its third party processor a
file containing information on the ACH transaction
formatted per NACHA rules
• The ODFI or its third party processor then transmits the
information in a file to an operator (ACH Operator)
• The file is made up of a batch of ACH transactions. Each
transaction is either an electronic debit or credit formatted
per NACHA rules
Automated Clearing House (ACH)
• The ACH Operator then sorts the transactions and
transmits to a Receiving Depository Financial
Institution (RDFI) or its third party processor
• The RDFI then posts the ACH transaction to the
Receiver’s account
• A return notification is sent if there are insufficient
funds in the account
• There are new rules for any International ACH
transaction (IAT)
Automated Clearing House (ACH)
• Each ACH transaction is required to be identified by a
Standard Entry Class (SEC) Code - a three character
code that identifies the payment type.
• SEC Codes are divided into various types: consumer,
corporate, both consumer and non-consumer accounts,
and other.
• In addition to the SEC Code, an Originator must include
a Transaction Code - a two-digit code that determines
whether the entry is a debit or credit to a DDA account,
savings account, or general ledger account, or whether
the entry is a credit to a loan account.
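The SEC Code and Transaction Code described above, read out of fixed-width ACH records. This is an added example, not part of the original training material: the field positions and the Transaction Code table come from the NACHA record layout, which the slides do not reproduce, and the sample batch (company name, routing digits, the PPD SEC Code, names, amounts) is constructed.

```python
# Added example: offsets follow the NACHA fixed-width layout (94-character records).
RECORD_LEN = 94

# Live-entry Transaction Codes mapped to (account type, direction).
TRANSACTION_CODES = {
    "22": ("DDA", "credit"), "27": ("DDA", "debit"),
    "32": ("savings", "credit"), "37": ("savings", "debit"),
    "42": ("general ledger", "credit"), "47": ("general ledger", "debit"),
    "52": ("loan", "credit"),
}

def parse_batch(lines):
    """Return one dict per Entry Detail record, tagged with its batch's SEC Code."""
    entries, sec_code = [], None
    for n, line in enumerate(lines, 1):
        if len(line) != RECORD_LEN:
            raise ValueError(f"record {n}: expected {RECORD_LEN} characters, got {len(line)}")
        if line[0] == "5":                        # Batch Header: SEC Code, positions 51-53
            sec_code = line[50:53]
        elif line[0] == "6":                      # Entry Detail
            if sec_code is None:
                raise ValueError(f"record {n}: entry outside a batch")
            tx = line[1:3]                        # Transaction Code, positions 2-3
            if tx not in TRANSACTION_CODES:
                raise ValueError(f"record {n}: unrecognized Transaction Code {tx!r}")
            account, direction = TRANSACTION_CODES[tx]
            entries.append({
                "sec_code": sec_code, "transaction_code": tx,
                "account_type": account, "direction": direction,
                "amount_cents": int(line[29:39]),  # positions 30-39, two implied decimals
                "name": line[54:76].strip(),       # positions 55-76
            })
        elif line[0] == "8":                      # Batch Control closes the batch
            sec_code = None
    return entries

def sample_header(sec):   # builds a constructed Batch Header record
    return ("5" + "200" + "EXAMPLE CO".ljust(16) + " " * 20 + "1234567890"
            + sec + "PAYROLL".ljust(10) + " " * 6 + "100623" + "   " + "1"
            + "01234567" + "0000001")

def sample_entry(tx, cents, name):   # builds a constructed Entry Detail record
    return ("6" + tx + "01234567" + "8" + "000111222".ljust(17) + f"{cents:010d}"
            + "ID0001".ljust(15) + name.ljust(22) + "  " + "0" + "012345670000001")

# Constructed sample batch: one DDA credit and one savings debit under SEC Code PPD.
SAMPLE = [sample_header("PPD"), sample_entry("22", 150000, "JANE SAMPLE"),
          sample_entry("37", 4599, "JOHN SAMPLE")]
```

Rejecting records of the wrong length or with an unrecognized Transaction Code before posting keeps malformed entries out of downstream monitoring.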
Third Party Payment Processor
• Non-bank or third-party payment processors are bank
customers that provide payment-processing services to
merchants and other business entities.
• These merchant transactions include credit card
payments, ACH, Remotely Created Checks and debit
and stored value cards transactions.
• With the expansion of the Internet, processors now
service a variety of merchant accounts including
conventional retail and internet based establishments.
Risks and Best Practices for
RDC, RCC and ACH
Accounts
FFIEC RDC Guidance
• Risk management, governance and oversight
should be based on the size and complexity of the
Bank & relative scale and impact of RDC activities
• RDC Risk Assessment should include:
  • Risks – Strategic, Credit, Compliance/BSA,
  Operational, Transaction, Legal and Reputation Risks
  • Security and confidentiality risks as well as
  vulnerability and business continuity risks
  • Risk tolerance levels
RDC / RCC / ACH Risks
• Bank has two primary responsibilities:
1) Complete Due diligence & underwriting on customer
- Consider customer’s business activities,
geographic location and customer base
2) Monitor for high levels of unauthorized returns or
suspicious or unusual patterns of activity
• Ensure the Bank maintains appropriate policies,
procedures and controls relative to risk
• Train the RDC customer
RDC / RCC / ACH Risks
• Create customer parameters which include:
  • A list of acceptable industries
  • Standardized underwriting criteria (i.e., credit history, financial
  statements, ownership structure, types of business, Google,
  etc.)
  • Set maximums for large dollar items
• Obtain expected account activity such as the anticipated
number, dollar volume and type of transaction
• Monitor the returns and any changes in the volume or
dollar amounts of the transactions
RDC / RCC / ACH Risks
• Visit the high-risk RDC, RCC or ACH customers and
obtain enhanced due diligence
• Contracts should include:
  • Requirements to retain, protect, and ultimately destroy original
  documents
  • Requirements for properly securing equipment to prevent
  inappropriate use and effective equipment security controls
  (i.e., passwords, dual control access)
  • Event of counterfeit documents or double deposits
  • Additional laws such as Unlawful Internet Gambling
  Enforcement Act (UIGEA)
Third-party Payment Processors
• Risk – Money laundering, identity theft, fraud, &
reputational risks
• Know your customer’s customer, understand the nature
and source of transactions as well as their target clientele
(i.e., review websites, promotional materials)
• Determine if the processor re-sells services to a 3rd party
who may be referred to as an agent or Independent Sales
Organization (ISO)
• Review the processor’s policies, procedures and
processes to determine the adequacy of its due diligence
standards
Third-party Payment Processors
• Identify the processor’s major customers
• Visit the processor’s business operations center
• Review corporate documentation including independent
reporting services and documentation on principal owners
• The bank should have a good understanding of:
  • Merchant base and activities
  • Average number and dollar volume as well as number
  of transactions
  • Account history including rates of return and
  anticipated rates of return
Third Party Payment Processor
• Google and read the information – customer indicted
• Sites dedicated to complaints about company
• Obtain examples of due diligence third party obtains
• Obtain written agreements between the processor and
their customers
• Be sure to train the third party on why you need
enhanced due diligence information
• Just because Payroll doesn’t mean they are clean
Unfair and Deceptive
Acts or Practices
(UDAP)
UDAP – “Unfairness”
• Causes “substantial” consumer injury
– Can be substantial for few or slight for many
– Normally monetary, not emotional harm
• Is not outweighed by consumer or competitive
market benefits
• Could have been reasonably avoided
UDAP – “Deceptive”
• Representation, omission or practice that:
– Is likely to mislead a consumer acting reasonably
– Is material in impacting consumer decisions and
behavior
• A statement can be literally true but still deceptive
• Hard to identify
UDAP – Recent Cases
• Wachovia – OCC fine 5/08 - $144 million
– 3rd party actions by telemarketers & payment processors
involving remotely created checks
– Lesson: You are responsible for what’s being done by 3rd
party relationships
• CompuCredit & 3 Banks – FDIC fine 6/08 - $114
million, $2.4 million Civil money penalties
– Misleading credit card solicitations
– $300 limit / $185 fee – targeting people with bad credit
UDAP – Recent Cases & Lessons
• Providian – OCC fine 6/00 - $300+ million in
restitution and fees
– Hidden fees, omission of terms, late disclosures
– Didn’t know rate until transfer balances – 3% to exit
• Lessons
– Be sure what they offer is what people are getting
– Potential issue if you or 3rd parties are targeting elderly,
minorities, non-English speaking, bad credit
– Review complaints – document oral complaints
OFAC & Reporting
Suspicious Activity
Office of Foreign Assets Control
• Run all signers through OFAC
• Run all owners and high-risk
customers through Worldcheck
(includes OFAC), including owners of
LLCs
• Perform OFAC Scrub regularly
• The ODFI is responsible for verifying
the Originator is not a blocked party
and the RDFI is responsible for
verifying the receiver is not a blocked
party. They rely on each other.
Reporting Suspicious Activity
• If suspicious activity is noted,
complete Unusual Activity Form
and send to BSA/AML
Department immediately
• Be sure to explain “Who”, “What”,
“When”, “Where”, “How” and
“Why” you are suspicious
• Keep CONFIDENTIAL – never
discuss with customer
Enhanced Due Diligence
Checklists
Questions?
Agenda items will follow the
Q & A Session
Regulatory Update FinCEN
April 16, 2010: FinCEN Encourages Financial Institutions
to Consider Benefits of BSA E-Filing. FinCEN developed
and released a brochure explaining the benefits of
e-filing. Found on their website.
April 27, 2010: FinCEN Advisory-2010-A004: Filing
Suspicious Activity Reports Regarding FHA Home
Equity Conversion Mortgage Fraud Schemes – This
scheme targets the elderly and a form of reverse
mortgages under FHA's Home Equity Conversion
program. Advisory contains examples of common fraud
schemes and potential "red flags" for fraudulent activity.
(Continued)
Regulatory Update FinCEN
• Suggests key words for financial institutions to use
when completing SARs involving fraud related to
the HECM program. FinCEN is requesting that you
enter specific language in your SAR if you note this kind
of activity within your organization so they may readily
identify these schemes. You do not have to be a
provider of this product to see activity as you might
have a customer that has an elderly parent and they
deposit funds into their bank account with your FI and
never disburse the money to the elderly parent.
Regulatory Update FinCEN
April 29, 2010: FFIEC 2010 BSA/AML Examination
Manual Interagency Release. Significant Updates are
noted in the table of contents as “2010.” Most recent
MSB List As of May 2010 on FinCEN site
June 17, 2010: FinCEN released its first analysis of
suspicious activity reports containing information about
potential foreclosure rescue scams. The report, Loan
Modification and Foreclosure Rescue Scams –
Evolving Trends and Patterns in Bank Secrecy Act
Reporting, involved an analysis of more than 3,500
SARs filed from 2004 through 2009.
(Continued)
Regulatory Update FinCEN
A majority, 3,000, were filed last year. Also FinCEN provided
updated guidance to the financial industry concerning new scam
techniques that financial professionals should watch for and
report.
June 21, 2010: Notice of Proposed Rulemaking: Amendment to
the Bank Secrecy Act Regulations applicable to MSBs with
regard to stored value or prepaid access. The Prepaid Access
Rule Proposes Greater Transparency to Help Curb Money
Laundering and Terrorist Financing and to fill in regulatory gaps
and areas of vulnerability with a more comprehensive regulatory
framework.
(Continued)
Regulatory Update FinCEN
Major features of the proposal are:
Renaming “stored value” as “prepaid access” without
intending to broaden or narrow the term and defining
the term to allow for future changes in technology and
prepaid devices;
Deleting the terms “issuer” and “redeemer” of stored value
and adding the terms "provider" and "seller";
Regulatory Update FinCEN
Continued----Major features of the proposal are:
Placing registration requirements on providers of prepaid
access and suspicious activity reporting, customer
information recordkeeping, and new transactional
recordkeeping requirements on both providers and
sellers of prepaid access; and
Exempting certain categories of prepaid access products
and services posing lower risks of money laundering
and terrorist financing from certain requirements.
Enforcement / Other Regulatory Actions
June 3, 2010: FinCEN: CMP of $1 Million against
Pamrapo Savings Bank, S.L.A., of Bayonne, N.J. for
violating requirements under the Bank Secrecy Act.
May 4, 2010: FinCEN and FDIC: $25,000 CMP against
Eurobank, San Juan, Puerto Rico. FinCEN and FDIC
allege Eurobank failed to implement an adequate
anti-money laundering program and monitor accounts for
suspicious activity.
June 3, 2010- OFAC Penalties & Enforcement Actions - 2
actions: $16,366.00 total.
OFAC
OFAC Release March 1, 2010:
2009 OFAC Annual Report-Assets in the United States of Terrorist
Countries and International Terrorism Program Designees
Reports/Fact Sheets
314(a) Facts and Figures (06/15/2010)
Law Enforcement Information Sharing with the Financial
Industry (06/1/2010)
The SAR Activity Review-By the Numbers: January 2010
SAR Activity Review Trends and Tips-Issue 17 Casino and
Gaming Industry –May 2010
314a Point of Contact Info Change-April 8, 2010
MEETING ADJOURNED
Thank you for attending and participating
with us today.
Visit us at www.theamla.com