How AML compliance applies to remote deposit capture
Financial institutions rushing to deploy remote deposit capture (RDC) need to consider how the Bank Secrecy Act and anti-money laundering regulations apply to the technology. In this tip, Dan Fisher explains what measures institutions need to take to ensure compliance with BSA/AML laws in their RDC implementations.
Remote deposit capture emerged as an unintended consequence of the Check Clearing for the 21st Century Act and is growing in popularity. Fundamental to the efficient and effective deployment of banking technology is the understanding of the regulatory implications and the development and integration of a compliance program as part of the design and implementation process.
Consequently, financial institutions need to consider how the Bank Secrecy Act and anti-money laundering regulations (BSA/AML) apply to remote deposit capture (RDC).
BSA/AML regulations, in large measure, have to do with required financial transaction record keeping by federally insured financial institutions and other designated entities. The requirements are in the areas of monitoring, risk assessments and reporting. The purpose of the act and subsequent regulations relate to the information and how the information is considered beneficial in investigations of criminal wrongdoing, tax code or regulatory violations.
There's no question that the Bank Secrecy Act applies to remote deposit capture, said Paul Carrubba, a payments system law expert with Adams and Reese LLP, a regional law firm with offices throughout the South. In fact, he said financial institutions can expect increased regulatory scrutiny with the use of RDC technology and cross-border transactions. Carrubba cautions institutions using RDC for customers located in foreign countries depositing checks drawn on domestic institutions, particularly instruments such as official checks, money orders and traveler's checks that are known vehicles for money laundering.
"When offering RDC," Carrubba said, "knowing your customer, in regard to these types of transactions, is critical to understanding and managing risk and to reduce potential adverse exposure to fraud and illegal activities."
In January, the Federal Financial Institutions Examination Council issued guidance regarding RDC, but it should be pointed out that in August of 2007 the FFIEC updated the BSA/AML examination handbook. Included in the electronic banking section is a discussion of examination control objectives regarding RDC that was issued almost 15 months prior to the issuance of specific guidance on RDC, which expanded the definition and scope of RDC technology. Ultimately, just including RDC in the exam objectives is enough to support the assertion that BSA/AML does, in fact, apply.
So, what are the issues and what steps should institutions take?
Complying with BSA/AML translates into taking overt and active measures that specifically address the control objectives outlined in the updated FFIEC BSA/AML handbook. Institutions need to establish:
- Controls that can effectively monitor RDC activity, including:
- Type of instruments deposited.
- Dollar limits.
- Transaction volume and frequency.
- Specific "Know Your Customer" criteria that comply with the Customer Identification program requirements (CIP) such as:
- The type of business.
- Location of business.
- Seasonal trends that may impact the business.
- Deviations or swings in account activity based on business environment.
- A continuous reporting process that will identify and inform the organization immediately of suspicious activity.
- A mechanism for the timely reporting of suspicious activity in compliance with BSA/AML.
Key to an effective KYC program is an aspect noted by Carrubba: "An institution should also put controls in place so the customer cannot go unnoticed as a money service business without registering."
Finally, BSA/AML is not the only regulatory implication financial institutions need to address. The FFIEC Guidance on RDC picked up where the BSA/AML exam handbook left off. Simply stated, The FFIEC defines RDC as:
- A deposit transaction delivery system.
- The digitizing of public and non-public information.
- The movement of money.
The conclusion is not only does BSA/AML apply, but both the Gramm-Leach-Bliley Act (GLBA) and the U.S. Patriot Act apply as well.
Ultimately, RDC is a tremendously beneficial technology; however, it is not without risks. The guidance is clear about what needs to be done in regard to establishing a comprehensive and effective compliance program.
About the author:
Dan Fisher is president and CEO of The Copper River Group, a consulting firm based in Fargo, N.D. that focuses on technology, payment systems research and consulting for community financial institutions. For nearly 30 years, Fisher has worked in the financial industry using technology to improve the bottom line. He has served as a director of the Federal Reserve Board of Minneapolis, chairman of the American Bankers Association Payment Systems Committee, and member of the Independent Community Bankers of America Payments Committee. He has written numerous articles on banking technology and the payments system, has authored or co-authored six books and recently published "Capturing Your Customer! The New Technology of Remote Deposit" You can contact him at [email protected]