OCC Bulletin 2009-4
January 14, 2009
Chief Executive Officers of All National Banks, Federal Branches and Agencies, Technology Service Providers, Department and Division Heads, and All Examining Personnel
The guidance attached to this bulletin continues to apply to federal savings associations.
The Federal Financial Institutions Examination Council (FFIEC) has issued the attached guidance, "Risk Management of Remote Deposit Capture" (RDC). RDC, a deposit transaction delivery system, can decrease processing costs, support new and existing banking products, and improve customers’ access to their deposits. RDC also exposes banks to risks in addition to those inherent in traditional deposit delivery systems.
The guidance addresses the necessary elements of an RDC risk management process in an electronic environment, focusing on RDC deployed at a customer location. The general principles of RDC risk management discussed in the guidance are also applicable to banks’ internal deployment and to other forms of electronic deposit delivery systems (e.g., mobile banking and automated clearing house check conversions).
A financial institution offering RDC should have sound risk management and mitigation systems in place and should require adequate risk management at its customers’ locations. As a part of the financial institution’s risk assessment process, prior to implementing RDC and periodically thereafter, management should identify the related types and levels of risk exposure. Comprehensive contracts and customer agreements should identify clearly the roles, responsibilities, and liabilities of all parties in the RDC process to minimize exposure to legal and compliance risks. Appropriate technology and process controls should be implemented at both the financial institution and the customer’s locations to address operational risk. Financial institution management and the customer should implement effective risk measurement and monitoring systems. Where appropriate and available, insurance coverage should be considered as a risk transfer mechanism. As with other financial services, RDC may not be appropriate for all customers or for all financial institutions.
For questions concerning the guidance, contact Bank Information Technology at (202) 649-6340.
Mark L. O'Dell
Deputy Comptroller for Operational Risk