More and more financial institutions are rolling out a mobile deposit capture product to their account holders. Whether you have been offering this service for several years or are contemplating adding it, here are some key things to keep in mind related to procedures and controls surrounding this service offering.
Ideally, before offering any new service or product, you should complete a risk assessment to ensure the risks are captured, documented and mitigated to the extent possible. The risk assessment process can also help you choose between vendors and compare those that have controls built into their software products versus those that would require additional legwork from your staff.
In addition to the initial implementation risk assessment, management should ensure mobile deposit capture is considered within the internal audit work plan and tested at least once every three years, or more often based on significant risk factors like number of transactions, dollar amount of transactions, amount of management oversight, and personnel turnover. This detailed testing will determine whether actual processes in place agree with established written procedures (more on that in a second) and whether risks are being properly addressed and mitigated.
Written Procedures and Controls
A significant way to mitigate risk in any process is to document the procedures and controls involved. Although some of this documentation may seem tedious at times, it is important that this guidance be written so that work performed is consistent and all necessary steps are completed. These written procedures can also be utilized as a training tool and a measure of employee performance.
Deposit Limits and Fraud Monitoring
Setting item limits and daily limits on transactions through mobile deposit is a critical component of risk mitigation with this type of service. Get to know your account holders and the type of transactions that are within the normal range. Set limits high enough to minimize the amount of manual review and deposit limit exceptions that must occur but low enough to minimize the risk to your institution.
In addition to deposit limits, you should ensure any transactions posting through mobile deposit capture are subjected to the same fraud monitoring protocol as other types of transactions. In our work with financial institutions, we have seen cases where the fraud software utilized didn’t include transaction codes related to mobile deposit transactions or where the transactions were not subject to duplicate deposit review on the core system. These gaps allowed fraud and losses to go undetected longer than they should have.
A change to Regulation CC effective July 1, 2018, clarified that if a check is presented for payment more than once, the institution physically holding the check will receive the payment, while any institution that accepted an electronic item (such as one received through mobile deposit capture) could be left with a loss for that item. To mitigate this risk, the change to Regulation CC allows an institution accepting an electronic item to protect itself by ensuring its account holder puts a restrictive endorsement on the check. Requiring your account holder to put “For mobile deposit only at ABC Financial Institution” on the back of the check is seen as an intent to deposit, which would then ensure your institution maintains the right to those funds.
In conclusion, making sure you have written policies and procedures, a risk assessment that is updated at least annually, and loss mitigation strategies such as deposit limits, fraud monitoring, and restrictive endorsements will help ensure this product is a win for your institution and your account holders.