Over the past few years, we’ve gotten a lot of questions from the banks and credit unions we serve about what we can do to help them comply with rules set down by various regulatory bodies including the FFIEC, OFAC, FinCEN, OCC, FDIC, and others. Our main hardware-specific tool for this purpose is Advisor by Digital Check®, a geolocation service that can track the physical location where deposits originate and flag suspicious activity.
Remote Deposit may be one of the more obscure payment methods covered by BSA/AML rules, but they do apply, so it’s important to know the lay of the land. Here are some helpful hints* on a few of the basics:
What do the regulations say about remote deposit and money laundering or other prohibited transactions?
In a nutshell, that you are responsible for monitoring suspicious activity just as you would with any other type of transaction, and that failing to take reasonable precautions exposes you to fines and other penalties.
A lot of these are going to be the same precautions you take already: Monitoring account behavior such as the number and type of transactions; verifying the source and destination of funds, etc. Remote deposit just adds a couple of extra wrinkles that you need to keep an eye on. An excerpt from the FFIEC’s official guidelines reads as follows:
The financial institution should evaluate potential risks and regulatory requirements under Bank Secrecy Act laws and regulations when designing and implementing RDC. The institution should consider whether and to what extent it could be exposed to the risk of money laundering activities as well as its ability to comply with anti-money laundering laws and regulations and suspicious activity monitoring. In particular, the growing use of RDC by foreign correspondent financial institutions and foreign money services businesses to replace pouch and certain instrument processing and clearing activities raises money laundering risks the institution should understand and mitigate. Additional due diligence may be necessary where there is evidence that the RDC capture device is in a foreign location, or when a customer has been otherwise identified as being high risk.
So, this just says that we need to beware of foreign RDC transactions. Does it require us to do anything specific?
That is where it falls on the financial institution to do whatever is reasonably possible to address these risks. When the auditor comes calling, it’s up to you to show that you’re accounting for them.
What about RDC transactions should be scrutinized more closely than with other transactions?
Two issues come up repeatedly in compliance guidelines: The first is that the lack of a physical paper document provides more opportunity for a money launderer (or any criminal, really) to alter, forge, or commit various other acts of check fraud. In the United States, studies have shown that ordinary fraud is not much more likely with RDC than with paper checks; however, for the more sinister types of fraud, it is wise to watch RDC more closely. Possible approaches would include tools such as signature verification software, behavioral analysis, biometrics, and of course, Enhanced Due Diligence (EDD) according to Know Your Customer procedures. (It should be noted that Digital Check is not currently in the business of providing the above services.)
The second added BSA/AML risk with remote deposit is that someone other than the original customer is the one actually using the account. In other words, if the person who you think is using your RDC service is a tire shop owner in Phoenix – but the account is really a front for a South American drug cartel, who’s taken the scanner across the border and used it to send money from another country – it’s not necessarily going to be easy or quick to figure that out.
Do the regulations say we NEED to use geolocation?
Not at all. Just that it would be wise to verify the identity of customers using the service. For example, page 211 of the FFIEC’s BSA/AML Examination manual recommends:
So, the official guidelines point out that a change in physical location is something to look out for, and the requirement is simply to “Implement additional monitoring or review.” What does that mean?
Some banks we’ve talked to accomplish this with periodic visits to the customer’s physical location – a method that’s certain, but can obviously only be carried out infrequently. What geolocation does is provide a way to continuously monitor a device’s position, so problems are detected in real time, and can be acted upon immediately.
Have banks actually been penalized and fined under the BSA/AML rules for their RDC processes?
Yes, there have been a number of such events, including two high-profile cases that caught the attention of a lot of people in our space. One major bank was hit with an $8 million fine by the OCC and FinCEN in 2011, partly over monitoring of RDC transactions involving foreign correspondents. Another major national bank took a $50 million penalty and $110 million in forfeitures from the OCC, FinCEN and DOJ, also triggered in part by foreign RDC transactions. Publicly calling out the individual banks for missteps is not the point of this article; if you’d like, you can read more about the above incidents here. Several other banks large and small have been slapped with warnings and cease-and-desist orders over similar remote deposit problems.
What’s important to notice here is that BSA/AML penalties can and do happen as a direct result of RDC activities. And you don’t have to be deliberately facilitating illegal transactions or turning a blind eye to suspicious activity – just not paying close enough attention – for it to turn into a fine you can’t afford.
What about your own bank’s compliance requirements?
Many bank compliance departments require the treasury team to do annual onsite audits of their RDC customers to verify that they are still conducting business from the registered location with the bank. These visits can be time consuming and costly to the bank, especially with small businesses that have limited opportunities for additional services with the bank. Advisor can help the bank to meet these compliance requirements by verifying that deposits are coming from the location that the business registered with the bank. It may also prompt a phone call or visit to the business should the deposit location change. This can be a tremendous cost savings to the bank.
* The statements contained on this page are intended to be helpful but informal commentary, and should not be confused with official legal or regulatory advice. When in doubt about the legality or necessity of any operational procedure, please consult with your attorney, compliance officer, or appropriate regulatory agency.
|More on AML Regulations and Guidelines
FFIEC: BSA/AML Examination Manual
Want to know more? Contact us or schedule a demo: