Federal Financial Institutions Examination Council Bank Secrecy Act/Anti-Money Laundering InfoBase
Bank Secrecy Act
Anti-Money Laundering
Examination Manual


Electronic Banking—Overview

 

Objective. Assess the adequacy of the bank’s systems to manage the risks associated with electronic banking (e-banking) customers, and management’s ability to implement effective monitoring and reporting systems.

E-banking systems, which provide electronic delivery of banking products to customers, include automated teller machine (ATM) transactions; on-line account opening; Internet banking transactions; and telephone banking. For example, credit cards, deposit accounts, mortgage loans, and funds transfers can all be initiated on-line, without face-to-face contact. Management needs to recognize this as a potentially high-risk area and develop adequate policies, procedures, and processes for customer identification and monitoring for specific areas of banking. Refer to the core examination procedures, "Customer Identification Program" (CIP), page 52, for further guidance. Additional information on e-banking is available in the FFIEC Information Technology Examination Handbook.

Risk Factors

Banks should ensure that their monitoring systems adequately capture transactions conducted electronically. As with any account, they should be alert to anomalies in account behavior. Red flags may include the velocity of funds in the account or, in the case of ATMs, the number of debit cards associated with the account.

Accounts that are opened without face-to-face contact may be a higher risk for money laundering and terrorist financing for the following reasons:

  • More difficult to positively verify the individual’s identity.
  • Customer may be out of the bank’s targeted geographic area or country.
  • Customer may perceive the transactions as less transparent.
  • Transactions are instantaneous.
  • May be used by a "front" company or unknown third party.

Risk Mitigation

Banks should establish BSA/AML monitoring, identification, and reporting for unusual and suspicious activities occurring through e-banking systems. Useful management information systems for detecting unusual activity in high-risk accounts include ATM activity reports, funds transfer reports, new account activity reports, change of Internet address reports, Internet Protocol (IP) address reports, and reports to identify related or linked accounts (e.g., common addresses, phone numbers, e-mail addresses, and tax identification numbers). In determining the level of monitoring required for an account, banks should include how the account was opened as a factor. Banks engaging in transactional Internet banking should have effective and reliable methods to authenticate a customer’s identity when opening accounts on-line and should establish policies for when a customer should be required to open accounts on a face-to-face basis. Banks may also institute other controls, such as establishing transaction dollar limits for large items that require manual intervention to exceed the preset limit.
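One way to build the related or linked accounts report described above, as an added example that is not part of the FFIEC manual: accounts are grouped when they share a normalised e-mail address, phone number, tax identification number or address, directly or through a chain of other accounts, and each group records how many of its accounts were opened on-line. The field names, the sample records and the normalisation rules are assumptions made for the illustration.

```python
import re
from collections import defaultdict
# Constructed sample records; field names and values are assumptions for this example.
ACCOUNTS = [
    {"id": "A1", "opened": "online", "email": "J.Doe@Example.com",
     "phone": "(555) 010-0001", "tin": "00-0000001", "address": "12 Elm St."},
    {"id": "A2", "opened": "online", "email": "j.doe@example.com",
     "phone": "555-010-0002", "tin": "00-0000002", "address": "98 Oak Ave"},
    {"id": "A3", "opened": "branch", "email": "ops@example.net",
     "phone": "555 010 0002", "tin": "00-0000003", "address": "7 Pine Rd"},
    {"id": "A4", "opened": "branch", "email": "solo@example.org",
     "phone": "555-010-0004", "tin": "00-0000004", "address": "1 Main St"},
]
FIELDS = ("email", "phone", "tin", "address")

def normalise(field, value):
    """Reduce formatting differences so equal identifiers compare equal."""
    value = value.strip().lower()
    if field in ("phone", "tin"):
        return re.sub(r"\D", "", value)           # keep digits only
    return re.sub(r"\s+", " ", value)             # collapse runs of whitespace

def linked_account_report(accounts):
    """Group accounts connected, directly or transitively, by a shared identifier."""
    parent = {a["id"]: a["id"] for a in accounts}
    def find(x):                                  # union-find root lookup
        while parent[x] != x:
            parent[x] = parent[parent[x]]         # path compression
            x = parent[x]
        return x
    holders = defaultdict(list)                   # (field, value) -> account ids
    for a in accounts:
        for f in FIELDS:
            if a.get(f):
                holders[(f, normalise(f, a[f]))].append(a["id"])
    for ids in holders.values():                  # merge every holder of one value
        for other in ids[1:]:
            parent[find(other)] = find(ids[0])
    groups = defaultdict(lambda: {"accounts": set(), "shared": set()})
    for a in accounts:
        groups[find(a["id"])]["accounts"].add(a["id"])
    for (f, _), ids in holders.items():           # record which fields caused links
        if len(ids) > 1:
            groups[find(ids[0])]["shared"].add(f)
    opened = {a["id"]: a["opened"] for a in accounts}
    return [{"accounts": sorted(g["accounts"]), "shared": sorted(g["shared"]),
             "opened_online": sum(opened[i] == "online" for i in g["accounts"])}
            for g in groups.values() if len(g["accounts"]) > 1]
```

In the sample, A1 and A3 have no identifier in common but land in the same group because each shares one with A2, which is the case a pairwise comparison report would miss.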

Remote Deposit Capture

Remote Deposit Capture (RDC) is an emerging technology that has made processing checks and monetary instruments (e.g., traveler’s checks or money orders) more efficient. In broad terms, RDC provides a means of depositing checks into a bank account by scanning the checks and then transmitting the scanned or digitized image to a financial institution. This eliminates the need for face-to-face contact that results from in-person deposits, and reduces the cost and volume of paper associated with physically mailing or depositing checks or monetary instruments. Because the hardware needed to facilitate RDC transactions can be expensive, customers using the service are primarily business entities, although some banks also offer remote deposit services to their foreign correspondents.

Risk Factors

RDC may expose banks to various risks, including money laundering, fraud, and compromised transmission of financial data. Inadequate controls could result in the transmission of fraudulent monetary instruments, exposing the bank to financial and reputational risks. Because RDC equipment is located outside of bank facilities, data and hardware security issues may increase.

Risk Mitigation

Management should develop appropriate policies, procedures, and processes to mitigate the risks associated with RDC services and to effectively monitor for unusual or suspicious activity. Examples of risk mitigants include:

  • Creating RDC customer parameters, which may include a list of acceptable industries approved for RDC services, standardizing underwriting criteria (e.g., credit history, financial statements, ownership structure of business, types of business customer), and setting maximums for large dollar items.
  • Obtaining expected account activity from the RDC customer, such as the anticipated RDC number volume, dollar volume, and type (e.g., payroll checks, third-party checks, traveler’s checks).
  • In contracts, requiring RDC customers to retain, protect, and ultimately destroy original documents. This may also include requirements that the RDC customer provide original documents to the bank when needed to facilitate investigations related to unusual transactions or poor quality transmissions, or to resolve disputes.
  • Additional monitoring or review when significant changes occur in the type or volume of transactions, or when significant changes occur in the underwriting criteria that the bank relied on when establishing RDC services.
  • Ensuring that RDC customers properly secure equipment and prevent inappropriate use, including establishing effective equipment security controls (e.g., passwords, dual control access).
  • Using improved aggregation and monitoring capabilities as facilitated by the digitized data.
