Pub. 2 2011 Issue 1

Spring 2011, page 17

not have to worry about the controls since it was not at their location and under their direct control. The bank must include in its risk assessment process how the Merchant Capture solution was implemented. Depending on how the Merchant Capture solution was implemented, the bank’s risk assessment may have to include not only their own information technology systems, but also those of other third-party service providers and customers. A couple of areas that should be considered include Confidentiality of Nonpublic Personal Information and Operational Risks.

Confidentiality of Nonpublic Personal Information. When implementing the remote deposit capture solution, the requirements under the Interagency Guidelines Establishing Information Security Standards must be considered. In the traditional deposit taking environment, the focus was on the controls at the bank and their employees. When Merchant Capture is considered, the bank may have to include the controls at their customers including:

• Network security settings
• Security of the solution utilized by the customer
• Encryption
• Reentry and repair
• Physical security controls
• Controls over and methods of destruction of original transactions
• Customer employee training
• Regulatory changes

Operational Risks. The operational risks that are introduced with the implementation of Merchant Capture should also be understood.
Some of these risks include:

• Errors – Increased risk of errors due to being new to the process, absence of detective controls, diligence or lack thereof of customer employees (do they understand the importance of the transaction)
• Security – IT equipment and infrastructure (including firewalls, intrusion detection systems, intrusion prevention systems), retention of original documents including policies, destruction policies including how documents are destroyed and how frequently, confidentiality of nonpublic personal information as noted previously, logical access controls, employee turnover and employee separation controls and procedures, disgruntled employees
• Technological – Faulty equipment, compatibility issues including upgrades to the remote deposit capture solution, patch management policies and procedures, anti-virus policies and procedures
• Natural – Interruption of services including transaction processing (timely postings, duplication of postings, missing postings), contingency planning
• Fraud – Check alteration, segregation of duties, duplicate presentment, identity theft

Risk Assessment. How do you address these and other potential risks? The level of the risk assessment and controls to address the identified risks will be dependent on the solution in place and the scope of the implementation. The risk assessment should involve the potential stakeholders of the solution, which could include personnel from multiple areas and third parties, depending on the complexity of the solution. Assuming the risk assessment supports the conclusion that the risks associated with remote deposit capture can be mitigated, measured and monitored, the appropriate risk management policies should be implemented. As in any risk assessment process, the mitigating controls, tolerance levels, stakeholders, direction of risk and source of risk should be considered.
Areas that may need to be considered by the bank to address the risk include:

• Customer due diligence and suitability – customers should be qualified based upon specific pre-defined guidelines that conform to the bank’s risk tolerance for the service.
• Vendor due diligence and suitability – proper controls in the selection and ongoing monitoring of solutions from third parties should be followed to assess the solutions in place by the bank.
• Training – Customer training should be conducted on a periodic basis. Without proper training, customers may not understand the importance of their role in managing the risks, processing errors, unauthorized activity and privacy of nonpublic personal information. Periodic training is recommended to address changes in regulations, best practices and employee turnover.
• Contracts and agreements – The bank should consider developing and using a strong contractual agreement with their customers that includes provisions between the bank and their customer. The contract should address the roles and responsibilities of each party, record retention, termination clause, laws and regulations, etc. The bank’s legal counsel should be consulted when developing and monitoring customer contract agreements.

Conclusion. Merchant Capture provides banks with opportunities to provide additional services to their customers with the possibilities of increasing efficiencies and reducing processing costs. With the growing trend in the utilization of Merchant Capture, it is important to identify and address the risks introduced with the service and the different method of delivery of customer deposit transactions. An effective risk assessment for the service can be used to identify the significant risks and provide the bank with the tool to develop the appropriate controls to mitigate and monitor the risk of using the Merchant Capture service.

Chris Joseph is a Member of Arnett & Foster, P.L.L.C., Certified Public Accountants, in Charleston, West Virginia. A Certified Public Accountant and Certified Information System Auditor, Mr. Joseph has over twenty-five years' experience in information technology audit and security services in the financial institutions industry. Mr. Joseph can be contacted at 800-642-3601 or through email: chris.joseph@afnetwork.com.

Merchant Capture — continued from page 16
