Connect ► twitter| youtube|  Log In ► Members Only  |  Corporate One Safekeeping  |  Search

Electronic payments and remote deposit capture - recognition and risks

By: Jennifer Morrison, VP, Senior Risk Manager

Jennifer MorrisonOctober 21, 2014 -- In keeping with the theme of “creating a culture of compliance at credit unions” for BSA/AML, I want to discuss the recognition and risks associated with electronic payments and remote deposit capture. Electronic payments are ubiquitous, but there are many consumer misconceptions as well as BSA/AML risks associated with electronic payments. The Federal Financial Institutions Examination Council (FFIEC) IT Examination Hand Book InfoBase1 states, “A properly-prepared substitute check is the legal equivalent of the original check and includes all of the information contained on the original check.” But to many consumers, the payment is still somewhat foreign, so they need guidance.

Remotely Created Checks

Tracking return reason codes as a percentage of ACH origination over time will first establish the normal rate of returns for your credit union, allowing you to then determine when you have a spike of activity in a particular code. Combined with the information about the originator, a spike in a return reason code may be grounds for a Suspicious Activity Report if the dollar threshold for filing is met.

Remotely created checks (RCCs) are electronically created payment orders that originate in a paper “check” form. The authorization to debit (charge) a member’s account must be obtained, but the resulting paper item has no signature. In the signature line, there is a printed or typed name or a statement that the account holder has authorized the share draft (or check). The authorization for the RCC occurs via telephone or via the Internet with the member/account owner providing the MICR data from his/her account. RCCs may be processed through check clearing systems or they may be converted and processed as an ACH debit.

Frequent users of RCC technology include:

  • Credit card companies
  • Telemarketers
  • Utility companies
  • Bill collectors

Consumers often mistake RCCs for unauthorized items because the processed items do not resemble their other share draft images and because the image lacks a physical signature on the signature line.

Handling unauthorized RCC transactions depends on the method of processing. In the case of a payment processed via ACH, the re-credit falls under the terms of Reg. E and Uniform Commercial Code (UCC) while, if the payment is processed as a share draft, the re-credit falls under the terms of Reg. CC, Reg. J, and UCC.

The MICR line of a share draft is not protected, nor is it considered private information – after all, we all put our MICR line information out into the world when we write a share draft and put it in the mail or in the hand of a merchant.

Electronic Check Conversion

Electronic “check” conversion (ECC), or electronically created payment orders also known as a “non-check /e-checks,” occurs when a merchant takes payment instructions for goods and services and places them in an electronic template to create an electronic file for processing through check clearing networks. ECCs do not begin with a paper check, but like RCCs, ECCs have no signature. Because ECCs do not originate as a paper “check,” they are governed by Reg. E since they are typically processed via ACH.

ECCs are indistinguishable from signed checks when included in bulk deposits of items that are processed by automated means. In the Federal Reserve Revised Circular 3, the Fed clearly states the financial institution sender of the electronic check file to the Fed is liable for the legitimacy of the items in that file. ECCs are not eligible for collection through the Fed’s check image services, and the Fed has no liability for them. Rather, these items fall under the National Automated Clearing House Association (NACHA) rules.

Corporate One sees RCCs and ECCs returned as “fraud” or “unauthorized” payments every day. While some of the returns may be legitimately unauthorized payments, many are legitimate but mistakenly returned by the member. It is typical of entities that process a large number of payments to use electronic payment methods for expediency and for cost savings. For example, a collection agent tells the customer the payment is due “now” and collects information to process the payment with today’s payment file transmitted to their credit union or bank. When a member states an item is unauthorized, a quick review of the item can often help to remind the member the image is different because he or she may have authorized the payment over the telephone or via the Internet. Further, in the case of an ECC, the member might be looking for an image when none exists.

NACHA has designated specific Standard Entry Class (SEC) codes that specifically designate electronic payments processed via ACH. Telephone-Initiated Entry (TEL) transactions allow for the oral authorization of a single ACH debit to a Receiver’s (member’s) account. Web transactions are Internet-Initiated Entries authorized in writing (via Internet entry) by the member over the Internet. The ability to track ACH activity by SEC code and by return reason code enables credit unions to identify problem originators and potentially suspicious or illegal activity.

NACHA and FinCEN require financial institutions to monitor their ACH returns. Tracking return reason codes as a percentage of ACH origination over time will first establish the normal rate of returns for your credit union, allowing you to then determine when you have a spike of activity in a particular code. Combined with the information about the originator, a spike in a return reason code may be grounds for a Suspicious Activity Report if the dollar threshold for filing is met.

A review of the Department of Justice’s Deferred Prosecution Agreement with Wachovia Bank, N.A. from March 17, 2010, resulting in $160 million in fines tells us what can go wrong with electronic payments. Among the cited infractions, Wachovia maintained account relationships with certain third-party payment processors (TPPPs) for the telemarketing industry from 2003 to 2008. Wachovia processed more than $418 million in RCCs into Wachovia accounts on behalf of the telemarketers. This despite the fact these checks were often returned as “unauthorized” resulting in return rates in some cases that exceeded 40% of the deposited items. Wachovia additionally admitted it failed to conduct appropriate customer due diligence on these TPPPs, delegating most of the responsibility to its business units instead of to compliance personnel.

Remote Deposit Capture

Finally, a discussion of electronic payment processing must not neglect the role of Remote Deposit Capture (RDC). RDC is the digital processing of paper checks/share drafts and monetary instruments at remote locations for deposit and clearing through check (image) or ACH networks. RDC is a delivery system, not a service. RDC includes deposit capture at the teller line and backroom processing, at ATMs, and at member locations. RDC is attractive as a convenient, safe method for handling large numbers of items and/or dollars for deposit for many business members.

RDC conducted at a member location poses a number of legal, BSA/AML compliance, and operational risks to your credit union. First, the member may not have adequately secured access to their RDC equipment and technology, including the data images. The member is also responsible to keep their RDC technology compatible with your credit union's technology to ensure that data files transmit properly. The member is responsible for controls over the physical deposit handling and storage, including proper retention periods. Finally, your member is responsible to conduct due diligence on the customers they serve to protect against money laundering and terrorist financing. To the extent your RDC member fails in any or all of these areas, these risks are transmitted to you. RDC compliance is ultimately your responsibility and part of your examination.

Because of the RDC risks, FinCEN has highlighted these third-party processors and RDC in particular as high risk. High-risk members and activities require you to conduct enhanced due diligence, as has been discussed here in prior Solutions articles.

Managing electronic payments is not only required from a regulatory and legal standpoint, but also results in positive member experiences. Many credit union members may be unfamiliar with how these payments are presented in their statements and in the image archive. Needless returns can be prevented with a little bit of member knowledge, while risks to your credit union can be mitigated through due diligence and monitoring returns activity.