Jay Butler, Senior Technical Consultant
With the passage of Check 21 in 2004, financial institutions (FIs) have been racing to establish competitive advantage through products like Branch Capture, Teller Capture, ATM Capture, Consumer Capture, Merchant Capture, and even Mobile Capture. Recent economic challenges have accelerated the proliferation of Remote Deposit Capture (RDC) because many FIs have homed in on RDC as a method to grow core deposits. The driving forces of consumer convenience and business profit are the same forces that slow the development and implementation of strong security. Tight security controls are neither cheap nor convenient for the business or the consumer, so security often lags behind. I hope this brief article will increase awareness about RDC compliance, because the new fervor around RDC is sure to perk up the interest of auditors in 2010.
Remote computing as a whole may be the weakest component of your IT security posture because it involves activity that occurs outside the fortress of security layers deployed locally on your network. Remote computing is commonly thought of as an employee who occasionally carries a laptop home and uses a VPN to reach private network resources. Armed with full disk encryption, corporate-owned laptops protect data from theft. Laptops benefit from the same security as desktops when they are directly connected to the private network, and security layers such as antivirus, critical updates, firewalls, access limits, and complex passwords travel with laptops regardless of location. The problem, as we know, is that not all remote computing is performed on corporate-owned laptops.
Remote Deposit Capture, and more substantially RDC products like Merchant (and Consumer) Capture, introduces an entirely new dynamic. Unlike laptops, the remote machines that scan images for Merchant Capture exist permanently outside the corporate network, in the hands of customers who probably lack IT security expertise and focus. Without some kind of monitoring, financial institutions have no way of knowing the condition of these RDC machines. Is your financial institution at all responsible for their security? The FFIEC guidance (http://www.ffiec.gov/pdf/pr011409_rdc_guidance.pdf) issued in February of 2009 suggests the answer is yes, as the document’s focus is on customer locations. Here are a few excerpts from the guidance to that effect:
Risk Management: Risk Assessment
- In general, implementing RDC in the institution’s backroom operations may present less risk and complexity than deploying RDC at remote locations, such as customers’ business premises or homes, where the capture process is outside the direct control of the institution.
- Depending on how RDC is implemented, the financial institution’s risk assessment should include its own IT systems as well as those of its third-party service providers and RDC customers.
- Senior management should understand operational risks and ensure that appropriate policies, procedures, and other controls are in place to mitigate them, including physical and logical access controls over RDC systems, original deposit items at customer locations, electronic files, and retained nonpublic personal information.
- Management should consider the confidentiality, integrity, and availability of data afforded by its IT systems and by the systems used by its service providers and RDC customers.
- RDC processes at a customer location expose the financial institution to operational risks from the point of initial capture.
- Ineffective controls at the customer location may lead to the intentional or unintentional alteration of deposit item information, resubmission of an electronic file, or re-deposit of physical items.
- These technology-related operational risks include failure to maintain compatible and integrated IT systems between the financial institution, service providers, and the customer. For example, a customer or service provider may modify RDC-associated software or hardware or fail to update or patch an associated operating system in a timely manner. There also may be risks related to Web application vulnerabilities, authentication of a customer to the RDC system, and encryption used at any point in the process.
- For those RDC systems using the Internet as a communication medium, management should implement multifactor authentication, layered security, or other controls reasonably calculated to mitigate risks.
- In addition, the financial institution should review available reports of independent audits performed at the customer location related to IT, RDC, and associated operational processes.
- Management should ensure that customers receive sufficient training, whether the customer obtains the RDC system from the financial institution or from a third-party servicer.
- A financial institution offering RDC should have sound risk management and mitigation systems in place and should require adequate risk management at customer locations.
- Appropriate technology and process controls should be implemented at both the financial institution and the customer locations to address operational risk. Financial institution management and the customer should implement effective risk measurement and monitoring systems.
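The excerpts above name two concrete customer-location risks that an institution can detect on its own side of the connection: resubmission of an electronic deposit file and re-deposit of a physical item that was already captured. The following is an added example, not part of the FFIEC guidance or the author's article, of how an institution's receiving system can flag both. It keys a whole-file SHA-256 fingerprint to catch byte-exact resubmission, and keys each item on its MICR fields plus amount to catch a re-scanned check, which arrives as different image bytes. All routing and account numbers, file ids and file bytes are constructed placeholders.

```python
"""Duplicate-presentment detection for incoming RDC deposit files (constructed example)."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class DepositItem:
    """One scanned check: the MICR fields plus the keyed amount in cents."""
    routing_number: str
    account_number: str
    check_number: str
    amount_cents: int


ItemKey = Tuple[str, str, str, int]


def item_key(item: DepositItem) -> ItemKey:
    # A re-scanned physical check yields new image bytes but the same MICR fields
    # and amount, so this key, not the file hash, is what catches a re-deposit.
    return (item.routing_number, item.account_number, item.check_number, item.amount_cents)


def file_fingerprint(raw: bytes) -> str:
    # Byte-exact resubmission of an electronic file is caught by hashing it whole.
    return hashlib.sha256(raw).hexdigest()


class DuplicateDetector:
    """Tracks fingerprints and item keys across every file a customer has sent."""

    def __init__(self) -> None:
        self.seen_files: Dict[str, str] = {}      # fingerprint -> file_id first seen in
        self.seen_items: Dict[ItemKey, str] = {}  # item key -> file_id first seen in

    def check_file(self, file_id: str, raw: bytes,
                   items: List[DepositItem]) -> List[Tuple[str, str, str]]:
        """Return (finding, subject, first_seen_in) tuples; an empty list means accept."""
        findings: List[Tuple[str, str, str]] = []
        fp = file_fingerprint(raw)
        if fp in self.seen_files:
            # Every item in a resubmitted file is necessarily a duplicate, so one
            # file-level finding is reported instead of one per item.
            findings.append(("RESUBMITTED_FILE", fp[:12], self.seen_files[fp]))
            return findings
        self.seen_files[fp] = file_id
        for item in items:
            key = item_key(item)
            if key in self.seen_items:
                findings.append(("DUPLICATE_ITEM", item.check_number, self.seen_items[key]))
            else:
                self.seen_items[key] = file_id
        return findings


def run_demo():
    """Three constructed submissions from one merchant: clean, resubmitted, re-deposited."""
    det = DuplicateDetector()
    day1 = [DepositItem("123456780", "000111222", "1041", 25000),
            DepositItem("123456780", "000111222", "1042", 13275)]
    raw_day1 = b"constructed-deposit-file-bytes-day1"   # stand-in for the real file
    first = det.check_file("F-0001", raw_day1, day1)                    # accepted
    resub = det.check_file("F-0001-retry", raw_day1, day1)              # same bytes again
    day2 = [DepositItem("123456780", "000111222", "1043", 9900),
            DepositItem("123456780", "000111222", "1041", 25000)]       # check 1041 re-scanned
    redeposit = det.check_file("F-0002", b"constructed-deposit-file-bytes-day2", day2)
    return first, resub, redeposit


if __name__ == "__main__":
    for label, result in zip(("first", "resubmitted", "re-deposit"), run_demo()):
        print(label, result)
```

The item key deliberately excludes the image hash: a customer who re-feeds the same paper check produces a new image every time, so image-level matching alone misses exactly the re-deposit case the guidance describes. In production the seen-item store would be persisted and scoped per customer, and a finding would route to an exception queue rather than silently reject the deposit.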
The entirety of the FFIEC guidance describes the fundamental components required to practice effective risk management for RDC deployed at a customer’s location. In practical terms for the remote computers, the first step is to gain some kind of insight into their security controls. At a bare minimum, each should have antivirus, a firewall, and current security updates to help thwart common malware. Additional controls such as dual-factor authentication, full disk encryption, intrusion prevention, and user training may also be applicable for high-risk deployments of RDC.
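The insight the paragraph above calls for has to be turned into something auditable: a posture report from each customer machine, evaluated against a baseline that tightens for high-risk deployments. The following is an added example, not code from the article or from any RDC vendor, of that evaluation. The baseline controls are the article's own (antivirus, firewall, security updates); the extra controls for high-risk sites are the ones the article lists; the patch-age and signature-age thresholds, the `PostureReport` shape and the host names are assumptions for illustration.

```python
"""Posture evaluation for customer-site RDC workstations (constructed example)."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Set

# Minimum controls from the article; extra controls it suggests for high-risk RDC.
BASELINE_CONTROLS = {"antivirus", "firewall"}
HIGH_RISK_CONTROLS = {"mfa", "full_disk_encryption", "intrusion_prevention", "user_training"}

# Assumed policy thresholds; "security updates" is judged by patch age, not a flag.
MAX_PATCH_AGE_DAYS = 30
MAX_AV_SIGNATURE_AGE_DAYS = 7


@dataclass
class PostureReport:
    """What a monitoring agent (assumed) reports back about one RDC machine."""
    host_id: str
    customer: str
    high_risk: bool           # e.g. high daily deposit limit; set by the institution
    controls: Set[str]        # controls the agent confirmed are installed and enabled
    last_patch: date          # most recent OS security update applied
    av_signature_date: date   # antivirus signature date, if antivirus is present


def evaluate(report: PostureReport, as_of: date) -> List[str]:
    """Return findings for one machine; an empty list means compliant on this date."""
    findings: List[str] = []
    required = BASELINE_CONTROLS | (HIGH_RISK_CONTROLS if report.high_risk else set())
    for control in sorted(required - report.controls):
        findings.append(f"missing:{control}")
    patch_age = (as_of - report.last_patch).days
    if patch_age > MAX_PATCH_AGE_DAYS:
        findings.append(f"stale:patches({patch_age}d)")
    if "antivirus" in report.controls:
        sig_age = (as_of - report.av_signature_date).days
        if sig_age > MAX_AV_SIGNATURE_AGE_DAYS:
            findings.append(f"stale:av_signatures({sig_age}d)")
    return findings


def triage(reports: List[PostureReport], as_of: date) -> Dict[str, List[str]]:
    """Map host_id -> findings for every non-compliant machine, for the review queue."""
    return {r.host_id: f for r in reports if (f := evaluate(r, as_of))}


# Constructed posture reports for three merchant-site scanners.
SAMPLE_REPORTS = [
    PostureReport("merchant-a-pc1", "Merchant A", False, {"antivirus", "firewall"},
                  date(2010, 2, 20), date(2010, 2, 27)),
    PostureReport("merchant-b-pc1", "Merchant B", True,
                  {"antivirus", "firewall", "full_disk_encryption"},
                  date(2009, 12, 1), date(2010, 2, 1)),
    PostureReport("merchant-c-pc1", "Merchant C", False, {"firewall"},
                  date(2010, 2, 25), date(2010, 2, 25)),
]


def run_demo(as_of: date = date(2010, 3, 1)) -> Dict[str, List[str]]:
    return triage(SAMPLE_REPORTS, as_of)


if __name__ == "__main__":
    for host, findings in run_demo().items():
        print(host, findings)
```

Because the required set is computed from the institution's own risk rating rather than from anything the customer self-declares, a merchant whose deposit limit is raised automatically inherits the stricter control set on the next report. Findings are strings with the measured age embedded so the same output can feed both an exception queue and the audit evidence the guidance asks the institution to retain.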