CMS Case Study

Cloyd Bank and Trust Risk Assessment Summary 2020-2021

Audit Area

Remote Deposit Capture (RDC)

Definition (score range)

Risk Factor

Score

High (21-30)

Moderate (11-20)

Low (0-10)

Rationale

Remote Deposit Capture (RDC) is subject to multiple laws and regulations, including Regulation J, UCC codes, the Bank Secrecy Act, NACHA rules, the Gramm-Leach-Bliley Act, and interagency guidance. Additionally, RDC has experienced greater regulatory scrutiny as examiners continue to focus on RDC compliance matters.

Regulatory requirements are limited to low-profile regulations and law issues that warrant action but have significantly lower levels of risk. Impact on accurate, timely financial reporting is minimal. Likelihood of material financial reporting effect is negligible.

Significant regulatory requirements are evident; however, regulatory expectations are clear, seasoned, and considered routine. Violations, if any, will be technical in nature. Material financial effect is possible; however, activity is routine and noncomplex and errors would be readily evident in normal operations.

Potential violations of high-profile regulations with potential fines, legal liability or costly corrective action are possible. Material financial misstatement is possible due to incorrect handling of infrequent, complex transactions or estimates. Critical management decisions may be based on these financial areas.

Compliance

17

RDC presents a higher risk to the Bank when scanners are utilized at customers' locations because the capture process is outside of the Bank's direct control. Similar to typical deposit transactions, the nature of the transactions is such that significant errors could result in a material effect on the financial statements. Also, certain fraud risks are elevated in an RDC environment. For example, check alterations may be more difficult to detect when deposited items are received through RDC and are not inspected by a qualified employee. Also, forged or missing endorsements and other counterfeiting techniques may be less easily detected in an RDC environment. Duplicate presentment of items also poses an increased risk. However, the Bank's RDC software (CCX - Commercial Capture Xpress by FIS) employs a duplicate check detection system in an effort to ensure that items are not deposited more than once. With RDC scanners in place at customers' locations, the Bank is exposed to multiple risks from the point of initial capture, including the risk of faulty equipment, inadequate training of the customers' employees, poor image quality, and inaccurate electronic data. Also, ineffective controls at the customers' location could lead to intentional or unintentional alteration of deposit item information, re-submission of an electronic file, or re-deposit of physical items. Inadequate segregation of duties could also exist at the customer's location. Customers' document management procedures and information security also pose risk. As noted above, a duplicate check detection system has been implemented. The system is configured with enhanced levels of security related to customer login and passwords. Additionally, the Bank's RDC customer agreement helps to protect the Bank from other risks associated with RDC. Currently, the Bank has 51 RDC customers using the service with 78 accounts.

Nature of Transactions

18

Noncomplex systems and operations are seasoned, with well-established backup routines.

Seasoned and complex manual or automated systems are important to management decision making or product delivery; however, collaborating or alternative back-up systems exist.

Complex manual or automated systems are new, critical to management decision making, or important to product delivery.

Nature of Operations

18

Controls are nonexistent or known to be weak.

There is no basis for control assessment, or they are thought to be weak. Minor changes since last audit are anticipated this year.

Controls are strong or adequate.

The most recent internal audit resulted in two recommendations. The Bank has updated their entire treasury management program and is in the process of implementing the updates.

Internal Controls

15

Major changes since last audit are anticipated this year or not recently reviewed.

No changes since last audit are planned this year.

The Bank is in the process of implementing updates to the treasury management program, which includes RDC. The volume of RDC customers and their transactions has gradually increased over the past year and is expected to continue to increase at a steady rate.

Changes to systems, processes, or procedures

15

Management lacks experience or places low priority on internal controls.

Management has average experience.

Management is experienced and has high priority on controls.

The Treasury Services Manager responsible for RDC continues to gain experience. The Compliance Department is involved in monitoring RDC and assisting the Treasury Services Manager in establishing proper procedures and processes. There is an elevated risk in this area because the progress to address findings is ongoing.

Management

15

98

Risk Score
