IP/RDC Preliminary Risk Assessment and Scope Development

Preliminary risk assessments do not apply to SCUEP defined-scope exams. SCUEP exams include a review of IP/RDC programs in the Transaction Risk tab. For more information, see NCUA Instruction 5000.20, Examination Scope.

The scope of an IP/RDC review depends on:

  • The products and services offered by the credit union,
  • The complexity of operational activity, and
  • Risks related to the delivery of those products and services.

In order to effectively develop the scope of an RDC review, examiners should first identify the credit union’s deposit methods:

  • Mobile capture (computer, tablet, phone, or other electronic device with scanning device)
  • Merchant capture
  • Remote lockbox deposit
  • Teller capture (at each teller station or centralized on each teller line)
  • Branch capture (at each branch location or centralized in back office location)
  • ATM capture
  • Kiosk capture

At a minimum, examiners should consider the potential risks described below when determining the extent of the review of a credit union’s IP/RDC systems.

Step | Potential Risk Impact
Determine if the credit union has physical and logical access controls over paper and imaged checks. | This represents an operational risk if not in place.
Determine if the credit union has adequate internal controls over how and where non-public personal information is captured, transmitted, retained, and destroyed. | This represents an operational risk if not in place.
Determine if the credit union has adequate separation of duties, so that no individual has end-to-end access to the IP and RDC processes together with the ability to alter logical and physical information without detection. | This represents an operational risk if not in place.
Determine if the credit union educates members on adequate document management procedures. | This represents an operational risk if not in place.
Determine if the credit union ensures the safety and integrity of data from the time of receipt until the time of destruction or other voiding. | This represents an operational risk if not in place.
Determine if the credit union maintains compatible and integrated IT systems between itself, its service providers, and members. | This represents an operational risk if not in place.
Determine if risks related to internet application vulnerabilities are identified and mitigated. | This represents an operational risk if not in place.
Determine if the credit union has business continuity planning and testing. | This represents an operational risk if not in place.
Determine if the credit union has any undetected alterations and forged or missing endorsements. | This represents a fraud risk if alterations or forged/missing endorsements are identified.
Determine if the credit union has any undetected cross-method duplication resulting from multiple entry points. | This represents a fraud risk if cross-method duplications are identified.
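The last two steps above concern fraud risks that are visible only in the deposit data itself: the same physical check presented again through a different capture method, or re-presented with a changed amount. The following added example (not part of this guide and not NCUA's code) shows one way a credit union's review could screen a sample of presentments for both conditions by normalising the MICR fields that identify a check. The record layout, the routing and account numbers, and the 90-day look-back window are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Presentment:
    """One check image presented for deposit through a capture method (constructed schema)."""
    channel: str        # mobile, merchant, lockbox, teller, branch, atm, kiosk
    routing: str        # paying institution routing number read from the MICR line
    account: str        # drawer account number read from the MICR line
    check_no: str       # check serial number read from the MICR line
    amount_cents: int
    received: datetime

def check_key(p: Presentment) -> tuple:
    """Normalise the MICR fields that identify one physical check so that the same
    item captured by two different devices compares equal (leading zeros stripped)."""
    return (p.routing.strip(), p.account.lstrip("0"), p.check_no.lstrip("0"))

def find_duplicates(presentments, window=timedelta(days=90)):
    """Flag every presentment that matches an earlier one within the window.

    Returns (original, repeat, cross_method, amount_differs) tuples:
      cross_method   - the repeat arrived through a different entry point
      amount_differs - same item, different amount: a candidate alteration
    """
    first_seen = {}
    hits = []
    for p in sorted(presentments, key=lambda x: x.received):
        k = check_key(p)
        prior = first_seen.get(k)
        if prior is not None and p.received - prior.received <= window:
            hits.append((prior, p, prior.channel != p.channel,
                         prior.amount_cents != p.amount_cents))
        else:
            first_seen[k] = p   # first (or stale) presentment becomes the reference
    return hits

# Constructed sample: check 1042 is deposited by mobile, re-presented by mobile two
# days later, then presented at a branch with an extra zero on the amount.
SAMPLE = [
    Presentment("mobile", "123456780", "000123456", "0001042", 25000,  datetime(2021, 1, 5)),
    Presentment("mobile", "123456780", "000123456", "0001043", 8000,   datetime(2021, 1, 5)),
    Presentment("mobile", "123456780", "000123456", "1042",    25000,  datetime(2021, 1, 7)),
    Presentment("branch", "123456780", "123456",    "1042",    250000, datetime(2021, 1, 12)),
]

def sample_hits():
    return find_duplicates(SAMPLE)

if __name__ == "__main__":
    for orig, rep, cross, altered in sample_hits():
        print(f"check {rep.check_no}: {orig.channel} -> {rep.channel}, "
              f"cross-method={cross}, amount differs={altered}")
```

The key deliberately excludes the amount, so an item that returns with a different amount is still matched and surfaces as a candidate alteration rather than slipping through as a new check.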

In addition to these steps, examiners should consult the EPS Risk Overview job aid and document their findings as appropriate. Examiners should pay particular attention to:

  • Violations of law, regulations, and third-party agreements;
  • Significant issues that warrant inclusion in the exam report; and
  • Potential impact of the observations on the CAMELS and risk ratings.

Examiners may refer to Letter to FCUs 02-FCU-09, Risk-Focused Examination Program, for broad guidance on how to assign risk levels.

The information obtained during the scope development, combined with the level of risk assigned during the preliminary assessment, determines the extent of review necessary to complete an exam of the IP/RDC system.

Last updated October 14, 2021