Good Morning,

I was hoping to get some feedback on limits (if any) that are being enforced for online transactions. Do you limit your customers with dollar amount thresholds for the following transactions?

RDC/Mobile Deposit
Pay a Person (P2P)
Bill Payer
Linked External Accounts (A2A)
Wires
ACH Origination

Do you use a tiered approach? Do you have different limits for consumer and business accounts? If so, what are those limits? If you do not use limits, what other risk mitigation do you have in place for these transaction types. What is your asset size? Thank you in advance for any help you can provide.

Of course, all of these responses depend dramatically on the controls you have in place, and your management should ultimately make decisions but my thoughts are below.
Business RDC - I think soft limits are necessary (in other words, review thresholds). These should be personalized for each client. I think there should be a hard limit (the check will not process) that is institution wide (e.g. we want a teller to personally review and handle any check over $500,000 or $1,000,000)
Consumer Mobile Deposit - I think all consumers should have a standard limit for mobile deposits. Ideally, all deposits should be reviewed by experts (tellers), but that is not possible these days. Setting limits helps manage it though. I think ours is $5,000, but yours should be dependent on what's normal for your clients.
We do not offer P2P so I haven't thought about it much, but I suspect I would be more lenient with this. They have to login to online banking to process the transaction, and I would assume it's only a debit to their account that they are approving. As long as you have adequate online banking identity verification tools, I would be inclined to worry less about this. My opinion here assumes that the debit memo posts to the account the moment they submit the transaction and that your staff know to not give out funds if a memopost shows they're gone. I could also see setting limit simply to prevent unfortunate typos that customers could come back and complain about (to reduce reputation risk).
Bill Pay - same opinion as P2P.
I don't understand the difference between A2A and P2P. If one only involves internal customers, the risk would be somewhat lower internally, but I would still probably have the same opinion.
Wires - For accounts that regularly wire (e.g. business), you should absolutely have limits. These would be personalized to the account. I believe the customer should be involved in setting these and staff should encourage them to set them reasonably low.
ACH - see all of the above. This one has risks like wires, like RDC, and like P2P. ACH origination can get pretty complex, so your other controls really play and important role in deciding what limits are appropriate.