The Green Sheet Online Edition
October 12, 2009 • Issue 09:10:01
How to leverage available technologies to manage risk and prevent fraud in RDC
Editor's Note: This story was published by RemoteDeposit Capture.com Aug. 19, 2009; reprinted with permission. (c) 2009 RemoteDepositCapture.com. All rights reserved.
While good risk management tools are available, few organizations currently use them effectively. As with many new technologies or services, skeptics abound, and sometimes irrational fear of risk or loss may prevent us from fully recognizing potential advantages and benefits. This very issue has seemed to plague the remote deposit capture (RDC) industry since its inception in 2004.
To this day, the perceived risk of RDC has prevented many financial institutions (FIs) from realizing the benefits of RDC, and we constantly receive questions about risk and fraud in RDC.
Thus far, actual losses to FIs that can be contributed at least in part to RDC have been negligible. The primary reason we feel risk is largely overblown lies in the misperception that RDC as an entirely new service (in accordance with the Federal Financial Institutions Examination Council Guidance released on Jan. 14, 2009) built upon new processes and new technologies.
RDC processes and technology are not entirely but rather largely, improvements to systems, processes and technologies that have been used to clear hundreds of Trillions (yes, with a T) of dollars over the past decade alone. In short, RDC is built upon trusted, well-tested and reliable technologies and processes. (This article focuses upon RDC technologies; legal issues such as agreements are a completely different issue.)
The technology that enables merchant and corporate RDC is scanner technology to capture an image of the check. RDC uses desktop scanners that employ both image cameras and magnetic ink character (MICR) readers (in most cases), and, yes, they could be used to perpetrate a fraud. If you think about it, simply by using a scanner, a photo editor and/or a page design system a fraudster can generate a check.
The check can include all of the elements to allow it to be read by a check scanner (reading the MICR line in optical character recognition and/or with a magnetic ink cartridge) and be transmitted to the bank for deposit. In any form of RDC where the bank of first deposit (BOFD) and the paying bank are relying on an image for clearing and settlement there need to be other ways to identify the check as being real and means to mitigate the risk in case it is not.
While there is no substitute for customer due diligence and regular KYC (know your customer) policies and procedures, FIs should complement this process by tying their KYC information to the technical tools at their disposal to effectively mitigate RDC risk.
If the business being set up has been scrutinized and a risk category or number has been provided (for example, risk number based on an analysis of the type of business, credit score, size of business, longevity with the bank, transaction and balance history, return/reject overdrawn history, location, etc.) that should be used as the basis for the model to determine the parameters and settings that need to be established to mitigate risk.
RDC systems technologies have the ability to analyze an item being presented before it is accepted as part of a deposit. The features and capabilities vary by vendor, but here is a variety (or samples) of parameters that should be monitored for an item, a deposit and - by collection of the information in a database - for longer periods of time to develop trends. Examples include:
- Dollar amount of the item: It should be set by account and based on history of that account or what is expected as a maximum item. It doesn't mean that the item is rejected if it exceeds the amount established but that it is reviewed at the FI and questioned if there is a concern. This will also prevent processing items that may have been misread by the scanner and the associated software that reads the courtesy amount recognition (CAR) and the legal amount recognition (LAR).
- Dollar amounts of deposits: Thresholds should be established per day, per period (week, month etc.).
- Availability schedules: Availability should be based upon the risk involved with the item and the customer. Availability might be extended for new accounts and accounts with credit or transaction history issues, for items exceeding certain thresholds, etc.
- Volume of checks received: Thresholds should be established per day, per period (week, month etc.).
- Image quality and usability analysis: Determine the presence and the ability to read the payee, payor, CAR, LAR, date, signature, MICR and endorsement, and establish variable parameters for setting a review or rejection.
- Negotiability factors: Payee should match account holder name; third-party check rules apply.
- Alterations: These include alt-ered or manually entered items that modify what was captured by the scanner.
- Pattern analysis: When during the month the majority of deposits arrive (property management etc.), times of day and days of the week when deposits are received, number of items reviewed and number of items rejected and why.
- Source of deposit by client, location and user: The parameter to set up a user and the privileges assigned is critical, for example, the ability to set up a user and to say the hours of deposit, days of deposits and location. In some instances it may be a best practice to require an approval by a supervisor before a deposit can be sent to the FI.
- Cross channel duplicate detection: Automated clearing house, RDC (branch, image cash letter, correspondent, ATM, merchant, corporate), operations (incoming).
- Exception database: This is for items to be reviewed based on experience or regulation, including routing numbers, account number of check and missing items (serial number).
These are some of the items that can be looked at to minimize the risk at the point of entry. (I hope we hear from you if there are others you think should be included in this list.)
One of the many advantages of RDC is the electronification of the payment. The receipt and the processing now can be modified in real time based on a rule, a flag or warning generated in the receipt and analysis of a deposit or item.
This ability to have different workflows that can be set up to allow for additional manual review or comparison against regulatory and exception databases, and then be processed based on the decisions made during the workflow, will improve the risk assessment and mitigation process within the FI.
This process can also be of great value and importance to corporate or merchant customers. Most RDC agreements between financial institutions and their customers place the ultimate financial risk upon the end user.
It is only logical to assume that if the customer is assuming the risk (via legal agreement), that customer will value the ability to manage that risk.
Examples of this would be where workflows are exercised by the FI's customer to minimize risk before the deposit is sent to the FI.
This approach can be seen today in merchant processing applications where an item is sent to be verified before being sent for deposit; or in a brokerage houses where a payment is reviewed by the firm's internal processes before being accepted and before going to the FI.
The BOFD has its role in minimizing fraud in RDC, but so do the paying bank and the services it offers to its corporate clients through their cash management practice.
Positive pay (an automated fraud detection tool) is still one of the best ways for a business to mini-mize the potential for fraud, and positive pay's use with the advent of Check 21 and image processing can be argued as being more central and important than ever.
The RDC process and system itself is the best protection against fraud because the technology used in image capture is so ubiquitous that it cannot be limited, and the RDC process will have to add the controls necessary to allow us to develop effective deterrents. Look at your RDC system. Are you taking advantage of the tools it offers? We have heard of instances where the parameters are getting in the way, so they have been turned off or set so high as to be meaningless. Use the tools provided, be confident in your process and expand the roll out of RDC to your customers.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.