 |
New Wrinkle in Remote Deposit Capture:
Duplicate Check Presentments
By Betsy Didan |
Cyber thieves are stealing the shine off of
Remote Deposit Capture by presenting duplicate
check images to multiple banks. Some estimates
of total duplicate check fraud in the U.S. are
now topping $864 million per year.
Remote
Deposit Capture (RDC) roared onto the banking
scene only five years ago with the promise of
capturing new commercial deposits without
building branches. Early adopters praised the
new technology, claiming it had extended bank
geographic footprints at zero cost.
Security for RDC focused on the bank’s
commercial customers as they scanned the checks
in their deposits. A tight customer agreement
plus careful monitoring of activity seemed to
protect everyone involved. Unfortunately, the
industry didn’t look carefully enough at cyber
thieves who have since learned how to intercept
check images and present them at multiple
financial institutions.
In a recent
incident, a group of Russian criminals broke
into an online check-image database, reproduced
3,000 checks and sent them to money ‘mules’ for
deposit, after which they wired the proceeds to
the thieves. Approximately 1,200 U.S. bank
accounts lost $9 million in total.
Unfortunately, this is just one statistic in a
growing wave of duplicate check presentments. In
2006, banks expected five to seven duplicate
items per million payments processed. Today,
CONIX reports that high-volume banks intercept
between 40 to 100 duplicate items per million
payments processed, an increase of more than
1100%.
The reasons for the increase are
simple: thieves have discovered a few gaps in
the security surrounding RDC and check image
databases. First, the thieves have seen that the
same payment can be processed through multiple
banking channels without detection. Second, the
same check payment can be submitted to multiple
institutions without detection as well.
The big question is: How quickly can a bank stop
a duplicate check? If the duplicate is stopped
at the deposit window, there is no impact. If
the duplicate is stopped at the end of Day 1,
the costs are minimal. If the duplicate is
stopped on Day 2 or later, the cost and time to
rise exponentially while customer trust
plummets.
A further weak point is
unencrypted check image databases. Bank
regulators do not require their check image
databases to be encrypted, and while the NCUA
recommends that such databases be encrypted –
credit unions aren’t required to encrypt them
either. When the machines hosting these
databases are infected by botnets, encryption is
the institution’s last line of defense.
The good news is that most check image
processors do encrypt their databases and
duplicate detection systems are available to
financial institutions. These systems review
check images in two ways: they look for
duplicate items within the deposit, and for
duplicate items in previous deposits. The bank
can set the time frame for how far back the
system will look.
Additional solutions
include aggregators of check image images – such
as check processors, payment clearinghouses, and
consortiums which scan check images from
hundreds of financial institutions and return
items with duplicate MICR lines. An Early
Warning System that scans items at the time of
deposit can do wonders to cut down on duplicate
check fraud.
The ultimate solution will
be ‘live payment’ at the time of deposit. That
is, the check is processed for payment when
deposited, and financial institutions will be
prohibited from process it a second time.
Unfortunately, ‘live payment’ technology
hasn’t taken hold in enough financial
institutions to protect us from duplicate check
images. But with proper vigilance, bankers can
hold the line against duplicate check images and
keep Remote Deposit Capture free of check fraud.
#####
BETSY DIDAN
manages Document Processing for Avon, Conn. -
based COCC, Inc., (www.cocc.com), a 44 year old
firm specializing in outsourced information
technology and support.
|
