The Truth about Santa and Remote Deposit Fraud Risk

  Author: Lee Wetherington, Director of Strategic Insight, lwetherington@profitstars.com

I remember the day I discovered the truth about Santa Claus. I was with my Dad raking pine straw off the roof of our house when I noticed two small holes atop our chimney. Odd, I thought. How’s a big guy with a big bag of gifts going to fit into one of those little holes?

When I put this question to my Dad, he referred me immediately to my Mom. After a little hemming and hawing, she fessed up, and that’s when I began to question everything.

Easter Bunny? Nope. Tooth Fairy? Busted. Big Foot? Big lie.

You might assume that your adulthood minimizes your gullibility. From time to time, however, it’s good to get back on the roof, take a look around, and see whether what you’ve been told checks out.

The Specter of Remote Deposit Fraud: The Cause for Pause

Since the advent of remote deposit capture (RDC) in 2004, we’ve been repeatedly warned about its potential risks, especially duplicate presentment and fraud. The specter of RDC fraud risk, reinforced by compliance fears surrounding the 2009 FFIEC Guidance on RDC Risk Management and the 2010 FFIEC Exam Manual, have had a major and sustained chilling effect on RDC deployments.

According to Aite Group’s recent report, Small-Business RDC: Strategies for Success, while over 55% of U.S. banks offer RDC and 42% of credit unions plan to begin offering it in the next two years, less than 5% of small businesses have RDC. The reason? According to Celent’s State of Remote Deposit Capture 2011, “the FFIEC guidance on RDC risk continues to cause institutions pause.”

Myth Busting

So let’s climb up to the roof to get a better view and truth test what we’ve been told about RDC. Just exactly how much RDC fraud has materialized? According to the Financial Crimes Enforcement Network’s (FinCen’s) latest SAR Activity Review released in October:

• While over 13% of checks are now remotely deposited, RDC items comprise only one tenth of one percent of Suspicious Activity Reports (SARs) related to check fraud, check kiting, and counterfeit checks reported to FinCen between 2005 and 2011. Yes, that’s right, RDC-related SARs comprise 0.1% of all SARs related to check fraud. Or, in other words, 99.9% of SARs related to check fraud stemmed from paper checks that were manually deposited.

• There were “no real differences in the various fraud and money laundering schemes perpetrated through the RDC check deposit channel when compared with the check deposits completed through more traditional means.”

• “Overall, RDC-related filings have been minimal,” and they “comprise a miniscule portion of all check-related bank SARs.”

“Minimal” and “miniscule.” According to the FinCen numbers, remotely deposited checks are actually less fraud prone than paper checks.

But just as you begin to get more comfortable with RDC, along comes a new compliance deadline (January 1, 2012) for the FFIEC’s revision to its guidance on Authentication in an Internet Banking Environment. To comply, financial institutions must identify “high risk transactions” and ensure appropriate authentication controls and security layers are in place.

So, Are Remote Deposits “High Risk” Transactions per the FFIEC?

The new 2011 supplement reaffirms the original 2005 guidance’s definition of what constitutes a “high risk” transaction: “…electronic transactions involving access to customer information or the movement of funds to other parties.” This rather broad definition, if read strictly, doesn’t allow for the very real differences in risk between remote deposits on the one hand and ACH/wires on the other.

Based on conversations with lead examiners, RDC transactions are not as “high risk” as ACH and Wires. Nevertheless, the key is the financial institution’s payments risk assessment and how RDC transactions are qualified in that assessment. Since RDC systems can’t be used to distribute funds (as ACH and Wires can) and since RDC fraud has been “miniscule” according to FinCen, the financial institution could designate RDC transactions as “moderate risk.” As such, for RDC, multi-factor authentication (MFA) and reasonable velocity controls should satisfy the FFIEC guidance without need for additional “anomaly detection” layers.

Understanding, explaining, and stipulating the differences between low, medium, and high-risk payments in your risk assessment is the key off of which examiners will base the rigor of your exam. If you designate remote deposits as high risk as ACH and wires, your examiner will oblige your designation by requiring similar authentication controls and layers across all three payment types, even though such controls/layers may be unnecessary overkill for remote deposits.

Reason and Rooftop Truth

Remember, as long as the risk designations in your assessment can be proven to be “reasonably calculated,” your institution will be in good stead. If your examiner seems to lack reason, however, hand him a rake and head to the roof.

The truth is clearer up there.

Source: Aite Group survey of 291 U. S. small businesses, August 2011