Remote Deposit Capture: Is Fraud Risk Remote?
Over the past year, we've discussed the risks involved in remote deposit capture (most recently here) and that financial institution regulators expect banks that offer RDC to customers to examine, underwrite, and educate customers who use this service, in order to minimize those risks. According to a recent article in The American Banker (paid subscription required), thus far, "community banks play it safe. Some say too safe."
The banks' main concern is getting burned by check fraud. To forestall that risk, the first customers a community bank typically offers the deposit scanners to are those that have had long-term relationships with the bank.
Though this approach can be effective in retaining valuable customers, it is not going to win much new market share, said Bob Meara, a senior analyst at Celent LLC, a Boston financial research arm of Marsh & McLennan Cos.
"A great deal of banks are inherently defensive in their use of remote deposit," he said. "But there are huge lost opportunities in being so passive in today's environment."
The article confirms what I've been seeing as the standard approach to business customer screening (I've not been involved with a bank that offers the service to consumers): evaluating potential customers as if they were borrowers, using the merchant services guidelines of Visa and MasterCard to evaluate the business customers, and onsite inspections of the customers' operations. The banks also will, if they think it necessary, "train" customers not only on check scanning procedures and the use of the scanners and software, but on the safe handling, securing and disposal of the scanned checks.
What the article does not discuss is that community banks that think through the process and the risks involved will also require specific protections in the contract between the customer and the bank that govern the service, often as part of a treasury management services agreement. Some banks are also requiring a special guaranty of the obligations (including indemnity and hold harmless obligations) of the customer to the bank under the appropriate agreement, if the bank's underwriting standards would indicate that such a guaranty is appropriate.
The author of the article, David Breitkopf, asserts that "banks are not seeing much fraud involving remote-deposit customers." That certainly appears to be true. However, that may be (a) a testament to conservative customer underwriting by banks and (b) a justification for banks continuing to "go slow." On the other hand, all this caution rankles critics. Mr. Meara, for one, thinks community banks are being "overly cautious."
All new customers--whether in a bank's market area or not--are risks to some degree, he said, but he argued that offering them remote deposit actually minimizes, not increases, the chances for fraud.
The early capture of images and code-line information lets banks subject checks to fraud systems much faster than the next-day scans typical for teller-presented checks. Fraud suspects, therefore, can be identified and examined before banks must pay on the items, he said.
A customer could accidentally deposit an item more than once, but banks' back-office systems are designed to flag second deposits, he added.
A fraudster could scan a check into one deposit account and then deposit it in another account with another bank. But Mr. Meara said he doubted such a fraudster would have any long-lasting success because a bank would "know who you are, where you are, and when you made this deposit, and what account you made the deposit to. Of the many banks I've spoken to about this, I have not been aware of a single bank who can attribute fraud uniquely to remote deposit capture."
I'll defer to bank IT and operational professionals as to whether or not the ability of a bank's "back-office systems" to flag second deposits justifies a bank being more aggressive in marketing remote deposit capture services. Thus far, from the meetings I've attended, no employee who mans the back office operations of a bank is sticking his or her head on the chopping block.
Complaints about bank caution are also coming from a not surprising source: technology service providers who make money from providing RDC software and/or services to banks.
David Peterson, an executive vice president at Goldleaf Technologies, which offers remote deposit services to banks, said "the needle is moving too slowly" in regard to deploying scanners to customers.
"If they're that high a risk, then the risk is there whether they're scanning the checks at their location or walking into your teller line with a manual deposit," Mr. Peterson said. "Either you have a bad check or bad person, but scanning is a zero-risk issue."
Banks, he pointed out, can do due diligence, train the proper person at an office, then see that person leave the company or the scanner be sent to a distant site. This should not matter as long as checks are secured properly and destroyed about a month after the deposit. The technology's fraud detection capability also should override these risks, he said.
Mr. Peterson said many scanners are set up to conceal checks with red ink across their face so they cannot be resubmitted. He added that banks can also establish their own safeguards, such as initially capping the number of checks and the amounts that could be deposited by a new customer until the bank is comfortable with the customer.
Some of Mr. Peterson's observations may be valid, but I wonder if he realizes how little banks like being lectured about their underwriting practices by their vendors. It builds SUCH good will. As for scanning being a "zero-risk issue," neither the banks nor, more importantly, the regulators, see it that way. Making such bold statements that insult your potential customers and their regulators because they're too stupid to see that Goldleaf Technologies needs to make more money is an unusual marketing approach. I'll have to try that some time, perhaps when I'm ready to retire.
Obviously, there is some risk in remote deposit capture, and such risk is not necessarily analogous to other risks. In other words, Mr. Peterson's implied allegation that what the banks underwrite is solely the likely criminal behavior of the customer is inaccurate. Banks also underwrite the customer's creditworthiness, its understanding of the product, its proper use, and the risk of duplicate deposits, and the systems and safeguards the customer has in place to minimize these risks. Also, the allegation that "the technology's fraud detection capability should override these risks" has thus far proved unconvincing to community bank personnel who have the expertise to make that judgment call. Perhaps Mr. Peterson is right and they are wrong. If so, he'll need to do a better job of convincing them than he's done thus far. Again, in effect calling them stupid is not likely to be successful, in my opinion, but that's merely an opinion, not a statement of fact.
If there's "zero risk" in scanning, and if the RDC technology a vendor sells a bank will override any risks that remain in the process, then the vendor should be willing to warrant its technology to this effect, to agree to fully reimburse a lender that uses the technology for all losses (actual and consequential) that it incurs without any limitation on amount, arising out of a breach of that warranty or the vendor's negligence, and to indemnify and to hold the bank harmless from all third party claims arising out of the breach of the all-encompassing warranty or the negligence of the vendor. Hey, the product's "zero risk," so what's the problem?
As the technology continues to improve and, more critically, as banks gain more experience with the product and in the actual occurrence (or paucity) of fraud, banks may very well overcome their initial cautious approach, and regulators may ease their preference for "strict underwriting." However, notwithstanding the critics, it doesn't appear that this product will be adopted with the rapidity that vendors would prefer.




