Despite the newest bells and whistles of today’s banking industry, checks remain a common part of the customer experience, and remote deposit capture (RDC) has followed. What risk management strategies should banks consider when offering this convenient service?
By Colleen Morrison
According to the most recent Federal Reserve Payments Study, there were 19.4 billion checks written in 2015, which equates to nearly 60 checks written by every person in the U.S. today. While checks continue to experience a slow decline, with numbers like that, eliminating them from the payments system remains a distant possibility.
However, thanks to check electronification, consumers and businesses benefit from a more streamlined deposit experience. An increasing number of banks offer mobile remote deposit capture, or RDC, because they recognize the convenience and benefits it brings to their customers.
The number of checks written in the U.S. in 2015
“Consumers and businesses have spoken loudly for years that they want more instant, more convenient access to their accounts,” says Rayleen Pirnie, founder and CEO of RP Payments Risk Consulting Services in Orrick, Mo. “Driving to a branch to deposit a $25 check for babysitting is often more hassle than it’s worth, especially for people who live in rural communities. Community banks are positioned to reduce customer frustrations and provide a valuable service that, when appropriately controlled, presents a win-win.”
Yet with this convenience for the customer comes added risks for the financial institution. A decade ago, the Federal Financial Institutions Examination Council (FFIEC) issued guidance on risk management around RDC, advising, “A financial institution offering RDC should have sound risk management and mitigation systems in place and should require adequate risk management at customer locations.”
While that guiding principle remains the same, today’s risks have evolved with the growth in mobile RDC, which affects how community banks evaluate their risk management programs.
Today’s top risk considerations
When discussing mobile RDC risk, banks’ top concern is duplicate deposits. Amendments to Regulation CC support financial institutions in recovering losses when a check has already been paid through RDC, but that loss still hits the banking system overall.
“Unfortunately, the fraudsters caught onto the loopholes in RDC and potentially made a convenient service for our customers a huge risk to the [financial institution],” says Sarah Hitchens, an operations payment specialist with $1.1 billion-asset Heartland Bank in Whitehall, Ohio. “It is much easier and more likely for a bad actor to commit an illegal act behind the safety of their phone rather than in person at a branch. But with strong policies and procedures in place surrounding RDC, this should not be the case at all.”
Outside of the duplicate deposit risk with mobile RDC, the traditional issues of account compromise and check fraud play an important role in planning appropriate risk mitigation procedures. Pirnie recounts one example of the intersection of mobile RDC with a broader fraud attempt. A fraudster was able to load a bank’s mobile app on his phone and access a viable customer account using stolen credentials. He then proceeded to deposit counterfeit checks, in addition to draining the account via P2P payments and mobile wallet payments. The recipients of the funds were retailers and suspected money mules.
Heartland Bank has experienced attempted account compromise relating to mobile RDC.
“We had a customer who deposited three checks via mobile deposit over a four-day period,” Hitchens recalls. “The account was opened in November 2018 and had very little activity over the six-month period. Then, just 10 days past the six-month mark of the account being opened—bam—three mobile deposits. Sure enough, within three days, we received the checks back as fraudulent items.”
Effective anti-fraud strategies
Fortunately for Heartland, the community bank had strong procedures in place that raised red flags around the transactions. “Our policy is to review all mobile deposits over $200 for proper endorsement, and anything over $500 is to be reviewed for general negotiability and analyzed for a possible hold,” Hitchens explains. “This is just one example of how strong risk controls and diligent review practices saved our institution $4,100.61.”
Setting transaction limits can help in containing losses. In fact, RemoteDepositCapture.com recently reported that more than half (51%) of financial institutions have mobile deposit limits between $2,001 and $5,000. But effective mobile RDC risk management extends beyond the transactional to the relational. That’s why banks also are employing strategies to customize limits based on their relationship with the customer, looking at criteria like length of time as a customer, type of account and if there are other products carried with the institution.
“Knowing your customer is key,” says Dal Bolt, a director of education at the Electronic Check Clearing House Organization (ECCHO), a division of The Clearing House, who is based in New York City. “Ensure that the new delivery service, as FFIEC refers to RDC, is provided to a customer who qualifies for the service. It’s a bad idea when the only qualification is having a pulse.”
Community banks can also avoid losses by examining the big picture of how the customer interacts with the institution, including examining daily activity.
“Failure to monitor activity such as new devices, locations of services and overall activity across business lines can lead to significant losses, not to mention compliance risk,” Pirnie says. “Strong internal controls and monitoring are your first line of defense. Reviewing and investigating the account across payment services is your second. Using these appropriately will likely reduce your exposure in this environment.”
In addition, community banks want to take the time to fully understand the RDC indemnity, educate staff on risk, rules and regulations, and work with customers to be the first line of defense by helping them understand how to protect their accounts.
Hitchens has one more must-do for community banks: share successes internally. “Too often when it comes to fraud, we only emphasize the losses,” she explains. “We also find it very beneficial to share with the entire team, including retail staff, when we identify fraud attempts. Sharing characteristics of a check or specific circumstance that triggered further investigation helps to educate and arm everyone.”
By the numbers: Remote deposit capture
- More than 85% of banks in the U.S. offer RDC
- 25% of consumers use a camera on their smartphone to deposit checks
- 58% of financial institutions offering mobile banking services to businesses have active usage rates of less than 5%
Colleen Morrison is a writer in Maryland.