As smartphones and other mobile devices become the norm to hold conference calls, send highly sensitive emails, shop online and more, mobile banking via these devices has also dramatically increased in popularity. With many banks offering mobile apps, it has become fairly easy and common for consumers to scan checks with their mobile devices, and simultaneously deposit that check into their bank account without ever visiting an ATM or bank branch. This unprecedented convenience has led to a series of risks, ranging from outright fraud to unintended errors.
After all, the people scanning deposits or taking pictures of checks on mobile phones are for the most part neither professional photographers nor check-cashing professionals. Picture angles and shadows may affect image quality, which in turn can lead to processing errors.
The Check 21 Act of 2004 legalized the creation of digital versions of paper checks for processing and spells out a variety of rules required for check-imaging. But in mobile depositing, there is one notable difference — the consumer holds onto the check.
Examples of fraud via mobile deposits
In a world where anyone can deposit a paper check and hold on to the original, the risk of fraud always exists. As with any new technology, people are finding ways to “game” the system by depositing a check through a smartphone, and then cashing that very same check at a currency exchange or unrelated bank. In essence, they are double-cashing (or even triple-cashing) a check, leaving the check issuer liable to make good on all three transactions. In certain circumstances, remote devices are being used to deposit checks at multiple financial institutions. Simply put, there is a growing wave of duplicate check presentments which is uniquely enabled through mobile deposits.
This happens because cyber thieves have learned how to intercept check images and present them for deposit at multiple institutions. Additionally, these thieves have mastered processing the same payment through multiple banking channels without detection.
When this happens (and it clearly does), the Uniform Commercial Code (UCC) provides an answer to the proverbial question, “Who is left holding the bag?” The answer, of course, is the issuer of the check, who may in turn have a claim against the person who made the multiple deposits. But such a claim will likely be worthless. Simply put, the UCC needs to be updated to address mobile deposits. And financial institutions need to adopt additional security procedures, such as requiring encryption for check image databases. This is not required today at banks or credit unions, let alone other non-bank depositories.
CONIX Systems has reported that high-volume banks intercept between 40 and 100 duplicate items per every one million payments processed, an increase of more than 1,000 percent since 2006. Once currency exchanges and the like are included in the analysis, the numbers will inevitably increase. According to a recent publication from the Federal Reserve, check fraud (which has been termed “a growth crime”) affects every financial institution, every business and every individual throughout the United States, and costs upwards of $10 billion per year.
One question to consider is whether there is more security today being employed via mobile deposits than existed in previous decades when a window teller with scant training in fraud detection was responsible for screening false items. One advantage in years past was that banks tended to know their customers. Today, anonymity is unfortunately the norm.
Strategies to help reduce fraud
One tactic that financial institutions can employ to clamp down on such fraud is by not offering mobile deposits to all customers for all accounts. By imposing limits, such as a specific length of time an account needs to be open, or imposing financial limits on deposits, the instances of fraud may be minimized. But this does nothing for currency exchanges, credit unions or other non-bank locations where checks can be cashed.
Fraud issues do not disappear simply by requiring that all checks be directly deposited. Identity theft leaves employees vulnerable, which in turn threatens the stability of a company’s workforce. For example, in late 2013, monthly paychecks were stolen from 10 Boston University employees after an Internet scammer obtained usernames and passwords, and changed the direct deposit information for these employees. The same incident happened to a faculty member at Western Michigan University where the school’s system was hacked. The employee’s paycheck was re-routed to a Utah-based bank, and the crime was traced to a computer in New Mexico. Authorities were only able to recover $11.08 of the paycheck, demonstrating a devastating outcome of mobile banking. Such maladies are not limited to universities. AARP magazine reported that between October 2011 and June 2013, $28 million in social security benefit payments were stolen in a similar fashion.
The backside of a check could also provide part of the solution. Paper checks must be endorsed. Requiring specific endorsements, including account numbers for electronic deposits may help mitigate against the risk of double or triple deposits.
Stripped of its veneer, this is a risk management issue. Financial institutions need to balance the customer experience with risk management strategies. For businesses issuing checks, the goal is getting payment to the correct end-user without having to pay multiple times. And for most of us as individuals, the goals are getting and keeping those dollars that are rightfully ours.