Remote deposit capture carries risk as well as convenience

Banks are rolling out remote deposit capture services to their business customers but shouldn't overlook the risks.

U.S. financial services firms are adopting remote deposit capture (RDC) systems at a rapid clip, but experts say banks should be aware of the information security and fraud risks associated with the technology.

"The back office of a bank is moving to the desktop of a customer so our financial institutions need to understand that since the environment around the processing of that check has changed, you can't treat it the same way," said Dan Fisher, president and CEO of The Copper River Group Inc., a Fargo, N.D.-based firm offering consulting and research services to the financial industry.

Remote deposit capture allows banking customers to deposit checks from their home or office by scanning a check and transmitting the image to the bank for posting. This process was made possible by the Check 21 Act, legislation implemented in 2004 that allows banks to clear checks based on digital images in lieu of paper.

"In the history of U.S. financial services, there's never been a technology adopted faster than RDC," said Bob Meara, senior analyst in the banking group at Celent LLC, a Boston-based research and consulting firm.

In the past year, more than 3,000 U.S. financial institutions have adopted RDC, he said. By the end of 2008, he expects 7,200 institutions will have adopted the technology. RDC was initially reserved for large business customers but has expanded to small business clients; it's not yet in widespread use for consumers, Meara said.

For customers, RDC offers convenience and other benefits like earlier availability of funds, he said. For banks, the practice is a quicker and cheaper way to grow their core deposits.

The benefits don't come without risks, though. According to Fisher, thick client systems that store check images pose one of the biggest information security risks with RDC.

"You have all kinds of financial information there in the form of check images. If that file isn't encrypted and password protected and someone breaks into an office and steals that fat-client desktop, financial information could be compromised," he said. "What you need to do is encrypt that data file and have password protection."

Businesses that have mobile employees using RDC face another point of potential compromise at the desktop level, he said. For example, some businesses issue a laptop with a wireless card to truckers so they can scan checks received after delivery. "That laptop they're using could be compromised or the wireless card can be intercepted," Fisher said.

RDC users need to be aware of the security issues associated with Wi-Fi and deploy encryption and other security software, he said. "Part of financial institutions' due diligence is to make sure users are properly educated about the risks and advise them on how they can safeguard their information. I don't think enough of that is being done."

Patty Hines, research director in the wholesale banking practice at TowerGroup Inc., a Needham, Mass.-based research and advisory services firm, said the information security concerns with RDC are the same as those with any business online banking application: secure data transmission and secure Internet connections. Check images also need to be encrypted and the application should be protected with multifactor authentication, she said.

But the bigger issue Hines sees with RDC is the fraud risk of duplicate check presentment, which can be a result of human error or a thief stealing checks from a business and taking them to a check cashing store, she said.

Most banks require their business customers to store checks for a certain period of time, which means customers must make sure those checks are physically secure, Hines said. Some RDC scanners mark the check on deposit. But that doesn't solve the duplicate presentment problem because banks will request a check be re-scanned if the image quality is poor, she said.

RDC customers can set deposit limits with a bank and RDC software can enforce deposit limits, which will help prevent fraud, Hines said. Also, customers should practice segregation of duties as another layer of security, she advised: "Maybe the bookkeeper scans the checks and the controller actually releases that batch to the bank."

"Credit worthiness" often plays a big role in whether a bank extends RDC to a business customer, she added. "Although a bank has deployed remote deposit capture, there may be certain businesses or business types that they feel are riskier and they may not allow it," she said. "In many ways, it's close to having a credit relationship."

The key concern for a bank rolling out RDC is "know thy customer," said Cary Whaley, associate director of payments and technology policy at the Independent Community Bankers of America. "You need to know your customer really well. It puts a level of temptation on your business customer that a bank needs to monitor."

The easiest place to thwart fraud, he added, is on-boarding of customers. Thoroughly vet customers before providing them with RDC and conduct "relentless monitoring," Whaley said. If a customer starts using the service in a different way or if transactions start popping up from different IP addresses, a bank should see red flags.
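The controls Hines and Whaley describe above (deposit limits, segregation of duties, catching duplicate presentment, and noticing transactions from unfamiliar IP addresses) can be expressed as a pre-release check on a deposit batch. This is an added example, not code from any RDC product or from the people quoted; the field names, the choice of duplicate key, the finding labels and the sample data are all assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class CheckItem:
    routing: str       # bank routing number read from the check
    account: str       # payer account number
    serial: str        # check number
    amount_cents: int

    @property
    def key(self):
        # A re-scan for poor image quality yields the same key as the first scan.
        return (self.routing, self.account, self.serial, self.amount_cents)

def review_batch(items, scanned_by, released_by, source_ip,
                 deposited_keys, known_ips, batch_limit_cents):
    """Return hold reasons for a batch; an empty list means it may be released."""
    findings = []
    if scanned_by == released_by:                      # segregation of duties
        findings.append("same_user_scanned_and_released")
    if sum(i.amount_cents for i in items) > batch_limit_cents:
        findings.append("batch_over_deposit_limit")
    seen_in_batch = set()
    for item in items:                                 # duplicate presentment
        if item.key in deposited_keys or item.key in seen_in_batch:
            findings.append(f"duplicate_item:{item.serial}")
        seen_in_batch.add(item.key)
    if source_ip not in known_ips:                     # change in usage pattern
        findings.append("unfamiliar_source_ip")
    return findings

# Constructed sample data (not real accounts or addresses).
already_deposited = {("000000001", "1111", "1001", 25_000)}
usual_ips = {"192.0.2.10"}
batch = [
    CheckItem("000000001", "1111", "1001", 25_000),    # deposited in an earlier batch
    CheckItem("000000002", "2222", "0457", 480_000),
    CheckItem("000000002", "2222", "0457", 480_000),   # scanned twice in this batch
]

if __name__ == "__main__":
    for reason in review_batch(batch, "bookkeeper", "bookkeeper", "198.51.100.7",
                               already_deposited, usual_ips, 500_000):
        print("HOLD:", reason)
```

Keying duplicates on the check's own fields rather than on the image or the scanner's endorsement mark means a legitimate re-scan and a second presentment look the same to the check, so a flagged item still needs human review.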

For his part, Meara thinks the fraud risk with remote deposit has been overstated. "Even though there was this widely perceived significant risk of fraud from duplicate presentment, in survey after survey, less than one percent of banks have had a problem with this," he said.

He also downplays infosecurity issues with RDC, but Fisher noted that the Federal Deposit Insurance Corporation last December updated its information technology officer questionnaire to address RDC. An executive officer must sign off on the questionnaire.

"Regulators are beginning to insist that executives and boards become more informed and involved in the implementation of technology because of the risks," Fisher said.

Fisher advises financial institutions to seek out a professional before selecting an RDC product.

"Vendors bring a lot to the table, but they're not your only source of information," he said. "You need to talk to other banks that have installed it and hire a professional who knows this stuff. Even though it's an old technology, it's being done in a whole new way and can expose you to a whole series of risks."
