Financial institutions need to take action to manage remote deposit capture risks before fraud losses associated with the technology jump, according to a report by Aite Group.
Banks are losing about $1.4 million annually due to fraud losses related to remote deposit capture (RDC), but as deployment of the technology becomes more widespread, losses could range from $5 million to $10 million annually in just four to five years, the Boston-based research and advisory firm said in its report.
"Now is the time to start thinking of the potential risks and to begin collaborating to manage those risks proactively," wrote Wesley Wilhelm, Aite Group senior analyst and co-author of the report. "Waiting for risks to generate losses sufficient for remediation investments will waste considerable capital."
The report, released Monday, examines the fraud and operational risks associated with RDC and how financial institutions and vendors can manage remote deposit capture risks. RDC allows banking customers to deposit checks from their home or office by scanning a check and transmitting the image to the bank for posting. Aite Group estimates that 300,000 to 350,000 accounts are enabled with RDC capability today.
In an interview, Wilhelm said RDC carries the same risks as depositing paper checks, such as counterfeit checks and kiting, but also introduces new risks.
"Over and above the baseline risks with regular deposits, you've got risks inherent from the fact that the personally identifiable information is digitized," he said. "You've got an information security problem, where you need to make sure those digitized images are protected from being compromised from a fraudster. If a fraudster was able to get a hold of a file with check images, they'd have an invaluable resource to create counterfeit checks."
Internal fraud at the business customer site is another major remote deposit capture risk; an employee of the business could use RDC to facilitate embezzlement schemes, he said. Banks have to rely on their customers implementing separation of duties to combat internal fraud, but that can be difficult for small business clients who don't have many employees, Wilhelm added.
Banks need to be careful in selecting customers as RDC clients and should examine a variety of aspects, including the customer's financial stability and whether they can implement and maintain separation of duties, according to the Aite Group report. Also, customer RDC activity must be monitored on an ongoing basis to manage remote deposit capture risks.
Financial institutions should work together to fight RDC fraud by sharing fraud information, Wilhelm said.
"The fraud scenarios are not that different across banks. … By pooling examples of fraud activity in RDC and examples of non-fraud activity, one can create a robust set of predictions," he said. "So the risk analysts at various banks can proactively and accurately pick which deposits to review."
The collaboration could be leveraged by both in-house and hosted systems, he said.
Wilhelm also recommends development of RDC data security guidelines for RDC customers, based on the Payment Card Industry Data Security Standard, in order to prevent mass compromises of check images and thefts of stored paper checks.