Article

Play it Safe

By Yvonne Pesquera

8 minutes

remote deposit capture with a smartphoneConvenience always introduces risk.

Take the automobile, for example. Since the introduction of affordable cars at the turn of the 20th century,  people have been better able to get where they’re going, and there have been countless accidents.

But throughout history, mishaps have spawned discoveries. Today, consumers benefit from major improvements in car safety, such as seat belts and air bags.

Similarly, mobile devices have introduced a new level of personal convenience. But mobile also brings risk—like the ability to “accidentally” deposit a check twice, once digitally and once physically, when remote deposit capture is used.

Solutions for the risks associated with mobile apps and remote deposit capture are still developing, and credit unions are wisely paying attention. Information from a March 20 Bankinfosecurity.com webinar, “Mobile Deposits and Fraud,” suggests that 9 percent of account fraud losses come from mobile deposits.

For example, Railway Credit Union is weighing the balance between meeting the mobile preferences of members while keeping their transactions and the CU protected from fraud.

“We are spending a lot of time researching what is or is not working with other credit unions that currently have the product,” before jumping in, says CUES member Heather Fleck, AVP/operations at the $88 million CU in Mandan, N.D.

Still, convenience continues to be a driving factor for those credit unions offering this service.

“We are using RDC and have been for a little over a year,” says CUES member Doug Wilkerson, president of $108 million RTP Federal Credit Union, Research Triangle Park, N.C. “With only having three branch locations, we like the fact that this service removes the stigma that we aren’t convenient because we don’t have a branch on every corner.”

Notably, convenience—like being able to do everything using a smartphone—is hugely important to members of the younger generation that credit unions must attract to stay competitive.

“Full-featured mobile banking, including mobile RDC, is no longer a nice-to-have feature, it is a requirement if credit unions want to remain relevant, especially with growing, tech-forward younger generations,” asserts Alissa Fry-Harris, director of marketing at CUES Supplier member Bluepoint Solutions, Carlsbad, Calif.

Management of any kind of risk requires identifying and understanding the full nature of the risk, and then enforcing policies to prevent it. So here’s how mobile deposit capture works, and some thoughts about how to manage the associated risks.

RDC and its Risks

Based on a scan of CU websites, it’s fair to say that mobile deposit apps vary. Generally speaking, a member downloads the app onto a smartphone or tablet, opens the app, and taps on the mobile deposit icon. Next, the member types in the check amount (as a means of verification) and indicates the account for deposit.

Typically, the mobile device’s camera is activated. Some apps instruct the member to manually take the photos (front and back of check), whereas other apps prompt the member with an on-screen frame and automatically snap the picture. Before the development of mobile apps, transmitting a check image wasn’t possible. The earliest remote deposit processes included sending in the check later.

Wilkerson says RTP FCU’s mobile deposit feature requires a second enrollment, in addition to setting up the base app. “To use mobile deposit, the member is required to accept a secondary disclosure before the app will enable the feature,” he explains. “So it’s part of the general mobile banking app, but not automatically activated.”

Two fraud risks are emerging with mobile deposits: human initiated fraud and random attacks from malware.

Human initiated fraud is when a member purposely double-draws on the value of a check—either through a second deposit or cashing it. This potential for fraud exists because the member remains in possession of the check after submitting an image of it for deposit. The potential for a double dip is enhanced when CUs have a lag time between mobile and in-house processing.

So a fraudster may be able to deposit the check via mobile from his car in the credit union’s parking lot, then head to the branch and successfully deposit it a second time.

That person’s activity will typically be found out in 24-72 hours. In many cases it will be very hard for the credit union to prove deliberate fraud. The member can easily say it was a mistake. So that then begs the question: Can the CU just reverse the duplicate deposit from the account when it’s discovered?

“We have had this happen a few times,” Wilkerson says. “Each time, we contacted the member to explain what happened. One member was removed from mobile deposit due to usage behavior.”

In other scenarios, the fraudster deposits the check with the CU. But because of unspecified endorsement requirements, the person can then present the same check to a third-party check-cashing service.

The CU is none the wiser about this, until the check issuer cries foul. In that case, it’s not even fraud against the credit union; it’s fraud against the person who wrote the check.

To counter this scenario (which Wilkerson describes as “the greater risk”), RTP FCU requires that endorsements on checks deposited remotely include the words “for mobile deposit.”

“We will only accept a deposit without this wording one time,” he says. “Once warned, we note the account and will reject any and all future checks that do not include those words in the endorsement.”

Another, more arcane risk to mobile deposits is random attacks from malware—which Bankinfosecurity.com reports is growing at a rate of 40 percent.

An example of a particularly disturbing malware is one that captures checking account and routing numbers by taking screen shots of a check deposited via mobile.

“A fraudster’s goal is to capture credentials,” says Ken Jacobi, senior marketing manager for enterprise and financial services at Webroot, which offers a suite of cybersecurity products to protect consumers and businesses from malware and other cyberattacks. Gaining access to a customer’s login credentials or personal checking information could lead to fraud in their accounts that includes unauthorized transactions, transfers, forged checks, dual deposits or sale of the information online.

“Effective endpoint protection (which secures every device on a network) is critical in protecting a user’s online or mobile banking session and their transactions,” Jacobi says.

So how can credit unions get ahead of these issues?

Preventing Problems

“We started our program in January 2015 and really like it and feel comfortable,” says CUES member Sarah Mosley, CEO/president of $311 million Telcoe Federal Credit Union, Little Rock, Ark.

One reason for Telcoe FCU’s high comfort is that it has specific endorsement instructions for members. Each check must state on the back: “For remote deposit only to Telcoe FCU.”

“We are issuing cards with the endorsement requirements and we are adding the date” to what they must put on the back of a check when using remote deposit if the credit union is to accept it, Mosley says. “The addition of the date hopefully will help them (members) manage the copies they will have at home and also, as we suggested, they destroy the checks after 60 days.”

Talking with members about how they can safely use RDC is an important step, suggests Jacobi.

“Risk mitigation tactics include customer education,” Jacobi says. “The challenge is complacency on the customers’ part as well, as they feel protected by the bank (CU).”

Fry-Harris offers Bluepoint Solutions’ top strategies for preventing fraud with mobile RDC:

“The first and best safeguard for the credit union and its members is to set deposit limits,” says Fry-Harris. These limits vary widely by credit union, but are often based on such variables as length of membership, type of account and a third-party risk score.

“The second method of mitigation is to allow the mobile RDC system to compare checks received through the mobile channel to all other checks received through any channel and/or to nationwide shared fraud or counterfeit databases,” she adds. “This is a secondary line of defense.”

Another, longer-term strategy for manag-ing the fraud associated with remote deposit capture is to leverage information about member behavior captured by the app as it is used by members.

According to the article “Fraud Analytics in Retail Banking”, once a fraud technique is identified, the computer system needs to quickly assimilate that information and start looking for the next loophole a fraudster may exploit.

Pressure to Provide RDC

Customer satisfaction rates have placed financial institutions under increasing pressure to roll out such advanced features as remote check deposit. For example in 2014, FICO (Fair Isaac, www.fico.com) found that 82 percent of mobile banking app users are satisfied with their bank, compared with only 71 percent of those who do not use a mobile banking app.

The operational risk comes down to this: Not all remote deposit capture systems are the same. Therefore, some problems can get missed, such as check alteration, forged or missing endorsements, and counterfeit items. As a result, most credit unions prefer to roll out a mobile banking app that is integrated with a remote deposit capture feature, the underlying payment and document imaging solution.

Depending on who is asked, the risk/reward balance for mobile deposits and fraud is either equal or tipped to one side. But just as the lesson of the speedy automobile teaches, risk can always be managed and, in some cases, even reduced.

Yvonne Pesquera is a freelance writer based in Boston.

Compass Subscription