Shutting Out Fraud

By Chris Costanzo

As check fraud migrates to smaller institutions, banks of all sizes need to share more information with each other.

Check fraud, banks are discovering, is like an air bubble in a hose: push down on one end and the bubble pops up at the other. With the battle against fraudsters going well in the large-bank arena, problems are now cropping up at smaller institutions.

The American Bankers Association's biennial check fraud survey, released last November, shows that the industry overall managed to keep check fraud losses fairly level, even though the number of attempts to foil the system doubled. But closer scrutiny of the survey of 400 banks shows new cracks in the security fortress, namely among community banks, and looming threats that are potentially more insidious than traditional check fraud.

The success that large banks have had in using technology and information-sharing to defend themselves is clearly shifting more of the fraud problem to smaller institutions, which typically don't have the resources and expertise to commit to the fight. But in an industry whose viability depends on public trust and confidence, the large banks will need to expand their information-sharing practices to include grass-roots players.

Such cooperation would also help the industry head off some other looming threats, the two most serious of which are identity theft and fraud stemming from the increased use of electronic transactions. Large and small banks are equally vulnerable to these emerging threats. Big banks must start rounding out their current arsenal for fighting check fraud with measures that address the new menaces. Small banks may have the tougher job, as they need to begin reaching parity with the larger institutions on basic fraud prevention routines first.

"The place to solve fraud will be at the industry level, not at the bank or regional level," says Edward J. Potter, president of PSI Fraud Solutions, a security consulting firm based in Staten Island, N.Y. "It's critical that banks share information."

Banding Together

Check fraud began increasing noticeably in the early to mid-'90s with the emergence of laser printers that simplified the creation of counterfeit checks. Larger banks responded to the challenge by adopting new technologies of their own.

For example, nearly 150 banks have enrolled in a fraud detection system maintained by Dallas-based Carreker Corp. since it was rolled out in 1994. Known as "FraudLink," this software compares account activity with a database of statistically "normal" patterns, highlighting exceptions. In corporate banking, meanwhile, institutions have gotten good results from "positive-pay," a procedure by which companies provide banks with lists of the checks they have issued, virtually eliminating doubt about which checks may be fraudulent.

Large banks have also banded together to share information on fraud detection, beginning with an informal effort by some regional banks in 1995. "Fraud is not a competitive issue," says Robert W. Jones, the director of operating risks at FleetBoston Financial Corp. and a co-chair of the fraud steering committee of the Banking Industry Technology Secretariat.

Since 1998, BITS and the ABA have sponsored a loss-reporting program that evolved from the earlier effort. Thirty-eight banks now participate in quarterly conference calls, conducted by region over the course of two days, in which they share information about the volumes of losses they have suffered in 12 major categories developed and standardized by BITS.

On these calls, bankers also trade tips on techniques for stopping fraud. One bank, for example, recently explained how its use of ultra-violet light detection systems at the teller line had helped identify forged drivers licenses. "Sharing of information is the key to success," says Robin Slade, a BITS director.

Based on the results of the ABA check fraud survey, BITS calculates that banks participating in the loss-reporting program experienced a decrease in check fraud of 3% per account, versus a 1% increase for the industry as a whole. Large banks as a group, in fact, seem to be getting the check fraud problem under control. According to the ABA survey, banks with more than $5 billion of assets were able to stop more than 80% of check-fraud attempts, which dropped their share of total fraud losses to 55%, from 60% in 1999.

Rebuffed by the large institutions, fraudsters have shifted their attention elsewhere. The share of losses at banks with less than $500 million of assets more than doubled during the same period, from 6% to 13%. Community banks stopped only a little more than half the fraud attempted at their institutions, according to the ABA.

Another finding: although the number of check-fraud incidents increased 34% to 600,085 cases in 2001, the average loss per case decreased from $1,518 to $1,163 during the two-year period. This suggests criminals have reduced the amounts on their fraudulent checks to avoid detection, a response to the fact that banks prioritize fraud investigation on checks over a certain limit, usually about $1,000.

"Fraud has become less a crime of opportunity and more a crime of careful planning and multiple attempts," says Potter, a former executive with J.P. Morgan Chase & Co. "Fraudsters are writing more checks against more accounts for smaller dollar amounts."

Tracking Software

Vendors have responded to these trends by designing fraud-detection systems more appropriate for smaller banks. Service bureau providers, who do much of the data processing for small banks, are now offering these systems. And Carreker introduced a PC-based version of its FraudLink system for small banks about two years ago. It plans to offer an application service provider version of the system as well, which would deliver the service cheaply over the Internet, says Paul A. Carrubba, an executive vice president and managing director.

When it comes to information-sharing, however, small banks face some difficulties. On the bright side, the BITS program is open to members of the Independent Community Bankers Association and other small-bank organizations. It costs each institution only $1,000 a year to participate per region, with a maximum cost of $2,000 a year to participate in five regions.

However, few community banks have the resources to effectively track fraud in all its forms and thus are limited in what they can share among themselves. "If you can't give information, you can't participate," says Debbie Teryison, the head of operations and client care at Silicon Valley Bank, a $5.6 billion-asset institution in Santa Clara, Calif. Teryison, in her previous job at San Francisco-based Union Bank of California, helped create the original group of regional banks that began sharing fraud-loss data.

Community banks often can't get a clear picture of the amount and type of check fraud hitting them. While they could purchase "case management" software to support fraud investigation, that can amount to a six-figure expense. Absent a tracking mechanism, executives are hard-pressed to convince upper management that fighting fraud is worth the investment. "It's really tough to get management to spend money on systems that don't generate revenue," Teryison says.

She recommends that community banks use basic database and spreadsheet software to start tracking fraud volumes in the various categories developed by BITS, which include counterfeit checks, forged signatures, debit card fraud, and so on. A lot of work went into developing the BITS categories, she says, "and that information is available to anyone who wants it."

For the typical institution, patterns will start to emerge after about a year of tracking losses, and informed decisions can be made then about the most effective type of fraud-fighting software to purchase. Silicon Valley Bank, for example, spent one and a half years tracking fraud losses before management finally invested about $300,000 in detection software, Teryison says. She expects to recoup the cost of the investment through loss reduction within three to six months.

Bolstering the business case for such investments, fraud detection software can also be used to help an institution meet the requirements of 2001's USA Patriot Act, which increases the obligations of banks to monitor money-laundering activities. The software also has value as a sales tool, since information on where clients have other accounts appears in check kiting reports, Teryison says.

Electronic Drawbacks

Yet even as the industry strives to cope with traditional check fraud, other threats are looming. Identity theft is becoming a bigger problem and electronification — heralded as a means to curb fraud — is proving to have some vulnerabilities of its own.

Fraud through electronic transactions seems almost a misnomer, since much has been made of the security-enhancing potential of innovations such as electronic check presentment and imaging. Both are supposed to help combat fraud by permitting institutions early access to critical check data. And it's true that the benefit of electronics outweighs the negative when it comes to fraud prevention.

But every innovation in payments opens the door to new ways of perpetrating crime. In fact, check fraud today really might be better defined as "deposit-account fraud," to cover the new forms of crime made possible through transactions that go through the automated clearing house and other electronic switches.

It turns out there are genuine drawbacks to not having physical checks available for human inspection. Electronic checks do not carry the physical characteristics — such as special coloring, raised printing, or even smells — that processing staff rely on to detect fraud, for example. Vendors are addressing this problem with systems that let authorized account holders encrypt information, such as the payee name, account number and dollar amount of a check, onto a bar code that appears on the front of a check.

By decoding the information, banks can authenticate the account holder as the originator of the document, and also prove that check information has not been altered. This bar-coded information can be translated as easily from check images as physical checks. "The technology is here," Potter says. "It needs to be integrated into bank processes and merchant processes."

Checks converted to ACH transactions at the point of sale are even more difficult to physically inspect than ECP and image items, since they are immediately handed back to consumers and disappear from the processing stream entirely.

Jane C. Yao, the ABA's managing director of surveys and statistics, says the quarterly reporting program run by BITS and the ABA only began collecting data on ACH fraud last year, and not many banks were able to provide information on it. ACH fraud includes not only fraud that occurs at the point of sale, but also through the telephone and the Internet. NACHA, the Electronic Payments Association, based in Herndon, Va., says the incidence of unauthorized ACH payments was 0.02% in 2001; since this total includes honest mistakes, the amount of actual fraud was probably less than that.

In the case of ACH conversions at the point of sale, banks are concerned that they face greater liability for fraudulent transactions once a check is converted. Under Regulation CC, which covers check transactions, consumers have a window of only 48 hours to dispute a transaction and thus push the cost of a fraudulent transaction onto a bank; under Regulation E, which covers ACH transactions, consumers have a full 60 days to dispute a transaction. "As liability shifts upstream, it's much more important to know your customer," says consultant Potter. "Now there's a real bottom line to it."

The solution, as Potter and others see it, is for banks to work more closely with merchants to share information on fraudsters. In turn, "the best thing for the merchants to do is interact more with each other," Potter says.

That is an extension of a strategy that has worked well for the industry so far. No one disputes the power of sharing information to combat ever more wily criminals. When it comes to fraud, the best defensive strategy is share and share alike. And that applies to banks of all sizes.

Ms. Costanzo is a freelance writer based in Brooklyn, N.Y.

Copyright © 2003 by Banking Strategies, published by BAI.

back to top