Last week, a Louisville, Ky., man named Boma Robert Spero-Jack caused a ripple in the banking security community by pulling off one of the largest reported cases to date of mobile remote deposit “double dipping,” making off with more than $12,000 in fraudulently deposited cash. The scam itself was a simple one – deposit a series of money orders to a bank account by phone, then take the physical items and cash them out at a local grocery store – yet perhaps surprisingly, no automatic safeguard was in place to stop the scam before it got started.
As others have correctly pointed out, there exists a loophole in the framework of remote deposit that can be exploited by those with dishonest intentions: After depositing a check or money order by RDC, the customer still retains possession of the original document, and there is a brief window in which s/he can attempt to deposit it a second time at a different financial institution, or to exchange it for cash. We believe this is a poor overall strategy for those seeking to commit fraud – in cases like Spero-Jack’s, the duplicate deposits are linked with a personal bank account, and the perpetrator is easily identified – however, the disruption caused can still be significant. Even if an amateur fraudster is caught quickly, it may be impossible to recover the money if he has already spent most of it. And some have expressed serious concern over what might happen if these techniques were employed by an organized “hit-and-run” gang using false identities.
To close the loophole, the obvious solution is a national database that banks could use to identify duplicate items before they enter the clearing process, and indeed, several companies are currently developing versions of such a system. But the soonest any of them is expected to be available is next year, and implementation will take some time, leaving banks and credit unions to fend for themselves in the meantime.
The commonly accepted way for financial institutions to limit their risk is through daily and per-item deposit limits (known in the industry as velocity controls), and nearly every institution using mobile RDC has them in place. This provides a measure of protection against a single ruinous loss, but at the typical limits of $3,000 or even $1,500 per day, fraud like the Louisville case can still get through for a time. Spero-Jack may come off as a small-time thief, but considering how his double-dipping was spread out – 32 money orders, all of $500 or less – it’s clear that velocity controls alone aren’t enough to head off a scam before it gets going. Furthermore, utilizing multiple bank accounts would render dollar-amount limits ineffective, or at least less effective.
That’s where we reach the current last line of defense for banks: funds availability. In the Louisville case, even if Spero-Jack had gotten away with double-dipping, if he couldn’t withdraw the funds from his bank account, most of the losses would have been prevented. That’s where we enter a legal tangle over federal regulations – many checks are subject to partial immediate availability and next-day availability of the complete amount, which in this case would mean the fraud still got through. But checks not received in person have looser wait-time requirements; two days instead of one would go a long way toward preventing serious damage. (When PayPal rolled out its own version of mobile RDC, the wait time for funds availability was up to six days!) At this point, the decision of whether and how long to hold on to funds also becomes a customer-service issue, though, and many banks may decide that the risk of occasional fraud is less than the very real risk of upsetting their customers. Ultimately, the final decision rests with the institution.
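To make the two controls discussed above concrete, here is an added Python sketch (not code from the original post or from any bank's actual system) that screens mobile deposits with per-item and daily velocity limits, applies a longer funds-availability hold to items not received in person, and refuses an item fingerprint the institution has already seen. The tier limits, hold lengths, item identifiers, customer names and dates are all constructed assumptions; the scenario mirrors the Louisville pattern of many money orders of $500 or less spread across days, and shows that while the limits let every item through, the hold keeps most of the money out of reach for the first days.

```python
"""Deposit screening for mobile remote deposit capture (RDC).

Added illustration; all limits, hold periods and sample data are assumptions.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Limits:
    per_item: float   # largest single item accepted
    daily: float      # largest total accepted per customer per calendar day


# Assumed tiers: limits follow how well the customer is known.
TIERS = {
    "new": Limits(per_item=500.0, daily=1500.0),
    "established": Limits(per_item=3000.0, daily=3000.0),
}


@dataclass(frozen=True)
class Deposit:
    customer: str
    item_id: str   # fingerprint of the paper item, e.g. issuer plus serial (assumed)
    amount: float
    channel: str   # "mobile" (RDC) or "branch" (received in person)
    on: date


@dataclass(frozen=True)
class Decision:
    accepted: bool
    reason: str
    available_on: Optional[date] = None


class DepositScreen:
    """Per-institution controls: duplicate item, velocity limits, availability hold."""

    def __init__(self, tiers=TIERS, mobile_hold_days: int = 2, branch_hold_days: int = 1):
        self.tiers = tiers
        self.mobile_hold_days = mobile_hold_days
        self.branch_hold_days = branch_hold_days
        self.seen_items: dict[str, str] = {}                 # item_id -> first depositor
        self.daily_totals: dict[tuple[str, date], float] = {}
        self.ledger: list[tuple[str, date, float]] = []      # (customer, available_on, amount)

    def screen(self, d: Deposit, tier: str) -> Decision:
        limits = self.tiers[tier]
        # 1. Same physical item presented twice at this institution.
        if d.item_id in self.seen_items:
            return Decision(False, f"duplicate item {d.item_id}, first deposited by {self.seen_items[d.item_id]}")
        # 2. Velocity controls.
        if d.amount > limits.per_item:
            return Decision(False, f"item {d.amount:.2f} exceeds per-item limit {limits.per_item:.2f}")
        key = (d.customer, d.on)
        running = self.daily_totals.get(key, 0.0)
        if running + d.amount > limits.daily:
            return Decision(False, f"daily total would be {running + d.amount:.2f}, limit {limits.daily:.2f}")
        # 3. Accept and schedule availability; mobile items wait longer than branch items.
        hold = self.branch_hold_days if d.channel == "branch" else self.mobile_hold_days
        available_on = d.on + timedelta(days=hold)
        self.seen_items[d.item_id] = d.customer
        self.daily_totals[key] = running + d.amount
        self.ledger.append((d.customer, available_on, d.amount))
        return Decision(True, "accepted", available_on)

    def available(self, customer: str, as_of: date) -> float:
        """Funds the customer could withdraw on `as_of` (holds already expired)."""
        return sum(amt for cust, avail, amt in self.ledger if cust == customer and avail <= as_of)


def simulate_spread(n_items: int, amount: float, start: date = date(2013, 1, 7)) -> dict:
    """Constructed scenario: a new customer deposits many small money orders by
    mobile, moving to the next day whenever the daily limit blocks one. Returns
    the accepted total, the number of days used, and the withdrawable balance
    for each day offset from the start."""
    screen = DepositScreen()
    day, accepted, days_used = start, 0.0, set()
    for i in range(n_items):
        item = Deposit("cust-A", f"MO-{i:03d}", amount, "mobile", day)
        decision = screen.screen(item, "new")
        if not decision.accepted:               # daily limit hit: try again tomorrow
            day += timedelta(days=1)
            decision = screen.screen(Deposit("cust-A", item.item_id, amount, "mobile", day), "new")
        if decision.accepted:
            accepted += amount
            days_used.add(day)
    horizon = len(days_used) + screen.mobile_hold_days + 1
    return {
        "accepted_total": accepted,
        "days_used": len(days_used),
        "available_by_offset": [screen.available("cust-A", start + timedelta(days=k)) for k in range(horizon)],
    }


def duplicate_presentation() -> tuple[bool, bool]:
    """The same money order presented twice at this institution: second refused."""
    screen = DepositScreen()
    first = Deposit("cust-A", "MO-777", 250.0, "mobile", date(2013, 1, 7))
    second = Deposit("cust-B", "MO-777", 250.0, "branch", date(2013, 1, 8))
    return screen.screen(first, "new").accepted, screen.screen(second, "established").accepted


if __name__ == "__main__":
    print(simulate_spread(32, 500.0))
    print(duplicate_presentation())
```

In the constructed run, 32 items of $500 all pass a $500 per-item and $1,500 daily limit, spread over 11 days; nothing is withdrawable for the first two days, and only $1,500 on the third, which is the breathing room a duplicate-item alert from another institution would need. The duplicate check only covers items this institution has seen, which is exactly why the post points to a cross-institution database as the real fix.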
But what about the most important tool of all in the fraud-prevention kit? At the end of the day, all this talk about velocity limits and funds availability boils down to one thing: How much do you trust the customer? Those of us who have followed remote deposit capture from the very start will remember that a lot of the same concerns about security and dishonesty were coming up all the way back in 2004, when RDC was very different from how it is today.
In the beginning, the up-front investment for RDC was substantial, most users were large and mid-sized businesses, and fraud concerns were largely unfounded. The same worries came up again and again as the barriers to entry became lower and eventually disappeared altogether, but one underlying principle held true: The incidence of fraud was low among well-known customers who had little incentive to commit it. Factors like these could be useful in determining who is allowed what limits, or who is allowed access to the service in the first place.
As RDC has been pushed out to the public, the need for vigilance has increased. But are a series of one-size-fits-all rules going to provide full protection until nationwide cross-verification becomes a reality? Probably not. In the meantime, the best security blanket is one that’s become rather old-fashioned in modern banking – getting to know your customers and deciding whom you can trust.