Mobile check deposit, once a low priority technology for banks, has become one of the most sought out mobile banking app features. But along with popularity and increased use, the potential for fraud is emerging for smartphone check deposits.
A recent report from ath Power Consulting identifies remote deposit capture as mobile banking users' most desired app feature.
Banks are responding. Research from Celent shows that in 2009, 72% of surveyed financial institutions had no plans to offer mobile remote deposit capture (RDC). By 2012, only 18% were holdouts.
The high demand has challenged vendors of the technology. "There's a waiting list," says Bob Meara, senior analyst in the banking group of Celent. "At the end of the day, it will be commonplace."
To date, fraudsters have largely left mobile RDC alone. One reason could be the lack of a big payoff: banks often set daily deposit limits at $3,000 or less. Furthermore, Celent's 2012 data shows that about 90% of RDC deploying banks reported zero losses. Most that have suffered some loss have been larger institutions.
Still, evidence of crime committed through mobile RDC is slowly emerging. "There are some examples of customers double depositing," says John Leekley, founder and chief executive of remoteDepositCapture.com, an informational services company. "As is always the case with criminals, they are looking for new and different ways to exploit and game money from banks and consumers."
The Check 21 Act of 2004, which made it okay to create digital versions of paper checks for processing, spells out the rules required of check imaging, regardless of which channel the payment comes through. However, in mobile there is one notable difference that paves the way for new threats: the consumer holds onto the check, which gives them the power to serial deposit, by design or chance.
A recent example of a similar type of fraud serves as a reminder to banks to continue to enhance their fraud-fighting technology and policies. The crime was carried out when a man purchased a money orders at a grocery store, left the store to deposit the money order into his bank account via mobile deposit, then re-entered the grocery store to cash the same money order.
That could happen again.
"In mobile remote deposit capture, there is a risk that someone could intentionally deposit the check more than once," says Shirley Inscoe, a senior analyst at Aite Group.
A bad guy could open accounts at several banks and make multiple deposits with the same check. Or it could be an accidental crime: A customer could deposit a check from his mobile phone, and his spouse could spot the physical check on the counter and deposit the funds at a branch.
"In a world where anyone can deposit a check and keep the paper check, the risk multiplies," Inscoe says.
The risks are waking up companies to the importance of the check endorsement.
"The back of the check plays a critical role in the payment," says Leekley. "Endorsement hasn't been enforced like it should be."
Most banks' policies require a John Hancock, and Celent's Meara says it's normative for mobile RDC technology to detect whether the back of the check is endorsed (it doesn't commonly analyze handwritten signatures for authenticity).
There are potential vulnerabilities with that approach. A customer could hypothetically save the back of a check so he could image two different checks on his smartphone to commit fraud through mobile RDC.
Some financial institutions like USAA require depositors to endorse the item as a deposit only and provide the bank with an account number.
Such restrictive endorsements could help mitigate risk of double deposits, especially as the technology matures to detect and verify the handwritten scribble on the back of the check, according to Leekley.
The Federal Financial Institutions Examination Council issued security guidance on mobile RDC in 2009. To mitigate risk, banks generally place limits on what customers can deposit, place a hold on the funds, and take other precautions that take into account, such as how long a person has been a customer and what kind of relationship he has with the bank.
"Risk management starts with knowing your customer and establishing appropriate risk policies with limits," says Jim Ballagh, vice president of business development at Ensenta, a company that sells mobile deposit technology with added risk management tools.
With regulators taking a renewed look at vendor due diligence and consumers clamoring for more functionality in mobile, banks are looking to keep fraud at bay.
"Just about everyone is working on doing something," says Leekley.
Meanwhile, the industry collectively has been working on ways to prevent check double dipping by sharing deposit data among one another. Early Warning Services is building a database that will let bank participants receive real-time notice of duplicate checks.
"A slow and growing ability to detect duplicate items is emerging," says Meara.
The leader in imaging software for mobile check deposit, Mitek Systems, is one of many vendors taking note of the demand for features that are designed to help banks stay ahead of the bad guy.