The growth in electronic payments and a distressed economy together have created an environment ripe for new payment fraud opportunities, according to the Association for Financial Professionals' 2009 Payments Fraud and Control Survey. But while the report notes that more than 70 percent of firms surveyed were the victims of attempted or actual fraud during 2008, no increase was reported in attempted fraud associated with the adoption of remote deposit capture (RDC) services. While nearly half of the respondents indicated that their organizations had offered services to customers to transmit check images using remote deposit, only 1 percent reported that they experienced payment fraud as a result.

Fraud as a Result of Remote Deposit Capture Service
(Percentage Distribution of Organizations That Use Remote Deposit)
| | All respondents | Revenues over $1 billion | Revenues under $1 billion |
|---|---|---|---|
| Experienced fraud | 1% | 2% | 1% |
| Did not experience fraud | 99% | 98% | 99% |
Source: AFPonline.org

Does nascence explain lack of reported fraud?
While RDC adoption has been rapid, it remains at an early stage in the technology adoption lifecycle. Anecdotal evidence suggests that some financial institutions and their customers have initiated service offerings judiciously to known business customers and thereby mitigated the inherent risk exposure from RDC. However, less sophisticated adopters may lack the operational systems and control processes to identify fraud when it happens, or may otherwise not be forthcoming in admitting when they are victimized. Time will tell if fraud trends emerge or become more transparent as RDC grows into a more mature service offering by financial institutions.

Risk management and regulatory oversight
We spoke with examiners at the Atlanta Fed and learned that they've had RDC on their radar for some time and have promoted sound risk management practices during bank examinations in advance of formalized interagency guidance. In January, the Federal Financial Institutions Examination Council (FFIEC) published its official guidance for banks' risk management of RDC services. This guidance provides a comprehensive summary of the risks inherent in this service and the necessary elements of an effective risk management program. As prescribed in the FFIEC guidance, the same disciplines that apply to the risk management of other bank products and services apply to RDC. First and foremost, it is critical to have proper due diligence in the selection and monitoring of third-party service providers to whom certain operational functions are outsourced, along with accurate and ongoing self-risk assessments of the financial institution's internal and external business environments.

Conclusion
No one can be sure why firms that offer RDC aren't experiencing fraud from it as they are from other payment services, particularly those that are check-related. It could be the way that information is captured and reported within an organization. One thing we know for sure is that RDC adoption is expected to continue to grow as businesses and consumers convert paper checks to more cost-effective electronic payments. Will fraudsters find vulnerabilities to exploit in the risk management efforts of product vendors, bank regulators, third-party servicers, and the financial institutions themselves? We would like to hear from you. Feel free to share your thoughts with us.

By Cindy Merritt, assistant director of the Retail Payments Risk Forum at the Atlanta Fed