Technology benefits both the capacity to perpetuate and the ability to detect or prevent fraud. By Raymond Jeffords, Greg Thibadoux, and Marsha Scheidt
Fighting Fire with Fire
The unflagging popularity of paper checks together with the ready availability of desktop publishing software and laser printers have resulted in an alarming increase in check fraud. A variety of tools are available for preventing and detecting check fraud perpetrated by insiders who work for a business or financial institution. Check fraud by independent perpetrators, however, is more problematic. New technologies are available to combat the most common types of external check fraud--check alteration, counterfeiting, and forgery. Innovative technologies such as ultraviolet imaging, high-capacity barcodes, glyphs, and biometrics are turning paper documents into machine-readable files that can be processed and analyzed by automated equipment. As these new technologies become more widely used, banks and businesses can work together to curb the most common forms of external check fraud before losses are incurred.
Banks have worked hard to wean customers away from paper checks. Checks are expensive to print, mail, and process. Nevertheless, bank customers continue to use them in record numbers. In fact, the volume of paper check transactions in the United States grew from $42.5 billion in 1980 to $56.8 billion in 1990 and is anticipated to grow to $67.7 billion by the year 2005, according to The Nilson Report, a financial services newsletter. The much heralded checkless banking system remains stubbornly in the future. Banks have discovered that many customers prefer paper checks to debit cards, automatic bill payments, electronic banking, and other alternatives devised by banks to reduce the volume of paper checks. One reason commonly cited for the ongoing popularity of paper checks is the benefit provided by the float period; the time required to clear checks through the banking system provides additional time for bank customers to deposit funds or earn interest on account balances. Paper checks also provide a reassuring tangible record of cash disbursements.
Unfortunately, the growing volume of paper check transactions has certainly contributed to mounting losses from check fraud. It's no exaggeration to say that check fraud in the United States has reached alarming proportions. A 1995 study by the Federal Reserve estimated bank losses due to check fraud at $615 million a year with an additional $421 million spent on prevention, detection, and prosecution. Since banks are often reluctant to disclose the full impact of check fraud on their bottom lines, the Federal Reserve estimates probably understate actual losses. Independent estimates of check fraud losses range from $1050 billion a year. Prior to 1993 these losses were mostly the concern of financial institutions, but changes in the Uniform Commercial Code have resulted in additional responsibilities for bank customers who rely on paper checks to pay bills and meet payrolls.
Advances in computer hardware and software underlie most of the increase in check fraud--primarily the development of low-cost, high-quality color printers and scanners, along with desktop publishing software that makes it relatively easy to alter legitimate documents or create counterfeit checks virtually indistinguishable from the real thing. Fortunately, computer technology is now beginning to provide some new tools to help combat the opportunities for check fraud it helped to create.
Controls to Reduce the Risk of Internal Check Fraud
There are a variety of ways to categorize check fraud. One broad distinction is "internal" versus "external." Internal check fraud refers to schemes devised by insiders--i.e., employees responsible for creating, authorizing, or processing checks. The risk of internal fraud can be minimized through time-honored controls such as segregation of duties, independent reconciliation of cash accounts, and safeguarding check stocks and signature protocols.
Firms that use in-house check-printing software also have access to a variety of automated internal controls. These software programs begin with totally blank paper stock (making check stock security less critical) and print all check information simultaneously, including logos, border designs, graphics, and the MICR (magnetic ink character recognition) data required by banks to read, process, and sort checks with high-speed processors. Such checks can be produced on standard laser printers equipped with magnetic ink cartridges.
In-house software streamlines the check-printing process and provides a variety of internal controls that differ from program to program. Typical program security features include encrypted security passwords to prevent unauthorized use, program-specified signature limits on dollar amounts, audit logging and reporting, program-controlled access to required accounting data, and removable signature files and fonts for separate storage. Some systems also encode each printed check with information about the operator, date of printing, and serial number to help assign responsibility in the event of a breach in security.
Controls to Reduce the Risk of External Fraud
External check fraud refers to schemes created by independent operators or by organized gangs. These types of schemes usually require control procedures and techniques beyond those directed toward internal fraud. The most common forms of external check fraud involve--
* alteration of check details (amount or payee)
* creation of counterfeit checks
* forgery (signature or endorsement).
Altering, counterfeiting, and forging paper checks have always been sources of risk for those engaged in check transactions. In the past, however, these types of fraud generally required considerable artistic ability or expensive printing equipment beyond the reach of most fraud artists. The proliferation of personal computers has changed all that. Today, all the tools needed for check fraud--scanners, color printers, and desktop publishing software--are widely available and easily affordable. To combat this new threat, a variety of physical controls have been developed to make it more difficult to alter or counterfeit checks (see Exhibit 1). Despite these physical controls, however, determined criminals have always been able to pass altered or counterfeit checks. The con artist knows that a bogus check does not have to be a perfect replica to be accepted by a cashier. Furthermore, those who cash bogus checks are often unfamiliar with the various physical control features that a particular firm chooses to use.
The most common form of check fraud in the United States involves counterfeiting checks for relatively small amounts ($300500), which stay within the check-cashing guidelines of local merchants. These checks are often drawn against well-known local firms and major employers. Criminals with phony personal identification present such checks to pay for modest purchases while collecting the remainder in cash. Merchants succumb to this type of fraud because of their natural desire to complete a sale and accommodate the customer. Their familiarity with the name and logo on the bogus check contributes to a false sense of security.
Check fraud has taken on greater importance to businesses following fairly recent changes in the Uniform Commercial Code. Section 3-406 of the code has modified bank customer liability for check fraud by introducing the concepts of comparative negligence and ordinary care. In essence, businesses that make it too easy for criminals to perpetrate check fraud can be held partly or wholly responsible for the resulting losses. Check fraud is no longer the exclusive concern of financial institutions. Businesses must now be familiar with their bank's requirements for ordinary care to prevent check fraud. Indicators of ordinary care are summarized in Exhibit 2. A written copy of specific procedures should be obtained directly from the bank, together with the bank's own policies and procedures for ensuring ordinary care.
One way to minimize potential liability under the revised UCC provisions is to participate in a positive pay program. This involves providing the bank with a daily list of checks written by a bank customer. The list is usually transferred to the bank electronically and identifies every check by account number, check number, amount, and payee. During the bank's clearing process, checks are matched to the listing. Details of checks not found on the listing are forwarded to the customer for verification and approval. Some banks forward scanned images of the fronts and backs of unlisted checks to make it easier for a customer to investigate bogus checks.
While banks usually charge a fee for positive pay services, they also assume greater responsibility for check fraud. There are a number of variations on the positive pay arrangement. Reverse positive pay, for example, requires banks to initiate a list of checks presented for payment. The bank's list is then forwarded to the customer for verification and approval before the payment is released. This arrangement, however, places greater responsibility for check fraud detection in the hands of the bank customer and therefore increases the customer's liability.
New Technologies to Combat External Check Fraud
Ultraviolet Imaging. To reduce the cost of paper handling, banks and businesses have long relied on microfilm copies of paid checks. Retrieving a single check image from a microfilm file, however, can be a tedious and time-consuming process. With the introduction of scanning and electronic imaging software, banks are now able to deliver paid check images to large commercial customers using CD-ROM technology. This medium reduces customer storage costs and makes it much easier to search for and retrieve a given check for verification purposes. In addition, CD-ROM images can be copied directly into electronic documents, transmitted on computer networks, or faxed over telephone lines.
The major constraint for check imaging using CD-ROM technology has been storage size. As much as 15kB to 20kB of memory is needed to record the front and back of a single check. Much of that expensive memory space is "wasted" on things like corporate logos and extraneous items such as check borders and graphic designs.
A newly developed technology offers the possibility of greatly reducing the amount of memory needed to store check images while providing additional protection against check fraud. U.S. Check Company, Inc., has developed a patented technology that highlights the essential elements of a check--e.g., check number, account number, payee, and amount--through the use of a non-visible ink overlay. When viewed or scanned under ultraviolet light, these data fields (called "snippets") become visible and are machine readable with suitably equipped check imaging platforms.
Check snippets can be custom-tailored by a business to highlight any type of data field on any type of check. Using snippet technology, data fields can be captured and stored without the need for XY coordinates and the related account find tables that tell high-speed check readers where to find specific information. And only essential data is retained--not logos and border designs. This greatly reduces storage costs and makes it possible for customers to retrieve and view a single data field (such as payee or amount) independently of any other stored data.
In addition to its cost-saving potential, snippet technology provides new controls for check fraud. First, snippet fields are invisible to the naked eye, making them less obvious to counterfeiters. High-speed imaging platforms with the proper software, however, can immediately detect missing or altered snippet data fields during the check clearing process. Each snippet, in addition to its visible data content, is also invisibly marked with a universal code that identifies the nature of the snippet's contents as well as the total number of snippets that appear on a given check. These universal codes can also be used to deliver special handling instructions to banks, such as expiration dates after which checks should not be paid. Any attempt to alter or eradicate encoded snippets is detectable using automated imaging equipment.
Two-Dimensional Barcodes. Although snippet technology delivers a solid first punch in the battle against check fraud, it can be even more effective when used in conjunction with 2-D barcode technology. Most people are familiar with the type of barcode used to identify and price retail merchandise. These simple barcodes generally contain about 75 ASCII characters or about 150 numeric characters. This provides enough flexibility to identify and track simple business information.
Today, however, high-capacity 2-D barcodes (see Exhibit 3) can capture vast amounts of data in a small amount of space. Current barcode technology can capture text, binary code instructions, digitized signatures, graphics (including photo IDs), fingerprints, and even audio (voice) data--all in a space about the size of a postage stamp. This technology is just now being applied to financial documents such as paper checks to automate the verification processes.
For example, with existing check-printing software, business enterprises can add barcodes to company checks as part of their standard check printing procedures. These barcodes can be read by anyone with a laser scanner. Such checks become self-validating: That is, the same information appears twice on the same check--first as visible data that can be read by the human eye and again in barcode format that can be read only with a scanner. Anyone with appropriate software (such as banks, retailers, or check-cashing services) can immediately verify that the information printed on the check agrees with the information contained in the barcode. Like snippets, barcodes cannot be altered or photocopied without immediate detection and cannot be counterfeited without access to protected software and imaging technology. Best of all, these controls permit fraud detection at any of the following stages in the check handling process:
* When a check is first presented for payment,
* During the check clearing process, or
* During routine customer verification procedures after a check has been paid.
DataGlyphs. DataGlyph is the name used for a new technology developed by Xerox to encode machine-readable data (text, numbers, and graphics) on paper documents. The glyphs are a series of slashes (e.g., /\\/\\///). Each slash represents a 1 or 0 in binary code. The glyphs can be as small as 1/100 of an inch and grouped together so tightly that they appear to the naked eye as nothing more than a light gray background on a document.
Xerox claims that, at a given level of resolution and error-correction capability, the glyphs require only 60% of the space required by traditional barcodes. In addition, the glyphs are more pleasing to the eye and are less likely to attract the attention of potential counterfeiters. Like 2-D barcodes, information encoded in glyphs is randomly scattered in such a way that the entire message can be reconstructed and read even if portions of the document are destroyed or obliterated. Logos and visible data can be printed on top of the glyphs without destroying their informational content.
Xerox DataGlyph software also includes a scripting language that can be used to launch specific computer applications. For example, if a document contained a box to be checked for a change of address, glyph instructions could be encoded to read the box for the presence of a check mark and segregate the document for updating company records. Like high-capacity barcodes, glyphs have the potential to make paper checks self-validating and machine readable.
Biometrics. Biometrics refers to technology used to determine whether a person is who he or she claims to be. As the term suggests, biometrics deals with measuring, storing, and comparing biologically based information about a person to provide unique identification. Fingerprints, for example, are a well-known source of biometric identification used in criminal investigations. Until recently, the stigma of taking someone's fingerprints has prevented banks and retailers from using this type of control, but growing check fraud has caused many banks and retailers to reconsider their policies. Today, some banks require fingerprints from non-bank customers who wish to cash a check. Those who object are refused payment. Those who consent usually apply a single fingerprint to the face of the check using an inkless process. Banks that have adopted fingerprinting claim significant declines in check fraud.
Less obtrusive biometric identification is currently available through the use of electronic signature equipment. Customers are asked to sign paper documents against a flat pad that senses the pattern, speed, and pressure of the electronic pen used to produce the signature. By comparing this information against authenticated signature data, forgeries can be immediately detected. Still in development are biometric identification procedures based on the physical features of the iris or retina, various facial dimensions, and analysis of speech patterns. Automatic teller machines are currently being developed that can identify bank customers based upon iris scans. In less than two seconds, a camera is able to locate and scan the iris, record distinct features in a barcode format, and compare the results against stored bank files. *
Raymond Jeffords, PhD, CPA, and Greg Thibadoux, PhD, are professors, and Marsha Scheidt, DBA, CMA, a U.C. Foundation Associate Professor, all at the University of Tennessee at Chattanooga.
The CPA Journal is broadly recognized as an outstanding, technical-refereed publication aimed at public practitioners, management, educators, and other accounting professionals. It is edited by CPAs for CPAs. Our goal is to provide CPAs and other accounting professionals with the information and news to enable them to be successful accountants, managers, and executives in today's practice environments.
©2009 The New York State Society of CPAs. Legal Notices
Visit the new cpajournal.com.