The recent growth in check fraud has reached epidemic proportions, leaving no individual, company, or municipality immune. More than 1.2 million worthless checks enter the banking system each day. The Nilson Report advises that annual check fraud losses now exceed $20 billion, which is up from $12 billion in 1996 and $5 billion in 1993. The American Bankers Association reports that check fraud is growing 25 percent per year.
Banks, companies, and municipalities face a substantial shared risk from check fraud. Financial executives must answer the following questions:
- How do we assess our risk?
- How much financial exposure are we willing to assume?
- What real and hidden costs will we bear if we become victims of check fraud?
- How might our image and reputation be damaged?
- How much are we willing to spend to reduce our risk?
The legal basis for liability in check fraud losses is found in the Uniform Commercial Code (UCC). Recent changes in the UCC distribute the problem by taking sole responsibility for check fraud from the bank and directing that it be shared with both banks and their customers. Losses and related expenses from check fraud will continue to increase the cost of doing business for banks and their customers, unless banks and customers form a strong partnership to prevent and control the problem.
The revised UCC outlines specific responsibilities for banks and corporations, and recent court cases are providing clarification and establishing legal precedent. Failure to adhere to these new responsibilities may cause the negligent party to suffer a loss.
UCC revisions define responsibilities for check issuers and paying banks under the term “ordinary care.” Under Sections 3-403(a) and 4-401(a), a bank can charge items against a customer’s account only if they are “properly payable” and the check is signed by an authorized person. If a signature is forged, the issuer may be liable if one of the following exceptions applies.
According to UCC Section 3-406, if account holders fail to exercise “ordinary care,” they may be restricted from seeking restitution from the payee bank if their own failures contributed to a forged or altered check. Under 3-103(7), ordinary care requires account holders to follow “reasonable commercial standards” prevailing in their area and for their industry or business.
Section 4-406 requires customers to reconcile their bank statements within a reasonable time and report unauthorized checks immediately. Typically this means reconciling bank statements as soon as they are received, and always within 30 days of its mailing.
The concept of comparative negligence in Sections 3-406(b) and 4- 406(e) can also shift liability from the bank to the check issuer. If both the bank and the account holder have failed to exercise ordinary care, a loss may be allocated based on the extent that each party’s failure contributed to the loss.
The internal procedures used by a company when issuing checks will be questioned to determine negligence. Since banks are not required to physically examine every check, companies may be held liable for all or a substantial portion of a loss even if the bank did not review the signature on the fraudulent check.
Liability for counterfeit items that are virtually identical to original checks will be addressed on a case-by-case basis.
Read Bank Contracts
Carefully read your bank contracts to understand your company’s liability for fraud losses under the revised Uniform Commercial Code. This specifically includes the small print on signature cards and disclosure statements. It is abundantly clear from recent court cases involving fraudulent checks that a bank’s intentions must be stated clearly and without ambiguity in order to win a check fraud case against a customer. Accordingly, banks are rewriting their signature card agreements and are including new provisions and requirements in their disclosure statements. For a summary of the changes in the UCC, visit www.FraudTips.net.
Impact of Regulation CC
In 1992, the Federal Reserve Regulation CC reduced the time a bank was allowed to hold deposited funds as uncollected items. The new regulation provides bank customers access to their funds in a shorter period of time…local checks within two days and non-local checks within five days–even if the actual check has not paid.
The regulation’s intent was to speed the availability of deposited funds to consumers. But the change has significantly increased fraud losses by shortening the time that banks can return checks paying against uncollected funds. Shortening the time has expanded the window available for criminals to perpetrate a fraud. Criminals often alter a check’s routing and transit numbers, redirecting checks to an incorrect Federal Reserve District. When the fraudulent checks ultimately are returned to the correct bank, the deposited funds have been withdrawn.
Banks are also required to follow strict guidelines regarding new accounts. Any account that has been open for thirty days may no longer be considered a new account, with its extended “hold” period on deposited funds.
Check Fraud Prevention Best Practices
When fighting check fraud, nothing is 100 percent. No feature or program can completely eliminate check fraud, and no prevention system is foolproof. However, specific practices can complicate a criminal’s counterfeiting efforts. Following are some best practices for reducing risk.
The most effective check fraud prevention tool is called positive pay or match pay, an automated check-matching service that is unparalleled in detecting bogus checks. It is offered through the cash management department of many banks. To use this service, the check issuer transmits a file of issued checks to the bank. Positive pay is extremely effective when the customer sends issued-check information to the bank the same day checks are issued.
Positive pay compares the account number, check number, and dollar amount of checks presented for payment against the list of checks authorized and issued by the company. All three components of the check must match exactly or it becomes an “exception item.” When an exception item is identified, the bank contacts the customer to determine its authenticity. If the check is fraudulent or the dollar amount was altered, the bank will return the check unpaid, and the forger is foiled.
Reverse Positive Pay
For organizations or individuals with relatively small check volume, reverse positive pay should be considered. This service allows an account holder to conduct a daily check matching to identify unauthorized checks. The account holder downloads from the bank the list of paid checks and compares them to the issued check file. Suspect checks must be researched and the bank advised of items to be returned. While reverse positive pay provides timely and manageable information on a small scale, for larger operations it is not a good substitute for positive pay.
Payee Name Verification
Positive pay and reverse positive pay monitor the check number and dollar amount, but not the payee name. Neither will catch added or altered payees, or counterfeit checks using legitimate check numbers and dollar amounts with new payees. Several banks are developing positive pay systems that compare the payee name, called payee name verification (PNV). PNV identifies the payee line through X,Y coordinates on the face of the check, and uses optical character recognition software to interpret and match the characters. Matching the payee name, check number, and dollar amount will stop most check fraud attempts, but it is still not 100 percent effective. It will not prevent added payee names inserted above or below the authentic payee name line.
Preventing Added Payees
Altering or adding a new payee name is the latest scam of sophisticated forgery rings. They fully understand the limitations of positive pay and simply add a new payee name above or below the original name after removing the address. To help prevent added payee names, insert a string of asterisks above and after the payee name. You should also use a secure name font, which is a font that creates a unique image or screened dot pattern when printing the payee’s name. A large font size of 12 point or larger is also recommended because removing large letters are more difficult to accomplish without leaving telltale signs.
ACH Filter or Block
Forgers have learned that positive pay cannot monitor electronic checks, also known as automated clearing house (ACH) debits. Files containing ACH debits are created by a company or municipality and submitted to its bank. The bank processes the file through the Federal Reserve System and posts the ACH debit against the designated account. Because paperless transactions pose substantial financial risk, banks are careful to thoroughly screen any company that wants to send ACH debits. However, some dishonest individuals get through the screening process and victimize others. To prevent electronic check fraud, ask your bank to place an ACH filter or block on your account. An ACH block rejects all ACH debits. For many organizations, a block is not feasible because legitimate ACH debits would be rejected. In this case, use an ACH filter. In the electronic debit world, each ACH originator has a unique identifying number. An ACH filter posts debits only from preauthorized originators or in preauthorized dollar amounts. If your bank does not offer a filter, open up a new account exclusively for authorized ACH debits and restrict who has knowledge of that account number. Put a block on all other accounts.
Using highly secure checks is a critical component in check fraud prevention. One cannot discuss check fraud and ignore this important tool. A highly secure check provides the only deterrent to altered names and dollar amounts by making alterations and replications more difficult. There is substantial evidence that highly secure checks motivate criminals to seek easier targets.
This tool is easy to implement. Simply ask your check printer to add safety features to your checks on your next order. For a list of safety features, see the sidebar “Check Security Features.” Highly secure checks should contain at least eight safety features, and more is better. Many check manufacturers sell checks that include a printed padlock icon, suggesting the check is secure. However, the padlock icon does not make a check secure, since only three safety features are required to use it.
Some legal experts suggest that a strong argument can be made that the failure by a business to use adequate security features to protect its checks constitutes negligence. By using highly secure checks, a company can legally demonstrate that care has been taken to protect their checks.
Reconcile Bank Statements Promptly
The revised UCC requires an organization to exercise “reasonable promptness” in examining its monthly statements, and specifically cites thirty days from the date of mailing from the bank. Carefully read your bank’s current disclosure agreement that details the length of time you have to report discrepancies on the bank statement. Some banks have shortened the timeframe to less than thirty days. Failure to reconcile promptly is an invitation for employees to embezzle because they know their actions will not be discovered for a long time. The people issuing checks should not be the same people who reconcile the accounts.
If you are unable to reconcile on time, hire an outside reconciliation service provider and have the bank statements mailed to them directly. Independent reconciliation service providers, CPA firms, and many banks offer this valuable service.
The repeater rule limits a bank’s liability. If a bank customer does not report a forged signature, and the same thief forges a signature on additional checks paid more than thirty days after the first statement containing the forged check was made available to the customer, the bank has no liability on the subsequent forged checks so long as it acted in good faith and was not negligent.
The one-year rule is another important guide. Bank customers are obligated to discover and report a forged signature on a check within one year, or less if the bank has amended the one-year rule. If the customer fails to make the discovery and report it to the bank within one year, they are barred from making any claim for recovery against the bank. This applies even if the bank was negligent.
Multiple Check Colors
Some companies with multiple divisions or branches use a single bank account against which all checks pay. To differentiate locations, they often use different check colors for each branch. This is not a good practice. When many different colors of checks routinely pay against an account, spotting counterfeit checks by color becomes an impossible task. A bank’s sight review department cannot be expected to identify a fraudulent or chemically washed item when so many colors are used. Use a maximum of two colors in the same account.
Manually Issued Checks
Every organization occasionally issues manual checks. They are often typed on a self-correcting typewriter. These typewriters use ribbons that are black and shiny. This black shiny ribbon is made of polymer, a form of plastic. Plastic, not ink, is typed onto a check. The white correcting tape is a very durable form of coated transparent tape that lifts the plastic off when errors occur.
Forgers can alter manually issued checks with ordinary transparent tape. They simply lay tape over the letters to be removed, rub the tape lightly with a pen or pencil and lift off the tape. The typed letters are now on the tape, not on the check. Then they type in another payee name and dollar amount and cash the check, which has the original signature.
When issuing manual checks, use a single-strike fabric ribbon, which can be found in the catalog of major office supply stores. Single-strike ribbons ensure that the maximum amount of ink is driven into the fibers of the paper.
Check Stock Controls
Check stock must be kept in a secure, locked area. Change locks or combinations frequently to ensure they have not been compromised by unauthorized individuals. Keep check boxes sealed until they are needed. Inspect the checks upon receipt to confirm accuracy, and then re-tape the boxes. Write or sign across the tape and the box to provide evidence of tampering. Conduct physical inventory audits to account for every check. Audits should be conducted on a regular and frequent basis by two persons, including someone not directly responsible for the actual check printing. When checks are printed, every check should be accounted for, including voided, jammed, and canceled checks, and those required to align the printer.
Annual Reports and Correspondence
Annual reports should not contain the actual signatures of the executive officers. Forgers scan and reproduce those signatures on checks, purchase orders, letters of credit, and other negotiable documents.
When possible, do not include account numbers in correspondence. Credit applications sent to a new supplier should include the name and phone number of the company’s account officer at the bank, but not the bank account number. Nor should an authorized signer on the account sign the correspondence. You have no control over who handles this information once it is mailed or faxed, and it could be used to commit check fraud.
Forgers obtain bank account information by posing as customers requesting wiring instructions. These instructions contain all the information necessary to draft against a bank account. To avoid giving out primary account numbers, open a separate account that is used exclusively for incoming credits, such as ACH credits and wire transfers. Place the new account on “no check activity” status and make it a “zero balance account. These two parameters will automatically route incoming funds into the appropriate operating account at the end of the business day, while preventing checks from paying against the account.