As the U.S. payments system continues to transition from a paper to an electronic process, it is important to understand some key terminology and differences that exist. The movement of checks from paper to an electronic process is commonly referred to as check electronification and can be categorized in two ways: check truncation and check conversion. For any party involved in the transaction, there are important differences to understand between truncation and conversion from a regulatory, operational and risk perspective.
The Check Clearing for the 21st Century Act (Check 21) grants banks the authority to create substitute checks and process check information electronically. Check truncation occurs when the paper check is removed from the collection or return process and replaced by a substitute check. Truncation also allows for the check information to be presented electronically (i.e. image). The substitute check becomes the legal equivalent of the original check and is governed by check law, Uniform Commercial Code and Regulation CC.
Check conversion is the process where a check is used as the source document to obtain the data (i.e. bank routing and transit number, account number, check number) necessary to initiate an electronic debit to the checking account. The check or substitute check is not used as the method of settling payment; therefore, check conversion is governed by electronic banking law (Regulation E). Usually, the electronic debit is settled through the ACH network, but settlement can also occur through the ATM network infrastructure.
If a converted check is processed through the ACH network, the following Standard Entry Class (SEC) codes are used: POP (point of purchase), WEB (Internet-initiated), TEL (telephone-initiated), and ARC (accounts receivable). These SEC codes, along with RCK (re-presented check entry), are commonly referred to in the industry as eCheck transactions. RCK is an example of check truncation rather than check conversion (i.e. the original payment was a paper check that the paying bank returned and that the bank of first deposit resubmits through the ACH for payment).
There were over two billion electronic check conversions processed through the ACH network in 2004, more than double the 2003 volume. This explosive growth is indicative of the benefits experienced by merchants, billers and their financial institutions when checks are converted to electronic transactions, not to mention growing consumer acceptance. However, the adoption of electronic check conversion has been accompanied by some migration of fraud risks from the paper check world into the electronic environment, as well as the advent of new risks inherent in these transactions.
In some cases, there is an underlying shift of liability between the involved parties relative to losses incurred if the paper check has been processed. Also, the shift in governing regulations from check to electronic banking law imposes different risk considerations and timeframes for exposure. As a result, thoughtful strategies need to be implemented to mitigate fraud risk when converting or receiving electronic checks. These strategies vary not only by the role of the party in the transaction, but also by the type of eCheck.
According to the 2004 ABA Deposit Account Fraud Survey Report, nearly one-fourth of all bank check fraud losses are the result of forged signatures when someone who is not the true account owner negotiates a check. In the paper check world, the paying bank is in the best position to verify the account owner’s signature on the document and is generally liable for losses incurred if the account owner disputes the authenticity once the check has been paid.
Conversely, when a check is converted to an ACH transaction, the bank originating the transaction (ODFI) warrants to the paying bank (RDFI) that the transaction has been properly authorized since there is no longer a signed check document for the paying bank to examine. The originating bank is now responsible for ensuring that the merchant or biller has taken reasonable steps to verify the identity of the person negotiating the item because it will bear any losses from unauthorized transactions (although it may pass these losses back to the originator). Since Regulation E provides a much longer window for disputed items to be returned than check law, the ODFI is exposed to potential losses from returns for an extended period of time.
As a result, it is imperative that the ODFI truly know its customer when they originate transactions. In order to adequately protect itself, the ODFI must understand the nature of its clients’ business and the processes utilized. This requires both qualitative assessment of client practices and ongoing automated monitoring of their activity to generate alerts when exposure limits are approached or out-of-pattern activity occurs. Monitoring should include file activity and dollar volume, file composition, return rates by SEC code (with particular attention to unauthorized returns) and position relative to exposure limits.
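The automated monitoring described above can be sketched as follows. This is an added example, not code from the original article: the function name, the thresholds, the treatment of return reason codes R05, R07, R10 and R29 as "unauthorized", and the sample activity are all assumptions made for illustration.

```python
from collections import defaultdict

# Return reason codes counted as "unauthorized" in this sketch (assumption).
UNAUTHORIZED = {"R05", "R07", "R10", "R29"}

def monitor_originator(entries, exposure_limit, approved_secs,
                       warn_fraction=0.8, max_return_rate=0.15,
                       max_unauth_rate=0.01):
    """Return alert strings for one originator's file activity.

    entries: iterable of (sec_code, amount_cents, return_code_or_None).
    Every threshold is an illustrative assumption, not a rule value.
    """
    stats = defaultdict(lambda: {"count": 0, "returned": 0, "unauth": 0})
    total = 0
    for sec, amount, ret in entries:
        s = stats[sec]
        s["count"] += 1
        total += amount
        if ret is not None:
            s["returned"] += 1
            s["unauth"] += ret in UNAUTHORIZED
    alerts = []
    # Position relative to the exposure limit.
    if total > exposure_limit:
        alerts.append("exposure limit exceeded")
    elif total >= warn_fraction * exposure_limit:
        alerts.append("exposure limit approached")
    for sec, s in sorted(stats.items()):
        # File composition: SEC codes this originator was not approved for.
        if sec not in approved_secs:
            alerts.append(f"{sec}: out-of-pattern SEC code")
        if s["returned"] / s["count"] > max_return_rate:
            alerts.append(f"{sec}: total return rate high")
        if s["unauth"] / s["count"] > max_unauth_rate:
            alerts.append(f"{sec}: unauthorized return rate high")
    return alerts

# Constructed sample activity for a hypothetical originator approved for ARC and WEB.
SAMPLE = ([("WEB", 5_000, None)] * 92 + [("WEB", 5_000, "R10")] * 3
          + [("WEB", 5_000, "R01")] * 5 + [("ARC", 10_000, None)] * 198
          + [("ARC", 10_000, "R01")] * 2 + [("TEL", 7_500, None)] * 40
          + [("TEL", 7_500, "R01")] * 10)

if __name__ == "__main__":
    for alert in monitor_originator(SAMPLE, 3_500_000, {"ARC", "WEB"}):
        print(alert)
```

In the sample, WEB's overall return rate stays under the assumed threshold, so it is flagged only because unauthorized returns are tracked separately by SEC code.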
For the merchant or biller, verifying the customer’s identity and their authority on the account is challenging even when they are face-to-face with the consumer because the verification tools available are limited. The paying bank is in the best position to validate information about who has authority on the account and authenticate the account-holder, but this vital information is typically not shared with originators. The challenges of authentication become even more daunting when the consumer is not present, as in a WEB or TEL transaction. These transactions involve a greater degree of risk because fraudulent transactions can more easily be created and entered into the ACH network without detection.
For WEB transactions in particular, the Internet provides fraudsters with anonymity, reach and speed that is unmatched in the paper check world. As a result, authentication and other risk management tools, such as internal negative files and manual review of suspect transactions, are necessary components of every e-commerce infrastructure to balance tolerable risk with acceptance of the consumer’s desired payment method. TEL transactions also offer anonymity and pose high risk because, unlike WEB transactions that may be used for recurring transactions, TEL is only utilized for single-entry payments.
Typically, first-time, single-entry payments represent the highest exposure risk because originators can maintain positive experience databases and rely, to some extent, on previously provided personal information and account history to authenticate and validate recurring or repeat single-entry payments. However, caution should be applied to relying solely on previously provided information. Fraudsters set up what appear to be legitimate accounts to get by the screening process and generate good transactions for a period of time before perpetrating fraud. In addition, stolen identity, compromised account information and changes to the account status can turn a previously low-risk transaction into a loss. As a result, authentication and account validation should be performed with each transaction.
Strong consumer authentication combines at least two of the following factors: 1) something the consumer has, such as a driver’s license, ATM card or physical key; 2) something the consumer knows, such as a shared secret or out-of-wallet information; or 3) something unique to the consumer, such as a signature or biometric. In most cases, WEB and TEL originators are forced to rely solely on the second method, which creates an inherent weakness in the process.
In addition to authenticating the information provided, it is important to validate the payment account information. In a recurring payment environment (WEB or ARC), the merchant or biller can verify information against prior payment history, although this method is not without risk as highlighted above. For first-time or single-entry payments (commonly POP, TEL and WEB), originators may access real-time tools such as financial institution national shared databases. Inquiring into these databases at the time of transaction provides significant value by identifying unintentional keying errors or misreads of the MICR line, which can be corrected by re-prompting the consumer (WEB), telephone representative (TEL) or cashier (POP). It may also identify a deliberate attempt to create a fraudulent account number with a valid bank routing and transit number or transact against a closed account. In either event, an administrative return, the associated collection cost and a potential loss are avoided by this preventative screening.
The Accounts Receivable Conversion (ARC) transaction, where the consumer tenders a paper check that is imaged and converted at a lockbox site, typically has the lowest associated risk of all the eCheck transactions due to the recurring nature of the transaction. ARC is the fastest growing ACH transaction and accounted for nearly 50% of all eCheck transactions in 2004. Nevertheless, ARC is not without its own unique set of challenges and risks.
Consumer authorization of the ARC transaction is more passive than in other eCheck applications. The biller discloses intent to convert the check on the periodic statement, and the tendering of the check by the consumer constitutes authorization. A valid authorization is required for each check conversion. If the consumer submits multiple payments during the billing cycle, is there valid authorization to convert each one? If multiple roommates submit checks to settle one bill, is there valid authorization from each consumer? The Federal Reserve Board is expected later this year to publish changes to its staff commentary on Regulation E to clarify some of these questions.
For the ODFI that warrants the ARC transaction, it is often difficult to ensure that proper authorization has occurred. Since most ODFIs reserve the right in their customer agreements to pass losses for unauthorized transactions onto the merchant or biller that originated the transaction, it is imperative that the originator has clear authorization from the consumer to protect itself. Additionally, the ODFI must put procedures in place to monitor business practices so that it can confidently represent that an ARC originator has followed the rules in terms of proper and secure imaging, archiving and destruction of the source document.
The final party to the eCheck transaction is the paying bank, or RDFI. The RDFI plays a relatively passive role in receiving and posting the ACH transaction to the checking account and enjoys some benefits from the shift in ultimate liability for unauthorized transactions to the ODFI in contrast to the paper check world. However, it also bears the burden of some significant risks that it does not fully control. In the event that the consumer’s account is compromised, it is the RDFI’s reputation that is at stake for permitting unauthorized access, and its relationship with the customer that is most at risk.
Integration of fraud detection and problem resolution tools across check and ACH systems is a key to mitigating RDFI risk and improving customer satisfaction when an issue arises. Educating customers about the importance of monitoring their own account activity and the training of service staff to help customers distinguish authorized from unauthorized ACH transactions, which are often challenging to recognize by statement descriptors, are also critical components to a comprehensive risk mitigation strategy. Implementing ACH positive pay and automated debit reviews can provide RDFIs with additional tools for the arsenal, particularly on corporate accounts.
The management of fraud risk by financial institutions and the merchant community requires blending various prevention measures such as operating rules, technology and sound business practices and procedures. Balancing effective risk management with exceptional customer service in an eCheck environment can be a daunting task. Nevertheless, taking steps to effectively strike the appropriate balance can have significant payback in terms of product differentiation, market expansion, profitability growth, customer satisfaction and retention.
