| Booklet:
Retail
Payment Systems Section: Payment Instruments, Clearing, and Settlement Subsection: Check-Based Payments |
|||||||||||||||||||||||||||
Checks are the traditional method that consumers can use to access their accounts. A check contains the names of the payer and the payee, the payer’s account number, amount of the check, and the name and routing number of the paying financial institution. The magnetic ink character recognition (MICR) line at the bottom of the check enables high-speed reader/sorter equipment to process checks. Before financial institutions process checks, they encode the amount of the check in magnetic ink at the bottom of the check. Check formats are governed by standards developed by the Accredited Standards Committee (ASC) on Financial Services, X9B Committee, which works under procedures sanctioned by the American National Standards Institute (ANSI).
Check processing has undergone a transformation during the past five years; a trend that is expected to continue for the next several years. Until recently, consumers in the United States used checks more often than any other retail payment instrument other than cash. However, in an increasing number of payment situations, checks are no longer the most convenient payment instruments for consumers, or the most cost-effective payment method for financial institutions and merchants. Checks comprise a decreasing percentage of the total noncash payment volume in the United States. Many consumers use checks merely for person-to-person transactions that are not conducive to electronic payments, and have shifted to electronic payments for POS transactions and bill payment. In addition, a significant volume of checks are converted to ACH debits at POS and at lock-box operations.
Legal developments have affected the processing of checks as well. Check 21, which became effective on October 28, 2004, has succeeded in reducing check processing times as well as the float period previously associated with physical processing. By authorizing the use of a new negotiable instrument called a substitute check, Check 21 facilitates the broader use of electronic check processing.
A properly-prepared substitute check is the legal equivalent of the original check and includes all the information contained on the original check. The law does not require financial institutions to accept checks in electronic form, nor does it require financial institutions to use the new authority granted by the act to create substitute checks. The law permits financial institutions to truncate
original checks, process the check information electronically, and deliver substitute checks to financial institutions that wish to receive paper checks in lieu of electronic alternatives.
For many financial institutions, implementing a Check 21 strategy involves a significant investment in new hardware and software as well as the reengineering of check processing routines. Consequently, financial institutions should deploy Check 21 with appropriate risk management, including strategic planning, project management, and vendor management. Check 21 requires the bank
that creates a substitute check, the reconverting bank, to warrant that there will not be duplicate presentments of the check (or copy or representation thereof) and that the substitute check is an accurate representation of the original check as of the time the original check was truncated. Such substitute checks must meet specific requirements to be treated as a legal equivalent, and the bank that creates a substitute check must indemnify other parties for losses that result from their receipt of a substitute check instead of the original check.
Financial institutions implementing a Check 21 strategy must consider new processes for imaging checks, transferring files of imaged checks, and archiving and retrieving imaged checks. For example, a number of financial institutions are implementing remote check capture systems in their branches and processing centers as a means of significantly reducing check transit costs. Some financial institutions are providing selected customers with remote check capture devices. Examiners are encouraged to review the FFIEC’s guidance for Check 21
and Risk Management of Remote Deposit Capture.
Another important catalyst for the changes taking place in payment systems is electronic check conversion, a process in which information from a check is used to create an ACH debit. The conversion may occur at a retailer’s POS, or at lock-box processing centers to which a consumer mails checks. Electronic check conversion is similar to, but separate from, the check substitution process authorized by Check 21. Instead of using the image of a paper check, as in the Check 21 process, the recipient uses the account and financial institution information contained on the consumer’s check to create a new electronic payment through either the ACH or debit card networks.
ACH electronic fund transfers between financial institutions are not considered check transactions; thus, they are not subject to laws governing check processing. Rather, they are governed by the rules of the ACH that processes the electronic fund transfer. ACH transactions to or from consumer accounts also are subject to the provisions of the Federal Reserve Board’s Regulation E, Electronic Fund Transfers.
Evolution of Electronic Check Collection
Two general models of electronic check collection are emerging as a result of the passage of Check 21. Each model has its advantages and disadvantages. In one model, check images including the MICR payment information are transmitted to the paying financial institution. These institutions do not have to rely on multiple image archive providers (with whom they may have no direct contractual relationship) to obtain check images for customer online banking services and back-room operations.
In a second model, only the MICR information is transmitted to the paying financial institution while the check images are stored in remote archives that can be accessed on demand. The MICR information on a check could be transmitted through a dedicated network or possibly the ACH network. A small number of centralized check-image archives could be more cost-effective and might not increase risk appreciably or degrade customer service.
As electronic check collection methods evolve, efficiencies may develop to make one method superior to the other. Notwithstanding, electronic check collection methods will continue to pose certain risks. Frequently-used services that utilize both image and ACH technologies are remotely created checks (RCCs), electronically created payment orders, and remote deposit capture (RDC). Each of these is discussed in the sections that follow.
REMOTELY CREATED CHECKS
A closely related transaction to electronic check conversion, in that there is an authorization to debit an account, is the RCC.
An RCC does not bear the signature of a person on whose account the check is drawn. In place of the signature, the RCC bears the account holder’s printed or typed name or a statement that the account holder authorized the check.
The account holder can authorize the creation of an RCC by telephone by providing the appropriate information, including the MICR data. Common examples of RCCs are those created by a credit card company, utility company, or telemarketer. RCCs may be processed through the check clearing networks or converted and processed as an ACH debit.
The risk of fraud associated with RCCs is similar to the risk associated with other kinds of debits that post to bank accounts. A fraudster might obtain an account holder’s account number by copying that information from one of the account holder’s authorized checks, or by tricking the account holder into providing the information over the telephone or the Internet. Once a fraudster obtains the account information, he or she has the data necessary to originate unauthorized RCC transactions through the check collection system or the ACH network. As with all payment systems and mechanisms, a financial institution must also assume responsibility for an effective system of internal controls and ongoing account monitoring related to RCCs.
For RCCs, the check and ACH rules differ as to how an accountholder receives a re credit for an unauthorized transaction and how the loss is allocated among the participating financial institutions. ACH debits to consumer accounts are governed by applicable ACH rules and by the Electronic Fund Transfer Act and Regulation E. Unauthorized checks posted to consumer accounts are governed by check law, which includes the Uniform Commercial Code (UCC), as enacted in the applicable state, as well as the Expedited Funds Availability Act, as implemented by the Federal Reserve Board’s Regulation CC. In instances when checks are converted to ACH entries, applicable ACH rules apply.
If an unauthorized ACH debit is posted to a consumer’s account, Regulation E gives the consumer 60 days after an institution transmits to the consumer a periodic account statement to report that the ACH debit was unauthorized. Regulation E imposes obligations on the consumer’s financial institution with respect to error resolution procedures and refunds of unauthorized payments. When a consumer receives a refund for an unauthorized ACH debit, ACH rules permit the consumer’s financial institution to recover the amount of the unauthorized payment by returning the debit item to the originating financial institution within the time permitted.
In the case of checks, a financial institution may not charge a customer’s account for a check that is not properly payable from that account. The customer has a right to a re-credit for an unauthorized check so long as the customer makes the claim within the time frame permitted by the UCC and the account agreement. Unlike Regulation E, the UCC does not contain specific re-credit procedures that a financial institution must follow. With respect to the allocation of losses for unauthorized checks between financial institutions, the risk of loss falls generally on the paying financial institution, which historically has been in the best position to determine the validity of the drawer’s signature. Under the UCC, a paying financial institution becomes accountable for a check unless it returns the check by its midnight deadline.
With the exception of an RCC, if a paying financial institution re-credits a customer’s account for an unauthorized check, generally it cannot make a claim against a previous financial institution for an unauthorized drawer’s signature after the midnight deadline has passed.
In response to the perceived risk of fraud, legal initiatives have shifted the risk related to unauthorized RCCs from the paying financial institution to the bank of first deposit. This shift is based on the theory that, for unauthorized RCCs, the bank of first deposit is in the best position to know its customer (the creator of the RCC) and to determine the legitimacy of its customer’s deposits. A UCC revision that reallocates this risk for RCCs has not yet been widely adopted by the states. Among the states that have enacted amendments to the UCC, the definitions and warranties are not uniform in their scope or requirements. Under the pre-existing provisions of the UCC, the paying financial institution, not its customer, is responsible for unauthorized checks. Providing the paying financial institution with the ability to recover against the financial institution that presented the unauthorized RCC can make it easier for customers to obtain re-credits.
The Federal Reserve Board amended Regulation CC effective July 1, 2006, to reallocate the risk of loss resulting from unauthorized RCCs. Under the amendments, any financial institution that transfers or presents an RCC warrants that the person on whose account the check is drawn authorized the issuance of the check in the amount and to the payee stated on the RCC. The warranty applies only to financial institutions and does not directly create any new rights for checking account customers. Also, any financial institution that received an RCC from another financial institution has up to a year to make a claim against the transferring financial institution for an unauthorized RCC. Similarly, the Board amended Collection of Checks and Other Items by Federal Reserve Banks and Funds Transfers Through Fedwire (Regulation J) in 2006 to clarify that the new warranties apply to RCCs collected through the Reserve Banks. In conjunction with Regulation CC, Regulation J shifted the liability for losses attributable to unauthorized RCCs to the depository financial institution where the check is first cashed or deposited.
Because RCCs are cleared in the same manner as traditional checks, and because nothing unique identifies a check as an RCC unless the signature block on the check is examined, there is currently no efficient way of measuring the volume or use of RCCs.
ELECTRONICALLY CREATED PAYMENT ORDERS
An electronically created payment is a new retail payment practice in which a merchant takes payment instructions for goods and services and places them in an electronic template that creates an electronic file for processing through the check clearing networks. Unlike traditional checks or RCCs, electronically created payment orders do not begin with a paper item. However, they are similar to RCCs in that they are typically initiated with Internet or telephone instructions from the consumer and bear no direct evidence of the customer’s authorization. Because these transactions are not originally captured from paper check items, the laws and regulations pertaining to check collection do not apply.
Ordinarily, electronic debits that a consumer uses to acquire goods or services are cleared through the ACH network, which includes a transaction code that clearly indicates the nature and source of the transaction. When a financial institution permits the creation of electronic payment orders, substantial risk-management oversight for unauthorized returns and other unlawful activity is lost because the check-clearing networks do not provide the level of technological and organizational controls of those in the ACH network. This lack of systemized monitoring of the electronically created payment orders increases the susceptibility to fraud by Web-based vendors and telemarketers.
The Federal Reserve Banks handle electronic check images only if they were created from an original paper check. On June 15, 2008, the Federal Reserve Banks revised Federal Reserve Bank Operating Circular 3 (Circular 3)
to clarify that a depository institution that sends an electronic check file to the Reserve Banks is liable for the legitimacy of the items in that file. Reserve Banks only accept applicable liability and offer certain warranties for Check 21 transactions that begin with an original paper check item. Because electronically created payment orders generally are indistinguishable from electronic images of paper checks, collecting banks, such as the Reserve Banks, may not be able to avoid accepting the electronically created payment orders. However, pursuant to the revised Circular 3, the bank that sends the item to the Reserve Bank ultimately assumes liabilities and provides warranties for its legitimacy.
REMOTE DEPOSIT CAPTURE
Remote Deposit Capture (RDC), the digital processing of paper checks and monetary instruments at remote locations for deposit and clearing through the check (image) or ACH networks, has expanded rapidly in recent years and is being used at financial institutions and at customer locations.
Although remote deposit-taking is not a new activity, RDC should be viewed as a new delivery system and not simply as a new service. Prior to implementing RDC, senior management should identify and assess the legal, compliance, reputation, and operational risks associated with the new system. They should ensure that RDC is compatible with the institution’s business strategies and should understand the return on investment and management’s ability to manage the risks inherent in RDC. Management should incorporate their assessments of RDC systems, including products and services, into existing risk assessment processes.
With RDC, the depositary and collecting financial institutions may choose either to send or accept a substitute check or to engage in electronic check presentment (ECP) where data and images captured from the original checks are used to complete payment transactions. RDC includes deposit capture at the financial institution’s teller line and backroom processing, at ATMs, and at customer locations. RDC at customer locations allows the customer to make deposits by scanning items on its own premises and sending either the image of the deposit item for processing through the check clearing networks or merely the deposit data for processing and clearing through the ACH network. RDC also may include the electronic capture of deposit information comprised of cash or other items such as electronic deposits made through a remote safekeeping arrangement at the customer location or through another intermediary.
Financial institutions have a greater degree of control over RDC activities deployed at wholly owned or controlled locations. Based on the RDC configuration used and on the customer’s operations, RDC at a customer location increases the financial institution’s legal, compliance, and operational risks to varying degrees. Legal and compliance risks could be significant depending on the effectiveness of controls and legal agreements that are in place. The use of RDC by international correspondents’ customers is increasing. RDC is effectively replacing correspondent cash letter pouch activity. BSA/AML controls over RDC pouch activity should also cover RDC and should be commensurate with the increased volumes. Operational risks at the customer location include unauthorized access to technology systems and electronic data images, an inability to maintain system compatibility with financial institution systems, ineffective controls over physical deposit handling and storage procedures, inadequate record retention programs, and exposure to money laundering and fraud.
The Management Booklet of the IT Handbook and the FFIEC Bank Secrecy Act/Anti-Money Laundering (BSA/AML) Examination Manual
provide additional descriptions of risk management processes.