One day a man walked into a bank and tried to cash a bogus check for $300,000, but this fraudster just didn't have his act together. Checks of this size are seldom cashed, but are normally deposited into a bank account and then the cash is withdrawn. And banks and businesses must prepare a Cash Transaction Report for every currency transaction of $10,000 or more plus normally contact the issuing organization to verify that the negotiable instrument is valid. The fraud perpetrator had to wait in the customer service area for the transaction to be completed. The bank contacted the check's organization, quickly realized it had a check fraud case, and immediately contacted a local law enforcement agency. The fraudster got nervous and bolted from the bank without the money from the check. When the police arrived they had no one to arrest.
The police's investigation included a copy of the bogus check with the perpetrator's name as the payee, a driver's license and credit card in the name of the perpetrator, and the bank surveillance videotape for the day. They quickly determined that the driver's license and credit card were fictitious, that the perpetrator's picture and fingerprints weren't in any law enforcement computer database, and that this was one of several bogus checks this person was circulating in the area. As with many other bogus check cases, the police knew the perpetrator - they had his picture, fingerprints, and identity card information, but they didn't know who he really was. Everything was false and there were no further leads. To my knowledge, this case remains unsolved - a common fate for check fraud investigations.
CHECK FRAUD RISK
I discussed check fraud risk in a column I wrote for the Sept./Oct. 2002 issue of The White Paper (now Fraud Magazine) entitled "Cut off Check Fraud at the Knees." At that time, experts estimated that check fraud was growing at the rate of about $1 billion per year. To my knowledge, this crime is living up to or exceeding its expectations. Using that column as a base line, check fraud could now easily exceed $20 billion per year. This statistic is alarming, and certainly makes check fraud a candidate for one of the fastest-growing financial crimes in the United States today even with the growth of electronic banking and bill paying.
It's a rather simple and unsophisticated process for an outsider to produce bogus checks. Anyone with a few thousand dollars can produce high-quality fake documents with a computer and peripheral equipment. Fraudsters recover this initial investment quickly. They only need your organization's routing and bank account numbers, and this information is printed on every issued check. Their target is the banking industry, but they might also affect your organization.
To understand this fraud we need to study how fraudsters can obtain an organization's bank information. Every check that an organization issues - general disbursement checks issued to vendors, refund checks issued to customers, and payroll checks issued to employees - provides all the information unscrupulous individuals need to prepare bogus checks. Fraudsters can find discarded checks or bank deposit forms in dumpsters or garbage bins. And some crooks even pay people to allow them to optically scan their checks with hand-held devices at or near check-cashing facilities. Opportunities abound.
Check fraud will occur in your organization - it's not a matter of if but when. So make sure your organization not only has excellent internal controls but a companion program to monitor those controls to deter and detect fraud. If those actions don't stop fraud, hopefully, they will identify fraud in its infancy when losses are relatively small - your overall objective.
Uniform Commercial Code Section 3-103(7) requires each organization to follow reasonable prevailing commercial standards in a given area of the United States and the standards of care practiced in the organization's industry or business.
Make sure your organization properly designs and prints its check stock to meet industry and banking standards and incorporates sufficient security features to deter counterfeiting depending on your organization's size and budget. Check security isn't one size fits all.
Uniform Commercial Code Sections 3-406(b) and 4-406(3) also discuss the concept of "comparative negligence." When both an organization and its bank fail to exercise ordinary care, any resulting losses are allocated on a percentage basis to each party based upon the extent their failure contributed to a loss. If the organization fails to exercise ordinary care, it might be prohibited from making a claim against the bank for the loss.
Many financial managers have grown accustomed to focusing on the threat from insiders when they establish internal controls for protecting the organization's assets. (We'll discuss this more in future columns.) But many managers might not have switched gears fast enough to deal with the threat of check fraud from outsiders. More organizations have experienced check fraud as a result of changes that have been made in the Uniform Commercial Code over the past decade. What can be done?
LET'S BEGIN WHERE WE ENDED
We began our discussion of cash disbursement fraud concepts in the May/June 2008 column by covering an organization's authorization and approval process. I call this the "front door." It's the first line of defense against fraud in the cash disbursement system but also grants direct access to an organization's treasury. In the last column, I wrote that accounts payable clerks, an auditing officer, and the governing body all perform various gatekeeper duties to ensure an organization's funds are used only for authorized purposes.
However, I also believe the bank reconciliation process and a review of redeemed checks are equally important internal controls. They are the "back-door" procedures - the last line of defense against fraud in the cash disbursement system.
These front-door and back-door controls must complement each other to effectively deter and detect fraud instigated by outsiders and insiders. Both are needed because a cash disbursement fraud often occurs after the authorization and approval process. Employees simply alter the checks before they distribute them to vendors or deposit them into their personal bank accounts. These falsifications only can be detected through additional controls after a bank has returned checks to an organization for further processing and filing. If an organization has only limited resources and has to make difficult choices about which controls to implement, it might rely less on the front-door controls and emphasize the back-door controls to help ensure that it pays only legitimate transactions through the organization's cash disbursement system.
BANK ACCOUNT RECONCILIATION PROCEDURES
Of course, fraud can occur in any checking account regardless of its size or purpose. Checking accounts are primarily used for an organization's general disbursements, but they also can be used for petty cash funds, advance travel funds, trust funds, purchasing funds, and other uses. Many managers neglect bank reconciliation because they believe it's dull, mundane, and boring. This tragic mistake places the organization's treasury funds at risk.
An independent party (someone other than the bank account custodian or person responsible for financial transactions in the account) should ensure the cash balances of the bank's financial activity agree with the organization's accounting records. Reconciling items primarily include deposits in transit (for example, deposits made by an organization that haven't yet been posted on the bank's records) and outstanding checks (such as checks issued by the organization that haven't yet cleared the bank) as of the bank statement cut-off date.
In the past, the person reconciling bank statements usually compared the check numbers and amounts for all redeemed checks shown on the statements with the organization's check register. Except for the dates the redeemed checks cleared the bank, these were the only two elements about the checks that were shown on the bank statement and in the organization's accounting records. But effective bank reconciliations must now include a third element - the payee on the check. While this data element isn't currently shown on bank statements, banks eventually will offer it, probably for a relatively small charge per item. But it will be worth the extra cost especially for those organizations that don't receive redeemed checks with their bank statements. One of the most critical steps in the bank reconciliation process is to review all redeemed checks for check fraud such as bogus checks an organization didn't issue. An organization should never omit this step.
An organization can perform bank reconciliations in at least three ways:
- Doing all the work itself, either by manually verifying the information or using the bank's on-line system
- Entering into an agreement with the bank to participate in an electronic positive pay system
- Entering into an agreement with the bank to participate in an electronic reverse positive pay system
The first method is the traditional way organizations use to perform bank reconciliations. It's also the most commonly used way for checking accounts in large or even small organizations and the least costly method because the organization performs all the work.
The second way is an automated service provided by banks to promptly detect bogus checks. Here's how it works. The organization first sends an electronic file to the bank containing specific data elements - such as check numbers and amounts - from all the checks it issues each day. The bank then compares the check number and amount of each negotiable instrument it plans to redeem each day to the organization's electronic file of issued checks. All matched checks clear the bank normally. However, a bank notifies an organization about any unmatched checks. If the checks are authentic, an organization notifies its bank to process them. If the checks are invalid, an organization notifies its bank to reject them.
Banks usually allow customers two days to complete the verification process on questioned items. However, this system works best when the organization reacts immediately to ascertain the authenticity of any questioned check. Once the bank receives instructions from an organization, it processes valid checks normally and declines bogus checks by returning them through the banking system to the holder - the individual or organization who will ultimately suffer the loss on the transaction if fraud is involved. This is the most costly bank reconciliation method because the bank performs most of the work.
The third method is another automated service provided by banks to detect bogus checks. This is the way it works. The bank first sends an electronic file to the organization containing specific data elements - such as check numbers and amounts - from all the checks it intends to redeem each day. An organization then compares the number and amount of these checks to its electronic file of issued checks.
After verifying the authenticity of each check, an organization gives its bank instructions on how to process the checks to be redeemed. The bank clears all matched checks normally and rejects any unmatched checks. The bank then returns any bogus checks through the banking system to the holders - the individual or organization that will ultimately suffer the loss on the transaction if fraud is involved. The cost of this bank reconciliation method falls somewhere between the other two methods described here because the organization performs most of the work with assistance from the bank.
LESSONS LEARNED
Let's review some of the finer points of fraud in the bank reconciliation process:
- Check fraud is one of the fastest growing financial crimes in America today, with losses estimated to exceed $20 billion per year. No individual or organization is immune from this menace.
- Check fraud losses now will be shared by organizations and banks based on the concept of comparative negligence. Every organization should ensure its check stock meets industry and banking standards by incorporating a sufficient number of security features in the checks and in the check-printing process to deter fraud.
- An independent party should receive the unopened bank statement directly from the bank and promptly perform the bank reconciliation. This individual should first review the redeemed checks for fraud perpetrated by outsiders. (We'll discuss several case examples of this type of fraud in the next column as we continue this discussion about the threat from outsiders.) Next, this individual should focus on fraud committed by insiders. (We'll discuss that in a number of upcoming columns.)
- The organization can perform a bank reconciliation itself or enter into an agreement with a bank to participate in electronic positive pay or reverse positive pay programs.
- The organization should also implement appropriate storage and issuance controls over blank check stock and facsimile signature plates as well as redeemed checks. Blank checks are basically the same as cash, and the signature plate grants access to the treasury.
OUTSIDERS' THREATS CONTINUE
The next column continues our discussion about the bank reconciliation process and the threat from outsiders. We'll cover some of the most common procedures and controls organizations use to perform bank reconciliations. You probably thought this was going to be an easy subject, but be prepared because there's much more to come.
Regent Emeritus Joseph R. Dervaes, CFE, CIA, ACFE Fellow, is retired after more than 42 years of government service. He remains the vice chair of the ACFE Foundation Board of Directors.
The Association of Certified Fraud Examiners assumes sole copyright of any article published on www.Fraud-Magazine.com or ACFE.com. Permission of the publisher is required before an article can be copied or reproduced.
