Fighting Corporate Check Fraud

Can Positive Pay Stem the Rising Tide?


Desktop publishing may have made producing company newsletters quick and easy, but the same inexpensive technology has also given rise to low-cost, high-caliber check fraud. These days, anyone with access to a personal computer, a scanner and off-the-shelf software can create doctored checks that even a seasoned CFO would have trouble spotting.

Industry estimates of total check fraud losses (including those absorbed by banks, businesses and individuals) range from $10 billion to as high as $50 billion annually. The problem has been further compounded by increased competitive and regulatory pressure on banks to accelerate the availability of funds (causing banks to make funds available before checks have actually cleared). Experts estimate that the banking industry faces more than 1.2 million worthless checks in the banking system each day.

What's Being Done About It?

Unfortunately, check fraud is a relatively low-risk crime that goes unreported or unprosecuted much of the time. Because of demands on law enforcement, prosecutors fail to pursue 75% of bank check fraud cases. And according to the U.S. General Accounting Office, in major cities where there is greater emphasis on using resources to prosecute violent crime, the number often exceeds 90%.

Driven by growing bad debt check fraud write-offs, banks and large businesses are protecting themselves and are promoting a technique called positive pay as a method of fighting check fraud artists. Generally speaking, positive pay works like this:

  1. Using accounting and database software, a company regularly sends its bank a positive pay file that lists all the checks written against that company's account(s). That file includes a record of each check's issue date, amount, check number/account and payee name.
  2. When a check reaches the bank for payment, the bank compares the check against the positive pay file. Any discrepancies in a check's information trigger a flag that the check in question may have been altered.
  3. The bank notifies its corporate customer that the discrepancy has been noted and asks the company to verify the authenticity of that check.

The Positive Pay/Check Clearing Process

The issuing company (maker) sends checks to its suppliers and transmits an electronic positive pay file to its bank (paying bank). The positive pay file sent to the paying bank must include records of all checks written & must be regularly transmitted to effectively detect potential fraud. Since checks are paper-based documents, they are inherently subject to theft, forgery and alteration, from both internal and external sources. The recipients of the checks deposit those checks with their respective banks (depository bank), which then submit them for payment to the paying bank. If the paying bank finds that a check does not match the electronic file previously received from the issuing company, the paying bank notifies the company of the discrepancy. According to FBI statistics, most check fraud occurs externally. The potential for the largest dollar losses comes from forged (never issued) checks that are presented for deposit. The issuing company (maker) reviews the check and either OKs it for payment or notifies the paying bank not to pay the check.If upon review the check is not authorized for payment, the paying bank returns the check to the depository bank and the altered check is either not paid or is now the responsibility of the depository bank. By adopting a positive pay strategy, companies can substantially limit their exposure and potential liability for fraudulent checks.

A Caveat to Corporate CFO's: Your Liability Due to Check Fraud May Be Greater Than You Think

When you weren't looking..

In 1990, revisions in the Uniform Commercial Code (UCC) introduced the concepts of comparative negligence and relative standards of care related to whether a bank or its customers would be liable for check fraud losses. All but two states ratified the revisions by 1993, the goal of which was to make banks and disbursing corporations allies in the war against check fraud. But the actual consequence of the 1990 changes has been to make banks and corporate treasurers adversaries in finger-pointing battles (and sometimes court cases) over whom is to blame when check fraud occurs.

Between a bank and its corporate customer, liability for losses resulting from a counterfeit or forged check is governed by Articles 3 and 4 of the UCC. When a paying bank pays a counterfeit or forged check, ordinarily it will bear the loss resulting from the payment. However, the UCC revisions have incorporated subtle (but important) changes in language and in definitions that can act to shift liability for check fraud back to the companies that initially wrote the check in question.

The rules of the game have changed

According to UCC Section 3-103 (7), "ordinary care" now requires corporate customers to follow "reasonable commercial standards" prevailing in their area for their industry or business. Under 3-406, if they fail to exercise "ordinary care", companies may be restricted from seeking restitution from their bank if their own failures contributed to a forged check or alteration. Additionally, Section 4-406 requires that customers exercise timeliness in reconciling bank statements and promptly notifying the bank if payment has been made on a counterfeit or forged check.

Unfortunately for many corporate customers, the banks' duty to provide "ordinary care" no longer necessarily extends to inspecting signatures. According to industry sources, over 64 billion checks are cleared in the U.S. each year, a task that is performed by high-speed reader-sorters that process up to 2,400 items per minute. With the number of checks being processed, "sight examination" is many times impractical and is not an automatic reason for a claim of bank negligence if a bogus check slips through the system.

To encourage corporate customers to utilize special check security measures such as positive pay, banks have begun to insert statements into their deposit agreements that absolve them from liability when those measures are offered to their customers, but are not utilized. Under such an agreement, a bank would be protected in paying a check that had been verified using positive pay and would be justified in refusing to pay checks that do not pass the security screens. Although the UCC prohibits a bank from disclaiming its responsibility (or limiting its damages) for lack of good faith or for failing to exercise ordinary care, the UCC rules don't prevent parties from agreeing to shift more liability from the bank to the account holder.

Positive Pay - A "Real Solution" or Just Another "Interesting Idea?"

"Sure, it sounds great but..."

To date, positive pay has been primarily adopted by large companies left vulnerable to check fraud by virtue of their high-volume check-writing needs. Each of these companies has spent literally tens of thousands of dollars to integrate their accounting systems with their banks' individual positive pay applications. The complexity of positive pay implementation has been further compounded by a lack of industry standardization and has resulted in a plethora of file transmission requirements based upon individual bank specifications.

Due to the high implementation costs, only a small percentage of small and mid-size businesses (90% of corporate America) has been able to adopt a positive pay strategy. Despite aggressive efforts by many banks to enroll their corporate accounts in positive pay programs, most companies have a difficult time converting check data into the format required by their bank. They lack the necessary financial and/or technical resources and must rely on expensive outside sources for custom programming to perform this daunting task.

"It's certainly not as easy as it might first appear..."

Alternatively, some companies have attempted manual entry of data into the bank-required format every time checks are issued. Overwhelmingly, these organizations have found such procedures to be extremely labor-intensive, prone to data entry errors and therefore generally unworkable. Banks themselves have been unable to develop a comprehensive integration solution to assist their customers primarily because of the tremendous variety of accounting programs being used by their customer bases.

Companies manage their financial information using one or more of the hundreds of accounting software programs available on the market today. These programs are designed for a vast array of business types operating across a myriad of industries, each one driven by its own complexity or industry-specific financial reporting requirements. It also should come as no surprise to learn that because of their proprietary nature, these programs all use different check form layouts, data field sizes, characteristics and printer control commands to print checks.

With all the aforementioned conflicting elements taken into account, the unfortunate reality is that organizations do not make positive pay implementation projects a priority until they are directly affected by check fraud (ie: after it's too late). In all practicality, until these companies are offered a solution that can easily and seamlessly mesh with their accounting systems, they will be unable and/or unwilling to partner with their banks to make positive pay part of their standard account reconciliation procedures.

The net result of this integration nightmare has been frustrating delays with a widespread industry acceptance of positive pay as a means of preventing check fraud. As such, positive pay has been only marginally effective in meeting the industry need.

A Low Cost, Easy-to-Use Positive Pay Solution: Just Wishful Thinking?

Taking into account the system integration issues in combination with the end-users demands for ease of use, a positive pay solution would have to exhibit the following functionality to be considered a "real" and viable solution:

  1. It must be able to locate and identify various key data fields within each accounting program's check form layout.
  2. It must automatically capture that data as the checks are printed.
  3. It must be capable of automatically configuring that data in a format that can be accepted by any number of banks with varying file transmission specifications.
  4. Finally, to be truly seamless, it must be able to automatically dial up the bank, log onto the bank's computers with appropriate passwords and send records of the issued checks without user intervention at least once each day.

From the foregoing analysis, the entire positive pay issue would seem nearly impossible to address with any kind of a universal solution that could enable widespread usage. But as with many problems in today's modern world, innovative technology is supplying an answer.

Never Say "Never" -- Finally, a Positive Pay Solution for the Masses

After nearly two years in development, AP Technology, Inc. of Carlsbad, California has introduced what has become the de facto standard for positive pay check fraud protection. Dubbed "SecurePay," this unique positive pay software combines the elements of ease of implementation, security and automation to create the industry's first and only universal positive pay solution.

SecurePay is a Windows-based software program with the ability to interact with a multitude of platforms including Windows, Unix, AS/400 and others. The program includes a straightforward setup utility that allows users to quickly and easily enter bank account information into the program. Also included is a library of popular bank positive pay formats that eliminates the need for individual bank file configuration.

As its name implies, a primary feature of SecurePay is "security." The system is a true client application that is password-protected and that can be accessed only by authorized users. Data produced by the host accounting system is automatically encrypted at the precise moment of capture and is not deciphered until it is ready to be transmitted to the bank.

Users outside of a Windows environment use a proprietary import utility that automatically converts and encrypts check records as positive pay records are being created. When the user is ready to transmit the positive pay records to the bank, he/she simply chooses the list of checks to be processed, reviews those checks (if desired) and begins the transmission. Users may also choose to purchase the optional SecurePay Scheduler feature that is used to automatically transmit positive pay records at user-defined times during the day or week without the need for supervisor intervention.

If the initial market reaction is any indication, SecurePay is exactly what the banking industry has been looking for.

Back to the top of the page