At the end of this month, a new law designed to improve the efficiency of the nation's payment system by allowing banks to process checks more quickly will go into effect. And that's likely to set in motion another law--that of unintended consequences--which, in this case, is likely to result in more fraud.The Check Clearing for the 21st Century Act, known simply as Check 21, improves bank efficiency by allowing "substitute checks," including digital images of checks, to be used so that paper checks do not have to be moved from institution to institution. The bank on which the check was drawn then treats the check as a debit instrument, instantly charging the amount against the account. Customers will no longer receive cancelled checks; instead, they'll have to log into their bank accounts to see the image of the cancelled check.

Whatever the benefits of reducing the "float" time between when a check is presented and when the account is debited, creating the digital check images and making them available through the Web sets up a risky scenario that criminals are likely to exploit, says Elazar Katz, director of the Active Risk Monitoring Practice of Unisys Global Financial (Unisys processes half of the world's checks).

He says there have already been cases where criminals have started with a phishing scam--such as a realistic-looking but fake e-mail purporting to be from a bank asking a consumer for password information--then used the password to get the online bank statements and images of checks.

This information is gold for criminals. Monthly statements are valuable to crooks because they provide what Katz calls a "behavioral profile" of the user, including how many checks are written, to whom, and for what amounts. Images are useful because they provide the type of check stock used, a copy of the signature, and recent check numbers. "When you put it all together, a criminal has quite a bit of information to create the perfect counterfeit check," Katz says.

How can banks head off the potential for such scams? One thing banks need to be doing, Katz says, is correlating different kinds of events. For example, if 30 separate IDs are noted as originating from a single computer, it's naturally odd and should trigger a bank to look more deeply at the situation. Banks also need to be aware of inconsistencies of online user behavior. If a customer lives in Florida and his or her IP address is always the same, but that customer suddenly accesses the account from the Ukraine, a flag should go up.

The technology is in place already to do these kinds of correlations, Katz says, but he points out that it still doesn't happen often enough. And even when some type of monitoring is done, it may not be correctly implemented. For example, many fraud-detection systems consist of multiple tests but give out a single score, and that type of output can hide a problem. He says that Unisys contacted the makers of its software tests and said, "We're not interested only in risk scores at the end, we'd like to access the specific tests that underlie these scores" and mine them for more relevant information.

@ Unisys has released a list of top-10 risk mitigation techniques for Check 21 risks. Find them at SM Online.Unisys_Tech1004.pdf​