Criminals use remote deposit capture (RDC) technology to electronically submit checks, money orders, or other negotiable instruments from remote locations without physically presenting them at a branch. This capability gained traction after the 2008 financial crisis, when shifting oversight resources facilitated broader adoption. By bypassing in-person deposit requirements, illicit actors can deposit sequentially numbered or physically altered checks into multiple accounts, rapidly cycling funds to evade direct scrutiny. Fraudsters often exploit RDC’s automated workflows by depositing the same or near-identical instruments across accounts within compressed timeframes. In some banks, a limited volume of suspicious activity reporting tied to RDC means irregular deposit patterns may go undetected. Once funds clear, criminals swiftly transfer or withdraw them, further obscuring their source. These repeated, non-face-to-face deposit methods complicate pattern recognition for compliance teams and heighten the risk of counterfeit or stolen instruments entering the financial system undetected.
Remote Deposit Capture
Remote Deposit Capture Exploitation
Tactics
Remote deposit capture primarily facilitates the initial introduction of illicit funds into financial channels by allowing criminals to deposit checks or money orders from remote locations. This bypasses physical branch scrutiny and merges proceeds with legitimate transactions.
Risks
Remote deposit capture exploits a non-face-to-face channel, bypassing in-person oversight and enabling fraudulent or illicit instruments to be deposited from remote locations without branch-level scrutiny. The ability to submit checks, money orders, or bank drafts electronically—often in rapid, repeated sequences—removes critical human verification, making it the primary vulnerability exploited by this technique.
Some financial institutions have insufficient or delayed suspicious activity reporting specific to remote deposit capture. Criminals exploit these internal oversight gaps and automated workflows, repeatedly depositing identical or altered instruments without triggering timely scrutiny, thereby undermining the institution’s ability to detect and prevent ongoing fraud.
Indicators
Frequent deposit of physically altered or suspicious checks via remote deposit capture with mismatched payee or endorsement details.
Rapid withdrawal or onward transfer of remotely deposited funds immediately after clearing, leaving minimal balances in the account.
Repeated remote deposit capture submissions of the same or near-identical checks into multiple accounts within short timeframes.
Sudden or significant shift to exclusively using remote deposit capture for high-value checks, deviating from the customer’s usual deposit methods.
Elevated number of checks deposited via remote capture that are subsequently returned or flagged as invalid compared to in-person deposits.
Use of the same IP address or device to submit remote deposits into multiple accounts under different names without a clear relationship between them.
High volume of remote deposits inconsistent with the customer's stated business or income sources, with no verifiable explanation for the check issuers.
Data Sources
Captures IP addresses, device fingerprints, and session details for online banking, helping identify the repeated use of the same device or IP to deposit checks into multiple accounts under different names. This supports AML investigations of remote deposit capture abuse and potential collusive activity.
Tracks customer usage patterns across financial products, including remote deposit capture, detailing sudden shifts in deposit channel preferences or high-value check deposits. Such data aids AML detection by identifying anomalous RDC usage and deviations from expected customer behavior.
Captures deposit timestamps, transaction amounts, account identifiers, and subsequent fund movements to reveal repeated submissions of the same or near-identical checks and rapid outflow patterns. These logs directly aid in the AML detection of suspicious remote deposits and quick withdrawals.
Stores scanned check images and related metadata, enabling the clear detection of physically altered or suspicious checks, such as mismatched payee or endorsement details, when deposited via remote capture. This directly supports AML investigations by flagging unusually modified instruments before they clear.
Provides aggregated records on known or suspected fraudulent checks, forged or altered instruments, and repeated deposit scams. By cross-referencing newly deposited checks with these fraud databases, institutions can identify potential matches or suspicious patterns associated with remote deposit capture more quickly.
Provides comprehensive customer profiles, including stated income or business models, beneficial ownership details, and typical transaction behaviors. Comparing remote deposit capture volumes and check issuers against these records helps detect unexplained deposit activity and anomalies.
Mitigations
During onboarding, collect and verify information about the customer's need to use RDC, their typical check amounts, and expected counterparties. Corroborate the legitimacy of payees and endorsees, especially where large or frequent checks are deposited remotely, to detect inconsistencies that may indicate fraudulent deposit practices.
Implement specific detection rules to flag repeat or near-identical remote check deposits across different customer accounts or devices within short timeframes. Monitor subsequent rapid transfers or withdrawals that may indicate layering. Investigate mismatches in payee or endorsement details, and escalate for further review when patterns deviate from expected customer behavior.
Require multi-factor authentication for accessing RDC tools and track user credentials, device fingerprints, and IP addresses for each deposit. Alert compliance teams when the same device logs deposits into multiple unrelated accounts or when deposit activity originates from high-risk or previously unknown locations.
Provide specialized training for frontline and back-office teams on unique RDC red flags, including physically altered checks, deposit patterns that cycle through various accounts, and mismatched payee endorsements. Instruct staff to promptly escalate recurring or unexplained anomalies for compliance review.
Retain clear, high-resolution images of deposited items along with precise timestamps, device IDs, and user session logs. Preserve detailed audit trails to trace repeated deposit attempts of the same instrument or significant anomalies in check endorsement and payee information. These records support timely investigation and forensic analysis.
Require prompt SAR filing when discovering repeated or near-identical check submissions across multiple accounts, physically altered checks, or mismatches in endorsements via RDC. Provide detailed deposit timelines, account connections, and check images to authorities for a thorough investigation.
Impose daily or per-transaction limits on remote deposit capture for new or higher-risk accounts. Enforce extended hold periods on deposited checks flagged for potential anomalies, such as sequentially numbered checks or mismatched endorsements, to allow for a more thorough review before funds are made available.
Continuously review RDC deposit behavior against the customer’s stated usage and risk profile. Investigate unexpected spikes in remote deposit volumes, higher-than-usual returned checks, or shifts to exclusively using RDC for high-value items. Escalate to enhanced monitoring where repeated anomalies surface.
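The duplicate-deposit and shared-device rules described in the mitigations above, written out as an added example that is not part of the original page. The record fields, the 24-hour window and the per-device account threshold are assumptions, and the deposit rows are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample RDC deposit log (all values invented for illustration).
# Columns: timestamp, depositing account, device id, payer routing no.,
# payer account, check number, amount in cents.
DEPOSITS = [
    ("2024-03-01T09:00", "ACCT-A", "dev-1", "000000001", "9001", 1041, 95000),
    ("2024-03-01T09:20", "ACCT-B", "dev-1", "000000001", "9001", 1041, 95000),
    ("2024-03-01T10:05", "ACCT-C", "dev-1", "000000001", "9001", 1042, 95000),
    ("2024-03-02T14:00", "ACCT-D", "dev-2", "000000002", "7777", 200, 12050),
    ("2024-03-09T14:00", "ACCT-E", "dev-3", "000000002", "7777", 200, 12050),
]
FIELDS = ("ts", "account", "device", "routing", "payer", "check_no", "cents")
WINDOW = timedelta(hours=24)  # assumed meaning of "short timeframe"
DEVICE_ACCOUNT_LIMIT = 2      # assumed: alert above this many accounts per device


def parse(rows):
    """Turn raw rows into dicts with real datetimes, ordered by time."""
    deposits = [dict(zip(FIELDS, row)) for row in rows]
    for d in deposits:
        d["ts"] = datetime.fromisoformat(d["ts"])
    return sorted(deposits, key=lambda d: d["ts"])


def near_duplicate_alerts(deposits, window=WINDOW):
    """Same payer and amount, identical or sequential check number,
    deposited into different accounts within the window."""
    by_instrument = defaultdict(list)
    for d in deposits:
        by_instrument[(d["routing"], d["payer"], d["cents"])].append(d)
    alerts = []
    for group in by_instrument.values():
        for i, a in enumerate(group):
            for b in group[i + 1:]:
                if b["ts"] - a["ts"] > window:
                    break  # group is time-ordered, later items are further away
                if (a["account"] != b["account"]
                        and abs(a["check_no"] - b["check_no"]) <= 1):
                    alerts.append((a["account"], b["account"],
                                   a["check_no"], b["check_no"]))
    return alerts


def shared_device_alerts(deposits, limit=DEVICE_ACCOUNT_LIMIT):
    """Devices that submitted deposits into more than `limit` accounts."""
    accounts = defaultdict(set)
    for d in deposits:
        accounts[d["device"]].add(d["account"])
    return {dev: sorted(a) for dev, a in accounts.items() if len(a) > limit}
```

Alerts from either rule are leads for review, and the second pair of sample rows (same check, one week apart) shows what the window deliberately leaves to slower, profile-based monitoring.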
Instruments
- Criminals leverage remote deposit capture to submit physically altered or stolen checks from locations away from a branch, sidestepping face-to-face scrutiny.
- They often deposit near-identical checks sequentially into multiple accounts, quickly moving funds before financial institutions detect discrepancies.
- The automated, non-face-to-face nature of remote deposit simplifies introducing counterfeit or duplicated checks into the system.
- Criminals exploit bank drafts through remote deposit capture by scanning official-looking drafts, which may be forged or altered, to bypass in-person verification.
- The perceived legitimacy of a bank draft can reduce scrutiny, enabling swift deposits and subsequent fund transfers to obscure the transaction trail.
- Remote submission workflows allow repeated deposits of nearly identical drafts before detection occurs.
- Similar to checks, money orders can be scanned or photographed for remote deposit, allowing repeated submission across several accounts.
- Criminals may alter payee information or forge endorsements to conceal the true owners and sources of funds.
- Once cleared, the illicit proceeds are withdrawn or transferred, making the transactions harder for financial institutions to trace.
Service & Products
- Enables the electronic submission of checks and other negotiable instruments without in-person verification, allowing criminals to deposit physically altered or sequentially numbered checks from remote locations.
- Automated workflows can be exploited to deposit the same or near-identical instruments across multiple accounts in short intervals, minimizing immediate detection.
- Once cleared, illicit funds are swiftly transferred or withdrawn, further obscuring their origin and challenging AML monitoring.
Actors
Illicit operators take advantage of remote deposit capture by:
- Depositing physically altered or stolen checks from remote locations, evading face-to-face scrutiny.
- Submitting the same or near-identical checks into multiple accounts in rapid succession.
This enables them to introduce illicit funds, then quickly withdraw or transfer proceeds once cleared, creating additional hurdles for financial institutions attempting to detect fraudulent or high-risk deposits.
Document forgers support remote deposit capture abuse by:
- Producing altered or counterfeit checks with manipulated payee or endorsement details.
- Facilitating the creation of fraudulent instruments for repeated or high-volume remote deposits.
By enabling the submission of fake checks, they amplify the risk that financial institutions may unwittingly process invalid deposits, incurring potential losses and impeding transaction monitoring.
Financial institutions offering remote deposit capture can be unknowingly exploited when:
- Automated workflows allow remote submission of high volumes of suspicious checks without in-person verification.
- Limited monitoring or delayed suspicious activity reporting overlooks sequential or duplicate deposits.
Once fraudulent deposits clear, subsequent rapid transfers increase challenges in tracing and preventing further illicit transactions.