
9 July 2004

Sir / Madam,

Guideline on Minimum Security Standards for Cheques

To ensure that banks put in place measures that are effective in
combating cheque fraud and that banks continuously educate customers on how to
avoid cheque fraud being perpetrated on their accounts, Bank Negara Malaysia
issued a Draft Guideline on Minimum Security Standards for Cheques in October
2003 and in January this year. Bank Negara Malaysia has made some modifications
to the proposed Guideline in the light of the comments received from the banking
industry.

2. We attach herewith the finalised “Guideline on Minimum Security
Standards for Cheques” issued pursuant to Section 70 of the Payment Systems Act
2003. The Guideline will be effective from 1 October 2004, except for Part III on
Infrastructure Standards which will be effective from 1 January 2005, so as to
provide banks with sufficient time to evaluate and implement the required systems.

3. Any questions concerning this guideline may be directed to Encik
Hisamuddin bin Mohd. Sah, Jabatan Sistem Pembayaran, at 03-26988044 extension
8196 or hisam@bnm.gov.my.

That is all, please be informed.

Yours faithfully,

GUIDELINE ON MINIMUM SECURITY STANDARDS FOR CHEQUES

I. INTRODUCTION

1. Purpose and Scope of Guideline

1.1 The Guideline on Minimum Security Standards for Cheques (the Guideline)
is issued pursuant to section 70 of the Payment Systems Act 2003.

1.2 The Guideline shall apply to all licensed banks under the Banking and
Financial Institutions Act 1989 and all licensed Islamic banks under the
Islamic Banking Act 1983 (hereinafter referred to as “banks”).

1.3 The purpose of the Guideline is to maintain the confidence of the public in
using cheques as a payment instrument and specifically address the need
for banks to undertake measures that are effective in preventing and
detecting cheque frauds. The Guideline specifies the minimum requirements
on banks in relation to their role in paying or collecting cheques drawn by or
paid in by customers, specifically on governance arrangements, security
features on cheques, cheque fraud detection facilities, security
management in cheque printing and consumer protection.

1.4 The Skim Penjelasan Imej Cek Kebangsaan User Manual shall continue to
apply in respect of the banks’ duties and responsibilities as collecting banks
or paying banks.

2. Effective Date

2.1 This Guideline, except for Part III on Infrastructure Standards, shall take
effect on 1 October 2004. Part III of this Guideline shall take effect on 1
January 2005.

3. Types of Cheque Fraud

3.1 Cheque frauds can be categorised broadly into three types:

i. cheque fraud that is perpetrated before a cheque is presented to a
collecting bank such as stolen cheque (including forged signatures),
altered, cloned or counterfeit cheque;
ii. cheque fraud that is perpetrated after the cheque is presented to a
collecting bank such as switching a genuine cheque with a
fraudulent one; and
iii. cheque fraud that is perpetrated by the movement of funds between
bank accounts (also known as ‘kiting’). In the case of ‘kiting’, money
is withdrawn from one bank on the strength of the deposit of a
cheque from another bank. The cheque is “covered” by another
cheque drawn on a third bank, and so on.

3.2 Cheque frauds committed by way of theft, alteration or switching of genuine
cheques and ‘kiting’ are notably common, and must be dealt with in an
effective manner. The risks of these frauds should be mitigated by the
banks through the implementation of strong internal controls and
counterchecking procedures, the imposition of controls in the distribution
and clearing of cheques, and the adoption of stringent controls in the
opening of accounts. The banks should establish a proper accountability
structure through the segregation of functions or having dual control
measures in place to safeguard security documents and sensitive customer
information.

3.3 Cheque frauds committed by way of cloning and counterfeiting have
become rampant in recent years, as printing technology has evolved to a
point where cheque frauds can be perpetrated easily. In order to arrest
such frauds, the measures that have been put in place by the banks should
be enhanced or upgraded to effectively prevent and detect cheque frauds
perpetrated through more sophisticated means. In addition, the banks
should ensure that their cheques are printed in a secure environment by
responsible cheque printers.

3.4 Trained and vigilant staff plays an important part in preventing cheque
frauds. The banks should train their relevant staff to ensure that they are
able to detect fraudulent attempts on the bank’s own cheques and to also
assist in curbing fraudulent attempts on other banks’ cheques. With
respect to cheque processing arrangements that the banks have
outsourced to external service providers, the banks remain accountable to
their customers and should ensure that the external service providers have
effective fraud detection and prevention measures.

4. Responsible Parties

4.1 The board of directors (“Board”) and senior management of the banks shall
be responsible in ensuring that appropriate steps are taken to comply with
this Guideline.

4.2 The Board shall:

i. review and approve appropriate policies to ensure that the risks in
cheques operations are adequately mitigated; and
ii. ensure that the senior management puts in place the necessary
mechanism and internal controls for prevention and detection of
cheque fraud.

4.3 The senior management shall:

i. implement the policies approved by the Board in respect of cheques
operations;
ii. continuously review and ensure that adequate operating policies
and procedures, auditing standards and effective risk monitoring
processes in respect of cheques operations are put in place;
iii. ensure that there are adequate resources, including trained and
competent staff who are effective in detecting fraudulent attempts on
cheques;
iv. establish systems and tools that are capable of monitoring and
detecting cheque fraud; and
v. report to the Board any significant loss suffered by the bank arising
from cheque fraud and report to Bank Negara Malaysia all attempted
and perpetrated cheque fraud.

II. MINIMUM SECURITY FEATURES ON CHEQUES

5.1 Adequate cheque security features can facilitate protection against cheque
fraud. In this regard, the banks shall adopt the following minimum security
requirements with respect to the printing of cheques:

i. Sensitised and watermarked paper which is UV (Ultra Violet) dull as
specified in paragraph 5.2;
ii. One primary ink security feature;
iii. One secondary ink security feature;
iv. One design security feature; and
v. Cheque printer security identification as specified in paragraph 5.6.

The eligible security features for 5.1 ii to iv are provided in paragraphs 5.3
to 5.5 below.

5.2 Paper Security Features

i. Sensitisation – the paper is chemically sensitized to react against
tampering by solvents, bleaches and acids, and reacts with a colour
‘flash-up’.

ii. Watermark – a three dimensional watermark is produced at the
paper making stage, providing a finely detailed design which is
readily identified when held against the light yet difficult to reproduce
via scanning devices.

5.3 Primary Ink Security Features

i. Aqueous Fugitive – provides a visual alert of tampering where the ink
printed on the cheque reacts by completely dissolving or the design
smudging if water or water based chemicals are applied.

ii. Solvent Sensitive – provides a visual alert of tampering where the
ink printed on the cheque reacts by dissolving and the design
smudging if an organic solvent is applied.

iii. Chemical Sensitive – provides a visual alert of tampering where the
ink printed on the cheque reacts by changing colour if solvents,
bleaches or acids are applied. This feature is only suitable where
laser printers are not used in the printing of the cheque.

5.4 Secondary Ink Security Features

i. Visible and Invisible Fluorescent – these inks turn fluorescent
under UV light.

ii. Metallic – these inks provide a defence against colour scanning,
usually by reproducing a darker image. The use of these inks should
be restricted to small areas such as company logos.

iii. Transparentising Ink – these inks may be used to simulate a
watermark, which can be viewed when the cheque is held against
the light. The ink must be printed on the reverse of the cheque.

iv. Metameric – these inks are printed in two colours that appear in the
same colour when viewed under a standard light source, but appear
different when viewed under a different light source.

v. Intaglio – these inks, which undergo part of the intaglio printing
process, remain on the surface of the substrate so as to provide a
tactile or ‘raised’ effect. A latent image (hidden wording) may be
used in larger formats.

vi. Thermochromatic – these inks change colour or disappear when
the temperature is raised. The colour change will not be a
permanent effect.

vii. Photochromatic – these colourless inks develop colour when
exposed to UV or strong light. The colour change will not be a
permanent effect.

5.5 Design Security Features


For purposes of this paragraph, fine lines are lines that are difficult to copy
or scan and should be printed in lighter or pastel shades. A line weight of
0.05mm to 0.30mm is recommended, i.e. lines are to be printed as fine as
possible and are to be non-readable by scanners.

i. Fine Line Security Patterns – these are to be printed as patterns of
intertwining lines.

ii. Guilloche – this is a free standing fine line design which can be
printed over existing security patterns and may be visible or invisible.

iii. Rosette – this is a free standing fine line design similar to guilloche,
except it is more symmetrical.

iv. Micro Printing – text set in very small letters (usually 0.20mm to
0.30mm in height) that can be easily read by using a magnifying
glass but will appear to the unaided eye to be dashes or lines.

v. Rainbow or Split Duct – this method of design relies on a subtle
merging of images from one colour to another, which can be
achieved reprographically or mechanically on the press. This design
creates difficulty in all methods of counterfeiting.

vi. Security Pantograph – a design feature whereby a hidden word
appears when the document is photocopied. This design security
feature may not be compatible with Image Capture technology. The
design must not intrude into important data fields.

vii. Optically Variable Devices (OVD) – features with multiple reflective
images usually on a silver metallic backing. The feature can be a 3D
(three dimensional) or 2D (two dimensional) image where the image
or colour changes when viewing angle varies. Holograms are one
type of OVD. Another type of OVD is Datafoil that permits the
viewing of text through the device. If the device is to be applied over
the payee’s name, amount in words or amount in figures in the
cheque, such information should be duplicated, for example, in
smaller type and the Datafoil should be placed over the duplicated
text.

Cheque Printer Security Identification

5.6 The “printer’s code” shall be printed on the cheque (in small font but
readable) in a vertical position, along the left edge, above the clear band
area of the cheque. The “printer’s code” is a unique reference number or
identifier from which the banks will be able to identify the cheque printer.

Cheque operations manual and trained staff

5.7 In detecting any irregularity on a cheque, physical examination of the
cheque for purposes of comparing against the security features specified in
paragraphs 5.1 to 5.6 above must be carried out by the staff of the banks.
Hence, the banks are required to specify the type and method of physical
examination that has to be carried out in the cheque operations manual.
The banks must ensure that their cheque processing staff are adequately
trained and are familiar with the security features of a cheque in order to be
able to detect any irregularities.

Coverage

5.8 Where banks are examining the cheques processed on a random sampling
basis, the sampling criteria and methodology must be specified in their
cheque operations manual and reviewed from time to time to ensure that
the coverage is adequate. The senior management is responsible for
ensuring that the sampling criteria and methodology are sufficient to mitigate
the risk of cheque fraud.

III. INFRASTRUCTURE STANDARDS

6.1 The banks shall establish control mechanisms that facilitate the detection of
cheque fraud. The banks shall implement appropriate systems to
complement or assist the staff in detecting cheque fraud by highlighting
suspicious cheques so as to enable the staff to undertake further
verification.

6.2 With respect to high volume cheque issuing customers, the banks shall
implement an automated checking facility that is able to detect differences
or discrepancies in the payee’s name, cheque number and amount
presented for payment against such information on the actual cheque
issued by the customer. For purposes of this paragraph, each individual
bank shall determine what constitutes a “high volume cheque issuing
customer”.
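
The automated check in paragraph 6.2, together with the account number and
cheque number verification in paragraph 6.5, sketched as an added example (not
part of the Guideline). The issue-file layout, the discrepancy codes, the payee
normalisation rule and the duplicate-presentment check are assumptions made for
illustration, and all sample data is constructed.

```python
import re
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Cheque:
    account_no: str
    cheque_no: str
    payee: str
    amount: Decimal


def normalise_payee(name):
    # Case, punctuation and spacing differences are not treated as discrepancies.
    return re.sub(r"[^A-Z0-9]+", " ", name.upper()).strip()


def check_presented(presented, issue_file, paid):
    """Return discrepancy codes for one presented cheque (empty list = match)."""
    key = (presented.account_no, presented.cheque_no)
    issued = issue_file.get(key)
    if issued is None:
        # This account number / cheque number pair is not in the issue file.
        return ["NOT_ISSUED"]
    findings = []
    if key in paid:
        findings.append("DUPLICATE_PRESENTMENT")
    if normalise_payee(presented.payee) != normalise_payee(issued.payee):
        findings.append("PAYEE_MISMATCH")
    if presented.amount != issued.amount:
        findings.append("AMOUNT_MISMATCH")
    return findings


def screen_batch(batch, issue_file):
    """Screen cheques in presentment order; only clean items are marked paid."""
    paid, report = set(), []
    for chq in batch:
        findings = check_presented(chq, issue_file, paid)
        if not findings:
            paid.add((chq.account_no, chq.cheque_no))
        report.append((chq.cheque_no, findings))
    return report


# Constructed sample data: the customer's issue file and a day's presentments.
ACCT = "1234567890"
ISSUE_FILE = {
    (c.account_no, c.cheque_no): c
    for c in [
        Cheque(ACCT, "000101", "Syarikat Contoh Sdn Bhd", Decimal("1500.00")),
        Cheque(ACCT, "000102", "Ahmad bin Ali", Decimal("250.00")),
    ]
}
PRESENTED = [
    Cheque(ACCT, "000101", "SYARIKAT CONTOH SDN. BHD.", Decimal("1500.00")),
    Cheque(ACCT, "000102", "Ahmad bin Ali", Decimal("2500.00")),
    Cheque(ACCT, "000101", "Syarikat Contoh Sdn Bhd", Decimal("1500.00")),
    Cheque(ACCT, "000102", "Ahmad bin Alias", Decimal("250.00")),
    Cheque(ACCT, "000999", "Ahmad bin Ali", Decimal("100.00")),
]

if __name__ == "__main__":
    for cheque_no, findings in screen_batch(PRESENTED, ISSUE_FILE):
        print(cheque_no, findings or "OK")
```

Items with a non-empty findings list are the suspicious cheques that paragraph
6.1 expects to be highlighted to staff for further verification.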

6.3 The banks should consider including in their cheques, machine readable
security features that can be easily detected through devices deployed at
the bank’s cheques processing centers. Such machine readable security
features include:

i. Digital encryption on cheques / Embedded data – an encrypted
matrix is affixed on a cheque which prevents any alteration to the
name of the payee and acts as fraud detection; or

ii. Seal encoding on cheques – seal encoding ‘invisibly’ stores data
such as the name of the payee, amount, account number and
cheque number, which are encoded within the bank’s logo on the
cheque or in another area on the cheque. If someone alters any of
those data on the cheque, such data would no longer match the
data contained within the seal.
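
The matching principle behind seal encoding in paragraph 6.3 ii, as an added
example that is not part of the Guideline: the seal is modelled as the four
fields plus a keyed tag, and the fields read from the cheque face are compared
with the sealed copy. The Guideline names no algorithm, so HMAC-SHA256, the
seal layout, the field names and the demo key are all assumptions; the sample
cheque is constructed.

```python
import base64
import hashlib
import hmac
import json

SEAL_FIELDS = ("payee", "amount", "account_no", "cheque_no")
TAG_LEN = hashlib.sha256().digest_size


def canonical(fields):
    # Fixed field order and a JSON list avoid ambiguity between adjacent
    # fields (e.g. account number running into cheque number).
    values = [str(fields[f]) for f in SEAL_FIELDS]
    return json.dumps(values, separators=(",", ":")).encode("utf-8")


def make_seal(fields, key):
    """Issuing side: bind the cheque data to a tag only the bank can produce."""
    payload = canonical(fields)
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.b64encode(tag + payload).decode("ascii")


def verify_cheque(face_fields, seal, key):
    """Processing side: return altered field names, or SEAL_INVALID."""
    try:
        raw = base64.b64decode(seal, validate=True)
    except ValueError:
        return ["SEAL_INVALID"]
    tag, payload = raw[:TAG_LEN], raw[TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if len(tag) != TAG_LEN or not hmac.compare_digest(tag, expected):
        # The seal itself was damaged or was not produced with the bank's key.
        return ["SEAL_INVALID"]
    sealed = dict(zip(SEAL_FIELDS, json.loads(payload)))
    return [f for f in SEAL_FIELDS if str(face_fields.get(f, "")) != sealed[f]]


# Constructed sample values; a real key would be held only by the bank.
DEMO_KEY = b"constructed-demo-key"
ISSUED = {
    "payee": "Syarikat Contoh Sdn Bhd",
    "amount": "1500.00",
    "account_no": "1234567890",
    "cheque_no": "000101",
}


def demo():
    seal = make_seal(ISSUED, DEMO_KEY)
    altered = dict(ISSUED, payee="Ahmad bin Alias", amount="15000.00")
    return {
        "genuine": verify_cheque(ISSUED, seal, DEMO_KEY),
        "altered_face": verify_cheque(altered, seal, DEMO_KEY),
        "resealed_without_key": verify_cheque(
            altered, make_seal(altered, b"not-the-bank-key"), DEMO_KEY
        ),
        "unreadable_seal": verify_cheque(ISSUED, "not-base64!!", DEMO_KEY),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result or "OK")
```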

6.4 In addition to the measures described in paragraph 6.3, the banks should
consider implementing an Artificial Intelligence System to undertake
“pattern recognition routines”, which can identify cheques that fall outside a
customer’s normal pattern of issuance of cheques to detect potential
attempts of cheque fraud.

6.5 Without prejudice to the above requirements, the banks are required to
conduct verification on the account number and cheque number for all
cheques.

IV. REVIEW OF CHEQUE PRINTERS AND COURIER SERVICE PROVIDERS

7.1 The banks, through their internal auditors, external auditors or security
consultants are required to undertake an annual review of the appointed
cheque printers and courier service providers, including the review of their
business processes. The annual review of cheque printers shall be based
on the standards specified in paragraph 8.1 below.

7.2 Notwithstanding the requirement in paragraph 7.1, the banks may carry out
the annual review of cheque printers on a collaborative basis through an
accreditation scheme administered by the Association of Banks in Malaysia
(ABM) or amongst interested banks. The annual review of cheque printers
on such collaborative basis (either via the ABM or amongst interested
banks) shall be based on agreed standards set by the participating banks,
which should include the standards specified in paragraph 8.1 below.

7.3 The banks shall only appoint cheque printers that are licensed by the
Ministry of Home Affairs. The banks should check on the status of the
cheque printers with the Ministry of Home Affairs from time to time. The
banks shall only appoint or renew the appointment of the cheque printer if they
are satisfied that the cheque printer has put in place adequate internal
control procedures and security measures.

7.4 The banks shall ensure that any cheque printer or courier service provider
that is appointed is given a contract for a maximum of two years.

7.5 The banks, through their internal auditors, shall carry out audits of the
supplies and inventory of cheques that are kept at the banks and at the
appointed cheque printers on a regular basis.

V. CHEQUE PRINTING SECURITY

8.1 In carrying out the annual review of cheque printers as specified under
paragraphs 7.1 or 7.2, the banks shall ensure that cheques are printed in a
controlled environment and that the cheque printers have adequate internal
control procedures and security measures in place in accordance with the
following standards:

i. Premises security – the cheque printer’s buildings should be
installed with an alarm system and have secure entrances, exits and
windows. Visitors should be controlled through a formal reception
procedure. Delivery staff should not have access to the cheque
printing areas. There should be adequate internal control procedures
in confidential areas. The attendance of staff and visitors on the
premises should be recorded at all times.

ii. Destruction of materials – production waste and materials should
be securely stored prior to destruction. During the destruction
process (i.e. burning, shredding), it must be ensured that account
details of any customer or the cheque itself cannot be readily
reconstructed.

iii. Secure storage – operations materials for cheques and finished
product must be kept in secure areas, which have limited access and
are locked when not in use.

iv. Confidentiality – the cheque printers’ contracts with their staff
should contain a confidentiality clause. Steps must be taken by the
cheque printers to ensure that any confidential information is not
disclosed in an unauthorised manner or by accident.

v. Transport/Dispatch – auditable dispatch records (i.e. records of
orders, deliveries, details of the courier and receipt by the banks)
should be maintained for inspection.

VI. CONSUMER EDUCATION AND CONSUMER LIABILITY

9.1 The banks shall ensure that their customers are aware of the risks involved
in the use of cheques and the proper control and handling of cheques that
should be practised by the customers. As some cheque frauds are
perpetrated before they are presented to a collecting bank, the banks
should advise their customers on the best practices to safeguard their
cheques and the measures to prevent cheque fraud. In this regard, the
banks shall provide, either in the monthly current account statements or on
the cheque book cover, reminders to their customers on the following
practices:

i. Customers should ensure that cheques are kept in a safe and
locked place and should never leave cheques whether signed or
unsigned unattended;

ii. Customers should not use laser printers, felt tip pens, erasable pens
or pencils or other non-impact printing techniques to write details on
a cheque. Where a typewriter is used, customers should not use
correctable ribbons. Customers should always use permanent ink
pen such as a ball point pen;

iii. Customers should not permit anyone to take their blank cheques
and should preferably refrain from signing a blank cheque;

iv. Customers should check against the possibility of individual cheques
being removed from the cheque books without their knowledge and
should ensure that spoiled cheques are completely destroyed;

v. Customers should undertake regular review of unused cheque stock
and conduct regular reconciliation of cheques paid with the
customer’s bank statement. Customers should report to the banks
immediately if there are cheques missing from the cheque book or
discrepancies are found in the customer’s bank statement;

vi. Customers should ensure that in writing a cheque, the payee’s
name, amount in figures and words should be left-justified and any
unused space should be ruled through with a pair of parallel lines.
The amount payable that is written in words should end with the
word ‘only’;

vii. When sending cheques by mail, customers should ensure that the
window envelopes used do not reveal the cheque and that any
envelope used is of good quality so that the content of the envelope
would not be revealed when being held against any light; and

viii. With respect to users of company cheques, customers should inform
their banks immediately of any change in the signing mandate,
particularly when authorised signatories have left the customer’s
company.

9.2 The banks shall print the reminders stated in paragraph 9.1 i to viii above in
Bahasa Malaysia on the back of a monthly bank statement (with a
reference made to the reminders at the front of the monthly bank
statement) or on a separate piece of paper which shall be inserted into
each new cheque book to be distributed to a customer.

9.3 The banks shall continuously educate their customers on the importance of
safeguarding cheques and provide advice on fraud prevention measures.

VII. ACCOUNT PAYEE CHEQUES AND CHEQUE BOOKS

10.1 The banks shall only distribute cheques with a crossing and the words
“account payee” or “a/c payee” pre-printed on the cheque itself.

10.2 Notwithstanding paragraph 10.1, the banks may wish to allow the
uncrossing of cheques (or “opening of the crossing”) under the following
circumstances only:

i. Encashment of the cheque over the counter by the payee in person.
The banks shall verify the identity of the payee and record the
particulars of the payee. In addition, with respect to ‘high value
cheques’ the banks shall confirm with the drawer that the
encashment is in order. For purposes of this paragraph, each
individual bank shall determine what constitutes a ‘high value
cheque’.

ii. Encashment over the counter of the accountholders’ cheques with
the words “Pay Cash” by the accountholder in person. The banks
shall verify the identity of the accountholder and record the
particulars of the accountholder.

10.3 The banks shall ensure that all cheque books distributed to their customers
from 1 October 2004 comply with the requirements of Part II (Minimum
Security Features on Cheques) and paragraph 10.1. With respect to
cheque books that have been distributed to the customers prior to 1
October 2004, the banks should strongly advise their customers to replace
such cheque books with cheque books that meet with the requirements of
Part II (Minimum Security Features on Cheques) and paragraph 10.1.

Bank Negara Malaysia
9 July 2004
