Last month, a major regional bank filed suit against a New York entrepreneur, alleging a check-kiting scheme that processed more than $72 million in fraudulent checks, resulting in $27 million in direct losses. While payment technologies
have evolved dramatically, traditional fraud methods continue to exploit fundamental processes, resulting in losses. Check kiting may not generate the headlines of cyber-enabled crimes, but it remains a material risk for institutions.
In 2023, payroll executive Najeeb Khan was sentenced for running a scheme that ultimately cost banks nearly $150 million. For years, he deposited enormous volumes of checks across multiple institutions, often hand-delivered by
courier, with daily totals exceeding $100 million by the end. The transactions bore little resemblance to the legitimate cash flows of a payroll company, yet the pattern continued until one bank finally refused to honor the deposits. The red flags were evident:
repetitive high-volume deposits, persistent discrepancies between collected and ledger balances, and a pattern of activity timed to coincide with posting deadlines. But they were not connected into a coherent picture until it was too late.
Earlier this year, Andrew Blassie, an executive vice president at a community bank, admitted to a different variation of the same tactic. Over the course of a year, he used four personal accounts across multiple banks to funnel
checks into his institution, withdrawing nearly $2.7 million in funds he knew did not exist. What made this case particularly damaging was the inside role he played in concealing it. By removing his own name from suspect-account reports, he turned off the
very safeguards designed to expose the scheme. Unusual overdrafts, repeated inflows from accounts with insufficient funds, and tampered fraud reports all pointed to misconduct, but insider access allowed him to override the controls.
These cases illustrate that check kiting is not confined to a particular era or type of perpetrator. It has ensnared small business owners, senior bank executives, and even large financial institutions. Each episode reinforces
the same reality: when gaps exist in detection and oversight, fraudsters will find a way to exploit them.
The lesson is clear. Technology has advanced, payments have accelerated, and analytics have matured, but check fraud still finds its way in.
Why Check Kiting Persists
Check kiting works because it exploits the gap between when deposited funds are shown as available and when the check is finally paid. Under Regulation CC, at least $275 of most check deposits must be available the next business
day, and most remaining funds are generally available by day two. Deposits at non-proprietary ATMs can be held until the fifth business day. Exception holds apply to large deposits and new accounts, with current dollar thresholds set at $6,725, and availability
that can extend to about seven business days for large deposits and up to nine for certain new-account items. Availability is not settlement. The paying bank generally has until midnight of the next banking day after presentment to pay or return an item under
the UCC. That return window is the float fraudsters try to ride, moving checks among accounts and across banks so each ledger looks healthy long enough to pull out real money.
At scale, the tactic creates layers of liquidity that are not cash. Many banks choose to release funds faster than the regulatory minimums as a matter of policy and customer service. That is permitted, and it is common. A coordinated series of deposits across
several accounts, repeated over a few days, can produce very large “available” balances while the collected balance lags. Weekends and holidays lengthen the practical risk window. Cross-bank presentment and return cycles add more delay. The pattern is simple
to describe, yet it is sustained by velocity, symmetry, and repetition until the numbers balloon and the returns arrive.
The Stakes for Banks
Despite its long history, check kiting remains difficult to detect, especially in its early stages. It is rarely one suspicious transaction, rather it’s a pattern of behavior that unfolds across time and accounts. Fraudsters rely on cross-entity complexity,
moving funds across multiple banks and account types to obscure the view. They manipulate timing, taking advantage of the float period between deposit and clearing. The signals can be subtle like rounded amounts, repeated use of counterparty accounts, or deposits
timed just right to avoid attention.
Each institution implements its policies in slightly different ways, which makes coordinated detection more challenging. Traditional monitoring systems, designed to flag single anomalies, often miss the bigger picture. The result is that schemes can grow
until the losses are significant to ignore.
Best Practices for Detecting Check Kiting
To counter this, banks are adopting behavior-based approaches that cut across channels and accounts. Instead of treating each deposit or withdrawal as a stand-alone event, advanced systems consolidate information from ATM, branch, mobile, and check posting
activity to build a unified picture of account behavior. This makes it possible to detect circular fund flows, deposits and withdrawals that mirror each other too neatly, or account activity whose velocity no longer matches its normal profile.
Had such account-level visibility been applied in the Khan case, the persistent mismatch between collected and ledger balances, coupled with repeated high-value deposits from the same sources, would have stood out far earlier.
Detection also depends on looking for the right behavioral signals. Institutions are monitoring transaction velocity, repeated use of the same counterparties, rounded dollar amounts that suggest synthetic fund movement, and sequences of deposits timed within
hours of each other. On their own, these patterns may appear harmless, but together they are predictive indicators of check kiting. In Blassie’s case, a model tuned to flag repeated overdrafts linked to cross-bank deposits could have raised concerns, particularly
when the same names and accounts reappeared in multiple cycles.
To strengthen accuracy and reduce noise, effective programs use fraud enrichment techniques. They tag suspicious time windows, apply inspection rules such as “three deposits and three withdrawals within three days,” and weight alerts so that recurring patterns
are prioritized. In best-in-class programs, related transactions are consolidated into a single account-level alert, giving investigators the complete picture without overwhelming them. This is exactly the kind of narrative-level view that could have connected
the dots in the Khan matter before losses escalated.
The objective is early detection, sometimes within the first month of activity. Well-tuned systems keep alert rates manageable while surfacing the cases that matter most. They also suppress alerts for trusted accounts, ensuring investigators focus attention
where it counts. These are not just theoretical concepts. At NICE Actimize, we have seen leading institutions apply these practices to strengthen defenses, reduce losses, and give their fraud teams the confidence to act earlier.
Regulatory and Compliance Considerations
Check Kiting is not just a fraud loss number, but it creates a regulatory exposure. Under BSA/AML requirements, institutions must file a Suspicious Activity Report (SAR) within 30 days of detecting potential fraud, extendable to 60 days if no suspect is
identified.
The thresholds are clear: any amount if insider abuse (as in the Blassie case) is involved, $5,000 or more if a suspect can be identified, and $25,000 or more if no suspect is known. Most kiting events easily exceed these thresholds, making SAR filings unavoidable.
Examiners also look to see that SAR narratives clearly describe the behavioral pattern, not just isolated items.
While modern data does not break out kiting specifically, earlier FDIC reviews showed that from 1996 to 2000, nearly 18,400 SARs were filed citing check kiting — about 4% of all check-fraud related filings. Today, FinCEN reports that over 680,000 SARs related
to check fraud were filed in 2024 alone, a number that shows the scale of ongoing risk even if the kiting subset is not separately tracked.
FFIEC guidance on retail payment systems reinforces this expectation. Examiners emphasize that effective check fraud programs must identify patterns of behavior—repeated deposits, persistent collected-versus-ledger balance gaps, and unusual velocity—not
just single transactions. Institutions are also expected to apply risk-based exception holds under Reg CC, balancing customer service with safety and soundness. Overly liberal availability policies without compensating monitoring can be flagged during exams.
Finally, kiting activity often overlaps with AML typologies. Structuring deposits to manage availability, circular fund flows with no economic purpose, and insider manipulation of reports can all surface in both fraud and AML monitoring. Increasingly, regulators
expect fraud and AML teams to share intelligence and coordinate responses. Treating kiting as both a fraud and a compliance risk positions institutions to meet their regulatory obligations while protecting their balance sheets.
From Reactive to Proactive
The regulatory picture makes clear that kiting is more than a fraud operations issue. It is a compliance responsibility, a reporting obligation, and an examination focus. When tens of thousands of SARs have historically cited kiting, and hundreds of thousands
more reference check fraud each year, the signal is unmistakable: this is a systemic risk that demands sustained attention.
According to the Actimize Fraud Insights Report, US Retail 2025 edition, check fraud now represents 52 percent of all fraud in retail banking. That figure alone shows why institutions cannot afford to downplay the threat. The recent kiting cases
illustrate how quickly exposure can escalate when timing gaps and policy choices are exploited.
For banks, the message is clear: fraud does not disappear simply because payment systems modernize. It adapts, it scales, and it tests the seams of oversight. The imperative now is to act, review funds availability policies, strengthen behavioral monitoring,
and ensure fraud and AML teams share intelligence rather than operate in silos.
Institutions that take these steps can close the gaps before they are exploited. Those that delay will not just face financial losses, they will face regulators, examiners, and customers asking why old schemes were allowed to succeed again.
