Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
Comments are moderated and will not appear until the moderator has approved them.
Please submit appropriate comments. Inappropriate comments include content that is abusive, harassing, or threatening; obscene, vulgar, or profane; an attack of a personal nature; or overtly political.
In addition, no off-topic remarks or spam is permitted.
July 8, 2013
Money Mules: Unwitting Accomplices?
Recent news articles about the two major ATM cash-out frauds that yielded $45 million for the perpetrators have noted a critical element of the global crime—the extensive network of criminals that performed thousands of cash withdrawals over a few hours at ATMs in approximately 24 countries. Known as "money mules," these individuals help transport or launder stolen money and merchandise in exchange for a small share of the ill-gotten gains.
The mules in the ATM cash-out scheme were willing participants, but in many cases, individuals serving the role of a money mule may not be aware of their criminal involvement and may even themselves become victims of fraud. The most common tactics for enlisting the help of unknowing money mules are posting work-at-home advertisements on major legitimate employment websites, purchasing pop-up ads, or sending e-mails.
Earlier recruiting efforts were easy to spot because they often used poor grammar or spelling, were not specific in describing the job, and usually based the hiring company outside the United States. More recently, recruitment efforts have used well-written ads with high-quality graphics. These ads often stress the convenience of the position for the worker and the significant earnings potential. When hired, the individual is sometimes engaged as a mystery shopper or in some similar function to make the transfer of money or goods seem normal to the business operation. Some schemes initially engage the person in conducting legitimate transactions with the goal of developing a level of comfort for the individual with the process and the promise of bigger, more lucrative transactions to come in the future.
As with many crimes involving multi-level organizations, it is not the masterminds but the money mules who are most often apprehended. They are the ones whom law enforcement officers can locate relatively easily because they are the ones who provide their financial account information or shipping address as part of the transaction. Unknowing money mules risk criminal prosecution, financial loss, and smearing of their reputations. It’s also possible that they will themselves experience identity theft or fraud against their financial accounts because they may have provided sensitive personal information during the recruitment process.
As cybercrimes continue to spread, the mule recruitment efforts will expand and probably become more sophisticated. Individuals must exercise safer computer security practices, and financial institutions, consumer protection agencies, and law enforcement must continue to provide education about this type of scheme to help increase everyone’s ability to detect such fraud. Not only will early detection help prevent individuals from becoming unwilling victims, but also it will aid in the investigation of these criminal efforts by law enforcement.
Brian Krebs (KrebsonSecurity) has a good article, which includes a money-mule training video, providing more information about this type of crime to help individuals avoid getting caught up in one of these schemes. We welcome your suggestions on how the educational effort can be strengthened.
By David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
June 3, 2013
Do Digital Currencies Need Bank Secrecy Act Regulations?
Nearly two years ago, a Portals and Rails post looked at digital currencies and posed the question, "Will the use of alternative currencies gain popularity in the criminal world?" It appears that the answer to the question is "yes." According to the recent indictment of a digital currency provider, the currency under question "was designed to give criminals a way to move money earned from credit card fraud, online Ponzi schemes, child pornography and other crimes without being detected by law enforcement," ultimately building up a $6 billion money laundering operation.
At the heart of the issue with this particular digital currency is its anonymous nature. Payment instruments that provide anonymity do attract the criminal element. Anonymity is a major reason cash remains king when it comes to payments for illicit activities. The anonymity that prepaid cards provided in their earlier years attracted the criminal element, which ultimately resulted in regulators attaching Bank Secrecy Act/anti-money laundering (BSA/AML) regulations to these instruments.
There is no doubt that digital currency has benefits over paper and coins. The convenience of not having to lug around paper and coins is appealing to me, as is the fact that I wouldn't feel the need to scrub my hands after handling digital currency since it's no secret that paper money and coins are dirty. I am all for the success of digital currencies and can't wait for them to become more mainstream. But I believe that as long as any digital currency continues to support anonymity, it will be difficult for that to happen.
While regulation can stifle innovation, I believe that BSA/AML regulation of digital currencies could help increase the adoption of this type of payment instrument by the mainstream. One need look no further than the prepaid card industry to understand the potential impact. Many factors have played into that industry’s phenomenal growth rate, but the BSA/AML regulatory requirements also played a role by providing a credibility to prepaid cards that did not exist in their infancy.
What are your thoughts on the need for BSA/AML regulation of digital currencies?
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
January 28, 2013
Do GPR Prepaid Cards Pose Significant Money Laundering Threats?
When it comes to laundering proceeds from illicit activities, criminals have historically had a number of financial instruments and methodologies at their disposal. These choices have ranged from payment products tied to demand deposit accounts such as checks, wires, and debit/ATM card transactions to money transfers via money transmitters. The birth of general purpose reloadable (GPR) prepaid cards in the early 1990s created yet another payment instrument that could potentially be used to clean dirty money.
Although no payment instrument—GPR prepaid cards included—is completely immune to money laundering, the payments industry can adopt risk measures to mitigate the attractiveness of these cards to criminals. But what makes a payment choice attractive to money launderers? Criminals generally seek the fastest method to move their ill-gotten proceeds the furthest away from their illegal activities. Ultimately, they want to distance themselves and their financial gain from the crime in the quickest way possible. Anonymity, accessibility, immediate liquidity, and transportability of funds are all payment characteristics that a money launderer finds attractive.
The Retail Payments Risk Forum dove into the regulatory environment and risk management practice of the GPR prepaid card industry, and wrote up findings in a paper available on the Atlanta Fed's website. Among the paper's findings is that, as GPR prepaid cards have grown in popularity and come under increased scrutiny by regulators, significant regulatory measures and industry-wide adopted practices have greatly reduced, but not eliminated, their money laundering risks. And while U.S. regulators and the card industry have made great strides with anti-money laundering measures, GPR prepaid cards issued internationally do not necessarily face the same stringent risk environment, so they pose significant money laundering risks.
For more details on the money laundering risk environment for GPR prepaid cards, read the paper.
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
March 21, 2011
FinCEN proposed new rule addresses money-laundering risks in prepaid products
While prepaid payment products still represent a small percentage of today's electronic payments, their use is rapidly growing. According to the 2010 Federal Reserve Payments Study, the number of prepaid card transactions increased 21.5 percent each year from 2006 to 2009. Most prepaid payments are enabled by plastic cards, but today's technology can enable the same payment functionality in other form factors, including mobile phones.
As the market for these prepaid products continues to develop and grow, the Financial Crimes Enforcement Network (FinCEN) has been watchful of their potential money-laundering risk exposure and issued a proposed rule addressing various kinds of prepaid access devices. In its proposed rulemaking notice, FinCEN announced that the rule would cover not only cards but also such access devices as mobile phones, key fobs, and any other device that can serve as a portal to funds paid for in advance and allow a consumer to retrieve or transfer these funds.
Prepaid access devices and money laundering risks
Many of the same factors that make prepaid access devices attractive to consumers can make them vulnerable to criminal activity. For instance, the ease with which these devices can be obtained along with the potential for anonymity—which is the case with nonreloadable open-loop cards, for example—as well as the ease with which money can be loaded onto them can make them potential money-laundering vehicles.
To help identify potential risks related to prepaid access devices, FinCEN formed a subcommittee within their Bank Secrecy Act Advisory Group (BSAAG). The subcommittee has identified numerous risks, such as funding with cash from stolen credit cards and virtual money cards that allow individuals without a bank account to access illicit cash via ATMs globally. Some high-profile criminal activities have also surfaced, exposing some of these potential risks.
Because some products are perceived to be less likely than others to be used for money laundering, FinCEN has excluded certain prepaid access devices from its rulemaking, including payroll cards, government benefit cards, heath care access cards, closed-loop cards, and products that allow access amounts less than $1,000.
Disrupting, detecting, and deterring the illicit flow of funds
Disrupting the flow of funds can create a less-than-ideal environment for criminals attempting to conceal the sources of their illicit funds. FinCEN's proposed rule is one way to accomplish this disruption. By implementing additional systemic safeguards and filling gaps in the prepaid environment with stronger regulatory controls, the agency hopes to make it more difficult for criminals to use prepaid payments products for illicit purposes.
Ultimately, the goal of the proposed rule is to enhance the regulatory framework for prepaid access devices while finding ways to promote development and growth in the prepaid industry and discourage wrongdoers from misusing prepaid products. For now, FinCEN's final rule is pending release, but if it is adopted as proposed, it would expand Bank Secrecy Act compliance obligations to prepaid access devices beyond plastic prepaid cards to include emerging prepaid products.
By Ana Cavazos-Wright, senior payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed