THE NEW AGE OF MONEY LAUNDERING

At the European Payment Summit held on 8th and 9th of March 2017 in the Hague, the Netherlands, I had the pleasure to discuss one of the new concepts of cybercrime (and money laundering) together with EverCompliant. The presentation was somewhat an eye-opener for many participants in the room, being amazed by what criminals can do in today’s world to launder money. This 2-part blog series outlines what was discussed. Part 1 will familiarize you with the current (regulatory) views of money laundering and explain what transaction laundering entails. Part 2 will discuss whether the most recent changes to the 4th AML Directive (and the upcoming 5th AML Directive) will in fact prevent the newest forms of money laundering.

1. Stages of Money Laundering Outdated?

When you are doing your yearly mandatory compliance training, which is often off-the-shelf, you are being taught about the three forms of money laundering: placement, layering and integration. In the following Breaking Bad episode, money laundering and these different stages are easily explained with nail polish accessories and the purchase of a nail salon: https://www.youtube.com/watch?v=ez6xH-su2xI. However, this explanation is a traditional approach to money laundering. With the recent amendments to the AML Directive, you would expect that new ways of money laundering are fully captured.

The 4th AML Directive provides for the following definition under article 1 par 3:

For the purposes of this Directive, the following conduct, when committed intentionally, shall be regarded as money laundering: a)     the conversion or transfer of property, knowing that such property is derived from criminal activity or from an act of participation in such activity, for the purpose of concealing or disguising the illicit origin of the property or of assisting any person who is involved in the commission of such an activity to evade the legal consequences of that person’s action; b)     the concealment or disguise of the true nature, source, location, disposition, movement, rights with respect to, or ownership of, property, knowing that such property is derived from criminal activity or from an act of participation in such an activity; c)     the acquisition, possession or use of property, knowing, at the time of receipt, that such property was derived from criminal activity or from an act of participation in such an activity; d)     participation in, association to commit, attempts to commit and aiding, abetting, facilitating and counselling the commission of any of the actions referred to in points (a), (b) and (c).

To summarize, it involves the conversion of illegally obtained property (assets of any kind), concealment of where it comes from and the use thereof. The key words are property derived from criminal activity. Does this cover also the new ways criminals explore?

2. New Ways Explored

I would argue that this definition is also a bit traditional and perhaps outdated, not fully covering the actual risks involved in the e-commerce business. Would money laundering always involve money derived from criminal activity? What about ways to evade taxes for legally obtained revenue? What about all these new forms of cybercrime? Let me clarify.

Cybercrime has been and still is very much upcoming. With hundreds of companies involved in the payment process, there are thousands of different possible combinations for criminals to use, making the task of finding laundered transactions almost like fighting a losing battle. Where one route is shut down (for example the introduction of EMV for POS transactions), another 100 new criminal ways are found. One of them is transaction laundering. Not a lot is known about this concept. Only a few articles can be found online on transaction laundering.

Transaction laundering occurs when legitimate merchant accounts are used to process unknown transactions for another website with other products/services, which can be illegal or for instance high risk (websites that would not be able to get their own merchant account). This can occur with or without the merchant itself knowing (and the PSP/acquirer not knowing), which expose involved payment companies to a substantial amount of risk. MasterCard makes it even more simple and defines transaction laundering as “The action whereby a merchant processes payment card transactions on behalf of another merchant.” (source EverCompliant, MasterCards’s Global Ops Bulletin, 7 July 2015). EverCompliant has shared more insights on how transaction laundering in practice during our presentation, with examples such as the Charlie Hebdo terrorist attack in 2016. Did you even know that the terrorists involved used transaction laundering methods for terrorist funding? And this while the EU legislator has attempted to respond to these attacks with making the accessibility to (anonymous) prepaid cards more difficult under the AMLD (see further AMLD changes in paragraph 4 below). The question is whether the 4 and 5 AMLD would have prevented the attack. I will touch upon that again below.

In a picture transaction laundering looks like this (source: EverCompliant©):

3. Increased Risk due to Uprise PF Model

While transaction laundering constitutes the newest form of fraud and (even though not many realize yet) it does in fact constitute money laundering. The rise of Payment Facilitators results in increased risks of transaction laundering as well. Many acquirers do not have full insight in Sub-Merchants’ processing websites under a Payment Facilitator or only find out later that a boarded merchant is in fact acting as Payment Facilitator. A PF’s merchant aggregation model enables criminals to create an ecosystem of illicit transaction processing. While the PF model is considered disclosed aggregation, transaction laundering is undisclosed aggregation and therefore closely related to merchant aggregation conducted by PFs (but then the dark side of it). Acquirers that support PFs are voicing concern over the increasing risk of transaction laundering.

An article on pymnts.com presented some shocking numbers: “More than 25 percent of terminated accounts find their way back into the payment system with operations mostly intact. Many more resurface in disguised form. A full 50 percent of violating websites exploit the payment system without registering for merchant accounts. A wide variety of businesses can serve as transaction launderers. Beliefs about high- and low-risk business types can negatively bias risk professionals from performing meaningful investigations. Successful transaction launderers are skilled at hiding illicit transactions in the midst of real transactions.” (http://www.pymnts.com/exclusive-series/2015/what-banks-and-processors-must-know-about-transaction-laundering/)

In terms of an acquirer portfolio and screening undertaken over the last years, EverCompliant has reached the conclusion that that on average, the size of the unknown merchant portfolio is 6% to 10% of the known client base. In other words, for every 10,000 known merchants there are 600 to 1,000 unknown merchants transacting through the MSPs’ payment networks without their consent or knowledge. Of that number 3% of these unknown merchants conduct illegal activity (source: EverCompliant ©)

Transaction laundering happens more than you think. In 2016 in the USA only, 155 billion USD of revenue was generated from online sales via transaction laundering. Add to that the ease nowadays for just about anyone to open an online shop and the impact of the instability of the economy has had to people starting their own business. Small merchant websites have exploded, resulting in even better opportunities for transaction laundering scammers. These numbers will only increase even further.

Let us remind ourselves that regardless of whether a processor was aware of what was happening, as far as card schemes and regulators are concerned, they are responsible and held financially liable – and, possibly, criminally responsible.

And the scariest part is that the known merchant accounts used for these purposes are the least expected. EverCompliant made a top 10 of MCC codes used by launderers and it is frightening (source: EverCompliant ©):

1.    Book Stores

2.    Miscellaneous Food Stores – Convenience Stores and Specialty Markets

3.    Household Appliance Stores

4.    Men’s and Boy’s Clothing and Accessories Stores

5.    Variety Stores

6.    Cosmetic Stores

7.    Gift, Card, Novelty, and Souvenir Shops

8.    Hobby, Toy, and Game Shops

9.    Direct Marketing – Other

10.  Sporting Goods Stores

And these merchant accounts are used to process payments for not only illegal transactions, but also high-risk or dodgy businesses, including negative option marketing, nutraceuticals, pharmaceuticals, gambling, gift cards, adult content, firearms, webcams, electronic cigarettes, tobacco and others. Now that we are aware of what transaction laundering entails and what the true risks are for online payment processors, wouldn’t you agree that the 4th AML Directive definition might not fully cover these laundering activities. Let’s also review whether the current regulatory framework overall is sufficient to mitigate these risks.

4. Key Changes 4 and 5 AMLD

The 4th AML Directive has brought upon some concern in the industry as certainly some of the changes seem to have unintended consequences. The 4th AML Directive was still very new to many, when talks already began of a 5th version. The EU Commission argued that the 4th AML Directive still leaves gaps in the oversight of many financial means used by terrorists, for instance cash, trade in cultural artefacts, virtual currencies and anonymous prepaid cards. The question is whether these further redrafts and redesigns of the text will actually help companies fight money launder better and not just makes the lives of proper payment companies and the market as a whole harder. Even though the EC claims to avoid unnecessary obstacles for those companies, it is not clear that those aims are fulfilled with the changes.

Some of the AML Changes include:

• Extension of AMLD scope to cover providers engaged in virtual currency exchange services and wallet providers;
• Restrictions to simplified CDD for prepaid cards (e-money products): under the 5th AMLD issuing anonymous e-money products may become even more restrictive: no simplified due diligence may be applied – regardless of the value and regardless whether they are reloadable – on e-money products that can be used for online payment, standard or enhanced CDD will be required;
• Requirements around more transparency on anonymous prepaid products holders;
• Acceptance of prepaid cards issued in third countries (that do not meet equivalent requirements) is prohibited;
• Requirements around enhanced CDD measures to be applied to manage (and mitigate) cases of high risk and where persons are established in high-risk jurisdictions;
• Requirements around more transparency on the beneficial ownership for companies and trusts;

5. AMLD Changes Effective?

Apart from the concerns around unintended impact on the ordinary functioning of the payment industry, coming back to the subject, are the envisioned changes under the 4th and 5th AML Directive even addressing the right risks that the industry faces?

The changes fail to put sufficient focus on how measures are to be implemented, while there seems to be a clear need for the industry (see further on this paragraph 6). For example, one of the ways to detect transaction laundering is through transaction monitoring (another way would be checks as part of the CDD/ onboarding process). However, the provisions around transaction monitoring under both versions of the AMLD are still very light (there is a summary at the end of this paragraph). CDD measures include:

New article 13 paragraph 1 sub d:
“conducting ongoing monitoring of the business relationship including scrutiny of transactions undertaken throughout the course of that relationship to ensure that the transactions being conducted are consistent with the obliged entity’s knowledge of the customer, the business and risk profile, including where necessary the source of funds and ensuring that the documents, data or information held are kept up-to-date.”

This provision has not been altered much under the 4th AMLD, and neither in the now-current draft of the 5th AMLD. What has changed, is the more prominent requirement to perform transaction and business relationship monitoring, even in cases of simplified and even more in cases of enhanced CDD. The 4th AMLD does include an explicit requirement to perform sufficient transaction and business relationship monitoring (to enable the detection of unusual or suspicious transactions) even if simplified CDD may be applied (article 15 par 3).

The same is introduced under the 4th AMLD for the limited cases when SDD may be undertaken for non-anonymous, non-reloadable, under 250 EUR (under 5th AMLD under 150 EUR). SDD is subject to the condition of “the issuer carries out sufficient monitoring of the transactions or business relationship to enable the detection of unusual or suspicious transactions.” (article 12 par 1). Current proposed amendments under the 5th AMLD require the issuer to not only monitor sufficiently, but also ensure the traceability of the transactions or business relationship.

If enhanced CDD is required, new article 18 further specifies the following:
“Member States shall require obliged entities to examine, as far as reasonably possible, the background and purpose of all complex and unusually large transactions, and all unusual patterns of transactions, which have no apparent economic or lawful purpose. In particular, obliged entities shall increase the degree and nature of monitoring of the business relationship, in order to determine whether those transactions or activities appear suspicious.”

The 5th AML draft further includes a new provision with respect to transactions involving high risk third countries (article 18a). There is a meet-all-requirements list of enhanced CDD measures to be undertaken, which include the conducting of enhanced monitoring of the business relationship by increasing the number and timing of controls applied, and selecting patterns of transactions that need further examination. There is still uncertainty about this blacklist of high risk countries as the EU Commission’s proposal was rejected and sent back by the EU Parliament in January of this year. It was deemed too limited and needed to be extended (see link below).

In short summary:
Monitoring:

• CDD: includes ongoing monitoring incl. scrutiny txn’s – Are they consistent with knowledge?
• SDD: sufficient txn / relationship monitoring under SDD – Are txns unusual/ suspicious?
• SDD E-Money: sufficient monitoring (ensure traceability) – Are txns unusual/ suspicious?
• EDD: examine purpose / background complex/ unusual txns – Do they have no apparent purpose?
• 5th AMLD on high risk countries: enhanced monitoring – Increase # / timing controls and select patterns for further examination

Nothing is said about how these measures should be implemented. And further, if you look at these requirements, it would not necessarily and directly require obliged entities to screen for transaction laundering does it? Most focus is put on unusual, complex transactions with no apparent purpose or high risk countries. As the numbers have shown, the risk of transaction laundering is much greater than just those type of transactions. And it typically involves the transactions that do not appear unusual or unlawful at first sight. Would you ever consider classifying book store merchants as high risk for money laundering?

6. Joint Opinion ESAS

If we are to conclude that the traditional explanation and definition of money laundering needs re-defining and that the even most-recent regulatory framework is insufficient to combat the new age of money laundering, would we have any support? Very recently (20 February 2017) the European Supervisory Authorities (ESAS) issued a joint opinion on the risks of money laundering and terrorist financing (affecting the EU’s financial sector. Rightfully so, “the Joint Opinion finds that problems exist in key areas such as a company’s understanding of the ML/TF risk to which they are exposed and the effective implementation, of customer due diligence policies and procedures. It also points to difficulties associated with the lack of timely access to intelligence that might help identify and prevent terrorist financing….”

Read the full opinion here:https://www.eba.europa.eu/documents/10180/1759750/ESAS+Joint+Opinion+on+the+risks+of+money+laundering+and+terrorist+financing+affecting+the+Union%E2%80%99s+financial+sector+(JC-2017-07).pdf

The financial sector is exposed to ML/TF risks arising from for instance ineffective systems and controls and high risk transactions being driven underground (“as firms withdraw from offering services to less profitable customers that are associated with higher ML/TF risk”). The ESAS seem to understand the risks around online payments and the need for guidance on how to implement measures. As it states: “…more has to be done to ensure that the Union’s AML/CFT defences are effective.”

7. Conclusion

As the ESAS opinion concludes, the problem areas identified result in great risk of diminishing the robustness of Europe’s AML/CFT defences. There is still work that needs to be done. The new regulatory framework with both the 4th and 5th AML changes will not be sufficient. Cyber criminals are ahead of the game.The legislator will need to gain further understanding of the true ML/FT risks in the online payment industry. The same goes for many industry players. Transaction laundering is still often seen as fraud in the industry, but the players, including the legislators and card schemes, need to become aware that it is in fact a new way of money laundering. The definition of money laundering under the new and upcoming Directive is not fully equipped to cover the continuing evolution of the risks and methods of money laundering and terrorist financing. More guidance is required on which measures need to be implemented to perform transaction monitoring. Needless to say that the new age of money laundering (through digital means) still needs to be properly addressed by the market and regulators.