FACING UP TO FINANCIAL CRIME - Analysis of payments-related financial crime and how to minimise its impact on the UK - Midas Alliance
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
FACING UP TO
FINANCIAL
CRIME
Analysis of
payments-related
financial crime and
how to minimise its
impact on the UK
In association with Barclays,
Refinitiv and a syndicate of
EPA members
Sponsored by
Financial Crime Matters
inancial crime concerns every company in the what’s really going on, by whom and at what cost. And
F payments industry. Because it affects everyone we have developed a set of recommendations for action
involved in moving money, whether consumers, that are clear, timely and impactful.
businesses or governments. And it funds the activities of
organised crime groups that seriously affect wider Thank you to Barclays, Refinitiv and the other five syndicate
society, such as human trafficking, drug trafficking and members for investing time and resource to make this
terrorist financing. paper possible. It will enable the emerging payments
industry to address the underlying causes of financial crime
But while there have been several coordinated attempts and protect everyone from the criminals behind it.
to decide what should be done about it, none have been
on behalf of the emerging payments sector.
So the Emerging Payments Association has assembled
a syndicate to address this. We have commissioned a Tony Craddock
specialist in payments and financial crime to carry out Director General
extensive research and analysis. We have identified Emerging Payments Association
About the EPA About Huntswood
The Emerging Payments Huntswood, the commissioned
Association (EPA), established in producer of this white paper, aims
2008, connects the payments ecosystem, encourages innovation to drive better outcomes - for its clients and their customers.
and drives profitable business growth for payments companies. Huntswood achieves this by combining people, process and
Its goals are to strengthen and expand the payments industry to technology to deliver practical solutions that help regulated
the benefit of all stakeholders. firms deliver high quality services in a cost-efficient way, all while
effectively mitigating business risk.
It achieves this by delivering a comprehensive programme of
activities for members with help from an independent Advisory Huntswood is the partner of choice for:
Board, which addresses key issues impacting the industry.
• Resourcing - of the quality and level to get the job done
These activities include: • Solutions - where they take responsibility for the outcome created
• A programme of 70 events annually With centres of excellence in Reading and Liverpool, Huntswood
• Annual Black-Tie award ceremony is able to take on large-scale projects in-house or otherwise
• Leading industry change projects provide robust and tailored outsourced solutions.
• Lobbying activities
• Training and development This support is provided to firms within financial services,
• Research, reports and white papers payments, utilities, travel, pharmaceuticals and gaming.
The EPA has over 130 members and is growing at 30% annually. Its Payments subject matter experts bring with them a wealth
Its members come from across the payments value chain; of industry experience and in-depth knowledge of policies and
including payments schemes, banks and issuers, merchant regulation within the payments and financial services sectors.
acquirers, PSPs, retailers, and more. These companies have come Huntswood is able to provide advice and support to firms on
together, from across the UK and internationally, to join our topics as wide-ranging as legislative change, PSD2, Open Banking,
association, collaborate, and speak with a unified voice. affordability, SM&CR and financial crime.
Firms of all sizes choose Huntswood because of its successful
track record of balancing regulatory expertise with end-to-
end operational support, backed by technology and service
innovation. They value Huntswood’s clear view of best practice
and execution, drawn from their wide-ranging client exposure.
Executive Summary
Ref Theme(s) Recommendations for EPA to progress
he Emerging
T Payments Association Promote training and awareness for financial crime staff across
1 Training and Awareness EPA membership to strengthen understanding of the importance
has produced this white
of their role in tackling serious detriments in society.
paper to explain the nature
of payments-related Collaborate with other trade associations to promote the adoption
of best practice among PSPs for risk management to comply with
financial crime and to 2 Access to Banking
financial crime legislation and thereby enable necessary access to
identify actions that should banking.
be taken, collectively by
Engage with the wider payments industry, innovation hubs,
industry players or together 3 Digital Identity government and regulators to play a part in creating a world-
with regulators and policy leading digital identity solution for the UK.
makers, in order to reduce Support and facilitate approaches within the industry for
the ability of criminals to 4 Transaction Analytics transaction monitoring analytics, extended across payment types
and using a wider range of data sources and analytic techniques.
exploit payments services
and systems as part of their Support sector-wide activity to determine the level and extent of
illegal activities. Information Sharing & Reporting of information that can be shared by government, law enforcement,
5
Financial Crime and payments companies for mutual benefit, through the use of a
common platform and commercial model.
Sponsored by a syndicate
Engage with EPA members to create a shared position on
of EPA members led by 6 Know Your Customer
developing the case for a global approach to KYC standards.
Refinitiv and Barclays, the
white paper addresses Support and facilitate a collaborative member-wide programme to
7 Know Your Customer create minimum standards for due diligence on suppliers of data
the ways that payments services.
services and accounts
are abused in order Support and facilitate a collaborative member-wide programme
8 Know Your Customer to share models and learnings from analysing customer behaviour
to carry out fraud and that members can use with their own data.
money laundering. From
Promote a shared, industry-wide voice, through collaborative
this understanding of 9 Open Banking training and education, to ensure the public is receiving coherent
the current situation, messages on the security of open banking.
the white paper sets out
Engage with National Economic Crime Centre and government to
proposed policy positions facilitate and reward reporting of financial crime by all parties via
10 Reporting of Financial Crime
for the EPA to advocate appropriate groups and channels, and to educate victims about
how reporting helps reduce criminal activity.
for the payments industry
and identifies areas for Provide education and awareness to align firms’ technology
investment programmes with the concentrated programme
collective action by 11 Effective deployment of technology
of industry-wide regulatory, infrastructure and standardisation
EPA members and the changes scheduled for 2019 and the following 3-5 years.
wider industry. These are
Provide education and awareness on specialist technology
summarised in Table 1. 12
Effective deployment of technology,
areas through showcasing and collaborating with EPA members
KYC & Digital Identity
involved in those fields.
Understanding The EPA has set up a Financial Crime Working Group which is already addressing some of these
payments-related recommendations, and which will track and advocate progress of those identified within this report throughout
2019–2022. The EPA can only do this with the active support and engagement of its existing members, and the
financial crime and wider industry.
how it’s changing
Table 1: Recommended actions for EPA to progress
The white paper analyses in
detail the way that criminals
use payment accounts in Laundering is carried of money laundering the UK, and 2.0% of the
the UK for fraud and money out through payments through UK banks and their financial services industry’s
laundering, explaining how including bank transfers, subsidiaries could be “in total revenues. Methods
payments are compromised cash and cheques, and the hundreds of billions of of payments fraud include
across different payment transaction laundering pounds” each year. push payments by taking
types and channels, leading via card payments. While control of another person’s
to a definition of eleven estimates are difficult to Fraud in payments costs account (£150m), tricking
main clusters of the ways produce, the National the UK economy over a genuine payer to send a
criminals exploit payments Crime Agency (NCA) £2.4bn annually. This is £45 payment to a fraudster’s
for crime. recognises that the scale annually for every adult in account (which could
emergingpayments.org 1
be over £1bn per annum, the points of attack. This alongside a payment which
allowing for current under- fragmentation is also will assist institutions in a
reporting), and card-not- occurring in the card number of areas including
present fraud for remote acquiring and issuing fighting financial crime.
“The payments purchases (£310m) in 2017. market. Criminals will
industry needs to attempt to exploit any The EPA sees it has
use technology Criminals continue to perceived weakness, an important role in
evolve their techniques so industry must find providing know-how
collaboratively to in the fast-changing limitations in systems on these changes to
strengthen its fight payments landscape, before they do. emerging payments service
against financial targeting the areas which providers to ensure they
crime, including are perceived to be Payments industry are involved in these
weakest. In some cases, structural changes initiatives. The EPA views
a common digital these weak links may be that all payment providers
and recommended
identity solution, technologies, procedures, have an obligation to
industry response
and large- new businesses, outsourced maintain the integrity
scale analytics services, or simply the Based on the analysis, of the payment industry
customers. Financial the white paper makes a through compliance
of payments crime as a whole changes set of proposals across with relevant financial
transactions” slowly and tactics which areas the EPA considers crime legislation, and this
Tony Craddock, are successful continue to vital for strengthening compliance is critical for
Director General, be used and optimised; the payments industry’s payments providers to
Emerging Payments completely new methods approach to tackling fraud continue to have full access
Association appear rarely. and money laundering, and to banking facilities (see
the important role that the recommendation 2). The
Many current trends EPA can play in this. EPA also considers that
use social engineering. payment providers and
Deceiving customers into The UK payments industry operators need to deploy
making seemingly valid is moving through a period up-to-date technology
payments or tricking of structural change as more extensively and
them into disclosing a result of PSD2 which collaboratively in defence
card or security details came into effect in January of their services and
account for two thirds 2018. Open banking customers, aligned with the
of payment fraud. To presents opportunity for judgment and knowledge
conceal proceeds of crime, further innovation through of skilled staff. The EPA is
money is laundered using the introduction of new going to be an advocate
multiple instruments for market entrants, but also for members through this
concealment including presents challenges as period of unprecedented
by mobile app, card and market participants assess change.
alternative payments. To changing financial crime
further hide transactions, risks associated with Digital Identity: Managing
increasingly complicated the new environment. the authentication of
company structures are Furthermore, the Bank of users’ identity is critical
set up using professional England has announced its for electronic and digital
enabler and unverified timeframes for adoption payments, exploiting
persons, both in the UK and of international payment developments in biometrics
abroad. standard ISO20022 as part and behavioural analytics.
of its renewal of the UK A digital identity in the
The short-term outlook Real Time Gross Settlement UK is a core enabler
is unclear. On one hand service (RTGS). RTGS for ongoing take-up of
the EU’s revised Payment renewal and the adoption digital services, facilitating
Services Directive (PSD2) of the ISO standard across both convenience and
brings in stronger systems the UK payment schemes security for users. The EPA
of authentication for represent a significant advocates that the financial
customers at the point opportunity to ensure the services industry could
1 National Strategic of payment and account UK is adhering to latest work collaboratively to
Assessment of Serious and access. On the other, the global standards, offering drive a broad consortium of
Organised Crime 2018 -
[NCA] 2018 opening up of payment enhanced interoperability banks, payments providers
2 Directive (EU) 2015/2366 of services will introduce a which will assist in more and operators, innovation
the European Parliament and number of other parties efficient payment transfers, hubs, government and
of the Council – [European
Parliament and Council] 2015 to the payments supply as well as increased regulators to create a
chain, thereby increasing capacity to transfer data world-leading digital
2 emergingpayments.org
identity solution. The EPA providers to ensure a level education, to ensure the strategic advice that
will look to engage its playing field. The EPA can public is receiving coherent companies require. The
members in developing a engage its members in messages on the security EPA can also provide
standardised approach that advising on requirements, of open banking. (See training and awareness on
is pragmatic for all players. and on practical recommendation 9) the capabilities of specialist
(See recommendations 3, operating principles and anti-crime technologies
12) business models. (See Improved Reporting of through showcasing
recommendation 5) Financial Crime: The and collaborating with
Transaction Analytics: reporting of cases of EPA members involved
Machine learning and Really knowing your payment fraud is uneven in those fields. (See
artificial intelligence customer: To really know and poorly enforced, recommendations 11,12)
techniques are increasingly your customer, companies resulting in a reduced
being applied to payments need to go beyond and distorted picture Enhanced technology
systems to identify document checking and of the impact on UK capabilities need to be
networks of criminals analyse their behaviour. citizens, businesses and complemented by human
and suspicious payments By preventing bad actors government. The newly experience and judgement
or account behaviour. at account opening and formed National Economic to have the greatest
Initiatives are under performing ongoing Crime Centre will require impact on crime. In this
way for analytics across monitoring of customers, good case information, way, payments companies
central clearing systems, payment companies data and statistics to fight have a vital role in society
for example with Pay.UK will be better placed to financial crime effectively in tackling financial
targeting money-mule prevent payments financial and the EPA believes this crime and the organised
accounts for laundering. crime. Machine learning & is critical to the correct crime it funds. The EPA
The EPA is supportive behavioural analytics build focus and allocation should engage with the
of the Pay.UK initiative up a model of expected of resources. It should industry to promote
and will engage with patterns of legitimate be the responsibility of training and awareness for
industry in developing payment behaviours every PSP to encourage financial crime teams to
opportunities where the and can uncover the their customers to strengthen understanding
analytical capability could increasingly complex report fraud back to of the importance of their
be extended and diversified networks where criminals them and the correct role in tackling serious
across payments types and hide. The EPA can help authorities. Removal detriments in society. (See
analytical methods. (See promote the appropriate of the disincentives recommendation 1). n
recommendation 4) use of their members’ from reporting financial
specialised technologies, crime is also strongly
Financial crime and their members could recommended. This will Call to Action
information sharing: collaborate to create a ensure a comprehensive
In recognition of the
Enhanced information network of trusted data view of the problem
work already under way
sharing on known and sources, shared behaviour and enable a swift across the industry, the
suspected financial crime models and broadcast response to changes in EPA, through its Financial
across the industry, and events. A drive to develop criminal behaviour. (See Crime working group,
with Refinitiv as the
with law enforcement, the case for a global recommendations 5,10)
benefactor, will prioritise
would deliver benefits in approach to KYC standards the recommendations that
enabling greater detection, is also encouraged. (See Effective deployment need EPA leadership to
prevention and prosecution recommendations 6,7,8,11) of technology to fight progress, and collaborate
and engage with other
of financial crime. The financial crime: In
initiatives which benefit the
EPA supports initiatives to Addressing the threats emphasising the role of industry and customers
share information to tackle in open banking: The technology, the report by addressing challenges
financial crime, where new environment of open considers aspects of identified in this paper.
the sharing is inclusive of banking offers potential how technology can be
To find out more
all regulated payments targets for criminals. We effectively deployed. information on the
companies. The EPA also highlight social engineering Companies need to invest EPA Financial Crime
encourages its members against consumers smartly in technology, fully Working Group and
how to get involved,
to engage in the public/ unfamiliar with 3rd-party understanding the busy
contact Thomas Connelly
private partnership initiated providers (TPPs), and schedule of regulatory, (thomas.connelly@
by the Home Office with targeting of TPPs as legislative and industry- emergingpayments.org)
the industry as part of aggregators of payments programme changes
the SARs (suspicious services, for hacking or flowing over the next
activity reports) reform mule accounts. The EPA’s 3-5 years. The EPA could
programme under way. policy approach is to work with its members
Shared information services promote a shared, industry- to provide training and
need to be cost-effective wide voice through support to promote that
for smaller payments collaborative training and longer-term vision and
emergingpayments.org 3
2. Contents
1 Executive Summary.............................................................1
2 Table of Contents................................................................ 4
3 Syndicate Leads...................................................................5
4 Syndicate Associates.........................................................6
5 Introduction............................................................................8
6 Understanding payments-related financial
crime and how it’s changing....................................... 10
6.1 Analysis: “Follow the Money”............................. 10
6.2 Counting the Cost of Financial Crime..............11
6.3 Scale of Payments-related
Financial Crime.......................................................13
6.4 Comparison with global rates of losses
to financial crime...................................................14
6.5 The changing nature of payment-related
financial crime.........................................................14
7 Payments industry policies /
recommendations to tackle financial crime.........20
7.1 Introduction................................................................20
7.2 Digital Identity: an industry approach........... 22
7.3 Transaction Analytics.............................................24
7.4 Financial Crime Information Sharing.............. 25
7.5 Really knowing who the customer is.............. 27
7.6 Addressing Threats in the Open
Banking environment............................................30
7.7 Improved Reporting of Financial Crime.........31
7.8 Effective deployment of technology to fight
financial crime.................................................................... 33
8 Conclusions............................................................................ 35
4 emergingpayments.org
3. Syndicate Leads
Barclays - Syndicate Lead Refinitiv - Syndicate Lead
It has never been more important for industry bodies such Welcome to this pivotal whitepaper on the changing nature of
as the EPA to assist their members in navigating this period financial crime, delivered at a critical time of significant structural
of unprecedented regulatory and structural change for the and regulatory change in the European payments market. In a
payments industry. I am encouraged to see the EPA’s focus global economy where less than 1% of the proceeds of financial
on delivery of education, collaboration, and adoption of best crime are being identified and seized by law enforcement, it is
practice for its members; all of which help to detect and prevent very clear that the current approach to tackling financial crime
financial crime and to promote access to banking and the good needs to be more effective.
functioning of the market.
While banks and payment players continue to invest in
The EPA’s call for targeted investment in technology, supported
technology to deliver groundbreaking digital products, services
by collaborative, member-wide, programmes that will share
and channels, so are the criminals. They circumvent controls,
analytical models and will provide members with awareness
defeat siloed defenses, and exploit vulnerabilities at an
of specialist technology areas is to be welcomed. Technology,
unprecedented scale. The problem is that the criminals don’t sit
supported and delivered through effective public-private
through committees, governance processes, regulatory reviews
partnership, is increasingly important in the fight against
financial crime. More broadly the Home Office’s review of the and compliance reviews before they move. They innovate, adapt,
SAR regime, for example, will harness analytical technology replicate and scale at pace, behind (digital) masks, and profit
to enhance the quality of financial intelligence available to from their actions very quickly, across borders and at massive
competent authorities and the private sector. The launch of Pay. scale. The aim of this paper is to highlight some of the traits of
UK’s Mule Insights Tactical Solution brings together payments these digital criminals, and identify opportunities for the industry
data from multiple banks and overlays it with cutting-edge to work together to take meaningful action to tackle these
proprietary analytics and algorithms to build networks of changing patterns of behavior in an effort to tackle financial
suspected illegal activities, whilst the Bank of England’s initiative crime.
to adopt international payment standard ISO20022 will deliver
new opportunities to assess financial crime risk through by Refinitiv is leading the way in delivering solutions which help
providing PSPs with improved structured payment data. financial institutions to tackle money laundering, and financial
crime, and we are passionate and vocal about the need for
Barclays believes that Government and regulators should create the industry to work together to tackle this abhorrent crime.
a policy framework that incentivises all those in the economic Through global forums like the Coalition to Fight Financial
crime ecosystem to work together, incentivising firms in the Crime, launched with WEF and Europol at Davos in 2018,
economic crime ecosystem to invest in solutions that protect Refinitiv will continue to raise awareness of this issue, and will
their consumers from fraud by stopping the fraud occurring
partner with the industry to solve it.
in the first place. Industry bodies such as the EPA will play a
critical role in this policy effort, by firstly providing clear and
We hope you find value in reading this whitepaper and remain
consistent communications on the threat of financial crime to
here to support you in your efforts to address this issue.
PSPs and consumers, and secondly by engaging their members
in the successful delivery of initiatives such as the Contingent
James Mirfin
Reimbursement Model which will further incentivise Payment
Global Head of Digital Identity & Financial Crime Propositions
Service Providers to better protect consumers from Authorised
Push Payment Scams. These strategic changes present
significant opportunities for industry bodies to collaboratively Che Sidanius
drive effectiveness and to strengthen the UK’s defences against Global Head of Financial Crime & Industry Affairs
economic crime. Barclays is, therefore, pleased to support this
paper and the EPA’s policy recommendations. www.refinitiv.com/en
Geraldine Lawlor
Global Head of Financial Crime
www.barclayscorporate.com
emergingpayments.org 5
4. Syndicate Associates AimBrain AimBrain is an award-winning Biometric Identity as-a-Service (BIDaaS) platform comprising five invisible and visible user authentication modules; 100% biometric, 100% proprietary. Our authentication engine is server-side and based on deep learning, which means that in just a few weeks, we capture 60% more manual fraud at the onboarding stage than an organisation can alone, all with zero changes to the user interface. Our multi-modal approach allows for unique configurations of our passive modules (AimAnomaly Detection and AimBehaviour) and active modules (AimFace, AimVoice and AimFace//LipSync) across any device and any channel. Authenticate the user, not the device. www.aimbrain.com Banking Circle – Global Banking Services Banking Circle is a next-generation provider of mission-critical financial services infrastructure leading the rise of a super- correspondent banking network. Banking Circle empowers financial institutions to support customers’ trading ambitions – domestic and global - whilst reducing risk and the operational cost of transactions. By becoming a member of the Banking Circle, financial institutions can offer their customers banking services – from payments to loans – to help them trade domestically and globally, efficiently and at low cost. Importantly they can help their customers improve cash flow through enhanced speed of settlement whilst remaining fully compliant with financial regulation. www.bankingcircle.com Entersekt Entersekt is an innovator of mobile-first fintech solutions. Its goal is two-fold. Firstly, to help financial institutions and other large enterprises secure their customers’ digital identities, so that end-users can make the most of the service channels available to them. Secondly, to confer on its customers a competitive edge as their industries transform. With Entersekt’s platform in place, organizations can respond to change with agility by confidently launching exciting new digital experiences. www.entersekt.com 6 emergingpayments.org
Napier We are specialists in building Intelligent Compliance Solutions that make it easier and more cost effective for organisations to meet their regulatory requirements. Our cutting-edge solutions for Anti-Money Laundering (AML) and Trade Compliance are used by both financial services firms, and the broader industry sectors. We use AI and Machine Learning (ML) developed in conjunction with academic research that focuses solely on the compliance problems that our applications solve. Using ML in conjunction with user definable rules give the best of both worlds in detection rates, whilst satisfying regulatory requirements. Using both AI and rule based system means that we can significantly reduce false positives whilst increasing the detection rates of false negatives, all in a way that is fully auditable and transparent to the regulator. We provide an Out of the Box end-to-end AML Solution that can be used to augment or completely replace legacy systems. www.napier.ai Paysafe Paysafe is a leading global provider of end-to-end payment solutions. Its core purpose is to enable businesses and consumers to connect and transact seamlessly through industry-leading capabilities in payment processing, digital wallet and online cash solutions. Delivered through an integrated platform, Paysafe solutions are geared toward mobile-initiated transactions, real-time analytics and the convergence between brick-and-mortar and online payments. With over 20 years of online payment experience, a combined transactional volume of US $56 billion in 2017 and approximately 3,000 employees located in 12+ global locations. Paysafe connects businesses and consumers across 200 payment types in over 40 currencies around the world. www.paysafe.com PXP Financial PXP Financial is a complete, omni-channel payment provider that helps businesses to accept payments online and on-premise globally. It offers an online and POS solution, alternative payments, collection services, card acquiring, risk management as well as variety of value-added services: payment pages, reporting, conversion improvement, tokenisation, dynamic currency conversion, instalments and recurring payments across multiple channels. PXP Financial has many years of experience in the payment business and holds an FCA license in the UK, passported to all EU countries, a Money Transmitter license in the US as well as Mastercard and Visa acquiring licenses. The company processes transactions worth €16bn for more than 1000 merchants annually. PXP Financial has offices in the UK, Austria, Bulgaria, India, Australia and in the US with 250 employees from 25 nations www.pxpfinancial.com emergingpayments.org 7
5. Introduction
The Emerging Payments trillion is the estimated for criminals by stealing are targeted by criminals
Association has produced aggregate lost turnover money from the victim. and the current scale and
this white paper to set out as a result of financial Money laundering across level of impact. The analysis
the nature of payments- crimes, according to the the payment systems, highlights particular areas
related financial crime in organizations surveyed together with breaches of where the nature of criminal
the UK and to identify around the world, sanctions or ignoring the threats to payment services
actions that should be representing 3.5% of their risks of PEPs (Politically is changing in the current
taken, collectively by global turnover.”3 Exposed Persons), enables timeframe.
industry players or together the movement of illicit
with regulators and policy According to the funds. The report also The impacts and
makers, to reduce criminals’ International Compliance addresses customer due implications for tackling
ability to exploit payments Association4, financial crime diligence activities that these threats are addressed
services and systems as can be divided into two should give companies for providers and operators
part of their illegal activities. distinct, though related, high confidence they of payments services and
areas of activity. Firstly, understand the nature of payments accounts, firms
Definition of there are activities that their customers’ activities who provide services to
financial crime dishonestly generate wealth and payments. payments institutions to
for those engaged in the combat financial crime,
Why are we addressing financial crime. Secondly, Section 6 of the report and for the end users of
financial crime and what there are the crimes that addresses how payment payments.
do we mean by financial protect illegal wealth services and operations
crime overall? Financial once it has been acquired, Section 7 presents the
crime over the last two to for example through key findings of the white
three decades has become laundering. paper, across seven key
a significant concern to areas of activity vital for
governments across world. Aims and scope strengthening the payments
This stems from the direct for the report industry’s approach
losses incurred, the serious approach to tackling
detriments for individuals Addressing the payments payments financial crime.
and society for example environment, this report
“The serious types In these findings the white
through human trafficking focuses in on the ways that of detriment paper sets out proposed
or terrorist financing, and payments services and include terrorist policy positions for the
the impact on economic systems can be abused in financing EPA to advocate for the
development of societies order to carry out fraud payments industry and
and on the rule of law. and money laundering.
and drug, sex identifies areas for collective
According to a survey in Payments fraud enables and human action by EPA members and
2018 by Refinitiv, “$1.45 the generation of wealth trafficking.” the wider industry.
8 emergingpayments.orgOther important society that run opposite to Within the wider financial providers and system
considerations in respect of anyone’s idea of a just world services industry, payments operators, payment scheme,
scope for the white for all people. These include providers and operators can regulators, government and
paper are: terrorist financing, drug play a vital role in making law enforcement. Ongoing
trafficking, sex trafficking, financial crime harder to training and awareness-
• It addresses retail and human trafficking. (In carry out. This mission raising of the impact of
and small-to-medium a worst kind of example, should be set out clearly this activity, done well,
business payment children are being separated and reinforced frequently is essential across these
services, meaning all from their families and sold to within payments companies. players. n
transactions involving other parties who carry out Hard work to prevent
consumers or SMEs and persistent abuse of them). financial crime is not driven
the corporates that they primarily by regulatory
transact with compliance or by managing
• The analysis includes to a commercially-driven
card-based payments, ‘fraud loss’ budget. It should
bank transfer payments, be driven by payments
and electronic money providers’ responsibility to
(e-money) services. In “Payments disrupt, reduce or prevent
these we consider the providers and the fraud and laundering
roles for criminals acting activity that funds serious Footnotes:
either as end-users or
operators can and organised crime. In 3 The true cost of financial
as intermediaries (for play a vital role in the payments industry, this crime - a global report
[Refinitiv] 2018
example as merchants) in making financial mission can be achieved
4 What is financial crime? -
the payments journey crime harder to by co-ordinated activity [International Compliance
• We approach this from across payment service Association]
the perspective of
carry out.”
UK payments service
providers, primarily
addressing payments
which start and/or end in
the UK. Nevertheless, as
organised crime activity
ICA (International Compliance
spans countries, we
consider where actions Association) definition of
on some issues need to ‘Financial Crime’
be co-ordinated with
other jurisdictions “First, there are those activities that
• This report focuses dishonestly generate wealth for those
only on fiat currency, engaged in the conduct in question.
not crypto-currencies For example, the exploitation of insider
or other unregulated information or the acquisition of
electronic funds (such another person’s property by deceit will
as Linden dollars or ISK invariably be done with the intention of
in Eve Online). We note securing a material benefit. Alternatively,
that further work on a person may engage in deceit to secure
payments financial crime material benefit for another.
could address these
stores of value which Second, there are also financial crimes
are not related to fiat that do not involve the dishonest taking of
currency. a benefit, but that protect a benefit that
has already been obtained or to facilitate
Importance to society the taking of such benefit. An example of
of tackling financial such conduct is where someone attempts
crime to launder criminal proceeds of another
offence in order to place the proceeds
Organised crime groups use beyond the reach of the law.”
fraud and money laundering
Source: ‘What is financial crime?’ International
to fund and facilitate activities Compliance Association
which create the most
serious types of detriment for
emergingpayments.org 9Broadly, financial fraud of payments by exploiting
generates proceeds one of the elements of trust
of crime, and money about a given transaction.
6. Understanding
laundering conceals, moves These assumptions are that
and manages them. This a payment is:
report focusses on the
payments- financial crimes where
payments services are
a) authorised by the payer
b) initiated from the correct
related financial
abused in order to carry out payer to the correct
fraud and money laundering. recipient
c) for a legal purpose
crime and how Conceptually there are
three processes of financial
d) not modified after
initiation
it’s changing
crime related to payments: e) not subject to an
generation and capture incorrect refund or return
of the proceeds of crime, request and in addition,
management of criminal that systems are secure
funds, and extraction or and operate reliably.
re-investment. Figure 1
below shows that, just like Criminals can attack
many businesses, cash payment accounts across
management is important multiple payment initiation
for criminal organisations channels, some which are
not in the control of any
6.1 Analysis: payment provider such as
retailer websites and apps.
“Follow the By analysing payment
Money” initiation channels, payment
instruments and types
Using the investigative of attack (see Table 2),
principle of tracing money it is then possible to see
movements, the analysis patterns of common
here focusses on obtaining attacks across channels
or moving money in support and similar attacks across
of financial crime, with payment instruments.
transactions which start Grouping these
and/or ends in the UK, in a combinations by similarity
recognised fiat currency. results in eleven clusters
Criminals take advantage shown in (see Table 3). For
Money Laundering
Generate Manage Extract
Payment- Disperse Cash-out
related
Crime Obtain assets
Obtain services
Other Crime
Conceal Launder Re-invest
Figure 1: The cycle of financial crime
10 emergingpayments.orgexample, money laundering Attack When Examples
by credit transfers, cheques
and cash is broadly similar The identity associated with Fake account, synthetic identities,
Before authorisation
across all channels. We the payment account is false fraudulent account opening
have therefore grouped
these together as “money
The payment account has Hacking online banking, phishing via
laundering”, whereas illegal Before authorisation
been taken over email and SMS
payments by payment
card is classified as
“transaction laundering” as The payment instrument has Online card fraud, counterfeit cards,
At authorisation
it uses a different method. been abused direct debit fraud, subscription fraud
These eleven clusters of
payments-related financial
crime are unrelated to any The payment is intentionally Invoice or supplier fraud, director or
At authorisation
technical considerations. misdirected CEO fraud
6.2 Counting The payment is illegal At authorisation
Money laundering, terrorist financing,
sanctions-breaches, sales of illegal
the Cost of goods
Financial The payment details have
After authorisation Cheque interception or modification
Crime
been modified
Re-charge fraud, direct debit
With many types of crime, The payment account
After authorisation indemnity fraud, cash withdrawal
facilities have been abused
it is difficult to estimate fraud
the impact, however with
payment-related crime Table 2: Examining seven potential routes for attack
there is always a value
associated with each
payment. This analysis And if only two of those for bribes and making other
focusses on totalling these transactions are identified corrupt payments, and
transaction values. as money laundering, the breaching sanctions.
reported figure might be
While it is worth noting £200. These groups are subject
that fraud is not generally to a requirement on PSPs
disclosed, nor extensively Better and more consistent at least to report any
reported to the police, reporting will make statistics suspicious activity, however
“There is no
some estimates do exist. like these more reliable and it is unclear how the total reliable estimate
This subsection uses data ensure that any changes value of suspicious activity of the total value
from a number of sources, year-on-year are not reports (SARs) raised relates of laundered funds
subsequently verified with merely consequences of to the total value of illegal
financial crime prevention improvement in the process payments. The National
that impacts on
and payment practitioners. In of capturing data. Crime Agency recognises the UK. However,
some cases, data sources are the problem of estimating given the volume
unavailable, incomplete or Money laundering and money laundering: of financial
are known to be inaccurate. illegal payments
“There is no reliable
transactions
In addition, where funds are The category of illegal estimate of the total transiting the UK,
transferred through multiple payments covers two value of laundered funds there is a realistic
transactions, as happens distinct clusters: transaction that impacts on the UK. possibility the
in money laundering and laundering (which uses a card However, given the volume
especially money mule payment to clean money of financial transactions
scale of money
networks, it is difficult paid from a card account transiting the UK, there is laundering
to understand the figure to a merchant, both under a realistic possibility the impacting the
reported. For example, if criminal control) and other scale of money laundering UK annually is
£100 is laundered through money laundering. These impacting the UK annually is
six sequential payment clusters will include payments in the hundreds of billions of
in the hundreds
transactions, is that £100 or made from the proceeds of pounds” - National Strategic of billions of
£600 of money laundering? crime to support terrorists, Assessment, NCA, 2018 pounds.”
emergingpayments.org 11Cluster Method NCA recognised in 2017 always clear. An example
that its previous estimate is merchant fraud, where
from 2016 of up to £90 an individual sets up a
Illegal dealing with
the proceeds of crime billion is a “significant merchant account to
including making payments underestimate”5. receive payment for goods
Money Laundering and services they do not
using credit transfer, cash,
direct debit, cheques and Transaction laundering6 7 8, deliver. In these cases, the
transaction laundering the use of card payments merchant acquirer may be
to handle payments for a left with a debt10. These
third party or to transfer figures are generally not
Abuse payment card, card and wash the proceeds of published by the merchant
Abuse of payment card data or counterfeit cards to crime, is estimated9 to have acquirers and are invisible
make payments
been $159 billion in the US to card schemes.
in 2016 of total card spend
of $3,340billion. Furthermore, some
Convince payer to pay an disputes are brought by
Push payment fraud account under criminal
Assuming that proportion cardholders fraudulently
control
is also correct for the UK, and in some cases may
that would relate to almost be successful in obtaining
Criminal merchant and £46 billion of transaction refunds to which they are
cardholder transactions to laundering; this is likely to not entitled. This is known
Transaction laundering
wash proceeds of crime or be a high estimate for the as first-party card fraud.
conceal seller real figure but is the only
estimate available. Push Payment Fraud
Takeover account to make Generally, there are two
a credit transfer (e.g. Card Payments types of crime related to
Takeover of bank account
Direct Credit/SEPA Credit In addition to general push payments:
Transfer)
cybersecurity
improvements, payment • Hacking into or taking
Dispute payment cards have broadly been control of an account,
fraudulently (aka ‘friendly the focus of industry effort then initiating payments
First-party payment fraud
fraud’) via card, credit
for over 25 years. The • Using social engineering
transfer, direct debit
Chip and PIN programme or other mechanisms to
was introduced to stem persuade a real payer to
Abuse a 3rd party account counterfeit card and some make a payment to an
Direct debit fraud to make a direct debit lost/stolen card crime, account in the control of
payment the cards industry has the fraudster
progressively introduced
security measures such
Accept card payments as the code printed on
Merchant fraud fraudulently (merchant the reverse of the card
fraud) to crack down on online
card fraud. However, since
payment cards can be used
ATM skimming, intercept globally, these initiatives
Cash cash in post, dispute ATM
are partially dependent on
withdrawal
the speed of the slowest
region. For this reason
counterfeit card crime
Abuse e-Wallet (stored Counterfeit Goods.........................48%
against UK-issued cards was
e-Wallet payment fraud value, not card) for criminal
still being undertaken ten Illegal Pharmaceutical Sales....32%
purposes
years after the Chip and PIN Illegal Tobacco.....................................1%
programme had successfully Offensive Adult..................................9%
Modify cheque, intercept completed in the UK.
cheque, issue cheque, Gambling................................................6%
Cheque fraud
takeover account to issue Whilst the card schemes Other.........................................................4%
chequebook, kite cheque record disputes
Figure 3: Breakdown of
about transactions goods sold via transaction
Table 3: Eleven clusters of payments-related financial crime as “chargebacks”, the laundering [Mastercard] 2015
underlying cause is not
12 emergingpayments.orgTRANSACTION LAUNDERING
In addition, the point of
1. 2. Illegal/ transfer from electronic
fake goods payment systems to
physical notes is critical.
This area is targeted
by criminals who use
technology to copy or
intercept card information
Customer Criminal
at ATMs. This is also the
merchant
point where physical
attacks on the ATM itself
are increasing, such as
Criminal Money “Front” violent attacks on the
Launderer Merchant machine using explosives or
cutting torches11.
Figure 2: The two main types of transaction laundering
6.3 Scale of
Whether the payment
is authorised by the
The most recent research
was a survey conducted
due to its anonymity. There
are a number of cash-
Payments-
account-holder or someone back in 2010 by CEBR payment-related crimes related
purporting to be them, the which estimated the annual including ATM skimming,
account-holder is the victim losses at £40m. With better false claims of notes not Financial
and may be unwilling to
report the fraud, especially
reporting, as required of
PSPs by PSD2 from January
dispensed, recording of a
PIN followed by retention
Crime
if it is a business. 2019, the industry could or acquisition of the related
soon know the actual card, and interception Financial crime is widely
For this reason, the scale of losses. of cash payments made unreported and undetected;
this type of attack has gone in the post. Cash is still as such, metrics for loss
unrecognised for many Cash used frequently for and incidence are generally
years Despite the move of money laundering despite inaccurate and unreliable. The
consumers to electronic being bulky, and large- following Table 4 summarises
Direct Debit Fraud payments, cash remains denomination notes estimates based on the
The strengths of the Bacs important in financial crime facilitate this. financial crime clusters.
Direct Debit scheme are
that it’s both easy to use
and protects payers in
the case of error or fraud.
A typical fraud would be
for a criminal to obtain a
new smartphone handset
contract backed by a 0.08%
direct debit for which the 0.07%
fraudster gives a victim’s Fraud share from a card issuer’s perspective
account number and 0.06%
Fraud share from an acquirer’s perspective
possibly name. 0.05%
0.04%
Losses for this fraud
are not counted by the 0.03%
industry and the Direct
0.02%
Debit scheme does not
measure the volume or 0.01%
value of losses. In financial
institutions these claims
DK
GB
FR
IE
MT
SEPA
LU
FI
AT
BE
SE
EA-19
ES
CY
DE
PT
BG
NL
IT
LV
EE
SI
CZ
HR
SK
HU
RO
GR
LT
PL
under the direct debit
indemnity are, in general,
not handled or reviewed by
Figure 4: The UK has one of the highest loss rates to card fraud in the EU, driven by online
the financial crime or fraud fraud. Source: Fifth report on card fraud – [European Central Bank] 2018
teams.
emergingpayments.org 13Cluster Estimated size £million Growth indications12 Refinitiv global estimates,
Money laundering (including
see Table 5 suggests the UK
90,000-200,00013 may be doing a little better
transaction laundering)
Money
Laundering (as much as 20% smaller
Transaction laundering up to 44,10014 losses). However, tackling
incompleteness and
Push payment fraud 1,200-1,50015 inconsistency of detection
and reporting is required
Payment card abuse 63016 for better and more robust
statistics.
First-party payment fraud c16317
Takeover of payment account 15018
6.5 The
changing
Fraud Merchant fraud 7419
nature of
Direct debit fraud c4020 payment-
Cash 1921 related
e-Wallet payment fraud n/a22 n/a
financial crime
Criminals are strongly
Cheque fraud 9.623 motivated to adapt their
methods and targets
Table 4: Estimated scale of payments financial crime for fraud and money
laundering. This section
considers these changes in
Type of addition to the impact of
Refinitiv Global Estimate UK estimated loss as payment industry initiatives,
Financial UK estimates £ billion
for Loss as % of turnover % of turnover
Crime with further analysis and
recommended actions
Fraud 2.5% 1.9% 8727 outlined in section 7.
Bribery and Industry experts and
3.2%
Corruption practitioners are clear
2.9 - 5.3% 136 - 24628 on two points: criminals
Money
3% exploit what is perceived
laundering
as the easiest to exploit
Table 5: Losses due to financial crime extrapolated from Refinitiv’s report - the “path of least
‘The True Cost of Financial Crime’ resistance” - and never
stop creating new ways to
develop current methods.
6.4 survey establishes general Social engineering, one
loss rates as a percentage of of the techniques used
Comparison turnover globally for fraud, to circumvent security,
with global bribery/corruption and
money laundering which are
“The total turnover is used to bypass
technological measures,
for businesses in
rates of losses given below.
the UK is £3,861
educating customers and
staff on whom to trust is
to financial The total turnover for billion and public therefore vital. Regulation
crime
businesses in the UK is has a role to play in
£3,861 billion25 and public
sector spending driving up standards and
sector spending is estimated is estimated at mandating good practice,
Payments-related financial at £800.4 billion26, giving £800.4 billion, but industry-originated
crime is a proportion of all an estimate of £4,661 billion giving an estimate initiatives are important,
financial crime and there total UK turnover. built on consensus and
are variable estimates. In
of £4,661 billion collaboration. The EPA can
Refinitiv’s study24 “The True Comparing these UK total UK turnover.” play a vital role in lobbying
Cost of Financial Crime”, the estimates of loss with the for, shaping and delivering
14 emergingpayments.orgsome of these proposals, Authorised push at £236 million per annum Debit, Pay.UK is developing
which are described and payment scams in 2017, the first year for a new Confirmation of
listed in section 7. One disturbing trend is which a figure was reported. Payee service to tackle the
the growth of fraud by Because banking providers problem. This is intended
A number of significant persuading consumers or typically report only fraud for launch in mid-2019 and
trends are explored in the businesses to make payments which is compensated, these should have an almost
rest of the section. directly to criminal accounts. figures are widely believed immediate effect on this
This has existed for at least to be an underestimate type of fraud. However,
• Authorised push ten years, certainly since a and may not contain some industry professionals
payment scams fraudster convinced Condé unreported fraud affecting believe that the protection
Nast to pay bills of $8m from some consumers, SME and the new service offers
• Mobile app-based their printer to an unrelated corporate customers. It is may be only short-lived
laundering
account in 201129. This set widely believed that the as criminals could work
of scams may be known as true figure is over £1 billion, out how to avoid being
• Social engineering
invoice fraud, CEO fraud, with a sizeable proportion detected and further
• Threats in the Open supplier fraud and many lost in the corporate or measures may need to
Banking environment others, and is frequently government sector. be taken. In a further
enabled by social engineering measure to tackle push
• PSD2 Strong Customer across mainstream digital Indications are that this payment fraud, the FCA
Authentication communications platforms crime is increasing, but the and industry have been
and financial services industry is taking action. working via the PSR’s
• Ultimate Beneficial channels (see social An operational code of ‘Authorised Push Payment
Owner Concealment engineering section, below). practice31 which has been (APP) Scams Steering
The problem was becoming developed has stopped at Group’ to introduce a
• Fragmentation in the
sufficiently acute that the least £25m of fraud losses contingent reimbursement
payment card value
chain consumer association Which? according to the City of model to aid in resolving
raised a super-complaint London Police, but there cases where customers
with the Payment Systems is a way to go yet. Similar have been victims of push
Regulator (PSR) in 2016. to commercial solutions32 payment scams, which will
launched over eleven years exist alongside the dispute
Industry reports30 put losses ago to tackle an almost resolution approach set up
to this second type of crime identical problem in Direct for open banking.
Breakdown of losses
to payments financial
crime not related to
money laundering
Push payment fraud.....................59%
Payment card adbuse.................25%
Takeover of payment account.. 7%
Merchant fraud...................................3%
First-party payment fraud..........2%
Direct debit fraud..............................2%
Cash...........................................................2%
emergingpayments.org 15push payment scams, includes major technology
Increasingly sophisticated attacks on PSPs the technique is also providers. The industry
being used in increasingly along with government and
• A digital bank described a recent fraud attack it had sophisticated ways regulators could explore
suffered, demonstrating the high level of organisation to take over payment further how technology
and capability of the financial crime group. accounts, obtain bank providers might be included
account credentials and in activities and regulatory
• The fraudsters set up a copy of the bank’s website abuse payment cards. requirements for tackling
and online banking login screen, using a website Paradoxically, the increase payments crime.
name very similar to the bank’s genuine name. This of payment card security
required them to set up a web site with an Internet in the US, which has meant Threats in the Open
Service Provider with a domain name from a registrar. the decrease in counterfeit Banking environment
card fraud, has resulted in
• A user’s login credentials were recorded on their site, increased online card fraud The UK’s open banking
before the user was redirected seamlessly to the in both the US and the UK. environment35 has a
genuine bank website. central aim to open up the
Social engineering is market for new payment
• The fraudsters could then login to the user’s account also increasingly used services and a wider
minutes or hours later, and initiate payments to to compromise security range of providers. New
accounts in their control. For security, these payments measures introduced to categories of regulated
triggered a one-time password to the user’s phone; keep payment accounts payment providers (AISP
the criminals phoned the user and duped them into safe. One-Time Passwords & PISP36) allow fintechs,
revealing the password on the pretext of verifying sent via mobile devices established banks and other
their identity. are a major target and it is players to create new value
not just payment providers propositions for customers.
• To drive traffic to their site, the criminal group paid for that criminals attack. Social They do this by combining
key-word search results for the bank’s name, which engineering is used with their own technology with
required the group to operate an AdWords account mobile operators’ customer customer data and payment
with Google. support systems online, in- services from existing
store and over the telephone current account providers.
• Sophisticated criminal projects, such as this one to perform a “SIM swap”34
utilising multiple service providers to deliver or account takeover in order It is up to the payments
seemingly genuine services, are on the rise. to intercept SMS messages industry to ensure that
sent by banks. This is forecast criminals do not exploit
to increase even further as the open nature of the
these security measures platform, by considering
become more prevalent. both regulatory and
One aggravating factor is technology aspects.
that consumers are poorly Even if open banking
educated on security and and its rails may have
tend to trust without thinking. the necessary protection,
Mobile app-based
from users of genuine A number of social external vulnerabilities
laundering
apps. The weak link is engineering methods may move across to open
Transaction laundering, the ability to obtain a require the credibility or banking as it provides
used to launder the merchant facility, directly access that large-scale access to existing services.
proceeds of crime or or indirectly, which calls for social media firms, search Consumers may also be
conceal the seller, has good implementation of firms, and telecoms more easily exploited
been in existence for many merchant due diligence33 providers can provide. This because the facility is new
years. The emerging trend which is addressed in enables fraudsters to make and unfamiliar.
is for this to be done via section 7.5. their scam convincing
criminally developed apps enough that it will dupe One potential example of
on mobile devices where in- Social engineering a majority of customers. this is social engineering
app purchases, purporting Persuading people to This might include setting consumers’ account
to be additional content, bypass processes or up close copies of a bank’s credentials. Consumers
options or functionality, disclose information is website, accessing data who have been conditioned
are used instead of goods. not new but the term via social media accounts, to share sensitive account
The increased difficulty for social engineering is or diverting online search information only with their
fraud prevention is that the recent. In addition to the results to a fraudulent bank, are now being allowed
criminal behaviour may be social engineering used website. The ecosystem for to disclose it to some third
almost indistinguishable to facilitate authorised payments financial crime parties.
16 emergingpayments.orgYou can also read
