Please enable JavaScript to view the comments powered by Disqus.

We use cookies on our website to give you the best online experience. Please know that if you continue to browse on our site, you agree to this use. You can always block or disable cookies using your browser settings. To find out more, please review our privacy policy.

About


Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.

Comment Standards:
Comments are moderated and will not appear until the moderator has approved them.

Please submit appropriate comments. Inappropriate comments include content that is abusive, harassing, or threatening; obscene, vulgar, or profane; an attack of a personal nature; or overtly political.

In addition, no off-topic remarks or spam is permitted.

February 10, 2020

Slowing Down the Mule Train

Slowing down the money mule train, that is. Money mules are those individuals who transfer money or goods received through fraudulent schemes on behalf of or at the direction of a criminal enterprise, often based outside the United States. It's a form of money laundering.

In December 2019, the FBI announced it was collaborating with other domestic and international law enforcement agencies to identify, stop, and prosecute major money mule networks. Two months later, it claimed that the operation had stopped the illegal actions of more than 600 domestic money mules—a 50 percent increase in their success rate over the entire previous year. (The U.S. efforts coincided with the European Money Mule Action, led by Europol, the European Union's agency that combats crime and terrorism.)

So who are these money mules and how are they recruited? The money mules fall into two main groups: innocent participants and those people who are as criminal as the leaders of the fraud schemes. It's the money mules who take the greatest risk; the leaders of the schemes use them to insulate themselves from arrest and prosecution.

The first group, the naïve participants, are generally recruited through online ads, résumés submitted to mainstream job search sites, or emails promising work-from-home employment as a "payment processing" or "money transfer" agent. Upon being "hired," these people must provide their bank account information so that deposits can be made to their accounts. If the victims say they want to open a new account to process these transactions, the contact dissuades them from doing so because new accounts face additional scrutiny and restrictions. When a deposit is made, a mule has to transfer those funds, minus the "commission," to another bank account. That account is usually outside the United States so the transfer occurs through an international money transfer service. The mule might also be asked to purchase gift cards, load funds onto them, and then provide the card numbers and PINs to the contact. Individual transactions are generally under $10,000 to avoid the filing of currency transaction reports or suspicious activity reports.

Sometimes truly innocent participants are caught in a "cuckoo smurfing" scheme. In this scenario, someone's bank account credentials are compromised without that person's knowledge. The criminal deposits or transfers money into the account and quickly moves it over to another account. The innocent participant isn't aware of this transaction until he or she checks the account.

However, the vast majority of money mules are people who clearly know they are acting illegally. They are often part of local, national, or international gangs, and use the proceeds of money mule activities to fund other criminal activities.

While there have been a number of enforcement successes, including the effort announced by the FBI, the constant attention being given to this problem indicates it persists. Hats off to all the various law enforcement agencies involved in this money mule crackdown. Hopefully, the increased publicity will prevent individuals from unknowingly becoming part of these networks as well as highlight the scams used to victimize others. What other actions do you think will help curb this type of crime?

September 10, 2018

The Case of the Disappearing ATM

The longtime distribution goal of a major soft drink company is to have their product "within an arm's reach of desire." This goal might also be applied to ATMs—the United States has one of the highest concentration of ATMs per adult. In a recent post, I highlighted some of the findings from an ATM locational study conducted by a team of economics professors from the University of North Florida. Among their findings, for example, was that of the approximately 470,000 ATMs and cash dispensers in the United States, about 59 percent have been placed and are operated by independent entrepreneurs. Further, these independently owned ATMs "tend to be located in areas with less population, lower population density, lower median and average income (household and disposable), lower labor force participation rate, less college-educated population, higher unemployment rate, and lower home values."

This finding directly relates to the issue of financial inclusion, an issue that is a concern of the Federal Reserve's. A 2016 study by Accenture pointed "to the ATM as one of the most important channels, which can be leveraged for the provision of basic financial services to the underserved." I think most would agree that the majority of the unbanked and underbanked population is likely to reside in the demographic areas described above. One could conclude that the independent ATM operators are fulfilling a demand of people in these areas for access to cash, their primary method of payment.

Unfortunately for these communities, a number of independent operators are having to shut down and remove their ATMs because their banking relationships are being terminated. These closures started in late 2014, but a larger wave of account closures has been occurring over the last several months. In many cases, the operators are given no reason for the sudden termination. Some operators believe their settlement bank views them as a high-risk business related to money laundering, since the primary product of the ATM is cash. Financial institutions may incorrectly group these operators with money service businesses (MSB), even though state regulators do not consider them to be MSBs. Earlier this year, the U.S. House Financial Services Subcommittee on Financial Institutions and Consumer Credit held a hearing over concerns that this de-risking could be blocking consumers' (and small businesses') access to financial products and services. You can watch the hearing on video (the hearing actually begins at 16:40).

While a financial institution should certainly monitor its customer accounts to ensure compliance with its risk tolerance and compliance policies, we have to ask if the independent ATM operators are being painted with a risk brush that is too broad. The reality is that it is extremely difficult for an ATM operator to funnel "dirty money" through an ATM. First, to gain access to the various ATM networks, the operator has to be sponsored by a financial institution (FI). In the sponsorship process, the FI rigorously reviews the operator's financial stability and other business operations as well as compliance with BSA/AML because the FI sponsor is ultimately responsible for any network violations. Second, the networks handling the transaction are completely independent from the ATM owners. They produce financial reports that show the amount of funds that an ATM dispenses in any given period and generate the settlement transactions. These networks maintain controls that clearly document the funds flowing through the ATM, and a review of the settlement account activity would quickly identify any suspicious activity.

The industry groups representing the independent ATM operators appear to have gained a sympathetic ear from legislators and, to some degree, regulators. But the sympathy hasn't extended to those financial institutions that are accelerating account closures in some areas. We will continue to monitor this issue and report any major developments. Please let us know your thoughts.

Photo of David Lott By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

July 18, 2016

The 411 on Banning the RCC

Are you proficient in recognizing phone scams? One that I've frequently experienced is when the caller tells me I've won a cruise and all I have to do is pay the taxes. To help combat phone fraud, the Federal Trade Commission (FTC) amended the Telemarketing Sales Rule. Part of the amendment prohibits payment types commonly used in deceptive and abusive telemarketing practices. Effective June 13, 2016, telemarketers can't ask for payment by cash-to-cash money transfers, PINs from cash reload cards, or bank account information, which would allow them to create a remotely created check (RCC). Fraudsters prefer RCCs because reversals are more difficult, notes the FTC. In particular, RCCs sail quickly through the clearing and settlement process making for easy collection by fraudsters and clunky adjustment processes for financial institutions.

Financial institutions (FIs) are the gatekeepers to payment systems and, with the amendment to the rule, have a new risk for what their customers do. FIs have always had the compliance risk of understanding their customer's business. As an FI, how would you know if you had a telemarketing customer already on board or one attempting to apply today? Further, how would you know if a current customer is accepting payment via RCC, since RCCs look like traditional checks? If you have third-party processors as customers, these questions become more difficult. Then, the risk is to identify if your customer's customer is a telemarketer processing banned payments through your bank.

Most agreements between FIs and business customers typically include a clause binding their customers to process payments in compliance with applicable laws of the United States. What additional steps should FIs take to manage the risks that apply to different industries and different payment types?

There are limited ways to identify RCCs because such items are cleared like traditional checks. Effective November 2015, the standards for the MICR (magnetic ink character recognition) line were changed to include a "6" in a certain position in the line to indicate an RCC. This is a standard and not a requirement. But if the 6 is used, that is one way to identify an RCC. If the standard is not used, nothing uniquely identifies an item as an RCC unless one examines the signature block on the check, since RCCs have no signature. An FI or a processor may not have the ability to look at every item included in every deposit, but could have random testing in place to attempt to identify the illegal use of RCCs.

Another indicator of deceptive practices by a business customer is anomalies in return rates. A large number of adjustments may signal that abuses are taking place. An RCC is often confused with an ACH entry and some telemarketers may convert their RCCs to ACH to spread out alarming return rates.

It will be all hands on deck to stop abusive RCC practices, but the FTC has charted the course with its new rulemaking.

Photo of Jessica Trundley By Jessica J. Trundley, AAP, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

April 6, 2015

What Can Parenting Teach Us about Data Security?

My older child often asks if he can play at his friend's Mac's house. If his homework is completed, my wife and I will give him the green light, as we are comfortable with where he is heading. This level of comfort comes from our due diligence of getting to know Mac's parents and even the different sitters who watch the children when Mac's parents might be working late. Things often get more challenging when he calls to tell us that he and Mac want to go to another friend's house. And this might not be the last request as our son might end up at yet another friend's house before finding his way home for dinner. We might not be familiar with these other environments beyond Mac's house so we often have to rely on other parents' or sitters' judgment and due diligence when deciding whether or not it is okay for our son to go. Regardless of under whose supervision he falls, we, as his parents, are ultimately responsible for his well-being and want to know where he is and who he is with.

As I think about my responsibility in protecting my children in their many different environments, I realize that parenting is an excellent metaphor for vendor risk management and data security. For financial institutions (FI), it is highly likely that they are intimately familiar with their core banking service providers. For merchants, the same can probably be said for their merchant acquiring relationship.

However, what about the relationships these direct vendors have with other third parties that could access your customers' valuable data? While it probably isn't feasible for FIs and merchants to be intimately familiar with the potentially hundreds of parties that have access to their information, they should be familiar with the policies and procedures and due diligence processes of their direct vendors as it relates to their vendor management programs.

In today's ever-connected world, with literally thousands of third-party solution providers, it is necessary for FIs and merchants to be familiar with who all has access to their customers' data and with the different places this data resides. Knowing this information, it is then important to assess whether or not you are comfortable with the entity you are entrusting with your customers' data. Just as I am responsible for ensuring my children's safety no matter where or who they are with, financial institutions and merchants are ultimately responsible for protecting their customers' data. This difficult endeavor should not be taken lightly. Beyond the financial risks of fraud losses associated with stolen or lost data, businesses might also be subject to compliance-related fines. And you are highly likely to take a negative hit to your reputation. What are you doing to ensure various third-parties are protecting your sensitive data?

Photo of Douglas King By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed