.svg)
As instant payment systems open up new opportunities for money mules, regulators from Singapore to the UK have called for greater use of data analytics, and ultimately data sharing, to detect unusual activity.
In the UK, following the launch of the Faster Payment System (FPS) in 2008, fraudsters began to move away from card fraud towards other types.
Since banks had already invested heavily in protecting against card fraud, fraudsters quickly learned that the FPS had its own vulnerabilities that could be easily exploited.
Mike Nathan, head of global solutions consulting at Feedzai, a financial crime risk ops platform, has described this process as a catalyst for the explosion of scams now associated with the internet age.
“Fraudsters realised the biggest vulnerability was no longer the bank itself – it was the customer,” said Nathan. “Hence, they moved to tricking legitimate customers into using scams.”
But being able to defraud a customer of their funds did not necessarily amount to a successful scam. A second step was needed to launder the stolen funds –– which is where "money mules" come in.
FPS and other similar payment systems allow fraudsters to move money between accounts instantly, making the origin of stolen funds harder to trace with each new transfer.
“Once fraudsters have received an instant transfer from their victim, they’ll use the same system to transfer funds to a different mule account, a tactic known as 'layering',” `Nathan said.
“They’ll repeat the process multiple times, to second- and third-generation mules, making it harder for banks to track where the payment ultimately wound up.”
In major jurisdictions, such as the UK and Singapore, money mule activity is an area of increased concern for regulators, which can see that current data protection laws do not lend themselves to quickly identifying this type of fraud.
Similarly, in Denmark last month, local bank association Finans Denmark called on lawmakers to give banks authorisation to share data in the fight against rising fraud.
"We have good cooperation with the authorities, but it's just not enough, because the legislation stands in the way if the problems are to be seriously solved,” said Kjeld Gosvig-Jensen, legal director at Finans Danmark.
Currently, there is a cat-and-mouse game between fraudsters and financial service firms, which the fraudsters appear to be winning.
In the UK, in the first half of 2022, criminals stole £609m through authorised and unauthorised fraud and scams. This was a slight decrease from the record-high of H1 2021 during the COVID-19 pandemic, but is still comfortably higher than in H1 2020.
In Singapore, scam cases reported to the police increased over 30 percent in the past year, rising from 23,933 cases in 2021 to 31,728 cases in 2022. In total, victims in Singapore lost $660m to scams in 2022, up from $632m in 2021.
In response, Singapore police launched an Anti-Scam Command (ASCom) in March 2022. By the end of the year, ASCom had coordinated 12 operations, resulting in the arrest of more than 3,900 scammers and money mules.
Taking the fight to the mules
In September last year, the UK’s Payments System Regulator (PSR), hosted an APP Fraud TechSprint, where firms were invited to showcase new and existing technologies that can help identify fraud at source and prevent money mule activity.
Last week, speaking at a Payments Association (PA) event, PSR technical specialist Nick Davey said that most firms showcased enhanced data sharing solutions using a cross-sector approach.
Following the launch of Confirmation of Payee (COP) and the Contingent Reimbursement Model (CRM) Code in 2019, Davey said that banks and PSPs are now comfortable with sharing certain basic data with each other.
But to catch money mules that facilitate this type of fraud, he said more data needs to be shared across sectors.
“Based on anecdotal data, we know a lot of these frauds are driven by false adverts on social media platforms or mules that are recruited through those,” he said.
“There should be information moving both ways between the banking sector and those sectors like telcos and social media.”
However, as Davey noted, there is currently no standardised system for collecting or sharing such data, and there is no consensus as to whether this kind of sharing is permitted under the General Protection of Data Regulation (GDPR).
Personally, Davey believes that the GDPR does permit this kind of data sharing, since it’s in the interests of the customer that they are not defrauded, if it can be prevented.
Similarly, in Singapore last week, central bank minister Tharman Shanmugaratnam responded to a parliamentary question on bank due diligence in the detection and prevention of money mule activity.
Shanmugaratnam noted that in March 2022, an amended version of MAS Notice 626 on the prevention of money laundering and countering the financing of terrorism came into effect for banks.
Alongside it, an advisory was published reminding banks that they are “under a duty” to determine whether an account has a beneficial owner other than the person or entity dealing ex facie with the bank.
Shanmugaratnam added that MAS has encouraged banks to use data analytics to improve their ability to detect money mules and has promoted the sharing of emerging mule typologies across the industry.
“These efforts have led to greater industry awareness and action, and contributed to credible intelligence being shared with law enforcement agencies for their investigations,” he said.
Data sharing and analytics solutions
In 2018, in partnership with Pay.UK, Mastercard launched Mule Insights Tactical Solution (MITS), a product that uses network-level transaction data to trace money through the real-time payments system.
MITS alerts financial institutions to suspected money laundering accounts and enables institutions to work together at an industry level to shut down mule networks.
Jonathan Anastasia, executive vice president of cyber and intelligence at Mastercard, told VIXIO PaymentsCompliance that banks’ ability to mitigate this type of fraud is often limited to what they can see within “their own four walls”.
But, by working together using network-level data, they can better understand the flow of funds or suspicion of activities.
“In the UK, tackling these issues collaboratively has been proven to increase detection of money mules and the ability to mitigate scams and frauds,” he said.
“This has been achieved through co-operation and the use of network-level data principles to ‘stitch together’ the insights.”
Feedzai, which claims to power 80 percent of Fortune500 companies via its risk-ops platform, uses an event stream processing engine that allows banks, PSPs and acquirers to control their fraud risk by analysing entire volumes of transaction data in real time.
As Nathan told VIXIO, Feedzai works by assigning a wide range of behavioural markers to individual users, accounts, devices, locations and IP addresses to detect unusual activity.
Feedzai can then look back across the entire history of a user’s transaction data, and can create a baseline for what constitutes “normal” behaviour.
“If you think about how humans operate in the world, they tend to be creatures of habit, and they interact with their devices in a similar way,” said Nathan.
“By understanding the users and creating these behavioural elements, we're then able to use models and machine learning to create risk scores.”
