Izabella Kaminska considers the following as important: Uncategorised
What we have discovered is that there are an additional 6,000-10,000 merchants that are out there online accepting cards and sending transaction data through one or more of the acquirer’s portfolios. The acquirer is processing 10,000 more merchants and they don’t know who they are. They can be anyone. The acquirer is completely unaware of the significance of these transactions.
That’s from Ron Teicher, CEO of Evercompliant, an Israeli company that focused on transaction laundering detection and prevention.
It is a startling statistic. Notably it suggests anti-money laundering (AML) and know-your-customer (KYC) regulations brought in post-crisis may have been entirely ineffective. And, of course, that criminals have an endless capacity to adapt.
The scam is simple. Rather than setting up bricks and mortar front businesses to launder profits from illicit activities, those who peddle illegal goods — from drugs to weapons and gambling services — set up fake web stores that appear to sell legitimate goods instead. (The more virtual those fake goods are, the better and easier for them.) These fake stores are then onboarded onto merchant processor systems and used as fronts to process entirely illegal transactions through. Technically, customers provide credit card authorisation details to the illegal stores, but these are transferred over to the fake sites for processing.
Worryingly, Teicher says regulators are entirely behind the curve on this. Most don’t even know about it. Even worse, banks and processors don’t seem to care about the problem either.
To the contrary, most banks are so busy spending $$$ applying AML and KYC procedures to conventional client accounts — and areas they know regulators will be watching — they’re entirely unmotivated to do the same on the merchant side. Until threatened with penalties of course.
The vulnerabilities, as ever, relate to complexity and scale, as well as pressure to open up banking to new entrants.
In their desperation to onboard as many new customers as possible, as well as to outsource as much of the high-cost retail customer acquisition work to fintechs as possible, banks have inadvertently created a blindspot in their own networks.
Teicher told us:
In the last few years we have had a new layer added to the payment chain. We are talking about payment service providers and facilitators, the [xxxxx] and [xxxxx] of the world, who all talk about frictionless onboarding. It’s very quick and they take everybody. And we’ve created very good access facilities to payments for freelancers, taxi drivers, small entrepreneurs… all these people have access. The banks would not have gone through the hassle of onboarding all of them. But while this is really great for them, what is missing is that the risk management level is not the same as you would have in a bank. Meanwhile the lack of visibility of the end merchant to the bank means the bank does not see who is underneath, and so it becomes more complex to understand where the transaction really starts and ends.
This is a glaring admission.
As it stands most fintechs outsource third-party verification to other fintech specialists — adding additional layers of complexity and vulnerability to the process. One need only look at the data sharing T&Cs of some of the major fintech processors to marvel at the sheer volume of third-party authenticators customer data is currently shared with. If they were charged with the responsibility of having to continuously watch the watchers too this would be entirely non-economical and defy the point of outsourcing in the first place.
The crooks, of course, know this. They also know they need only exploit real identities (stolen or their own) and a near limitless amount of merchant accounts is potentially within their reach. If for some reason barriers do emerge, meanwhile, they can still partner up with legitimate cleared entities on a commission sharing basis to gain access into the system. There’s also always the option of dazzling authenticators and verifiers with the sheer volume of application requests, something Teicher calls the micro-merchant phenomenon, facilitated by the hugely reduced cost of setting up, hosting and running merchant websites.
And if all that fails there’s still something called affiliate fraud: a growing problem in an e-commerce world where content producers have an incentive to engage in revenue sharing deals with those who can further their reach into new markets. As Teicher notes, talking from the perspective of a fraudster:
I can become an affiliate in the high risk industry – so think forex, adult entertainment and nutraceuticals. This is a legitimate way to promote goods. For the merchant it’s a great situation, as he is willing to pay a commission on success and is just enjoying the revenue. The affiliate is able to sell and the merchant doesn’t have to pay anything. However in the high risk industry the commissions are very high. So say, I (as a merchant) am running a website… and there are other people setting up who use my content, I can pay them 70 per cent of the sale because they are spreading my product.
In that set up, the fraudster passes on 30 per cent of his proceeds to the primary merchant, which simply turns into the cost of doing business.
In all, what seems to have happened is that the desire to grow quickly and at any cost has reduced the due diligence process at the core of banking to an entirely game-able box-ticking exercise. Real banks could never get away with such shoddy practices. Moreover, they know it would never be cost effective to apply proper processes to such small-scale enterprises.
True due diligence requires detective work and highly bespoke processes which often require the need to scour merchant balance sheets and p&ls; ask difficult questions about the sources of income; seek testimonials from those willing to endorse them and so forth. And, most importantly of all, human instinct and judgement.
But in a world where e-commerce constitutes almost anything, and where clicks equal currency, how can an acquirer ever really be sure revenues are being received in exchange for legitimate content? Proper due diligence would require merchant site visits, behavioural monitoring, user surveys, click origination investigations and so forth. Most of the time, if there’s any doubt, it’s just easier to say no. Which of course is why banks weren’t doing the business in the first place.
Fintechs, ever confident, are convinced that machine learning and AI processes will solve these problems soon enough. But this is naive. Even if AI was able to faithfully detect fraudulent activity, what exactly would be the consequence for the perpetrators? Jail time? Clearly not when it’s happening at this scale. Jail-time would bankrupt the system. Fines? Who exactly would pay for the legal costs of imposing them fairly? Behavioural reconditioning? That’s the same problem as jail time.
The primary consequence would have to be financial exclusion — which of course would bring us back to square one or encourage the emergence of rival black-market financial networks (like bitcoin) that aim to challenge the “cleared” ones.
The truth, sadly, is that the rise of transaction laundering is only the symptom of a much graver social ailment. One that fintech is unlikely ever to be able to cure. That is the evisceration of society’s shared collective interest not to cheat the system at somebody else’s expense.