Historically, when a customer requested a payment to an account with another bank, it was possible for the sending bank to check with the receiving bank that all is well BEFORE the payment was released. Or, immediately after a fraud was detected, the sending bank could "recall" the payment.
This level of interbank-cooperation for fraud prevention and loss recovery purposes has always taken place in the UK particularly between those firms that were CIFAS members, but it often relied on a phone call by the sending bank and someone answering that phone at the recieving bank.
Even then, it wasn’t guaranteed that a fraud would be stopped or the receiving account frozen.
Unbelievably, for many years after the introduction of the UK Faster Payments Scheme in 2007, such calls at weekends and after 5pm wouldn’t get answered unitl the next business day, despite it being possible for customers to make 24/7/365 faster payments up to £100,000.
By the time the victims bank began chasing the money, the fraudsters were usually several steps ahead.
On one invoice redirection fraud I saw for involved a £1.2m CHAPS authorised push payment , the proceeds were moved on via over 200 mule accounts. This all happened within a matter of hours, long before the customer noticed, never mind the banks talking to each other. Virtually no money was recovered.
.
There have been recent attempts to by payment providers to take a “network view” and profile beneficiary accounts, for example to provide a real-time beneficiary account mule risk score to the sending bank before the payment is made.
Such cross-industry schemes have fantastic potential, but banks don't need to wait for them to be developed.
Instead of waiting for an induatry solution, individual fraud teams can get to work now.
Simple solutions can be built quickly and at low cost.
For example: An incoming large payment to a relatively new account of yours; one with few direct debits for bills, minimal spend and no regular salary is a no-brainer. It’s high risk. DO NOT ALLOW THE HOLDER TO WITHDRAW THOSE FUNDS UNTIL YOU’VE INVESTIGATED THEIR SOURCE.
Taking such an approach is simple, highly effective and has minimal impact on genuine customers. There will be a handful of payments each day that warrant your attention. Even though you are potentially freezing an account after it's had the money sitting in it for half an hour, it's surprising how often the cash is still there.
This may be as simple as the fraud team getting given a plain text file of incoming faster payments from their IT department every 10 minutes or so. It's a relatively simple IT job to schedule this to happen automatically.
The payment file can be imported to XL, perhaps along with other information, such as customer DOB, date of account opening, previous credit turnover, CIFAS markers, occupation if you've got a talented analyst in your fraud team.
A half-decent fraud investigator will be able to spot the mules on this XL list from a mile away and it's then a simple job of freezing the account quickly and moving on to the next one.
Hand off the frozen accounts elsewhere for further investigation. Afterall, there's reasonable grounds to suspect the account may have received the proceeds of crime and your firm probably has established processes for handling it from then on.
Many banks have also begun to feed real-time incoming payment data into their outbound payment fraud defence systems.
This allows a more complete risk assessment to be undertaken....if a customer has reqested a £10k payment to be made to a new beneficiary, it is helpful for your fraud defence system to know that the customer received £11k into their account 20 minutes earlier. If this is the largest such transaction the customer has ever made then alarm bells should start ringing.
If your bank isn't yet doing this, you need to find out why.
When the above approach yields results, it's worth expanding your data set and your operating hours. It's also worth speaking to your colleagues in the AML Transaction Monitoring team.
If the fraud team are spotting money laundering in near real-time, then you'd hope that the same accounts would be triggering AML TM rules to fire at some point down the track...if not, why not? And if the AML TM rules did fire, great...the fraud team has probably already done the work and filed a suspicious activity report, so the AML Team can move on - no need to duplicate effort.
In this way, the fraud teams work can be cost neutral - you're simply working AML TM cases earlier in the lifecycle - with a much better chance of actually preventing money laundering as opposed to just reporting on it after the fact.
Those payment processing firms with “thin” KYC files and minimal knowledge of their customers really need to decide whether they are correctly equipped to assess the mule opportunity their model provides to organised crime and whether something more simple (like a daily/weekly/monthly maximum credit turnover limit) is required if they aren’t in a position to identify/investigate such payments effectively.
Know Your Customer - if not, don't let them rapidly move large amounts of cash.
It’s approaches such as those outlined above which are leading to the differences in the APP fraud receiving values (published by the Payments Systems Regulator https://www.psr.org.uk/information-for-consumers/app-fraud-performance-data/) being processed through some firms - those firms that aren’t joining these simple dots are being targeted by organised crime and are a conduit for large scale money laundering.
Jason Costain
Jason has worked in banking fraud prevention for 25 years, running fraud and financial crime defence teams at some of the UK’s best-known firms. He first began tackling APP fraud cases over 15 years ago and has been leading UK firms to improve their APP fraud detection and prevention ever since.
Organisations can contact Jason via LinkedIn for a free fraud health check
Further resources at Javloc.com
Comments