The FCA has published some key findings from its review of the systems and controls used by payment account providers to tackle money mule activities. These findings come before the publication of a money mules action plan by the Home Office, which is due in the coming weeks.
What are money mules and how do they operate?
Money mules are individuals who assist fraudsters in their criminal activities. They either willingly agree, or are unwittingly exploited by criminals, to provide their bank account details to store illicit funds. Money mules often have no prior criminal record and are able to bypass the anti-fraud systems and controls that payment account providers use to impede any illicit activity on their platforms. They represent an important cog in the money laundering machine that fraudsters use to conceal the proceeds of their crimes.
The focus of the review
The review conducted by the FCA focused on the systems and controls put in place by payments service providers, including e-money institutions, to detect and prevent money mule activities. It evaluated the controls firms use during onboarding, monitoring, and reporting.
Lessons to be learned
The FCA shared these key findings “so that others can learn from it”.
The review identifies good practices adopted by financial services firms and, most importantly, areas where firms are expected to do more to prevent money mules from exploiting unaddressed weaknesses and vulnerabilities.
So, what can firms learn from these findings?
Implement new technologies…
- The FCA found that firms are making wider use of new technologies to minimise the risks deriving from rule-based systems, which lack the flexibility needed to tackle the ever-changing tactics employed by fraudsters.
- Money mule-type activities are often perpetrated using one device for multiple accounts. The FCA found that incorporating device profiling, geo-location and behavioural biometrics into onboarding controls increases the likelihood of detecting unlawful activities.
… be aware that those tools will be used by humans…
- The regulator observed that firms are increasingly using machine learning models to detect suspicious customer behaviour. However, these models require a large amount of data, which is often not available, and take considerable time to train. Most importantly, firms need to be able to explain how these tools work and how to use them effectively to detect fraud.
- The FCA found that analysts at some firms were uncertain about the criteria that triggered the alerts in the machine learning tools. Firms need to address the “black box problem” and understand the reasons behind these alerts.
…and don’t forget to report!
- The FCA observed that in some cases Suspicious Activity Reports (SARs) were not raised or firms were too slow to raise them, seriously hindering the ability of law enforcement to investigate and prosecute these criminal activities.
- The FCA found that collaboration between firms can help to disrupt mule activities and stop the mule networks. According to the FCA, using reporting systems to first analyse and detect suspicious flows of funds between firms and later notify and alert other firms “can help to combat this prevalent issue”.
With thanks to Elton Qemali for writing this post.