ECommerce has produced a multitude of new payment methods, including e-wallets, virtual currency, mobile and wearables. Unfortunately, it has also yielded a horde of new fraud categories.
One form, transaction laundering, allows prohibited merchants to find safe passage into the payment system by exploiting valid merchant accounts. The payments industry is staring down the barrel, with no limits to the fraud and brand damaging activity.
1. It breaks laws
Transaction laundering violates the merchant’s agreement with its acquirer and may flout anti-money-laundering (AML) laws. The Federal Trade Commission (FTC) and the Department of Justice (DOJ) expect the financial industry to keep fraud out of payment systems. The Federal Financial Institutions Examination Council (FFIEC), Financial Crimes Enforcement Network (FinCEN), and the Consumer Financial Protection Bureau (CFPB) all have supervisory and examination authority that extends to acquiring banks, payment processors, and financial institutions involved in consumer financial products and services. Criminals can peddle illegal drugs, counterfeit goods, unlawful pornography, and unlicensed gambling, funneling the payments from other undisclosed websites.
"Unfortunately for the card industry, the Financial Crimes Enforcement Network sees transaction laundering as variations on well-documented AML themes,” points out Ed Wilson, Partner at Venable, LLP. “In view of this, the payments industry should expect little patience from FinCEN."
2. It can lead to card fines, penalties and loss of bank sponsorship
Transaction laundering is being taken seriously by card networks. On July 1, 2015, MasterCard announced a formalized program with incentives to monitor and detect transaction laundering. Some acquirers and processors have been caught off guard in recent years by card-brand fines and penalties for transaction laundering activity. An increasing number of FFIEC examinations of payment processors and merchant acquirers further demonstrate that all participants in the payment services industry are being held accountable. Substantial penalties, loss of sponsorship, and industry-wide bans are impacting financial participants who fail to prevent uninvited (or unknown) guests from gaining access to the payments system. “The threat of fines and regulatory interest was enough that we took action. We implemented additional measures to thwart transaction laundering by first ensuring our current portfolio is clear,” stated Marcus Smith, SVP of Risk for iPayment.
3. It is difficult to detect
Violating transactions can enter in multiple places along the payments chain. Life would be easier if all transactions flowed through the payment system in a consistent way, such as eCommerce authorization and settlement traveling from shopping cart to gateway to processor to bank. But it’s not so easy. A shopping cart may go directly to a bank. Or two gateways may have a relationship. Or a gateway may funnel through a processor sometimes and a bank sometimes. The answer is never obvious.
There are hundreds of companies and thousands of permutations. The key challenge is separating laundered transactions from legitimate transactions.
Merchants may be victims. Some may be exploited by dishonest employees or by fraudsters registered for their affiliate program specifically to deliver transactions that originated on illicit sites. In one case identified by G2 Web Services, a pornographic site committed affiliate fraud by entering their customer’s payment information onto a software download site and earning an affiliate commission. But the vast majority of merchants involved in transaction laundering are complicit. They often create “front” businesses or allow lawbreaking acquaintances to use their merchant accounts.
"Transaction laundering continues to be a growing problem for the acquiring industry. The culprits are shrewd, skillful and global,” says Deana Rich, president of Rich Consulting, a specialist in risk management and compliance for acquirers.
4. It comes in many forms
The first question concerns business legitimacy. Is it real or a façade? Can you go to the store or site, purchase a product and have it delivered? Is there a coherent consumer experience? Or is the checkout process broken or otherwise incomplete?
The second question concerns the character of the business principals. Are they honest or malicious? Are merchants making understandable mistakes or intentionally taking advantage of acquirers? The little lies hide big lies—the use of illegitimate or semi-legitimate front companies hides activities behind the laundering. Fraudsters are not just small-time shadowy figures hiding in the Internet. Ex-NBA All-Star Chris Gatling was arrested in May after he laundered credit card transactions through a fitness studio. His actions caused the owner to lose her business.
With an impending widespread shift to EMV (Europay, MasterCard, and Visa) standards, there is a liability change pushing more fraud to CNP (Card Not Present) environments. The agreed-upon prediction is that EMV cards and hardware will boost security for POS systems. This is good news. But in reality, fraud won’t disappear, as fraudsters will merely transfer their criminal activity online.
Bad actors have evolved, broadening their capabilities to make it harder for financial and legal establishments to detect. Rather than openly using monitored merchant accounts because they are scrutinized by acquirers, the perpetrators behind the merchant seek more covert methods of processing payments. And they don’t give up easily. More than 25 percent of terminated accounts find their way back into the payment system with operations mostly intact. Many more resurface in disguised form. A full 50 percent of violating websites exploit the payment system without registering for merchant accounts.
"The merchant acquiring industry has gotten pretty good at monitoring traditional merchant websites for brand damaging and illegal content,” says Allison Guidette, CEO of G2 Web Services. “Now fraudsters — think of them as the mole in the carnival game whack-a-mole — are increasingly turning to transaction laundering as a way to gain access to payments and perpetuate crimes as we close off their avenues through traditional monitoring websites."
A wide variety of businesses can serve as transaction launderers. Beliefs about high- and low-risk business types can negatively bias risk professionals from performing meaningful investigations. Successful transaction launderers are skilled at hiding illicit transactions in the midst of real transactions. Through the last 11 years of monitoring merchant content, G2 Web Services has found that, on average, 1.5 percent of a client’s portfolio contains offending websites.
Working with a partner
Financial institutions don’t need to face transaction launderers alone. Vendors have produced new products and services to help detect probable cases and assist in confirming and eliminating offenders. Transaction laundering detection is more collaborative than traditional monitoring. Finding and taking action against transaction laundering is not the same as content monitoring, where risk managers take action based largely on reports. With transaction laundering, collaboration between firms and service providers is very important.
"There is absolutely no one-size-fits-all solution to detect transaction laundering,” says Guidette. “The solution to this problem isn’t just technology, it’s a combination of technology, internal monitoring by the acquirer and best practices. It’s never obvious and it is not easy."
To download the white paper, click here.