The growing threat of
transaction laundering

Introduction

With federal regulators levying $400 million in penalties for anti-money laundering (AML) compliance violations in 2015 alone, detecting and preventing transaction laundering has become a pressing concern for the payments industry.¹

A type of money laundering also known as factoring and unauthorized aggregation, transaction laundering takes place when one business – frequently a website – processes payments for another. This gives the sellers of illicit goods and services a way to hide their transactions and wash “dirty” money by clandestinely entering their sales receipts into the payment system.

Spurred by the growth of online commerce and the anonymity afforded by the Web, the use of transaction laundering is surging worldwide. In response, regulators and credit card networks have launched a campaign to derail these efforts by holding acquirers and payment processors accountable for the actions of their merchants.

Below we will describe the different forms of transaction laundering, the scope and scale of the problem, and the legal and financial risks to financial institutions that fail to address it. Best practices for detecting and preventing this type of criminal activity will also be summarized.

Definitions and statistics

What is transaction laundering?

Money laundering is used by criminals to hide the source of their cash. Traditionally, this was done by siphoning funds from an illegal enterprise through a legitimate business like a store or restaurant.

Transaction laundering is a streamlined form of money laundering used to surreptitiously process credit card payments. A transaction is laundered when one merchant submits credit card charges under another merchant’s account, and while the front or pass-through business can still be a brick and mortar store, today it is more commonly a website.

The biggest transaction launderers are the purveyors of counterfeit merchandise, illegal drugs, and sex services, as well as Internet casino operators who operate without a license. But even when the goods or services in question are sold legally, falsely representing the nature of a credit card payment violates the processing merchant’s agreement with its acquiring bank. Using such a scheme to sell products illegally may also violate a number of state, federal, and AML laws depending on the nature of the transaction.

There are three principal forms of transaction laundering:

1. Front companies use legitimate businesses as a cover for criminal activities. An example would be a nutritional supplements seller that launders drug money by inflating its receipts or that sells counterfeit pharmaceuticals under the vitamin and supplement Merchant Category Code. Front companies may operate out of a physical storefront or, more commonly, online.
2. Pass-through companies allow illegal businesses to process their credit card receipts by giving them access to the legitimate company’s payments processing account. Often this is done by embedding a payment link on the illegitimate company’s website and then manually entering the illicit sales into the payment system to make them harder to detect.
3. Similar to pass-through companies, funnel accounts are legal businesses that accept credit card charges from multiple companies that do not have their own merchant payment account because they are either too small or they engage in illicit transactions. The funnel company then enters these payments as legitimate transactions into the card payment processing system.

A growing problem

While the scale of the problem is difficult to quantify, payments industry experts universally agree that it is both extensive and growing. About 50%-70% of online sales for illicit drugs, counterfeit goods, and unlawful adult content involve some form of transaction laundering, according to the Electronic Transactions Association (ETA), a trade association for the payments industry. Unlicensed online gambling is even more dependent on this type of money laundering: More than 90% of illegal gambling sites make use of transaction laundering to move their credit card receipts into the payment system.

These are enormous markets that account for hundreds of billions of dollars in annual sales. For example, ETA experts say there are between 35,000 and 45,000 rogue Internet pharmacies online at any one time. Dollar estimates for the counterfeit drug market range from as little as $10 billion to as much as $300 billion a year, but most knowledgeable sources peg it at $100 billion to $150 billion. Assuming that Web fronts and online pass-through companies launder just half of these transactions, these sites would be siphoning between $50 billion and $75 billion of dirty money into the payment system on an annual basis. And that’s just for illicit pharmaceuticals, which are only one segment of the much larger $450 billion counterfeit goods market.

“It’s a big problem,” observes Deana Rich, president of Los Angeles-based Rich Consulting, a provider of payments, risk management, and underwriting expertise. “This sort of activity has always gone on, but now the bad guys are learning how to open a merchant account for a fake site, and through trial and error they are getting much better at it.”

Attracted by the growth of the Internet and online commerce, the number of websites selling unlawful goods and services has mushroomed. Abetting this, until the past few years, underwriting standards were less strict, making it relatively easy for an online purveyor of illegal merchandise to open a merchant account. But with the volume of laundered payments rapidly escalating, Rich says that regulators and the payments industry are becoming more diligent.

“This sort of activity has always gone on, but now the bad guys are learning how to open a merchant account for a fake site, and through trial and error they are getting much better at it.”

In response, Rich explains, sellers of contraband “have been forced to become more sophisticated and are learning how to use a legitimate merchant account to pass through sales” from a Web front or pass-through site.

Regulations and fines

A new focus for regulators

These developments, Rich says, have led the Financial Crimes Enforcement Network (FinCEN) and other bank regulators like the Office of the Comptroller of the Currency (OCC) “to come down harder on banks that make use of third-party payment processors. The banks, in turn, are pressuring their independent service organizations (ISOs) and payment facilitators to underwrite their accounts more diligently and make distinctions between the nominee and the beneficial owners” of a site. The former may be only owners in name, and may not actually control the site or reap most of the benefits; the latter are the person or persons who actually run the site and profit from it.

To help establish beneficial ownership, FinCEN now requires financial institutions to determine and verify the identities of all nominees with a 25% or greater ownership stake in any company for which they open an account. They are also required to identify the principal decision maker for the site, which in many cases turns out to be the beneficial owner, not the nominees. While the rule was formally adopted in May of 2016, banks and processors have until May 2018 to comply.³

FinCEN’s beneficial ownership rule is only one of several legal requirements for banks to know their customers, notes Scott Talbott, senior vice president for government affairs at the ETA. Others include section 5 of the 1914 Federal Trade Commission Act, entitled “Unfair or Deceptive Acts or Practices,” and the 1970 Bank Secrecy Act, also known as the Currency and Foreign Transactions Reporting Act.

Talbott says what’s new on the regulatory front is that the FTC, the Department of Justice, the Consumer Finance Protection Bureau, and other regulatory bodies are focusing on the new forms of transaction laundering – such as funnels and pass-through accounts – as a way to fight fraud.

“Some of these efforts are directed at the merchants,” Talbott says. “But increasingly there is a concerted effort to hold the payments industry responsible for acts committed by bad merchants.”

Talbott points to the DOJ’s Operation Choke Point to illustrate his point. Undertaken in 2013, this was an investigation into U.S. banks and third-party processors associated with commercial activities at high risk of money laundering. These included dating and escort services, Web-based sellers of ammunition and pharmaceuticals, and home-based charities. As a result of the initiative, substantial fines and penalties in excess of $1 million were levied against at least two U.S. banks.^{4, 5}

“But increasingly there is a concerted effort to hold the payments industry responsible for acts committed by bad merchants.”

Currently, this type of regulatory pressure is most likely to come from FinCEN, reports Ed Wilson, a business and regulatory attorney and partner at Venable, a Washington, D.C.-based law firm.

“Unfortunately for the card industry,” Wilson says, “FinCEN sees transaction laundering as variations on well-documented anti-money laundering themes.” In view of this, he says, the payments industry should expect little tolerance from FinCEN and would be well advised to quickly adhere to the agency’s electronic payments guidelines. Failure to do so, he says, “will subject financial industry participants to substantial fines and penalties, including restrictions on participating in the payments industry and bans from the business.”

In October 2016, FinCEN issued an advisory to financial institutions on cyber-enabled crime.⁶ In it, the agency states, “The proliferation of cyber-events and cyber-enabled crime represents a significant threat to consumers and the U.S. financial system.” The advisory also cites an example of how monitoring and reporting by financial institutions “played an important role in the investigation of an Internet-based company, its cofounders, and other collaborators. This company acted as an unregistered online money-transmitting business and offered digital currency services specifically designed to provide anonymity to facilitate international crime and money laundering.

The advisory then goes on to detail how financial institutions should monitor for and report suspicious cyber events. (For access to the full report, click here.)

Big fines for a midsize bank

On Feb. 27, 2017, the U.S. Treasury’s (FinCEN) slapped a $7 million fine on a midsize California bank for violations of the Bank Secrecy Act related to transaction laundering. The bank was fined another $1 million by the OCC for these same infractions.²

The penalties were levied for failing “to establish and implement an adequate anti-money laundering program,” according to FinCEN, and for allowing “billions of dollars to flow through the U.S. financial system without effective monitoring.”

Owing to this failure, FinCEN said that in one instance the bank processed $192 million from high-risk foreign customers during a three-month period.

While many of the particulars were unique to the bank and its customer base, the incident is indicative of the threat posed by transaction processing to financial institutions that don’t recognize the risk and take steps to mitigate it.

Challenges and best practices

The challenge for payment processors

Yet despite the stepped-up enforcement by regulators and the increased due diligence on the part of banks and their ISOs, the use of transaction laundering continues to spread. This is in no small part due to the criminal element’s growing sophistication with the payment system.

The ETA’s Talbott says: “The payments industry is constantly deploying new fraud detection techniques, such as chip cards and tokenization (where a meaningless electronic code is substituted for a credit card number when it’s transmitted via the Web).” The challenge, however, is that whenever “the payments industry builds a ten-foot wall” to discourage transaction laundering, “the thieves build an eleven-foot ladder.”

The Web’s inherent anonymity complicates the problem. Wilson estimates that the true identities of as many as 6%-10% of online merchants remain hidden from their payment processor. Corrupt sites fail to draw the attention of their ISO because most laundered transactions are relatively small. “They add up over time,” Wilson says, “but unless you’ve got good analytics or a site is pretty ham-handed with how it conducts business, they’re not that easy to detect.”

So how should banks and ISOs comply with FinCEN’s requirements and optimize their ability to detect and prevent laundered transactions?

Wilson, Talbott, Rich, and other industry experts suggest several best practices:

Monitoring and detecting

To detect transaction laundering, good underwriting is the key. “To make sure you aren’t scammed,” says Wilson, “look at the numbers.” That starts with some relatively simple, manual steps:

1. Examine the merchant’s website. Does it add up? Would a consumer be inclined to purchase its products? Many fraudulent websites don’t meet this simple standard and can be ferreted out simply by taking a close look at the site’s offerings and how they’re presented.
2. Compare the site’s content with its volume of business. Often, when something is amiss, these do not align. A merchant, for instance, might tell its ISO that it anticipates bringing in $175,000 a month in sales. But if the site offers only two products, then either the sales projection is way off, or the revenue will be coming from someplace else.
3. Consider the age of the website. Sites typically don’t sell a large quantity of merchandise when they’re first launched. Flags should be thrown for any site that claims robust sales out of the gate.
4. Compare the site’s products with its average sale price and the merchant codes that it uses. Other telltale signs that a site may be laundering transactions include a sudden and unexplained spike in sales transactions or a jump in the size of each sale. Why would an apparel site with an average sale of $175 suddenly start posting routine sales of $450? If the ISO doesn’t know, it should inquire.

Another giveaway is the type of merchant codes the site uses to enter its sales slips. If these don’t conform to the types of goods that the site is supposedly selling, then it’s a good bet that something is wrong.

Merchant Monitoring Service Providers

But not every bank and ISO has the wherewithal to conduct its own due diligence, and there are other important steps that require special expertise and technology. These capabilities are available through third parties known as Merchant Monitoring Service Providers (MMSPs), which use computer algorithms and other techniques to examine merchant sites electronically.

Most MMSPs have an extensive database of merchants with a history of fraud and other questionable behaviors. This allows the service provider to examine the “who is” information provided by a merchant’s site and compare it with its database, making it easier to identify launderers.

MMSPs also look for suspicious site elements that the human eye might not readily detect. Based on what they find, they score the site and then inform the ISO of the probability that the site is engaged in some sort of money laundering activity. Since a clean site can become a dirty one over time, the service provider will keep tabs on the site on an ongoing basis.

Performing continuous monitoring is critical to ensure that a website is performing in the way that the ISO expected. A front site may try to fly beneath the radar by opening a merchant account with a very low volume of business. If a site significantly ramps up its sales over time, it behooves the processor to track the changes and ensure that the additional sales are credible and originate with the site in question.

Transaction laundering paves the way for illicit goods and services to enter the payment system, violating the merchant’s agreement with its acquirer, flouting AML laws, and attracting unwanted attention from regulators. To protect themselves from fraud, brand damage, and legal sanctions, acquirers should address the problem through diligent underwriting, sophisticated technology, and partnerships with service providers that can provide both.

How Thomson Reuters Can Help

CLEAR online investigations software provides a solution to your compliance and investigative needs. By providing consistent, comprehensive, and defensible investigative results, CLEAR can uncover weak links in a customer or vendor's history in the form of politically exposed persons, criminals, bankruptcy, high-risk business officials, and other dubious entities. With CLEAR you can:

• Access key proprietary and public records in one intuitive environment
• Enable batch alerting to run one search for a large number of people and businesses
• Receive real-time records such as arrests, watch lists, and social media
• Instantaneously analyze search results to shorten investigation time and uncover hidden unknowns

ABOUT THOMSON REUTERS

Thomson Reuters is the world’s leading source of intelligent information for businesses and professionals. We combine industry expertise with innovative technology to deliver critical information to leading decision makers in the financial and risk, legal, tax and accounting, and media markets, powered by the world’s most trusted news organization. Thomson Reuters shares are listed on the Toronto and New York Stock Exchanges (symbol: TRI).

For more information, go to legalsolutions.com/CLEAR.

References

¹http://info.moneylaundering.com/enforcement-action-survey.asp

²https://www.fincen.gov/news/news-releases/fincen-penalizes-california-bank-egregious-violations-anti-money-laundering-laws

³https://www.federalregister.gov/documents/2016/05/11/2016-10567/customer-due-diligence-requirements-for-financial-institutions

⁴https://www.justice.gov/usao-ednc/pr/united-states-attorney-announces-settlement-bank-accused-consumer-fraud

⁵https://www.justice.gov/opa/pr/commercewest-bank-admits-bank-secrecy-act-violation-and-reaches-49-million-settlement-justice

⁶FinCEN Advisory to Financial Institutions on Cyber-Events and Cyber-Enabled Crime, October 2016:
https://www.fincen.gov/resources/advisories/fincen-advisory-fin-2016-a005