On October 19, 2023, the UK’s Financial Conduct Authority (FCA) came out with research on how UK financial institutions (Payment Service Providers and Electronic Money Institutions) are dealing with the detection and elimination of money mules. The FCA states that “money mules are integral to moving proceeds of fraud and other crime types, and there should be focus on disrupting mule activity and protecting the public.” The report noted that in 2022, more than 39,000 accounts linked to money mule activity were reported to the UK’s National Fraud Database.
The FCA further states that financial services firms “should have a proportionate and risk-based approach to help make sure their platforms are not being exploited and their customers are not being put at risk by criminal groups.” The UK Home Office is expected to soon publish a money mule action plan.
Clearly, the UK is putting a serious focus on the elimination of financial fraud and scams. Also this month, the Reserve Bank of India published an update to its Master Direction on Know Your Customer. The amendments contained within the latest guidance focus on account opening and monitoring of transactions to restrict money mule operations, thus preventing fraudsters from laundering stolen proceeds from successful attacks. As an aside, other countries should take notice and execute their own money mule action plans.
Summary of findings
According to the FCA, “this evaluation included firms’ controls during (account) onboarding, monitoring (of open accounts) and reporting.” The FCA found that although some firms are taking this problem quite seriously, not all firms are paying sufficient and proportionate attention to this serious issue. Firms that have implemented an actionable plan to address the money mule issue are using innovative solutions such as:
- Stronger customer checks at onboarding to minimize money mule accounts from being established.
- Calibrating systems according to risk (risked-based approach).
- Use of facial recognition systems and device profiling/geolocation.
- Stronger risk assessment of outbound and inbound transactions to include investing in machine learning and behavioral biometrics to help reduce the risks inherent in rules-based only solutions.
- Firms using reporting systems to analyze flow of funds between firms to identify and disrupt mule activity.
- Using lawful data sharing to combat mule mules.
- Most effective firms are engaging/sharing with UK groups including CIFAS, UK Finance, NECC and the Fintech FinCrime Exchange.
The FCA says all firms “need to ensure that their monitoring systems are set up to detect common mule behaviors and do more to monitor inbound transactions as well as outbound.”
Kathryn Westmore, Senior Research Fellow at the Centre for Financial Crime and Security Studies (CFCS) at RUSI, made an interesting point on LinkedIn on October 19: “A lot of the smaller players/payment firms do not have the resources or access to take part in some of the industry-led initiatives. And yet, there is clear evidence of bad actors targeting those smaller firms.”
Kathryn’s point was specifically about fraud data sharing, but I think her comment can be applicable to how smaller firms respond to the general detection/elimination of money mule accounts. This is as true in the UK as it would be in the US, India, Australia or any other country. Regional banks, credit unions, neobanks, and other small firms have the potential to be the weak link in money mule detection/elimination.
Areas that need improvement
The FCA reported several common issues with financial services firms not as focused on the money mule problem:
- Firms with more reported money mules than their peers usually had a lack of senior management oversight and a lack of reporting.
- Firms undertaking too few checks at onboarding and capturing insufficient data that can be helpful in the ongoing account/transaction monitoring. Weaker firms had inadequate device profiling/geolocation and behavior biometrics at onboarding. These controls done well can immediately halt onboarding of bad accounts (and saving future operational expenses).
- Firms need to do a better job at onboarding of identifying red flags that may indicate money mules.
- Firms are not properly analyzing customer virtual addresses at onboarding. An example of a virtual address is a mailing address provided by a virtual office provider or a mail forwarding service.
- Firms allowing multiple account onboardings from the same device or using the same physical address (or phone number).
- Firms have inadequate or non-existent inbound transaction controls. This precludes meaningful mule detection, until after the money has left the mule account (the non-existent barn door control)
- Firms not detecting high value inbound transactions into new or dormant accounts with rapid exfiltration.
- Firms not using device profiling, geolocation, behavioral biometrics and machine learning on post-onboarding account transactions. Or using machine learning without historical data, or without sound explanations of the machine learning models and without alert reason codes to help fraud analysts understand what is happening. The FCA found that machine learning with robust behavioral biometrics can be quite effective in detecting money mules.
- Some firms were taking too long to make changes to their controls when new threats were identified.
- Some firms do not have clear explanations of alerts in their case managers. A clear audit trail with appropriate alert narrative is essential.
- “Receiving” firms are not responding fast enough to alerts from “sending” firms. This can cause scam victims to lose their money. As an aside, this poor response from receiving firms may make it easier for scam victims to get reimbursed.
- Some firms are failing to prepare and send SARs in a timely way, if at all.
- Some firms do not have dedicated resources to address proper onboarding and money mule controls.
- Some firms are not involved in data sharing initiatives.
- Some firms have poorly trained their fraud alert and investigation staff. In some cases, clearly suspicious activities are simply ignored.
The FCA expects firms to take a ‘proactive and proportionate” approach to:
- Strengthen controls during onboarding
- Improve transaction monitoring to detect suspicious activity involving money mules
- Optimize reporting mechanisms for swift action
- Raise consumer awareness about the risks of acting as a money mule in order to protect them
The FCA will use its full regulatory tools, including enforcement actions, if the FCA identifies a firm “failing to maintain proportionate and adequate systems and controls” for money mule accounts.
The FCA has really highlighted what is working with onboarding and money mule detection in the UK and what is not. Way to go FCA! I think the FCA findings are as applicable in the UK as in any other country and serve as a blueprint any bank can follow and implement in their sending or receiving operations.
My personal opinion is that the FCA’s expectation that UK firms establish “proportionate and risk-based systems and controls to manage the problem of money mule accounts” should be the same expectation/requirement of every banking regulator in every country. We need to aggressively eliminate money mule accounts.
Coming from the US, I would really hope the FFIEC, the Federal Reserve and the Consumer Financial Protection Bureau (CFPB) would immediately issue regulation to this effect. Although many in the US are hoping for changes to Reg E (not a quick effort), guidance to online security with specific direction for controls to help prevent scams by a laser focus on account opening controls and money mule detection/elimination would be a very effective first step. And, like the FCA, follow up with enforcement actions for those financial institutions that fail to properly address these serious risks.