Tackling Ticking Time Bombs: How Receiving Banks Can Mitigate the PSRs Proposed Liability Shift with Proactive Mule Account Detection

Shutting the door on criminals trying to create fraudulent accounts is an effective way to combat money laundering and avoid potential fines. Under the proposal by the Payment Systems Regulator (PSR) to change reimbursement for victims of authorised push payment (APP) scams, financial institutions that have fewer illegitimate accounts will have less chance of being in the liability mix.

If a bank already has fraudulent accounts sitting in the background, (this can happen in a number of ways), the next best thing is proactive detection of the money laundering accounts. When fraudulent accounts go undetected, financial institutions, both traditional and challenger, remain exposed to the proposed liability. In essence, these fraudulent accounts are ticking time bombs. While it is hard to quantify and there are not reliable numbers to show the scale of the problem, a recent report by Lloyds Bank might put the economic impact into perspective. After hiring a dedicated team to combat money mule accounts in 2018, they uncovered over 130,000 fraudulent accounts and prevented over £91 million from being stolen by criminals.

Putting Yourself in the Strongest Position to Combat Mule Accounts

A lot of financial institutions have a great foundation with device and network-based AML controls. However, the challenge with just looking at device and network insights is there is often a plausible explanation for what you are seeing in an online banking session.

The key to winning the battle against money laundering is tripling down on protection. More specifically, looking at 1) pure device insight, 2) device-based behaviour, and 3) pure behaviour. Here are some examples that help explain what I mean with these three layers:

Strong Insight: Pure Device

Logins from different IP addresses that are far apart
Geographically it seems unlikely, so any fraud manager will want to know about this small alarm bell, but it is possible the customer could be travelling, or they could work for a company with internet access points in multiple countries. This insight is important to know but it is not enough to base a fraud decision on.

Logging into an account with a new device
It is possible an impostor is logging into the account. Or it could be that the legitimate account holder is simply logging in from a new device or phone for the first time. These indications can be quite telling, but again, they are not completely conclusive in terms of whether it is fraud.

Stronger Insight: Pure Device + Device Behaviour

On top of the pure device insight, you can look at device-related behaviour. Here are a couple of examples:

Change in Balance Monitoring Habits
It's plausible that the user is suddenly more active on the account due to a change in lifestyle and is suddenly waiting for regular deposits to arrive from a family member. Think of a university student waiting for money from a parent. These regular payments and movement of funds could be driven by education or accommodation fees. Once again, a very plausible explanation for the change in habits.

Change in Payment Frequency
A change in payment frequency could be down to the user starting a new business and receiving an injection of sales and revenue off the back of a promotional period. Or it could be a tell-tale sign that someone has got control of the account and is using it for fraudulent purposes.

As I mentioned before, device indicators raise an important red flag. But if you add on top device-based behaviour and become alerted to changes with things like balance monitoring and spending, it begins to paint a bigger picture of what’s going on. There could be simple explanations as per the above, but it could also be the single fraudster, or group of fraudsters are making sure the account is primed and ready for the fraudulent activity.

Strongest Insight: Pure Device + Device Behaviour + Pure Behaviour

On top of pure device and device-related behaviour, you can look at pure behavioural insight as well. One way to describe what pure behaviour brings is if you think of fraud detection like a CCTV camera. Without pure behaviour, you get a slightly grainy view of what’s going on. By adding pure behavioural insight you’ll suddenly start seeing things in 4K high definition. For example:

Expert User Activity
Looking at how a user interacts with the account can be telling. Do they typically use shortcuts or special keys? Do they import information from other applications on the device? This type of insight immediately drives the risk score upwards because genuine users do not typically behave like this. They don’t log in to their account this way and rarely use advanced keyboard actions to do basic account management.

Identifying Multiple Users
It becomes almost impossible not to classify a session as fraudulent when you can see there are multiple users logging into the same account. How can you tell there are multiple users? With pure behavioural insight, you can establish whether a person is more likely left or right-handed and whether their previous swiping patterns are consistent with a current session. In other words, ask the question - is this likely to be the person who logged in last time?

Also, when it comes to detecting and shutting down money laundering accounts it helps to know what kind of money mule you are looking for. Depending on where they sit on the complicit scale, or more specifically, are they less complicit or more complicit with the fraudulent transfer of money? Depending on the level of complicity, the way the user interacts with the account will be very different. This is what pure behaviour does above and beyond the other types of fraud controls.

Where is Your Business on the Dial: Strong, Stronger, or Strongest?

MicrosoftTeams-image (5)

The key to avoiding liability for being the recipient bank is putting yourself in the STRONGEST position to identify money laundering accounts before they become active. If you have effective device intelligence, that is a solid foundation. And better still, if you have device-related behavioural insights, that’s an even stronger defensive position to take. The combination of these insights is what makes them more powerful and telling.

Why add pure behavioural insight as well? Because criminals continuously find ways to navigate around traditional fraud controls. If your financial institution has an objective to drive down the cost of fraud in 2023, you probably will have close eyes on the proposals from the PSR. To help mitigate potential liability, financial institutions should consider adding pure behavioural insight on top of what they have, because it can be the difference between detecting mule accounts proactively rather than identifying them after the damage is done. Taking a more proactive approach will lead to huge savings on their 2023 fraud bill.