July 9, 2013
Mitigating prepaid risk and fraud successfully
* Understanding the potential risks and fraud associated with prepaid cards: Money laundering throughout the world - How big is it?
* Examining and monitoring the transaction process and identifying potential risks
* Reviewing payment fraud prevention strategies and practices for minimal risk
- Anita Ghazi Rahman*
Pre-paid Card Risk
Prepaid cards represent one of the fastest growing segments of card-based payments and hold tremendous potential to continue the transformation of payments from traditional, inefficient, labour-intensive paper-based methods to electronic systems. The success of prepaid cards is attributable to value propositions such as convenience, cost savings and security for businesses, governments and consumers, but the strengths of the prepaid card category also represent many of its inherent challenges. Unlike credit and debit cards, which are largely homogeneous products commercialized primarily through financial institutions, prepaid cards present tremendous complexities such as the breadth and range of card products, the variety of marketing strategies and distribution channels, diversity of value chain participants, which include both financial institutions and non-financial institutions of various kinds (including networks, processors, program managers and distributors), divergent business models, value propositions and risks for each stakeholder, differing technology infrastructure and operational support requirements by product and distribution method and the rapid ongoing change and evolution of pre-paid cards due to the early stage of the market.
Pre-paid payment instruments are generally of four types viz. (i) Closed System payment instruments e.g. gift voucher, telephone calling cards, (ii) Semi-Closed System payment instruments, (iii) Semi-Open System payment instruments and (iv) Open System payment instruments. Some of the most significant money laundering risks identified by LexisNexis in its white paper on ‘Emerging Anti-Money Laundering Risks to Financial Institutions’ (2007) are identified in funds transfers, including stored value cards, mobile payments and internet payments. The ambit of this white paper, aligned to and in keeping with the scope of the presentation to be placed by the author on 23rd April 2010 at “Prepaid Cards Asia 2010”, Singapore, only deals with pre-paid fraud risk inherent to Open System stored value pre-paid cards at present.
Open system stored value cards are connected to the global funds networks (such as Cirrus or Plus) and generally allow access to worldwide ATM funds and purchases with almost all merchants. They are often co-branded by financial institutions and may carry the ‘VISA’ or ‘MasterCard’ logo with their associated benefits. They may be geographically restricted, but are frequently available for use internationally and are marketed as a safer and more convenient alternative to carrying cash. Pre-paid instruments may be used by anyone, including a non-purchaser, and are typically reloadable with varying restrictions. The usual means of obtaining such a card begins with an individual registering for, prepaying funds into, and receiving a card. This part of the process may occur at a financial institution, a retailer, the postal service, a money service business, or similar companies, and the card may also be obtained over the internet.
Stored value cards are vulnerable to money laundering for a number of reasons. Unlike debit cards, stored value cards may be issued without the obligation of a depository account. Frequently, a financial institution will have little direct contact with a purchaser and may not be required or obliged to perform customer identification procedures on individual purchasers when a pooled account is utilized to process payments on the cards. There also appears to be some ambiguity as to where the responsibility lies for KYC and Customer Identification Program (CIP) provisions between banks, processors, and other entities involved in the issuance and redemption process. Moreover, although cards issued within a jurisdiction may be subject to preventive legislation (e.g. pre-paid cards in the United States are subject to the Bank Secrecy Act), this may not be the same for cards issued outside the United States, although they may still be used within its borders.
Money Laundering through the Use of Pre-paid Cards:
Technological products such as pre-paid cards, amongst others, have introduced a number of opportunities for money-launderers to conceal their identity and/or criminally misuse another’s identity to complete a transaction before drawing the attention of the card-issuing institution or a regulatory/law enforcement agency, and have also offered means to convert illegitimate wealth into legal assets.
Money laundering through the use of pre-paid cards is mostly accomplished through cyber-laundering. Cyber-laundering is conducted through a three-stage process of placement, layering and integrity/integration. ‘Placement’ is the process through which electronic cash is used to buy goods to be resold through use of smart cards, thereby negating the need for an intermediary while providing the advantage of anonymity. ‘Layering’ is the stage where the launderer tries to separate the money from its origin by transferring the money through a number of accounts in different banks in the guise of purchase of goods for re-sale or through off-shore companies located in different jurisdictions. ‘Integrity’ is the process through which the owner ensures that the accumulation of illegal wealth (money laundering) appears legitimate. With the introduction of pre-paid cards, money-launderers have capitalized on the anonymity feature of such cards to help the layering and integrity stages of cyber-laundering.
The problem of the rise of money-laundering through the use of pre-paid cards lies with the regulation of online bank accounts, in that the jurisdiction of the website where an online bank account is registered may not require following any international standard of regulation to run the bank. Many countries have yet to co-operate with the international forum to share intelligence and suspicious transaction records/Suspicious Activity Reports with the member countries to monitor and control cyber-laundering.
Further, due to the wide difference in regulation, policies, standards and opinion regarding cyber-laundering between different jurisdictions, it is still an undecided issue as to under which jurisdiction a money-launderer will be prosecuted if, for example, the online banking account is based in China and you live in Bangladesh and your main banking relationships are in India, Pakistan and Malaysia.
Launderers often buy cheaply available fake identities from hackers and use them to open accounts with electronic banking websites to accomplish the placement and layering stages of cyber-laundering. They can also host scam websites to spoof users and use those users’ details to hide their own identities while requesting a prepaid card or a smart card, then deposit the criminal gains onto these cards to achieve the layering and integrity stages of cyber-laundering.
The processing speed of the technology used is upgraded every six months, while it takes years to investigate and prosecute any case of money laundering. Legislation is in place in all but a few countries, but investigation from jurisdiction to jurisdiction takes a lot of time and manpower.
Fraud prevention strategies to prevent cyber-laundering have to be worked on at different levels.
Every financial institution is charged with the responsibility of developing policies and procedures to combat money laundering, which includes the duty to be aware of trends and adaptations in the methods by which money laundering is carried out.
Governments of the world are working together to prevent cyber-laundering and have developed a standard of 40 recommendations in order to provide some form of control to prevent money laundering both traditionally and electronically. Government institutions such as the Financial Crimes Enforcement Network, or FinCEN (US), and the Financial Action Task Force, or FATF, established by the G-7 Summit in 1989 (updated in 2003), have established a global reporting system to report suspicious activity and foreign transactions, and have set standards to control and investigate any such case of money laundering and to provide relevant information to law enforcement agencies. The United States Department of Justice has also provided legislation such as the USA Patriot Act to monitor internet activity and keep 12 months of transaction records for all users in the United States and its allies.
The central idea of the 40 recommendations developed by FATF can be summarized as follows: all countries should criminalize money laundering and apply serious penalties to the criminals partaking in money-laundering; countries should adopt procedures to confiscate the criminal proceeds or property; financial institutions should not maintain anonymous accounts and should know their customers by requiring mandatory KYC (Know Your Customer) forms and practice; they should develop policy and procedure to address risk in non-face-to-face business transactions; and they should monitor transactions that have no apparent lawful and economic purpose.
The nine goals set by the FBI in the National Money Laundering Strategy, 2007 to control money laundering should also be kept in mind while addressing the issue:
(1) Safeguard the Banking System, (2) Enhance Financial Transparency in Money Services Businesses, (3) Stem the flow of illicit bulk cash out of the United States, (4) Attack Trade-based Money Laundering at home and abroad, (5) Promote Transparency in the ownership of Legal Entities, (6) Examine Anti-Money Laundering Regulatory oversight and enforcement at Casinos, (7) Implement and Enforce Anti-Money Laundering Regulations for the Insurance Industry, (8) Support Global Anti-Money Laundering Capacity Building and (9) Enforcement Efforts and Improve how we measure progress.
The UK’s system of reporting suspicious transactions through Suspicious Activity Reports is also an effective policy to deter money laundering in traditional financial institutions. However, cross-border flows of cash are one of the areas mentioned above where the launderer is less vulnerable to detection. Australia, Canada, the UK, the EU and the U.S. have implemented a similar policy to log and monitor the activity of internet users for five years before an internet service provider can use a clearing utility to clear the servers of information that can assist in finding the source of an electronic payment sender.
Authorities need to make sure that laws are made before the technology is introduced to prevent abuse of any new techniques that professional money launderers can use to transfer ill-gotten proceeds.
Therefore, combined action to enforce preventive measures is required, in partnership with financial institutions, law enforcement agencies and the governments of the nations, in order to avert money laundering through the use of pre-paid instruments. A solution would be for all countries to approve the UN Convention against Corruption, 2003 and implement effective anti-money laundering laws in their financial sector. Above all, there must be a development of awareness and training programmes for employees of related institutions and the general public to identify the points where this crime is most vulnerable and identify what can be done to separate the money launderers from the misappropriated criminal proceeds.
Internet policing is required both locally and globally to prevent cyber-laundering and to share information of suspicious activity with relevant law enforcement agencies.
Whether new or increasing, these risks require financial institutions to adapt and adopt new policies and procedures to mitigate the effects of cyber-laundering through the use of pre-paid instruments on their business and the financial industry as a whole. The most obvious means of combating these trends relies heavily on already implemented procedures, particularly customer identification and effectively managing high-risk customers. This may be difficult when dealing with customers who present minimal information, as with shell corporations. Due diligence procedures should be well crafted and applied in all cases unless their relaxation is justifiable and documented. Policies should be put in place to restrict account opening in situations where the risk to the institution outweighs the benefits of doing business. In all situations, reputational and operational risk should weigh heavily in the minds of policy makers and institutions.
Finally, a summary of key strategies/suggestions/practices, as discussed above, to reduce and prevent payment fraud may include, inter alia:
- implementation of guidelines for pre-paid instruments covering both financial and non-financial institutions;
- institutions issuing pre-paid instruments should be required to submit Suspicious Activity Reports to the financial monitoring agency of a country;
- institutions issuing pre-paid cards should conduct customer due diligence, also called “know your customer” or “KYC”;
- institutions issuing pre-paid instruments should keep records of all transactions for a fixed period of time, e.g. 5 years;
- designing products to make them unattractive to money launderers, such as establishing limits on amounts loaded on the card, limiting cash access or high currency amounts to products with “known” customers and monitoring use, as well as cancelling the network branded prepaid card if activity is suspicious;
- implementation of an encryption key recovery program;
- use of a digital signature holding details such as the identification of the user, location of the teller machine where it was used, amount of transaction and date/time stamp;
- telecommunication operators and internet service providers (ISPs) should be required to monitor and record user data for a fixed period, e.g. at least 1 year, to assist government and law enforcement agencies in investigations pertaining to money laundering through cyber-crime;
- proof of identity should be sought where pre-paid cards are used at retail outlets.
* The Author is an Advocate of the Supreme Court of Bangladesh and the Founder and Counsel of The Legal Circle, Dhaka.