An October 2015 report from the British market research firm Juniper Research estimates that the mobile banking ecosystem exceeds 1 billion users worldwide. By 2020, Juniper forecasts that the number of mobile banking users will double. In the United States alone, a March 2016 Federal Reserve Consumer and Mobile Financial Services report found that 43 percent of all cell phone owners had used mobile banking in the previous 12 months. According to a 2014 Community Banking Connections article, mobile banking is a service that enables clients of an insured depository institution to check their account balances, transfer funds, receive alerts, or pay bills through a smartphone or tablet device. But mobile apps multiply fraud risk because institutions almost never design these platforms in-house.
Instead, banks rely on outside vendors to build and deploy their mobile apps, thus absorbing the fraud, anti-money laundering and know-your-customer risks of multiple third parties. Typically, these risks are segmented between the data transmission and data-storage phases of mobile banking activity. This segmentation reflects the binary nature of vendor risk management areas, namely the mobile application provider and the mobile banking hosting service, according to a 2012 report from accounting firm CliftonLarsonAllen.
Further disrupting bank risk management models are new mobile Internet payment systems, or MIPS. MIPS “disintermediate,” or remove, traditional bank processing mechanisms and, in some use-cases, enable senders to transfer funds with nothing more than the recipient’s email addresses. Some examples of MIPS include: digital wallets, peer-to-peer payment applications, online bill payments, digital lenders and virtual currencies. While MIPS offer convenience, accelerated settlement, reduced fees and 24-hour accessibility in the developed world, and are often the only bank infrastructure in frontier markets, they are also ripe for criminal exploitation. In fact, during a February 2015 Foreign Affairs Forum on cryptocurrency policy, Washington-based lawyer and panelist Carol Van Cleef said, “the first adopters of new payment systems, without a doubt, are the criminals.”
If Ms. Van Cleef’s warning is accurate, the proliferation of mobile transactions leaves banks and regulators at a disadvantage in the fight against fraud, confined to a perpetual game of catch-up with launderers and terrorist-financing networks. Look no further than the online startup website AngelList, where a basic search reveals a list of over 100 peer-to-peer (P2P) money transfer startups. P2P is a distributed online network that allows users to share information directly without communicating through an intermediary. For financial transactions, this intermediary is the bank or settlement agency that verifies credits and debits. PayPal, Venmo, Dwolla, Square and Popmoney are some of the more popular options among P2P mobile transaction services today.
For international transactions, P2P accelerates cross-border payments through its shared network of accounts, pooling funds from the entire user base to reconcile money transfers around the world. Through its distributed network of global user accounts, P2P matches cash inflows and outflows between geographies, wiring funds to recipients without the remitter’s native currency ever crossing jurisdictions or authenticating through bank processors. Thus, P2P payment and loan services offer criminals the strategic benefits of transactional anonymity, funding velocity and geographic fluidity. Recent money laundering conspiracies involving Liberty Reserve’s digital payment service and the Silk Road online drug bazaar, along with the terrorist attack in San Bernardino, all speak to P2P’s enhanced AML, KYC and TF risks.
In the midst of a fintech revolution, primed to make banking a mobile-first or mobile-only platform, banks and regulators must anticipate unprecedented compliance challenges. For banks, compliance personnel must educate themselves about emerging financial technologies and accompanying mobile transaction fraud risks, with a close eye on fraudulent accounts. Institutions should view mobile application and data-hosting vendors as their most glaring vulnerabilities. Meanwhile, regulators must enact data-driven reforms that hold digital payment services more accountable by enforcing monitoring schemes optimized to detect the new logistics of illicit finance.
Bank response to mobile banking fraud
Rising KYC compliance costs and the expanding scope of Bank Secrecy Act reforms, combined with a modern customer base that demands the latest mobile innovation, squeeze banks between a rock and a hard place. On one hand, banks have to expend significant resources developing compliance personnel and upgrading IT assets to comply with the Electronic Fund Transfer Act and Regulation E, among other monitoring and reporting demands.
Meanwhile, digital disruption, along with pressure from customers and from venture capitalists vested in the mass adoption of their fintech platforms by the finance industry, pushes banks to launch mobile solutions at speeds that relegate AML to an afterthought. Banks are accelerating the deployment of mobile banking apps by sub-contracting vendors that specialize in mobile transactions and messaging. According to a Community Banking Connections piece, the three most common mobile banking delivery channels include:
- Text messaging/short message service (SMS)
- Mobile-enabled Internet browser
- Mobile applications
In a BSA regime that assigns banks increasing culpability for the KYC and AML deficiencies of their vendors, mobile banking only aggravates compliance risks. Perhaps no vendor business unit exposes banks to fraud and AML risks as much as data security. Indeed, beyond the cyber-theft of customer funds, stolen user credentials are leveraged by transnational organized crime to open fraudulent accounts, integrate illicit funds into the banking system and perpetuate criminal enterprises. With the average financial institution losing $13 million a year due to cyberattacks, it’s easy to see why banks are such desirable cybercrime targets. As such, banks must conduct enhanced due diligence and employ continuous monitoring of vendors’ data-transfer and data-hosting networks.
The CliftonLarsonAllen report highlights these key mobile-vendor risk considerations:
- Server-side risk
- Transmission risk
- Mobile device risk
- Mobile app risk
- End-user risk
A January 2016 statement issued by the Office of the Comptroller of the Currency indicates that the cybersecurity controls of outside vendors will be a heightened bank examination priority this year. Here are some additional considerations for effective mobile-vendor risk management:
- Ensure vendor compliance with The Interagency Final Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice (70 Fed. Reg. 15736)
- Ensure vendor compliance with Section 5 of the Gramm-Leach-Bliley Act (12 C.F.R. Part 30, Appendix B “Interagency Guidelines Establishing Information Security Standards”)
- Heighten vendor user-verification standards
- Encrypt data in all phases of delivery and storage
- Make multi-signature security standard for vendor platforms
- Periodic stress-testing and auditing
- Discover all previous vendor breaches in onboarding stage
- Notify customers immediately after breach identification
- Periodically audit vendor personnel & mitigate risks of malicious insiders
- Incorporate fraudulent account rules into AML risk scoring (how many times has this user been hacked?)
- Go beyond preparing for an attack: assume you have already been breached
Mobile banking regulatory reforms
Regulators face the daunting challenge of keeping step with the rapid proliferation of mobile transactions and VC pressures, accelerating MIPS adoption. The institutional investment ecosystem, chasing the heat behind a $1 trillion-plus global P2P transfer and remittance market, according to a 2015 ACAMS paper, only widens the regulatory gap. Furthermore, P2P’s application as a borderless and anonymous transactional network reshapes the conventional migratory patterns of illicit capital flows.
Still, under the current BSA regime, digital wallets, mobile payments, and P2P transfer systems are all designated as money service businesses, and most comply with standard KYC and AML conventions. Despite these regulatory provisions and strict reporting demands, which require every fintech MSB to document every transaction of $3,000 or more, money launderers can adapt by employing more creative smurfing schemes. Smurfing is a money-laundering tactic based on structuring, the fragmentation of a large transaction into many smaller transfers, in order to evade currency transaction reports and other disclosures. With MSBs, launderers employ more money mules or accounts to microstructure and further disguise the origins of rogue capital.
As regulators introduce new reforms to govern mobile banking innovation, the ACAMS paper notes several likely threat scenarios. Consider a mobile app that enables users to load balances with cash at automated loading stations with no bank intermediary, a system that converts cash payments to merchants into digital currency and a P2P application for international remittances that pools funds on a virtual currency platform. This disruption alters money-laundering logistics in key ways.
Instead of depositing cash into an account at branch locations in multiple cities, so it can be withdrawn in bulk in a high-risk, cross-border area, criminals and terrorists can now fund multiple co-conspirator accounts via digital wallets and mobile P2P apps. From these accounts smurfs can then funnel cash to other user accounts, which are all funding vehicles for the same conspiracy. Additionally, services with international payment capabilities may also be compromised by terrorist organizations like ISIS and others.
Regulatory guidance must adapt to these emerging mobile banking fraud threat patterns. For MIPS, risk can no longer be scored solely on dollar amount and transaction type. Suspicious activity reporting needs to adapt to reflect the increased fragmentation and diversified transfer vehicles of smurfing schemes. Compliance reforms must emphasize the transparency of customer segmentation, and design new parameters around account activity with a clear focus on the transactional universe of mobile remitters. The latter entails verifying every user account, along with monitoring the quantity of remittance counterparties and the frequency of payment interactions. Emerging fintech legislation should factor these best practices into its regulatory reforms:
- MIPS should have operational AML programs before launch
- Compliance scale must precede expansion of MIPS operations and markets
- Anonymous transactions should be prohibited, irrespective of dollar amount
- BSA regime should expand to hold P2P lenders accountable (per the San Bernardino shooting)
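The smurfing pattern described above (many sub-threshold transfers that together exceed the $3,000 documentation line) and the monitoring parameters the article calls for (number of remittance counterparties and frequency of payment interactions) can both be expressed as simple rules over a transfer ledger. The following is an added illustration written for this page, not code from the article, from Thomson Reuters, or from any MSB's monitoring product. The $3,000 figure comes from the article; the 24-hour window, the minimum of three parts for a structuring alert, the five-counterparty limit, and every account name and amount in the sample ledger are constructed assumptions for the example.

```python
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

# Documentation threshold cited in the article: MSBs must record transfers of $3,000 or more.
REPORT_THRESHOLD = 3_000.00
# The window and counts below are assumptions chosen for this example, not figures from the article.
WINDOW = timedelta(hours=24)
MIN_STRUCTURED_PARTS = 3
MAX_COUNTERPARTIES = 5

Transfer = namedtuple("Transfer", "when sender recipient amount")

# Constructed sample ledger ("ISO timestamp,sender,recipient,amount"); every value is made up.
SAMPLE_LEDGER = [
    # acct_a: three sub-threshold transfers in one day that add up past $3,000 (structuring)
    "2016-04-01T09:05:00,acct_a,acct_x,2900.00",
    "2016-04-01T11:40:00,acct_a,acct_y,2950.00",
    "2016-04-01T17:15:00,acct_a,acct_z,2800.00",
    # acct_b: ordinary low-value, low-frequency activity that should not alert
    "2016-04-01T09:10:00,acct_b,acct_m,120.00",
    "2016-04-03T10:00:00,acct_b,acct_m,140.00",
] + [
    # acct_c: fans out to six distinct counterparties within a single morning
    f"2016-04-02T08:{10 * i:02d}:00,acct_c,acct_r{i},450.00" for i in range(6)
] + [
    # six different senders funnel money into acct_hub within a few hours (fan-in)
    f"2016-04-02T13:{5 * i:02d}:00,mule_{i},acct_hub,900.00" for i in range(6)
]


def parse_ledger(lines):
    """Parse comma-separated ledger records into Transfer tuples."""
    out = []
    for line in lines:
        when, sender, recipient, amount = line.strip().split(",")
        out.append(Transfer(datetime.fromisoformat(when), sender, recipient, float(amount)))
    return out


def _windowed(rows, window):
    """Yield, for each row in time order, the rows that fall within `window` after it."""
    rows = sorted(rows, key=lambda r: r.when)
    for i, first in enumerate(rows):
        yield [r for r in rows[i:] if r.when - first.when <= window]


def find_structuring(transfers, threshold=REPORT_THRESHOLD, window=WINDOW,
                     min_parts=MIN_STRUCTURED_PARTS):
    """Flag senders whose sub-threshold transfers inside one window sum to the threshold or more.

    Returns {sender: (number_of_parts, aggregated_amount)} for the largest aggregate seen."""
    by_sender = defaultdict(list)
    for t in transfers:
        if t.amount < threshold:          # only transfers that individually dodge the report
            by_sender[t.sender].append(t)
    flagged = {}
    for sender, rows in by_sender.items():
        for chunk in _windowed(rows, window):
            total = sum(r.amount for r in chunk)
            if len(chunk) >= min_parts and total >= threshold:
                best = flagged.get(sender)
                if best is None or total > best[1]:
                    flagged[sender] = (len(chunk), round(total, 2))
    return flagged


def _distinct_peers(transfers, group_attr, peer_attr, window, max_distinct):
    """Group transfers by one side and count distinct accounts on the other side per window.

    Returns {account: (distinct_counterparties, transfers_in_window)} where the limit is exceeded."""
    groups = defaultdict(list)
    for t in transfers:
        groups[getattr(t, group_attr)].append(t)
    flagged = {}
    for key, rows in groups.items():
        for chunk in _windowed(rows, window):
            distinct = {getattr(r, peer_attr) for r in chunk}
            if len(distinct) > max_distinct and len(distinct) > flagged.get(key, (0, 0))[0]:
                flagged[key] = (len(distinct), len(chunk))
    return flagged


def find_fan_out(transfers, window=WINDOW, max_counterparties=MAX_COUNTERPARTIES):
    """Senders paying an unusual number of distinct recipients in one window."""
    return _distinct_peers(transfers, "sender", "recipient", window, max_counterparties)


def find_fan_in(transfers, window=WINDOW, max_counterparties=MAX_COUNTERPARTIES):
    """Recipients funded by an unusual number of distinct senders in one window (mule funnel)."""
    return _distinct_peers(transfers, "recipient", "sender", window, max_counterparties)


def triage(ledger_lines):
    """Run all three rules over raw ledger lines and return the alerts by rule name."""
    transfers = parse_ledger(ledger_lines)
    return {
        "structuring": find_structuring(transfers),
        "fan_out": find_fan_out(transfers),
        "fan_in": find_fan_in(transfers),
    }


if __name__ == "__main__":
    for rule, hits in triage(SAMPLE_LEDGER).items():
        print(f"{rule}: {hits}")
```

Run as a script, the sample ledger produces one alert per rule: acct_a for structuring (three parts totalling $8,650), acct_c for fan-out (six recipients in six transfers) and acct_hub for fan-in (six senders), while acct_b stays silent. The three rules are deliberately independent so that an account scoring on more than one of them can be escalated, which is the kind of counterparty-aware scoring the article argues dollar-amount-only thresholds cannot provide.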
Regtech is the future
In an era that lacks a precedent for transnational organized crime prosperity and terrorist-financing savvy, banks cannot put profit before security. Bank compliance personnel must dedicate themselves to learning about emerging fintech and mobile banking fraud risks. Vendors in the form of app developers and data-hosting services must be thoroughly vetted for network integrity and viewed as the bank’s Achilles heel.
Meanwhile, regulatory reform should reflect the evolving profile of P2P smurfing and expand BSA oversight over P2P lenders. Regulators can help reduce MIPS transactional anonymity by enacting standard regulatory technology policies for user onboarding. An MSB reform that imposes the mandatory deployment of investigative software to verify accounts is a good starting point. As fintech ushers in a brave new world of banking innovation, regtech is needed to contain the Pandora’s box of deviant globalization.
Thomson Reuters is not a consumer reporting agency and none of its services or the data contained therein constitute a ‘consumer report’ as such term is defined in the Federal Fair Credit Reporting Act (FCRA), 15 U.S.C. sec. 1681 et seq. The data provided to you may not be used as a factor in consumer debt collection decisioning, establishing a consumer’s eligibility for credit, insurance, employment, government benefits, or housing, or for any other purpose authorized under the FCRA. By accessing one of our services, you agree not to use the service or data for any purpose authorized under the FCRA or in relation to taking an adverse action relating to a consumer application.