Fintech: Preventing Payment Platforms From Becoming Conduits for Illicit Activity
Encouraging Innovation While Protecting Consumers and Business From Risk
Blanca Rojas, CAMS CAMS FCI Candidate, October 2019
The views and opinions expressed in this paper are largely those of the author and do not necessarily represent those of RealPage
Payments Services LLC. The content is not to be relied upon as legal advice or in lieu of counsel.
BLANCA ROJAS 1
Table of Contents
Executive Summary
Introduction
Building Technology for AML and Fraud Risk
  Carding Fraud
  Controls to Mitigate Carding Fraud
Tools for BSA/AML Monitoring
  AML Transaction Monitoring Software
  Prepaid Cards and Human Trafficking
Continuing Education for Talent
  Synthetic Identity and Credit Privacy Numbers (CPN)
Collaboration With Law Enforcement
  Birthing Tourism and Immigration Fraud
Recommendation Summary
Conclusion
References
  Articles, Reports, and Presentations
  Statutes and Guidance
  International Agency Publications
  Online Resources
Executive Summary
“Technology knows no borders. Neither does financial misconduct” (Tao Zhang, IMF deputy
managing director).1 As a tech-savvy society, we are eager to purchase the next new phone
application to make our lives easier. With consumer trust and demand for technology comes
the rise of financial technology companies or “Fintech.” Competition to bring forth the next big
thing is great as it fosters innovation and inclusion; however, it is the rapid pace to get the
product to market that is concerning as anti-money laundering (AML) and fraud risk is
potentially overlooked. The purpose of this paper is to discuss some of the challenges seen in
Fintech, specifically in payments. This paper will highlight considerations that need to be made
prior to releasing a new payments product. The main focus will be on payment system
vulnerabilities and tools needed to monitor fraud and comply with regulatory obligations, to
ensure a successful business in the rapidly changing world of Fintech.
Introduction
The advent of digital technology was first received with skepticism from traditional financial
institutions designed to service the needs of the traditional check-cashing business or money
transmitters. Suddenly, a different kind of financial service provider needed banking services.
Banks at the time were also seeing an increase in regulatory fines and penalties for violations in
AML programs, resulting from failure to place appropriate risk scores and controls on these
inherently high-risk customers. Fears of being penalized and fined for violations led to the wave
of de-risking or exiting high-risk customer relationships in order to control institutions’ risk.
Banks were terminating existing money services business (MSB) clients and were refusing to
onboard new clients with nontraditional business models, assuming that they were an even
higher risk than their traditional peers. These new clients were also moving money much like a
bank, only faster; hence the name “Fintech” was born. Fintech, by Wikipedia’s definition, is
Fintech, is “new applications, processes, products, or business models in the financial services
industry, composed of one or more complementary financial services and provided as an end-
to-end process via the Internet.”2
While Fintech companies were having a tough time obtaining access to banking services, the
need for financial inclusion of the unbanked consumer was a global problem as well. National
governments began to adopt policies in which financial technology companies could have a
clear understanding and framework in which to operate in order to bring financial services to
consumers who had no access to traditional financial institutions. The importance of financial
inclusion led the World Bank to create the Global Findex Database to increase financial
inclusion worldwide.
1 Tao Zhang Vilinus, “Balancing Fintech Opportunities and Risks.” (remarks by IMF deputy managing director, presented at IMF conference, Lithuania, June 10, 2019.)
2 “Fintech.” Accessed July 19, 2019. Retrieved from https://en.wikipedia.org/wiki/Financial_technology
According to the World Bank in its 2017 Global Findex data report, recent progress has been
made in financial inclusion that has been driven by payments, government policies, and a new
generation of financial services that can be accessed through mobile phones and the Internet.
The World Bank goes on to cite Africa as an example of the power of financial technology, noting that expanded access has allowed 21 percent of Sub-Saharan Africa to now have a mobile money account, which is nearly twice the amount since 2014. The use of digital payments is increasing for the banked as well: globally, 52 percent of adults have also sent or received digital payments in the past year.3
In a recent survey conducted by PYMNTS.com in February 2019, 57.5 percent of consumers expressed an interest in getting some of their banking services from nonbanks.4 The Financial Stability Board (FSB), a financial watchdog organization composed of the G-20’s central banks, also recently stated, “Fintech firms and large, established technology companies (‘BigTech’), could materially alter the universe of financial services providers.”5 However, in FSB’s recent publication, the focus is not on the direction in which Fintech is heading but rather the way in which Fintech will operate and comply with regulatory standards.
The payments industry and specifically those registered as MSBs with FinCEN also require
licensing in the state in which they operate. However, many payments companies operate in
more than one state or jurisdiction, and the burden of licensing in multiple states is an added
stressor for compliance departments. Compliance departments unable to balance state
licensing and AML program requirements have begun to outsource the administrative burden
of managing state licenses with items such as renewals, invoicing, and reporting. Even with the
administrative part of licensing outsourced, compliance departments are faced with evolving
AML and fraud concerns. In the area of BSA/AML and fraud, compliance professionals need to
be aware of system gaps that make it easier for fraudsters to exploit payment platforms. If a
state regulator perceives that there is a recurring fraud pattern occurring in a payment
platform, then the question becomes what the licensed MSB is doing to
solve the issue and mitigate risk for the consumer as well as the business.
As part of the ever-changing and emerging Fintech climate, the Conference of State Bank
Supervisors (CSBS) started the Emerging Payments and Innovation Task Force to study the
changing payments systems and the impact on consumer protection, state law, banks, and
nonbank entities chartered or licensed by the states. The task force aims “to understand how
new entrants and technologies affect the stability of the payment systems and the broader
financial market place and to develop ideas for connecting the emerging payments landscape to the financial regulatory fabric.”6
The following content will include specific action items for new Fintech companies to implement at the beginning stages of building their technology to prevent payment platforms from being misused. Examples will be provided through case studies on how weak systems can expose consumers to fraud and solutions on how to remediate fraud exposure. Lastly, specific measures will be included to enhance AML monitoring programs and protect the BSA function from regulatory and reputational risk. The following information will not just serve as a resource for CEOs entering into the Fintech space, but it will also be valuable to compliance professionals leaving traditional banking roles to pursue careers in Fintech. The following content will also serve as a tool for banking partners conducting enhanced due diligence reviews of Fintech companies; banks can determine if the Fintech company’s risk and mitigation strategies will allow for a mutually beneficial partnership.
3 Asli Demirgüç-Kunt, Leora Klapper, Dorothe Singer, Saniya Ansar, and Jake Hess. 2018. The Global Findex Database 2017: Measuring Financial Inclusion and the Fintech Revolution. Overview booklet. Washington, DC: World Bank. License: Creative Commons Attribution CCBY 3.0 IGO
4 “Where Will We Bank Next: Consumer Choice and Banking Services in The Digital Age.” Pymnts.com. April 2019. Retrieved from https://www.pymnts.com/wp-content/uploads/2019/04/WhereWillWeBankNext-April-2019.pdf
5 Financial Stability Board (February 2019). FinTech and market structure in financial services: Market developments and potential financial stability implications. Retrieved from https://www.fsb.org/wp-content/uploads/P140219.pdf
Building Technology for AML and Fraud Risk
Internal collaboration is key and the reason why successful Fintech companies have dedicated
data scientists for BSA compliance programs. Timing is essential when releasing innovative
technology, and, in the rush to get product to market, compliance is often overlooked. Early
product development meetings should include compliance in order to identify and control risk.
It is vital for compliance professionals and software developers to work together in building out
payment platforms. Although it may be challenging for BSA professionals to understand a
software developer’s language and vice versa, an understanding of the key regulatory
requirements for BSA compliance must be reached.
Although it may seem counterintuitive, third-party vendors are essential when building technology.
While Fintechs pride themselves in having their in-house talent build solutions, it is worth
scoping third-party vendors for those requirements that cannot be met with an in-house build.
Third-party software is needed to help in regulatory compliance efforts. Finding the right
vendor who knows the laws and regulations is vital. Building a payment platform for speed and
ease of use is great for the consumer; however, building a simple product that does not validate
the information entered by the consumer is a risk. Third-party vendors can assist with this
consumer risk by plugging into payment platforms and performing identity verification and
screening data entered in by consumers against government watch lists. Reputable third-party
vendors will have conducted their own security assessments to ensure that their products are
performing as they should, and they should also be able to provide their own third-party testing
results for the Fintech’s own vendor management program.
6 CSBS (March 2017). The Emerging Payments and Innovation Task Force. Retrieved from https://www.csbs.org/emerging-payments-and-innovation-task-force
Testing must be conducted to verify that data is being collected properly during the onboarding
process. Know your customer (KYC) is not just a regulatory requirement but a preventative
measure for onboarding fraud. Building a test environment or “sandbox” in which to test data
prior to going live is vital. This practice ensures that the system is working properly prior to the
consumer-facing product’s release.
Regulatory agencies are implementing cybersecurity regulations across the country to
safeguard customer information by requiring companies to protect their systems from
cyberattacks and unauthorized access. This is why New York’s Department of Financial Services
brought forth regulation establishing cybersecurity requirements for financial service
companies, otherwise known as 23 NYCRR 500.7 The following are questions to consider when
putting together a cybersecurity program:
- How secure is your payment platform, and are you continually performing updates and patches on your software?
- Are you conducting network penetration tests on a regular and scheduled basis?
- How are you managing internal access and third-party vendor access? These decisions need to be made prior to the release of any financially regulated product, and collaboration between IT departments and compliance is a must.
- Are your developers putting the right controls in place to prevent fraud from occurring in your payment platform?
- Are stop-gaps in place for declines, or can a consumer attempt a payment an unlimited number of times?
Building a payment platform with weak controls in place leaves the platform exposed to risk,
such as the following type of cyber-crime.
Carding Fraud
Carding fraud is the process fraudsters use to determine whether stolen credit card numbers are
active and have not yet been reported lost or stolen. To test whether a stolen card number can
be used, fraudsters will visit donation or eCommerce websites and payment portals to initiate
multiple transactions; the person doing this is known as the “checker.”
Checkers obtain bundles of cards from the digital underground, which may involve
the dark web or sites in plain sight on the surface web. Fraudsters will purchase bundles of cards,
most likely originating from a data breach, from websites referred to as “dump shops.” The
bundles of cards, or “dumps,” are strings of data in a text file that include the card information
for that particular bundle. These dump shops are so sophisticated that fraudsters can pick and
use the credit card’s originating bank as well as the city and state tied to the card. Having the
option to choose what region the stolen card is from makes it easier for the fraudster’s
purchases to appear legitimate when purchasing with stolen credit card information.
7 New York State Department of Financial Services (2017, March 1), 23 NYCRR 500 Cybersecurity Requirements for Financial Services Companies.
The price paid per stolen credit card varies and can be as low as one dollar or up to a couple of
hundred dollars, depending on the date the card was obtained. New cards that are added to
the dump shop are referred to as “fresh sniffs” and are more expensive to purchase. Below is a
screen shot of what web security advisor Brian Krebs from Krebs on Security8 (Krebs 2014)
found when he went behind the scenes at McDumpals to see what black-market payment card
fraud looks like.
Controls to Mitigate Carding Fraud
Red flags for carding fraud can include any of the following:
- A single card used repeatedly in quick succession for low or identical dollar amounts
- Multiple cards used repeatedly in quick succession for low or identical dollar amounts
- Multiple cards with the same name and/or billing address from the same IP address
- Multiple cards with different name and/or billing address from the same IP address
- Multiple cards with different billing addresses but an identical Bank Identification Number (BIN)
Cards advertised at valid rates in excess of 90 percent typically demand the highest prices and are a strong indicator of a breach that has only just been discovered by the breached merchant or some of the larger financial institutions. —Brian Krebs
8 Brian Krebs (June 2014). Peek Inside a professional carding shop. Krebs on Security. Retrieved from https://krebsonsecurity.com/2014/06/peek-inside-a-professional-carding-shop/
Payment platforms targeted with this type of activity can use the following measures to mitigate risk:
- Velocity checks – Multiple transactions with different account numbers originating from the same IP address can be an indicator that the customer is using software for carding. A transaction velocity threshold can be placed to limit the number of customer transactions conducted daily.
- Address Verification System (AVS) – While this will not help if fraudulent names are entered, it will validate the numeric components of the address and ZIP code and allow you to confirm the address of the cardholder.
- Card Verification Value 2 (CVV2) – The three-digit code on the back of the card is effective against online fraud. CVV2 can be used to prevent account enumeration attacks where the fraudster has generated the account number and is testing accounts with only an expiration date.
- IP geolocation checks – Verify that the IP address is not a proxy IP address or originating from a Tor browser used to disguise the true location of the consumer. Again, as mentioned above, multiple transactions from the same IP address are another fraud indicator.
- Device ID – Consider capturing the device ID to identify the cardholder and to verify that the same device is not being used for multiple payment profiles or accounts.
- Bank Identification Numbers (BIN) – If your payment platform is receiving several transactions within a span of days from the same BIN, more than likely your payments portal is being used for carding. Consider monitoring unusual transaction patterns or velocities on a single BIN.
- CAPTCHA technology – Consider implementing this technology to verify that the person making the payment through your portal is a human and not automated software or a bot (robot) abusing your system.
The measures listed above are a few of the ways to help prevent your payment platform from being part of a carding attack. Several third-party vendors also offer solutions that go beyond these basic measures and can create built-in fraud filters on payment platforms. According to third-party software provider Infintech, “Fraud filters will let you accept or reject transactions that seem risky by scoring transactions based on a number of additional factors.” Infintech also adds that another measure for protection from carding would be to set minimum transaction amounts: “Most carders initiate between $0.01 and $15 to verify the authenticity of a stolen card. Be sure to set reasonable limits to detect fraud.”9
9 Infintech (June 2019). Carding Fraud That Impacts Merchants. Retrieved from https://www.infintechllc.com/carding-fraud-that-impacts-merchants/
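
The red flags and velocity controls listed in this section can be expressed as sliding-window checks over payment attempts, including a cap on repeated declines. The following is an added example, not code from the paper or from any vendor; the thresholds, field names, response actions and sample attempts are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from decimal import Decimal

# Assumed thresholds for illustration only; tune them against real traffic.
WINDOW = timedelta(minutes=10)
MAX_ATTEMPTS_PER_CARD = 3      # same card retried in quick succession
MAX_CARDS_PER_IP = 3           # distinct cards from one IP address
MAX_CARDS_PER_BIN = 5          # distinct cards sharing one BIN
MAX_DECLINES_PER_IP = 3        # the "stop-gap" for repeated declines
LOW_AMOUNT = Decimal("15.00")  # top of the $0.01 to $15 range quoted above


@dataclass(frozen=True)
class Attempt:
    ts: datetime
    ip: str
    card_token: str   # tokenized card reference, never the raw card number
    bin6: str         # Bank Identification Number (first six digits)
    amount: Decimal
    approved: bool


def low_or_identical(window):
    """True when every amount is small or all amounts are the same."""
    amounts = [a.amount for a in window]
    return len(set(amounts)) == 1 or all(x <= LOW_AMOUNT for x in amounts)


class CardingMonitor:
    """Sliding-window velocity checks keyed by card, IP address and BIN."""

    def __init__(self):
        self.by_card = defaultdict(deque)
        self.by_ip = defaultdict(deque)
        self.by_bin = defaultdict(deque)

    @staticmethod
    def slide(window, attempt):
        # Attempts must arrive in time order; drop those older than WINDOW.
        window.append(attempt)
        while window[0].ts < attempt.ts - WINDOW:
            window.popleft()
        return window

    def check(self, a):
        card_w = self.slide(self.by_card[a.card_token], a)
        ip_w = self.slide(self.by_ip[a.ip], a)
        bin_w = self.slide(self.by_bin[a.bin6], a)
        flags = []
        if len(card_w) >= MAX_ATTEMPTS_PER_CARD and low_or_identical(card_w):
            flags.append("card_velocity")
        if len({x.card_token for x in ip_w}) >= MAX_CARDS_PER_IP:
            flags.append("ip_multi_card")
        if len({x.card_token for x in bin_w}) >= MAX_CARDS_PER_BIN:
            flags.append("bin_velocity")
        if sum(not x.approved for x in ip_w) >= MAX_DECLINES_PER_IP:
            flags.append("ip_decline_cap")
        return flags


def action_for(flags):
    """CAPTCHA challenge on a single signal; stop when signals stack up."""
    if "ip_decline_cap" in flags or len(flags) >= 2:
        return "block"
    return "challenge" if flags else "allow"


def screen(attempts):
    """Return (flags, action) for each attempt, processed in time order."""
    monitor = CardingMonitor()
    results = []
    for a in sorted(attempts, key=lambda x: x.ts):
        flags = monitor.check(a)
        results.append((flags, action_for(flags)))
    return results


# Constructed sample data: one ordinary rent payment, a run of six cards from
# one IP address sharing a BIN, and one card retried three times for $5.00.
T0 = datetime(2019, 6, 1, 2, 0, 0)
SAMPLE = (
    [Attempt(T0, "198.51.100.7", "tok_rent", "411111", Decimal("1200.00"), True)]
    + [Attempt(T0 + timedelta(seconds=60 + 20 * i), "203.0.113.9", f"tok_{i}",
               "545454", Decimal("1.00"), i % 2 == 0) for i in range(6)]
    + [Attempt(T0 + timedelta(minutes=10, seconds=30 * i), "192.0.2.44", "tok_x",
               "400000", Decimal("5.00"), True) for i in range(3)]
)

if __name__ == "__main__":
    for attempt, (flags, action) in zip(SAMPLE, screen(SAMPLE)):
        print(attempt.ts.time(), attempt.ip, attempt.card_token, action, flags)
```

In production the windows would live in a shared store rather than process memory, so that every application server sees the same counts.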
Tools for BSA/AML Monitoring
The first part of this paper focused on collaboration and technology when building a payment platform. Even with the strongest controls in place, fraud will inevitably find its way through systems. After a payments product is launched, it is important to have the right tools outside of the product to monitor activity within the product itself. There are two important tools that can be used to prevent illicit activity from occurring through a payment portal; these tools also align with some of the requirements under the U.S. Bank Secrecy Act (BSA). Currently, per Regulation 31 CFR Chapter X §1022.210, payment platforms that are registered MSBs must have a BSA compliance program in place.10 A BSA compliance program for an MSB is required, at minimum, to have what are known as the four pillars: internal controls through policies and procedures; designation of a compliance officer; BSA/AML training program; and independent audit to test the program.11 The following tools can help with two of the pillar requirements for internal controls and training.
AML Transaction Monitoring Software
AML transaction monitoring software can be rules- or behavior-based or even a hybrid of both. Several third-party vendors offer products created with the typical brick-and-mortar financial institution in mind. However, with the advent of Fintech, software companies are cropping up with product offerings geared toward nonbank financial institutions. Machine-learning and AI technology is also something that existing AML software products are adding to their suite of solutions. Whether using software that started out as bank or credit union AML software, or software geared toward nonbank financial institutions, such as MSBs, having robust AML monitoring software is a must. It is important that the following points are considered when choosing software that caters to different types of financial institutions:
- Is the AML software flexible in customizing rules or behaviors that can be added to the software? Will you be charged more to customize software in order for it to work for your line of business?
- Is the AML software company dedicated to staying up-to-date on regulatory changes that can impact your MSB operations, and are they willing to make changes in the software to comply with regulatory requirements?
- How often are product releases made, and how invested is the company in upgrades and enhancements, especially those geared toward the Fintech industry?
- Is the AML software company working toward specific AI technologies, or does it offer services currently? Employing AI will help reduce the amount of human effort for routine tasks in order for employees to focus on complex responsibilities.
10 31 CFR Chapter X §1022.210 - Anti-money laundering
11 Bank Secrecy Act/Anti-Money Laundering Exam Manual for Money Service Businesses
Software chosen for a payments business should add value and not be just a box to check on a list of requirements. While the cost to implement AML software is considered a great expense, choosing the most affordable software with fewer bells and whistles can potentially cost more in the long run when it comes to detecting fraud in a constantly evolving landscape. A good software fit for a business should allow detection of fraud while reducing customer friction. As noted in a survey conducted by PWC on global economic crime and fraud, “As a customer, it can be reassuring—at first—to know a company continuously monitors fraud in the services it provides. But if the monitoring leads to frequent or repetitive alerts, that reassurance can quickly turn into irritation. This is known as customer friction and a growing challenge for organizations.”12 The value of your AML software will also be scrutinized by your regulators. Does your software’s output produce quality alerts? Are your employees able to see how transactions with fraud indicators manifest themselves in the software? Failure to identify different types of illicit activity could have dire consequences, as seen in recent regulatory enforcement actions such as in the case of Western Union, which was fined $60 million by the New York DFS. An investigation by DFS found that, for more than a decade, Western Union failed to implement and maintain an anti-money laundering compliance program to deter, detect, and report on criminals’ use of its electronic network to facilitate fraud, money laundering, and the illegal structuring of transactions below amounts that would trigger regulatory reporting requirements. 
In addition, the DFS investigation discovered that senior Western Union executives and managers willfully ignored, and failed to report to DFS, suspicious transactions to Western Union locations in China by several high-volume agents in New York, other states, and around the world, including money transfers that may have aided human trafficking.13 Having fine-tuned and sophisticated AML software will be your first line of defense in detecting fraud activity. Below is a look into one of the fastest growing global crimes and how your AML software can detect the fraud through the use of analytics and behaviors.
Prepaid Cards and Human Trafficking
Despite major progress, human trafficking continues to be a problem, and, according to Polaris, it is a $150 billion global industry that robs 25 million people around the world of their freedom.14 Banks, credit unions, and credit card companies have designed and implemented AML software that helps identify patterns in transactions for human trafficking. For example, a customer visits several gas stations and hotels in different cities in a short amount of time and, subsequently, withdraws cash from ATMs in close proximity to the hotels. This would potentially trigger an alert in a bank’s AML software. While suspicious transactions can easily be identified in a traditional financial institution, a newly formed MSB may not know how these suspicious transactions may appear in its monitoring systems.
12 PwC (2018). Pulling fraud out of the shadows: Global Economic Crime and Fraud Survey 2018. Retrieved from https://www.pwc.com/fraudsurvey
13 Department of Financial Services Issues Consent Order to Western Union Financial Services, Inc. January 4, 2018.
14 Polaris (July 2018). On-Ramps, Intersections, and Exit Routes: A Roadmap for Systems and Industries to Prevent and Disrupt Human Trafficking.
According to Polaris, “Many conversations with survivors on the Hotline, in the Polaris survey, and in Polaris focus groups, prepaid credit cards seem to be the preferred tender used by un-networked sex traffickers. These cards are difficult to trace using normal transactional monitoring because they enable anonymity. Prepaid cards allow traffickers to use illicit funds to purchase the necessities in order to facilitate their businesses without having their true identity linked to these purchases.”15
Looking at transactions initiated through a payment platform, the following suspicious transaction patterns can be a fraud indicator for human trafficking. Below is a hypothetical scenario in which suspicious transaction patterns point to human trafficking; the transactions were conducted using prepaid cards.
15 Polaris (July 2018). On-Ramps, Intersections, and Exit Routes: A Roadmap for Systems and Industries to Prevent and Disrupt Human Trafficking.
Jane Doe is one of four sex trafficked victims living in the same apartment unit. Jane used her personal information to apply for the lease, and her monthly rent payments are $1,200.00. Jane Doe and other victims receive payment from customers (Johns) in the form of prepaid debit cards. Prepaid cards are received in $100.00 denominations.
The victims collectively contribute to paying the rent with prepaid cards; the remaining cards or profits are turned over to their trafficker.
Jane Doe logs on to her apartment’s payment portal and begins to conduct several transactions all in the same day using one prepaid card per transaction.
Proceeds of human trafficking in payments
Transaction Date          Status     Payment Type  Operation  Name On Account  Transaction Number  Amount
7/3/2017 11:43:40 PM CT   Processed  MasterCard    Sale       Jane Doe         123456xxxx          $100.00
7/3/2017 11:39:10 PM CT   Processed  MasterCard    Sale       Jane Doe         123456xxxx          $100.00
7/3/2017 11:35:12 PM CT   Processed  MasterCard    Sale       Jane Doe         123456xxxx          $100.00
7/3/2017 11:10:19 PM CT   Processed  MasterCard    Sale       Jane Doe         123456xxxx          $100.00
7/3/2017 11:04:51 PM CT   Processed  MasterCard    Sale       Jane Doe         123456xxxx          $100.00
7/3/2017 10:50:27 PM CT   Processed  MasterCard    Sale       Jane Doe         123456xxxx          $100.00
7/3/2017 10:44:08 PM CT   Processed  MasterCard    Sale       Jane Doe         123456xxxx          $100.00
7/3/2017 10:37:18 PM CT   Processed  MasterCard    Sale       Jane Doe         123456xxxx          $100.00
7/3/2017 10:02:51 PM CT   Processed  MasterCard    Sale       Jane Doe         123456xxxx          $100.00
7/3/2017 6:42:51 PM CT    Processed  MasterCard    Sale       Jane Doe         123456xxxx          $100.00
7/3/2017 6:39:02 PM CT    Processed  MasterCard    Sale       Jane Doe         123456xxxx          $100.00
7/3/2017 6:35:43 PM CT    Processed  MasterCard    Sale       Jane Doe         123456xxxx          $100.00
[Diagram: Apartment Rent $1200, split as Jane Doe Pays $300, Victim Pays $300, Victim Pays $300, Victim Pays $300]
The example above, which demonstrates how suspicious activity could manifest itself within a payments platform, relies on two things. First, does your AML software have scenario rules in place to detect the velocity of transactions occurring with different account numbers in a short time frame? Second, if your software alerts to said scenario rule, will your BSA staff know how to interpret the data? You can use technology to cut out the noise and produce quality alerts; however, in the end, the human element is still needed.
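
The scenario rule asked about here (many payments on one account in a short time frame, each funded by a different card) can be written as a daily grouping over the portal's transaction records, with a summary the BSA analyst can interpret. This is an added example, not part of the original paper or of any AML product; the thresholds, the pipe-delimited record layout, the card tokens, the billed amounts and the two control accounts are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime
from decimal import Decimal

# Assumed thresholds, not taken from the paper; tune to the portal's baseline.
MIN_PAYMENTS = 5             # payments on one account in one calendar day
MIN_DISTINCT_CARDS = 4       # different cards funding those payments
ROUND_UNIT = Decimal("50")   # prepaid cards are usually loaded in round amounts

# Constructed sample. Jane Doe's timestamps and amounts mirror the table above;
# the card tokens are invented (one prepaid card per transaction, as described).
# The other two accounts are invented controls that should not alert.
ROWS = """\
7/3/2017 6:35:43 PM|Jane Doe|ppd_01|100.00
7/3/2017 6:39:02 PM|Jane Doe|ppd_02|100.00
7/3/2017 6:42:51 PM|Jane Doe|ppd_03|100.00
7/3/2017 10:02:51 PM|Jane Doe|ppd_04|100.00
7/3/2017 10:37:18 PM|Jane Doe|ppd_05|100.00
7/3/2017 10:44:08 PM|Jane Doe|ppd_06|100.00
7/3/2017 10:50:27 PM|Jane Doe|ppd_07|100.00
7/3/2017 11:04:51 PM|Jane Doe|ppd_08|100.00
7/3/2017 11:10:19 PM|Jane Doe|ppd_09|100.00
7/3/2017 11:35:12 PM|Jane Doe|ppd_10|100.00
7/3/2017 11:39:10 PM|Jane Doe|ppd_11|100.00
7/3/2017 11:43:40 PM|Jane Doe|ppd_12|100.00
7/3/2017 9:15:02 AM|John Roe|crd_a|1200.00
7/3/2017 9:20:11 AM|Ann Poe|crd_b|600.00
7/3/2017 9:21:40 AM|Ann Poe|crd_c|600.00
"""
# Monthly rent due per account (constructed).
BILLED = {"Jane Doe": Decimal("1200.00"), "John Roe": Decimal("1200.00"),
          "Ann Poe": Decimal("1200.00")}


def parse(rows):
    """Turn 'timestamp|account|card token|amount' lines into dicts."""
    txns = []
    for line in rows.strip().splitlines():
        ts, account, card, amount = line.split("|")
        txns.append({
            "ts": datetime.strptime(ts, "%m/%d/%Y %I:%M:%S %p"),
            "account": account, "card": card, "amount": Decimal(amount),
        })
    return txns


def split_payment_alerts(txns, billed):
    """Alert when one account pays in many equal, round amounts from many cards in a day."""
    groups = defaultdict(list)
    for t in txns:
        groups[(t["account"], t["ts"].date())].append(t)

    alerts = []
    for (account, day), items in sorted(groups.items(), key=lambda kv: kv[0]):
        cards = {t["card"] for t in items}
        amounts = {t["amount"] for t in items}
        equal_round = len(amounts) == 1 and min(amounts) % ROUND_UNIT == 0
        if len(items) < MIN_PAYMENTS or len(cards) < MIN_DISTINCT_CARDS or not equal_round:
            continue
        times = sorted(t["ts"] for t in items)
        total = sum(t["amount"] for t in items)
        alerts.append({
            "account": account, "day": day.isoformat(),
            "payments": len(items), "distinct_cards": len(cards),
            "denomination": min(amounts), "total": total,
            "span": times[-1] - times[0],
            # Context for the analyst: the pieces add up exactly to the bill.
            "covers_bill": total == billed.get(account),
        })
    return alerts


if __name__ == "__main__":
    for alert in split_payment_alerts(parse(ROWS), BILLED):
        print(alert)
```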
Continuing Education for Talent
Emerging technologies continue to change the regulatory landscape, and as technology
changes, so do fraud patterns and behaviors. A valuable BSA professional will have to adapt to
changes and become a cyber detective as fraudsters no longer have a face and are hidden
behind a computer screen. Digital bread-crumb trails must be followed through the use of
software systems and online resources. It is crucial that during the development of a new
payment platform, gaps in systems are identified and not left open to cyber criminals. Simply
put, Fintech companies will need to invest in people not just machines. “Confronted with the
seeming intractability of dealing with fraud, many organizations decide to pour even more
resources into technology. Yet these investments invariably reach a point of diminishing
returns, particularly in combating internal fraud. So, while technology is clearly a vital tool in
the fight against fraud, it can only ever be part of the solution.”16 (Statement from PWC’s fraud
survey)
Continuing education for talent is needed in order to meet regulatory requirements for a BSA
compliance program and should also be used as a second layer of defense. This second layer of
protection can be leveraged during system failures and in detecting new and emerging fraud for
your institution. For Fintech companies, financial institution experience is often a prerequisite
for applicants applying for positions in BSA compliance. However, individuals with BSA
experience in the traditional bank setting must receive training and continue to immerse
themselves in targeted learning opportunities. The targeted learning should be Fintech
centered and geared toward their industry in order to create awareness to the types of fraud
that can intrude on their business operations.
A good example of varying typologies within different lines of business is comparing traditional
identity fraud versus synthetic identity fraud. The following diagram illustrates identity fraud
and how it has evolved from traditional identity fraud to synthetic identity fraud. Typically,
traditional identity fraud occurred at traditional financial institutions, while different forms of
synthetic identity fraud are most often seen in the payments industry. However, synthetic
identity fraud can still occur within traditional banking environments, especially as more banks
adopt online account opening programs.
16 PwC (2018). Pulling Fraud out of the Shadows: Global Economic Crime and Fraud Survey 2018. Retrieved from
https://www.pwc.com/fraudsurvey
Synthetic Identity and Credit Privacy Numbers (CPN)
Synthetic identity in payments fraud is one of the fastest-growing financial crimes in the United
States. Synthetic identity in the United States appears to be more prevalent than in other
countries due to the use of static customer information, such as Social Security numbers (SSNs).
In the payments industry, a common way for someone to create a synthetic identity is through
the use of a Credit Privacy Number (CPN), also referred to as Secondary Credit Numbers (SCN).
Fraudsters oftentimes will use a CPN instead of a Social Security number. CPNs are valid but
unissued Social Security numbers which are not yet assigned by the Social Security
Administration. Disreputable credit repair agencies will sell a CPN to an individual who needs to
reestablish credit. However, using a CPN for the purpose of applying for credit is a federal
crime, according to the Federal Trade Commission (FTC). In fact, the FTC has put out the
following warning: “Companies promising a ‘new credit identity’ say they can help you hide bad
credit history or bankruptcy for a fee. If you pay them, these companies will provide you with a
nine-digit number that looks like a Social Security number. They may call it a CPN—a credit
profile number or a credit privacy number. They may lie and tell you that this process is legal,
but it is a scam. These companies may be selling stolen Social Security numbers, often those
taken from children. By using a stolen number as your own, the con artists will have involved
you in identity theft.”17
17 Federal Trade Commission: Credit Repair Scams. Retrieved from www.consumer.ftc.gov/articles/0225-credit-repair-scams
“Synthetic Identity Fraud in the U.S. Payment System: A Review of Causes and
Contributing Factors” figure, Federal Reserve, Payments Fraud Insights, July 2019.
Fabricated SSNs are so common in synthetic identity fraud that ID Analytics estimates that
nearly 40 percent of synthetic identities used a randomized SSN.18
The payments industry is vulnerable to synthetic identity fraud at each phase of the payments
life cycle. The phases include enrollment, transaction processing, and reconciliation. Detecting
at what phase the synthetic identity was used goes back to investing in people and not just
machines. While there is software that can help sift through the CIP information entered to
detect the obvious red flags, it will be employee talent that can take all the information from
each phase to determine where and how the failure occurred.
Collaboration With Law Enforcement
Previously, BSA collaboration with information security was mentioned, and although it is great for a BSA department to foster relationships within the company, external relationships are just as important. Oftentimes regulators will ask during an exam about the fraud trends seen in your line of business by geographical area and if trends have been shared with local law enforcement.
Collaboration does not necessarily mean picking up the phone or sending an e-mail to your law enforcement contacts. Collaboration can include networking at local industry chapter meetings or joining a local task force. Membership in a local task force or industry groups is not only a benefit to law enforcement and a necessity in carrying forth the mission of the U.S. Bank Secrecy Act, it’s also a great benefit for your payments business. Roundtable discussions and industry presentations can give you clear insight about fraud trends that could be plaguing your industry. Building your contacts list of various branches in law enforcement can help when fraud trends that need to be addressed are identified at your institution.
Collaboration between technology companies and law enforcement can help in the mission of BSA to fight crime. A report published by the Center for Strategic and International Studies recently outlined the challenges of law enforcement having access to technology data. In the report, recommendations are made for technology companies and law enforcement to work together in a streamlined process and for the need for technology companies to be engaged. “Continued and increased engagement by tech companies would help ensure that law enforcement knows where to go to request particular data, the range of data available, and how to appropriately tailor their requests. Moreover, there is a clear need for best practices and industry standards that new entrants to the market and smaller-scale providers can adopt as well.”19
18 Id:Analytics (March 2019). All synthetic identities are not created equal: Examining purported synthetic signatures. Retrieved from https://www.idanalytics.com/wp-content/uploads/2019/03/Synthetic-Identities-Are-Not-Created-Equal-Executive-Summary.pdf
19 William A. Carter & Jennifer C. Daskal. July 2018. Low-Hanging Fruit: Evidence-Based Solutions to the Digital Evidence Challenge. A Report of the CSIS Technology Policy Program. Center for Strategic and International Studies, Washington DC.
Birthing Tourism and Immigration Fraud
The following is an example of how BSA collaboration with law enforcement helped to build a
case for illegal activity. In 2015, federal agents raided 37 locations in Southern California in an
attempt to gather evidence for illegal activity related to birthing tourism businesses for wealthy
Chinese families. In the past, only zoning laws were the primary legal tool against maternity
hotels, as it was legal for pregnant foreigners to visit the United States and give birth while
visiting. However, most recently in January 2019, federal prosecutors charged 19 people linked
to Chinese “Birth Tourism” schemes. Three defendants were arrested and charged with
conspiracy to commit immigration fraud, international money laundering, identity theft, and
false tax returns.20 Law enforcement relies on BSA reporting of suspicious activity in order to
identify and investigate crimes through FinCEN, which provides specialized analysis of BSA
information filed by the nation’s financial industries.21
In the payments industry, scenarios that could potentially point to activity related to immigration
fraud can include multiple payments made by one individual for further credit for services
benefiting multiple individuals. Payment platforms used to pay rent, phone bills, and other
service providers are susceptible to this type of activity occurring on their payment platforms.
This type of transaction data is extremely valuable to law enforcement and can help with the
missing pieces of data that traditional financial institutions cannot provide in subpoena requests.
FinCEN continues to recognize the importance of BSA reporting through the FinCEN director’s Law
Enforcement Awards program, in which cases are recognized where BSA reporting is used to aid law
enforcement in creating a financial trail for cases. FinCEN director Kenneth Blanco states,
“BSA data is an important part of our national security apparatus and how we protect the people
of our nation from criminals, terrorists, and other bad actors. The successful prosecution of the
cases recognized here today demonstrates that the information that financial institutions report
to us through their BSA filings makes a difference in the lives of many people every day.”22
20 Department of Justice U.S. Attorney’s Office Central District of California. (2019, January 31). Federal Prosecutors Unseal Indictments Naming 19 People Linked to Chinese ‘Birth Tourism’ Schemes that Helped Thousands of Aliens Give Birth in U.S. to Secure Birthright Citizenship for Their Children.
21 FinCEN, Support of Law Enforcement. Retrieved from https://www.fincen.gov/resources/law-enforcement/support-law-enforcement
22 Remarks from Kenneth Blanco. FinCEN, Office of Public Affairs. (2019, May 16) FinCEN Holds Fifth Annual Awards Program to Recognize Importance of Bank Secrecy Act Reporting by Financial Institutions [Press Release].
PUT SIMPLY, UNLESS LAW ENFORCEMENT OFFICIALS ARE
ADEQUATELY INFORMED ABOUT WHAT KIND OF DATA
PROVIDERS HAVE AVAILABLE, THEY ARE NOT IN THE
POSITION TO KNOW WHAT THERE IS TO ASK FOR – LET
ALONE DETERMINE IF IT IS RELEVANT.
—CSIS
Recommendation Summary
In the beginning stages of product development, internal collaboration between compliance
and product developers is a must. Compliance should serve as an advisor to development
teams on identifying risks. Product development should include controls in the front end to
mitigate risk at the main point of payment portal entry by the consumer. These controls can
include velocity checks, address verification controls, IP address geolocation checks, BIN
number comparisons, and implementing CAPTCHA technology. Controls at the front end
protect the company and consumers from losses. Use reputable third-party vendors with
knowledge of regulatory compliance as it pertains to your industry. Prior to launching the product,
validate your data by building a test environment to ensure proper collection of data.
Implement a strong cybersecurity program, and make sure that it is a collaborative effort
between compliance and information security.
Maintain your new payments product and stay in compliance with ongoing monitoring of
customer transactions using automated monitoring software. Find the right AML/fraud
monitoring software for your industry and needs. When choosing your monitoring software,
make sure that the software is flexible in allowing for customization. Choose the right software
provider who will continue to ensure that your business is successful by staying abreast of
regulatory changes in your industry and investing in software enhancements to keep up with
fraud trends and regulatory expectations. Validate information coming into your monitoring
software, and fine-tune the software to reduce false-positive alerts and capture fraud occurring at
your institution.
Hire experienced talent and provide them with targeted learning opportunities in the Fintech and
payments industry. Properly trained staff is an additional step in protecting your product and
company from evolving trends in financial crimes. Collaborate with law enforcement by joining
local industry meetings and local task forces aimed at preventing financial crimes. Work with
law enforcement, and provide data as needed in a streamlined process. Be engaged in
information requests from law enforcement and inform them on how to appropriately tailor
their requests based on the data that is available at your institution.
Conclusion
Recently, at the 2019 International Association of Financial Crimes Investigators conference,
Edmund Moy, who served as director of the United States Mint from 2006–2011, presented his
10 predictions on the future of currency. In the first prediction, regarding whether one form of
currency and payment system will supplant all others, Mr. Moy stated, “Multiple forms of
currency and payment systems will coexist, and consumers will choose the best option for each
transaction.”23 He further explained that cash “is not going away” and that the physical U.S.
dollar will simply decline as electronic and digital transactions’ market shares continue to grow.
According to his eighth prediction, with the growth in electronic transactions, cyber fraud will
also be increasing.
Cyber fraud is here to stay and will be constantly evolving. Businesses will need to continue to
make investments to combat the fraud both in their systems and people. Successful businesses
will have to find the right balance of being innovative while protecting their customers from
risk. Customers want convenience; however, at the end of the day, they want to trust that your
business is keeping their information secure. Experian recently stated, “Industry leaders that
foster consumer trust may be the most well placed to seed more advanced tools.”24
Businesses that protect their consumers are also simultaneously protecting their business.
Although online fraud has become more prevalent as the world moves from traditional financial
products and services to online financial service providers, transparency is key. Businesses need
to be transparent in the type of personal data that is collected and how it is used to foster
customer trust. Protecting the customer will in turn protect the business. Negative news can
hurt the reputation of a business and can also result in regulatory fines for failures in something
like customer data protection. How an institution handles fraud and protecting the consumer is
something that regulatory agencies will be looking at. Placing compliance at the forefront of
product development and implementation will provide strength and stability in an ever-
changing Fintech and regulatory climate.
________________________________________
23 Edmund Moy, “The Future of Currency: 10 Predictions” (speaker, 2019 IAFCI Annual Training Conference, Raleigh, NC).
24 Experian, 2019 Global Identity and Fraud Report. (January 2019). Customer Trust: Building Meaningful Relationships Online.
References
Articles, Reports, and Presentations
Anthony, B. (lead) (2018). On-ramps, intersections, and exit routes: A roadmap for systems and industries to prevent and disrupt human trafficking. Polaris. Retrieved from https://polarisproject.org/a-roadmap-for-systems-and-industries-to-prevent-and-disrupt-human-trafficking
Blanco, K. (remarks) (2016). FinCEN holds fifth annual awards program to recognize importance of bank secrecy act reporting by financial institutions [press release]. FinCEN, Office of Public Affairs. Retrieved from https://www.fincen.gov/news/news-releases/fincen-holds-fifth-annual-awards-program-recognize-importance-bank-secrecy-act
Carter, W.A. & Daskal, J.C. (2018). Low-hanging fruit: Evidence-based solutions to the digital evidence challenge. Center for Strategic and International Studies (CSIS), Washington DC. Retrieved from https://csis-prod.s3.amazonaws.com/s3fs-public/publication/180725_Carter_DigitalEvidence.pdf
CSBS.org (2017). The emerging payments and innovation task force. CSBS. Retrieved from https://www.csbs.org/emerging-payments-and-innovation-task-force
id:analytics (2019). All synthetic identities are not created equal: Examining purported synthetic signatures. Retrieved from https://www.idanalytics.com/wp-content/uploads/2019/03/Synthetic-Identities-Are-Not-Created-Equal-Executive-Summary.pdf
Moy, E. (2019). The future of currency: 10 predictions. 2019 IAFCI Annual Training Conference, Raleigh, NC, August 26, 2019.
New York Department of Financial Services (2018). Consent order under New York banking law § 39 and 44: Western Union Financial Services, Inc. Retrieved from https://www.dfs.ny.gov/docs/about/ea/ea180104.pdf
Peterson, B. (2019). Fighting fraud in a fintech world. Experian. Retrieved from http://www.experian.com/blogs/insights/2019/02/fighting-fraud-fintech-world/
PwC (2018). Pulling fraud out of the shadows: PwC’s global economic crime and fraud survey 2018. Retrieved from https://www.pwc.com/fraudsurvey
Pymnts.com/Green Dot (2019). Where will we bank next?: Consumer choice and banking services in the digital age. Pymnts.com. Retrieved from https://www.pymnts.com/wp-content/uploads/2019/04/WhereWillWeBankNext-April-2019.pdf
The Federal Reserve (2019). Synthetic identity fraud in the U.S. payment system. Payments Fraud Insights, July 2019.
United States Attorney’s Office: Central District of California (2019). Federal prosecutors unseal indictments naming 19 people linked to Chinese ‘birth tourism’ schemes that helped thousands of aliens give birth in U.S. to secure birthright citizenship for their children [press release]. United States Department of Justice. Retrieved from https://www.justice.gov/usao-cdca/pr/federal-prosecutors-unseal-indictments-naming-19-people-linked-chinese-birth-tourism
Vilinus, T.Z. (remarks) (2019). Balancing Fintech opportunities and risks [press release]. EIN Newsdesk. Retrieved from https://www.einnews.com/pr_news/487574479/balancing-fintech-opportunities-and-risks
Statutes and Guidance
Financial Crimes Enforcement Network (FinCEN) and U.S. Department of the Treasury/Internal Revenue Service (2008). Bank secrecy act/anti-money laundering exam manual for money service businesses. Retrieved from https://www.fincen.gov/sites/default/files/shared/MSB_Exam_Manual.pdf
New York State Department of Financial Services (2017). 23 NYCRR 500: Cybersecurity requirements for financial services companies. Retrieved from https://www.dfs.ny.gov/docs/legal/regulations/adoptions/dfsrf500txt.pdf
United States Congress (2019). Bank Secrecy Act (BSA) Regulation: CFR Chapter X §1022.21031 – Anti-money laundering programs for money services businesses. e-CFR. Retrieved from https://www.ecfr.gov/cgi-bin/text-idx?SID=9bd185e43e8c6b2ef75acbb2e228806d&mc=true&node=se31.3.1022_1210&rgn=div8
International Agency Publications
CSBS (2017). The emerging payments and innovation task force. CSBS.org. Retrieved from https://www.csbs.org/emerging-payments-and-innovation-task-force
Demirgüç-Kunt, A., Klapper, L., Singer, D., Ansar, S., & Hess, J. (2018). The global findex database 2017: Measuring financial inclusion and the fintech revolution. The World Bank. Retrieved from http://documents.worldbank.org/curated/en/332881525873182837/The-Global-Findex-Database-2017-Measuring-Financial-Inclusion-and-the-Fintech-Revolution
Financial Stability Board (2019). FinTech and market structure in financial services: Market developments and potential financial stability implications. FSB.org. Retrieved from https://www.fsb.org/wp-content/uploads/P140219.pdf
Online Resources
Federal Trade Commission (n.d.). Credit repair scams. Federal Trade Commission Consumer Information. Retrieved from https://www.consumer.ftc.gov/articles/0225-credit-repair-scams
Financial Crimes Enforcement Network (FinCEN) (n.d.). Support of law enforcement. Retrieved from https://www.fincen.gov/resources/law-enforcement/support-law-enforcement
Krebs, B. (2014). Peek inside a professional carding shop. Krebs on Security. Retrieved from https://krebsonsecurity.com/2014/06/peek-inside-a-professional-carding-shop/
Infintech (2019). Carding: Fraud that impacts merchants. Innovative Financial Technologies, LLC. Retrieved from https://www.infintechllc.com/carding-fraud-that-impacts-merchants/
Wikipedia (2019). Fintech. Accessed July 19, 2019. Wikipedia.org. Retrieved from https://en.wikipedia.org/wiki/Financial_technology