Fintech: Preventing Payment Platforms From Becoming Conduits for Illicit Activity
Encouraging Innovation While Protecting Consumers and Business From Risk

Blanca Rojas, CAMS CAMS FCI Candidate, October 2019

The views and opinions expressed in this paper are largely that of the author and do not necessarily represent that of RealPage Payments Services LLC. The content is not to be relied upon as legal advice or in lieu of counsel.


Table of Contents

Executive Summary
Introduction
Building Technology for AML and Fraud Risk
    Carding Fraud
    Controls to Mitigate Carding Fraud
Tools for BSA/AML Monitoring
    AML Transaction Monitoring Software
    Prepaid Cards and Human Trafficking
Continuing Education for Talent
    Synthetic Identity and Credit Privacy Numbers (CPN)
Collaboration With Law Enforcement
    Birthing Tourism and Immigration Fraud
Recommendation Summary
Conclusion
References
    Articles, Reports, and Presentations
    Statutes and Guidance
    International Agency Publications
    Online Resources


Executive Summary

“Technology knows no borders. Neither does financial misconduct” (Tao Zhang, IMF deputy managing director).1 As a tech-savvy society, we are eager to purchase the next new phone application to make our lives easier. With consumer trust and demand for technology comes the rise of financial technology companies or “Fintech.” Competition to bring forth the next big thing is great as it fosters innovation and inclusion; however, it is the rapid pace to get the product to market that is concerning as anti-money laundering (AML) and fraud risk is potentially overlooked. The purpose of this paper is to discuss some of the challenges seen in Fintech, specifically in payments. This paper will highlight considerations that need to be made prior to releasing a new payments product. The main focus will be on payment system vulnerabilities and tools needed to monitor fraud and comply with regulatory obligations, to ensure a successful business in the rapidly changing world of Fintech.

Introduction

The advent of digital technology was first received with skepticism from traditional financial institutions designed to service the needs of the traditional check-cashing business or money transmitters. Suddenly, a different kind of financial service provider needed banking services. Banks at the time were also seeing an increase in regulatory fines and penalties for violations in AML programs, resulting from failure to place appropriate risk scores and controls on these inherently high-risk customers. Fears of being penalized and fined for violations led to the wave of de-risking or exiting high-risk customer relationships in order to control institutions’ risk. Banks were terminating existing money services business (MSB) clients and were refusing to onboard new clients with nontraditional business models, assuming that they were an even higher risk than their traditional peers. These new clients were also moving money much like a bank, only faster; hence the name “Fintech” was born. Fintech, by Wikipedia’s definition, is “new applications, processes, products, or business models in the financial services industry, composed of one or more complementary financial services and provided as an end-to-end process via the Internet.”2

While Fintech companies were having a tough time obtaining access to banking services, the need for financial inclusion of the unbanked consumer was a global problem as well. National governments began to adopt policies in which financial technology companies could have a clear understanding and framework in which to operate in order to bring financial services to consumers who had no access to traditional financial institutions. The importance of financial inclusion led the World Bank to create the Global Findex Database to increase financial inclusion worldwide.

1 Tao Zhang Vilinus, “Balancing Fintech Opportunities and Risks.” (remarks by IMF deputy managing director, presented at IMF conference, Lithuania, June 10, 2019.)
2 “Fintech.” Accessed July 19, 2019. Retrieved from https://en.wikipedia.org/wiki/Financial_technology


According to the World Bank in its 2017 Global Findex data report, recent progress has been made in financial inclusion that has been driven by payments, government policies, and a new generation of financial services that can be accessed through mobile phones and the Internet.

The World Bank goes on to list Africa as an example of the power of financial technology by mentioning how expanded access has allowed 21 percent of Sub-Saharan Africa to now have a mobile money account, which is nearly twice the amount since 2014. The use of digital payments is increasing for the banked as well; globally, 52 percent of adults have also sent or received digital payments in the past year.3

In a recent survey conducted by PYMNTS.com in February 2019, 57.5 percent of consumers expressed an interest in getting some of their banking services from nonbanks.4 The Financial Stability Board (FSB), a financial watchdog organization composed of the G-20’s central banks, also recently stated, “Fintech firms and large, established technology companies (‘BigTech’), could materially alter the universe of financial services providers.”5 However, in FSB’s recent publication, the focus is not on the direction in which Fintech is heading but rather the way in which Fintech will operate and comply with regulatory standards.

The payments industry and specifically those registered as MSBs with FinCEN also require licensing in the state in which they operate. However, many payments companies operate in more than one state or jurisdiction, and the burden of licensing in multiple states is an added stressor for compliance departments. Compliance departments unable to balance state licensing and AML program requirements have begun to outsource the administrative burden of managing state licenses with items such as renewals, invoicing, and reporting. Even with the administrative part of licensing outsourced, compliance departments are faced with evolving AML and fraud concerns. In the area of BSA/AML and fraud, compliance professionals need to be aware of system gaps that make it easier for fraudsters to exploit payment platforms. If a state regulator perceives that there is a recurring fraud pattern occurring in a payment platform, then the question begs to be answered regarding what the licensed MSB is doing to solve the issue and mitigate risk for the consumer as well as the business.

3 Asli Demirgüç-Kunt, Leora Klapper, Dorothe Singer, Saniya Ansar, and Jake Hess. 2018. The Global Findex Database 2017: Measuring Financial Inclusion and the Fintech Revolution. Overview booklet. Washington, DC: World Bank. License: Creative Commons Attribution CCBY 3.0 IGO
4 “Where Will We Bank Next: Consumer Choice and Banking Services in The Digital Age.” Pymnts.com. April 2019. Retrieved from https://www.pymnts.com/wp-content/uploads/2019/04/WhereWillWeBankNext-April-2019.pdf
5 Financial Stability Board (February 2019). FinTech and market structure in financial services: Market developments and potential financial stability implications. Retrieved from https://www.fsb.org/wp-content/uploads/P140219.pdf

As part of the ever changing and emerging Fintech climate, the Conference of State Bank Supervisors (CSBS) started the Emerging Payments and Innovation Task Force to study the changing payments systems and the impact on consumer protection, state law, banks, and nonbank entities chartered or licensed by the states. The task force aims “to understand how new entrants and technologies affect the stability of the payment systems and the broader financial market place and to develop ideas for connecting the emerging payments landscape to the financial regulatory fabric.”6

The following content will include specific action items for new Fintech companies to implement at the beginning stages of building their technology to prevent payment platforms from being misused. Examples will be provided through case studies on how weak systems can expose consumers to fraud and solutions on how to remediate fraud exposure. Lastly, specific measures will be included to enhance AML monitoring programs and protect the BSA function from regulatory and reputational risk. The following information will not just serve as a resource for CEOs entering into the Fintech space, but it will also be valuable to compliance professionals leaving traditional banking roles to pursue careers in Fintech. The following content will also serve as a tool for banking partners conducting enhanced due diligence reviews of Fintech companies; banks can determine if the Fintech company’s risk and mitigation strategies will allow for a mutually beneficial partnership.

Building Technology for AML and Fraud Risk

Internal collaboration is key and the reason why successful Fintech companies have dedicated data scientists for BSA compliance programs. Timing is essential when releasing innovative technology, and, in the rush to get product to market, compliance is often overlooked. Early product development meetings should include compliance in order to identify and control risk. It is vital for compliance professionals and software developers to work together in building out payment platforms. Although it may be challenging for BSA professionals to understand a software developer’s language and vice versa, an understanding of the key regulatory requirements for BSA compliance must be reached.

When building technology, third-party vendors are essential, counterintuitive as that may seem. While Fintechs pride themselves on having their in-house talent build solutions, it is worth scoping third-party vendors for those requirements that cannot be met with an in-house build. Third-party software is needed to help in regulatory compliance efforts. Finding the right vendor who knows the laws and regulations is vital. Building a payment platform for speed and ease of use is great for the consumer; however, building a simple product that does not validate the information entered by the consumer is a risk. Third-party vendors can assist with this consumer risk by plugging into payment platforms and performing identity verification and screening data entered in by consumers against government watch lists. Reputable third-party vendors will have conducted their own security assessments to ensure that their products are performing as they should, and they should also be able to provide their own third-party testing results for the Fintech’s own vendor management program.

6 CSBS (March 2017). The Emerging Payments and Innovation Task Force. Retrieved from https://www.csbs.org/emerging-payments-and-innovation-task-force


Testing must be conducted to verify that data is being collected properly during the onboarding process. Know your customer (KYC) is not just a regulatory requirement but a preventative measure for onboarding fraud. Building a test environment or “sandbox” in which to test data prior to going live is vital. This practice ensures that the system is working properly prior to the consumer-facing product’s release.

Regulatory agencies are implementing cybersecurity regulations across the country to safeguard customer information by requiring companies to protect their systems from cyberattacks and unauthorized access. This is why New York’s Department of Financial Services brought forth regulation establishing cybersecurity requirements for financial service companies, otherwise known as 23 NYCRR 500.7 The following are questions to consider when putting together a cybersecurity program:

• How secure is your payment platform, and are you continually performing updates and patches on your software?
• Are you conducting network penetration tests on a regular and scheduled basis?
• How are you managing internal access and third-party vendor access? These decisions need to be made prior to the release of any financially regulated product, and collaboration between IT departments and compliance is a must.
• Are your developers placing the right controls in place to prevent fraud from occurring in your payment platform?
• Are stop-gaps in place for declines, or can a consumer attempt a payment an unlimited number of times?

Building a payment platform with weak controls in place leaves the platform exposed to risk, such as the following type of cyber-crime.

Carding Fraud

Carding fraud is the process fraudsters use to determine whether stolen credit card numbers are active and have not yet been reported lost or stolen. To test whether a stolen card number can be used, fraudsters will visit donation or eCommerce websites and payment portals to initiate multiple transactions; the person doing this is known as the “checker.” Checkers will obtain bundles of cards from the digital underground, which may involve the dark web or sit in plain sight on the surface web. Fraudsters will purchase bundles of cards, most likely originating from a data breach, from websites referred to as “dump shops.” The bundles of cards, or “dumps,” are strings of data in a text file that include the card information for that particular bundle. These dump shops are so sophisticated that fraudsters can pick and use the credit card’s originating bank as well as the city and state tied to the card. Having the option to choose what region the stolen card is from makes it easier for the fraudster’s purchases to appear legitimate when purchasing with stolen credit card information.

7 New York State Department of Financial Services (2017, March 1), 23 NYCRR 500 Cybersecurity Requirements for Financial Services Companies.


The price paid per stolen credit card varies and can be as low as one dollar or up to a couple of hundred dollars, depending on the date the card was obtained. New cards that are added to the dump shop are referred to as “fresh sniffs” and are more expensive to purchase. Below is a screen shot of what web security advisor Brian Krebs from Krebs on Security8 (Krebs 2014) found when he went behind the scenes at McDumpals to see what black-market payment card fraud looks like.

Cards advertised at valid rates in excess of 90 percent typically demand the highest prices and are a strong indicator of a breach that has only just been discovered by the breached merchant or some of the larger financial institutions.
—Brian Krebs

Controls to Mitigate Carding Fraud

Red flags for carding fraud can include any of the following:

• A single card used repeatedly in quick succession for low or identical dollar amounts
• Multiple cards used repeatedly in quick succession for low or identical dollar amounts
• Multiple cards with the same name and/or billing address from the same IP address
• Multiple cards with different name and/or billing address from the same IP address
• Multiple cards with different billing addresses but an identical Bank Identification Number (BIN)

8 Brian Krebs (June 2014). Peek Inside a professional carding shop. Krebs on Security. Retrieved from https://krebsonsecurity.com/2014/06/peek-inside-a-professional-carding-shop/


Payment platforms targeted with this type of activity can use the following measures to mitigate risk:

• Velocity checks – Multiple transactions with different account numbers originating from the same IP address can be an indicator that the customer is using software for carding. A transaction velocity threshold can be placed to limit the number of customer transactions conducted daily.
• Address Verification System (AVS) – While this will not help if fraudulent names are entered, it will validate the numeric components of the address and ZIP code and allow you to confirm the address of the cardholder.
• Card Verification Value 2 (CVV2) – The three-digit code on the back of the card is effective against online fraud. CVV2 can be used to prevent account enumeration attacks where the fraudster has generated the account number and is testing accounts with only an expiration date.
• IP geolocation checks – Verify that the IP address is not a proxy IP address or originating from a Tor browser used to disguise the true location of the consumer. Again, as mentioned above, multiple transactions from the same IP address are another fraud indicator.
• Device ID – Consider capturing the device ID to identify the cardholder and to verify that the same device is not being used for multiple payment profiles or accounts.
• Bank Identification Numbers (BIN) – If your payment platform is receiving several transactions within a span of days from the same BIN, more than likely your payments portal is being used for carding. Consider monitoring unusual transaction patterns or velocities on a single BIN.
• CAPTCHA technology – Consider implementing this technology to verify that the person making the payment through your portal is a human and not an automated software or bot (robot) abusing your system.

The measures listed above are a few of the ways to help prevent your payment platform from being part of a carding attack. There are several third-party vendors that also offer solutions that go beyond basic measures and can create built-in fraud filters on payment platforms. According to third-party software provider Infintech, “Fraud filters will let you accept or reject transactions that seem risky by scoring transactions based on a number of additional factors.” Infintech also adds that another measure for protection from carding would be to set minimum transaction amounts: “Most carders initiate between $0.01 and $15 to verify the authenticity of a stolen card. Be sure to set reasonable limits to detect fraud.”9

9 Infintech (June 2019). Carding Fraud That Impacts Merchants. Retrieved from https://www.infintechllc.com/carding-fraud-that-impacts-merchants/
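
The red flags and the velocity, decline and BIN checks described above can be expressed as sliding-window rules over payment attempts. The following Python sketch is an added example, not code from the paper or from any vendor it names; the thresholds, the `Attempt` fields, the rule names and the sample traffic are assumptions made for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Illustrative thresholds (assumptions); tune them against your own traffic.
WINDOW = timedelta(minutes=10)
LOW_AMOUNT_CENTS = 1500      # the $0.01-$15 card-testing range quoted above
MAX_ATTEMPTS_PER_CARD = 3
MAX_CARDS_PER_IP = 3
MAX_CARDS_PER_BIN = 4
MAX_DECLINES_PER_IP = 3


@dataclass(frozen=True)
class Attempt:
    ts: datetime
    ip: str
    card_token: str    # tokenized card; the detector never needs the raw number
    bin: str           # first six digits of the card
    amount_cents: int
    billing_zip: str
    approved: bool


def detect_carding(attempts):
    """Return a set of (rule, key) alerts from sliding-window checks."""
    by_card, by_ip, by_bin = defaultdict(deque), defaultdict(deque), defaultdict(deque)
    alerts = set()
    for a in sorted(attempts, key=lambda x: x.ts):
        # Add the attempt to each index and evict entries older than WINDOW.
        for index, key in ((by_card, a.card_token), (by_ip, a.ip), (by_bin, a.bin)):
            q = index[key]
            q.append(a)
            while a.ts - q[0].ts > WINDOW:
                q.popleft()

        # Red flag: one card used repeatedly for low or identical amounts.
        card_q = by_card[a.card_token]
        amounts = {x.amount_cents for x in card_q}
        if len(card_q) >= MAX_ATTEMPTS_PER_CARD and (
            len(amounts) == 1 or max(amounts) <= LOW_AMOUNT_CENTS
        ):
            alerts.add(("SINGLE_CARD_REPEAT", a.card_token))

        # Red flag: multiple cards from the same IP address.
        ip_q = by_ip[a.ip]
        if len({x.card_token for x in ip_q}) >= MAX_CARDS_PER_IP:
            alerts.add(("MULTI_CARD_SAME_IP", a.ip))

        # Stop-gap for declines: cap failed attempts per IP inside the window.
        if sum(not x.approved for x in ip_q) >= MAX_DECLINES_PER_IP:
            alerts.add(("DECLINE_VELOCITY", a.ip))

        # Red flag: many cards sharing a BIN but with different billing addresses.
        bin_q = by_bin[a.bin]
        if (len({x.card_token for x in bin_q}) >= MAX_CARDS_PER_BIN
                and len({x.billing_zip for x in bin_q}) > 1):
            alerts.add(("BIN_CLUSTER", a.bin))
    return alerts


# Constructed sample traffic (documentation IP ranges, made-up tokens and BINs).
T0 = datetime(2019, 10, 1, 2, 0, 0)


def mk(sec, ip, card, bin_, cents, zip_, ok):
    return Attempt(T0 + timedelta(seconds=sec), ip, card, bin_, cents, zip_, ok)


SAMPLE = [
    mk(0,   "198.51.100.7", "tok_rent", "520000", 120000, "75001", True),  # normal payment
    mk(60,  "203.0.113.9",  "tok_1",    "400000", 100,    "10001", False),
    mk(120, "203.0.113.9",  "tok_2",    "400000", 100,    "60601", True),
    mk(180, "203.0.113.9",  "tok_3",    "400000", 100,    "94105", False),
    mk(240, "203.0.113.9",  "tok_4",    "400000", 100,    "33101", False),
    mk(300, "203.0.113.9",  "tok_5",    "400000", 100,    "98101", True),
    mk(400, "203.0.113.50", "tok_z",    "510000", 500,    "73301", True),
    mk(430, "203.0.113.50", "tok_z",    "510000", 500,    "73301", True),
    mk(460, "203.0.113.50", "tok_z",    "510000", 500,    "73301", True),
]

if __name__ == "__main__":
    for rule, key in sorted(detect_carding(SAMPLE)):
        print(f"{rule:20} {key}")
```

The same card retried an hour apart falls outside the window and raises nothing, which keeps ordinary retries from adding customer friction.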


Tools for BSA/AML Monitoring

The first part of this paper focused on collaboration and technology when building a payment platform. Even with the strongest controls in place, fraud will inevitably find its way through systems. After a payments product is launched, it is important to have the right tools outside of the product to monitor activity within the product itself. There are two important tools that can be used to prevent illicit activity from occurring through a payment portal; these tools will also align with some of the requirements under the U.S. Bank Secrecy Act (BSA). Currently, payment platforms that are registered MSBs must have a BSA compliance program in place, per Regulation 31 CFR Chapter X §1022.210.10 A BSA compliance program for an MSB is required at minimum to have the following, known as the four pillars: internal controls through policies and procedures; designation of a compliance officer; BSA/AML training program; and independent audit to test program.11 The following tools can help with two of the pillar requirements for internal controls and training.

AML Transaction Monitoring Software

AML transaction monitoring software can be rules- or behavior-based or even a hybrid of both. Several third-party vendors offer products created with the typical brick-and-mortar financial institution in mind. However, with the advent of Fintech, software companies are cropping up with product offerings geared toward nonbank financial institutions. Machine-learning and AI technology is also something that existing AML software products are adding to their suite of solutions. Whether using a company that started out in bank or credit union AML software or one geared toward nonbank financial institutions, such as MSBs, having robust AML monitoring software is a must. It is important that the following points are considered when choosing software that caters to different types of financial institutions:

• Is the AML software flexible in customizing rules or behaviors that can be added to the software? Will you be charged more to customize software in order for it to work for your line of business?
• Is the AML software company dedicated to staying up-to-date on regulatory changes that can impact your MSB operations, and are they willing to make changes in the software to comply with regulatory requirements?
• How often are product releases made, and how invested is the company in upgrades and enhancements, especially those geared toward the Fintech industry?
• Is the AML software company working toward specific AI technologies, or does it offer services currently? Employing AI will help reduce the amount of human effort for routine tasks in order for employees to focus on complex responsibilities.

10 31 CFR Chapter X §1022.210 - Anti-money laundering
11 Bank Secrecy Act/Anti-Money Laundering Exam Manual for Money Service Businesses


Software chosen for a payments business should add value and not be just a box to check on a list of requirements. While the cost to implement AML software is considered a great expense, choosing the most affordable software with fewer bells and whistles can potentially cost more in the long run when it comes to detecting fraud in a constantly evolving landscape. A good software fit for a business should allow detection of fraud while reducing customer friction. As noted in a survey conducted by PWC on global economic crime and fraud, “As a customer, it can be reassuring—at first—to know a company continuously monitors fraud in the services it provides. But if the monitoring leads to frequent or repetitive alerts, that reassurance can quickly turn into irritation. This is known as customer friction and a growing challenge for organizations.”12

The value of your AML software will also be scrutinized by your regulators. Does your software’s output produce quality alerts? Are your employees able to see how transactions with fraud indicators manifest themselves in the software? Failure to identify different types of illicit activity could have dire consequences, as seen in recent regulatory enforcement actions such as in the case of Western Union, which was fined $60 million by the New York DFS. An investigation by DFS found that, for more than a decade, Western Union failed to implement and maintain an anti-money laundering compliance program to deter, detect, and report on criminals’ use of its electronic network to facilitate fraud, money laundering, and the illegal structuring of transactions below amounts that would trigger regulatory reporting requirements. In addition, the DFS investigation discovered that senior Western Union executives and managers willfully ignored, and failed to report to DFS, suspicious transactions to Western Union locations in China by several high-volume agents in New York, other states, and around the world, including money transfers that may have aided human trafficking.13

Having fine-tuned and sophisticated AML software will be your first line of defense in detecting fraud activity. Below is a look into one of the fastest growing global crimes and how your AML software can detect the fraud through the use of analytics and behaviors.

Prepaid Cards and Human Trafficking

Despite major progress, human trafficking continues to be a problem, and, according to Polaris, it is a $150 billion global industry that robs 25 million people around the world of their freedom.14 Banks, credit unions, and credit card companies have designed and implemented AML software that helps identify patterns in transactions for human trafficking. For example, a customer visits several gas stations and hotels in different cities in a short amount of time and, subsequently, withdraws cash from ATMs in close proximity to the hotels. This would potentially trigger an alert in a bank’s AML software. While suspicious transactions can easily be identified in a traditional financial institution, a newly formed MSB may not know how these suspicious transactions may appear in its monitoring systems.

12 PwC (2018). Pulling fraud out of the shadows: Global Economic Crime and Fraud Survey 2018. Retrieved from https://www.pwc.com/fraudsurvey
13 Department of Financial Services Issues Consent Order to Western Union Financial Services, Inc. January 4, 2018.
14 Polaris (July 2018). On-Ramps Intersections and Exit Routes: A Roadmap for Systems and Industries to Prevent and Disrupt Human Trafficking.


According to Polaris, “Many conversations with survivors on the Hotline, in the Polaris survey, and in Polaris focus groups, prepaid credit cards seem to be the preferred tender used by un-networked sex traffickers. These cards are difficult to trace using normal transactional monitoring because they enable anonymity. Prepaid cards allow traffickers to use illicit funds to purchase the necessities in order to facilitate their businesses without having their true identity linked to these purchases.”15

Looking at transactions initiated through a payment platform, the following suspicious transaction patterns can be a fraud indicator for human trafficking. Below is a hypothetical scenario in which suspicious transaction patterns point to human trafficking; the transactions were conducted using prepaid cards.

15 Polaris (July 2018). On-Ramps, Intersections, and Exit Routes: A Roadmap for Systems and Industries to Prevent and Disrupt Human Trafficking.

Jane Doe is one of four sex trafficked

victims living in the same apartment

unit. Jane used her personal

information to apply for the lease

and her monthly rent payments are

$1,200.00. Jane Doe and other

victims receive payment from

customers (Johns) in the form of

prepaid debit cards. Prepaid cards

are received in $100.00

denominations.

Victims collectively, all contribute to

paying the rent with prepaid cards;

the remaining cards or profits are

turned over to their trafficker.

Jane Doe logs on to her apartment’s

payment portal and begins to

conduct several transactions all in

the same day using one prepaid card

per transaction.

Proceeds of human trafficking in payments

| Transaction Date | Status | Payment Type | Operation Name | On Account | Transaction Number | Amount |
|---|---|---|---|---|---|---|
| 7/3/2017 11:43:40 PM CT | Processed | MasterCard | Sale | Jane Doe | 123456xxxx | $100.00 |
| 7/3/2017 11:39:10 PM CT | Processed | MasterCard | Sale | Jane Doe | 123456xxxx | $100.00 |
| 7/3/2017 11:35:12 PM CT | Processed | MasterCard | Sale | Jane Doe | 123456xxxx | $100.00 |
| 7/3/2017 11:10:19 PM CT | Processed | MasterCard | Sale | Jane Doe | 123456xxxx | $100.00 |
| 7/3/2017 11:04:51 PM CT | Processed | MasterCard | Sale | Jane Doe | 123456xxxx | $100.00 |
| 7/3/2017 10:50:27 PM CT | Processed | MasterCard | Sale | Jane Doe | 123456xxxx | $100.00 |
| 7/3/2017 10:44:08 PM CT | Processed | MasterCard | Sale | Jane Doe | 123456xxxx | $100.00 |
| 7/3/2017 10:37:18 PM CT | Processed | MasterCard | Sale | Jane Doe | 123456xxxx | $100.00 |
| 7/3/2017 10:02:51 PM CT | Processed | MasterCard | Sale | Jane Doe | 123456xxxx | $100.00 |
| 7/3/2017 6:42:51 PM CT | Processed | MasterCard | Sale | Jane Doe | 123456xxxx | $100.00 |
| 7/3/2017 6:39:02 PM CT | Processed | MasterCard | Sale | Jane Doe | 123456xxxx | $100.00 |
| 7/3/2017 6:35:43 PM CT | Processed | MasterCard | Sale | Jane Doe | 123456xxxx | $100.00 |

[Figure: Apartment Rent, $1200, split four ways. Jane Doe Pays $300; Victim Pays $300; Victim Pays $300; Victim Pays $300.]


The example above, which demonstrates how suspicious activity could manifest itself within a payments platform, relies on two things. First, does your AML software have scenario rules in place to detect the velocity of transactions occurring with different account numbers in a short time frame? Second, if your software alerts on said scenario rule, will your BSA staff know how to interpret the data? You can use technology to cut out the noise and produce quality alerts; however, in the end, the human element is still needed.
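The velocity scenario rule asked about above, sketched as an added example that is not from the original paper or from any vendor's product: it counts distinct cards per payer account inside a sliding time window, run over a constructed copy of the table's transactions. The card tokens, the two control accounts, the window lengths and the threshold are assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample data. Times, payer and $100.00 amounts follow the table
# above; the card tokens are invented because the table shows no card numbers.
JANE_TIMES = [(18, 35, 43), (18, 39, 2), (18, 42, 51), (22, 2, 51),
              (22, 37, 18), (22, 44, 8), (22, 50, 27), (23, 4, 51),
              (23, 10, 19), (23, 35, 12), (23, 39, 10), (23, 43, 40)]


def txn(h, m, s, account, card, cents, status="Processed"):
    return {"ts": datetime(2017, 7, 3, h, m, s), "account": account,
            "card": card, "cents": cents, "status": status}


def build_sample():
    rows = [txn(h, m, s, "Jane Doe", f"card-{i:02d}", 10_000)
            for i, (h, m, s) in enumerate(JANE_TIMES, 1)]
    # Control 1 (hypothetical): a tenant paying the full rent once, one card.
    rows.append(txn(9, 15, 0, "Tenant A", "card-A", 120_000))
    # Control 2 (hypothetical): a tenant retrying one card after two declines.
    rows.append(txn(20, 1, 0, "Tenant B", "card-B", 95_000, "Declined"))
    rows.append(txn(20, 2, 0, "Tenant B", "card-B", 95_000, "Declined"))
    rows.append(txn(20, 5, 0, "Tenant B", "card-B", 95_000))
    return rows


def velocity_alerts(txns, window=timedelta(hours=24), min_cards=3):
    """One alert per payer account whose busiest sliding window contains
    at least min_cards distinct cards among processed payments."""
    by_account = defaultdict(list)
    for t in txns:
        if t["status"] == "Processed":
            by_account[t["account"]].append(t)

    alerts = []
    for account, rows in by_account.items():
        rows.sort(key=lambda t: t["ts"])
        recent, best = deque(), None
        for t in rows:
            recent.append(t)
            # Drop payments that fell out of the window ending at t.
            while t["ts"] - recent[0]["ts"] > window:
                recent.popleft()
            cards = {r["card"] for r in recent}
            if len(cards) >= min_cards and (
                    best is None or len(cards) > best["distinct_cards"]):
                best = {
                    "account": account,
                    "distinct_cards": len(cards),
                    "first": recent[0]["ts"],
                    "last": t["ts"],
                    "total_cents": sum(r["cents"] for r in recent),
                    # Identical amounts suggest fixed-denomination cards.
                    "uniform_amount": len({r["cents"] for r in recent}) == 1,
                }
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    sample = build_sample()
    for label, win in (("15 min", timedelta(minutes=15)),
                       ("24 h", timedelta(hours=24))):
        for a in velocity_alerts(sample, window=win):
            print(f"[{label}] {a['account']}: {a['distinct_cards']} cards, "
                  f"${a['total_cents'] / 100:,.2f}, "
                  f"{a['first']:%H:%M:%S} to {a['last']:%H:%M:%S}, "
                  f"uniform={a['uniform_amount']}")
```

With a 15-minute window the rule sees only bursts of three cards; the 24-hour window surfaces all 12 cards totalling the $1,200.00 rent, which is the pattern an analyst then has to interpret. Neither control account alerts, because each uses a single card.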

Continuing Education for Talent

Emerging technologies continue to change the regulatory landscape, and as technology changes, so do fraud patterns and behaviors. A valuable BSA professional will have to adapt to changes and become a cyber detective as fraudsters no longer have a face and are hidden behind a computer screen. Digital bread-crumb trails must be followed through the use of software systems and online resources. It is crucial that during the development of a new payment platform, gaps in systems are identified and not left open to cyber criminals. Simply put, Fintech companies will need to invest in people, not just machines. “Confronted with the seeming intractability of dealing with fraud, many organizations decide to pour even more resources into technology. Yet these investments invariably reach a point of diminishing returns, particularly in combating internal fraud. So, while technology is clearly a vital tool in the fight against fraud, it can only ever be part of the solution.”16 (Statement from PwC’s fraud survey)

Continuing education for talent is needed in order to meet regulatory requirements for a BSA compliance program and should also be used as a second layer of defense. This second layer of protection can be leveraged during system failures and in detecting new and emerging fraud for your institution. For Fintech companies, financial institution experience is often a prerequisite for applicants applying for positions in BSA compliance. However, individuals with BSA experience in the traditional bank setting must receive training and continue to immerse themselves in targeted learning opportunities. The targeted learning should be Fintech-centered and geared toward their industry in order to create awareness of the types of fraud that can intrude on their business operations.

A good example of varying typologies within different lines of business is comparing traditional identity fraud versus synthetic identity fraud. The following diagram illustrates identity fraud and how it has evolved from traditional identity fraud to synthetic identity fraud. Typically, traditional identity fraud occurred at traditional financial institutions, while different forms of synthetic identity fraud are most often seen in the payments industry. However, synthetic identity fraud can still occur within traditional banking environments, especially as more banks adopt online account opening programs.

16 PwC (2018). Pulling Fraud out of the Shadows: Global Economic Crime and Fraud Survey 2018. Retrieved from https://www.pwc.com/fraudsurvey


Synthetic Identity and Credit Privacy Numbers (CPN)

Synthetic identity in payments fraud is one of the fastest-growing financial crimes in the United States. Synthetic identity in the United States appears to be more prevalent than in other countries due to the use of static customer information, such as Social Security numbers (SSNs). In the payments industry, a common way for someone to create a synthetic identity is through the use of a Credit Privacy Number (CPN), also referred to as a Secondary Credit Number (SCN). Fraudsters oftentimes will use a CPN instead of a Social Security number. CPNs are valid but unissued Social Security numbers which are not yet assigned by the Social Security Administration. Disreputable credit repair agencies will sell a CPN to an individual who needs to reestablish credit. However, using a CPN for the purpose of applying for credit is a federal crime, according to the Federal Trade Commission (FTC). In fact, the FTC has put out the following warning: “Companies promising a ‘new credit identity’ say they can help you hide bad credit history or bankruptcy for a fee. If you pay them, these companies will provide you with a nine-digit number that looks like a Social Security number. They may call it a CPN—a credit profile number or a credit privacy number. They may lie and tell you that this process is legal, but it is a scam. These companies may be selling stolen Social Security numbers, often those taken from children. By using a stolen number as your own, the con artists will have involved you in identity theft.”17

17 Federal Trade Commission: Credit Repair Scams. Retrieved from www.consumer.ftc.gov/articles/0225-credit-repair-scams

[Figure: “Synthetic Identity Fraud in the U.S. Payment System: A Review of Causes and Contributing Factors” figure, Federal Reserve, Payments Fraud Insights, July 2019.]


Fabricated SSNs are so common in synthetic identity fraud that ID Analytics estimates that nearly 40 percent of synthetic identities used a randomized SSN.18

The payments industry is vulnerable to synthetic identity fraud at each phase of the payments life cycle. The phases include enrollment, transaction processing, and reconciliation. Detecting at what phase the synthetic identity was used goes back to investing in people and not just machines. While there is software that can help sift through the CIP information entered to detect the obvious red flags, it will be employee talent that can take all the information from each phase to determine where and how the failure occurred.

Collaboration With Law Enforcement

Previously, BSA collaboration with information security was mentioned, and although it is great for a BSA department to foster relationships within the company, external relationships are just as important. Oftentimes regulators will ask during an exam about the fraud trends seen in your line of business by geographical area and if trends have been shared with local law enforcement. Collaboration does not necessarily mean picking up the phone or sending an e-mail to your law enforcement contacts. Collaboration can include networking at local industry chapter meetings or joining a local task force. Membership in a local task force or industry groups is not only a benefit to law enforcement and a necessity in carrying forth the mission of the U.S. Bank Secrecy Act, it’s also a great benefit for your payments business. Roundtable discussions and industry presentations can give you clear insight about fraud trends that could be plaguing your industry. Building your contacts list of various branches in law enforcement can help when fraud trends that need to be addressed are identified at your institution.

Collaboration between technology companies and law enforcement can help in the mission of BSA to fight crime. A report published by the Center for Strategic and International Studies recently outlined the challenges of law enforcement having access to technology data. In the report, recommendations are made for technology companies and law enforcement to work together in a streamlined process and for the need for technology companies to be engaged. “Continued and increased engagement by tech companies would help ensure that law enforcement knows where to go to request particular data, the range of data available, and how to appropriately tailor their requests. Moreover, there is a clear need for best practices and industry standards that new entrants to the market and smaller-scale providers can adopt as well.”19

18 Id:Analytics (March 2019). All synthetic identities are not created equal: Examining purported synthetic signatures. Retrieved from https://www.idanalytics.com/wp-content/uploads/2019/03/Synthetic-Identities-Are-Not-Created-Equal-Executive-Summary.pdf

19 William A. Carter & Jennifer C. Daskal. July 2018. Low-Hanging Fruit: Evidence-Based Solutions to the Digital Evidence Challenge. A Report of the CSIS Technology Policy Program. Center for Strategic and International Studies, Washington DC.


Birthing Tourism and Immigration Fraud

The following is an example of how BSA collaboration with law enforcement helped to build a case for illegal activity. In 2015, federal agents raided 37 locations in Southern California in an attempt to gather evidence for illegal activity related to birthing tourism businesses for wealthy Chinese families. In the past, only zoning laws were the primary legal tool against maternity hotels, as it was legal for pregnant foreigners to visit the United States and give birth while visiting. However, most recently in January 2019, federal prosecutors charged 19 people linked to Chinese “Birth Tourism” schemes. Three defendants were arrested and charged with conspiracy to commit immigration fraud, international money laundering, identity theft, and false tax returns.20 Law enforcement relies on BSA reporting of suspicious activity in order to identify and investigate crimes through FinCEN, which provides specialized analysis of BSA information filed by the nation’s financial industries.21

In the payments industry, scenarios that could potentially point to activity related to immigration fraud can include multiple payments made by one individual for further credit for services benefiting multiple individuals. Payment platforms used to pay rent, phone bills, and other service providers are susceptible to this type of activity occurring on their payment platforms. This type of transaction data is extremely valuable to law enforcement and can help with the missing pieces of data that traditional financial institutions cannot provide in subpoena requests.

FinCEN continues to recognize the importance of BSA reporting through the FinCEN director’s Law Enforcement Awards program, in which cases are recognized where BSA reporting is used to aid law enforcement in creating a financial trail for cases. FinCEN director, Kenneth Blanco states, “BSA data is an important part of our national security apparatus and how we protect the people of our nation from criminals, terrorists, and other bad actors. The successful prosecution of the cases recognized here today demonstrates that the information that financial institutions report to us through their BSA filings makes a difference in the lives of many people every day.”22

20 Department of Justice U.S. Attorney’s Office Central District of California. (2019, January 31). Federal Prosecutors Unseal Indictments Naming 19 People Linked to Chinese ‘Birth Tourism’ Schemes that Helped Thousands of Aliens Give Birth in U.S. to Secure Birthright Citizenship for Their Children.

21 FinCEN, Support of Law Enforcement. Retrieved from https://www.fincen.gov/resources/law-enforcement/support-law-enforcement

22 Remarks from Kenneth Blanco. FinCEN, Office of Public Affairs. (2019, May 16) FinCEN Holds Fifth Annual Awards Program to Recognize Importance of Bank Secrecy Act Reporting by Financial Institutions [Press Release].

PUT SIMPLY, UNLESS LAW ENFORCEMENT OFFICIALS ARE ADEQUATELY INFORMED ABOUT WHAT KIND OF DATA PROVIDERS HAVE AVAILABLE, THEY ARE NOT IN THE POSITION TO KNOW WHAT THERE IS TO ASK FOR – LET ALONE DETERMINE IF IT IS RELEVANT. (CSIS)


Recommendation Summary

In the beginning stages of product development, internal collaboration between compliance and product developers is a must. Compliance should serve as an advisor to development teams on identifying risks. Product development should include controls in the front end to mitigate risk at the main point of payment portal entry by the consumer. These controls can include velocity checks, address verification controls, IP address geolocation checks, BIN number comparisons, and implementing CAPTCHA technology. Controls at the front end protect the company and consumers from losses. Use reputable third-party vendors with knowledge of regulatory compliance as it pertains to your industry. Prior to launching a product, validate your data by building a test environment to ensure proper collection of data. Implement a strong cybersecurity program, and make sure that it is a collaborative effort between compliance and information security.

Maintain your new payments product and stay in compliance with ongoing monitoring of customer transactions with an automated monitoring software. Find the right AML/fraud monitoring software for your industry and needs. When choosing your monitoring software, make sure that the software is flexible in allowing for customization. Choose the right software provider who will continue to ensure that your business is successful by staying abreast of regulatory changes in your industry and investing in software enhancements to keep up with fraud trends and regulatory expectations. Validate information coming into your monitoring software, and fine-tune software to reduce false-positive alerts and capture fraud occurring at your institution.

Hire experienced talent and provide them with targeted learning opportunities in Fintech and the payments industry. Properly trained staff is an additional step in protecting your product and company from evolving trends in financial crimes. Collaborate with law enforcement by joining local industry meetings and local task forces aimed at preventing financial crimes. Work with law enforcement, and provide data as needed in a streamlined process. Be engaged in information requests from law enforcement and inform them on how to appropriately tailor their requests based on the data that is available at your institution.


Conclusion

Recently, at the 2019 International Association of Financial Crimes Investigators conference, Edmund Moy, who served as director of the United States Mint from 2006–2011, presented his 10 predictions on the future of currency. In the first prediction, regarding whether one form of currency and payment system will supplant all others, Mr. Moy stated, “Multiple forms of currency and payment systems will coexist, and consumers will choose the best option for each transaction.”23 He further explained that cash “is not going away” and that the physical U.S. dollar will simply decline as electronic and digital transactions’ market shares continue to grow. According to his eighth prediction, with the growth in electronic transactions, cyber fraud will also be increasing.

Cyber fraud is here to stay and will be constantly evolving. Businesses will need to continue to make investments to combat the fraud both in their systems and people. Successful businesses will have to find the right balance of being innovative while protecting their customers from risk. Customers want convenience; however, at the end of the day, they want to trust that your business is keeping their information secure. Experian recently stated, “Industry leaders that foster consumer trust may be the most well placed to seed more advanced tools.”24

Businesses that protect their consumers are also simultaneously protecting their business. Although online fraud has become more prevalent as the world moves from traditional financial products and services to online financial service providers, transparency is key. Businesses need to be transparent in the type of personal data that is collected and how it is used to foster customer trust. Protecting the customer will in turn protect the business. Negative news can hurt the reputation of a business and can also result in regulatory fines for failures in something like customer data protection. How an institution handles fraud and protecting the consumer is something that regulatory agencies will be looking at. Placing compliance at the forefront of product development and implementation will provide strength and stability in an ever-changing Fintech and regulatory climate.

________________________________________

23 Edmund Moy, “The Future of Currency: 10 Predictions” (speaker, 2019 IAFCI Annual Training Conference, Raleigh, NC).

24 Experian, 2019 Global Identity and Fraud Report. (January 2019). Customer Trust: Building Meaningful Relationships Online.


References

Articles, Reports, and Presentations

Anthony, B. (lead) (2018). On-ramps, intersections, and exit routes: A roadmap for systems and industries to prevent and disrupt human trafficking. Polaris. Retrieved from https://polarisproject.org/a-roadmap-for-systems-and-industries-to-prevent-and-disrupt-human-trafficking

Blanco, K. (remarks) (2016). FinCEN holds fifth annual awards program to recognize importance of bank secrecy act reporting by financial institutions [press release]. FinCEN, Office of Public Affairs. Retrieved from https://www.fincen.gov/news/news-releases/fincen-holds-fifth-annual-awards-program-recognize-importance-bank-secrecy-act

Carter, W.A. & Daskal, J.C. (2018). Low-hanging fruit: Evidence-based solutions to the digital evidence challenge. Center for Strategic and International Studies (CSIS), Washington DC. Retrieved from https://csis-prod.s3.amazonaws.com/s3fs-public/publication/180725_Carter_DigitalEvidence.pdf

CSBS.org (2017). The emerging payments and innovation task force. CSBS. Retrieved from https://www.csbs.org/emerging-payments-and-innovation-task-force

id:analytics (2019). All synthetic identities are not created equal: Examining purported synthetic signatures. Retrieved from https://www.idanalytics.com/wp-content/uploads/2019/03/Synthetic-Identities-Are-Not-Created-Equal-Executive-Summary.pdf

Moy, E. (2019). The future of currency: 10 predictions. 2019 IAFCI Annual Training Conference, Raleigh, NC, August 26, 2019.

New York Department of Financial Services (2018). Consent order under New York banking law § 39 and 44: Western Union Financial Services, Inc. Retrieved from https://www.dfs.ny.gov/docs/about/ea/ea180104.pdf

Peterson, B. (2019). Fighting fraud in a fintech world. Experian. Retrieved from http://www.experian.com/blogs/insights/2019/02/fighting-fraud-fintech-world/

PwC (2018). Pulling fraud out of the shadows: PwC’s global economic crime and fraud survey 2018. Retrieved from https://www.pwc.com/fraudsurvey

Pymnts.com/Green Dot (2019). Where will we bank next?: Consumer choice and banking services in the digital age. Pymnts.com. Retrieved from https://www.pymnts.com/wp-content/uploads/2019/04/WhereWillWeBankNext-April-2019.pdf

The Federal Reserve (2019). Synthetic identity fraud in the U.S. payment system. Payments Fraud Insights, July 2019.

United States Attorney’s Office: Central District of California (2019). Federal prosecutors unseal indictments naming 19 people linked to Chinese ‘birth tourism’ schemes that helped thousands of aliens give birth in U.S. to secure birthright citizenship for their children [press release]. United States Department of Justice. Retrieved from https://www.justice.gov/usao-cdca/pr/federal-prosecutors-unseal-indictments-naming-19-people-linked-chinese-birth-tourism

Vilinus, T.Z. (remarks) (2019). Balancing Fintech opportunities and risks [press release]. EIN Newsdesk. Retrieved from https://www.einnews.com/pr_news/487574479/balancing-fintech-opportunities-and-risks

Statutes and Guidance

Financial Crimes Enforcement Network (FinCEN) and U.S. Department of the Treasury/Internal Revenue Service (2008). Bank secrecy act/anti-money laundering exam manual for money service businesses. Retrieved from https://www.fincen.gov/sites/default/files/shared/MSB_Exam_Manual.pdf

New York State Department of Financial Services (2017). 23 NYCRR 500: Cybersecurity requirements for financial services companies. Retrieved from https://www.dfs.ny.gov/docs/legal/regulations/adoptions/dfsrf500txt.pdf

United States Congress (2019). Bank Secrecy Act (BSA) Regulation: CFR Chapter X §1022.21031 – Anti-money laundering programs for money services businesses. e-CFR. Retrieved from https://www.ecfr.gov/cgi-bin/text-idx?SID=9bd185e43e8c6b2ef75acbb2e228806d&mc=true&node=se31.3.1022_1210&rgn=div8

International Agency Publications

CSBS (2017). The emerging payments and innovation task force. CSBS.org. Retrieved from https://www.csbs.org/emerging-payments-and-innovation-task-force

Demirgüç-Kunt, A., Klapper, L., Singer, D., Ansar, S., & Hess, J. (2018). The global findex database 2017: Measuring financial inclusion and the fintech revolution. The World Bank. Retrieved from http://documents.worldbank.org/curated/en/332881525873182837/The-Global-Findex-Database-2017-Measuring-Financial-Inclusion-and-the-Fintech-Revolution

Financial Stability Board (2019). FinTech and market structure in financial services: Market developments and potential financial stability implications. FSB.org. Retrieved from https://www.fsb.org/wp-content/uploads/P140219.pdf


Online Resources

Federal Trade Commission (n.d.). Credit repair scams. Federal Trade Commission Consumer Information. Retrieved from https://www.consumer.ftc.gov/articles/0225-credit-repair-scams

Financial Crimes Enforcement Network (FinCEN) (n.d.). Support of law enforcement. Retrieved from https://www.fincen.gov/resources/law-enforcement/support-law-enforcement

Krebs, B. (2014). Peek inside a professional carding shop. Krebs on Security. Retrieved from https://krebsonsecurity.com/2014/06/peek-inside-a-professional-carding-shop/

Infintech (2019). Carding: Fraud that impacts merchants. Innovative Financial Technologies, LLC. Retrieved from https://www.infintechllc.com/carding-fraud-that-impacts-merchants/

Wikipedia (2019). Fintech. Accessed July 19, 2019. Wikipedia.org. Retrieved from https://en.wikipedia.org/wiki/Financial_technology