Instant payments: Enormous Potential versus Financial Crime Risks

Instant payments: Enormous Potential versus Financial Crime Risks

   

The world of banking continues to evolve at a breathtaking pace and is becoming ever more competitive. Once a new technology has come to market, banks are faced with a dilemma: do we embrace it and run with it, or do we let our competitors gain a first-mover advantage? Delay implies a commercial risk. But the operational and compliance risks that you take on as a first mover may be even greater.

Given the harmonisation of national payment systems across regions, the focus has shifted to international payments and to improve the overall user experience like speed, cost, reliability and traceability. Therefore, payment processors today are seeing some major developments, with new tools appearing such as SWIFT’s gpi and SEPA’s instant payment. These instant cross border payment initiatives are a prime example of what will become the norm in payments.  

The rapid pace of digitalisation of payments brought growing market pressure which have led cross-border payments to undergo significant infrastructure modernisation. The overall trend in digital transactions which are increasing at 6% per year alone in Europe. Total number of traceable transactions in Europe increased from 2013 to 2017: from 113B in 2013 to 144B in 2017 (+27,4%; CAGR +6%)

Number of Digital Payments: Global E-Payments increased from 28,6B in 2013 to 56,5B in 2017 (CAGR: 18,6%); Global M-Payments increased from 24,6B in 2013 to 70,4B in 2017 (CAGR: 30,1%)

Banks that offer this service will gain a competitive advantage over banks that don’t provide it. Clients want their payments to be processed quickly because for them it increases efficiency, transparency, convenience, and financial control. For small and medium-sized companies, this form of payment processing helps alleviate liquidity stress and counter party risk. And, in general, people have grown accustomed to things moving fast, so they have little patience and understanding when payment processing is slow.

Instant payment allows sellers and buyers to exchange money and purchase services in seconds. Funds are received in the payee bank account almost immediately, instead of requiring few business days. That can make a significant difference to a small business’s cash flow, in particular, and it means less time spent waiting for money to clear from the buyer’s point of view. Fast transactions are a common requirement in the new economy, especially with increased mobility: the current generations of customers (so-called millennials and beyond) want to be able to make payments anytime, anywhere, using their mobile devices.

So, what’s not to like about instant payment?

Well, quite a lot, actually. Instant payment processing makes it more difficult to detect financial crimes like money laundering and financial fraud. Criminals want to move money as quickly as possible through a number of accounts at different international banks to disguise the origin of funds. There is no faster way to do this than with instant payments. How can a bank possibly detect money laundering activity in a real time world when transaction monitoring is conducted in a batch process needless to mention the more complex criminal activity?

The Bangladesh Bank heist is a perfect illustration of the future complexity involved in monitoring instant payments.

From the $ 81 million stolen from the Bangladesh Bank in February 2016 only $ 15 million has been recovered and there is still no word on who was responsible. Cyber attackers illegally transferred US$ 81 million from the Central Bank of Bangladesh (CBB), to several fictitious bank accounts around the world, by subverting their SWIFT accounts. The hackers used the SWIFT credentials of the CBB to send dozens of fraudulent payments to fake accounts in the Philippines, and other Asian banks. This was without questioned a well-planned attack that used time differences and regional holidays brilliantly.

How will current anti-money laundering systems work in a world of instant payments?

Its difficult enough for financial institutions to monitor against money laundering violations when it takes three to five days for a transaction to be cleared, or at best overnight. With instant payment, the near-impossible becomes totally impossible using conventional methods as transactions clear in a matter of milliseconds. By conventional, we mean here rule-based approaches, where suspicious transactions are put in a queue and investigated in batch mode.

Even in a world operating in batch, traditional AML systems generate too many false positives (typically between two and 15% of all transactions) and therefore imposes a huge workload on banks and investigators.

Number of Suspicious transactions reported to UIF: +51% (’12-16), from 67K in 2012 to 101K in 2016

With instant payment, this problem is greatly increased because banks are under pressure from customers and consumers to clear transactions as quickly as possible in order to meet the agreed level of service.

Transaction monitoring systems built on current technology and based on machine learning offers the only credible answer. By creating algorithms that learn from past results with the expertise and knowledge of AML compliance officers, the system learns to identify false positives, and compliance officers can focus on alerts where there is a higher probability that money laundering is actually occurring.

Another technology-based approach that has been developed recently, called visual mapping, provides insights into how instant payments are moved around. Suspicious payments can be tracked as they move between bank accounts, regardless of whether the payment amount is split between multiple accounts, or those accounts belong to the same or different financial institutions. The software creates a visual map of where and when money has moved, providing new insights and intelligence for fraud and compliance teams to take action.

By bringing together transactional data from multiple financial institutions and running sophisticated algorithms, such solutions can identify the so-called “mule accounts” that are used for money laundering and other illegal activity. Many of these accounts are not set up directly by the criminals themselves but via a number of scams including phishing, spam email, instant messaging etc.

It is worth pointing out that while technology is a necessary condition for successful AML compliance in the new world of instant payment, it is not a sufficient condition. In addition, financial institutions will need to review their compliance procedures and their service offerings to strike the optimum balance between competitiveness and security.

What should be the upper threshold for an instant payment?

Should they give priority to VIP and profitable customers when reviewing suspicious transactions? What about social and political issues? (For example, Muhammad is the world’s most common name, and also appears a lot on sanctions list. But that also means a significantly large number of false positives, which could lead to claims of unfair profiling.) And finally, even with advanced technology and effective redesign of processes and procedures, banks may still need to increase their staffing in order to meet the challenge. They need to ensure that they have enough staff with sufficient knowledge and authority to be available to review transactions quickly.

Some banks have offshored or outsourced simple customer due diligence functions to keep pace. That said, the trend is definitely towards investment in more technology. As a recent article in The Economist put it, “Now, the biggest question for bank controllers is how many humans they can replace with bots without compromising compliance […] Banks are going into partnership with some of the hundreds of ‘Regtechs’ that have sprouted in recent years.” Technology must be a large part of the solution, but banks will just need to take care and seek expert independent advice in reviewing the new Regtech apps: the regulators and the markets will penalize them should their techno-experiments fail.[1]

For more articles on financial crime and Anti-Money Laundering join the AML Knowledge Centre at https://www.linkedin.com/groups/8196279/


[1] “The past decade has brought a compliance boom in banking”, Economist 2 May 2019.

The Cryptoexchange Poloniex implements new KYC rules

The Cryptoexchange Poloniex implements new KYC rules

Over the weekend, Circle-owned Poloniex exchange froze a slew of user accounts in the midst of implementing a new know your customer (KYC) verification process.

Legacy account users, those whose accounts were verified under Poloniex’s old guidelines, reportedly received emails from Poloniex support requesting that they comply with the new verification method. The email asks that each legacy account provides “a verification photo…as well as a photo of a valid government-issued ID card or passport.” Each account holder has 14 days to complete the verification, under which time account functions will be suspended.

Community members took to a variety of social media to vent their frustrations over the change in KYC policy and subsequent account limitations. Many legacy account holders complain that they were blindsided by the developments, further lamenting that, even after complying with the new verification, their accounts were still frozen.

“They are not giving us ANY time to move funds, its [sic] already frozen, and verification is not working for most!”, Reddit user danglingpiledriver complains on the r/Poloniex subreddit. “They said the following in December, yet never gave us the exact date. its [sic] locked NOW without warning: “The exact date for this deadline will be announced in Q1 2018. While you will be given advance notice before this requirement goes into effect, we encourage you to verify your legacy account now…’”, the post continues.

The Reddit user is referring to a press release Poloniex posted at the end of December 2017 that alerts its customers to the KYC change. After an announcement in Q1 of this year, the release states, customers will be expected to comply with the new KYC policy. Among other suspensions, the release indicates that users who fail to verify their accounts by the announced deadline will have their trading privileges revoked and deposit addresses barred. But it also promises that “[withdrawals] will remain enabled at the daily withdrawal limits prior to the deadline.”

Moreover, it claims, “[if] at any point you verify your legacy account, full functionality will be restored and your daily withdrawal limit will be increased to $25K USD equivalent.”

Problem is, some account holders claim that they didn’t receive an email or warning like Poloniex promised, and as the widespread account freezes indicate, Poloniex also failed to uphold its promise to keep accounts and withdrawals fully-functional in the interim.

“Please rest assured that your funds remain safe and accounted for while you complete this process – you can verify your holdings on the Balances page of your account throughout,” the release reads.

“Like all registered money services businesses, Poloniex is committed to compliance with all applicable law requiring identification and verification of its customers. If you have any further questions about the identity verification process and steps required, please reach out to our support team here.” it concludes.

As the last quote reveals, the KYC change is likely Poloniex’s attempt to appear more legitimate to US government officials under existing money services laws. Acquired by Goldman Sachs-backed Circle earlier this year, this could be Poloniex’s attempt to show institutional investors that it’s willing to step up to the regulatory plate.

At press time, Poloniex exchange had not responded to CoinCentral’s request for comment.

 

This article was originally published at Coincentral: https://coincentral.com/poloniex-implements-unannounced-kyc-freezes-legacy-accounts/

 

“Top Misconceptions of Cryptocurrency as a Payment System”

 

Which can be read on Amazon Kindle Unlimited for Free  You can find more interesting articles by visiting us on one of the following platforms: AML Knowledge Centre (LinkedIn) or Anti-Bribery and Compliance at the Front-Lines (LinkedIn)

 

Digital Money – A Perfect Storm is Brewing

Digital Money – A Perfect Storm is Brewing

The new normal

With the rapid advancement of mobile technologies, the internet is now accessible from everywhere. This has had a positive impact on the development and penetration of mobile devices. Today mobile subscriptions already outnumber the world’s population, as underpinned by Statista “Chart of the Day”. The proliferation of mobile devices has spurred the use of mobile banking apps and cryptocurrency. By and large, this innovation in mobile banking and cryptocurrency is altering both the way people want to interact with their financial service providers and the payment industry. With new regulation such as Payment Services Directive (PSD2), the European Union has set the rules for open-banking allowing FinTechs access to systems and customer data of traditional financial institutions. The potential benefits of open banking include enhanced customer service even for underserved markets, new revenue streams, and improved margins. With that said, mobile wallets, open banking, and cryptocurrency offer consumers a lot of choices along with real-time information at every touch point to complete a transaction on the spot 24/7.

Former Harvard Business School professor Theodore Levitt stated, “People don’t want to buy a quarter-inch drill. They want a quarter-inch hole.

While this presents major opportunities for financial institutions, Fintechs, and consumers it places a lot of responsibility on those tasked with keeping a financial institution from being compromised by cyber-attacks or used as a vehicle to launder money, it’s a spawning headache.

There’s a Perfect Storm Brewing

While running through the train station in Frankfurt, Germany, I noticed all the monitors were out causing me and hundreds of passengers to miss our scheduled trains. WannaCry, quickly infected more than 200,000 businesses in 140 countries locking computers until a ransom is paid. Already, Bitcoin exchanges witnessed some devastating cyber attacks, leaving many of these exchanges with no option but to file for bankruptcy. According to a report by Imperva Incapsula titled “Q3 2017 Global DDoS Threat Landscape.” Digital currency operators and Bitcoin exchanges are already the most common targets of distributed denial of service (DDoS) attacks. Also, the report cited that three out of four Bitcoin sites were victim of DDoS attacks in the third quarter of 2017 alone. Since 2011 to December 2017, there have been at least 30 heists at cryptocurrency exchanges. No one would argue that Bitcoin holders have suffered the most, in fact, It is estimated that more than 900,000 Bitcoins have been stolen with a potential value of $ 6.3 billion as of Dec 2017. In all fairness to cryptocurrency exchanges, traditional financial institutions have also been preyed upon by cyber attackers. For example, the Carbanak campaign and Bangladesh Bank are two cases highlighting the sophistication of cyber-criminals and the vulnerability of traditional financial institutions. After the Carbanak malware was installed, it set on the bank’s computer systems for months, sending back vital information about how the bank carried out business critical tasks. This international group of hackers was then able to successfully impersonate bank officers and carry out internal procedures at over 100 banks around the world. With complete control of mission-critical systems, they managed the transfer of millions of dollars from banks in Russia, Japan, Switzerland, the United States and the Netherlands into fake bank accounts set up in other countries. It might never have been detected if not for a video surveillance camera filming an ATM machine in Kiev. An ATM was filmed as it started dispensing cash, right before the pickup person walked in at midnight, and this was no isolated event. It was reported that over 100 banks around the world compromised to the sum of $900 million USD. 77 percent of the CEOs that participated in a Gartner survey, across the globe, stated that they see digital business bringing new and increased levels of risk to their organizations. Once upon a time, cybercriminals focused their efforts on PCs. However, with the average user spending about 5 hours per day on a mobile device, with roughly 70 % of those smartphone devices not having an anti-virus program installed on them, sensitive data (e.g. contacts, passwords, emails, documents, photos, etc) is exposed to potential cyber threats. Therefore, we have witnessed a sharp increase in new mobile malware, because criminals like to take the path of least resistance.

Risks of the Internet of Things

With that said, the “Internet of Things” is driving the interoperability of physical devices, vehicles, home appliances, and other items such as electronics, software, and sensors, which enables these objects to connect, and exchange data. Online capable devices increased to 8.4 billion in 2017 and by 2020 experts estimate 30 billion objects with a global market value of $7.1 trillion. Nokia Threat Intelligence Report – 2H 2016 believes that more than 100 million devices worldwide have been infected by malware, including mobile phones, laptops, notepads and a broad range of IoT devices. Also, the Nokia Threat Intelligence Report stated that smartphones were more often targeted, accounting for 85 percent of all mobile device infections and smartphone infections increased 83 percent during July through December, compared to the first half of the year. According to Check Point mobile threat researchers, financial institutions the custodians of customer’s money and data are a much sought-after target for cyber attacks. Malware Attacks By Industry:

                                                         Source: Check Point Mobile Cyber Attacks Impact Every Business November 2017. With the number of mobile devices already infected with malware and the connectivity of devices expands cybercriminals will have more routes to target than ever before.   Therefore, it should not be hard to imagine an attack whereby cybercriminals are able to infiltrate a financial institution’s systems or other businesses via the coffee machine, smartphone, refrigerator or through the wearable digital health device of an employee. Written by Paul Hamilton  

“Top Misconceptions of Cryptocurrency as a Payment System”

  Which can be read on Amazon Kindle Unlimited for Free  You can find more interesting articles by visiting us on one of the following platforms: AML Knowledge Centre (LinkedIn) or Anti-Bribery and Compliance at the Front-Lines (LinkedIn)

Follow the Money – Has Cryptocurrency Rendered this Adage Useless?

Follow the Money – Has Cryptocurrency Rendered this Adage Useless?

Cybercriminals predate the use of cryptocurrency

Indeed, editorial stories like this one “Bitcoin Gains Value Due to Criminal Use [Only], writes a Forbes Columnist” has influenced many into believing that cryptocurrency is only used by cybercriminals, organized crime and terrorist on the darknet. Before cryptocurrency, victims were informed to transfer ransom money by mailing cash through a money transfer operator (MTO). The pick-up person using fake documentation would take possession of the victim’s cash, leaving no trace of their real identity.   Victims of the WannaCry ransomware attack, in May 2017, received a simple message informing them to send $300 worth of bitcoin to this address if they want to see their data again.     Criminals continue to evolve by exposing any method or means available to them including technology. However, using cryptocurrency doesn’t put criminals out of law enforcement’s reach. On the contrary, as soon as a cryptocurrency is spent, the forensic trail begins. This is an excerpt from the book Cryptocurrency Modern Day Payment System or Uncalculated Risks? Which can be read on Amazon Kindle Unlimited for Free 

The Forensic Trail Begins

Maybe, law enforcement panicked in the beginning, but they have adapted to cryptocurrency and their blockchain technology. Granted, cryptocurrency transactions themselves are not tied directly to anyone’s identity, but every transaction uses a unique string of letters and numbers 1Ez69nzzmePmZX3WpEzMKTrcBF2gpNQ55, that recognize the destination of both sender and receiver. These unique strings of letters and numbers give law enforcement enough information to follow transactions on a blockchain and eventually to a recipient’s e-wallet. More importantly, than the information itself is that all of a blockchain’s data is traceable, permanent, immutable, reliable and available to everyone who wants to see it.   Therefore, that line “follow the money” made famous in the 1976 motion picture “All the President’s Men” is as true today as it was then. Not only a digital time stamp but a digital witness!

Techniques and Tools

Like criminals, law enforcement has adapted to these new technologies developing new techniques and tools to follow and identify cyber attackers, even on unused addresses. Agents monitor blockchains and the darknet looking for correlations across transactions and their attributes such as:
  • Timelines
  • Amounts
  • Domain names
  • IP and email addresses
  • Pseudonyms
  • Payments
  • Connections
  • etc.
Upon detecting any conspicuous activity or transactions on a blockchain or on the darknet, law enforcement will start investigating. In the hope of finding similarities that will give them vital clues in both new and unsolved cases. Therefore, agents comb through thousands of registered cases at the IC3 (Internet Crime Complaint Center). For example, in cases that involved ransomware, if a ransom was paid by registered victims, law enforcement can search for connections between the recipient’s wallets to generate a list of wallets associated with the same entity that issued the ransom demand. At the same time, new addresses are constantly checked against cases in the FBI’s case management system that are currently being worked on. For example, another agent might have already come across these addresses in association with another crime. For instance, someone who sold remote desktop protocol (RDP) credentials on the darknet for accessing third-party computers from anywhere in the world.   This analysis can lead agents to exchanges, e-wallets, and even gambling sites, on which law enforcement could serve a subpoena to learn more details on the transactions and the account owners. Once the payment recipient is identified, the investigator will have a confirmed IP address, location as well as a criminal profile, potentially linking a suspect to other criminals and crimes.    

Consider this before Going the Extra Mile

For those, individuals willing to go the extra mile to cover their tracks. The market is saturated with unlawful businesses offering alternative entry points and mixing services to help users improve the anonymity of their cryptocurrency transactions. Likewise, there are cryptocurrencies like Monero (XMR), DASH (DASH), and ZCash (ZEC) that offer users an extra layer of privacy by applying zero-knowledge proof or a built-in mixing process as is the case with DASH. Granted, the options for concealing one’s identity are endless and as a result, it makes life harder for law enforcement to follow or tie a transaction to an individual, but not impossible! Before deciding to use an alternative entry point or a coin with zero-knowledge proof to hide one’s identity here are some things to consider:
  • Cyberattacks and insider fraud are not uncommon events at legitimate cryptocurrency businesses. I can’t imagine that an unlawful business would be a better custodian for someone trying to hide the source of their money.
  • A majority of businesses operating unlawfully are already on law enforcements’ radar and a subpoena can be issued at any time.
  • A business offering unlawful services can also be a setup by law enforcement.
  • Mixing is more vulnerable to Sybil attacks.
  • Mixing is not immune to forensic technology so there is always a real chance that investigators can link the coins back to the original address.
  • Mixing needs at least two people, therefore you are helping someone to launder their money
  • What if, after mixing, you receive coins that were involved in a crime and law enforcement traced them to you. Likely outcome these coins will be confiscated and you might require expensive legal counseling to avoid criminal charges.
  • Let’s not take our eyes off the main players in the industry. Miners confirm valid transactions. Also, 50 percent of the hashpower is controlled by a handful of miners. Government agencies can always apply pressure to these miners as witnessed in China.  
  • Coins that claim to offer total privacy all have their own nuances and if not used accordingly can jeopardize any chance of anonymity. For example, take Monero it offers users full anonymity as long as it is used on its blockchain. Also, many are relatively new ICOs, therefore, the bugs haven’t yet been identified.   
  • It’s only a matter of time before the crypto-industry is regulated and it’s probably safe to say that holders of  coins offering total anonymity will be penalized.
  • Unfortunately, for bad actors, the flow of sending and receiving data through these cryptocurrency networks are not well-coordinated events. Therefore, anyone monitoring a network will be able to immediately recognize when a transaction is sent out and map it to that IP address as the owner of that cryptocurrency. Also, when a massive number of transactions are sent from a single source, it’s only a matter of time before the addresses are unwound and mapped to their proper IP addresses.
Furthermore, any serious exchange or wallet service will conduct a thorough Know Your Customer (KYC) on every new account as part of their onboarding process. That means linking personal identity to your wallet and to your bank account. Recently, Circle-owned Poloniex exchange froze a slew of user accounts in the midst of implementing a new know your customer (KYC) verification process. Legacy account users, those whose accounts were verified under Poloniex’s old guidelines, reportedly received emails from Poloniex support requesting that they comply with the new verification method. The email asks that each legacy account provides “a verification photo…as well as a photo of a valid government-issued ID card or passport.” More on the Poloniex exchange story can be found at coincentral or click here Even the smartest criminals get careless and blockchain technology continues to be a bonafide weapon for combating and prosecuting crimes. Written by Paul Hamilton  

“Top Misconceptions of Cryptocurrency as a Payment System”

  Which can be read on Amazon Kindle Unlimited for Free  You can find more interesting articles by visiting us on one of the following platforms: AML Knowledge Centre (LinkedIn) or Anti-Bribery and Compliance at the Front-Lines (LinkedIn)

By continuing to use the site, you agree to the use of cookies. more information

The cookie settings on this website are set to "allow cookies" to give you the best browsing experience possible. If you continue to use this website without changing your cookie settings or you click "Accept" below then you are consenting to this.

Close