This interview was originally posted on the goEmerchant Blog
Ron Teicher is founder and CEO of EverCompliant, a cyber intelligence company, and leader in transaction laundering detection and prevention. Today, EverCompliant serves some of the world’s largest financial institutions and has been expanding its operations in Asia and the U.S., after raising an additional $9.5 million dollars from investors in December last year. Before EverCompliant, Ron led the compliance product initiatives at Watchfire, (acquired by IBM). With degrees in law and business, he frequently speaks at payment and fintech events.
Q: Ron, during one of your many lectures, you said that the e-Payments Industry is experiencing what you call “the digital evolution of money laundering.” You estimate the extent of Transaction Laundering to reach $352B worldwide and $159B annually in the US alone. These are alarming figures. Criminals who abuse merchant accounts to process card payments for their illegal products or services are threatening legitimate e-commerce and merchant acquirers. In December 2016, there were over 500,000 illegal shops online. What makes Transaction Laundering (TL) so hard to detect?
Ron Teicher: Transaction Laundering (TL) is the digital evolution of money laundering. This form of fraud is spreading quickly, often undetected by Merchant Service Providers (MSPs), payment processors, acquiring banks, payment facilitators, and market places. Transaction launderers essentially tap into the payment ecosystem by using an e-commerce storefront merchant account to process transactions originating elsewhere. This way, the fraudulent merchants can funnel unauthorized transactions through legitimate payment networks, while avoiding detection. These extended networks of unreported, hidden, and often illegal websites are thus linked to MSPs’ payment networks. These websites may include unlawful content such as illegal pharmaceuticals, gambling, trading in drugs or weapons, and more. At the same time, they can be used as a tool for layering activities and unauthorized cross-border transfers.
The problem is that the expanding digital world isn’t being monitored meticulously. Anti-Money Laundering (AML) and Know-Your-Customer (KYC) procedures are not designed to check the endless stream of data of the digital realm. As such, without the right measures in place, Transaction Laundering can be very hard to detect.
The amazing advance of technology brought the world immense capabilities and created a boom in online commercial activity, made available to millions of online shoppers, yet it left risk management controls behind. This proliferation of payment platforms, combined with the micro merchant movement and the ease of setting up an online business has created a new layer of complexity and an unmanageable data overload that makes it difficult for MSPs to filter out fraudsters. E-Commerce offers fraudsters lucrative opportunities to engage in undetected criminal activity. It has become increasingly complex for MSPs and PSPs to control the transaction flow.
Q: The CNP Payments industry categorizes online merchants into low-risk and high-risk, depending on their type of business, volume of chargebacks, financial stability, and more. What makes low-risk merchants (i.e. bookstores, food stores, household appliance stores) especially vulnerable to transaction laundering?
Ron: MSPs have unique methodologies which include allocating risk scores to the merchants they engage with. The risk score is based on multiple parameters, such as a merchant’s KYC profile, financial background, volume of chargebacks, the Merchant Category Code (MCC), checks against external databases, etc.
The problem is that fraudsters have studied these methodologies. When setting up a shell e-commerce website with the sole intention of using it as a mule for transaction laundering purposes, the fraudster will make sure that the merchant’ s business will be categorized as low risk. By hiding behind low-risk businesses, fraudsters manage to stay under the radar and avoid the monitoring and scrutiny high-risk merchants are subjected to. This makes low-risk businesses especially vulnerable to Transaction Laundering. The MSPs and PSPs don’t suspect them because their business appears legitimate and their customers are happy. As experts in TL, we warn MSPs and advise them to shift their strategy and apply strict Risk Management procedures to analyze and monitor high-risk as well as low-risk business.
Q: Even though merchant acquirers have integrated Enhanced Due Diligence (EDD) and risk management processes as required by compliance rules and regulations, you still estimate that a part of their merchant portfolio may be contaminated by transaction launderers. Could you explain?
Ron: AML/KYC teams apply complex and thorough Enhanced Due Diligence processes and procedures to mitigate risk. However, they’ve been focusing on the physical, offline aspect of their corporate customers, while ignoring the many digital aspects of their clients’ identities. At the same time, their clients have become virtual entities, which handle most of their business in cyberspace. These digital online identities may differ a lot from their physical shadows. The more traditional customers will have a minimal digital profile, possibly consisting of nothing more than a website and an email domain. Other customers’ profiles are almost entirely online. Their offline, physical identity consists only of a minimal connection to the real world. E-merchants and online marketplaces are great examples of such ‘digital-only’ entities.
Current Enhanced Due Diligence procedures are rarely designed to check for endless related information available online – text, email addresses, phone numbers, URL references, content images, payment pages, personal and corporate names, multiple languages, and diverse currencies. Therefore, it’s not difficult for representatives of corporate accounts to hide, inadvertently or on purpose, information that would put their corporate entity at risk. For example, a corporation could present documents proving that it is registered in the United States and yet have a foreign telephone prefix on the Contact Us Page of its website. It may be hosted in a 3rd country, with connections to more countries that aren’t even supposed to do business with the U.S.
Given all these unknown risks that are hiding within the financial services customers’ portfolios, MSPs should be enhancing their processes to include the digital realms of their customers in their onboarding and risk procedures.
Q: In the financial industry, we see a shift from process-driven to data-driven due diligence. In which way is ‘smart-data’ analysis part of EverCompliant’s risk management software solution?
Ron: This is our bread and butter; we are a cyber intelligence firm, first and foremost. The ‘smart data’ analysis of our software is using cyber intelligence techniques, with layers of machine learning based classification, automated processes, and ongoing monitoring. It’s almost impossible for the financial industry to detect TL without such tools, and we believe we are the pioneers in applying these tools to this problem. The amount of data that needs to be constantly gathered and analyzed to uncover hidden merchants is so vast that manual methods are no longer sufficient. EverCompliant’s cyber intelligence tool provides reliable, automated technology that provides a broader picture about MSP’s portfolios and their full online relationships with other activities. MSPs need to start utilizing new, ‘smart’ technologies. Data collection qualification and analysis can complement the MSPs manual effort to make better-informed decisions about their merchants.
Q: Besides criminals, transaction laundering also provides terrorist organizations with a great source of income to finance some of their bloodiest attacks. Could you explain to us why Counter Terrorist Financing (CTF) units are particularly concerned about the rise of transaction laundering?
Ron: According to the FATF report, “Emerging Terrorist Financing Risks,” electronic, online and new payment methods are gaining popularity, as they can be accessed globally to transfer funds quickly. In the case of Transaction Laundering, the washing ‘machine’ is a virtual one — the cyber, e-commerce world itself. Criminals can easily set up websites, through which they sell high-risk items such as diamonds, and then process payments from these sites by routing them to legitimate-looking, registered as low-risk online stores (i.e. marketplaces, restaurants, supermarkets, toy stores, etc.) In other cases, criminals who conduct TL, sell illegal goods on credible, global marketplaces, as described in the case above.
In some cases, they may not sell anything at all. For example, they can use prepaid cards to purchase on e-commerce sites, have the merchant account pay its beneficiary, and by that move money, undetected and cross-border.
There are four ways in which AML regulations can be breached via the usage of TL:
- Selling illegal goods and booking them as legitimate ones. This is textbook ML.
- Selling high-risk goods and booking them as low-risk ones.
- Selling “nothing,” shopping without shipment as means to move money around, so-called layering activities.
- Using the sales of illegal goods to finance terror.
AML officials and institutions need to expand their awareness of this AML ‘blind spot’ and look into the proliferation of Transaction Laundering, the new digital ML. For more information about the connection between Transaction Laundering and Terrorist Financing, I refer to my Finextra interview.
Q: Are international regulators aware enough about the lethal threats posed by transaction laundering and are they taking the proper measures?
Ron: In our view, and we need to be careful here, international regulators may not be fully aware of the extent of this issue, and as a result, are not taking sufficient measures to combat it. TL is a significant and growing problem within the payment industry. This means that it’s urgent for the industry to be more agile and efficient than the fraudsters. We estimate the extent of TL to reach $155B annually in the US alone, i.e. up to 10% of the total ML estimates, and as we speak, these alarming figures are growing.
Q: Do you see any difference between Europe and the USA regarding their regulatory awareness about the urgency of legislation to counter TL threats and do you have some suggestions when it comes to preventive measures?
In the US, the increasing number of FFIEC and CFPB examinations suggests that regulating authorities are taking the problem seriously. The same could be said of EMEA’s release of PSD2 and its enhanced security requirements. However, it is our view that regulators in both regions have not yet developed adequate regulatory frameworks to prevent transaction laundering. We see that existing AML policies and protections largely originate from the most invested players – card schemes and cooperating banks.
With regards to preventative measures, I recommend education, awareness, and training and the use of a dedicated cyber intelligent-based software solution. Furthermore, we advise MSPs including Acquirers, PSPs and Payment Facilitators to expand their focus from high-risk to include low-risk merchants. Pay extra attention to new threats targeting mobile commerce and last but not least; industry collaboration is critical. There shouldn’t be competition in matters that concern compliance.