What Mobile Payment Providers and Regulators Need to Prevent AML/CTF Risks

Every day, we read about a financial institution appearing on the regulator’s radar. On a weekly basis, we hear about a reporting entity (financial or non-financial institution) being subject to local or international investigations for being misused in a financial crime. In a perfect world, we would not be notified by a friend or by a monthly newsletter about an institution that has been fined for lack of money laundering preventative measures. What’s confusing is: what about the mobile payment providers? Are they compliant enough with local or international regulations? Do they have rigorous Know Your Customer policies and Enhanced Due Diligence procedures? Like me, you may think money launderers or terrorist financiers do not target them yet!

For many years, this sector was forgotten during the global war against money laundering and terrorist financing. While we may agree with the priority given to bigger sectors like banks and other financial institutions, we must admit that launderers are always a step ahead in seeking out new and less regulated sectors to launder their ill-gotten gains.

In 2006, FATF issued its report on the New Payment Methods (NPM) of money laundering, which included mobile payment vulnerabilities. In a second initiative in 2010, FATF updated the same report to cover a comprehensive risk-based approach and related risk factors, but the major addition was the money laundering typologies and case studies associated with these types of payment. The report included three cases related to mobile payment schemes over the last four years. The study also revealed the main reasons for these results as follows:

  • Third party funding (including straw men and nominees).
  • Exploitation of the non-face-to-face nature of NPM accounts.
  • Complicit NPM providers or their employees.

Mobile payment systems may vary from one country to another, based on the laws, financial framework, culture and even the size of the telecom company. A World Bank working paper in 2008 classified mobile payment services into four categories:

  • Mobile Financial Information Services: With this service, the subscriber can request general financial information about his personal account, with no actual transactions occurring. Low or no AML/CTF risks are associated with this type of service.
  • Mobile Bank and Securities Accounts Services: Here the mobile account is attached to the bank or securities account so that transactions can be made through a mobile device using the SIM card. The service offered is thus similar to Internet banking, but uses the mobile device instead of the Internet. This service poses AML/CTF risks, but it is strictly overseen due to the regulations and surveillance deployed by banks and securities companies. In addition, outsourcing, especially to agents (when mobile operators rely on agents to do KYC or Enhanced Due Diligence for new subscribers), keeps the door open to additional risks from non-face-to-face account opening procedures. Worse, when the bank pools the funds into one account held in the name of the mobile payment provider, the audit trail is impeded, because the money is deposited into one account by several parties and deducted from this account to unknown entities.
  • Mobile Payment Services: This allows non-bank account holders to use their mobile phones to pay for purchases, such as utility bills, or for services they have been offered. Mobile payment providers therefore play the role of a financial institution. Using the mobile phone as a prepaid card or an electronic purse poses an ML/TF risk.
  • Mobile Money Services: The subscriber has the right to store money in a mobile phone and may make a payment or transfer through his/her phone. This poses extreme risk due to the lack of regulations and oversight.

As made clear above, the AML/CTF risks associated with mobile payment/money services threaten the country’s systems, as well as weaken the mobile payment provider’s reputation. Below are some recommended best practices that will help mitigate the associated AML/CTF risks for both countries and mobile payment providers:

Regulatory Framework and Legislations

Unfortunately, many countries throughout the world, including most Middle Eastern countries, have no regulatory framework to fight money laundering or terrorist financing through mobile money/payment services. Not considering a mobile payment provider as a reporting entity is another big concern. Based on the Methodology of Assessing Compliance with FATF 40 + 9 Special Recommendations, FATF defined Financial Institutions as “any person or entity who conducts as a business one or more of the activities…”. These activities include “Acceptance of deposits and other payable funds from public,” “The transfer of money or value” and “Issuing and managing means of payment.” This means the definition also applies to mobile payment providers, which act as non-traditional financial institutions. Accordingly, they should be considered reporting entities and subject to any AML law, act or decree. Most government officials are not aware that these providers are not classified as a reporting entity.

As an example, in some Middle Eastern countries, mobile payment providers are not permitted or encouraged to file suspicious activity reports (SARs) to local authorities.

Instead, mobile payment providers route the SAR to a local bank with which they have a business relationship, so that the bank can conduct extra due diligence and then report it to the government in case of suspicion, even though the reported person holds no account with the reporting bank.

Compliance Program

Like any other reporting entity, mobile payment providers should be more diligent in building up a healthy compliance program that underscores their compliance with local regulations and international standards. This requires the following:

– Designation of Compliance Officer: Compliance is a brand new term in mobile payment providers’ organizational culture. This would be the minimum task of a compliance officer within the organization. A qualified and certified compliance specialist will be the cornerstone in implementing the required compliance program and ensuring that regulations are followed and implemented properly.

– Clear Policies and Procedures: What would mobile operators do when regulators ask for documents or evidence? To keep the ship cruising the right way, mobile payment providers need to predefine internal policies and procedures, which should cover all daily operations among all related departments. Such policies should include account opening and closing policies, know your customer and customer due diligence procedures, and record-keeping requirements. This may include clear preventative measures such as transaction rejection and limits in certain conditions.

– Training for Employees, Agents and other parties involved: A major challenge for the compliance officer is to provide adequate training to all employees and related parties. Training materials should be designed for a targeted audience. For example, the basics of money laundering red flags in mobile payment services should be provided to front-line staff, while compliance officers and AML investigators are more interested in advanced and complicated international money laundering typologies and regulations.

– Independent Audit Testing: This is a very effective tool for measuring the success or failure of the compliance program. In addition, making sure that previously detected deficiencies were corrected according to the estimates is a very critical task for external auditors, who should not be a part of the compliance program.

The above components create the basic compliance structure, which may expand to other elements to govern the relationships with regulators and financial institutions where the operator maintains an account to run the service(s) on behalf of subscribers.

Risk-Based Approach and Automated Transactions Monitoring

Due to the rapid increase in money laundering trends in the mobile payment industry and the increased number of mobile payment subscribers, it is crucial for mobile payment providers to have an automated transaction monitoring solution that detects customers’ unusual activities based on international common rules or specified red flags.

Mobile payment providers already have excellent information technology in place, which paves the way for deploying an effective transaction monitoring and reporting system. What makes it more effective is that mobile payment providers are technological by nature and use the most up-to-date information technologies: electronic transactions can be analyzed according to predefined scenarios, allowing the operators to block or close accounts in which they detect abnormal transaction patterns.

At a minimum, mobile payment providers should require that any transaction monitoring include the following:

  • Customer name screening and checking against local and international lists.
  • Behavioral analysis at both the account and subscriber levels to detect unusual transactions based on precise scenario management.
  • Detection management and related analysis tools that present any hidden relationships between subscribers and accounts.
  • False-positive and fine-tuning management.
  • Self-steering workflows that best fit the organization’s hierarchy module.
  • Extensive case management.
  • Risk-based approach inclusion where all applicable risk factors will be calculated for a proper risk weighting.
  • Regulatory and managerial reporting such as STR/SAR and other reports designed for internal use with auditable results.
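
How the name screening, behavioral scenario and risk weighting items above can fit together, shown as an added example that is not part of the original article. The watchlist, subscribers, transfers, threshold and weights are all constructed assumptions; the scenario flags the third-party funding pattern named in the FATF findings earlier, and non-face-to-face onboarding is treated as an aggravating factor.

```python
import unicodedata
from collections import defaultdict

# All data, weights and thresholds below are constructed for illustration.
WATCHLIST = {"john q sample"}   # normalized names from local/international lists
MAX_FUNDERS = 3                 # distinct senders tolerated per receiving account
WEIGHTS = {"name_match": 60, "third_party_funding": 30, "non_face_to_face": 10}

SUBSCRIBERS = {  # account -> (registered name, onboarded face to face?)
    "S1": ("Jóhn Q. Sample", True),
    "S2": ("Mary Example", True),
    "S3": ("Ali Placeholder", False),
    "S4": ("Test Person", True),
    "M9": ("Corner Shop Demo", False),
}
TRANSFERS = [  # (sender, receiver, amount)
    ("S1", "M9", 40), ("S2", "M9", 35), ("S3", "M9", 30),
    ("S4", "M9", 45), ("M9", "S2", 140),
]

def normalize(name):
    """Fold accents, case and punctuation so spelling variants still match the list."""
    text = unicodedata.normalize("NFKD", name)
    text = "".join(c for c in text if not unicodedata.combining(c)).lower()
    return " ".join("".join(c if c.isalnum() else " " for c in text).split())

def monitor(subscribers, transfers, watchlist):
    """Return {account: (risk score, [red flags])}, highest score first."""
    funders = defaultdict(set)
    for sender, receiver, _amount in transfers:
        funders[receiver].add(sender)
    cases = {}
    for account, (name, face_to_face) in subscribers.items():
        flags = []
        if normalize(name) in watchlist:
            flags.append("name_match")
        if len(funders[account]) > MAX_FUNDERS:
            flags.append("third_party_funding")
        if flags and not face_to_face:  # aggravates an existing flag only
            flags.append("non_face_to_face")
        if flags:
            cases[account] = (sum(WEIGHTS[f] for f in flags), flags)
    return dict(sorted(cases.items(), key=lambda kv: -kv[1][0]))

if __name__ == "__main__":
    for account, (score, flags) in monitor(SUBSCRIBERS, TRANSFERS, WATCHLIST).items():
        print(account, score, flags)
```

The returned cases are ordered by score, which is the queue an analyst would work through in case management; a real deployment would tune the threshold and weights against its own false-positive rate.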

Like any other industry, mobile payment has specific risks. The main concern remains that this sector is growing radically over time while regulators are unfamiliar with the AML/CTF risks arising from these services and products. It would be a great starting point for mobile payment providers to assess the risks associated with each kind of service or product offered to the subscriber against the four major risk factors (Anonymity, Rapidity, Elusiveness, and Poor oversight).

One of the appreciated efforts in this field is the Global System for Mobile communications Association (GSMA) Discussion Paper titled “Mobile Money: Methodology for Assessing Money Laundering and Terrorist Financing”.

Now, the FATF Mutual Evaluation Report (MER) for a country considers the assessment of mobile payment regulations in cases where such businesses are registered. This makes it imperative for countries to move forward with legislation that should ultimately be harmonized with international standards.

Building up a proper regulatory regime that is compliant with international standards remains a big challenge for regulators and mobile payment providers, due to a lack of knowledge of compliance, anti-money laundering, risk management and mitigation factors, especially among people who are oriented to Mobile Network Operations only; they are really very new to this area of expertise.

Case Study: Selling stolen phone credits through mobile P2P payments

In April 2010, an individual was sentenced in the Cayman Islands for using stolen credit card information to illegally obtain phone credits, which he then sold through mobile P2P payment services. Although the amount of money was small, the individual was charged with money laundering under the Proceeds of Crime Law of the Cayman Islands.

Source: Cayman Islands Attorney General's Office.
