Proceeds of fraud - Detecting and preventing money mules

• Many firms recognise the risk of money mules and have become increasingly aware that they can be used as an enabler for fraudsters. We have seen firms use technology so that they can properly calibrate their systems according to risk, and make sure that they are taking a risk-based approach. Some innovative solutions include the use of facial recognition systems, device profiling and geolocation. By analysing datasets and transaction patterns, these systems can flag suspicious activities, thus enabling firms to identify potential money mule networks.
• Most firms are embracing new technology to better identify and prevent mules. Investing in machine learning systems helps reduce the inherent risks of static rules-based systems, which fraudsters can bypass as they continuously change their tactics and approach. While static rules are simpler to implement and can be cost effective, they lack adaptability to evolving fraud tactics, often resulting in high false positives, and missing sophisticated fraud schemes. Both types of systems have benefits and shortcomings and we do not propose a prescriptive approach. Firms should consider the most appropriate way to address the risk proportionate to the size and complexity of their business.
• We found that firms using the National Fraud Database as part of onboarding checks were able to access valuable insights and data to detect and prevent mule activity. It also helped identify customers who were higher risk.
• We also found that firms can use reporting systems to analyse the flow of funds between firms to help identify and disrupt mule activity. This also allows firms to identify further account holders who may have received such funds, stopping the mule networks. When a potential money mule is identified, firms can use these systems to notify and alert other firms being used by fraudsters. Collaboration can help to combat this prevalent issue.

• We found most firms have been increasingly using lawful data sharing to combat the issue of money mules. Through data sharing pilots and collaborative efforts, including with law enforcement, firms are better able to detect and prevent these activities. By sharing their data through appropriate mechanisms, they can identify potential money mule networks more effectively and track the movement of funds across multiple accounts.
• We found that most firms engage with various external bodies to discuss intelligence and emerging threats. These external bodies include CIFAS, UK Finance, NECC and Fintech FinCrime Exchange. This allows firms to be able to share their findings and their preventative measures to mitigate a specific fraud typology. This then allows these relevant bodies to share these with others in the sector.

• Some firms have dedicated training for staff on financial crime and specifically fraud. Firms with these dedicated training programmes help ensure relevant staff are kept up to date with new criminal typologies and are therefore better able to detect and prevent money mule activity. Some firms have financial crime training for new joiners as well as refresher training for existing staff. Without this, firms may find it difficult to detect and prevent money mule activity as staff members would not be upskilled to identify such threats.

• We found that where firms are outliers, in that they have more reported mule accounts than their peers, there is a lack of senior management oversight and a lack of MI reporting to ensure that steps are taken to address the risk and assess the impact of interventions. A proactive strategy for tackling money mules helps protect a firm’s regulatory compliance, reputation and customers.

Onboarding

• We found that some firms were undertaking relatively few checks at onboarding and were relying on subsequently monitoring customers’ behaviour to identify suspicious activities related to money mule typologies. Firms should have robust controls and take proactive steps during the customer onboarding process to detect potential red flags and identify potential money mules.
• We observed some firms do not capture information during the onboarding phase such as, salary or turnover details. Failure to capture this information means a potential increase of false positive transaction monitoring alerts and additional investigation for alert handlers that could be avoided. This information helps to better identify transactions that are suspicious and those that are not.
• Incorporating device profiling, geo-location and behavioural biometrics into onboarding controls significantly strengthens detection mechanisms. This enables firms to swiftly halt or reduce mule account creation during the initial stages. Firms should consider adopting these capabilities to enable them to more effectively disrupt mule networks.
• We observed some firms are not always conducting further investigation into the reasons why some of their customers are using virtual addresses. An example of a virtual address is a mailing address provided by virtual office providers or mail forwarding services in the UK. These addresses are not physical office locations but serve as a mailing address for business correspondence. Neglecting further investigation into virtual addresses could enable fraudsters to exploit this vulnerability, leading to financial losses and increased levels of money mule accounts.
• We found some firms are onboarding customers where multiple customers are using the same device with no clear reason. This is a typical mule characteristic where the customer may have sold on their account details to a ‘mule herder’ who now has control of their account. Firms should review customers who are using 1 device to access multiple accounts to verify if their reasoning is genuine, such as being members of the same household.
• We have also found some firms onboarding multiple customers using the same physical address. Firms should be doing further due diligence checks to verify how many account holders are using the same address and whether there is a reasonable and valid explanation for this.
• We have seen some firms sending out cards to their customers but not checking to see if the card has been activated. This is a simple check which enables the firm to confirm if the customer actually lives at the address which they have used to open their account.

Transaction monitoring

• We found that some firms focus on outbound transaction monitoring and do not have adequate inbound transaction monitoring systems or controls. This may lead to firms being unable to detect mule accounts or doing so at a very late stage, most probably after funds have left via the mule account. Inbound transaction monitoring can help firms identify unusual transaction patterns such as rapid turnover and account behaviour changes, for example, a dormant account which is now in receipt of large funds. All these are common characteristics of mule behaviour and cannot be detected using outbound transaction monitoring.
• Common mule characteristics, such as high value payments into a new or (previously) dormant account and similar amounts subsequently debiting the account, are not being detected as often as they should be. Firms should consider systems and controls which will help their ability to identify suspicious funds coming into their accounts as well as funds leaving their accounts.
• As in the case of onboarding, some firms should also look to improve their detection of money mules during the transaction monitoring stage by considering device profiling, geolocation and behavioural biometrics systems. These systems working together will help firms to not only disrupt the mule network but also gather further intelligence on the characteristics of mule networks.
• We observed some firms heavily rely on machine learning models. However, machine learning models require historical data to accurately understand a customer’s normal behaviour. The machine learning period can take time, particularly for new customers or those with limited transaction history. Our review also found that some firms were not able to explain the workings of machine learning tools. It is essential that firms understand how machine learning tools work, i.e. what the inputs and the expected outputs are, for both quality assurance purposes and testing capabilities. Machine learning models with a combination of tactical rules and behavioural biometrics can contribute to a robust and more proactive fraud detection system if firms fully understand and apply these tools appropriately.
• Some of the firms we looked at had transaction monitoring alerts which triggered without the rule parameters having been met. There were also occasions we saw where alerts did not trigger when parameters had been met. Firms should ensure that where they have alerts set up, they are working correctly. We encourage firms to continuously test the alerts that are created, ensuring these are fit for purpose and alerting on customer events as expected.
• In some firms, our review revealed that analysts are often uncertain about the specific criteria that triggered alerts in the machine learning tool. It is essential for analysts to understand the rationale behind these alerts, as this knowledge would guide their investigative efforts, sparing them from the need to conduct comprehensive reviews, which can be time-consuming. This can also help establish a feedback loop on potential revisions to improve the criteria for triggering alerts.
• We found some firms were taking too long to implement changes to their transaction monitoring rules even where they had identified a mule characteristic or emerging risk. Being unable to implement new rules in a timely manner to counter immediate threats could lead to a risk of increased fraud rates.
• Where alerts are investigated, we are seeing some firms recording poor narratives and rationale which do not explain why the alert handler was satisfied that there were no justified suspicions. A clear audit trail is necessary when handling alerts. This also helps if further alerts are raised on the customer and helps the feedback loop into the machine learning models.

Reporting

• Firms should report mule activity quickly and efficiently through relevant reporting systems i.e. the National Fraud Database, allowing other firms to be notified if the same mule is looking to open accounts with them. Not reporting promptly affects the ability to disrupt and close mule networks.
• We found that some firms whose accounts are in receipt of fraudulent funds do not always respond quickly and efficiently to the firms raising the alert. Receiving firms play a huge part in disrupting the mule network as well as protecting their own customers from being affected by fraudsters. Firms must act on requests from other firms promptly, informing them of suspicious and fraudulent funds.
• We also found in some instances that Suspicious Activity Reports (SARs) were not raised at all or were not raised as quickly as we might expect. Raising SARs is extremely important in tackling the mule network. Valuable account information from SARs can help law enforcement investigate and prosecute criminals involved in the proceeds of fraud. 

Resourcing

• Some firms would benefit from having dedicated resource allocated to actively investigating mules. The benefit of this is not only to be able to detect and monitor money mule accounts but also being able to work on notifications from other firms in a timely manner and report to other firms of fraud against their own customers.

• We found a lack of data sharing between some firms that are not part of similar UK reporting or data sharing initiatives.

• While some firms have made progress in informing customers about the impact of fraud, their efforts to educate customers about money mule risks fall short. Given the prevailing cost of living crisis, some customers might find themselves susceptible to providing their account details for money mule activities under influence or pressure. We ask firms to improve their communication strategies and awareness initiatives, keeping customers informed about the latest threats.
• Consumer education and awareness is essential to combat financial crime, protecting consumers, complying with regulations, and maintaining a firm's integrity and reputation.

• We have concerns in relation to the effectiveness of fraud alert investigations within some firms. We saw in some cases alert handlers working alerts and closing them, despite poor narratives and rationale. Also, in some cases we saw instances where clear suspicious activity did not result in the alert handlers raising a SAR. Firms can enhance the effectiveness of their alert investigations by ensuring that staff members have a clear understanding of their roles and responsibilities in combating fraud.