AUSTRAC guidance tackles misuse of payment text fields

The Australian Transaction Reports and Analysis Centre (AUSTRAC) has released a new guide aimed at tackling the increasing misuse of transaction payment text fields by criminals.

The guide, Preventing misuse and criminal communication through payment text fields, aims to raise awareness of how criminals are using payment text to communicate with each other – or to harass, stalk or threaten victims – rather than for the purpose of transferring funds.

The growth of digital-first fintechs, alongside an increasing amount of data and number of payment platforms, has enabled larger character limits to be applied to payment text fields, and criminals are making use of this facility to carry out illegal activities. 

Common themes within payment text fields identified by AUSTRAC include:

• Technology-facilitated abuse
• Threats or extortion attempts
• Criminal communication
• Threats of suicide and self-harm

Additionally, communications involving child abuse, illicit drugs, firearms, ideologically-motivated extremism and outlaw motorcycle gang activity have been spotted. 

Westpac bank research shows that more than half (51%) of Australians have received some form of online abuse, including via email, mobile and social media channels. One in four (26%) admit to having used some form of inappropriate language in payment transactions.

The guide, created in collaboration with public-private partnership the Fintel Alliance, provides financial service providers with insight and examples to help them target, detect and disrupt this practice.

“Financial service providers should use indicators in this report and their own business knowledge to conduct further monitoring and identify if a suspicious matter report (SMR) needs to be submitted to AUSTRAC,” the guide states.

Guidance on identifying the misuse of payment text fields includes how to determine if text is a threat or a joke, the use of abbreviations and slang to hide meanings, references to self-harm and suicide, how emojis can be used to convey threatening or abusive messages, and how criminals can refer to a shipment of illicit goods or planned event in their messaging. 

Potential red flags to look out for include payments below $10, high frequency payments and relationship patterns, along with incorrect spellings and the use of slang. 

A real-world example describes how a 23-year-old man was identified by a financial services provider after sending 10 payments of less than $5 to a female victim. Messages within the payment text field asked the victim to contact him and threats to take his own life. After a report to AUSTRAC, police arrested and charged the man for breaching a Protection Order.

Key Takeaways

This guide highlights the importance of agility in transaction monitoring, which can be challenging for firms – what counts as suspicious activity for one customer may be normal business for another. 

With constantly changing typologies and global regulatory expectations, false positives can be common and the risk of missing illegal behavior increases. For example, slang words and emojis are not fields a firm would traditionally expect to have to screen for, and context can be a challenge. Managing high volumes of false positives and unfamiliar alerts can also impact a firm’s wider operational efficiency.

It also underlines some of the changing demands on transaction monitoring systems. Firms need to  weigh up whether building a transaction monitoring solution in-house is right for them, or whether buying a solution that will push through updates automatically to cover emerging anti-money laundering (AML) risks would be more cost effective and efficient in the long-run.

At 13-pages, the guide provides a quick and easily digestible format for compliance teams and is well worth a read. It should be assessed in the context of the firm’s own business/industry, as part of a wider risk-based approach.