FATF publishes report on illicit financial flows from cyber-enabled fraud

Following October’s plenary, the Financial Action Task Force (FATF) issued new guidance relating to cyber-enabled fraud (CEF). In the report, the global watchdog analyzed how the cyber fraud landscape has evolved, its links to other crimes, and how criminal syndicates launder the proceeds. 

“Our research shows funds are being laundered faster than ever across multiple jurisdictions and sectors, leaving a trail of victims,” said FATF President T. Raja Kumar. “Left unchecked, this threat will only grow further in an increasingly digitalized world.”

The state of cyber-enabled fraud

While the global scale of CEF is difficult to ascertain, it is estimated that 80 percent of all fraud in the UK is cyber-enabled. The report notes that the growth of CEF can be attributed to the increasing use of new technologies, smartphones, and remote financial transactions, which have made users more vulnerable to fraudulent activities. Additionally, anonymity-enhancing technologies like virtual private networks (VPNs) have made it easier for criminals to carry out illicit activities while remaining anonymous.

When highlighting common tactics used in CEF, the FATF highlighted the use of shell companies and individual money mules. In many situations, criminals will recruit money mules via job offers and social media and sometimes instruct them to act as strawmen or open corporate accounts to hide criminal ownership. In cases of online trading fraud, criminals may also use these shell companies to create virtual point-of-sale accounts with merchant services companies to process payments and transfers from victims.

According to the FATF, the following typologies are considered types of CEF: 

• Business email compromise (BEC) fraud.
• Phishing fraud.
• Social media and telecommunication impersonation fraud.
• Online trading/ trading platform fraud.
• Online romance fraud.
• Employment scams.

While illicit financing related to ransomware and other malware-enabled crimes are considered cyber-enabled crimes, these typologies are not within the scope of this report. For more information on these areas, the FATF points to its March 2023 guide on Countering Ransomware Financing.

Risk indicators 

Drawing from experience and data received from jurisdictions across the FATF Global Network, the Egmont Group, and the private sector, the report highlights several risk indicators of CEF, including:

• Transactions that are rapid or high-value, soon after the account opening, which are not consistent with the account’s purpose.
• Large and frequent transactions that do not match the economic profile of the account holder.
• Small initial payments to a beneficiary, followed by larger payments to the same beneficiary in quick succession.
• Transaction requests marked as “Urgent”, “Secret”, or “Confidential”.
• Transactions directed to known beneficiaries but with different account information to what was previously used.
• Transactions with device time zone mismatches.
• Online behavior anomalies such as delays in entering data, hesitation, multiple failed login attempts, and signs of automation.
• Presence of negative news on customers or counterparties, such as being a known or suspected victim of a scam, mule, or identity theft.
• Abnormal activity of virtual assets from peer-to-peer platform-associated wallets with no logical business explanation.

While an indicator may be discovered in relation to a customer account or transaction, the FATF notes that a single red flag may not warrant suspicion of cyber-enabled fraud on its own. Nor will a single indicator necessarily provide a clear indication of such activity. However, should compliance staff identify any additional indicators, teams should undertake further monitoring and examination as appropriate.

Anti-fraud requirements and controls

In light of these risk indicators, the FATF also provided examples of how anti-fraud measures can be adopted in parallel with anti-money laundering and combatting the financing of terrorism (AML/CFT) controls. Useful for financial institutions (FIs), virtual asset service providers (VASPs), and other financial and payment institutions, the ten measures listed by the FATF include:

1. Robust know your customer (KYC) and know your business (KYB) processes: This may include utilizing biometric features during onboarding and identifying a single mobile or secure device for authenticating online banking transactions.
2. Cooling-off periods: By introducing a cooling-off period for first-time enrolment of online banking services or secure devices, the full suite of banking services will not be immediately available on opening, and the number or value of financial transactions for the customer will be limited.
3. Definition of expected transactions: This could include the number of transactions, amounts, types of counterparties, and countries involved. This will help detect suspicious transactions and tighten fraud detection rules and triggers to block illicit transactions pre-emptively.
4. Verification of payee services: These services allow the originator/payer/debtor of a transfer order to check that the beneficiary/payee/creditor mentioned in the payment messages matches the name of the account holder.
5. Reducing communication: By reducing communication via email and social media with clients to general information only, customers should be better equipped to spot fraudulent communications and scam attempts.
6. Voice recognition and artificial intelligence: This could include adding voice recognition software and artificial intelligence support in communication with clients to ensure their true identity.
7. Multi-factor authentication mechanisms: These mechanisms could be used for customer verification and for performing financial transactions.
8. Client identification processes: Improving the reliability of the client identification process through methods like liveness tests can play a vital role in verifying the user’s identity during remote setup. It can also prevent criminals from accessing multiple accounts using the account information of money mules or victims. 
9. Expanding customer data: Additional information may include mobile phone numbers, IP addresses, GPS coordinates, device IDs, etc. As a result, analysts have more data to work from if and when anomalous behavior is detected.
10. Real-time transaction monitoring: By implementing a risk-based real-time transaction monitoring system, firms can ensure that any abnormal activity is swiftly detected, investigated, and, where relevant, reported through the filing of a suspicious transaction report. The sophistication of the monitoring system should be commensurate with the volume and nature of transactions handled by the FI.

Key takeaways: What should compliance staff prioritize?

With cyber-enabled crimes expected to grow, the FATF concludes its report with three strategies to enhance risk mitigation efforts:

• Break down silos within compliance teams.
• Promote collaboration across the public and private sectors on a domestic and international level.
• Enhance detection and prevention measures by promoting awareness and vigilance and facilitating reporting of such crimes. 

To this end, firms should ensure their compliance teams are well-trained in recognizing the risk indicators highlighted in the FATF’s report. Organizations may also consider reviewing their ongoing monitoring measures to ensure their system can detect and prevent fraudulent transactions within specific cybercrime scenarios. This may include creating bespoke rulesets in their transaction monitoring and fraud detection solutions to better detect common patterns of fraudulent behavior they might be particularly exposed to. 

To learn more about the key takeaways from October’s plenary session, read our coverage here.