What is transaction laundering?

Transaction laundering occurs when a merchant selling illegal goods processes payments using the payment service account of a seemingly legitimate merchant, thereby masking the criminal origin of the funds they receive. 

As financial services integrate with e-commerce technologies, criminals find new ways to exploit online payment infrastructures and disguise their illegal funds. Transaction laundering is an emerging trend in online financial crime, which represents a digital evolution of traditional money laundering that has only recently come under significant scrutiny from regulators and financial service businesses. 

While it is among the newer typologies of money laundering, transaction laundering represents a significant threat: its global proceeds reached anywhere from €350–800 billion in 2020 alone, according to one estimate. Financial services businesses must ensure their anti-money laundering (AML) programs are prepared to address the risks it poses. 

How does transaction laundering work?

Transaction laundering has become popular because of the ease with which criminals can set up (or gain access to) a legitimate-looking website and payment service account. This can happen with or without the knowledge of the legitimate merchant. Illegal transactions are then directed through that legitimate account’s payment gateway and laundered unwittingly by the payment service provider (PSP). 

The transaction laundering process typically involves the following steps:

• A criminal posing as a legitimate merchant creates a website where customers can order illicit goods.
• At the same time, they access the website and PSP account of a business selling legitimate goods – or set up a website and account that appears to be legitimate themselves. 
• When a buyer purchases something from the illicit website, the merchant uses this account to process the transaction. 
• The PSP processes the payment and contacts the acquiring bank for funding.
• Laundered funds are deposited in the criminal’s bank account. 

While the criminal might sell drugs, weapons, or other illegal items through their own website, the merchant site that the criminal uses to process their transactions will sell non-illegal goods like clothes or books, which help to mask the illegal sales. 

Examples of transaction laundering

Although the fundamentals of transaction laundering remain consistent, a few specific methods are used. These include: 

• Hacking an existing account: Criminals gain access to the payment account of a legitimate merchant without their knowledge to surreptitiously process illegal transactions. 
• Using shell companies: Criminals set up legitimate-looking but fake businesses to act as ‘front’ companies, using their accounts to process their real, illegitimate transactions. 
• Working with an existing merchant: In some cases, merchants operating a legitimate business are brought into and made complicit in a transaction laundering scheme, allowing their accounts to be used for this purpose.  
• Anonymous laundering through prepaid cards: Some prepaid cards do not require a bank account or identifying information to be used. Criminals can load cards with illegal funds, then make purchases with them to introduce these funds into the financial system. 
• Affiliate fraud: An offshoot of transaction laundering, this involves affiliates paid by businesses to direct new customers to their website making fake purchases or delivering fake website impressions to earn themselves more money. 

What are the regulations around transaction laundering?

Jurisdictions across the world have developed comprehensive anti-money laundering and countering the financing of terrorism (AML/CFT) regulations so firms can mitigate their exposure to transaction laundering and other money laundering typologies. Most jurisdictions derive their regulatory frameworks from the Financial Action Task Force (FATF)’s International Standards on Combating Money Laundering and the Financing of Terrorism & Proliferation, or ‘40 Recommendations’, and share the key tenets of these. PSPs should make sure they conform to certain principles designed to prevent them from onboarding fraudulent merchants or processing fraudulent transactions, such as: 

• Risk assessments: Firms should adopt a risk-based approach to AML, identifying where their business is likely to encounter the most risk by considering factors such as the locations they operate in, the customers they serve, and the products and services they offer. 
• Due diligence: PSPs should carry out customer due diligence (CDD) measures to establish each customer’s AML risk level. CDD can include verifying customer identities and locations, establishing ultimate beneficial ownership (UBO), and screening for sanctions and watchlists, adverse media, and politically exposed person (PEP) status. 
• Transaction monitoring: Firms should monitor each customer’s transactions to understand their financial behavior and flag any unusual or suspicious patterns or deviations. 
• Reporting: When they detect suspicious behavior, PSPs should report it to the relevant authorities using a Suspicious Activity Report (SAR) or jurisdictional equivalent. 

Despite these shared principles, individual jurisdictions have specific requirements around AML controls and reporting obligations, so firms should consult the relevant legislation in their jurisdiction. Examples include: 

• United States: The Bank Secrecy Act (BSA), the Anti-Money Laundering Act, and the USA Patriot Act form the bedrock of the US’ AML/CFT regime. The Financial Crimes Enforcement Network (FinCEN) and the Office of Foreign Assets Control (OFAC) are the key regulators US firms should be aware of. 
• United Kingdom: The UK’s AML/CFT framework is centered around the Proceeds of Crime Act (POCA), the Money Laundering, and Transfer of Funds (Information on the Payer) Act, and the Terrorism Act. The Financial Conduct Authority (FCA) is the UK’s primary financial regulator. 
• European Union: The ‘new’ Sixth Anti-Money Laundering Directive (6AMLD) is the EU’s main piece of AML legislation. Implementation has been the responsibility of individual member states, but as part of a new ‘package’ of rules adopted in 2024, an Authority for Anti-Money Laundering and Countering the Financing of Terrorism (AMLA) will be set up. 
• Singapore: The Monetary Authority of Singapore (MAS) is the financial regulator for Singapore, while the Corruption, Drug Trafficking, and Other Serious Crimes Act (CDSA) is the country’s primary AML legislation alongside the Payment Services Act (PSA). 

Non-compliance with these regulations can cause serious problems for PSPs, including reputational damage and financial or even criminal penalties. 

The challenges of detecting transaction laundering

Transaction laundering is a sophisticated form of money laundering with potentially severe consequences if left undetected. In one high-profile case, a senior official in the terror group Islamic State was discovered to be running a network of fake printer sales on online marketplaces to disguise payments that were really being used to transfer money to an Islamic State operative in the US. 

The following are all features of transaction laundering that create challenges in detecting and preventing it:  

• Complexity of payments: Payment chains are often very complex, meaning malicious transactions can pass through many steps and go undetected.
• Multiple web portals and unreported websites: Transactions can be accepted through hidden websites, which banks do not know about and where traditional fraud detection may not be able to flag suspicious activity. 
• Pagejacking: In cases where criminals use websites as ‘shadow sites’, the website owner may never know this has occurred. 
• Small transaction amounts and managed ratios: Where criminals make small transactions, these do not tend to be monitored. For example, additional documentation is not required for gift card transactions under $500 (in the US) and £250 (in the UK). Criminals can also attempt to create transaction patterns that avoid triggering AML alerts. 
• Anonymity: Criminals can avoid banks’ know-your-customer (KYC) checks by taking advantage of prepaid cards that allow anonymous transactions.
• Forged documents: Fake invoices and receipts can be used to help disguise illegal sales as legal. 

How firms can detect and prevent transaction laundering

To overcome the risks posed by transaction laundering, firms should reinforce their AML checks and monitoring processes and adapt to the sophisticated methods used by criminals. When investigating suspect transactions, firms should consider a number of factors:

• Website functionality: Fraudulent websites often do not match competitor sites, have apparently poor functionality, or seem unappealing to potential customers. 
• Site merchandise: Firms can compare the suspected site’s merchandise with its sales projections and figures. In criminal contexts, those figures are often unaligned or unrealistic.
• Unexplained trends: Sites involved in transaction laundering often exhibit unexplained spikes in sales, or ongoing sales volumes that do not match the products they sell.

To maximize their chances of detecting and preventing transaction laundering, firms should also make sure they are using specialist AML/CFT software solutions with the following capabilities: 

• Customer screening and ongoing monitoring: Conducting proper customer due diligence (CDD), both at onboarding and beyond, is an essential step for firms. It allows them to verify the identity of each customer and screen them against risk factors such as location, adverse media alerts, or involvement in previous enforcement actions. Firms should use all available resources to gather information on the merchants involved in the relationship and on the beneficial ownership of their business.
• Transaction monitoring: Robust monitoring, particularly of a firm’s merchant or sub-merchant portfolio, is crucial. Machine learning can be used to accurately and efficiently identify suspicious patterns indicating transaction laundering while adapting to new rules and typologies.