Fraud accounts for atleast 40% of financial crime in the UK. In 2022, UK banks have identified over 39,000 accounts demonstrating behavior indicative of money muling[1]. NCA estimated that over GBP 10 billion is laundered via money mule activity in the UK annually[2]. The global increase in fraudulent activities is a growing concern for businesses and organizations worldwide. In the UK, this concern is further exacerbated, with projected losses of £2.3 billion in 2023, representing a staggering 104% increase from the previous year. The banks and financial institutions are grappling with the challenge of keeping pace with fraudsters, who have become increasingly sophisticated in their methodologies. This situation is further complicated by the widespread adoption of instant payments across Europe, which has added an additional layer of complexity to the problem.

Who is a money mule? A money mule is an individual who acts as an intermediary in transferring illicit funds on behalf of another party. This typically involves the movement of stolen money through a series of bank accounts, obscuring its origins and making it exceedingly difficult to trace back to its source. The use of money mules is a common tactic employed by criminal organizations to facilitate money laundering and other illicit activities. It is essential to know that the act of muling is very common to a specific demographic, such as young people, students, or the elderly.

Money Muling usually happens in two ways:

1. Witting mules: These individuals willingly participate in the process of money laundering. They exhibit a conscious understanding of the illegitimate nature of their actions and may be integral parts of larger criminal networks or schemes. Furthermore, individuals are instructed to deposit cash/funds into their accounts in amounts that are unlikely to be reported, keep a small commission, and then send the remaining funds to another account.

2. Unwitting mules:  These individuals are often targeted through online scams or fake job advertisements, leading them to believe that they are conducting legitimate transactions or working for a genuine business without realizing they are unsuspecting victims. Additionally, money from criminal sources is deposited into the mule's account, and the mule is then instructed on how and where to transfer the money. The funds can be moved to third parties, withdrawn as cash, or converted to cryptocurrency to conceal their origins.

How do you identify mule accounts?

1. KYC (Know Your Customer)

In many instances, the focus is more on the transactional activity than KYC. For example; many a times, we come across investigations focusing heavily on the transactional activity, however the KYC details such as salary, turnover, occupation is missing on the customer’s profile. After the KYC information is sought, in few cases it might turn out to be a false positive or on the other hand, it can be a fraudulent account as well.

As identified by the FCA, it will be useful to make changes at the onboarding stage itself to prevent fraudulent activity before it commences. Asking questions such as;

• Has the National Fraud Database or an internal blacklist been used prior to onboarding?
• How authentic are the documents submitted by the customer? For example; fake Student Id’s
• Is the same residential address used by 50 different people, that is definitely a mule herder?
• Is the customer using a ‘virtual address’ to register the business on the Companies House?
• Is there a change in phone number?
• Are the right tools/resources being deployed?

If the accounts with limited KYC information are triaged and alerted to the AML team, a lot of fraud can be stopped/prevented. In my experience, I have come across multiple accounts being opened on the same day in one bank using one address, and smaller amounts such as £1 or £10 starts to flow . These types of accounts are getting ready for the muling activity and need to be closed. Do not forget to document why the accounts are closed to avoid any further legal implications.

2. Transactional behavior

There is always a strong emphasis on monitoring transactions with unusual volumes, as well as high cash deposits, which is a necessity. However, it is important to pay special attention to high volumes of cash withdrawals at specific locations, inconsistencies in customer explanations, an increase in fraudulent use of credit/debit cards, suspicious tester payments, and payment references.

• Cash withdrawals at specific locations: It is common for students to be recruited as mules to assist in illegal activities such as money laundering. Often, the ATM location used for such transactions is in close proximity to the university or even inside it. To help identify and catch these student mules, implementing a rule on Transaction Monitoring (TM) would be beneficial as it can speed up the process and identify the mules at an early stage.

• Changing customer stories: In my experience in financial crime, I have come across many cases where the customers happen to change their stories often. That does make it easy to identify the mules.

• Increase in fraudulent use of credit/debit cards: This fraudulent activity targets financially struggling individuals by offering to overpay their credit card debts, thus creating a positive balance, however the fraudster transfers this balance to their own account, effectively laundering the illicit funds. Also, inbound transaction monitoring will help here because if the customer has received an inbound payment outside of his appetite, the fraudsters look at immediately transferring it out. Debit card transactions to MSB’s, currency exchanges are the quickest way to move the funds. The fraud prevention team needs to be well-trained in asking specific questions.

• Test payments: Small test payments, usually of around £1, are commonly used by fraudsters to determine the viability of stolen payment credentials. These small transactions are used to validate that the stolen credentials are still active, without alerting the account owner or the payment provider. Once the test payment is successful, the fraudster will then make larger transactions, resulting in significant losses for the victim. TM systems must be designed to identify and flag small test payments as a potential warning sign.

• Payment References: I cannot stress how vital payment references are. Payment references such as ‘squares’, Barks (Barclays), Natty (Natwest), Sants (Santander). For example; cards are known as squares. If the mule has a Barks square, an ‘X’ amount will be deposited and the mule can keep a cut.

3. Device patterns

Accessing an account from high-risk countries or frequently changing the device location could serve as red flags. Similarly, utilizing VPNs or proxies to access multiple accounts from a single IP address may suggest coordinated nefarious activity. Additionally, it is worth noting that a single device linked to multiple accounts could indicate mule herding. According to FCA incorporating device profiling, device location, IP addresses, and facial recognition into onboarding controls can significantly strengthen mule detection.

How does money muling affect your business?

• Training: It is necessary to provide fraud prevention training for all staff members, with a specific focus on 1LOD. Staff members should not be trained only to perform tick-box checks but also to ask customers specific questions when alerted. In my experience with fraud prevention, tick-box approaches are often used. It is necessary to explore new methods of training that encourage meaningful inbound conversations. Introduce the red flags from the ‘Proceeds of fraud - Detecting and preventing money mules’ from the FCA and SARs in Action – Money Mules – Issue 22. Having an internal typology list can also be added to training module.

• Risk Assessment: Does it consist mainly of vulnerable demographics? Identifying mules during onboarding can be challenging since individuals may open an account and become mules later. Therefore, risk assessment plays a vital role in detecting how the KYC process was conducted and how the customer profile was integrated into the systems.

• SAR filing: Are we investigating the actual rationale behind the alert? Are we reporting the reasons as to why we think the alerted account is a mule? Based on my professional experience, I have encountered several alerts that were initially flagged for other reasons but were later identified as mules upon closer examination. Additionally, are we including the new NECC reference on the SAR portal when reporting a mule? And lastly, are we fine-tuning those mule red flags on our TM systems?

• Customer education: With the rise of mule advertisements on social media in this digital age, it has become increasingly necessary to raise awareness and educate people about this issue. It is important to take action to protect potential victims from being unintentionally lured into muling.

Conclusion: In light of the muling activity, there are various considerations to take into account. Notably, understanding the positive impact of stopping this activity, as well as the potential risks if it is left unchecked, is imperative. To prevent this issue from escalating, a multi-faceted approach is necessary. Accordingly, regulatory bodies are taking action to address the rising incidence of fraud. Established measures, such as Strong Customer Authentication (SCA) or Confirmation of Payee (CoP), together with forthcoming regulations, such as the PSR's shift in liability and the Economic Crime and Corporate Transparency Act (ECCTA), are intended to encourage financial institutions to bolster their fraud defenses and enhance customer safeguards. To effectively tackle the increasingly intricate nature of fraud dynamics, financial organizations must confidently shift their approach from detection to prevention.

References

[1] NCA, National Strategic Assessment (NSA) Campaign 2023 - Money Laundering - National Crime Agency https://www.nationalcrimeagency.gov.uk/nsamoney-laundering

[2] CIFAS Fraudscape 2023 https://www.fraudscape.co.uk/

Disclaimer – The views expressed in the content are my own and do not necessarily reflect the views of my employer or other associated parties.