For most Americans, the term "money laundering" conjures an image of boxes of currency flown to the United States via seaplane—or former dictators paying cash for multimillion-dollar homes in swanky communities. Virtually no one would associate money laundering with two men from North Dakota. But in a lawsuit filed by the Consumer Financial Protection Bureau (CFPB) in the Federal District of North Dakota, CFPB v. InterceptEFT, et al., the agency alleges that Fargo-based owners of a payment processor used the Automated Clearing House (ACH) system to make unauthorized transfers from consumer bank accounts to the accounts of fraudsters. It's the role of the Bank Secrecy/Anti-Money Laundering Act (BSA/AML) to detect such illegal use of our banking system.

In the eight years that InterceptEFT allegedly facilitated the schemes, seven banks terminated the payment processor's accounts, citing high transaction returns and consumer complaints. Those banks' compliance departments did good work. But how was it possible that at least seven banks investigated the same problem involving the same company year after year and each time a bank terminated its relationship, the company found a new depository home?

Fraud is Faster-Paced than FinCEN

The Financial Crimes Enforcement Network, an office in the U.S. Department of Treasury, oversees the BSA/AML laws and helps institutions fulfill their duties by providing tips, guidance, and telephone support. FinCEN has for years focused on areas other than consumer banking, issuing most of its guidance on foreign entities and on how banks should properly complete forms. FinCEN last issued regulatory guidance on consumer fraud in 2009, at the height of loan modification scams. But new fraudulent schemes have arisen since.

In the InterceptEFT lawsuit, the CFPB alleges the company transmitted debits and credits via ACH for some companies that never received legal authorization to take money from consumer accounts. It's a tricky situation for depository institutions: payment processors who meet FinCEN regulatory exemptions have no BSA/AML obligations, so the bank must detect trouble and enforce the rules for its customer's customers. And at first blush, InterceptEFT looks legitimate. It's a member of reputable associations, has sophisticated software, and attends trade shows. Indeed, many of InterceptEFT's transactions are probably as ordinary as its two North Dakotan owners appear.

But some of the payment processor's clients were crooks. For instance, according to the CFPB’s complaint, InterceptEFT processed payments for a company that was under a federal court injunction. To continue processing for this company, InterceptEFT falsely told bank BSA/AML officers that the beneficial owner of the account was a Native American tribe. In addition to high return rates and consumer complaints about unauthorized transactions, banks noted discrepancies between the dates and amounts debited from consumers’ accounts compared to what the consumer authorized, changes in lender names from the initial loan agreements with the consumer, and missing telephone scripts for ACH transactions authorized by phone.

The CFPB estimates that thousands of consumers were defrauded from 2008 through 2016. It appears from the CFPB complaint that InterceptEFT's clients used several different schemes. One fraud scheme that requires ACH access is unilateral payday lending. A consumer searches the Internet for a payday lender and finds a loan lead generator, instead of an actual capitalized company ready to lend. The consumer enters her information--including a bank account number--and the lead generator's subscribers bid to make the loan. Fraudster companies take the consumer's information and deposit money in the consumer's bank account without first getting agreement. After making the deposit, the fraudster emails a "contract" to the consumer. With its "loan" in place, the fraudster regularly debits the consumer's account in amounts that sum up to several multiples of the original loan.

This unilateral lending scheme requires a payment processor to facilitate the transactions. Payment processors deposit the original loan amount, as well as customers' later "payments" on the loan. When consumers or their banks catch on, payment processors supply bogus contracts or simply reverse the transaction. Consumers and banks returned so many of these debits that, at times, InterceptEFT had a 20 to 40 percent rate of transaction returns. In comparison, the National Automated Clearing House Association suggests that no bank customer should have more than a 1 percent return rate.

For InterceptEFT to process payments, it needed an originating depository financial institution (ODFI)--a bank, thrift, or credit union--to send instructions to the ACH operator. The BSA/AML laws and regulations govern these entities. And in fact, seven times a compliant ODFI terminated its relationship with InterceptEFT, and seven times the payment processor found a new institution to originate its transactions.

Paperwork at the Expense of Prevention

The Bank Secrecy Act and its implementing regulations require financial institutions to file transaction reports and Suspicious Activity Reports (SARs) when a bank detects a known or suspected violation of federal law or a suspicious activity related to money laundering, terrorist financing, or other illegal activity. The BSA draws some hard lines about what banks should report--and has recently finalized rules that require all institutions to collect information about ultimate "beneficial" account owners. But most complicated BSA issues arise at banks as they try to meet the requirements for reporting "suspicious activity." Bank employees become private investigators, and the law gives them stringent timelines to report. Once the SAR is filed, it waits in a database until a government employee stumbles on a pattern or another agency has a reason to review the records. All SARs are kept secret by order of the USA Patriot Act.

BSA/AML documentation burdens on banks are increasing due to pressure from regulators and new rules that take effect in 2018. While anti-terrorism is important, the increased burden has domestic costs. Time spent on forms and document-gathering means less time for preventative policing at banks. Money spent on software upgrades means less money for diligence. Big transfers get more attention than thousands of small payments from consumer fraud. Stopping bad actors from entering the financial system receives lower priority than monitoring ongoing illegal activity. And foreign accounts and transactions receive higher scrutiny than American transactions. The end result is that regulators are stopping planeloads of cash at the border, but two guys from Fargo can slip under the radar for years.