Key takeaways

• Some firms are working to address the challenges of money mules by implementing a range of measures and technologies to detect and deter fraudsters from using their organisation, eg facial recognition systems, device profiling and geolocation.

• However, not all firms are responding with the same focus, and some firms need to do more to tackle the problem.
• The FCA emphasises that a proactive strategy for tackling money mules helps protect a firm’s regulatory compliance, reputation and customers.
• It expects payment account providers to establish proportionate systems and controls to manage the problem of money mules and the associated risks. It will use its full regulatory tools, including enforcement action, if it identifies a firm failing to maintain proportionate and adequate systems and controls.

What do firms need to be thinking about?

• Banks, building societies, other payment service providers and e-money institutions should be looking at ways to:
  • strengthen controls during onboarding with more proportionate checks for indicators and red flags which may identify potential mules;
  • improve transaction monitoring systems to detect common mule behaviours and do more to monitor inbound as well as outbound transactions; and
  • optimise reporting mechanisms for swift action, both when they identify a mule account and when they receive alerts from notifying institutions.
• Controls should be kept proportionate and risk-based through updating as the threat changes, working in partnership with others through industry and law enforcement data sharing initiatives.
• Firms should also be looking to improve their communication strategies and awareness initiatives to keep customers informed about the latest threats. The FCA highlights that this is particularly pertinent in the current cost of living crisis, where some customers might be persuaded or pressurised into providing their account details for money mule activities.
• The FCA is keeping its regulatory spotlight trained on reduction and prevention of financial crime, with failures in this area accounting for a significant proportion of its total fines in recent years. This means that firms in the payments sector – especially rapidly growing new entrants - need to focus not just on increasing their business but also on maintaining systems and controls commensurate with their size and complexity.
• The FCA may be comforted to know that the recently published Payments Manifesto from the Payments Association includes a commitment to ‘tackling any weaknesses identified in payments that enable criminals to commit fraud or other economic crime and launder the proceeds’. This will include promoting the use of: ‘a) effective compliance tools and techniques using the latest technology; and b) artificial intelligence to onboard customers safely, identify and track fraudsters effectively and spot money mules more easily’.

What’s next?

The FCA expects payment account providers to consider their own organisation’s arrangements, systems and controls against its findings.

The Home Office is due to publish a money mules action plan in the coming weeks. According to the FCA, its work is aligned to the focus of the forthcoming action plan.

Read on for a more detailed look at the FCA’s key review findings.

Background to the review

In its review findings, the FCA points out that fraud currently accounts for 40% of all crime, and that the role of money mule networks in enabling fraud is growing with firms reporting more than 39,000 accounts linked to mule activity to the National Fraud Database in 2022.

The national Economic Crime Plan 2 (2023–2026) and Fraud Strategy make it clear that money mules are integral to moving proceeds of fraud and other crime, and there should be a focus on disrupting mule activity and protecting the public. The FCA emphasises that the ease with which fraudsters cash out criminal proceeds through mule accounts continues to be a problem. It refers to its 3-year strategy (2022-2025), in which it sets out that it is taking a range of actions to reduce and prevent financial crime. This includes targeting additional efforts on fraud where it can have the greatest impact.

The FCA explains that financial services firms, particularly payment account providers like banks and e-money institutions, have a role to play in disrupting money mule activities. They should therefore have a proportionate and risk-based approach to help make sure that their platforms are not being exploited and their customers are not being put at risk by criminals.

What was the scope of the review?

The review encompassed both new and established payment service providers and e-money institutions. It focused on the systems and controls for detecting and preventing money mule activity, including firms’ controls during onboarding, monitoring, and reporting.

What are firms doing well, and what could be improved?

The FCA found that, while some firms are working to address the challenges of money mules by implementing a range of measures and technologies to detect and deter fraudsters, some firms need to do more to tackle the problem.

Systems and controls

• Good practice includes:
  • Use of technology to properly calibrate systems according to risk, with some innovative solutions including the use of facial recognition systems, device profiling and geolocation;
  • Investing in machine learning systems to help reduce the inherent risks of static rules-based systems, but the FCA is not proposing a prescriptive approach and states that firms should consider the most appropriate way to address the risk proportionate to the size and complexity of their business. See also under ‘Transaction monitoring’ areas for improvement below for more on machine learning models;
  • Use of the National Fraud Database as part of onboarding checks, allowing firms to access valuable insights and data to detect and prevent mule activity, as well as helping to identify higher risk customers;
  • Use of reporting systems to analyse the flow of funds between firms to help identify and disrupt mule activity, including using these systems to notify and alert other firms being used by fraudsters.
• Areas for improvement include:
  • Onboarding: Firms should have robust controls and take proactive steps during the customer onboarding process to detect potential red flags and identify potential money mules, rather than relying on subsequent monitoring of customers’ behaviour. Firms should consider incorporating device profiling, geo-location and behavioural biometrics into onboarding controls (and transaction monitoring). More rigorous due diligence checks are needed in certain circumstances, eg where customers are using virtual addresses, or where customers are using one device to access multiple accounts.
  • Transaction monitoring: Some firms need to do more to monitor inbound as well as outbound transactions because unusual transaction patterns such as rapid turnover and account behaviour changes, which are common characteristics of mule behaviour, cannot be detected using outbound transaction monitoring. Firms should avoid over-reliance on imperfectly understood machine learning models. Such models used with a combination of tactical rules and behavioural biometrics can contribute to a robust and more proactive fraud detection system if firms fully understand and apply these tools appropriately. Where firms have transaction monitoring alerts, they should continuously test them to ensure they are working correctly. A clear audit trail is also necessary when handling alerts, helping the feedback loop into the machine learning models. Changes to transaction monitoring rules where a mule characteristic or emerging risk is identified should be carried out quickly.
  • Reporting: Mule activity should be reported quickly and efficiently through relevant reporting systems, i.e. the National Fraud Database, to maximise the ability to disrupt and close mule networks. Likewise, receiving firms must act promptly on requests from other firms informing them of suspicious and fraudulent funds. Raising Suspicious Activity Reports (SARs) is also extremely important in tackling the mule network.
  • Resourcing: The FCA found that some firms would benefit from having dedicated resource allocated to actively investigating mules.

Use of intelligence, industry engagement and data sharing

• Most firms have been increasingly using lawful data sharing – including with law enforcement - to combat the issue of money mules. Most firms also engage with various external bodies including CIFAS, UK Finance, NECC and Fintech FinCrime Exchange to discuss intelligence and emerging threats.
• In terms of areas to improve, the FCA found a lack of data sharing between some firms that are not part of similar UK reporting or data sharing initiatives.

Training

• Some firms have dedicated (and updated) staff training programmes on financial crime and specifically fraud.
• However, the FCA expresses concerns in relation to the effectiveness of fraud alert investigations within some firms. It recommends that firms can enhance the effectiveness of their alert investigations by ensuring that staff members have a clear understanding of their roles and responsibilities in combating fraud.

Governance, management information (MI) and risk assessment

• Firms that have more reported mule accounts than their peers also lack senior management oversight and MI reporting to ensure that steps are taken to address the risk and assess the impact of interventions. The FCA emphasises that a proactive strategy for tackling money mules helps protect a firm’s regulatory compliance, reputation and customers.

Communication and awareness

• Firms should be looking to improve their communication strategies and awareness initiatives to keep customers informed about the latest threats. This is particularly pertinent in the current cost of living crisis, where some customers might be persuaded or pressurised into providing their account details for money mule activities.

Next steps

The FCA expects payment account providers to consider their own organisation’s arrangements, systems and controls against its findings to ensure they are proportionate and adequate to mitigate the risk of money mules. It states that it is ‘vital’ that firms have a proactive approach to identifying and swiftly remedying any weaknesses identified in their anti-fraud systems and controls.

The FCA makes it clear that it will use its full regulatory tools, including appropriate enforcement, if it identifies a firm failing to maintain proportionate and adequate controls and as a result allowing its services and customers to be exploited by fraudsters.

As referred to in both the Economic Crime Plan and the Fraud Strategy, the Home Office is due to publish a money mules action plan in the coming weeks. According to the FCA, its work is aligned to the focus of this action plan to help inform how financial services firms play their part.