Money mules find UK fintechs’ weak spots, pivot to debit cards

Criminals continue to exploit UK fintechs’ weak anti-money laundering (AML) systems and controls to move the proceeds of fraud.

They are employing money mules to target newer digital banks, payment firms and banking-as-a-service (BaaS) providers — meaning fintechs receive a disproportionate amount of funds transferred by mule accounts, according to a new paper from the Royal United Services Institute’s (RUSI) Centre for Finance and Security (CFS).

“From a risk perspective, [fintechs and payment firms] are introducing the most financial crime risk into the system. In an ideal world, the [UK Financial Conduct Authority (FCA)] would be taking more significant and timely action,” said Kathryn Westmore, a senior research fellow at CFS in London and one of the paperʼs authors.

Faster payments

The paper, based on payments data provided by Lloyds Banking Group, found 57% of funds in money mule accounts exit via faster payments. The Lloyds data showed 38% of those faster payments transactions went to three banks/payments firms. One of those firms received 20% of those payments, as well as the highest number of payments from money mule accounts.

Fraudsters will have tested the controls at as many financial institutions as possible and many payments will have failed, said Iain Armstrong, regulatory affairs practice lead at ComplyAdvantage in London. “What we’re seeing in this data is the result of fraudsters having repeatedly succeeded in sending funds to these firms. In the mind of the criminal this strengthens the idea that they should really focus on these firms, because every time [they] try it, it works,” he said.

Some 10% of the payments in the Lloyds data set went to three BaaS providers. The report’s findings are bolstered by the Payment Systems Regulator’s (PSR) authorised push payment (APP) fraud performance data.

According to Fraser Mitchell, chief product officer at SmartSearch: “There is a balance between stifling competition and allowing BaaS and digital banks to enter the market. However, unless these challengers are put under the same rigour and scrutiny as the more established institutions — which, granted, are not perfect themselves — the problem will only get worse.

“Criminals are well versed in identifying financial institutions with weak controls and can act at high speed to transact millions of pounds if they manage to find a loophole before it is closed,” he added.

Pivot to debit cards

Nearly 20% of mule transactions in the data set involved debit cards, the RUSI paper observed. This pivot away from faster payments is probably a response to banks and payments firms’ having strengthened their controls on inbound payments. Firms have improved controls now they are subject to reimbursement requirements for funds lost to APP fraud. This trend is likely to continue, the paper said.

The data showed 12,336 debit card transactions from money mule accounts worth £1.33 million over a two-month period. Many payments were made for what looked like general expenses including food, drink and taxis, and one-off purchases to high-value goods retailers. The top recipient of debit cards payments was a global remittance firm enabling crossborder payments. A high number of transactions were made to a crypto exchange (third most popular outlet) and a foreign exchange business (fifth most popular).

Some banks believe most of APP fraud winds up in crypto, but Westmore has not seen evidence to suggest this. Currently there is no need for mules to use crypto because there are plenty of ways to use traditional finance. However, muling could become more prevalent in crypto as more large payment firms offer crypto, and more privacy enhancing tools develop in the crypto asset market, she added.

FCA powers

The FCA has the power to impose limitations or requirements on firms at authorisation “to reduce the potential for harm”.  It has observed in its Dear CEO letters and recent enforcement actions that newer and smaller firms are not scaling up their fincrime compliance as they grow.

The FCA has used its regulation 74c power of direction of the Money Laundering Regulations — which is specifically targeted at cryptos — 45 times since 2020 to put limits on newly authorised crypto asset firms.

The FCA did not respond to a request for comment on whether it planned to use limitations and requirements more frequently to mitigate weak financial crime controls at new fintechs, BaaS providers and payment firms.