By Lin Danwan, CFE
E-payment through third-party channels or platforms — like Venmo, Cash App, Alipay or WeChat Pay — is widely used in our daily life, especially as COVID-19 spread and stay-at-home restrictions fueled precipitous growth of third-party payments. To clarify, I’m not referring to mobile banking apps or payment apps operated by the banks. Let’s focus on apps that function independently yet connect consumers, merchants and banks to mold a payment loop.
Such payment methods bring convenience to individual consumers, making transactions more efficient and flexible. Yet, this model lowers the cost and time to commit crimes and also intensifies fund-flow channels. The associated money laundering risks should not be overlooked.
To understand these risks, let’s take a look at the third-party payment flow and bring out the iterated anti-money laundering (AML) measures as well as the major difficulties to implement them.
Third-party payment flow
Payment processes usually involve five functions:
- Platform telecommunication service
- Customer interface
- Transaction processing
- Account provision
- Settlement
As an example, let’s take a closer look at a third-party payment transaction process. The chart below illustrates the general funds flow of a payment model:
As indicated, an independent third party is involved in the payment loop. It nearly assumes the function of settlement, particularly when the third-party processor establishes a deposit relationship with a financial institution to process payments for its users. Third parties’ deposit account becomes a de facto internal account that financial institutions cannot clearly dissect.
Think about it this way. The whole payment process is divided into separate areas:
- Payment instructions are retained by third parties.
- Financial institutions do not “see” the details of the transactions, only deposits to and withdrawals from the third-party payment service.
- Financial institutions have no knowledge of the individuals or the sellers.
Characteristics and risks
Generally, we may find these common difficulties when attempting to manage AML risks associated with third-party payment vendors:
ANONYMITY
- Customer identity is obfuscated. A perpetrator may be allowed to access these types of payment services, without disclosing their identity to the third party. Or they use a false name to circumvent the KYC screening. It’s even possible that multiple accounts may be controlled by one perpetrator through one third-party platform. In this logic, suspicious names cannot be effectively detected.
- It makes cashing out easier. Transaction parties’ identities are not always known when the transactions initially take place, and those bank account names are not unveiled until settlement is fully completed, which provides a convenient time gap for perpetrators to take advantage of.
- Fund source and beneficiary are disguised. Given that the payment loop is segregated, and that relevant data is separately preserved by different interested parties, perpetrators can take advantage of this segregation model so as to disguise the origin and destination of the funds.
- Transaction due diligence and authenticity is more difficult. Transaction counterparties are rarely accurately recorded, so AML officers encounter more challenges when profiling customers and depicting transaction patterns.
RAPIDITY
Traditional fund transfer is required to go through specific sets of operative steps, which to a certain extent, lowers the fund movement. Third-party payments economize those operations, which means funds are instantly debited and credited, shortening the cycle to perform one criminal transaction. On the other hand, quick fund movement leaves little time to effectively intercept suspicious transactions.
EVASIVENESS
Perpetrators tend to intensively repeat fund transferals, complicating the fund flows, and consequently break the fund trails. Such smurfing also frustrates the transaction monitoring system, hiding suspicious activities beneath massive scale of data.
INEFFECTIVE OVERSIGHT
Over the past few years, money laundering through third-party payment vendors has become more synergic, specialized and standardized, involving different action groups and multiple jurisdictions. Also note that that payment models vary from business to business and from jurisdiction to jurisdiction. Risk control measures also produce varying degrees of effectiveness. In one jurisdiction, reconciling between the regulatory standard, regulated parties’ control effectiveness and customers’ operational convenience is far from easy.
Recommended actions and difficulties
Regulators are encouraging market participants to take innovative approaches for financial inclusion. To establish a proportionate but not burdensome regulation is crucial. Regulatory guidance and practitioners’ controls can also evolve to better accommodate between the development opportunities and risks. The most imminent and necessary actions rest primarily through the below aspects:
- Identification of customers and customer profiling, including but not limited to KYC tailored to third-party payment processors.
- Licensing and responsibilities of third-party payment processors.
- Operating guidelines, transaction amount limits and internal controls.
- Enhanced record-keeping by third-party payment vendors.
- More robust transaction monitoring and suspicious transaction reporting.
These AML procedures should be scrupulously carried out throughout the entire transaction process. Currently, when it comes to mitigating money laundering risks, we usually find ambiguity in the terms of service by third-party payment processors, or AML and KYC are not mentioned at all. That is because the delineation of responsibilities varies among payment systems and jurisdictions.
However, in the payment loop, the party who manages the account records should undertake AML responsibilities, especially as the information of funds movement heaps up. If third-party payment vendors adapt this mentality, it could hopefully lead to comprehensive monitoring and analysis.
Lin Danwan, CFE, has experience in AML and fraud risk management. She currently works with the financial crime compliance department of a global bank. Her recent interests are on RegTech application and comparative study on AML governance of emerging countries. Currently based in Hong Kong, she is fluent in English, Mandarin, Cantonese and French.