Money laundering vulnerabilities at PSPs
By Noortje Boere and Erik Reissenweber (AMLC specialists)
Money laundering is concealing the criminal origin of funds, or giving them an apparently legitimate origin, so that they can be spent and invested in the legitimate economy. The payment services provided by payment institutions, also known as Payment Service Providers (PSPs), can be used for this purpose. Money launderers want their behaviour to go unnoticed and their identity to remain unknown. PSPs process large volumes of transactions, so money launderers may not stand out from the crowd. In particular, the mixing of payment flows and the fragmentation of the payment landscape create money laundering risks.
The Anti Money Laundering Center ('AMLC') conducted a survey in the first quarter of 2022 on perceived money laundering vulnerabilities in relation to PSPs and shares its findings through this article. The aim is to support the parties involved in their gatekeeper role. Payment institutions pay attention to integrity risks, but there is often a lack of insight into money flows that pass through multiple parties. We have therefore attempted to identify the vulnerabilities that transcend the level of a single PSP.
In doing so, we applied a two-pronged scope. Firstly, we examined the potential for abuse from the perspective of the money launderer: how can the money launderer abuse the nature of PSP services in order to launder money? Secondly, we based the research on gross vulnerabilities at PSPs: vulnerabilities that can occur if there are no or limited functioning mitigating measures. In this way, we expect to provide insights for both investigators and financial institutions. It is further up to the PSPs to put appropriate mitigating measures in place.
We also applied a delineation to the PSPs. Our research focuses on PSPs with a Dutch licence, which therefore fall under the Dutch Prevention of Money Laundering and Terrorist Financing Act ('Wwft'). PSPs licensed in another EU country and active in the Netherlands under an EU passport (see the next paragraph) fall outside the scope of this article, although we do not exclude the possibility that the vulnerabilities described are also relevant to them. Furthermore, the research is limited to collecting PSPs that hold a licence for payment services 3 and 5 (explained in the following paragraphs), as this fits the classic service of a PSP and these are the most common payment services in the Netherlands. Moreover, the AMLC already investigated payment services 7 and 8 in 2017.
Taking this delineation into account, we arrived at the following research question: How can Dutch licensed PSPs be misused for money laundering purposes?
For over a decade, payments have no longer been the exclusive domain of banks. With the introduction of the European Payment Services Directive ('PSD') in 2007, a licensing requirement was created for non-bank PSPs, creating a diverse group of PSPs that are supervised by the Dutch Central Bank ('DNB') in the Netherlands. The purpose of the PSD and its sequel, the PSD2, introduced in 2015, was and is to create a safe, uniform, innovative and transparent payment market within Europe.
The provision of payment services in the EU requires a licence issued by the regulator in the EU country of establishment of the PSP. Licensed PSPs can also offer payment services in all other EU countries with a so-called EU passport. Supervision of the PSP remains with the local regulator, which sends a notification to regulators in the countries where the PSP also offers payment services.
Payment services 3 and 5
The explanations of the payment services for which PSPs can apply for a licence are extensively listed on the DNB website. It is beyond the scope of this article to deal with these payment services in detail; in brief, they are:
3. Services through which payment transactions, including money transfers, are carried out on a payment account with the user's payment service provider or with another payment service provider.
5. Services by which payment instruments are issued or accepted.
The customers of such PSPs are (web) retailers, further referred to as 'merchants'. PSPs offer these merchants the possibility of accepting payments through various payment methods, such as credit cards and iDEAL. The added value of a PSP lies in the fact that it often offers technical connections to many (international) payment methods in one place. The PSP collects the incoming payments destined for its contracted merchants on bank accounts of the third-party funds foundation (Stichting derdengelden) affiliated to the PSP and pays out from these accounts in batches to its merchants. In some cases a merchant in turn lets other merchants connect through its own contract and infrastructure. We refer to these as sub-merchants (for further explanation see heading 2d).
A normal and expected transaction pattern on a trust account at PSPs is basically as follows:
- Incoming money flows:
- Large amounts from the affiliated payment methods that transfer payments from consumers bundled together to the PSP's third-party funds account.
- Outgoing money flows:
- Payments to affiliated (known and verified) bank accounts of merchants;
- Possibly refunds to the accounts from which payments came.
- Transfers to accounts of the PSP itself; the deductions are part of the PSP's business model.
Legislation applicable to PSPs
PSPs fall under the Financial Supervision Act ('Wft') and are therefore required to have sound and controlled business operations. As indicated earlier, they must also comply with the Wwft. This entails, among other things, the obligation to conduct risk-based investigations into the identity of merchants, to monitor transactions and to report unusual transactions to the Financial Intelligence Unit ('FIU').
Possible money laundering vulnerabilities at PSPs
Money launderers typically exploit a combination of vulnerabilities in the financial system. As an example, we describe two fictitious scenarios.
- A drug trafficker sets up a fake webshop offering digital goods such as software downloads. He buys Paysafecards with illegally obtained cash or has money mules buy them. With these Paysafecards he buys credit on an online gambling website and has it paid out, explaining his wealth as gambling winnings. Alternatively, he pretends to sell software through his own webshop and uses the PSP's records to show that the money came from webshop sales. Then, as a successful webshop owner, he invests the profit in real estate in the legitimate economy.
- A corrupt grain trader sets up several clothing webshops in Europe in the name of a shell company in the Netherlands. He contracts several PSPs to handle the payments and routes payments from many different IP addresses, spread across his accounts with the different PSPs, to the shell company in the Netherlands. The turnover at each individual PSP seems in line with what is usual in the sector, but in total he can book turnover many times higher than usual.
Not every vulnerability that we discuss further in this article is in itself a significant risk. As the two scenarios show, vulnerabilities become a problem in practice if they occur in conjunction with each other.
Our research revealed the following money laundering vulnerabilities (in order of relevance as we assessed them). These are related to the specific circumstances of PSPs and the services they offer.
1. Mixing of financial flows
a. Large volumes
PSPs facilitate a large volume of transactions. And this only seems to be increasing. On 15 March 2022, the Payment Association of the Netherlands revealed that Dutch consumers spent more than 30 billion euros online in 2021, which means an increase of 16 percent compared to 2020. This large volume brings with it a vulnerability to undetected mixing of legal and illegal money flows. In addition, payments for online shops run 24 hours a day. Unusual patterns in payment behaviour are therefore more difficult to identify than for physical shops, such as payments outside opening hours.
b. Incoming payments from consumers
Payment method providers such as wallet providers (e.g. Paypal) and credit card companies (e.g. Visa and Mastercard) usually collect incoming payments from consumers for the merchants affiliated with PSPs and transfer these in batches to the account of the third-party funds foundation belonging to the PSP.
This makes insight into the origin (and destination, see below) of the funds difficult, as the batches consist of many individual transactions. On the basis of the message traffic about the payments, the PSP determines which amount it allocates to which merchant, but the bank that tries to mitigate the integrity risks of the trust account has no insight into this. It only sees a large batch payment from the payment method to the account of the Stichting derdengelden, and has no insight into the nature of the parties behind the transactions or the purpose behind them. Investigative bodies such as the police and the FIOD cannot simply obtain the details from the bank in an investigation, because the large batch payments do not contain the detailed information that is often needed.
c. Funds parked in the third-party account
Incoming payments from consumers into a trust account are legally the property of the merchants for whom the payments are intended. PSPs are legally obliged to safeguard third-party funds, for which the foundation is the only method used in the Netherlands. Third party funds have to be separated from the PSP's own funds (separated capital), especially because in case of bankruptcy of the PSP the third party funds fall outside the bankruptcy and can still be paid out to the merchants.
Without the administration of the PSP, it cannot be determined to whom the balance on the trust account belongs. The third-party account thus offers merchants the opportunity to (temporarily) park assets without it being clear to banks or the Tax Authorities to whom these assets belong. The PSP must be able to give the merchant the information he needs to decide about his payouts, and a great responsibility rests on the PSP not to allow any unusual behaviour here.
d. Payments to merchants
A similar phenomenon occurs when PSPs pay out money to their merchants. PSPs save up incoming payments for merchants in order to deliver them to the bank in the form of a larger payment order. Because here, too, transactions are not broken down to individual levels, the bank or an investigative agency cannot detect the origin, let alone any unusual occurrences. The PSP can, of course, do this itself. The PSP therefore bears a great deal of responsibility for solid risk-mitigating measures.
e. Execution of payment orders on behalf of merchants
As indicated, PSPs submit payment orders to the bank where the third-party funds foundation holds the account for the PSP. Preferably this is a largely automated process with built-in controls. In some cases the merchant himself can specify, for example in an online customer environment, to which bank account his balance held by the PSP should be paid out. The responsibility for checking this bank account lies with the PSP: the bank where the foundation holds the account cannot judge whether a payment to bank account X is logical or related to illegal practices. Therefore, if a merchant wants a payout to a different bank account, the PSP will have to carry out the appropriate checks on the change of bank account.
In this respect it should be noted that PSPs may be tempted to process payment orders from merchants. There can be a legitimate need for this: the merchant realises that he has a legitimate balance on the account of the trust and it can save bank costs and time if the PSP pays suppliers of the merchant directly, instead of the balance first being transferred to the merchant's bank account, after which the merchant still has to pay suppliers. However, this would not be entirely in line with the intention of the PSP licensed for Payment Services 3 and 5; to collect incoming payments and pass them on to the merchant. If the merchant submits payment orders to the PSP, the PSP's service is more like providing a payment account to the merchant. Whether an additional licence for payment service 1 ("Services enabling cash to be placed on a payment account maintained by the payment service provider, and all the operations required for operating a payment account") fully covers the execution of payment orders is a legal question to which we have not found an easy answer in the context of this article. In our opinion, if the PSP lends itself to this, it brings with it additional integrity risks. It is known that some PSPs do wish to provide this service to merchants affiliated to them and specifically apply for a banking licence from DNB for this purpose.
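The expected pattern on the trust account set out above (batch inflows from contracted payment methods, payouts only to verified merchant accounts, fee transfers to the PSP itself), together with the bank-account-change check from this section and the point from section 6 below that payouts should not happen before KYC is complete, can be expressed as a screening rule applied to every transfer on the trust account. The following Python is an added example written for this edit; it is not code from the AMLC, the authors or any PSP. The fee reference label "fees", the 7-day hold after a change of payout account, the settlement-account labels and all merchants, IBANs and transfers are constructed assumptions.

```python
"""Payout screening on a PSP trust (third-party funds) account.

Added example, not code from the AMLC article or from any PSP. It turns the
'normal and expected transaction pattern' from the article into an allowlist
check and adds two controls: hold a payout when the payout account was changed
recently (section 1e) and never pay out while merchant KYC is incomplete
(section 6). The "fees" label, the 7-day cooldown and all data are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta


def iban_checksum_ok(iban: str) -> bool:
    """ISO 13616 mod-97 check: move the first four characters to the end,
    replace letters by two digits (A=10 ... Z=35) and require remainder 1."""
    s = iban.replace(" ", "").upper()
    if not (15 <= len(s) <= 34 and s.isalnum() and s[:2].isalpha() and s[2:4].isdigit()):
        return False
    rearranged = s[4:] + s[:4]
    return int("".join(str(int(c, 36)) for c in rearranged)) % 97 == 1


@dataclass(frozen=True)
class Merchant:
    merchant_id: str
    kyc_complete: bool          # identification and verification finished (art. 3 Wwft)
    payout_iban: str            # the one bank account verified by the PSP
    iban_verified_on: date      # when the current payout account was verified


@dataclass(frozen=True)
class Transfer:
    direction: str              # "in" (to the trust account) or "out" (from it)
    counterparty: str           # IBAN, or settlement-account label of a payment method
    amount: float
    reference: str              # merchant id for payouts, "fees" for the PSP's own sweep


def screen_transfer(t: Transfer, merchants: dict[str, Merchant], psp_own_iban: str,
                    scheme_accounts: frozenset[str], as_of: date,
                    cooldown_days: int = 7) -> list[str]:
    """Return the alerts for one transfer; an empty list means 'expected pattern'."""
    alerts: list[str] = []
    if t.direction == "in":
        # Expected inflow: a batch settlement from a contracted payment method.
        if t.counterparty not in scheme_accounts:
            alerts.append(f"inflow from {t.counterparty!r}, not a contracted payment method")
        return alerts
    if t.counterparty == psp_own_iban and t.reference == "fees":
        return alerts           # fee sweep to the PSP itself: part of the business model
    m = merchants.get(t.reference)
    if m is None:
        alerts.append(f"payout for unknown merchant reference {t.reference!r}")
        return alerts
    if not m.kyc_complete:
        alerts.append(f"{m.merchant_id}: KYC not completed, payout must be held")
    if not iban_checksum_ok(t.counterparty):
        alerts.append(f"{m.merchant_id}: destination {t.counterparty} fails the IBAN checksum")
    if t.counterparty != m.payout_iban:
        alerts.append(f"{m.merchant_id}: destination is not the verified payout account")
    elif (as_of - m.iban_verified_on) < timedelta(days=cooldown_days):
        days = (as_of - m.iban_verified_on).days
        alerts.append(f"{m.merchant_id}: payout account changed {days} day(s) ago, hold for review")
    return alerts


def screen_batch(transfers: list[Transfer], merchants: dict[str, Merchant], psp_own_iban: str,
                 scheme_accounts: frozenset[str], as_of: date) -> dict[int, list[str]]:
    """Map the index of every transfer that raised alerts to its alerts."""
    out: dict[int, list[str]] = {}
    for i, t in enumerate(transfers):
        alerts = screen_transfer(t, merchants, psp_own_iban, scheme_accounts, as_of)
        if alerts:
            out[i] = alerts
    return out


# Constructed sample data. The IBANs are the published ISO 13616 examples (NL91..., GB82...,
# DE89...) plus one computed for this example (NL20...); none belongs to a real party.
PSP_OWN_IBAN = "NL20INGB0001234567"
SCHEME_ACCOUNTS = frozenset({"IDEAL-SETTLEMENT", "CARD-ACQUIRER-SETTLEMENT"})
MERCHANTS = {
    "M001": Merchant("M001", True, "NL91ABNA0417164300", date(2022, 1, 10)),
    "M002": Merchant("M002", False, "GB82WEST12345698765432", date(2022, 3, 1)),   # KYC pending
    "M003": Merchant("M003", True, "DE89370400440532013000", date(2022, 3, 14)),   # account just changed
}
AS_OF = date(2022, 3, 15)
TRANSFERS = [
    Transfer("in", "IDEAL-SETTLEMENT", 125000.00, "ideal batch 2022-03-14"),
    Transfer("in", "UNKNOWN-PARTY", 5000.00, "incoming"),
    Transfer("out", "NL91ABNA0417164300", 40000.00, "M001"),
    Transfer("out", "NL91ABNA0417164301", 40000.00, "M001"),   # one digit off the verified IBAN
    Transfer("out", "GB82WEST12345698765432", 12000.00, "M002"),
    Transfer("out", "DE89370400440532013000", 8000.00, "M003"),
    Transfer("out", PSP_OWN_IBAN, 1500.00, "fees"),
    Transfer("out", PSP_OWN_IBAN, 9000.00, "M999"),
]


def run_example() -> dict[int, list[str]]:
    return screen_batch(TRANSFERS, MERCHANTS, PSP_OWN_IBAN, SCHEME_ACCOUNTS, AS_OF)


if __name__ == "__main__":
    for idx, alerts in run_example().items():
        for a in alerts:
            print(f"transfer {idx}: {a}")
```

Running the file prints the alerts for the constructed transfers: the payout to the near-miss IBAN raises two alerts (checksum failure and mismatch with the verified account), the pending-KYC merchant and the merchant who changed his account yesterday are held, the inflow from an unknown party and the payout to an unknown merchant reference are flagged, and the fee sweep passes. The IBAN checksum only catches typos and crude fabrications and says nothing about who owns the account; the comparison against the payout account the PSP itself verified is the actual control.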
2. Fragmentation of payment chain
By payment chain we mean the entire flow of funds from payer to recipient. This flow may pass over accounts of different parties before it reaches its destination.
a. Limited visibility on delivery
PSPs usually have no role in and limited insight into the delivery of products to consumers by the merchant. The merchant can therefore receive payments, but not deliver products, without the PSP having direct insight into this. This vulnerability also occurs with simpler forms of fraud, but then the PSP will receive complaints from consumers after not too long. If the merchant carries out a more complex construction in which the payers and merchant in fact work together, merchants can also use this vulnerability to launder illegally obtained money, by faking turnover. In such a set-up, the PSP may receive remarkably few or no complaints about non-delivery.
b. Limited insight into the origin and destination of payments
PSPs have limited insight into the origin of payments. PSPs enter into a contractual relationship with their customer (read: the merchant) and should therefore know this merchant well. The PSP processes payments from the merchant's customers, but has no client or contractual relationship with those customers. The PSP is therefore partly hampered in establishing the (unusual nature of the) origin or destination of transactions; it has no insight into the nature of the parties making the payments or the purpose behind them. In principle, the ultimate beneficiaries of payments can also be concealed. As a result, the unusual transactions reported by PSPs often have a limited audit trail. Large PSPs, unlike smaller PSPs, have large amounts of data at their disposal and may be able to perform analyses that say something about the (un)usual nature of transactions, but this will not always be easy to determine. To a certain extent, PSPs can lean on the Wwft obligations of the banks where paying (legal) persons hold their payment accounts: those banks should already have investigated the account holders and the origin of the funds in those accounts. However, relying on the performance of Wwft obligations by other financial institutions is generally not allowed, because a compliance weakness at one institution would then automatically spread to a broader group of financial institutions. Only if each of these banks has its compliance in order does this mitigate the risk at the PSP to a certain extent.
c. Limited insight into the entire turnover
Merchants can conclude a contract with several PSPs for receiving payments. They can do this for legitimate reasons. It enables merchants to switch to the most attractive PSP at any time and for any desired payment, choosing the PSP that is most attractive in terms of:
● Incoming and outgoing payments;
● Payments in different countries; and
● Different payment methods.
This approach is usually referred to as 'load balancing'. The consequence of load balancing is that a PSP has a fragmented picture of its merchant's payment behaviour and turnover. Particularly if the PSP is only used for outgoing payments, mitigating the integrity risk becomes hardly feasible. In such cases the PSP is hindered in making a good risk assessment of the merchant and his transactions; no PSP can then oversee the entire payment traffic of a merchant and, when monitoring merchant behaviour, relying on comparisons with peers in the sector can lead to unreliable results.
d. Limited insight into sub-merchants
The PSP handles payments for its affiliated merchants. It may not be able to see which merchants are actually using its payment services if a merchant, on its own contract and infrastructure, allows other merchants (so-called 'sub-merchants') to use the PSP's payment services.
This vulnerability can manifest itself in various ways. An (illegal) PSP can pose as a regular merchant. A crowdfunding platform can process payments from funders for a crowdfunding initiative (the applicants) through a PSP and connect the parties receiving those funds as sub-merchants itself. Usually the PSP will notice that a merchant connects sub-merchants. A possible vulnerability is that money for sub-merchants flows, without a licence, over the account of a merchant: think of a web builder (the PSP's merchant) who has the PSP pay into his own account payments meant for the customers for whom he built the platform, while this money should actually be transferred directly to those customers. The question is whether this practice can be completely ruled out, and it offers money launderers opportunities to stay out of sight of the PSP. PSPs that recognise this vulnerability reduce the risk by properly detecting sub-merchants, carrying out the onboarding of sub-merchants themselves and routing the money flows entirely through their own accounts.
3. Anonymous payment methods
Many forms of crime generate (large amounts of) cash that the criminal wants to launder. Cash offers anonymity. Some PSPs pay little attention to the risks of handling cash because they expect never to come into contact with it. However, many PSPs do offer payment methods that are just one step away from cash, such as Paysafecard, certain gift cards and some prepaid cards. These cards are purchased with cash (or by bank transfer) and are processed by a PSP. These payment services fall under licences 3 and 5.
In addition to payment methods that convert cash into digital value, there are payment methods that are inherently anonymous, such as Paysafecard, certain crypto payment cards and certain cryptocurrencies. Value from these payment methods can, with or without a short detour, end up in the transactions that a PSP processes. Wallets can also obscure the origin of funds: a consumer buys products or services and pays with a wallet balance, but it is unclear how this wallet was funded.
4. International transactions
One of the purposes of the PSD is to create a level playing field for European payments. The introduction of the PSD2 has further promoted international payments. Money laundering usually has a strong international character. Involving multiple jurisdictions in money laundering constructions can impede detection. PSPs regularly facilitate international payments, such as:
- A paying customer from abroad for a merchant that is affiliated with a PSP in the Netherlands. The identity of the paying customer is unknown; or
- A merchant from a PSP based abroad.
It is expected that there are licensed PSPs in the Netherlands that process many international transactions and often do so in different currencies.
Under the Wwft, the Dutch PSP is obliged to report unusual transactions to the FIU. Due to the international nature of some of the transactions, this will regularly involve foreign merchants. A PSP who is licensed in the Netherlands, however, reports to FIU-the Netherlands. There is then information about a German subject, for example. Through the Egmont Group, it is possible for the Dutch FIU to share this information with the German FIU, but compared with a domestic transaction, a few extra steps are needed to unravel a money laundering construction.
5. Start-ups vulnerable to abuse
PSPs often start as start-ups and quickly scale up to become scale-ups. Start-ups that double their turnover in a short time are seen as an increased risk by a number of the experts we spoke to. Several reasons are given for this.
Often, the compliance measures of such a start-up do not grow at the same pace: KYC and transaction monitoring have not yet received the attention they require. Moreover, the start-up often does not yet have the knowledge, the data for comparison with peers, or the experience to detect and report unusual behaviour. Incidentally, comparing with peers is sometimes a challenge for larger PSPs too: there are usually few auction houses among a PSP's customers, for example, so it is not easy to determine whether the observed merchant behaviour is normal. There is also a perverse incentive in the competitive position of the scale-up: competition between PSPs is fierce, so a starting PSP may be inclined to accept greater risks. Big risks often come with higher profit margins, so offering payment services to high-risk customers in high-risk sectors to earn good money in the initial phase is tempting. And because the start-up is not yet a major player in the market, it has no strong negotiating position and cannot make equally high demands when verifying the customer's identity and business activities. Inadequate documentation from the merchant is by no means always a reason for a start-up to decline the customer relationship.
The money launderer can make use of the vulnerabilities of such a start-up. On the other hand, it does not seem very likely that a launderer will be able to launder large volumes in a start-up without being noticed.
6. Remote identification and speed onboarding merchants
According to art. 3 Wwft the PSP must identify its merchant and verify his identity. The KYC process of many PSPs involves a number of risks that we list below.
- A PSP has relatively little face-to-face contact with merchants. PSPs focus their processes on the fast and frictionless connection of new merchants. On the other hand, a digital onboarding can collect (a lot of) smart data points such as location, time and comparison data;
- It happens that a PSP already receives payments on behalf of a recently connected merchant while the KYC process has not yet been completed. Competition between PSPs on the speed with which a merchant can go 'live' (read: accept payments), and pressure from merchants who want their webshop live quickly, is in many cases the reason for this. The merchant's frictionless connection is at odds with a thorough identification and verification process, particularly in high-risk cases and if, between receipt of the first payments and the payout to the merchant, the merchant does not provide the documentation required for identification and verification;
- PSPs that exclusively process digital payments usually rely (in part) on the KYC performed at banks where the merchant and paying consumer have bank accounts. As mentioned, legally speaking, each financial institution in the chain has its own responsibility;
- Merchants are often webshop owners. In many cases they need little physical substance to operate. This can make it extra difficult for the PSP to assess the legitimacy of a merchant, which means these merchants must be investigated through a more stringent customer due diligence process, for which time and resources are not always available;
- For various reasons, including privacy, PSPs do not exchange information at customer level. If a merchant is closed off at one PSP because of unacceptable integrity risks, then the merchant can try again at another PSP. In many cases the malicious merchant then knows which information must be withheld to be accepted as a customer.
In this article, on the basis of a literature study and interviews with experts, we described which vulnerabilities can occur at licensed Dutch PSPs that offer payment services 3 and 5. These vulnerabilities are related to the nature of the services that PSPs offer. The money laundering vulnerabilities and scenarios that we have described have emerged from theoretical insights in the literature or ideas from experts. It is possible that, on the basis of the vulnerabilities described and the increasing attention paid to them, potentially risky transactions and circumstances can be detected and recognised better and earlier, and that the reporting of unusual transactions to the FIU will be tightened up. With these stricter reports, we can once again take a more focused approach to combating money launderers. To counteract the risks arising from the fragmentation of the payments market, market parties throughout the payment chain, including private and public parties, will have to cooperate effectively.
We have used several research methods. First, we conducted a literature study. We searched various scientific databases using search terms such as "payment service provider", "PSP", "fintech" and "money laundering". During the research it became clear to us that little fundamental (scientific) research has been conducted into the money laundering possibilities of PSPs. We then held eight interviews with experts from both the public and private sectors, namely the FIU, Europol, the Police, VBIN, Big Four firms and PSPs. Thirdly, we consulted criminal investigations for possible modus operandi and vulnerabilities. Finally, we had the article proofread by a group of experts (including the aforementioned discussion partners).