Alternative : Illegal Online Sales Drive Transaction Laundering

Prepared by: G2 Web Services January 2018

Crypto Case Study.indd 1 1/2/2018 2:01:33 PM New Technology Disrupts the Global Just as criminal enterprises transitioned online to take Payments Industry advantage of new technology following the proliferation of card payments, the same is happening again, only this time Much attention has been focused on the payments industry alternative methods have become the means to in recent years with the media covering major data thefts, the an end. Criminal and illegal businesses find it increasingly introduction of EMV, the launch of mobile wallets, increasing difficult to accept payments due to more detailed adoption of virtual , and industry disruption from new examinations from acquirers. In turn, they have naturally entrants. Technological innovation, shifts in buying habits, migrated toward new systems that offer less scrutiny and more and growing interest in alternative payments systems are anonymity. Despite this movement by criminals into alternate heavily impacting the direction in which the industry is moving. payments, credit cards still dominate online commerce, even As global competition increases, organizations continue to for illegal goods. introduce new payment products and services to the financial marketplace. Prominent examples include prepaid cards, real-time transfers, peer-to-peer, and virtual currency. Opportunities and Risks Inherent for According to the 2015 World Payments Report, non-cash Adoption payments have grown faster than GDP across all regions worldwide, and the shift from physical to digital has drastically While it is most important for acquirers and partners to increased payments innovation and growth. A new study by protect against violations and fraud within their portfolios, global market research company Euromonitor International understanding the scope of new payments systems is also key indicates that consumer card payments surpassed cash in gauging future compliance-related concerns and business payments for the first time in 2016, registering $23.1 trillion growth opportunities. Virtual currency is gaining momentum as globally a legitimate means of conducting commerce in some regions, and some financial institutions have begun providing means of alternative payments, or may do so in the future. In these

According to a recent report from Moduslink, US online sales are expected to instances, risk and compliance professionals should consider continue a growth trajectory from US $234 billion in 2007 to US $1.09 trillion by the risks involved, including consumer protection, information 2017, a compound annual growth rate (CAGR) of 16.2%. Driven by a combination security, platform volatility, and convertibility into legal tender. of factors including economic recovery in mature markets, rapid expansion in In its most recently released Semiannual Risk Perspective Asia, and the global shift in new and progressive business models. A report by report, the Office of the Comptroller of the Currency (OCC) The Clearing House estimates that the peer-to-peer payments market alone could warned that virtual are an operational risk due to reach US $17 billion by 2019. their perceived role in facilitating and enabling cybercrime. Virtual currencies, including Bitcoin, give anonymity to cybercriminals and terrorist groups seeking to transfer and Transaction Launderers Transition launder money. The comments came amid an overall focus Commerce to New Systems on credit and strategic risk in the U.S. markets, particularly for small and mid-size . However, the head of the OCC, The rise of e-commerce bred a seemingly endless array of Thomas J Curry, also previously affirmed that blockchain- emerging risks, making it more difficult for acquirers and based have the potential to become their value chain partners to perform proper underwriting “revolutionary” in the banking industry. “The challenges can and merchant monitoring. Scrutiny by card schemes and be combated with strong risk management and anti-money governing bodies have added another layer of complexity laundering (AML) and BSA compliance,” he said. to operations. But, risk and compliance management tools have also evolved, alleviating threats to the global payments One recent study published by researchers at the central bank community by using tools that can pinpoint high-risk factors. of Germany, University College London and the University of Through vendor relationships, merchant acquirers have Wisconsin-Madison, centers on evidence that Bitcoin’s market succeeded in maintaining the upper hand at combatting fraud. has matured to a point where commerce is no longer driven While it’s impossible to terminate the will of criminals, the by illicit activities. But this is very much new terrain in the power of risk and compliance solutions has effectively worked global payments space, and the ultimate success of alternative to deter violating activities and driven illicit transactions to payments, including virtual currency, will depend on the ability alternative payments systems and new entrants. of institutions to recognize and mitigate risk.

g2webservices.com G2 Web Services • Alternative Payments: Plan B Becomes Plan A for Illegal Online Sales

Crypto Case Study.indd 2 1/2/2018 2:01:35 PM Developing Alternative Payments Compliance and Regulation In the US

The introduction of alternative payments to the marketplace has also attracted the attention of regulators globally. Efforts are being made to close regulatory loopholes and to get tough on the unlawful use of these systems. Many regulatory agencies have made advancements in laying out guidelines and restrictions.

Financial Crimes Enforcement Network (FinCEN): Issued a ruling in 2013 that stated to the extent a user creates or “mines” a convertible virtual currency solely for a user’s purposes, the user is not a money transmitter under the BSA. However, US businesses seeking to tokenize commodities for blockchain-based trading that go beyond the activities of a broker/dealer and are acting as a convertible virtual currency administrator fall under the definition of a money transmitter and are thus governed by BSA regulations. In 2014 the agency released new guidance for custodial Bitcoin exchanges and payment processors, ruling that such companies may be considered money services businesses under U.S. law. Further affirming that standard federal banking rules aimed at suspicious dollar transfers also apply to firms that issue or exchange money that isn’t linked to any government and exists only online. Consumer Financial Protection Bureau: Has yet to publish guidelines regarding virtual currency, but industry experts expect the organization to determine that cross-border transactions will fall within the scope of the Remittance Transfer Rule. This determination would mean that entities facilitating digital transfers would be obligated to comply with the Remittance Transfer Rule’s disclosure, reversibility, and error-resolution requirements. Commodity Futures Trading Commission (CFTC): Has been sharpening its focus on alternative payments systems. Although the CFTC has yet to enforce its authority in this space, the potential to label new systems as “commodities” would give the organization the ability to bring enforcement actions against anyone who attempts to manipulate virtual currency. Internal Revenue Service (IRS): May soon require taxpayers to report virtual currency accounts held in foreign exchanges and that foreign virtual currency exchanges may be considered foreign financial institutions that must report accounts to the IRS under the Foreign Account Tax Compliance Act (FATCA).

Securities and Exchange Commission (SEC): Treats securities crimes committed with virtual currency the same as money and has enforcement authority with respect to alternative payments investment programs.

Department of Justice (DOJ): Stated that compliance with existing anti-money laundering laws and regulations is critical to the use of virtual currency.

United States Congress: May have the ability to prohibit alternative payments under its authority to regulate commerce with foreign nations, with its exclusive constitutional power “to coin money” and “regulate the value there of.”

g2webservices.com G2 Web Services • Alternative Payments: Plan B Becomes Plan A for Illegal Online Sales

Crypto Case Study.indd 3 1/2/2018 2:01:35 PM Virtual Currency Warnings from Europol on Virtual Currencies G2 recently discovered a criminal syndicate operating multiple online pharmacies throughout Europe selling anabolic steroids “A migration from traditional payment mechanisms to and other unlawful pharmaceuticals. The criminals used an those offering a greater degree of anonymity, particularly interesting method for processing transactions to bypass the pseudonymous payment systems such as Bitcoin, has use of their merchant accounts. At checkout, when customers been observed.” chose credit card as their preferred payment method, they were redirected to a third-party peer-to-peer Bitcoin exchange and “Bitcoin is establishing itself as a single common currency prompted to convert their order total to Bitcoin (see Figure 1). for cybercriminals within the EU. Bitcoin is no longer Then the customers could return to the offending website to used preferentially within Darknet marketplaces but is complete the transaction using the virtual currency as payment increasingly being adopted for other types of cybercrime (see Figure 2). This process offers the buyer anonymity, as well.” and gives the seller the ability to convert the digital currency “Bitcoin is beginning to feature heavily in many EU law back into cash on the other end. This leaves no record of the enforcement investigations, accounting for over 40% of all transaction, shielding both buyer and seller from detection, and identified criminal-to-criminal payments.” gives the website the capacity to advertise the acceptance of all major card brands for purchasing illegal goods.

Alternative payments hold promise for the banking industry worldwide, and over time the risks involved could fade away with regulations and compliance controls in place. Some experts even claim that virtual currency could make governments more profitable and efficient. Given the current lack of international consensus regarding the classification and treatment of virtual currency, the regulatory approach ultimately adopted by the U.S. is likely to have a significant influence on the continued evolution in years to come.

Plan B Becomes Plan A for Bad Actors Figure 1: Online shopper prompted to convert order total to Bitcoin.

G2 has seen a trend of alternative payments services being utilized as Plan B for illegal online sales. Criminal syndicates and online fraudsters are using a wave of creative strategies to process transactions that bypass transitional merchant accounts and evade detection from acquirers and law enforcement. These scenarios have become a common theme in the global payments industry, and it’s essential for financial institutions and payments processors to be aware of the problem and vigilant in monitoring portfolios. Acquirers can terminate merchant accounts, but ultimately, criminals will find a way to seep between the cracks. Below are some recent examples of transaction launderers rerouting payments and utilizing new systems for financial gain at the expense of acquirers. Risk and compliance professionals need to be aware of these industry trends and emerging threats.

Figure 2: Online shopper instructed to purchase Bitcoin to pay.

g2webservices.com G2 Web Services • Alternative Payments: Plan B Becomes Plan A for Illegal Online Sales

Crypto Case Study.indd 4 1/2/2018 2:01:35 PM Third-Party Payment Processing and Peer-to- Cryptocurrency Liability Peer Transactions Technically, a merchant offering cryptocurrency payment A pair of websites were discovered to be part of an online options poses no direct risk to acquirers. The top half of Figure syndicate selling illegal drugs, and the merchant accounts 5 is the typical acquiring process. If any transaction laundering for the businesses were promptly terminated. But instead of were to happen in this process, the liability would lie with the abandoning operations, the violators posted a message on the acquirer when the transaction is completed. If a customer websites that stated their “credit card processing is down” and were to use bitcoin for their transaction, as dispalyed in the that alternative payments would be accepted. When a customer bottom half of the diagram, the transaction doesn’t authorize or added items to their shopping cart, the violator behind the settle through the card network. This means that the acquirer website would contact the customer directly via email with isn’t involved. However, if bitcoin is accepted at a merchant instructions to complete the transaction using a provided that also has a merchant account with an acquirer, it should PayPal link. This would bypass the need for a traditional be monitored because it may be an indicator of the type of merchant account in favor of third-party processing, which goods or content that will be sold. The acquirer is more directly can make it easier for violators to disguise illegal activity. On involved when the merchant is selling bitcoins via credit cards, a separate occasion, the same website emailed customers and is essentially acting as the exchange. a note that their PayPal account had been suspended, and that payments could now be made by a private peer-to-peer payment system (see Figure 3).

A few days later the violating merchant contacted customers with instructions to make payments via a new PayPal account established using a separate email address from a University domain (see Figure 4). The violators had seemingly bounced between payment processors, utilizing multiple methods for conducting illegal transactions. This is a common scenario as criminals have moved to using alternative payments systems for processing, effectively jumping between providers and systems as necessary.

Figure 4: The violating merchant contacted customers to make payments via a new PayPal account using a seperate email address.

Figure 3: After being shut down on Paypal, the merchant instructs payments to be made by a private peer-to-peer payment system.

Figure 5: Liability depends on where the transaction laundering occurs throughout the acquiring process.

g2webservices.com G2 Web Services • Alternative Payments: Plan B Becomes Plan A for Illegal Online Sales

Crypto Case Study.indd 5 1/2/2018 2:01:36 PM Money Transfers

G2 has also seen an emerging trend of websites encouraging customers to make payment via bank transfers and real-time money transfers (see Figure 6). These options are available in more than 60 different countries worldwide, making it a convenient option for international online sellers. Some of these sites even advertise discounts for customers using Money Transfer Control Number (MTCN), MoneyGram, Western Union Money Transfer, and similar services that allow for the transfer of funds across borders (see Figure 7). Violating websites present these options as “easy, reliable, and secure” with the ability to transfer money online using a credit or .

Figure 6: Customers are encouraged to make payment via bank transfers and real-time money transfers.

g2webservices.com G2 Web Services • Alternative Payments: Plan B Becomes Plan A for Illegal Online Sales

Crypto Case Study.indd 6 1/2/2018 2:01:36 PM G2 Solutions Hold the Key to Safe, Profitable Commerce

You have gone through all of the trouble and expense to board the merchants that fit your portfolio’s risk profile, and now you need to ensure those merchants continue to stay profitable. Ensuring their continued compliance with card network regulations (as well as acquirer terms of service) is not as simple as just monitoring their website. To find what a merchant may be hiding, you need access to a sophisticated group of solutions that give you a complete view of your merchant.

G2 Web Services offers comprehensive solutions, built on 12 years of monitoring expertise, industry knowledge and analyst experience. The foundation for our boarding and monitoring tools is the G2 Merchant Map® consisting of over a decade of data, including tens of millions of merchants, hundreds of millions of webpages and billions of merchant data points. With this proprietary data set, G2 can find connections between Figure 7: This site offers discounts for customers using services that allow merchants and detect changes in your merchant portfolio that for the transfer of funds across borders. other solution providers can’t. Whether you need to search for questionable site content, identify transaction laundering, Cryptocurrency and Violators map the merchant’s service providers, or track potential fraud, the full suite of G2 portfolio protection solutions can help. The G2 Merchant Map tracks how many fraudsters are offering Don’t use your team’s precious resources to attempt these cryptocurrency as an option. In 2014, it was offered on 2 processes alone, let G2 provide you an unparalleled view of percent of the violating sites discovered (see figure 8). In 2015, your merchants and a more efficient way to keep your portfolio it doubled and was offered on 4 percent of violating sites. This profitable. year, we’ve seen nearly a 200 percent increase in the number of sites offering cryptocurrencies as a payment option. In 2017 we expect to see even more of a rise in cryptocurrencies on violating sites and as a transaction laundering method. This is reminiscent of the boom of criminal enterprises that transitioned online to take advantage of e-commerce. This explosive growth indicates that the same trend is occurring with cryoptocurrencies.

Figure 8: The rise of cryptocurrency offered on transaction laundering sites.

g2webservices.com G2 Web Services • Alternative Payments: Plan B Becomes Plan A for Illegal Online Sales

Crypto Case Study.indd 7 1/2/2018 2:01:36 PM The Future of Payments is Unknown Sources:

Not all alternative payments systems will be sustainable in the http://www.coindesk.com/ long term, but enough have already been widely adopted that the impact on traditional banking will be felt for the foreseeable http://www.retaildive.com/news/forecast-card-payments-to- future. Threats exist, whether from merchants hopping between surpass-cash-payments-for-first-time-ever-this-y/427048/ accounts or bypassing them all together, syndicates utilizing http://www.wsj.com/articles/SB100014241278873243732045 new payments systems, or sellers converting to and from 78374611351125202 virtual currencies. Acquirers are liable for violating merchants hiding within their portfolios, and downstream partners will face http://www.worldpaymentsreport.com/ assessments for processing illicit transactions. The only way to be completely prepared is to ensure that risk and compliance https://www2.deloitte.com/content/dam/Deloitte/uk/ solutions are in place, and to be aware of and understand the Documents/financial-services/deloitte-uk-payments- developing landscape of alternative payments systems. disrupted-2015.pdf

If and when your organization decides to provide or facilitate https://www.irs.gov/pub/irs-drop/n-14-21.pdf the use of these new systems, especially where virtual currency is concerned, risk and compliance professionals should be http://www.consumerfinance.gov/ cautious. Because new entrants that are non-banks do not http://business.cch.com/BANKD/FinCEN-Press- necessarily face intense regulation and regular examination to Release-20140130.pdf make sure they are compliant, the entire payments chain can be put in jeopardy. http://www.occ.treas.gov/publications/publications-by-type/ other-publications-reports/semiannual-risk-perspective/ semiannual-risk-perspective-spring-2016.pdf

https://www.europol.europa.eu/activities-services/main- reports/internet-organised-crime-threat-assessment- iocta-2015

https://www.europol.europa.eu/activities-services/main- reports/internet-organised-crime-threat-assessment- iocta-2016

About G2 Web Services

G2 Web Services, a Verisk business, is a global technology and services G2 Web Services G2 Web Services company that helps banks, processors and their partners ensure safer and Corporate Headquarters London Office more profitable commerce. Clients use G2’s tools and expertise to perform 1750 112th Ave NE, Suite C101 68 Lombard Street better due diligence and monitoring so they can grow their portfolios and Bellevue, WA 98004 USA London, EC3V 9LJ manage changing rules and regulations while taking on acceptable risk. + 1-888-788-5353 United Kingdom

©2018 G2 Web Services. Specifications subject to change without notice. Printed in the U.S.A.

Crypto Case Study.indd 8 1/2/2018 2:01:41 PM