Mission Compliance - Franz Reinhöfer, Andreas Stedry

Mission Compliance (eBook)

Customer Due Diligence for Payment Professionals
eBook Download: EPUB
2024 | 1st edition
176 pages
Books on Demand (publisher)
978-3-7583-9033-3 (ISBN)
11,99 incl. VAT
The growth of eCommerce has always been shadowed by an equal growth in fraud threatening the payments ecosystem. Today's fraud schemes are complex and organised by professionals. That means we, the people on the other side, the underwriters, risk analysts, and other payment professionals, need to be one step ahead. In Mission Compliance, we intend to show you some often underappreciated ways of finding evidence for fraudulent merchant accounts using common website analysis tools. After giving you a primer on the persistent problem of transaction laundering, we offer guides on how to deal with 17 different MCCs, before showcasing some investigation techniques with the help of two real-life case studies. While primarily written by underwriters for underwriters, everyone in payments who is dealing with merchant accounts will benefit from the information in this book.

As Web Shield's Head of Underwriting, Franz is a specialist in identifying shady business practices. Web Shield is a leading provider of merchant underwriting and monitoring solutions for acquirers, payment service providers, and others.

Transaction laundering in online payments


Understanding transaction laundering


Transaction laundering is a term that everyone in payments should know. Understanding the key risks facing acquiring banks and others in the payment ecosystem is indispensable.

Transaction laundering, at its core, is like laundering money through transactions. It involves conducting transactions on another website, unbeknownst to the acquiring bank, by exploiting the merchant account of a legitimate and law-abiding merchant. This merchant account, originally set up for a completely different business, is used to ‘wash’ or cleanse the transactions, concealing the true nature of the activity from the acquiring bank. This covert operation directly contravenes the merchant agreement, resembling a financial-world breach of contract.

Picture this: shady merchants employing a legitimate acquirer’s website as a smokescreen for their nefarious dealings. Their actual products or services include counterfeit goods, illegal substances, weaponry, unregulated pharmaceuticals, violating adult content, unregulated gambling, money laundering, and even the funding of terrorism.

Let us zoom in on counterfeit goods as an example. These fakes range from posh consumer luxuries like designer watches and perfumes to average B2B items like industrial machines, car parts, and even everyday consumer staples like toys, cosmetics, and groceries. In fact, if it is a product protected by intellectual property, you can bet someone is trying to fake it.

But here is the twist: some of these counterfeit products, like knockoff pharmaceuticals, spare parts, and toys, can be as reliable as a chocolate teapot, posing serious health and safety risks. According to EUROPOL, this racket accounts for a staggering 2.5% of world trade, translating to a jaw-dropping $461 billion.[4] That is enough money to buy you a small country ... probably a counterfeit one, though.

Keep in mind that counterfeit products are just one piece of the puzzle in the world of transaction laundering. These numbers are just the tip of the iceberg since they only capture a small fraction of transaction laundering.

The sad reality is that tackling this insidious form of fraud proves to be a formidable challenge for acquirers and PSPs.

Why transaction laundering remains a problem


Transaction laundering takes on various forms. In today’s digital landscape, it has sadly become almost effortless. Why, you ask? Well, the ability to create professional-looking websites complete with checkout pages has become as accessible as streaming your favourite cat videos online.

The surge in demand for online payments, partially fuelled by the pandemic, continues to grow worldwide. Now, consider the global economic crises and the relentless pursuit of cost-cutting by many businesses, including banks. This translates into banks increasingly outsourcing their merchant due diligence and customer acquisition to PSPs and facilitators.

Unfortunately, some of these intermediaries might not have the resources or know-how to invest in the due diligence processes and well-trained compliance specialists that are needed.

Adding to the conundrum, the ever-evolving technology landscape brings new alternative payment methods. While these can be convenient, they often lack robust monitoring measures or effective fraud prevention tools.

In a truly bizarre twist, you might even find that certain individuals within your own organisation are unwittingly or, in rare instances, complicitly aiding and abetting these laundering schemes.

Let us zoom in on some eye-opening statistics about transaction laundering in the realm of online payments. Brace yourself because these numbers might raise an eyebrow or two.

You might be surprised to learn that approximately 6% of unauthorised websites manage to slip through the cracks and get processed. Even worse, on average, 1.5% to 2% of a processor’s portfolio harbours illegal and completely unknown websites.[5]

But even when transaction laundering has been identified, that does not mean the end for the fraudsters: About one-quarter of terminated merchants, most likely terminated due to their involvement in transaction laundering, find their way back into the payment system with only minor tweaks to their entire operation and website setup.[6]

The war against transaction laundering is like an eternal game of cat and mouse, with savvy operators constantly trying to outwit the system while acquirers and PSPs work tirelessly to stay one step ahead. It is a high-stakes dance that keeps the online payments world on its toes, always ready for the next move in the never-ending pursuit of security and compliance.

A typology of transaction laundering


Now we take a closer look at all the different types of transaction laundering. First things first, transaction laundering is also often referred to as illegal aggregation or incompliant aggregation.

Compliant aggregation

But let us start with its counterpart, compliant aggregation. We have all seen it before: Think about an online marketplace where small businesses congregate, and all their payments flow through one platform. Here, the marketplace aggregates all payments for those smaller merchants under its account with the acquiring bank.

Incompliant aggregation

Now that it is clear what is behind the curious concept of compliant aggregation, let us shine a light on what happens when things do not quite adhere to the rules.

Incompliant aggregation involves the processing of payments from a website that the acquirer or PSP is unaware of, even though it is owned and operated by the same merchant. Crucially, in this case, the merchant does not deal in or promote illegal services or products. Typically, these situations arise not out of nefarious intentions but due to a lack of communication or information on the part of the merchant. Imagine this: our merchant, who typically sells accessories through the page accessoirs.com, suddenly starts processing payments via accessoirs.de without informing you.

This change will not significantly impact your risk calculation unless it pertains to a high-risk business, potentially resulting in a missing registration with MRP or VIRP.

There are cases where non-compliant aggregation might be a deliberate choice. Picture this scenario: a merchant running a legitimate, regulated business with all the necessary licenses decides to venture into processing payments for a second business operating in a jurisdiction that demands a different set of licenses – licenses the merchant simply does not possess.

Illegal aggregation

Now that we have unravelled the mysteries of compliant and incompliant aggregation, let us delve into the murky world of illegal aggregation.

In the case of illegal aggregation, a fraudulent merchant consolidates transactions from a different merchant or website under their own merchant account without the consent or knowledge of the acquirer. Typically, this involves the sale of illegal goods or services.

But here is where it gets even more interesting. Illegal aggregation comes in three distinct forms, and the first one is what we call illegal aggregation without miscoding.

Here, a merchant orchestrates payments for another of their websites, one harbouring illegal goods or content, all while keeping it hidden from the watchful eye of the merchant acquirer. The twist here is that the goods or services offered on this rogue website are often similar to what can be found on their compliant and properly reported website but do not comply with card scheme rules or are downright illegal. We can think of it like trying to hide a wolf in sheep's clothing – it may look the same, but it's a whole different beast lurking beneath the surface.

You guessed right: If there is a variant without miscoding, there is also the opposite: Illegal aggregation with miscoding. To fully grasp this form of transaction laundering, we should remember that certain credit cards can be restricted for use within specific MCCs. For instance, credit cards might be blocked for high-risk businesses such as gambling or adult entertainment.

To counteract these blocks, fraudulent merchants attempt to exploit an acquirer bank by using a previously set up merchant account and Merchant ID (MID) for an entirely unrelated business. This allows them to process illegal transactions through a valid and approved account, effectively bypassing any restrictions.

We can observe this form of transaction laundering most often in connection with illegal gambling, serving two primary purposes: enabling unregulated operators to carry out their schemes and permitting cardholders in restricted jurisdictions to engage in online gambling.

Finally, we shine a spotlight on illegal aggregation through third-party transaction laundering. In this variant, a merchant who is not officially set up as a payment facilitator and lacks the necessary licenses for it (like an e-Money license) takes on the role of facilitating payments under their own name, all on behalf of a third party, typically another merchant.

This practice involves the unauthorised middleman acting as an intermediary, masking the identity of the actual beneficiary of the payments. It looks like a clandestine game of financial hide-and-seek, where the merchant facilitates these transactions without the proper permissions or oversight. The result? A convoluted web...

Publication date (per publisher): 2.1.2024
Language: English
Subject area: Computer Science, Networks, Security / Firewall
ISBN-10 3-7583-9033-8 / 3758390338
ISBN-13 978-3-7583-9033-3 / 9783758390333
EPUB (watermark)
Size: 1,3 MB

DRM: Digital watermark
This eBook contains a digital watermark and is therefore personalised for you. If the eBook is improperly passed on to third parties, it can be traced back to the source.
