QUESTION
Our company is under investigation
by the banking department and law enforcement for allowing "money mules"
to use our financial services. They managed to use our mortgage and depository
services. The crooks targeted people in nursing homes and hospice care
facilities.
The banking department is now
determining if we properly implemented an Identity Theft Protection Program and
Anti-Money Laundering Program. They're looking back at the procedures as well
as the level of testing and training. Our CEO has told us that she expects an
administrative action against us.
We haven't updated our Identity
Theft Protection Program and Red Flags Rule in years. We're reviewing it now. Well, better late than never!
But we do the Anti-Money
Laundering Program testing and training as required. The banking department is
closely scrutinizing both written policies. Yesterday, we received a notice
from FinCEN that they are investigating our SAR filings.
The news fallout has been
devastating. We have been in business for decades and have never had a hit to
our reputation, let alone something as shocking as being an unwitting accessory
to an identity theft and money-laundering scheme. There's not enough money in
the world to reestablish trust!
How do "money mules"
operate?
How do "money mules"
exploit the stealing of identities?
How do "money mules"
undermine anti-money laundering procedures?
ANSWER
Your situation reminds me of a
recent arrest in California involving money mules. The victims' money is often
initially handled by "money mules," individuals who permit their
addresses or bank accounts to be used or agree to receive or negotiate cashier's
checks. In brief, a money mule moves money obtained illegally on behalf of
another individual. Funds are transferred in person, digitally, or through mail
or courier.
I have discussed money mules
previously. Here is one about how the COVID pandemic was used by criminals to
bilk the public: COVID-19: Imposters and Money Mules.
Money mules can be – but are not
always! – aware they are involved in laundering money obtained illegally. The
purpose of this illegal activity is to obscure the source of funds. They are a
key element in the money laundering and identity theft process.
Scheme
With some variance and nuances here
and there, the following are the steps to money mule schemes:
Step
1: Criminal looking to launder money employs a money mule to layer illicit
funds.
Step
2: Criminal transfers the funds to the money mule in person or electronically.
Step
3: Money mule either places[i]
the money into the financial system or receives money that has already been
integrated[ii]
into the financial system.
Step
4: Money mule uses a series of transfers and transactions to layer[iii]
the money.
Step
5: Money mule returns the layered funds to the criminal.
In the case I have in mind,[iv]
the FBI arrested money mules involved in scams that bilked grandparents. This
is brutal, wicked, and heartless, of course, but crooks will do what crooks
will do! A con is a con. A mark is a mark. As Hamlet observed, "one may
smile, and smile, and be a villain!"[v]
Two money mules were arrested and
indicted for their scheme to launder at least $2 million in proceeds obtained
from victims of grandparent scams who were defrauded with false claims that
their relatives were in distress and urgently needed funds.
The indictment detailed how
perpetrators of grandparent scams convince victims to send money – purportedly
to help relatives, frequently their grandchildren, who are typically described
as being in legal trouble – "to bank accounts, business entities, and
physical addresses specified by the scammers, using interstate wires and
cashier's checks…for the supposed purpose of assisting the relatives in
distress."
One of the money mules is said to be
a manager of money mules, and the other, thus recruited, recruited his own
money mules. Federal prosecutors further assert that the manager created
business entities and opened bank accounts using information stolen from
identity theft victims.
Once the money was in the accounts
associated with the money mules or identity theft victims, the two money mules
allegedly engaged in transactions designed to conceal the true nature of the
funds, which, in this case, had been obtained via wire fraud.
The indictment specifically alleges
that the scheme laundered funds obtained from victims of grandparent scams who
live in California and Pennsylvania. The bank fraud scheme alleged in the
indictment involves fraudulently obtained funds held in suspense in an account
set up in the name of an identity theft victim.
The two money mules and a
co-conspirator allegedly worked in concert to contact the bank and impersonate
the identity theft victim to secure the issuance of a check for nearly $83,000
that was remaining in the account.
As I noted above, money mules can be
unwittingly involved in a money mule scam. That seems hard to believe. Investigators
find that the trail usually ends with the money mule, who might not have
realized that they are laundering money for crime gangs. Unfortunately, the
process often depends on the unwitting money mule for its effectuation. The
enforcement authorities have found at least three primary types of money
mules: (1) unwitting, (2) witting, and (3) complicit. Here's a synopsis of
each type.
Types
(1) Unwitting Individuals are
unaware they are involved in criminal activity and engage in it thinking it's
legal. They are often deceived into doing the activity for someone they believe
to be an employer, acquaintance, perhaps a romance scammer, or somebody in a
position of some trust.
(2) Witting Individuals who
should be aware they are involved in suspicious activity but engage in it
anyway. While they aren't fully aware of the extent to which they are involved in criminal activity,
they typically ignore clear indicators that what they do is illegal or
suspicious.
(3) Complicit Individuals
know they are involved in criminal activity yet still engage in it willfully.
This type of money mule ranges from inexperienced individuals unaware of their
involvement to experienced and adept fraudsters who run entire money mule
rings.
Identity Theft Prevention Program
Beyond the legal ramifications of
acting as a money mule,[vi]
the people who serve as money mules may open themselves up to identity theft.
All of their personally identifiable information ("PII") can be
stolen by criminals, leading to the theft of their financial assets. Victims
often wind up with drained accounts, damaged credit, and deprivation of medical
treatment due to loss of cash liquidity.
Stealing an individual's identity is
a fraud committed or attempted using the identifying information of another
person without authority.[vii]
The "identifying information" of a victim is particularly onerous
because such information means "any name or number that may be used, alone
or in conjunction with any other information, to identify a specific person."[viii]
The Red Flags Rule (" Rule") goes
back to 2007 under a section in the Fair and Accurate Credit Transaction Act
(FACTA), which amended the Fair Credit Reporting Act (FCRA).[ix]
The Rule was promulgated in 2010.[x]
If you haven't reviewed your written
Identity Theft Protection Program – which is statutorily required – it
is a bit late now, given that the regulators are currently involved in an
investigation. In compliance, it is not the case to throw up your hands and, as you do, declare it is "better late than never." Indeed, that phrase harks all
the way back to Geoffrey Chaucer in the 14th century, who said, "For
better than never is late; never to succeed would be too long a period."[xi]
In compliance, virtually everything
has a tail, a trace, a remnant, a vestige, some lingering scintilla of
activity, a dash of evidence that cannot escape discovery at some point and in
some way. Thus, "better late than never" is not functionally good
enough in compliance.
Pay attention to the second half of
Chaucer's statement, "never to succeed would be too long a period."
There are no viable exceptions to maintaining regulatory vigilance, and if
there is a systemic or some other failure, admitting the mistake and fixing it
permanently. Regulators are sometimes sympathetic to companies that recognize
and willingly fix mistakes. But be assured that most of the time, they will
find out about the errors you prefer not to tell them about. To succeed in
compliance, you must proactively review, monitor, test, train, and implement regulatory requirements.
There are notorious correlations
between money mules and identity theft. I have been discussing "traditional"
money mules, but there are "synthetic identities" used by money
mules. Synthetic identities are created using a discrete combination of PII to
fabricate a person or entity. Given the availability of stolen data on the dark
web, these identities are easy to create on a large scale.
If you haven't reviewed your
Identity Theft Prevention Program in some time, you are quite remiss, and, from
a regulatory compliance perspective, you are not only opening yourself to
regulator scrutiny but may also be recklessly endangering your customers.
Anti-Money Laundering Program
You asked, How do "money
mules" undermine anti-money laundering procedures? In our Anti-Money Laundering test audits,
we have noted weaknesses in screening for money mules. The results of our
findings are provided in our Executive Summary, and we offer our work papers so
that you can see how deep we have gone to evaluate your AML program. We provide recommendations to fix the weaknesses.
Our
reviews have uncovered many money mule schemes. However, catching the scams is
a never-ending task because the crooks are remarkably inventive in finding ways
to undercut even the best AML programs.
There are telltale elements that
might indicate a money mule has landed on your AML radar. We are always adding to our audit list as crooks invent new schemes and scams. You should do the same! These scams come up repeatedly in our
AML test audits to the point that we consider them triggers to conducting an
investigation to determine if a Suspicious Activity Report (SAR) should be
filed with FinCEN[xii].
Our organization maintains a list of
warning signs that a money mule may be making their way onto a client's AML
radar. Our list contains elements provided by CISA[xiii],
and we build on these elements continually. In our estimation, AML compliance
must include, among other things, periodic testing, employee training, due
diligence, transaction monitoring, Identity Theft Protection Program mandates, KYC
and KYB[xiv]
requirements, CIP[xv], OFAC[xvi],
identity theft[xvii] "frozen credit" alerts, and historical SAR filings.
An example of due diligence is
conducting your own investigation. Money mules can contaminate PII. During an
investigation, a client of ours discovered that a money mule group used fake
websites and social media profiles to trick victims into providing their
personal information. It then used that PII to open bank accounts, apply for
mortgage loans, and set up cryptocurrency wallets. This criminal group then
laundered the stolen funds through a network of money mules, who received and
transferred the funds on behalf of the criminals.
Jonathan Foxx, Ph.D., MBA
Chairman & Managing Director Lenders Compliance Group
[i] Placement is where illegitimate
funds are introduced to the legitimate financial system.
[ii] Integration is where layered
funds (which now appear legitimate) are returned to the criminal.
[iii] Layering is where the criminal
intentionally moves funds to disguise where the money actually originated.
[iv] Two Indicted in Scheme that
Allegedly Laundered over $2 Million Generated by ‘Grandparent Scams’ Targeting
Elderly Victims, Press Release, Department of Justice, U.S. Attorney's
Office, Central District of California, December 12, 2023
[v] Hamlet, Act 1, Scene 5,
Shakespeare
[vi] For instance, among other things, the
charge of conspiracy to commit money laundering carries a statutory maximum
penalty of 20 years in federal prison, and the charge of conspiracy to commit
bank fraud carries a sentence of up to 30 years.
[ix] The Red Flags Rule was issued in 2007
under § 114 of the Fair and Accurate Credit Transaction Act of 2003 (FACT Act),
Pub. L. 108-159, amending the Fair Credit Reporting Act (FCRA), 15 USC
1681m(e). The Red Flags Rule is published at 16 CFR 681.1. See also 72 FR, Nov.
9, 2007.
[x] The Rule was amended in 2010 by the Red
Flag Program Clarification Act of 2010, 15 U.S.C. 1681m(e)(4), Pub. L. 111-319,
124 Stat. 3457 (December 18, 2010).
[xi] Actually, the phrase is a direct
translation from the Latin “potiusque sero quam nunquam” (viz., and
better late than never) in Livy’s fourth book Ab Urbe Condita (History
of Rome), 27 BC. The full quote in Livy is “Their insolence and recklessness
must be opposed, and better late than never.” (My translation.)
[xii] Financial Crimes Enforcement Network
(FinCEN), for nonbanks, see Anti-Money Laundering Program and Suspicious
Activity Report Filing Requirements for Residential Mortgage Lenders and
Originators, Financial Crimes Enforcement Network, 77 FR 8148-8160
(February 14, 2012), as revised from time to time.
[xiii] CISA provides several publications
involving money mules and other schemes. One example is Understanding and Protecting
Yourself Against Money Mule Schemes, Matthew DeSantis, Chad Dougherty,
Mindi McDowell, US-CERT, Cybersecurity & Infrastructure Security Agency
[xiv] Respectively, Know Your Customer (KYC)
and Know Your Business (KYB)
[xv] Customer Information Program (CIP)
[xvi] Office of Foreign Assets Control (OFAC)
[xvii] FCRA Identity Theft Rules, Op. cit. ix
