Thursday, February 15, 2024

Money Mules: ID Theft and AML Compliance


Our company is under investigation by the banking department and law enforcement for allowing "money mules" to use our financial services. They managed to use our mortgage and depository services. The crooks targeted people in nursing homes and hospice care facilities. 

The banking department is now determining if we properly implemented an Identity Theft Protection Program and Anti-Money Laundering Program. They're looking back at the procedures as well as the level of testing and training. Our CEO has told us that she expects an administrative action against us. 

We haven't updated our Identity Theft Protection Program and Red Flags Rule in years. We're reviewing it now. Well, better late than never! 

But we do the Anti-Money Laundering Program testing and training as required. The banking department is closely scrutinizing both written policies. Yesterday, we received a notice from FinCEN that they are investigating our SAR filings. 

The news fallout has been devastating. We have been in business for decades and have never had a hit to our reputation, let alone something as shocking as being an unwitting accessory to an identity theft and money-laundering scheme. There's not enough money in the world to reestablish trust! 

How do "money mules" operate? 

How do "money mules" exploit the stealing of identities? 

How do "money mules" undermine anti-money laundering procedures? 


Your situation reminds me of a recent arrest in California involving money mules. The victims' money is often initially handled by "money mules," individuals who permit their addresses or bank accounts to be used or agree to receive or negotiate cashier's checks. In brief, a money mule moves money obtained illegally on behalf of another individual. Funds are transferred in person, digitally, or through mail or courier. 

I have discussed money mules previously. Here is one about how the COVID pandemic was used by criminals to bilk the public: COVID-19: Imposters and Money Mules. 

Money mules can be – but are not always! – aware they are involved in laundering money obtained illegally. The purpose of this illegal activity is to obscure the source of funds. They are a key element in the money laundering and identity theft process. 


With some variance and nuances here and there, the following are the steps to money mule schemes: 

Step 1: Criminal looking to launder money employs a money mule to layer illicit funds. 

Step 2: Criminal transfers the funds to the money mule in person or electronically. 

Step 3: Money mule either places[i] the money into the financial system or receives money that has already been integrated[ii] into the financial system. 

Step 4: Money mule uses a series of transfers and transactions to layer[iii] the money. 

Step 5: Money mule returns the layered funds to the criminal. 

In the case I have in mind,[iv] the FBI arrested money mules involved in scams that bilked grandparents. This is brutal, wicked, and heartless, of course, but crooks will do what crooks will do! A con is a con. A mark is a mark. As Hamlet observed, "one may smile, and smile, and be a villain!"[v] 

Two money mules were arrested and indicted for their scheme to launder at least $2 million in proceeds obtained from victims of grandparent scams who were defrauded with false claims that their relatives were in distress and urgently needed funds. 

The indictment detailed how perpetrators of grandparent scams convince victims to send money – purportedly to help relatives, frequently their grandchildren, who are typically described as being in legal trouble – "to bank accounts, business entities, and physical addresses specified by the scammers, using interstate wires and cashier's checks…for the supposed purpose of assisting the relatives in distress." 

One of the money mules is said to be a manager of money mules, and the other, thus recruited, recruited his own money mules. Federal prosecutors further assert that the manager created business entities and opened bank accounts using information stolen from identity theft victims. 

Once the money was in the accounts associated with the money mules or identity theft victims, the two money mules allegedly engaged in transactions designed to conceal the true nature of the funds, which, in this case, had been obtained via wire fraud. 

The indictment specifically alleges that the scheme laundered funds obtained from victims of grandparent scams who live in California and Pennsylvania. The bank fraud scheme alleged in the indictment involves fraudulently obtained funds held in suspense in an account set up in the name of an identity theft victim. 

The two money mules and a co-conspirator allegedly worked in concert to contact the bank and impersonate the identity theft victim to secure the issuance of a check for nearly $83,000 that was remaining in the account. 

As I noted above, money mules can be unwittingly involved in a money mule scam. That seems hard to believe. Investigators find that the trail usually ends with the money mule, who might not have realized that they are laundering money for crime gangs. Unfortunately, the process often depends on the unwitting money mule for its effectuation. The enforcement authorities have found at least three primary types of money mules: (1) unwitting, (2) witting, and (3) complicit. Here's a synopsis of each type. 


(1) Unwitting: Individuals are unaware they are involved in criminal activity and engage in it thinking it's legal. They are often deceived into doing the activity for someone they believe to be an employer, acquaintance, perhaps a romance scammer, or somebody in a position of some trust. 

(2) Witting: Individuals who should be aware they are involved in suspicious activity but engage in it anyway. While they aren't fully aware of the extent to which they are involved in criminal activity, they typically ignore clear indicators that what they do is illegal or suspicious. 

(3) Complicit: Individuals know they are involved in criminal activity yet still engage in it willfully. This type of money mule ranges from inexperienced individuals unaware of their involvement to experienced and adept fraudsters who run entire money mule rings. 

Identity Theft Prevention Program 

Beyond the legal ramifications of acting as a money mule,[vi] the people who serve as money mules may open themselves up to identity theft. All of their personally identifiable information ("PII") can be stolen by criminals, leading to the theft of their financial assets. Victims often wind up with drained accounts, damaged credit, and deprivation of medical treatment due to loss of cash liquidity. 

Stealing an individual's identity is a fraud committed or attempted using the identifying information of another person without authority.[vii] The "identifying information" of a victim is particularly onerous because such information means "any name or number that may be used, alone or in conjunction with any other information, to identify a specific person."[viii] 

The Red Flags Rule ("Rule") goes back to 2007 under a section in the Fair and Accurate Credit Transactions Act (FACTA), which amended the Fair Credit Reporting Act (FCRA).[ix] The Rule was promulgated in 2010.[x] 

If you haven't reviewed your written Identity Theft Protection Program – which is statutorily required – it is a bit late now, given that the regulators are currently involved in an investigation. In compliance, you cannot simply throw up your hands and declare that it is "better late than never." Indeed, that phrase harks all the way back to Geoffrey Chaucer in the 14th century, who said, "For better than never is late; never to succeed would be too long a period."[xi] 

In compliance, virtually everything has a tail, a trace, a remnant, a vestige, some lingering scintilla of activity, a dash of evidence that cannot escape discovery at some point and in some way. Thus, "better late than never" is not functionally good enough in compliance. 

Pay attention to the second half of Chaucer's statement, "never to succeed would be too long a period." There are no viable exceptions to maintaining regulatory vigilance and, if there is a systemic or some other failure, to admitting the mistake and fixing it permanently. Regulators are sometimes sympathetic to companies that recognize and willingly fix mistakes. But be assured that most of the time, they will find out about the errors you prefer not to tell them about. To succeed in compliance, you must proactively review, monitor, test, train, and implement regulatory requirements. 

There are notorious correlations between money mules and identity theft. I have been discussing "traditional" money mules, but there are "synthetic identities" used by money mules. Synthetic identities are created using a discrete combination of PII to fabricate a person or entity. Given the availability of stolen data on the dark web, these identities are easy to create on a large scale. 

If you haven't reviewed your Identity Theft Prevention Program in some time, you are quite remiss, and, from a regulatory compliance perspective, you are not only opening yourself to regulator scrutiny but may also be recklessly endangering your customers. 

Anti-Money Laundering Program 

You asked, How do "money mules" undermine anti-money laundering procedures? In our Anti-Money Laundering test audits, we have noted weaknesses in screening for money mules. The results of our findings are provided in our Executive Summary, and we offer our work papers so that you can see how deep we have gone to evaluate your AML program. We provide recommendations to fix the weaknesses. 

Our reviews have uncovered many money mule schemes. However, catching the scams is a never-ending task because the crooks are remarkably inventive in finding ways to undercut even the best AML programs. 

There are telltale elements that might indicate a money mule has landed on your AML radar. We are always adding to our audit list as crooks invent new schemes and scams. You should do the same! These scams come up repeatedly in our AML test audits to the point that we consider them triggers to conducting an investigation to determine if a Suspicious Activity Report (SAR) should be filed with FinCEN[xii]. 

Our organization maintains a list of warning signs that a money mule may be making their way onto a client's AML radar. Our list contains elements provided by CISA[xiii], and we build on these elements continually. In our estimation, AML compliance must include, among other things, periodic testing, employee training, due diligence, transaction monitoring, Identity Theft Protection Program mandates, KYC and KYB[xiv] requirements, CIP[xv], OFAC[xvi], identity theft[xvii] "frozen credit" alerts, and historical SAR filings. 

An example of due diligence is conducting your own investigation. Money mules can contaminate PII. During an investigation, a client of ours discovered that a money mule group used fake websites and social media profiles to trick victims into providing their personal information. It then used that PII to open bank accounts, apply for mortgage loans, and set up cryptocurrency wallets. This criminal group then laundered the stolen funds through a network of money mules, who received and transferred the funds on behalf of the criminals.

Jonathan Foxx, Ph.D., MBA
Chairman & Managing Director 
Lenders Compliance Group

[i] Placement is where illegitimate funds are introduced to the legitimate financial system.

[ii] Integration is where layered funds (which now appear legitimate) are returned to the criminal.

[iii] Layering is where the criminal intentionally moves funds to disguise where the money actually originated.

[iv] Two Indicted in Scheme that Allegedly Laundered over $2 Million Generated by ‘Grandparent Scams’ Targeting Elderly Victims, Press Release, Department of Justice, U.S. Attorney's Office, Central District of California, December 12, 2023

[v] Hamlet, Act 1, Scene 5, Shakespeare

[vi] For instance, among other things, the charge of conspiracy to commit money laundering carries a statutory maximum penalty of 20 years in federal prison, and the charge of conspiracy to commit bank fraud carries a sentence of up to 30 years.

[vii] 16 CFR 603.2(a)

[viii] 16 CFR 603.2(b)

[ix] The Red Flags Rule was issued in 2007 under § 114 of the Fair and Accurate Credit Transactions Act of 2003 (FACT Act), Pub. L. 108-159, amending the Fair Credit Reporting Act (FCRA), 15 USC 1681m(e). The Red Flags Rule is published at 16 CFR 681.1. See also 72 FR, Nov. 9, 2007.

[x] The Rule was amended in 2010 by the Red Flag Program Clarification Act of 2010, 15 U.S.C. 1681m(e)(4), Pub. L. 111-319, 124 Stat. 3457 (December 18, 2010).

[xi] Actually, the phrase is a direct translation from the Latin “potiusque sero quam nunquam” (viz., and better late than never) in Livy’s fourth book Ab Urbe Condita (History of Rome), 27 BC. The full quote in Livy is “Their insolence and recklessness must be opposed, and better late than never.” (My translation.)

[xii] Financial Crimes Enforcement Network (FinCEN), for nonbanks, see Anti-Money Laundering Program and Suspicious Activity Report Filing Requirements for Residential Mortgage Lenders and Originators, Financial Crimes Enforcement Network, 77 FR 8148-8160 (February 14, 2012), as revised from time to time.

[xiii] CISA provides several publications involving money mules and other schemes. One example is Understanding and Protecting Yourself Against Money Mule Schemes, Matthew DeSantis, Chad Dougherty, Mindi McDowell, US-CERT, Cybersecurity & Infrastructure Security Agency

[xiv] Respectively, Know Your Customer (KYC) and Know Your Business (KYB)

[xv] Customer Information Program (CIP)

[xvi] Office of Foreign Assets Control (OFAC)

[xvii] FCRA Identity Theft Rules, Op. cit. ix