Fighting Fraud: Breaking the Chain Contents

Chapter 4: Cashing out

190.The process by which fraudsters withdraw their criminally obtained funds is known as ‘cashing out’. This is a common feature of all frauds. There are a number of ways in which criminals can cash out their stolen funds once a payment has been made, for example via withdrawal at an ATM machine, transferring the money into cryptocurrency to be withdrawn later or by laundering it, often by using money mules, sometimes to overseas accounts.

191.This chapter explores the various intervention points at which the process of cashing out could be interdicted so that criminals cannot walk away from their attempted fraud with a victim’s money. It is preferable that intervention should take place prior to this stage given the earlier in the chain a fraud is halted, the less the impact on the victim.

Figure 15: The Fraud Chain: Cashing out

Flow chart showing the process of "The Fraud Chain"

Source: Q 14 (Katy Worobec) and written evidence from CCSG (FDF0063)

Payments infrastructure

192.Fraudsters exploit the speed and ease with which digital and online banking users can make payments. As noted, individuals are seen as the ‘weak link’ in the fraud chain due to their capacity to be taken in by social engineering techniques to make authorised payments to fraudsters. Due to the current payments infrastructure, these payments happen at pace.

193.The payments ecosystem is comprised of all parties that interact during the process of a transaction. Payment systems, such as Bacs, the Image Clearing System for cheques, CHAPS, LINK (cash) and Faster Payments, are run by payment systems operators.306 The New Payments Architecture programme is due to be introduced in 2024 and will replace BACS and Faster Payments with updated payment systems intended to respond better to changes in technology.307 PSPs are third-party companies that help businesses to accept online payments.308

194.Three key regulators have responsibility for this ecosystem. The PSR was set up in 2015 to promote effective competition, innovation in payment systems, and to ensure that such systems are operated and developed to promote consumers’ interests. The FCA has responsibility for day-to-day supervision of payment services, and the Bank of England regulates systemic payment systems.309

195.Digital transfers are a widespread and growing means of payment in the UK. While cash remains the second most commonly used form of payment at 15%, behind debit card payments (48%), UK Finance expects that by 2031 cash will account for just 6% of all payments made in the UK while remote banking methods will continue to rise to a point where it is used by 93% of adults.310 Digital payments can be received by anyone with a bank account.

Know-your-customer

196.It is relatively easy to open a bank account in the UK today. This leaves the banking system vulnerable to fraudsters opening and closing bank accounts to launder the proceeds of fraud with relative ease. Under anti-money laundering (AML) regulations, regulated financial institutions are required to carry out due diligence on customers and companies when they open an account and on an ongoing basis—although the nature of checks varies given different types of customer, risk and product type—to check that they are who they say they are and to understand the customer’s expected behaviour. However, there are clearly flaws in the system. For example, synthetic identities can be created using a combination of real and fake information to create an entirely new identity.311 During the filming of his consumer rights programme, Joe Lycett opened a new bank account using a false name:

“I managed to open a bank account in someone else’s name, with their permission, and that felt concerning to me—that you could open accounts without too many questions being asked. It is quite easy to funnel money in that way.”312

197.Digital identity verification is a crucial step in banks’ counter-fraud approach. Biometric Know Your Customer (KYC) checks are used by some banks in order to confirm that a payment is being authorised by the account holder, for example by using facial identification on smartphones. However, some fraudsters are able to bypass these methods. Deepfake technology is a process that uses deep learning, a sub-field of artificial intelligence, to make fake pictures or voices and this can be used to fake an image or voice of a real-life user in order to convince a bank that they are the genuine customer.313

198.Dr Hutchings has cautioned against overstating the risks currently presented by such technology:

“I do not think we are seeing deepfakes so much as people trying to imitate genuine customers in some ways, such as by having an IP address that is in the same region as the customer. We are seeing less technical means that are just as effective at overcoming those types of algorithms. The more complicated technical approaches are not likely to be used in favour of relatively straightforward, non-technical attacks.”314

199.Transpact told us that fraudulent driving licences are frequently used to open bank accounts. Many banks allow driving licences as proof of ID to accommodate individuals who do not have a passport (usually alongside another form of proof of address). However, Transpact suggested that the security of driving licences is not as good as passports due to the lack of a cryptographically viable, encrypted chip. As a result, they argue that driving licences are “relatively easy to forge”. They also suggested that driving licences should include a cryptographically verifiable chip, similar to new passports, to ensure that the individual presenting the document can be verified.315

200.The on-hold Data Protection and Digital Information Bill will establish in law a framework for the provision of digital identity verification services in the UK and enable public authorities to disclose personal information to trusted digital identity providers for identity and eligibility verification.316 We are supportive of this work, however we are concerned that the framework and authentication systems must be watertight in order to avoid concerns that have been raised about digital identity theft, which could lead to fraud.317

201.Finally, AI and machine learning have a role in preventing fraudsters from opening accounts. For example, this technology can be used to understand customer behaviour better and flag characteristics that might be indicative of higher risk, such as several accounts being opened in a particular postcode where fraudsters are known to be in operation.

202.While we have heard that the process of opening a bank account may be too easy, we are equally aware that efforts to make opening bank accounts more difficult may have a negative impact on financial inclusion. The need to prevent financial crime must be balanced with this consideration in support of a society that champions access to financial services. A balance must be struck between preventing fraud and introducing new AML or KYC procedures that may create unnecessary obstacles for honest customers to open bank accounts.

Transaction monitoring

203.A key part of AML requirements is transaction monitoring. In a retail bank, this usually takes place via a system—either built in-house or purchased from a third party—based on ‘rules’ that flag transactions for review. This might include a balance limit being reached in a particular account, or the identification of transactions that appear ‘abnormal’ for an account or group of customers, and may require the use of AI and Machine Learning technologies to improve the ‘rules’ applied.

204.We have heard that transaction monitoring systems can lead to a large number of ‘false positive alerts’, which require extensive resources to review. In some cases, accounts may be frozen or closed if a bank suspects that it is being used for fraud, which can lead to customers being denied access to cash.318 In 2018, e-money service Revolut contacted the FCA to inform it of its failure to comply with AML procedures by switching off an automated system designed to stop suspicious money transfers. It told the regulator it did this after 8,000 false positives incorrectly identified legitimate transactions as being suspicious and blocked them as a result.319

205.Dr Mersinas told us that technology has not yet caught up with the scale of the issue:

“ … machine learning can, of course, be used for the legitimate purposes of marketing and entertainment, in coping with fraud, and with the opposite goals in mind. We are at the stage where the technology still has many false positives and many false negatives. Incidents are incorrectly marked as real incidents and vice versa. We are still bound by historical data. We are still bound by simulations and exercises. In that sense, we are not there yet.”320

206.Nicholas Taylor, former Head of Policy and Public Affairs at Revolut, told us that Revolut tackles fraud and money laundering through a two-pronged approach based on working with former law enforcement officials and financial crime experts, alongside engineers and technologists.321

207.The scope for improvement in transaction monitoring is made clear when looking at the FCA’s enforcement actions in recent years, which have largely focussed on failures in transaction monitoring rather than KYC processes. For example, in 2021, NatWest was fined £264.8 million in the first example of the FCA pursuing criminal charges for AML failures. It was found that NatWest was “responsible for a catalogue of failures in the way it monitored and scrutinised transactions that were self-evidently suspicious”.322 Also in 2021, HSBC was fined £63.9 million for deficient transaction monitoring processes over a period of eight years up to 2018.323

Enforcement of the AML regime

208.We have heard that supervision and enforcement of AML regulations is patchy. Ghela Boskovich, Regional Director of the Financial Data and Technology Association, told us that more action must be taken by banks receiving payments to ensure that they comply with KYC and AML requirements.324 Nicholas Taylor told us that “AML compliance is something that everyone needs to improve”.325

209.The FCA told us that it “prolifically enforced” the AML regime. Since 2018 it has taken action against 11 firms for inadequate AML, anti-bribery and corruption controls, culminating in £655 million in penalties.326 Far from being ‘prolific’, this figure seems startlingly low.

210.Transparency Task Force argued that given low enforcement activity by the FCA, more pressure should be put on the FCA to take more action to stop fraud reaching consumers. It suggested that patchy enforcement of rules may even ‘attract’ fraudsters to the financial services sector. The group argue that the FCA should lose what it terms its “broad exemption from civil liability” under Part 4(25) of the Financial Services Act 2012 and require it to pay redress for regulatory failure via changes to its Complaints Scheme.327

211.However, we recognise that the FCA’s capacity to bring prosecutions against corporations for failures to comply with AML regulations may be a by-product of inadequate resourcing. The FCA is funded by the institutions that it regulates. Its budget in 2020 (£632.6 million) was around a third of the US Securities and Exchange Commission (SEC) ($1.815 billion), the federal regulatory agency responsible for maintaining the fair and orderly function of the US securities markets.328

212.Furthermore, the measures introduced in the Financial Services and Markets Bill may increase oversight of the FCA and Prudential Regulation Authority’s (PRA) rules. For example, Clause 27 will introduce a requirement that the rules are kept under review, and the Treasury will be able to direct regulators to review certain rules if in the public interest. Clause 28 would give the Treasury powers to direct the regulators to make rules on certain issues. The legislation will also introduce greater measures to require reimbursement in cases of APP fraud (see paragraph 386).329

Faster Payments

213.Thanks to new banking technologies such as Open Banking and Faster Payments, payments can be made with speed and efficiency. Open Banking was introduced in 2018 to enable the sharing of transaction data with third parties more easily, to allow third parties to initiate payments directly from an account as a bank transfer, and to share firms’ product information and customer indicators more openly.330 Faster Payments is a payment system offering near-instant payments.331

214.The Committee has heard that the speed with which payments are processed has made it easier for fraudsters to quickly cash out stolen money. Last year, 3.4 billion transactions were processed via the Faster Payments System, up 20% on the figure for 2020.332 It was the method of payment used to facilitate 96% cases of APP fraud in 2020, an increase of 34% since 2019 according to UK Finance.333 Pay.UK, which operates the system, cautioned that APP fraud affects less than 1% (0.0066%) of payments made via this system.334 The Building Societies Association told us:

“Implementation in the UK concentrated solely on delivering speed of transaction and chose to ignore risks that too much speed did not give time for customers to consider fraud risk or PSPs to recover funds paid to fraudsters.”335

215.An increase in reports of fraud following the implementation of quicker payment systems has also been reported in other jurisdictions. Australia introduced the New Payments Platform in February 2018. At the time, the Reserve Bank of Australia raised concerns about fraud given the increase in speed of payments.336 The Australian Competition and Consumer Commission (ACCC) reported record levels of scam activity in 2021. $324 million was reported lost to Scamwatch, the ACCC’s reporting centre, up 84% since 2019. The ACCC recognised new payment methods and faster payment transfers as a means by which scammers can quickly move money between accounts before a victim realises that they are being scammed.337 The ACCC has since recommended the take up of Confirmation of Payee (see paragraph 220), based on the UK’s example, to mitigate losses.338

Action to tackle fraud at the payment stage

216.There are a number of steps that banks can take if they have reason to suspect that a payment might be fraudulent. Indicators of a suspicious payment might include an abnormally large payment, often to a new payee, or money being quickly transferred in and out of an account.

217.The Banking Protocol is a best-practice initiative introduced to help bank staff spot these ‘red flags’ and to alert police. The Protocol comes into effect when a bank suspects that a person making a payment in branch is being scammed. At this point they will speak to the customer to try to explain that a fraud could be taking place. If the customer wants to proceed with the payment, the bank can call the police if they still believe that criminal activity is taking place. This may help to shake the victim out of a so-called ‘hot state’.339 We have heard that the Banking Protocol has been considered highly effective. The Building Societies Association told us that between 2016 and 2021, the scheme stopped fraud estimated at a value of £142 million and led to 900 arrests. The Building Societies Association said:

“The most successful recent fraud policy intervention has been the Banking Protocol. This private/public initiative involving UK police forces, building societies and banks gives building societies and banks the option to bring in guaranteed police intervention where there are concerns that a customer might be being targeted for fraud.”340

218.Although UK Finance are working to expand it to telephone and online banking, the Protocol is not mandatory and is only best practice and it only applies in branch.341 We heard from members of the Midlands Fraud Forum that the Protocol is not applied evenly by all banks and staff require greater training in order to ensure it is effective.

“I met six of the nine red flags that banks should be looking out for under the Banking Protocol. Why didn’t banks immediately stop me from transferring money if they thought it was fraudulent?” - Rachel

219.Banks are also subject to the Quincecare duty. This places an onus on banks to refrain from executing payment instructions if there are reasonable grounds to believe that the instruction may be an attempt to misappropriate customer funds.342

220.Customers of some banks are required to go through the Confirmation of Payee (CoP) process when making online payments. CoP is a name-checking service that was introduced in 2020. It warns customers if a payee’s name does not match the account number they provide. More than 1 million CoP requests are made every day covering over 90% of Faster Payments volumes.343

221.While many of the major banks have implemented CoP, some of the smaller players in the market have not. Brian Dilley told us that the introduction of CoP was followed by a migration of fraudsters to banks that do not implement the measure.344 Nicholas Taylor said that “there is no reason why any firm operating in the UK should not have confirmation of payee”.345

222.We have heard arguments for and against slowing down the speed with which payments can take place. The arguments for retaining higher speed payments are about the convenience to customers, who value a smooth customer journey. Former Economic Secretary to the Treasury John Glen MP told the Treasury Committee that consumers do not want to see their payments slowed down.346

223.However, we found the evidence of Security Minister Tom Tugendhat compelling. He told us that the speed of transactions in the UK is one of the key reasons underpinning the high rate of fraud in the UK. We understand from the Minster that such discussions are now being held with the Treasury and fully support these discussions.347

224.Furthermore, in the PSR’s November 2021 consultation, the regulator expressed concern that slowing of payment services could disproportionately affect those with protected characteristics given that they might be perceived as more at risk of scams. They suggest that this may limit access to banking and payment services and result in poorer outcomes for certain demographic groups such as the elderly and those with serious mental health conditions.348 While we recognise this argument, it has been made abundantly clear to us that all people have the capacity to become victims of fraud, regardless of perceived vulnerability. Therefore, this measure should apply across the board.

225.We have heard that there would be value in slowing some payments to give more time to analyse suspicious payments. Rob Jones told us that slowing down a small number of Faster Payments would be beneficial as it would allow time for analysis of fraudulent payments and ultimately prevent APP fraud.349 Chris Hemsley, Managing Director of the PSR, told us:

“Most customers would agree that, if I am using my bank account to pay for something like a coffee, it needs to go through quickly. If I am moving potentially life-changing sums of money, a delay of what might be five minutes is not a return to the bad old days of five days to clear funds. It buys a bit of time for the prevention mechanisms to kick in.”350

226.The FCA has introduced the New Consumer Duty, a principles-based duty that comes into effect and firms will have to implement by July 2023. It stipulates that firms should consider building ‘positive friction’ into processes to deliver good outcomes. It suggests that additional steps in the customer journey that are designed to prevent fraud, “would not amount to an unreasonable barrier” and can help to prevent poor decisions. The Duty is outcomes-based rather than led by prescriptive rules. This means that it can be applied more flexibly as technology changes.351

227.Finally, information sharing may have a significant impact on reducing fraudulent transfers at the time of payment if shared in real-time. For example, Chris Hemsley told us that the regulator is working to improve information sharing between payment firms to ensure that they can share information around how long an account has been open, which impacts understanding of how risky the account might be.352

228.The speed with which payments are able to be executed, while beneficial for legitimate customers, is helping fraudsters to get their hands on stolen money at pace. Current provisions in place to help to prevent fraud are welcome but must be strengthened to stop payments reaching fraudsters before they are able to cash out stolen money.

229.To stop fraudulent payments slipping through the net, the speed with which certain payments can be made should be subject to a delay lasting no more than several hours. This might include high-value payments made by personal customers to new payees, with an option to extend this to existing payees in the case of high-value payments. The PSR should consult with industry on the introduction of such a measure and the value threshold to be set. Implementation of this measure must not impact the application of other measures such as AI-assisted transaction monitoring.

230.Approval of a banking and/or e-money licence in the UK must be made conditional upon signing up to Confirmation of Payee.

231.The Banking Protocol should be made mandatory and expanded to telephone and online banking. Banks should be required to provide more training to ensure compliance and to help staff to spot ‘red flags’.

232.The FCA should conduct a thematic review of retail banks to understand how easy it is for fraudsters to open accounts and consult with industry on the possible solutions, including potential reforms to AML procedures. It should encourage the regular stress-testing of KYC procedures in order to address emerging threats such as deepfake technology.

233.The FCA and PSR should work with PSPs to increase transparency and customer understanding about measures in place to prevent fraud, including possibly slowing the pace of transactions and KYC checks. This work should feed into the Government’s centrally led public awareness campaign (see paragraph 418).

Cryptoassets

234.A cryptoasset is a cryptographically secured digital representation of value or contractual rights that can be transferred, stored or traded electronically”.353 There are two major kinds of cryptoassets; unbacked assets like Bitcoin that are considered speculative and volatile, and stablecoins, which are tied to another asset like Pound Sterling.354

235.Europol recognises that “criminals involved in frauds strongly rely on the use of cryptocurrencies”.355 Since 2008, the emergence of cryptoassets has provided fraudsters with new opportunities to defraud people, for example through cryptoasset investment scams (see Box 5), and also to cash out their stolen funds. Mark Taber, an anti-fraud campaigner, told us that crypto is used by criminals because it “bypasses traditional banks and the anti-fraud and consumer protection measures they have in place.”356

236.Katie Martin explained how the process works:

“Money laundering on the wholesale side is relatively straightforward. You take ill-gotten gains from whatever it is—people trafficking or the drug trade [or fraud]—and convert those proceeds into cryptocurrencies and then pull them out of the financial system at the other end in currencies that you can actually use for day-to-day life, such as sterling, dollars or euros.”357

237.Cryptoassets can be held anonymously in crypto wallets based anywhere in the world, and the owners of such assets are hard to identify. This is due to difficulties matching blockchain addresses to real users.358 Issues with blockchain identification are compounded by traditionally poor KYC processes at the point of sign-up. Katie Martin told us that such checks are “often not there”, despite claims made by large crypto exchanges.359 For example, some cryptoasset exchanges do not require or provide identification or verification of those participating in it, nor do they generate historical records of transactions associated with real identities.360

Action to regulate cryptoassets

238.TSB has argued that greater use of KYC processes should be built into the cryptoasset ecosystem. It argued that crypto exchanges, which have typically suffered from poor security and KYC processes, should take steps to “tighten up their standards and to accept responsibility for reimbursing users suffering fraud on their accounts”.361 The Motion Picture Association took this further, arguing that all commercial entities should be required to establish the true identity of their customers as a precondition of doing business.362

239.In addition to KYC checks, we have heard that there should be greater scrutiny of on and off ramps within the cryptocurrency system. These are the points at which individuals move their money on and off cryptocurrency platforms. This would be beneficial because, in contrast to some other parts of the cryptoasset ecosystem, these ramps are usually regulated entities such as banks.363 Furthermore, regulating the process by which money is transferred from traditional banking into crypto might prove an easier task than regulating crypto itself, which is proving a complex challenge for regulators globally.

240.In the USA, the Chair of the Securities and Exchange Commission (SEC) has called on Congress for more powers to police crypto trading, lending and De-Fi platforms, which they described as a “Wild West”.364 The EU has set out its proposed principles in the Markets in Crypto Asset (MICA) directive, which is expected to come into force in 2024.365 MICA is intended to “protect consumers against some of the risks associated with the investment in cryptoassets, and help them avoid fraudulent schemes”.366

241.Some nation states have gone further, for example the Estonian Government has implemented additional obligations for cryptoasset service providers to implement KYC checks, which are similar to those that are placed on other types of financial services.367 The measure was implemented in March 2022 and it is too soon to analyse its impact.

242.The UK has also taken steps to regulate crypto. As of 2020, crypto exchanges and wallet providers must comply with AML obligations and register with the FCA. In March 2021, the FCA launched the Unregistered Crypto Currency Businesses List, which lists firms operating in the UK without registration and that do not appear to be seeking regulation. The list has helped to identify potential scam investments and has led to intervention and subsequent removal of such websites. There are 230 firms on the list as of May 2022.368

243.However, as noted, cryptoassets are not within the regulatory perimeter at present. The FCA intends to publish rules for crypto promotions when legislation has been introduced to bring qualifying cryptoassets within the financial promotions’ regime.369

244.HM Treasury has set out its approach to regulation, including the regulation of stablecoins.370 It confirmed its plans to legislate to bring certain stablecoins, where used for payment, into the regulatory remit of UK regulators. Under the Financial Services and Markets Bill, the Government will be able to bring newly classified ‘digital settlement assets’ including stablecoins and other cryptoassets within the regulatory perimeter.371 The Government intends to consult on the regulatory approach to other types of cryptoasset outside stablecoins (such as Bitcoin) later this year.372

245.The Economic Crime and Corporate Transparency Bill will provide additional powers to law enforcement to help them to seize and recover cryptoassets more easily. It will do this by amending criminal confiscation powers in Parts 2, 3 and 4 of POCA and civil recovery powers in Part 5.373 Whilst we welcome this step, the Committee is concerned that these efforts may be hampered by the difficulties associated with cross-jurisdictional civil orders.

246.Melissa Hodgman, Associate Director in the Enforcement Division at the SEC, told us about the importance of cross-border working given the decline of the ‘national market’ in favour of international, fast moving payments ecosystems including crypto.374 Katie Martin agreed that the global nature of cloud-based transactions presents opportunities for multilateral working:

“It is crucial that the UK is extremely plugged into what the international community is doing on [crypto] … it does not matter if one country manages to do it well. The bad actors can simply move somewhere else. International communication is key.”375

247.Finally, further technological developments in how digital money is used may present further opportunities for fraudsters. The Committee has heard that the Bank of England is in the early stages of discussing the future of a central bank digital currency, a type of digital bank note. Tom Mutton told us that identity verification was key to the security of any future such digital currency:

“If we have a central bank digital currency, we want it to have very strong financial crime controls. We want, as far as possible, to make sure that it is reducing financial crime such as fraud. Most of that comes to the question of identity verification. At the same time, if we are to have trust and confidence in the money, we need to make sure that it is upholding society’s reasonable expectations of privacy.”376

248.Alongside the threat of cryptoasset investment scams, cryptoassets are increasingly being used by fraudsters to syphon off their stolen funds, allowing them to disappear without trace. Regulators must focus more tightly on the ‘on and off-ramps’ that facilitate the transfer of funds from traditional banks into and out of crypto-based wallets. Regulators must use their existing powers to tackle this challenge and support the work of the global regulatory community as it continues to create an aligned approach to cryptoasset regulation.

249.The Government should work with the private sector to integrate better KYC checks into the cryptoasset account set-up process. This should include designing systems that ensure cryptoassets and crypto-wallets can be traced to an identified individual.

250.HM Treasury should urgently bring forward the measures in the Financial Services and Markets Bill to enable the FCA to regulate cryptoassets, as well as its forthcoming consultation on other types of cryptoassets.

251.The Home Office should urgently bring forward measures in the Economic Crime and Corporate Transparency Bill to allow the seizure of cryptoassets using civil recovery powers as well as the existing criminal powers.

Money mules

252.A money mule is someone who receives money from a third party in their bank account and transfers it somewhere else, or who withdraws it as cash and gives it to someone else, obtaining a commission for it or payments in kind. These individuals are targeted by ‘mule herders’, who recruit money mules, often using social media or gaming platforms.377 Mules may be promised a cut of the money that they are asked to transfer. The City of London Police told us:

“The continued use of ‘money mule networks’ to receive, move and conceal the proceeds of fraud is an ongoing and persistent threat evidenced across many fraud types and continues to facilitate the movement of fraudulent funds as well as access to victims across domestic and international jurisdictions. The recruitment of money mules for use in fraud has continued over the past year on both digital messaging services and social media platforms.”378

253.Criminals may also use more traditional tactics to recruit young people to act as money mules. Research from Cifas in the pre-pandemic year 2019 showed that the number of cases of 14 to 18 year olds acting as money mules grew by 73% (5,819 cases) in the previous two years.379 Mike Haley told us:

“There are certain areas and schools where we know that there are young people called ‘fraud stars’ who will hang around the gates and recruit people—we call them mule herders—into money mule activity … If you do not realise that this is criminal activity, and what the repercussions and consequences are to protect yourself, we will end up … sleepwalking not just into an epidemic of fraud but into our young people seeing it as a legitimate way of getting a new pair of trainers or a bit of cash.”380

254.We have also heard that overseas students’ bank accounts are often targeted once they have left the UK.381 The Devon and Cornwall Police told us that these students may have been recruited when they enter the UK and make their UK bank accounts available for money laundering once they have returned overseas.382 It is clear that banks should increase monitoring on such accounts and ensure that they are closed once the students leave the UK in a timely fashion once activity on the account has ceased.

255.Many of these young people are unaware of the consequences of being a money mule, which can include, bank account closure, limited access to loans or credit cards, difficulty obtaining a phone contract, and/or a prison sentence of up to 14 years.383 Philip Milton, Public Policy Manager at Meta, told us about the importance of education to tackle this threat:

“I point to education in this piece as well, because often you find that money mules do not actually know that that is what they are. It is often a crime that people commit unknowingly. The mule herders know exactly what they are doing, but often it is a get-rich-quick scheme for people who might not necessarily know the implications of what they are doing. It is effectively money laundering.”384

256.Geraldine Lawlor, Global Head of Financial Crime at KPMG, cautioned that there is a distinction between money mules who are unknowingly facilitating crime, and those that wilfully ignore advice:

“ … Sometimes individuals do not take heed, and they still allow access to their accounts. There is a point where you can determine that they have been reckless and have ignored all the attempts to prevent them going down that route and have gone ahead regardless. That is assessed in how you determine whether they should be treated as a criminal or a victim.”385

Action to tackle money muling

257.Tackling money muling is listed as a priority in the Retail Banking Fraud Sector Charter under Action 4, which sets out the need for more effective deterrents for such activity, and for these to be applied consistently.386

258.There are a number of procedures in place by banks to prevent and detect money muling. The Mule Insights Tactical Solution (MITS) was developed to track suspicious payments and identify mule accounts. It is a network-level solution that traces funds through the financial system.387 MITS works through algorithms, which alert financial institutions to suspect mule accounts within their portfolios. It is superior to manual tracking processes that cannot keep up with Faster Payments and allows financial institutions to see the whole payments network.388

259.The West Midlands Police and Crime Commissioner, Simon Foster, has funded a project to educate schoolchildren on the risks of being a money mule. The PCC told us that early intervention and preventative action are underused tools in the counter-fraud response, arguing that education increases fraud awareness within these groups.389 Mike Haley argued that education on the dangers of muling should be a mandatory part of the PSHE curriculum.”390

260.Transpact told the Committee that banks should do more to educate their customers on the risks of muling, arguing that too many mules claim they did not know what they were doing is wrong. It suggests that the payee bank (the mule’s account) should be held responsible for warning its customers of accepting such payments for the purposes of transferring illegally obtained money.391

261.Former Minister for Tech and the Digital Economy Damian Collins told us that the Government already funds several programmes to tackle media literacy in order to educate citizens with the “basic information they need to try to keep themselves safe and question the sources of information they see”.392

262.Money muling is a serious form of money laundering, yet not enough people are alert to the dangers and risks that can follow from allowing their bank account to be used to launder the proceeds of crime. The Committee is concerned that cost of living pressures could force more people from a range of demographic groups towards money muling.

263.Building on the work of Cifas and UK Finance, the Government should roll out a national campaign in partnership with schools and universities focussed on raising awareness of the dangers of money muling. It should also consider awareness campaigns for demographic groups that are not typically targeted by mule herders.

264.In partnership with industry, the Government must explore the functionality of a mechanism akin to Confirmation of Payee that alerts a payee about the dangers of money muling and requests authorisation when they receive a payment from an unknown bank account.


306 Pay.UK, ‘Faster Payment System’: https://www.wearepay.uk/what-we-do/payment-systems/faster-payment-system/ [accessed 11 March 2022]

307 ‘New regulatory framework set for New Payments Architecture’, Linklaters (13 December 2021): https://financialregulation.linklaters.com/post/102hede/future-regulatory-framework-set-for-new-payments-architecture [accessed 7 January 2022] and PSR, ‘New Payments Architecture (NPA)’: https://www.psr.org.uk/our-work/new-payments-architecture-npa/ [accessed 7 January 2021]

308 FCA, ‘Using payment service providers’ (9 March 2022): https://www.fca.org.uk/consumers/using-payment-service-providers [accessed 1 November 2022]

310 UK Finance, UK Payment Markets Summary 2022 (August 2022): https://www.ukfinance.org.uk/system/files/2022–08/UKF%20Payment%20Markets%20Summary%202022.pdf [accessed 1 November 2022]

311 ‘Faces are the next target for fraudsters’, Wall Street Journal (7 July 2021): available at https://www.wsj.com/articles/faces-are-the-next-target-for-fraudsters-11625662828 [accessed 1 November 2022] and LexisNexis Risk Solution, ‘What is Synthetic Identity Fraud?’: https://risk.lexisnexis.com/insights-resources/article/synthetic-identity-fraud [accessed 1 November 2022]

312 Q 93 (Joe Lycett)

313 ‘What are deepfakes: and how can you spot them?’ The Guardian (13 January 2020): https://www.theguardian.com/technology/2020/jan/13/what-are-deepfakes-and-how-can-you-spot-them [accessed 1 November 2022]

314 Q 63 (Dr Alice Hutchings)

315 Written evidence by Transpact.com (FDF0061)

317 Eversheds Sutherland, ‘UK Government aims to lead on trust in Digital IDs’ (23 March 2022): https://www.eversheds-sutherland.com/global/en/what/articles/index.page?ArticleID=en/tmt/UK-Government-aims-to-lead-on-trust-in-Digital-IDs [accessed 1 November 2022], see comments by Philip James.

318 See “It’s my money, not theirs’: Account closures exposed at Pockit, Revolut, Monese and Monzo’, The i (18 May 2021): https://inews.co.uk/inews-lifestyle/money/saving-and-banking/customers-pockit-revolut-monese-complain-unexpected-account-closures-1008448 [accessed 1 November 2022].

319 ‘Digital bank Revolut’s sanctions screening issue revealed’, Daily Telegraph (28 February 2019): available
at https://www.telegraph.co.uk/technology/2019/02/28/revolut-failed-block-suspicious-transactions/ [accessed 1 November 2022]

320 Q 63 (Dr Konstantinos Mersinas)

321 Q 36 (Nicholas Taylor)

322 FCA, ‘NatWest fined £264.8 million for anti-money laundering failures’ (13 December 2021): https://www.fca.org.uk/news/press-releases/natwest-fined-264.8million-anti-money-laundering-failures [accessed 1 November 2022]; Southwark Crown Court, R -v- National Westminster Bank, Sentencing Remarks of Mrs Justice Cockerill (13 December 2021)

323 FCA, ‘FCA fines HSBC Bank plc £63.9 million for deficient transaction monitoring controls’ (17 December 2021): https://www.fca.org.uk/news/press-releases/fca-fines-hsbc-bank-plc-deficient-transaction-monitoring-controls [accessed 1 November 2022]; see also FCA, Decision Notice: https://www.fca.org.uk/publication/decision-notices/hsbc-bank-plc.pdf [accessed 1 November 2022].

324 Q 74 (Ghela Boskovich)

325 Q 36 (Nicholas Taylor)

326 Written evidence by the FCA (FDF0091)

327 Financial Services Act 2012, Schedule 3, Part 4(25) and written evidence by Transparency Task Force (FDF0092)

328 Macfarlanes, ‘Is the United States more effective than the United Kingdom at prosecuting economic crime?’ (7 May 2021): https://www.macfarlanes.com/what-we-think/in-depth/2021/is-the-united-states-more-effective-than-the-united-kingdom-at-prosecuting-economic-crime/ [accessed 1 November 2022]

329 House of Commons Library, Financial Services and Markets Bill 2022–23,Research Briefing, CBP 9594, 1 September 2022 and Financial Services and Markets Bill, clauses 27 and 28

330 House of Commons Library, Open Banking: banking but not as we know it?, Briefing Paper CBP 08215, 26 January 2018

331 Pay.UK, ‘How Faster Payments works’: https://www.wearepay.uk/what-we-do/payment-systems/faster-payment-system/how-faster-payments-work/ [accessed 1 November 2022]

332 Pay.UK, ‘Faster Payment System’: https://www.wearepay.uk/what-we-do/payment-systems/faster-payment-system/ [accessed 1 November 2022]

333 UK Finance, Fraud: the facts 2021 (June 2021): https://www.ukfinance.org.uk/system/files/Fraud%20The%20Facts%202021-%20FINAL.pdf [accessed 1 November 2022]

334 Written evidence from Pay.UK (FDF0014)

335 Written evidence from the Building Societies Association (FDF0023)

336 ‘Australia Central Bank Acknowledges Faster Payments’ Risk Challenge’, PYMNTS.com (20 March 2018): https://www.pymnts.com/news/b2b-payments/2018/australia-banking-faster-payments-fraud/ [accessed 1 November 2022]

337 Australian Competition and Consumer Commission, Targeting scams: Report of the ACCC on scams activity 2021 (July 2022): https://www.accc.gov.au/system/files/Targeting%20scams%20-%20report%20of%20the%20ACCC%20on%20scams%20activity%202021.pdf [accessed 1 November 2022]

338 ‘‘People are losing a fortune’: ACCC urges banks to act as scam losses surge’, Sydney Morning Herald (4 July 2022): https://www.smh.com.au/business/consumer-affairs/people-are-losing-a-fortune-accc-urges-banks-to-act-as-scam-losses-surge-20220704-p5ayvy.html [accessed 1 November 2022]

339 Q 36 (Brian Dilley)

340 Written evidence from the Building Societies Association (FDF0023)

341 UK Finance, ‘Expanding the Banking Protocol Scheme’: https://www.ukfinance.org.uk/news-and-insight/blogs/expanding-banking-protocol-scheme [accessed 1 November 2022]

342 See Thomson Reuters Practical Law, Barclays Bank Plc v Quincecare Ltd [1992] 4 All E.R. 363 (24 February 1988): available at https://uk.practicallaw.thomsonreuters.com/Document/ID61FA820A39B11ECAA9B8E16236A2AFE/View/FullText.html [accessed 1 November 2022].

343 UK Finance, Fraud: the facts 2021 (June 2021): https://www.ukfinance.org.uk/system/files/Fraud%20The%20Facts%202021-%20FINAL.pdf [accessed 1 November 2022]

344 Q 36 (Brian Dilley)

345 Q 36 (Nicholas Taylor)

346 Oral evidence given taken before the Treasury Committee on 29 November 2021 (Session 2021–22), Q 430 (John Glen)

347 262 (Tom Tugendhat MP)

348 PSR, Authorised Push Payment (APP) Scams: Consultation paper (November 2021): https://www.psr.org.uk/media/kg0bx5v3/psr-cp21-10-app-scams-consultation-paper-nov-2021.pdf [accessed 1 November 2022]

349 Q 221 (Rob Jones)

350 Q 158 (Chris Hemsley)

351 FCA, FG22/5 Final non-Handbook Guidance for firms on the Consumer Duty (July 2022): https://www.fca.org.uk/publication/finalised-guidance/fg22-5.pdf [accessed 1 November 2022] and FCA, A new Consumer Duty: Feedback to CP21/36 and final rules (July 2022): https://www.fca.org.uk/publication/policy/ps22-9.pdf [accessed 1 November 2022]

352 Q 158 (Chris Hemsley)

353 The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (SI 2017/692)

354 Bank of England, ‘What are cryptoassets’ (19 May 2020): https://www.bankofengland.co.uk/KnowledgeBank/what-are-cryptocurrencies (accessed 1 November 2022]

356 Written evidence from Mark Taber (FDF0056)

357 Q 70 (Katie Martin)

358 Ibid.

359 Ibid.

360 2 Bedford Row, ‘Money laundering and virtual cryptocurrencies’ (27 February 2018): https://www.2bedfordrow.co.uk/money-laundering-virtual-cryptocurrencies-sam-thomas/ [accessed 1 November 2022]

361 Written evidence from TSB (FDF0066)

362 Written evidence from the Motion Picture Association (FDF0068)

363 QQ 71–75 (Katie Martin)

364 ‘U.S. SEC Chair Gensler calls on Congress to help rein in crypto ‘Wild West’, Reuters (3 August 2021): https://www.reuters.com/technology/us-sec-chair-gensler-calls-congress-help-rein-crypto-wild-west-2021–08-03/ [accessed 1 November 2022]

365 ‘Borderless crypto markets show need for global rules’, Financial Times (28 February 2022): https://www.ft.com/content/0e0dc602-af91-4253-a230-c1598781b3b4 [accessed 1 November 2022]

366 European Council, Council of the European Union, ‘ Digital finance: agreement reached on European crypto-assets regulation (MiCA)’ (30 June 2022): https://www.consilium.europa.eu/en/press/press-releases/2022/06/30/digital-finance-agreement-reached-on-european-crypto-assets-regulation-mica/ [accessed 1 November 2022]

367 Q 177 (Markko Künnapu). See also ‘Crypto bears the brunt of Estonia’s war against dirty money’, Politico (11 March 2022): https://www.politico.eu/article/crypto-finance-estonia-dirty-money/ [accessed 1 November 2022].

368 Written evidence from the FCA (FDF0091) and the FCA (FDF0069)

369 FCA, ‘PS22/10: Strengthening our financial promotion rules for high-risk investments and firms approving financial promotions’ (1 August 2022): https://www.fca.org.uk/publications/policy-statements/ps22-10-strengthening-our-financial-promotion-rules-high-risk-investments-firms-approving-financial-promotions [accessed 1 November 2022]

370 HM Treasury, UK regulatory approach to cryptoassets, stablecoins, and distributed ledger technology in financial markets: Response to the consultation and call for evidence (April 2022): https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/1088774/O-S_Stablecoins_consultation_response.pdf [accessed 1 November 2022]

371 Financial Services and Markets Bill, Chapter 2(22)

373 HM Government, ‘Fact sheet: Economic Crime and Corporate Transparency Bill’ (22 September 2022): https://www.gov.uk/government/publications/economic-crime-and-corporate-transparency-bill-2022-factsheets/fact-sheet-economic-crime-and-corporate-transparency-bill-overarching [accessed 1 November 2022]

374 Q 183 (Melissa Hodgman)

375 Q 79 (Katie Martin)

376 Q 165 (Tom Mutton)

377 Q 37 (Brian Dilley) and HSBC, Get to know gaming: spending: https://www.hsbc.co.uk/content/dam/hsbc/gb/pdf/video-transcripts/hsbc-transcript-spending.pdf [accessed 1 November 2022]

378 Written evidence from City of London Police (FDF0031)

379 BBC News, ‘Rise in teenage money mules prompts warnings’ (16 September 2019): https://www.bbc.co.uk/news/business-49717288 [accessed 1 November 2022]

380 Q 21 (Mike Haley)

381 Q 37 (Geraldine Lawlor)

382 Written evidence from Devon and Cornwall Police (FDF0009)

383 Cifas, UK Finance, ‘Don’t be fooled’: https://www.moneymules.co.uk/ [accessed 1 November 2022]

384 Q 138 (Philip Milton)

385 Q 37 (Geraldine Lawlor)

386 Home Office, ‘Fraud sector charter: retail banking’ (updated 26 October 2021): https://www.gov.uk/government/publications/joint-fraud-taskforce-retail-banking-charter/fraud-sector-charter-retail-banking-accessible-version [accessed 1 November 2022]

387 See written evidence submitted by Mastercard to the Treasury Committee inquiry on Economic Crime (ECC0074)

388 Vocalink, ‘Mule Insights Tactical Solution’: https://www.vocalink.com/newsroom/success-stories/case-study-mits/ [accessed 1 November 2022]

389 Written evidence from the West Midlands Police and Crime Commissioner (FDF0035)

390 Q 21 (Mike Haley)

391 Written evidence from Transpact.com (FDF0061)

392 Q 269 (Damian Collins MP)




© Parliamentary copyright 2022