Mobile Payment Providers & Regulators

Best practices to prevent AML/CTF risks.

July 19, 2011

By Mohammad Noor Zraiqat

It's not uncommon to hear about financial institutions being investigated by regulators for a variety of misdeeds.

And we often hear about reporting entities being subjected to investigations, local or international, for financial crimes.

But what about mobile payment providers? Are they being scrutinized as closely as financial institutions? Or will they undergo painstaking “know your customer” policies and enhanced due-diligence procedures?

You may think mobile payment providers aren't targeted by money launderers or terrorist financiers yet.

For many years this sector was left behind during the global war against money laundering and terrorist financing.

Although we believe in the high priority given to other sectors such as financial institutions, we have to admit the money launderers are always a step ahead in seeking new, less-regulated entities to launder their ill-gotten gains.

In 2006, the Financial Action Task Force issued its report on new payment methods of money laundering, including mobile payment vulnerabilities to money laundering and terrorist financing, as a benchmark for both regulators and reporting entities.

In 2010, the task force updated this report to cover a comprehensive risk-based approach and related risk factors. But the major addition was the money laundering typologies and study cases associated with these types of payments, including three cases related to mobile payment schemes over the last four years.

The main reasons for these results were:

  • Third-party funding (including straw men and nominees);
  • Exploitation of the non-face-to-face nature of new payment method accounts; and
  • Complicit new payment method providers or their employees.

Mobile payment systems vary among nations based on a variety of factors. A 2008 World Bank working paper classified mobile payment services into four categories:

1. Mobile financial information services. Through these services, subscribers can request general financial information from personal accounts. There are low or no anti-money laundering/counter-terrorism financing (AML/CTF) risks associated with these types of services.

2. Mobile bank and securities accounts. With this service, the mobile account will be bounded with a bank or security account with a facility to make transactions through the mobile phone.

Thus, the service will be like an Internet banking service that uses the mobile phone instead of the Internet.

This service poses AML/CTF risks, but it’s strictly overseen due to regulations and surveillance deployed by banks and securities companies.

In addition, the outsourcing business keeps the door opened for additional risks for non-face-to-face account opening procedures.

Additional risks may occur when the bank pools the funds into one account held in the name of mobile payment provider.

3. Mobile payments. These allow nonbank accountholders to make payments for their purchase, utility bills, or services using their mobile phones. For this service, the mobile payment providers play the role of a financial institution. Using the mobile phone as a prepaid card or an electronic purse form a risk for AML/CTF.

4. Mobile money. With this service, the subscriber may store money in the mobile phone and may make payments or transfers through his/her phone. This poses an extreme risk due to lack of regulations and oversight.

As shown above, AML/CTF risks associated with mobile payment/money services threaten the country’s systems and weakens the mobile payment provider’s reputation.

Following are some recommended best practices that will help to mitigate AML/CTF risks associated for both countries and mobile payment providers.

Next: Regulatory framework and legislations

Regulatory framework and legislations

Unfortunately, many of the world’s countries have no regulatory framework to fight money laundering or terrorist financing through mobile money/payment services.

Not considering a mobile payment provider as reporting entity is another big concern. Based on the Methodology of Assessing Compliance with FATF 40 and 9 Special Recommendations, FATF defined the financial institution as “any person or entity who conducts as a business one or more of the activities…”

These activities include acceptance of deposits and other payable funds from public, the transfer of money or value, and issuing and managing means of payment. The definition also applies to mobile payment providers, which acts as a nontraditional financial institution.

Accordingly, it should be considered as a reporting entity and subject to any AML law, act, or decree. This is what most governmental officials are not aware of.

For example, in some Middle Eastern countries, mobile payment providers aren’t permitted or encouraged to send suspicious activity reports to local authorities. They route them to a local bank with a business relationship so the bank can conduct extra due diligence then report it to the government.

Compliance program

Like any other reporting entity, mobile payment providers should be more confident in building up a healthy compliance program that underscores its compliance with local regulations and international standards. This requires:

• Designation of a compliance officer. Compliance is a brand-new term in mobile payment providers’ organizational culture. Designating a compliance officer within the company is a first step.

Qualified compliance specialists will be the cornerstone in implementing the required compliance program and following pertinent regulations.

• Policies and procedures. What would mobile operators do when regulators ask for documentation? Predefined internal policies and procedures should cover all daily operations among all related departments in mobile payment providers.

Such policies should include account-opening and closing policies, customer due-diligence procedures, and recordkeeping requirements. These may include clear preventive measures such as transaction rejections and limits in certain conditions.

• Training. A major challenge for the compliance officers is to provide proper training to all employees and related parties.

Design training materials according to the particular audience. For example, train front-line staff on the basics of money laundering red-flags in mobile payment services. Compliance officers and AML investigators are more interested in advanced and complex international money laundering typologies and regulations.

• Independent auditing. This is an effective tool to measure the success or failure of the compliance program. it will make sure previously detected deficiencies were corrected.

Due to the new threat of money laundering in the mobile payment industry and the increased number of mobile payment subscribers, mobile payment providers should implement an automated transactions monitoring solution that will detect unusual customer activity based on specified red-flags.

Mobile payment providers typically have excellent information technologies implemented already. This will pave the path for an easy deployment of a transaction monitoring and reporting system.

An effective system would be able to analyze transactions according to predefined scenarios that will enable the operators to block or close accounts when abnormal transaction patterns are detected.

Transaction monitoring systems should include:

  • Customer names screening and checking against local and international lists;
  • Behavioral analysis for accounts and subscribers to detect unusual transactions based on precise scenario management;
  • Detection management and related analysis tools that present any hidden relationships between subscribers and accounts;
  • False-positive and fine-tuning management;
  • Self-steering workflows that best fit the organization’s hierarchy module;
  • Extensive case management;
  • A risk-based approach, where all applicable risk factors will be calculated for a proper risk weighting; and
  • Regulatory and managerial reporting.

Like any other industry, mobile payments present specific risks, and regulators are unfamiliar with AML/CTF risks arising from these new services and products.

It would be a great starting point for mobile payment providers to assess the risks associated with each kind of services/products offered to the subscriber in comparison with the major four risk factors (anonymity, rapidity, elusiveness, and poor oversight).

The Mutual Evaluation Report by FATF is considering the assessment of mobile payment regulations. This makes it imperative for countries to move forward with their legislations to be harmonized with international standards and, consequently, be accountable for supervising the implementation of these regulations.

Building up a proper regulatory regime compliant with the international standards remains a big challenge for regulators and mobile payment providers due to lack of knowledge of compliance, anti-money laundering, risk management, and mitigation factors.

This is especially the case for people who are oriented towards mobile network operations only, and are new to this area of expertise.

Mohammad Noor Zraiqat is product manager, compliance solutions, for EastNets.