Money muling allows the criminal misuse of the financial system and facilitates fraud. We share the key findings from our review of payment services and account providers’ use of the National Fraud Database (NFD) and a money mule account detection tool to tackle risks associated with money muling activities.
Background to the review
Money muling is a money laundering technique where an individual - a 'money mule' - moves the proceeds of crime on behalf of criminals. In some cases, individuals are involved unwittingly. The national Economic Crime Plan 2 (2023–2026) and Fraud Strategy identify money mules’ integral role in moving the proceeds of fraud and enabling other crime types. This practice can also result in serious consequences for those persuaded or duped into allowing criminals to move money through their account. This underlines the importance of disrupting mule activity to protect the public.
FCA data indicates that a total of 194,084 money mules were offboarded by 25 firms between January 2022 and September 2023. Of these offboarded money mules, only 37% were reported to the National Fraud Database (NFD).
Using the NFD effectively, together with detection tools designed to trace the proceeds of fraud across payment networks, is critical in tackling mule activity. We have reviewed how firms use these controls and now share our key findings.
These findings should be read in conjunction with our previously published findings, in November 2023, where we shared our expectation for firms to strengthen their controls during onboarding, improving transaction monitoring to detect suspicious activity involving money mules, and to robustly address the associated risks.
Who this applies to
This review will be of interest to
- UK payment service providers (PSPs), which includes banks, building societies, payment firms, e-money firms and
- other businesses that provide payment accounts
Introduction
National Fraud Database (NFD)
The NFD is a cross-sector database that holds records of fraud and money mule cases in the UK.
The NFD is hosted and maintained by Cifas, an independent, not-for-profit fraud prevention organisation working to reduce fraud and related financial crime in the UK.
Firms’ membership of Cifas is voluntary. The organisation has over 750 members from various sectors including banks, credit card companies, retail credit, insurance, telecoms, and public agencies.
Member firms are required to ensure that each submission to the NFD meets a standard of proof, including the evidence to show that the customer knew the funds were, or might be, the proceeds of crime.
Money Mule Account Detection Tool
Some firms also use a money mule account detection tool which can trace the proceeds of fraud across the Faster Payments System (FPS). This tool provides regular alerts about suspected mules and a visual representation of the movement of funds, allowing firms to proactively tackle the muling risk.
Why we did this work
The aim of our review was to understand how the use of the NFD, and a widely used commercially available money mule account detection tool, supports firms’ approach to combating fraud and muling. We also wanted to understand the challenges and obstacles firms face in using these tools effectively.
What we looked at
We reviewed multiple cases across 13 firms where accounts suspected of money muling were identified. These covered cases where firms both reported these accounts to the NFD and where they did not.
Separately, we also reviewed data from a money mule account detection tool to gauge how effectively firms tackle money muling risks in their customer base. We looked at how firms respond to alerts raised through the tool to prevent mule activity and disrupt mule networks.
What we found in our review of firms’ use of the NFD
All the firms reviewed highlighted the importance of the NFD in their efforts to protect their customers from fraud and ensure they are not being used by fraudsters to launder the proceeds of crime. All firms reported a collaborative and supportive partnership with Cifas, which helped them prevent, detect, and disrupt fraud.
The evidential standard for reporting a money mule to the NFD is high. We were encouraged to find that where firms are filing customers’ details to the NFD, the standards were met supported by thorough investigations. We were also encouraged that most firms conducted a NFD check as part of their internal investigation of the fraud cases. Information on any previous records of fraud helps firms establish patterns of fraudulent behaviour and prevent repeated fraud attempts.
Firms were not automatically declining new account applicants flagged as a risk on the NFD. Positively, we saw firms referred those applications for an individual risk assessment.
Areas for improvement
We found the proportion of identified money mules being reported to the NFD varies considerably among firms: some are reporting far fewer cases than their peers, despite having similar overall numbers of accounts. In one notable example, a firm reported only 6% of their offboarded money mules to the NFD between January 2022 and September 2023. Whereas some firms submitted more than 66% of such cases to the NFD during the same timeframe.
We observed that, after the initial onboarding, only one firm was conducting real time checks of their customers against the NFD. As a result, most other firms failed to detect when one or more new fraud markers were added to the NFD by other firms. We found that some of these new markers were not identified by the firms for extended periods. In one instance, this was for more than two years. Some of the firms only discovered these markers after the fraud had already occurred and they were notified by external sources.
We found instances where a small number of firms were using the NFD to screen their new and existing customers but were not submitting any of their own cases to the NFD. The NFD is a reciprocal data sharing arrangement, and its strength is in the collective intelligence of all its members.
Our review included sample cases where firms decided not to file the customer’s details to the NFD, despite identifying them as a money mule and closing their accounts. In nearly a third of these cases, we disagreed with the firm’s decision not to file the customer’s details to the NFD, as we believe that these cases met the standard of proof required for NFD filing. In many of these cases, our review found that the firms failed to provide justification to support their decision not to file. We encourage firms to comprehensively record the outcome of their fraud investigations to evidence objective decision making.
In other cases, the firms’ rationale for not filing money mules to the NFD was their internal policy to exclude certain types of cases, such as cases of attempted fraud, customers of specific age groups, cases below a certain fraud loss value, and cases involving recipients of generational funds. Generational movement refers to the layering process to conceal the illicit origins of funds. First-generation mules receive money directly from the fraud victims, the subsequent recipients are referred to as second-generation mules, and so on. It is good practice for firms to assess each money mule case individually, based on its own specific circumstances, and submit all cases that meet the required standard of proof to the NFD.
Key challenges
One of the challenges firms reported was if they encountered a delayed response, or no response, to an information request to the firm where the funds had been sent from. Timely co-operation helps firms meet the standard of proof required to upload information into the NFD, and so we expect all firms to promptly respond to the information requests from other firms.
Firms find it challenging to demonstrate conclusively whether the customer willingly participated in money mule activities. This is a requirement of the standard of proof for filing cases to the NFD. We know that customers can unknowingly or unwittingly become money mules in certain situations. So, it is critical that member firms thoroughly verify and document that the standard of proof has been met before submitting cases to the NFD.
We understand that analysing how personal vulnerabilities contribute to fraudulent behaviour can be challenging. However, we found that, in most instances, the firms made no reference to customers’ recorded vulnerabilities when concluding their investigation into fraud cases. Firms also failed to provide a clear rationale for not filing the details of such customers to the NFD, even where their own investigation confirmed the customer’s willing involvement in fraud and money muling.
As only confirmed cases of fraud can be filed to the NFD, we note firms cannot share information on suspected money mules with the wider industry, although we recognise that some firms use other industry standard, cross sector databases to share this information on a more limited basis than the NFD. We recognise the challenge in sharing information on suspected money mules. Therefore, we invite industry to help drive forward improvement and ways to share this information more widely and as standard practice, while protecting unwitting mules and vulnerable customers. This would benefit individual firms and the wider work in the UK to tackle fraud. We are committed to supporting efforts to tackle the threat of money muling in an effective and proportionate way through partnership, data-sharing, and innovation. We see our role here as supporting industry to deliver solutions and are keen to help overcome barriers or challenges.
What we found in our review of firms’ use of a money mule account detection tool
The money mule account detection tool alerts firms to suspected mule accounts and visualises the movement of funds. Several firms told us the tool’s effectiveness increased when corroborated by additional supporting information. As a result, they do not treat alerts raised through the detection tool as a clear indicator of muling activity on their own.
Our review found most firms investigated alerts relating to funds arriving into suspected mule accounts at the first generation; however, they were less responsive to alerts that fired at later generations, despite the presence of clear risk factors. Some firms indicated they only act if the alerts met their internal thresholds, such as the value of the transaction. Firms that took this approach explained they sought to filter out alerts which they thought were unlikely to be money mules and to ensure better prioritising of their resources. We observed instances where thresholds could have been calibrated more effectively to detect genuine money muling activity and prompt investigation. We encourage firms to review and refine their thresholds to ensure these are appropriately set and capable of identifying instances of mule activity more accurately.
When firms did act on alerts, the quality of the investigation into suspected mule account activity varied. In one instance, a logical checklist approach was used to examine unusual transactions. For example, the firm considered where money that entered the account was from. However, our review suggested that the investigation made incorrect judgments when interpreting the indicators. This raised concerns on the depth of the review conducted. Firms should recognise the risk of not investigating all alerts appropriately and should ensure their reasoning is well documented.
Firms who identified mule activity promptly relied on the following indicators: unexpected or unexplained deposits into the accounts; rapid dispersal of funds through networks of accounts, often within minutes of receipt; the movement of funds to international jurisdictions; and rapid withdrawal of the funds from ATMs. This demonstrates that where firms have effectively calibrated their fraud monitoring systems, they are able to identify and respond to money muling risks.
Our additional findings
We found multiple patterns of unusual transactions which could have helped firms detect fraud cases internally, before being alerted by external sources. These cases included: customers receiving large deposits shortly after opening accounts that either exceeded or nearly exceeded their stated annual income or turnover; and unusual account activity not aligned with the nature of the business, and multiple rapid transactions within a short period. We expect firms to demonstrate strong risk management by proactively detecting unusual transactions to stop fraudulent transactions, sooner. Swift internal detection helps identify weaknesses in controls or emerging fraud patterns quickly, allowing firms to strengthen their defences before vulnerabilities can be widely exploited.
The Money Laundering Regulations require firms to assess, and where appropriate, collect information on the nature and purpose of any business relationship. The Joint Money Laundering Steering Group (JMLSG) guidance may be helpful for firms when verifying income or business turnover information during the account opening process. As previously observed, we again found instances where firms were not collecting or recording information on customers expected annual income or business turnover, as a part of their customers’ account-opening. Information collected at onboarding supports both the initial verification of a customer and can be used to inform and improve firms’ ongoing transaction monitoring systems to detect any unusual activities on a customer’s account.
We found instances where the firms could not easily produce customers’ proof of identification (ID) or proof of address documentation. This was either because the documentation was archived and took time and effort to retrieve, or the firm did not have access because a third party had carried out the identity verification. Firms should be able to refer to this information when investigating alerts, responding to law enforcement, or as part of customer’s re-authentication checks. This is in line with the firms’ record keeping obligations under the Money Laundering Regulations.
We were reassured that, overall, firms had a high incidence of reporting Suspicious Activity Reports (SARs) to the NCA following their investigation of suspected mule accounts. However, we also found some instances where SARs could have been considered and raised. Timely submission of SARs is critical to tackling the mule network, valuable account information from SARs can help law enforcement investigate and prosecute criminals involved in the proceeds of fraud.
Next steps
We have shared the findings of our review with Cifas recognising the crucial role of Cifas in preventing, detecting and disrupting financial crime activity. This review demonstrates the importance of data-sharing in disrupting mule activity to protect the public and build trust and confidence in financial markets.
We continue to directly engage with the firms included in this review to ensure they consider these findings to enhance their overall systems and controls for fraud.
We expect all other payment services and account providers to consider their own systems and controls against our findings. It is vital that firms have a proactive approach to identifying and swiftly remedying any weaknesses in their response to tackling the risks posed by money muling.
Firms should have strong and effective systems and controls to mitigate the risk of money mules. Crucially, firms must consistently keep under review their detection and monitoring methodologies, prioritising the identification of money mule activity, alongside educating consumers about the risks of money muling.