Proceeds of fraud - Detecting and preventing money mules

Multi-firm reviews Published: 19/10/2023 Last updated: 13/11/2023

We share the key findings from our review of payment account providers’ systems and controls against money mule activity so that others can learn from it. We outline our key findings, including examples of good practice, areas for improvement, and how firms manage the risks of money mule accounts in a proportionate way. 

Background to the review

The national Economic Crime Plan 2 (2023–2026) and Fraud Strategy direct public-private focus to agreed priorities to tackling economic crime. The plan and strategy set out that money mules are integral to moving proceeds of fraud and other crime types, and there should be focus on disrupting mule activity and protecting the public.

Financial services firms, in particular payment account providers like banks and e-money institutions, have a role in disrupting money mule activities. To achieve this firms should have a proportionate and risk-based approach to help make sure their platforms are not being exploited and their customers are not being put at risk by criminal groups. 

At the date of this publication, the Home Office is due to publish a money mules action plan in the coming weeks. Our work is aligned to the focus of this action plan to help inform how financial services firms play their part.

Summary of findings

Fraud currently accounts for 40% of all crime. The ease with which fraudsters cash out the proceeds through mule accounts continues to be a problem. Our review focused on the systems and controls for detecting and preventing money mule activity in firms that operate payment accounts. This evaluation included firms’ controls during onboarding, monitoring, and reporting.

Our findings indicate that some firms are working to address the challenges of money mules by implementing a range of measures and technologies to detect and deter fraudsters from using their organisation and harming their customers for illicit gains.

We have observed some firms establish proportionate approaches that use innovative solutions including facial recognition systems, device profiling and geolocation. However, despite these efforts, not all firms are responding with the same focus, and some firms need to do more to tackle the problem. This includes more proportionate checks at onboarding for indicators and red flags which may identify potential mules. When firms have onboarded customers, they need to ensure that their monitoring systems are set up to detect common mule behaviours and do more to monitor inbound transactions as well as outbound.

We found that most firms use the National Fraud Database as part of their onboarding checks and sharing information with relevant authorities using lawful gateways and where it is necessary to disrupt and detect fraud. However, we note that where some firms identify a mule account, they do not always report this promptly on relevant reporting systems, therefore delaying notifications to other firms. Additionally, some firms in receipt of fraudulent funds are not responding swiftly enough to alerts from notifying institutions. More timely reporting could help to close down mule networks.

Given the prevailing cost of living crisis, some customers might find themselves susceptible to providing their account details for money mule activities under influence or pressure. We ask firms to improve their communication strategies and awareness initiatives, keeping customers informed about the latest threats.

Based on our findings, we expect firms to take a proactive and proportionate approach to address the problem of money mule activity. This entails strengthening controls during onboarding, improving transaction monitoring to detect suspicious activity involving money mules, and optimising reporting mechanisms for swift action. Additionally, firms should proactively raise consumer awareness about the risks of acting as a money mule in order to protect them. These measures will help firms reinforce their controls in line with our recommendations.

We expect firms to establish proportionate systems and controls to manage the problem of money mules and the associated risks. We will use our full regulatory tools, including enforcement action, if we identify a firm failing to maintain proportionate and adequate systems and controls.

Introduction into money mules

A money mule is someone who is recruited by criminals to move illegally obtained money. Money mules play a crucial role in the process of cashing out the proceeds of fraud.

They are either knowingly involved or unknowingly involved in the fraudulent/money laundering process. 

Unknowingly involved money mules are drawn into criminal activities and are unaware of their involvement in illegal transactions. They are often deceived by fraudsters who present seemingly legitimate opportunities or plausible explanations for their actions. These individuals believe they are working for a legitimate company or helping someone in need. 

Knowingly involved money mules are fully aware of their participation in illicit activities and help criminals in money laundering or fraudulent schemes. These individuals may be motivated by financial gain, getting out of financial difficulties, or choosing to participate in criminal activities.

Who this applies to

The findings of this review will be of interest to Money Laundering Reporting Officers (MLROs) and industry practitioners working in financial crime and fraud roles within payment service providers and electronic money institutions.

This includes banks, building societies and payment firms. 

What we looked at

As part of our review, we focused on Payments Service Providers and Electronic Money Institutions (firms), some well-established and others newer to the market.

Our review focused on the systems and controls firms have in place to detect and prevent money mule activity, primarily related to cashing out the proceeds of fraud. This covered all aspects of firms’ response to mules including controls at onboarding, monitoring, and reporting.

Why we did this work

Fraud is the largest crime type, with levels growing in recent years. In the year ending December 2022, there were an estimated 3.7 million incidents of fraud, accounting for over 40% of all crimes in the UK [Crime in England and Wales: Appendix tables - Office for National Statistics (ons.gov.uk): Table A1]. This level of activity undermines market integrity as well as consumers’ and market participants’ confidence in the stability and reliability of financial institutions. As our 3-year strategy (2022-2025) explains, we are taking a range of actions to reduce and prevent financial crime. This includes targeting additional efforts on fraud where we can have the greatest impact. 

We are implementing an approach to help drive improvements in firms’ anti-fraud systems and controls, to reduce fraud, protect customers from the harms of fraud and stop firms being used to facilitate fraud. 

Fraudsters heavily rely on interconnected mule accounts to transfer and conceal the proceeds of fraud. These transactions can pass through various financial institutions or be converted into cash or cryptocurrencies, effectively masking the money trail, and funnelling the profits back to the criminal groups. The role of money mule networks in enabling fraud is growing. In 2022, firms reported more than 39,000 accounts linked to mule activity to the National Fraud Database [CIFAS: Fraudscape 2023]. 

Beyond the financial impact, there are risks to the public. Individuals are often enticed into providing mule accounts under false pretences of low risk and easy money, such as through fake cash jobs. These deceptive schemes can have far-reaching consequences, including potential legal troubles for individuals who may be unknowingly helping money laundering. The personal and emotional toll can be severe, with victims facing potential loss of their financial stability, damage to their credit rating, risk of criminal prosecution, and possible threat from criminal organisations.

What we found

Some firms have been working to tackle the issue of money mules, implementing various measures and advanced technologies to detect and prevent their services from being exploited by criminal groups.

Some firms are also taking proactive steps to pilot innovative solutions, products and systems aimed at bolstering their detection and monitoring capabilities when it comes to identifying money mules. These include using stronger risk assessment tools, monitoring and transaction analysis to identify and stop money mule activity. Many have also strengthened customer checks during onboarding to minimise the chances of mule accounts being established.  

Despite these significant measures, firms must continue to play their part in line with the national Economic Crime Plan and Fraud Strategy. We expect firms to remain vigilant by updating their controls as threat changes, working in partnership with others through industry and law enforcement data sharing initiatives, so that their controls remain proportionate, and risk based.

Good practices we identified

We saw the following good practices in the firms we reviewed.

Systems and controls

  • Many firms recognise the risk of money mules and have become increasingly aware that they can be used as an enabler for fraudsters. We have seen firms use technology so that they can properly calibrate their systems according to risk, and make sure that they are taking a risk-based approach. Some innovative solutions include the use of facial recognition systems, device profiling and geolocation. By analysing datasets and transaction patterns, these systems can flag suspicious activities, thus enabling firms to identify potential money mule networks.
  • Most firms are embracing new technology to better identify and prevent mules. Investing in machine learning systems helps reduce the inherent risks of static rules-based systems, which fraudsters can bypass as they continuously change their tactics and approach. While static rules are simpler to implement and can be cost effective, they lack adaptability to evolving fraud tactics, often resulting in high false positives, and missing sophisticated fraud schemes. Both types of systems have benefits and shortcomings and we do not propose a prescriptive approach. Firms should consider the most appropriate way to address the risk proportionate to the size and complexity of their business.
  • We found that firms using the National Fraud Database as part of onboarding checks were able to access valuable insights and data to detect and prevent mule activity. It also helped identify customers who were higher risk.
  • We also found that firms can use reporting systems to analyse the flow of funds between firms to help identify and disrupt mule activity. This also allows firms to identify further account holders who may have received such funds, stopping the mule networks. When a potential money mule is identified, firms can use these systems to notify and alert other firms being used by fraudsters. Collaboration can help to combat this prevalent issue.

Use of intelligence, industry engagement and data sharing

  • We found most firms have been increasingly using lawful data sharing to combat the issue of money mules. Through data sharing pilots and collaborative efforts, including with law enforcement, firms are better able to detect and prevent these activities. By sharing their data through appropriate mechanisms, they can identify potential money mule networks more effectively and track the movement of funds across multiple accounts.
  • We found that most firms engage with various external bodies to discuss intelligence and emerging threats. These external bodies include CIFAS, UK Finance, NECC and Fintech FinCrime Exchange. This allows firms to be able to share their findings and their preventative measures to mitigate a specific fraud typology. This then allows these relevant bodies to share these with others in the sector.

Training

  • Some firms have dedicated training for staff on financial crime and specifically fraud. Firms with these dedicated training programmes help ensure relevant staff are kept up to date with new criminal typologies and are therefore better able to detect and prevent money mule activity. Some firms have financial crime training for new joiners as well as refresher training for existing staff. Without this, firms may find it difficult to detect and prevent money mule activity as staff members would not be upskilled to identify such threats.

Areas that need improvement

Although we saw areas of good practice in the firms we reviewed, there were many areas we identified where firms should be doing more to tackle money mules.

Governance, management information (MI) and risk assessment

  • We found that where firms are outliers, in that they have more reported mule accounts than their peers, there is a lack of senior management oversight and a lack of MI reporting to ensure that steps are taken to address the risk and assess the impact of interventions. A proactive strategy for tackling money mules helps protect a firm’s regulatory compliance, reputation and customers.

Systems and controls

Onboarding

  • We found that some firms were undertaking relatively few checks at onboarding and were relying on subsequently monitoring customers’ behaviour to identify suspicious activities related to money mule typologies. Firms should have robust controls and take proactive steps during the customer onboarding process to detect potential red flags and identify potential money mules.
  • We observed some firms do not capture information during the onboarding phase such as, salary or turnover details. Failure to capture this information means a potential increase of false positive transaction monitoring alerts and additional investigation for alert handlers that could be avoided. This information helps to better identify transactions that are suspicious and those that are not.
  • Incorporating device profiling, geo-location and behavioural biometrics into onboarding controls significantly strengthens detection mechanisms. This enables firms to swiftly halt or reduce mule account creation during the initial stages. Firms should consider adopting these capabilities to enable them to more effectively disrupt mule networks.
  • We observed some firms are not always conducting further investigation into the reasons why some of their customers are using virtual addresses. An example of a virtual address is a mailing address provided by virtual office providers or mail forwarding services in the UK. These addresses are not physical office locations but serve as a mailing address for business correspondence. Neglecting further investigation into virtual addresses could enable fraudsters to exploit this vulnerability, leading to financial losses and increased levels of money mule accounts.
  • We found some firms are onboarding customers where multiple customers are using the same device with no clear reason. This is a typical mule characteristic where the customer may have sold on their account details to a ‘mule herder’ who now has control of their account. Firms should review customers who are using 1 device to access multiple accounts to verify if their reasoning is genuine, such as being members of the same household.
  • We have also found some firms onboarding multiple customers using the same physical address. Firms should be doing further due diligence checks to verify how many account holders are using the same address and whether there is a reasonable and valid explanation for this.
  • We have seen some firms sending out cards to their customers but not checking to see if the card has been activated. This is a simple check which enables the firm to confirm if the customer actually lives at the address which they have used to open their account.

Transaction monitoring

  • We found that some firms focus on outbound transaction monitoring and do not have adequate inbound transaction monitoring systems or controls. This may lead to firms being unable to detect mule accounts or doing so at a very late stage, most probably after funds have left via the mule account. Inbound transaction monitoring can help firms identify unusual transaction patterns such as rapid turnover and account behaviour changes, for example, a dormant account which is now in receipt of large funds. All these are common characteristics of mule behaviour and cannot be detected using outbound transaction monitoring.
  • Common mule characteristics, such as high value payments into a new or (previously) dormant account and similar amounts subsequently debiting the account, are not being detected as often as they should be. Firms should consider systems and controls which will help their ability to identify suspicious funds coming into their accounts as well as funds leaving their accounts.
  • As in the case of onboarding, some firms should also look to improve their detection of money mules during the transaction monitoring stage by considering device profiling, geolocation and behavioural biometrics systems. These systems working together will help firms to not only disrupt the mule network but also gather further intelligence on the characteristics of mule networks.
  • We observed some firms heavily rely on machine learning models. However, machine learning models require historical data to accurately understand a customer’s normal behaviour. The machine learning period can take time, particularly for new customers or those with limited transaction history. Our review also found that some firms were not able to explain the workings of machine learning tools. It is essential that firms understand how machine learning tools work, i.e. what the inputs and the expected outputs are, for both quality assurance purposes and testing capabilities. Machine learning models with a combination of tactical rules and behavioural biometrics can contribute to a robust and more proactive fraud detection system if firms fully understand and apply these tools appropriately.
  • Some of the firms we looked at had transaction monitoring alerts which triggered without the rule parameters having been met. There were also occasions we saw where alerts did not trigger when parameters had been met. Firms should ensure that where they have alerts set up, they are working correctly. We encourage firms to continuously test the alerts that are created, ensuring these are fit for purpose and alerting on customer events as expected.
  • In some firms, our review revealed that analysts are often uncertain about the specific criteria that triggered alerts in the machine learning tool. It is essential for analysts to understand the rationale behind these alerts, as this knowledge would guide their investigative efforts, sparing them from the need to conduct comprehensive reviews, which can be time-consuming. This can also help establish a feedback loop on potential revisions to improve the criteria for triggering alerts.
  • We found some firms were taking too long to implement changes to their transaction monitoring rules even where they had identified a mule characteristic or emerging risk. Being unable to implement new rules in a timely manner to counter immediate threats could lead to a risk of increased fraud rates.
  • Where alerts are investigated, we are seeing some firms recording poor narratives and rationale which do not explain why the alert handler was satisfied that there were no justified suspicions. A clear audit trail is necessary when handling alerts. This also helps if further alerts are raised on the customer and helps the feedback loop into the machine learning models.

Reporting

  • Firms should report mule activity quickly and efficiently through relevant reporting systems i.e. the National Fraud Database, allowing other firms to be notified if the same mule is looking to open accounts with them. Not reporting promptly affects the ability to disrupt and close mule networks.
  • We found that some firms whose accounts are in receipt of fraudulent funds do not always respond quickly and efficiently to the firms raising the alert. Receiving firms play a huge part in disrupting the mule network as well as protecting their own customers from being affected by fraudsters. Firms must act on requests from other firms promptly, informing them of suspicious and fraudulent funds.
  • We also found in some instances that Suspicious Activity Reports (SARs) were not raised at all or were not raised as quickly as we might expect. Raising SARs is extremely important in tackling the mule network. Valuable account information from SARs can help law enforcement investigate and prosecute criminals involved in the proceeds of fraud. 

Resourcing

  • Some firms would benefit from having dedicated resource allocated to actively investigating mules. The benefit of this is not only to be able to detect and monitor money mule accounts but also being able to work on notifications from other firms in a timely manner and report to other firms of fraud against their own customers.

Use of intelligence, industry engagement and data sharing

  • We found a lack of data sharing between some firms that are not part of similar UK reporting or data sharing initiatives.

Communication and awareness

  • While some firms have made progress in informing customers about the impact of fraud, their efforts to educate customers about money mule risks fall short. Given the prevailing cost of living crisis, some customers might find themselves susceptible to providing their account details for money mule activities under influence or pressure. We ask firms to improve their communication strategies and awareness initiatives, keeping customers informed about the latest threats.
  • Consumer education and awareness is essential to combat financial crime, protecting consumers, complying with regulations, and maintaining a firm's integrity and reputation.

Training

  • We have concerns in relation to the effectiveness of fraud alert investigations within some firms. We saw in some cases alert handlers working alerts and closing them, despite poor narratives and rationale. Also, in some cases we saw instances where clear suspicious activity did not result in the alert handlers raising a SAR. Firms can enhance the effectiveness of their alert investigations by ensuring that staff members have a clear understanding of their roles and responsibilities in combating fraud.

Next steps

We expect payment account providers to consider their own organisation’s arrangements, systems and controls against our findings. It is vital that firms have a proactive approach to identifying and swiftly remedying any weaknesses identified in their anti-fraud systems and controls. Firms should have proportionate and adequate systems and controls to mitigate the risk of money mules. We will use our full regulatory tools, including appropriate enforcement, should we identify a firm failing to maintain proportionate and adequate controls and thereby allowing its services and customers to be exploited by fraudsters.

Crucially, firms must consistently adapt their detection and monitoring methodologies, prioritising the identification of money mule activities alongside educating consumers about the inherent risks involved.