Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
Comments are moderated and will not appear until the moderator has approved them.
Please submit appropriate comments. Inappropriate comments include content that is abusive, harassing, or threatening; obscene, vulgar, or profane; an attack of a personal nature; or overtly political.
In addition, no off-topic remarks or spam is permitted.
July 18, 2022
Policy Updates Help Independent ATM Operators and Cash Users
Like many people, I take cash for granted. It's available when I need it, I can buy just about anything with it, and I can use it to pay anyone, anywhere. For me, the easiest way to get cash is at an ATM, and I take these machines for granted, too. They're everywhere: at all types of retail stores and shops, mall kiosks, standalone places all down the street, and banks.
Some recent Take On Payments posts focused on the importance of cash in times of crisis and the needs of people who are cash reliant and those who live in rural areas. In this latter post, we referred to a barrier some independent ATM deployers, or IADs, have faced. The barrier was rooted in banks sometimes closing existing IAD accounts or not allowing IADs to bank with them in the first place. This post picks up that thread, this time with some good news for the industry.
But first, what would make some banks reluctant to do business with IADs? Banks must comply with the Federal Financial Institutions Examination Council's (FFIEC) Bank Secrecy Act/Anti-Money Laundering (BSA/AML) rules. A previous edition of the BSA/AML Examination Manual used language indicating that ATM operators could be a fraud and money-laundering risk. But without a bank account, IADs can't operate. A sudden closure of an account causes business disruption at best, ultimate failure at worst. This was a real problem for the IAD providers who found themselves without an account and the people in communities that rely on cash but don't have access to a nearby ATM.
Late last year, thanks to efforts from ATM industry groups, the FFIEC, in consultation with the Financial Crimes Enforcement Network, recognized the efficiency of the controls that are in place for ATM transaction settlement and cash replenishment. Accordingly, the FFIEC revised the section in its manual on "Independent Automated Teller Machine (ATM) Owners or Operators" in a way that should help banks view ATM operator accounts more positively. It states that:
- financial institutions are "neither prohibited nor discouraged from providing banking services to independent ATM owner or operator customers..."
- an operator that maintains a separate cash settlement account with the bank for its ATMs presents a lower risk of money laundering, terrorist financing, or other illicit financial activity "because the bank knows the source of funds and can compare the volume of cash usage to EFT settlements to identify suspicious activity."
With access to cash remaining an important financial need nationwide and with a change in language that could help some IADs be more successful in running their businesses, perhaps more independent operators will contribute to serving populations nationwide. What do you think?
January 24, 2022
The Role of Cryptocurrency and Cryptoinsurance in Ransomware Payments
In the Risk Forum's end-of-the-year Talk About Payments webinar , ransomware was once again, unfortunately, a topic of discussion. For over five years now, our Take on Payments blog has often discussed ransomware, as financial losses due to ransomware attacks have steadily risen. In 2021, the federal government and the US Department of the Treasury issued guidance for the virtual currency industry in an effort to make it difficult for those behind ransomware attacks to receive cryptocurrency, the preferred ransom payment method. Whether or not these steps, or even an outright ban on cryptocurrency payments, will be effective in reducing ransomware attacks and their associated financial losses is still to be determined, but there are skeptics (including yours truly).
In 2019 posts (here and here), Dave Lott and I both wrote about the increasing frequency of people and companies obtaining insurance against ransomware attacks and the payment of ransoms by insurance companies. I think it is time for an evaluation of the costs and benefits of ransomware insurance. In fact, the FBI strongly recommends that ransomware payments not be made.
What are the basics? Organized crime syndicates, generally based in foreign countries, launch the vast majority of ransomware attacks. To protect against the financial consequences of such attacks, businesses may purchase insurance policies for coverage against cyber-related attacks that can include the payment of ransom in the event of a ransomware attack. If a syndicate receives a ransom payment, it not only encourages additional attacks but also allows the syndicate to grow and scale its criminal enterprise. As ransomware attacks flourish, businesses might become more likely to purchase insurance policies or expand existing policies with greater coverage to protect themselves. Another important issue to consider is whether companies that insure against ransomware as a form of protection could become less diligent in preventing an attack. Further, with increased attacks and higher demand for coverage, insurance providers may sell more policies at increased premiums to offset the potential for rising claims. Or perhaps the problem becomes so significant that the costs to insurers from claims outpaces their revenue from such policies, causing them to exit the business.
In a different viewpoint, maybe insurance coverage that includes ransom payments is in fact beneficial, especially in those circumstances when the "the damage inflicted by a cyber attack is greater than the cost of the ransom."
Over the past five years, since the Risk Forum began covering ransomware, we have witnessed significant growth in attacks and financial losses. While I am hopeful that both the public and private sector will find ways to slow the growth and ultimately stamp out ransomware attacks, the challenge is perhaps more daunting now than it was five years ago. It's promising to know that efforts are underway at the Treasury to address the challenge of ransom payments made with crytpocurrencies, but more may need to be done. As for this post, I am hoping that it can lead to a discussion on the pros and cons of this mitigation strategy as part of the effort at large to defeat ransomware.
April 12, 2021
NFTs Raise Questions about Money Laundering
I must admit—my head is spinning a bit trying to grasp the valuation of nonfungible tokens, which are commonly referred to as NFTs. In March, an NFT by the artist Beeple sold for almost $70 million. An NFT is a unique digital asset that is authenticated using a blockchain. Digital assets can be artwork, music, sports cards or videos, or even tweets. There are multiple marketplaces for purchasing NFTs, oftentimes with cryptocurrencies or stablecoins, and many of these platforms are focused on a specific segment of the NFT market such as this one dedicated to players and highlights from the National Basketball Association. (The concept seems so far-fetched that Saturday Night Live based a skit on NFTs.)
Once my head stops spinning due to the astronomical valuations of some NFTs, it immediately focuses on the money-laundering risks. For years, the art world has been used to launder funds. Reasons for this include the anonymity often sought by buyers and sellers, the use of shell companies to hide owners, the use of cash for high-value purchases, and the challenges of determining a fair market value for a singular piece of art that might be purchased for well above market value, which is a red flag for money laundering. Are these reasons for using art in the physical world to launder funds alleviated or exacerbated in the digital world? I don't have the answer for this question because I admittedly haven't spent the time to fully understand the measures the NFT industry has taken to mitigate money laundering risks. I do know that transactions on a public blockchain are transparent, but that doesn't necessarily mean that the individuals engaged in the transaction can be identified. And as I mentioned earlier, determining a fair value for NFTs presents quite the challenge.
Whether or not NFTs are being used for money laundering, I am not alone in asking the question. In March, the Financial Action Task Force, seeking input from the public by April 20, 2021, released a public consultation paper on draft guidance on a risk-based approach to virtual assets and virtual asset providers. This guidance has the potential to affect NFT marketplaces and providers by encouraging regulatory agencies across the globe to require them to perform some levels of Bank Secrecy Act/Anti-Money Laundering monitoring and reporting. The task force is looking to implement changes to the draft and approve this updated guidance at its June 2021 meeting.
Are you interested in learning more about NFTs and the potential risks they may pose? While we will continue to monitor developments and provide pertinent updates, let us know if you have questions or concerns that you think we should address given the increased media exposure and transaction volumes of NFTs.
December 14, 2020
Fighting Financial Crimes outside Financial Institutions
You don't have to know anything about money laundering to know that it doesn't involve someone running a bundle of dirty cash through the washing machine, or even laundromats more generally. Well, it does, but only in the metaphorical sense. Money laundering refers to the act of legitimizing ill-gotten gains—that is, "cleaning" it to hide illegal activity. Anyway, we've touched on the topic of money laundering a few times in this blog, mainly focusing on how financial institutions might identify and report individuals acting as money mules. Today, I'm going to look at the types of businesses that are at risk of being used by money launderers.
Desmond Alston, my colleague in the Risk and Compliance Division at the Federal Reserve Bank of Atlanta and a Certified Anti-Money-Laundering Specialist, or CAMS, shares his expertise. Desmond explains that money laundering is a three- step process:
- Placement: Dirty money is placed into a legitimate financial system.
- Layering: The source of the money is concealed through a series of transactions, or layers of movement.
- Integration: Money is returned to the criminal from what appears to be a reputable source.
Any business that provides the capacity for this sort of manipulation—not just depository financial institutions—can be a conduit for money laundering. Desmond points out:
- "Insurance companies can be conduits. A launderer can purchase a life insurance policy with a payment of criminally derived funds and then cancel the policy before a penalty would be applied or absorb a small penalty as a cost of the money laundering scheme. The resulting refund would be from a reputable source.
- "At a casino, a launderer could use criminal proceeds to buy chips, hang around for a while, eat a hamburger, gamble a bit—or not at all—and then cash out."
That's why it makes sense for organizations in many industries—art and antiquities dealers, auto dealerships, travel agencies, and charitable organizations as well as financial businesses like foreign exchange, mortgage lenders, and money service businesses—to make sure staff members are knowledgeable about money laundering. If these sorts of entities fail to file suspicious activity reports, or SARs, for cash transactions that exceed reporting minimums, they are complicit in the crime of money laundering.
Nonfinancial businesses can protect themselves by employing the five components of a solid anti-money-laundering (AML) and compliance program: (1) written policies, procedures, and internal controls; (2) supervision by a designated compliance officer; (3) training and development for staff at all levels; (4) customer due diligence; and (5) independent audit of the AML program.
It's probable, however, that laundromats have no worries—they just don't have the cash flow. While early 20th-century mobsters did indeed intermingle cash from legitimate businesses like laundromats with cash from bootlegging and other crimes, they rapidly moved on to international accounts. The term "money laundering" was first widely used by journalists in connection with the financing of the Watergate burglaries in the early 1970s, when laundromats were not part of the picture.
Thanks, Desmond, for this helpful information.