Mules – the ass-end of the problem

Fraud
Written By Simon McMahon

When it comes to APP fraud, the industry’s primary focus is currently on ‘breaking the spell’ cast on victims. However, its mules and the criminal organisations behind them that are the perpetrators of these crimes. More action needs to be taken to address the ‘ass-end’ of the problem if we are going to prevent APP fraud!

What are mules?

Money mules or simply mules are individuals or entities that receive the proceeds of crime into an account on behalf of others. Often these illicit funds are then wired to other accounts, sometimes overseas, to help obfuscate the trail of stolen funds (i.e. the ‘layering’ stage of money laundering) and impair any chance of their recovery. Mules are used by criminals to disguise criminal funds in accounts used for seemingly legitimate purposes to enable the funds to be distanced from predicate crimes.

Mules are typically paid for their services, often by keeping a small portion of the funds that they receive into and subsequently send out of their account. Importantly, a mule account can be the first account that receives stolen funds from a victim’s bank account, or an account further down the chain as stolen funds are routed through the financial system to further obfuscate their origin.

Types of mule

Mules come in different flavours. Firstly, there are mule accounts operated directly by fraudsters or known criminal associates:

  • Professional mules - engage in money laundering activities as a primary source of income. They knowingly facilitate the transfer of illicit funds through multiple accounts in exchange for a fee or commission. Professional mules may act as ‘mule herders’ (recruiting and instructing other mules) or may use fake companies to open mule accounts.

  • Compromised mules - individuals whose bank account details or personal information have become known to fraudsters as a result of falling victim to phishing scams or identity theft may become compromised mules. Their existing accounts may be used to receive and transfer funds without their knowledge or consent, or new accounts may have been opened using their identity.

Secondly, otherwise lawful individuals are often recruited to work for criminal enterprises as mules. In these cases, mules can be:

  • Willing mules - aware of the criminality of their actions but continue for personal gain

  • Unwitting mules - used by criminals to act as mules, but are unaware of the criminality of their actions from receiving the proceeds of crime

  • Coerced Mules - coerced mules are individuals who are forced or coerced into participating in money laundering activities against their will. They may be threatened with physical harm, blackmail, or other forms of intimidation to comply with demands

Why bother identifying mules?

Despite the FCA already requiring firms to pro-actively identify and exit mules, prioritisation of efforts to identify mules has generally been low across the industry. Recently however this laissez-faire attitude is changing, with firms paying far more attention to the mules that linger within their customer base. This is a result of the mandatory reimbursement requirements for APP fraud being introduced by the Payment Systems Regulator (PSR) - see our blog article here for more information. This requirement makes firms responsible for refunding 50% of the value of scam proceeds received by their customers, sharing the burden of fraud refunds equally between the payers (sending) bank and the payees (receiving) bank. Due to the potential fraud losses from refunds, organisations are now far more incentivised to identify, block and exit mules.

In addition to the cost of banking mules, there is also a large reputational risk – firms do not want to be seen as facilitating scams for fraudsters. The PSR is already reporting key stats for the 12 largest banks and payment firms in the UK, including the incidence and value of fraudulent funds received. Reporting is due to be broadened across all Faster Payments participants once the mandatory reimbursement requirement is in place in October 2024.

So how can mules actually be identified?

Prospective customers can be checked against the CIFAS National Fraud Database (NFD) when they are onboarded, preventing individuals or businesses already associated with mule activity from opening an account. Other avenues of customer due diligence may uncover red flags, such as reviewing companies house to reveal suspicious incorporations. However, only a limited proportion of mules are included in the NFD and these methods do not defend against existing customers that become mules.

For existing customers, the following methods are useful:

  1. Periodically screening existing customers against any new additions to the NFD

  2. Comparing basic KYC details about income and revenue to account activity to determine whether or not it is proportionate.

  3. Investigating high value payments into a new or (previously) dormant account

  4. Investigating rapid increases in the volume of payments to an account within a short space of time

  5. Investigating sudden increases in the number of payees on an account

  6. Investigating accounts with transactions sent to known mule accounts

For 2-6 above, firms often rely on their existing transaction monitoring (TM) systems to produce these alerts. This can creates issues, as in nearly all cases TM systems are designed for AML compliance and post-event monitoring, with no real-time or near real-time capabilities. When using a TM system rather than a real-time identification engine, firms should ensure that:

  1. Scenarios intended to provide coverage of mule behaviour are implemented and tuned (rather than assuming existing AML-focused rules will be effective)

  2. Alerts generated from ‘mule scenarios’ are addressed as an immediate priority, with different SLAs to other alerts

Investigating and reporting mules – dos and don’ts

Do Don't

Act quickly to hold/block payments to and from a potentially compromised account as soon as suitable threshold of evidence of mule activity is reached, until an investigation can be completed

 Submit anything to CIFAS that doesn’t meet the ‘four pillars’ of the Standard of Proof[1]  
Ensure thorough investigations into identified mules are conducted. Attempt to ascertain if mules were unwitting, coerced or compromised for reporting / information sharing purposes Unfairly submit unwitting or coerced mules to the fraud database 

Raise SARs when mules are identified – by definition a money mule is laundering the proceeds of crime and must be reported to the NCA in addition to any other reporting processes
Report confirmed mules to the CIFAS NFD. Collaboration and the reciprocity in sharing of confirmed fraudsters across the industry is a key defence against scammers
Record and retain records of investigations and customer correspondence in line with your data security policy and legal requirements

The future

When making a payment, there are limited methods firms can use for assessing the risk that the payee account may be a mule. Identifying and closing mule accounts can be a game of whack-a-mole; they pop up, are rapidly used to transfer illicit funds and are then closed within a relatively short period of time. Because of this, defences need to be able to respond quickly.

We believe that a real-time system needs to be put in place to enable sending PSPs to broadcast the details of suspected mule accounts to other PSPs across the industry once a victim’s fraud report has been verified. Without this, we’ll always be one step behind the mules and continue to be at the ass-end of the problem.

[1] https://www.cifas.org.uk/fraud-prevention-community/member-benefits/data/itd/internal-fraud-database-principles

Simon McMahon
Previous

Scam reimbursement requirements – preparing for October
Next

Fraud prevention - new minimum standards for preventing and responding to scams