We were delighted to be joined by Yulia Murat, Anti-Financial Crime Advisor on the latest instalment of our webinar series, Wired-In. In a thought-provoking session, Yulia explored the most frequent types of crime and how to combat these financial risks in e-commerce.
Reece Baggott, Digital Marketing Lead at NorthRow: Welcome to Wired-In. If you’re new to the series, Wired-In is a monthly series, where we invite subject matter experts from fin and regtech to cover specific topics like today with Yulia, our special guest.
Today, Yulia is going to be looking at managing AML risks in digital payments. But before we jump into a bit of an introduction, a bit about Yulia and start the session, there are always a few items we need to address from the webinar standpoint.
Yulia, if you don’t mind flicking the slide forward for me?
Awesome. Just a bit of a plug about NorthRow if you’re new to the series. We provide compliance software that includes KYC, KYB and ID&V, empowering you to make faster decisions, comply with ever-changing legislation and also combat financial crime.
One more slide for me, Yulia?
Awesome. As you can see today, joining me is Yulia Murat. She is a Risk Management and Anti-Financial Crime Advisor. So just a bit about Yulia, she helps fintech and regtech firms to build AML systems that are straightforward, scalable, cost-efficient and compliant with regulations.
In the past, Yulia has led FCC functions, one of the largest payments-focused fintechs in the world, AliPay. Yulia has also headed up the correspondent banking and fintech AML team at Standard Chartered, where she focused on auditing fintechs aspiring to partner with the bank.
Between 2001 and 2022, Yulia worked with the FCA to assess applications from crypto firms to be registered in the UK.
So, Yulia, the floor is yours. Good luck and thank you!
Yulia Murat, Risk Management and Anti-Financial Crime Advisor: Thank you, Reece, for the introduction. It’s lovely to be with all of you here today.
So, as it always goes, it’s worth setting the scene. What are we talking about today?
The industry context is such that the digital payments landscape has exploded over the last several years. Obviously, the pandemic has been the main factor here. The industry has gone through a tremendous digitalisation process over the last two to three years. In the US alone, e-commerce sales increased by over $200b or 43% in 2020.
Merchants rely on online sales via their website more and more. And more consumers use contactless payments and technology providers develop new tools to meet this change in behaviour. We’re seeing a tremendous increase in the number of players in the industry, which transcends into bigger AML risks, and professionals like myself are attacking it and learning about it.
Today, I’m going to talk to you about merchant acquiring. For those who don’t know what it is, essentially it’s anybody like ourselves, going on a website and buying something online. Or, paying for a product in store. But today, I’ll be focusing on online payments via cards.
In a typical merchant acquiring transaction, what do we have?
We have a card holder, usually an individual, who is using their card to pay for something on a website which belongs to a merchant, on the left hand side.
How it all works behind the scenes is that the card holder has somebody who issued the card to them, usually an issuing bank. And the card usually belongs to one of these well known card schemes (Visa or Mastercard) which allows the issuing banks to issue their cards to the cardholder.
We also have an acquirer, which is kind of the main subject of our webinar today. And we have payment gateways or they are also called payment processors – and I’ll explain to you what all the roles of these parties are in a brief moment.
We have these participants that I mentioned. For those of you who come from banking, it’s easier to understand the flow when we call the parties such as the cardholder, the ‘originator’ or the ‘sender’, the issuer would be the issuing bank, then we have a card scheme in the middle, then we have the acquirer or the acquiring bank, the payment gateway and the merchant who is the ‘beneficiary’ on the other side of the transaction.
What’s interesting here, from a risk perspective, is that these parties don’t have contractual or client principal relationships among all of them. The cardholder is the client of the issuing bank and they contract with the issuing bank, the bank that issued the credit or debit card to the person. The issuing bank, in turn, contracts with the card scheme to be able to issue cards to clients.
In turn, the acquirer or the acquiring bank contracts with the payment gateway or payment processor, and with the merchants – so the merchants are their clients.
What’s interesting here is that the acquiring bank does not have any relationships with the payers or the cardholders, and they have minimal visibility of those. The issuing bank does not have relationships with the merchants, they’re not their clients so they don’t have CDD on them and the risk obviously is higher on that side.
So, what does the acquirer or acquiring bank do? They essentially acquire the transaction for the merchant and they provide the merchant with the possibility to accept online payments. It’s important to understand here that the transactions that are shown to you are really basic.
What happens in reality is that sometimes there are a lot of moving parts and a lot of intermediaries within the transactions and it all depends on the relevant licensing. Whether the acquirer has, for example, a banking licence, whether they can be both a bank and a payment processor, or whether they only have an API (Authorised Payment Institutions) or EMI (Electronic Money Institutions) licence and they have to partner with a bank who in turn, provides the account for the merchant.
In reality, what we can have is additional parties in-between if, for example, it is a cross-border transaction and foreign exchange has to be facilitated as well. So we can have acquirers in different countries doing that. Sometimes it is done by one large provider who has different entities in different countries, but sometimes it is done by a multitude of separate providers.
The acquirer receives the authorisation request from the merchant’s payment gateway, which I’ll speak about in a moment. It then sends the authorisation request to the cardholder’s issuing bank, it sends an authorisation code back to the merchant’s payment gateway advising whether the transaction can or cannot be completed. It also collects card payments and transfers them to the merchant’s account. Here it depends whether the merchant’s account is with this institution if it’s a bank, or it can be another institution which is a bank holding the account for the merchant. And then it charges the merchant, because the merchants are their clients, they pay fees to the acquirers.
We also have a payment gateway or payment processor in between. These companies act like a bridge between all of these participants: the issuer, the acquirer, the merchant.
Their main role is to transmit information, they encrypt and securely transmit data between a merchant’s website and the acquirer. They also send a response to the merchant’s system indicating whether the transaction was approved or declined by the acquirer. They initiate a transfer of funds from the customer’s payment card to the merchant’s bank account. It’s important to understand here that I am speaking about card payments, but usually gateways also support other payment types, such as e-wallets and bank transfers.
On the other side of the transaction, we have the issuer or the issuing bank. They issue cards to the cardholder, they also receive an authorisation request from the acquirer when there is a request for the transaction to be made. They check the cardholder’s account to ensure they have sufficient funds, they send an authorisation code back to the acquirer, and they charge the cardholder who is their customer. So they receive profits from having cardholders as customers.
Now, let’s focus on FCC risks and obligations pertaining to each of these parties. Obviously, issuing banks are regulated as financial institutions. Their main risk lies with the cardholder, who is the client of the issuer. They have to manage this side of the transaction, they have to focus their risk management activity on this side of the transaction. However, the challenge is that they also facilitate transactions involving merchants who are not their customers, as I said before.
They need to understand and manage the risk pertaining to the other side of the transaction too which is a much larger challenge for them. They hold the CDD on the cardholder and not on the merchant.
Another regulatory requirement to keep in mind is the payment transparency requirements, the PSD2. It’s very relevant when all of these parties in the transaction are not related to each other, which is usually the case. It’s sometimes even more relevant when the transactions are facilitated by entities within one large group; it’s still the case that data has to be transferred together with the transaction as per the payments transparency requirements. There are certain data fields that have to travel with the transaction itself.
So, what do issuing banks usually see in their outgoing payments? Somebody paying for services or goods via their cards.
Because they contract with the card schemes, they also have to respect the respective card scheme’s compliance rules. And, focusing on the AML risks specifically, what we can have here is collusion by different parties aiming to launder significant amounts of funds. It’s possible to have collusion between the payers and the merchants, who aim to move funds through multiple accounts to obscure the origin and destination of the funds.
This is the main risk here, and obviously one of the biggest risks in this industry is fraud. There are a multitude of schemes whereby fraudulent transactions can happen. From somebody stealing cards, impersonating themselves – the main risk lies on the cardholder’s side. Impersonation is one of the biggest risks of identity theft, this is what the banks are focusing on in this respect.
Let’s move to the next party which is the acquiring bank or the acquirer. Again, these are regulated, whether they are banks and have a banking licence in which case they face stricter regulatory requirements. Or whether they are licensed as API or EMI institutions.
On this side, the main risk for acquirers lies with the merchant who is, in turn, their customer. There is a multitude of money laundering schemes related to merchant acquiring and they can be summarised mostly as transaction laundering. For those of you who are familiar with trade finance, the money laundering risk can be summarised by over- or under-invoicing, or shadow transactions – as in, transactions that did not happen.
Again, we can have here collusion with the payer, somebody pretending to execute genuine transactions which did not happen in reality. Or we can have merchants moving illegitimate funds through their accounts, somebody creating fake websites, fake merchants.
In the US, a big problem now is so-called ‘alphabet’ websites where people create websites like ‘abcde.com’ and they act as fraudulent merchants collecting funds from customers but never delivering on their transactions.
More sophisticated schemes include creating a website which looks professional but simply never delivering on the transactions that occurred or creating websites purely for the purposes of money laundering with the pretence of having a genuine business and moving funds.
Another risk here is the sale of illegal and prohibited goods, and sometimes you can have a website which pretends to be genuine but in fact, it’s only created for the purpose of selling illegal goods.
Going back to what the acquiring bank is dealing with, it’s mainly incoming payments. So funds coming into their accounts. Again, they have to comply with the payment transparency requirements, such as the PSD2. And they also face the AML risks related to intermediaries, if there are any present in this transaction. In this case, if the main client base of the acquirer or the acquiring bank is not the merchants themselves, but other payment institutions, who in turn have merchants as their customers, then it becomes even more complicated from a risk management perspective because this particular organisation would not have contractual or CDD relationships with the merchant.
We also have here the payment gateway – our facilitator, which is also regulated in the EU and the UK. There are instances where the payment gateway may not be regulated for AML purposes, like in the US for example, or it also depends on their exact activity and what they do. But, broadly speaking, let’s say they are regulated. Again, on their side (and we need to remember the payment gateway can be the same entity as the acquirer, depending on their capabilities and their licensing), their main risk lies with the merchant, which is also the client of the payment gateway, similar to the acquirer. They would normally have CDD on merchants and an understanding of the risk they’re bringing.
Payment gateways also need to comply with security and data protection requirements, because their main job is to transfer data securely.
Their AML and terrorist financing risk is similar to that of acquirers. Obviously, one of their biggest risks is also fraud as I described before.
We’ve discussed merchant acquiring which is the big theme in online payments, but it can have various different sub-business models depending on whether foreign exchange is involved, whether there are cross-border payments, whether there are other financial institutions in between in the middle of the chain. However, broadly speaking, that is the business model.
There are other types of online payments which are not related to cards, as we all know, we’ve probably all tried them – hopefully! We can buy things using QR codes, through our e-wallets, through crypto. In Africa for example, a big thing is being able to pay using your phone number.
There are other payment methods which do not involve cards and they are executed through open banking. Essentially, various parties on the transaction talk to each other via APIs but the flow and how the transaction looks is the same as merchant acquiring – and so are the AML risks. However, the exception here is that as there is no card scheme, there is no need to comply with additional rules of the card scheme provider.
I’ll talk to you about another interesting payment model which is called ‘online to offline’, it’s related to cross-border travel. In this scheme, foreign nationals travel to the UK and they make purchases using their mobile wallets in shops, in restaurants and in other outlets that accept such payments. What happens in this case is that funds are debited from the payer’s foreign mobile wallets and are settled to the merchant’s bank account by the acquirer. It’s quite a big risk from the money laundering perspective for a number of reasons.
One reason is that retail banking is involved here and the clients are potentially from high-risk countries from a money laundering perspective, we can therefore have a risk of mules doing this, we can have money laundering schemes related to luxury goods that have been a focus of the UK enforcement authorities for a while now, and on top of this, we have cross-border payments and funds moving from potentially high risk countries to the UK where the source of funds is not obvious because it is facilitated within seconds.
I’m happy to answer any questions that you may have. If you don’t want to ask me questions today, please contact me on LinkedIn and I’m very happy to help you understand the regulatory requirements affecting your business, design and review your AML compliance policies, obtain regulatory licences in the UK, EU, Switzerland, in the UAE, Singapore, Hong Kong and elsewhere!
I can also help you to liaise with the regulators, I’ve worked for the FCA for a while so I am very familiar with the regulatory requirements relating to fintechs and crypto firms, and I can help you with any internal investigations.
Thank you very much for your attention.
Reece B: Massive thank you to you, Yulia. Please do reach out to her on LinkedIn as well, or if you’d like to get in touch with her, we can provide her email address on the email with the recording.
We have had a few questions come in, Yulia. If you would like to put a question in now, please use the questions tab to your right.
One that has come in is “How can we balance the need for compliance with the need to provide a seamless customer experience in digital payments?”
Yulia M: That’s a very good question, and it has been my job for a while! A very short answer to that is the number of clicks. So the number of clicks a customer has to make to become a client of a fintech company has to be as low as possible. A number of various solutions can help you with that, however on the back-end you do need a strong compliance advisory force that helps you to manage risk without putting too much burden on the customer.
So that’s why I said the number of clicks. The work on the customer has to be minimal, but behind the scenes, the work has to be robust to make sure the risk is managed.
Reece B: Awesome, thank you. Another question: “You mentioned the risk between money laundering and collusion with merchants, but are there any emerging risks or trends that you’re seeing in the digital payments space specifically?”
Yulia M: As I said, fake websites are a big thing all over the world, as e-commerce is exploding. A lot of fake websites are being created and it’s true that it is mainly fraud-related risk but fraud and AML usually go hand-in-hand. Very often, we see funds being transferred through fraudulent transactions but those funds in the first place are obtained illegally.
So, fake websites, counterfeit or illegal goods being sold on seemingly genuine websites, fraud related to credit card use – I would say these three are the main ones.
Reece B: Awesome, we’ve had a great question come in: “Is it mandatory to open a digital bank account to carry a cross-border remittance even after having an SPI (small payment institution) licence by the FCA?”
Yulia M: Any regulatory related questions, I suggest you reach out to me on LinkedIn, I need to understand your business model well before providing any advice.
Reece B: We’ll send you the contact details and the question for that person in particular. That seems to be all the questions that have come in so far. If you don’t mind sharing the slides again, Yulia? We’ve got a few more just to close from NorthRow.
Yulia M: Sure.
Reece B: Thank you. And if you do have any more questions that you think of after the session, don’t hesitate to get in touch with Yulia again or if you’d like to forward them to firstname.lastname@example.org, I’ll be able to pick them up and forward them on.
So we do have a double bill for you this month, on the 26th April, we welcome Federica who is going to look at a very hot topic at the minute which is the AML compliance and navigating the global sanctions landscape in 2023. With the recent avalanche of sanctions that have come in, she’ll look at all the dos and don’ts around this and the ineffectiveness of certain sanctions, down to beneficial data ownership.
The events page is live for that one, if you want to head over to the NorthRow events area of our website, you can sign up there.
Now for a bit of a shameless plug from NorthRow, if you’re looking to start your AML compliance journey, we offer onboarding, monitoring and remediation software. We launched WorkStation last year which is an end-to-end compliance platform which covers everything from KYC and KYB screening, case management, ID&V, right to work, AML compliance, ongoing monitoring and remediation.
We’ve also launched a new website, so there’s tons of resources on there to aid your compliance journey, so do check out NorthRow if you haven’t already!
And all that is left to say is thank you! Massive thanks to everyone who joined, I’ve seen a lot of new names today, and some from the past. And a huge thanks to you Yulia. Amazing presentation, amazing session!
Yulia M: Thank you for having me, thanks Reece, thanks everybody for your time today.