18.1 WHO ARE NON-FACE-TO-FACE CUSTOMERS?

A non-face-to-face transaction is where a transaction occurs without a customer having to be physically present. Examples of this type of activity include internet banking, telephone banking, credit cards and online share dealing. Non-face-to-face business is becoming increasingly popular in the financial services industry due to increased customer demand, the high costs of maintaining personal customer contact services and the ability to transact from a distance, which has been facilitated by developments in technology and telecommunications.

It is generally agreed that non-face-to-face transactions are more risky than face-to-face transactions, since the primary identification measures which must be carried out cannot include matching the face of the customer with a document. To overcome this, in some countries it is commonplace for there to be requirements for the customer to visit a branch to have their identity confirmed. However, in other countries this is not the case and the financial institution will need to assess the level of risk that the relationship poses to the firm in deciding which procedures to adopt.

Clearly, it is still possible, even with a customer-facing transaction, for identification fraud to be perpetrated. Much of the identification work is designed to link the person that is in front of the firm's employee with some form of official identification documentation which includes the customer's face. This does not actually prove that the customer is as expected, rather only that the person appearing for identification is the same as the person in the picture that appears on the official document, which might itself be forged.

However, non-face-to-face transactions aggravate the risks involved in financial transactions in a number of ways. Firstly, the financial institution actually will never have met the customer. Not only would they not know what the customer looked like, but they would also not generally have received official documents that confirm the picture of the customer and link this to the address, date of birth and other relevant details. This is due to the unwillingness of customers to part with such high-risk documents by sending them to a remote location.

The following factors all contribute to the additional risks that are involved in a firm undertaking business with customers on a non-face-to-face basis:

• The ease by which the customer will have access to the facility, regardless of time and location, with a minimum of controls in operation.
• The ease of making multiple fictitious applications without the customer incurring extra costs or there being a significant risk of detection by the firm.
• The absence of physical documents. This is not only the absence of any identification documents, but also the absence of signed contractual documentation; although some firms do request that documents should be signed and posted back. The firm, of course, has no way of verifying the signature!
• The speed at which electronic transactions are undertaken also renders it difficult to verify data prior to a transaction being committed to. Controls generally only operate in arrears and would have the effect of recording the inappropriate transaction.

18.2 ADDITIONAL MEASURES FOR NON-FACE-TO-FACE CUSTOMERS

Any firm that is engaged in non-face-to-face business activity will need to develop a series of appropriate risk-based policies and procedures to ensure that adequate controls are actually applied in practice. The nature of such additional procedures required will, of course, vary depending on the nature and scope of the non-face-to-face activities. The type of issues that a firm should consider will include the following:

• The firm still needs to think about how it will identify the customer. This may involve receiving some form of documentation or taking additional steps seeking independent data for verification. At the very least, if taking a deposit they will need to think how they would be able to provide the funds back to the customer in the absence of robust identification procedures having been conducted.
• The nature of supplementary measures to verify or certify the documents supplied or requiring confirmatory certification will also vary depending on the jurisdiction. There may be independent data that serve this purpose, for example electoral roll data or credit reference agency search information. It is the combination of data from various sources which potentially provides the required level of additional assurance.
• The firm will undertake work to consider the nature of the payment profile of the customer. Typically, they will require the first payment resulting from the operation of the account to be carried out through an account opened in the customer's name with a prime bank. The non-face-to-face firm is, therefore, trying to gain some level of assurance from the work conducted by a firm that does maintain a face-to-face relationship with the client. In doing this, the bank will need to assess whether it is satisfied with the quality of the bank in which the account is placed, and many restrict such activity to a bank based in their own jurisdiction which is known to maintain high-quality controls.

18.3 RISK-BASED APPROACH TO NON-FACE-TO-FACE CUSTOMERS

The extent to which additional money-laundering-deterrence measures need to be carried out should be judged through the application of the risk-based approach. The extent of verification that will actually be conducted will, therefore, depend on the nature and characteristics of the product or service requested and the firm's assessment of the money-laundering risk presented by the customer.

While we have so far concentrated on retail customers, you do need to recognise that in some parts of the industry it is normal for the customer not to be present – in wholesale markets, for example. In such cases, the focus needs to be on identifying that the financial institution is the firm that it purports to be and that the officer has the authority to bind the firm. Again, it is necessary to ensure that the named subsidiary of a bank is actually known by the holding company, since this has been abused in a number of cases. Whilst additional procedures are implemented, such circumstances do not, in themselves, increase the risk of money laundering in a transaction. Therefore, firms need to be able to judge for themselves which transactions appear to represent a higher risk of money laundering or terrorist financing and develop appropriate systems and procedures to enable them to do this.

One particular additional area of concern is customers that appear to be deliberately avoiding face-to-face contact. If such a scenario were to occur, it would be advisable for firms to have a clear and appropriate policy to deal with such circumstances, particularly systems and procedures as mentioned above. We would generally recommend that any such cases should be rejected and the customer potentially reported to the relevant authority.

18.4 THE PROBLEMS OF BUYING ONLINE

Sir Tim Berners-Lee, inventor of the internet, was reported as having been conned online when he bought a Christmas present from an online shop which failed to arrive. After telephoning the number from the website, he found that the number did not exist and the company was, in fact, a fake. Around one in four internet users in the UK have fallen victim to online phishing scams that attempt to steal people's financial details, while one in six have fallen victim to other types of online fraud.

Clearly, if you are dealing online with a firm you have not heard of, conducting basic due diligence is required, and this might well include calling the number on a website or seeing if there is any evidence that people have had problems with the firm. Sometimes, things you acquire may not be what you expect and e-auction sites enable such activity to continue. There is always a limit to the level of due diligence that appears appropriate given the size of a transaction, but it is this fact that the unscrupulous use to extract monies illegally.

This, again, highlights that, just by doing some basic due diligence procedures on attempting to really know your customer, you may be able to identify an illegal transaction. In this case, some financial institution would have been banking and transferring the sums resulting from the fraudulent site, which would clearly be caught by the regulations. Consequently, it is also incumbent upon firms to take care in monitoring the activity of any company which undertakes a high level of online trading in case it is also operating illegally.

18.5 FATF GUIDANCE

In October 2010 the FATF published a report on Money Laundering using New Payment Methods (http://www.fatf-gafi.org/media/fatf/documents/reports/ML%20using%20New%20Payment%20Methods.pdf). This highlighted some cases of recent concern, including the following:

The FATF categorised non-face-to-face internet payment methods into three groups:

• Online banking, where credit institutions offer online access to traditional banking services based on an account held at the credit institution in the customer's name. Online banking was outside the scope of the FATF document.
• Prepaid internet payment products, where firms which may not be credit institutions allow customers to send or receive funds through a virtual, prepaid account, accessed via the internet.
• Digital currencies, where customers typically purchase units of digital currencies or precious metals which can either be exchanged between account holders of the same service or exchanged against real currencies and withdrawn.

This report provides an analysis of many of the problems faced in practice, with guidance provided where appropriate or available. The importance of monitoring is highlighted, since the paper states that monitoring systems can be a very effective tool to mitigate financial crime risk.

To be effective, such systems must, at a minimum, allow the provider to identify:

• Discrepancies, for example between submitted customer information and the IP address;
• Unusual or suspicious transactions;
• Cases where the same account is used by multiple users;
• Cases where the same user opens multiple accounts;
• Cases where several products are funded by the same source.

Where products benefit from customer due diligence exemptions, systems should detect where a customer approaches a limit (on one product/transaction or cumulatively) beyond which full customer due diligence has to be applied.

The report recognises that value and transaction limits can also be a very powerful risk mitigant as they render a product less attractive to money launderers, especially when coupled with effective monitoring systems and procedures that prevent multiple purchases of low-value cards or multiple low-value accounts for a single customer. For example, the restrictive value limits implemented by most mobile payment service providers are thought to be one of the main reasons that so few money-laundering case studies involving mobile payments have been detected so far. Of course, the fact that they have not been detected does not mean that they are not happening.

The paper indicated a number of red flags, particularly when operating cross-border. Red flags are indicators of suspicious activity where a product's actual use deviates from its intended use or does not make economic sense. For example, cash withdrawals in foreign jurisdictions will be expected where the product is a prepaid traveller card, but unusual where the product is marketed to minors. Red flags should, therefore, not be applied unthinkingly, but tailored to the product's characteristics.

The following are examples identified in the paper:

• Discrepancies between the information submitted by the customer and information detected by monitoring systems.
• Individuals who hold an unusual volume of internet accounts with the same provider.
• A large and diverse source of funds (i.e. bank transfers, credit card and cash funding from different locations) used to fund the same account(s).
• Multiple reference bank accounts from banks located in various cities used to fund the same account.
• Loading or funding of account always done by third parties.
• Numerous cash loadings, just under the reporting threshold of US$10,000 (i.e. structured loading of prepaid cards), of the same prepaid card(s), conducted by the same individual(s) on a number of occasions.
• Multiple third party funding activities of an account, followed by the immediate transfer of funds to unrelated bank account(s).
• Multiple loading or funding of the same accounts, followed by ATM withdrawals shortly afterwards, over a short period of time.
• Multiple withdrawals conducted at different ATMs (sometimes located in various countries different from the jurisdiction where the account was funded).
• Internet payment account only used for withdrawals, and not for online purchases.
• Atypical use of the payment product (including unexpected and frequent cross-border access or transactions).
• Large number of bank accounts held by the same prepaid card company (sometimes in different countries) apparently used as flow-through accounts (may be indicative of layering activity).
• Prepaid card company located in one country but holding accounts in other countries (unexplained business rationale which could be suspicious).
• Back and forth movement of funds between bank accounts held by different prepaid card companies located in different countries (may be indicative of layering activity as it does not fit the business model).
• The volume and frequency of cash transactions (sometimes structured below the reporting threshold) conducted by the owner of a prepaid card company do not make economic sense.

As always with any such list there could be legitimate reasons for the transactions to be conducted. The red flag will require the firm to conduct investigation, and should not, in itself, create a suspicion.

Among the various issues considered in the paper were exemption from verification. The paper concludes that the overall risks of a product or service can also be mitigated by other means, such as applying account and transaction limits. Imposing very restrictive limits on the transactions or other functionalities may have an even more deterring effect to would-be launderers than the prospect of being verified. Furthermore, intensive monitoring can help mitigate the money-laundering risk of products as well.

In some jurisdictions, verification of the customer's identity may be difficult to accomplish, especially where identification documentation or other reliable documentation is not available for a great part of the population. Verification can also prove to be a financial burden for institutions or customers (e.g. where customers must travel a long distance to the bank or vice versa to be verified), deterring customers and institutions alike, and potentially endangering the economic success of the service provider.

The paper reported that case studies indicated that criminals were able to launder money even where verification had taken place, e.g. by using stolen or fake identities, or strawmen.

When considering the exemption from identification issues, the paper stated that, unlike verification, identification does not seem to cause a lot of cost or effort; the service provider simply needs to ask the customer's name.