A non-face-to-face transaction is where a transaction occurs without a customer having to be physically present. Examples of this type of activity include internet banking, telephone banking, credit cards and online share dealing. Non-face-to-face business is becoming increasingly popular in the financial services industry due to increased customer demand, the high costs of maintaining personal customer contact services and the ability to transact from a distance, which has been facilitated by developments in technology and telecommunications.
It is generally agreed that non-face-to-face transactions are more risky than face-to-face transactions, since the primary identification measures which must be carried out cannot include matching the face of the customer with a document. To overcome this, in some countries it is commonplace for there to be requirements for the customer to visit a branch to have their identity confirmed. However, in other countries this is not the case and the financial institution will need to assess the level of risk that the relationship poses to the firm in deciding which procedures to adopt.
Clearly, it is still possible, even with a customer-facing transaction, for identification fraud to be perpetrated. Much of the identification work is designed to link the person that is in front of the firm's employee with some form of official identification documentation which includes the customer's face. This does not actually prove that the customer is as expected, rather only that the person appearing for identification is the same as the person in the picture that appears on the official document, which might itself be forged.
However, non-face-to-face transactions aggravate the risks involved in financial transactions in a number of ways. Firstly, the financial institution actually will never have met the customer. Not only would they not know what the customer looked like, but they would also not generally have received official documents that confirm the picture of the customer and link this to the address, date of birth and other relevant details. This is due to the unwillingness of customers to part with such high-risk documents by sending them to a remote location.
The following factors all contribute to the additional risks that are involved in a firm undertaking business with customers on a non-face-to-face basis:
Any firm that is engaged in non-face-to-face business activity will need to develop a series of appropriate risk-based policies and procedures to ensure that adequate controls are actually applied in practice. The nature of such additional procedures required will, of course, vary depending on the nature and scope of the non-face-to-face activities. The type of issues that a firm should consider will include the following:
The extent to which additional money-laundering-deterrence measures need to be carried out should be judged through the application of the risk-based approach. The extent of verification that will actually be conducted will, therefore, depend on the nature and characteristics of the product or service requested and the firm's assessment of the money-laundering risk presented by the customer.
While we have so far concentrated on retail customers, you do need to recognise that in some parts of the industry it is normal for the customer not to be present – in wholesale markets, for example. In such cases, the focus needs to be on identifying that the financial institution is the firm that it purports to be and that the officer has the authority to bind the firm. Again, it is necessary to ensure that the named subsidiary of a bank is actually known by the holding company, since this has been abused in a number of cases. Whilst additional procedures are implemented, such circumstances do not, in themselves, increase the risk of money laundering in a transaction. Therefore, firms need to be able to judge for themselves which transactions appear to represent a higher risk of money laundering or terrorist financing and develop appropriate systems and procedures to enable them to do this.
One particular additional area of concern is customers that appear to be deliberately avoiding face-to-face contact. If such a scenario were to occur, it would be advisable for firms to have a clear and appropriate policy to deal with such circumstances, particularly systems and procedures as mentioned above. We would generally recommend that any such cases should be rejected and the customer potentially reported to the relevant authority.
Sir Tim Berners-Lee, inventor of the internet, was reported as having been conned online when he bought a Christmas present from an online shop which failed to arrive. After telephoning the number from the website, he found that the number did not exist and the company was, in fact, a fake. Around one in four internet users in the UK have fallen victim to online phishing scams that attempt to steal people's financial details, while one in six have fallen victim to other types of online fraud.
Clearly, if you are dealing online with a firm you have not heard of, conducting basic due diligence is required, and this might well include calling the number on a website or seeing if there is any evidence that people have had problems with the firm. Sometimes, things you acquire may not be what you expect and e-auction sites enable such activity to continue. There is always a limit to the level of due diligence that appears appropriate given the size of a transaction, but it is this fact that the unscrupulous use to extract monies illegally.
This, again, highlights that, just by doing some basic due diligence procedures on attempting to really know your customer, you may be able to identify an illegal transaction. In this case, some financial institution would have been banking and transferring the sums resulting from the fraudulent site, which would clearly be caught by the regulations. Consequently, it is also incumbent upon firms to take care in monitoring the activity of any company which undertakes a high level of online trading in case it is also operating illegally.
In October 2010 the FATF published a report on Money Laundering using New Payment Methods (http://www.fatf-gafi.org/media/fatf/documents/reports/ML%20using%20New%20Payment%20Methods.pdf). This highlighted some cases of recent concern, including the following:
The FATF categorised non-face-to-face internet payment methods into three groups:
This report provides an analysis of many of the problems faced in practice, with guidance provided where appropriate or available. The importance of monitoring is highlighted, since the paper states that monitoring systems can be a very effective tool to mitigate financial crime risk.
To be effective, such systems must, at a minimum, allow the provider to identify:
Where products benefit from customer due diligence exemptions, systems should detect where a customer approaches a limit (on one product/transaction or cumulatively) beyond which full customer due diligence has to be applied.
The report recognises that value and transaction limits can also be a very powerful risk mitigant as they render a product less attractive to money launderers, especially when coupled with effective monitoring systems and procedures that prevent multiple purchases of low-value cards or multiple low-value accounts for a single customer. For example, the restrictive value limits implemented by most mobile payment service providers are thought to be one of the main reasons that so few money-laundering case studies involving mobile payments have been detected so far. Of course, the fact that they have not been detected does not mean that they are not happening.
The paper indicated a number of red flags, particularly when operating cross-border. Red flags are indicators of suspicious activity where a product's actual use deviates from its intended use or does not make economic sense. For example, cash withdrawals in foreign jurisdictions will be expected where the product is a prepaid traveller card, but unusual where the product is marketed to minors. Red flags should, therefore, not be applied unthinkingly, but tailored to the product's characteristics.
The following are examples identified in the paper:
As always with any such list there could be legitimate reasons for the transactions to be conducted. The red flag will require the firm to conduct investigation, and should not, in itself, create a suspicion.
Among the various issues considered in the paper were exemption from verification. The paper concludes that the overall risks of a product or service can also be mitigated by other means, such as applying account and transaction limits. Imposing very restrictive limits on the transactions or other functionalities may have an even more deterring effect to would-be launderers than the prospect of being verified. Furthermore, intensive monitoring can help mitigate the money-laundering risk of products as well.
In some jurisdictions, verification of the customer's identity may be difficult to accomplish, especially where identification documentation or other reliable documentation is not available for a great part of the population. Verification can also prove to be a financial burden for institutions or customers (e.g. where customers must travel a long distance to the bank or vice versa to be verified), deterring customers and institutions alike, and potentially endangering the economic success of the service provider.
The paper reported that case studies indicated that criminals were able to launder money even where verification had taken place, e.g. by using stolen or fake identities, or strawmen.
When considering the exemption from identification issues, the paper stated that, unlike verification, identification does not seem to cause a lot of cost or effort; the service provider simply needs to ask the customer's name.