$200 Million Card Fraud Scheme Alleged18 Charged in Global Case that Reveals Cross-Channel Gaps
Arrests in connection with an alleged $200 million global credit card fraud ring offer an important reminder about gaps in cross-channel and cross-account fraud detection, says one anti-money-laundering expert.
See Also: Main Cyber Attack Destinations in 2016
Banking institutions must practice more due diligence when it comes to account activity monitoring - and greater reliance on big data would help, the expert advises.
On Feb. 5, federal authorities arrested 13 individuals allegedly connected to one of the biggest payment card schemes ever uncovered by the Department of Justice. The defendants' alleged criminal enterprise - built on synthetic, or fake, identities and fraudulent credit histories - crossed numerous state and international borders, investigators say.
The scheme involved the creation of false identities used to create fraudulent credit profiles, falsified information to establish creditworthiness with the credit bureaus and large loans that were never repaid by the fraudsters, according to court records that were recently unsealed.
The defendants have been accused of moving millions of dollars through accounts under their control, as well as wiring millions of dollars overseas. An investigative analysis of 169 bank accounts allegedly used by the defendants, their "sham" companies and/or complicit businesses identified $60 million in proceeds that had flowed through the numerous accounts, with most of those funds being withdrawn in cash, investigators say.
Additionally, those charged allegedly wired millions of dollars to Pakistan, India, the United Arab Emirates, Canada, Romania, China and Japan, authorities say. Due to the massive scope of the case, which involved more than 25,000 fraudulent credit cards, loss calculations are ongoing. Final figures may grow beyond the confirmed losses of more than $200 million.
Cybercrime experts from the Federal Bureau of Investigation have been investigating the case for 18 months. Several other individuals allegedly connected to the scheme were arrested earlier. So far, 18 individuals have been charged with bank fraud and face up to 30 years in prison and a $1 million fine.
Difficult to Trace
Micah Willbrand, director of AML market planning for LexisNexis' financial services division, says the two-year alleged scheme, which involved opening numerous business bank accounts, establishing high-scoring credit reports and moving funds to accounts in high-risk international markets, should have raised flags sooner. Unfortunately, international schemes are often the most difficult to trace, he says.
Bank Secrecy Act and AML regulations do not require banks to identify or scrutinize the recipient of funds associated with high-risk transactions, Willbrand says. "Laws and regulations today only require that the bank have KYC [know the customer] in place for the sender, not the receiver of money," he says.
And financial institutions have been reluctant, until recently, to push the envelope. Jurisdictional challenges related to international transactions would require banks to do a lot more leg work to verify the authenticity, risk and identity of a recipient to parallel the due diligence and KYC controls they have in place for senders, Willbrand says.
But card fraud schemes demonstrate why it's imperative to have KYC controls in place for both senders and recipients, he adds.
"With FACTA [Fair and Accurate Credit Transactions Act], all countries are realizing we need to know more about who's receiving the money. We need to be more transparent about how money is moving around the world, and that is something everyone is coming around to."
Authorities charge that the defendants and their conspirators in this case allegedly created more than 7,000 false identities and fraudulently obtained tens of thousands of credit cards they used to purchase lavish goods and stockpile large sums of cash.
The enterprise allegedly maintained more than 1,800 so-called "drop addresses," including houses, apartments and post office boxes, used as the mailing addresses for the synthetic identities. These IDs were used to create dozens of sham companies that did little or no legitimate business, investigators allege. Through those sham companies, the defendants and their co-conspirators purchased credit card terminals used to run up charges on fraudulent credit cards, authorities charge.
The sham companies established merchant accounts with merchant processors, investigators say. Those processors deposited funds they received from the credit card companies for charges made by the sham companies into business bank accounts opened by the alleged criminal enterprise. If a merchant processor shut down an account for some reason, the conspirators established a new business name and applied for new terminals, investigators allege.
The fake companies also served as "furnishers," providing false information to the credit bureaus about the credit histories of the synthetic identities they had affiliated with the companies. They then used lines of credit to increase their borrowing ability from card issuers and added authorized users to their credit card accounts to improve credit histories.
Authorities charge that the alleged criminal enterprise also relied on complicit businesses, including several jewelry stores in Jersey City, N.J., to conduct sham transactions on fraudulent cards to receive the proceeds from the credit card companies. Those proceeds would then be split with the alleged conspirators, investigators say.
"This elaborate network utilized thousands of false identities, fraudulent bank accounts, fake companies, and collusive merchants to defraud financial institutions of hundreds of millions of dollars in order to facilitate extravagant lifestyles they could otherwise not afford," FBI Special Agent David Velazquez says in the arrest announcement.
The Big Data Challenges
Willbrand says banking institutions have not done enough to monitor accounts or risk profiles after the initial review at account opening.
"Transaction monitoring and core banking systems, when they do risk ratings, tend to work in a vacuum," he says. "They set rules and say if something goes outside those boundaries, something is wrong. But the systems don't take into account any customer information or due diligence after the account is created."
Once the bank accepts who the owner of an account is, then that account owner is not typically reviewed again, Willbrand explains. "If they had gone back to review some these identities in this case, then some of that would have come out sooner," he adds.
Credit reporting bureaus, however, are building in more monitoring around synthetic identities, Willbrand adds, but their information is limited. "They are only looking at their files, rather than comparing their information with all of the other data out there, like where these 'identities' live and have lived, what their profiles are internationally, and what their credit is with the other bureaus."
Those challenges are amplified when transactions and accounts start crossing international borders. Data about identities is not combined internationally, Willbrand says. The only way to get an accurate profile is by cross-checking public records with utility bills and bank accounts around the world, he says.
Banking institutions are just starting to address some of these big data concerns, Willbrand adds. "[Recently] we have seen a high level ... of attention being paid to enhancing this due diligence area."
Willbrand says the manual review and overlaying of information can be too demanding for some banking institutions, especially smaller ones. But a number of companies are now offering automated or partially automated services to help banks and credit unions develop more inclusive profiles of customers and members, he says.
"To a certain extent, it is a big data approach," Willbrand says. "It allows you to bring out red flags that you would not have been able to raise four or five years ago."