Cybercriminals looking to launder money or finance nefarious deeds via the Internet have a host of tools at their disposal. And they'll be able to ply those means with greater skill if governments don't step up policing efforts. That's the warning in a new report by the Financial Action Task Force (FATF), an international organization based in France that develops recommendations for combating money laundering and terrorism financing. The yearlong study, just published on the group's Web site, highlights the risks of criminal exploitation of "new payment methods," many of which have taken hold on the Internet in recent years.
Just what are these methods? Among them are so-called e-purses, cards that let users store funds via memory chips, and Internet payment services that operate outside traditional banks or credit card companies. The biggest online payment brokers are eBay's (EBAY) PayPal and Neteller (NTLRF), a company based in the Isle of Man that is publicly traded on the London stock exchange. PayPal processed $9.1 billion in transactions in the last quarter alone. Neteller processed $7.3 billion in 2005.
No Paper Trail
Online payment services are useful to consumers who want to buy and sell over the Internet but are wary about providing sensitive financial information to online vendors. Rather than give an unproven Internet store a primary bank account number, for example, a user can transfer funds to the vendor through an online account. Such accounts can be opened with much less money—some accounts do not have a minimum—and therefore pose less risk. They also benefit users who lack the credit to open credit cards or funds to open a bank account.
But e-wallets and Internet payments are of particular concern to the FATF because they often let users anonymously open accounts online. Typically, all that is needed is a credit card, bank account number, money wire service, or—in some especially worrisome cases—a long-distance calling card. Credit card and bank accounts are easier to trace to individuals and have more identity verification requirements than phone cards, which can be bought anonymously with cash. Once flush with funds, the accounts can be used to make purchases without leaving a paper trail to the user the way a credit card or check would.
More needs to be done to make Internet payments transparent and easily traceable, says Daniel Glaser, the Treasury Dept.'s deputy assistant secretary for terrorist financing and financial crimes. The report shows Internet wallets "could be used for a lot of bad things," he says. "To the extent that they facilitate anonymous transactions, they are very useful for terrorist financiers, money launderers, and others that would obscure their identity."
Internet payment services are an additional security risk because, unlike e-purses, their presence on the Web has increased during the past several years. Of the FATF's 37 member countries, including the U.S., roughly 40% have such Internet payment services registered in their jurisdictions (see BusinessWeek.com, 7/12/06 "Betting Against Online Gambling"). That's not including countries such as Costa Rica, which have registered Internet payment services but are known to have less stringent banking regulations than many FATF members.
Online payments have gotten a big boost from the Internet gambling industry. The $12 billion-a-year industry has relied on such services, especially since 2001, when many U.S. credit card companies began refusing to process Internet gambling transactions for fear that users would default on debts. PayPal also joined the voluntary ban when it was acquired by eBay. However, U.S. users simply turned to other Internet payment services based outside the country.
In October the U.S. passed a law officially barring financial institutions from processing illegal gambling transactions, reinforcing the voluntary ban. The law is expected to encourage more gambling sites to rely on Internet payment services based outside the U.S. to process transactions from U.S. players (see BusinessWeek.com, 10/19/06, "Online Gambling Goes Underground").
According to the report, it would be difficult for individual countries to compel Internet services based outside their borders to stop processing transactions that are legal in the nation from which they operate. Thus, it would be problematic for U.S. law enforcement officials to stop Internet payment services from processing illegal gambling transactions made from U.S. computers. "With this thorny question of Internet gambling, where the United States has made a decision on policy that is not unanimous in the world community…there will be ways that that these systems will be exploited, kind of like the old days in prohibition," says Vincent Schmoll, principal administrator with the FATF secretariat and editor of the report. "Quite honestly, in the criminal financial world exploiting differences in jurisdictions has been the key thing all along."
Differences in regulatory policies regarding Internet payments is one of the issues the FATF will explore in upcoming months while it investigates the measures that countries should adopt to better secure online payment systems. Once it develops recommendations, countries can choose whether to adopt them. However, those that do not—or do a poor job of adopting them—are subject to peer reviews and can be ousted from the organization for failing to adopt stringent anti-money-laundering policies. Once ousted, FATF member countries can take actions such as requiring that financial transactions originating from the ousted nation receive increased scrutiny that delays processing. Ousted nations or countries that are considered to be failing to meet recommendations also risk losing standing with the International Monetary Fund and the World Bank, among others.
Among the security recommendations are imposing limits on the amounts that can be held in online accounts, thus limiting the potential for large amounts to be laundered, and implementing "suspicious activity" reporting practices. Major banking institutions and credit card companies in the U.S. have extensive suspicious activity guidelines, both to comply with U.S. laws and ensure their customers do not fall victim to identity theft.
To date, e-purses and other new Internet payment services have not been the subject of money laundering investigations. The FATF hopes to prevent these systems from falling prey to the problems currently plaguing prepaid phone cards and digital precious metal traders such as e-gold. Between 2001 and 2004, both the U.S. and Germany had individual cases in which at least €350,000 ($445,000) was laundered via prepaid cards.
Laundering through Loopholes
In March, 2004, an Oklahoma resident confessed to defrauding thousands of investors of nearly $9 million through an online scheme. He laundered their money through e-gold Ltd. Since then, cybercriminals have continued to use the "digital currency" to wire money out of the country to places with less stringent banking regulations (see BusinessWeek.com, 1/9/06, "Gold Rush").
Schmoll says the issue of whether Internet payment processes should be considered governable only by the states in which their servers are based will be a fundamental question for the FATF to answer. "This is sort of a nebulous area. Is PayPal a financial institution or is it simply a payment messaging service? These are legal questions that have to be sorted out."