Every Merchant Service Provider invests massive amount of time and resources in vetting ecommerce merchants. Yet, owing to the incredible complexity of modern payment systems and the ease with which an online business can be established, payment processors frequently fail to know the true origin of transactions passing through their networks.

How does this happen?

Below we’ve collected five common ways that criminals often use to infiltrate legitimate payment systems. Along the route, they expose Merchant Service Providers with the liability of facilitating criminal activity, and the accompanying risk of fines, chargebacks, legal action and brand or reputational damage.

1. MCC Mismatch

In the credit card processing industry, every merchant is categorized according to a Merchant Category Code (MCC). This helps determine the interchange fee (the amount that merchants pay to card-issuing banks per credit card transaction).

However, payment providers are often challenged to conduct effective onboarding and ongoing content monitoring—and can easily fail to detect merchants for whom the MCC code does not correspond to the actual website activity. The sales force, naturally, will be inclined to “round the corners” to help the merchants get the MCC that will most benefit them. In too many cases, this involves the loose usage of generic MCC types.

Fraudulent merchants will often establish an ecommerce website that falls into a “low-risk” merchant category to avoid high processing fees and scrutiny. After passing the KYC checks and onboarding procedures and successfully establishing their merchant account, they can easily change the content on the website and start selling unauthorized or illegal goods and services. They can do this to either avoid high processing fees associated with “high-risk” content or to sell illegal goods and services.

That is why continuous content monitoring beyond onboarding on the actual ecommerce website is imperative for Merchant Service Providers.

2. Transaction Laundering

Transaction laundering happens when a merchant processes transactions on behalf of another merchant. The technological advances in payments, combined with the easiness of establishing online ecommerce websites, creates ample opportunities for criminals to abuse the legitimate payments ecosystem with the help of transaction laundering.

Transaction laundering is much easier to execute than many MSPs may imagine. For example, drug dealers can easily use a flower shop as their gateway into the legitimate payment system. The drug dealers simply need to keep their illegal activities successfully concealed by funneling transactions through a legitimate merchant account.

Because the flower shop has passed all the necessary due-diligence and KYC procedures required by the MSPs, it is seen as a legitimate, low-risk merchant.

Because the connection between the illegal activities of the drug dealer and the flower shop is completely hidden from view, MSPs keep approving and processing transactions passing through this particular merchant account, completely unaware that those transactions originate in illegal activities.

Transaction launderers will often choose the so-called “low-risk” merchants as their storefronts. These MCC codes are associated with ecommerce in low value items with low chargebacks rates, and hence will be considered low-risk.

Inadequacy or traditional risk scoring is playing a large role here. Risk score is traditionally derived from the merchant’s estimated credit worthiness and perceived exposure to chargebacks. This approach to merchant risk is inadequate when it comes to sophisticated merchant-based fraud. By using “low-risk” merchants as their storefronts, transaction launderers avoid excessive scrutiny and are subject to less rigorous inspection by the MSP as their transactional activities appear legitimate and are deemed as “low-risk”. Criminals are well aware that maintaining a low volume of chargebacks will enable them to pass under the radar of risk and compliance departments. The nature of transaction laundering guarantees that on the surface, all transactions seem legitimate and low-risk for the Merchant Service Provider.

. EverCompliant discovered that the MCC codes associated with so-called “low-risk” merchants, are in fact the riskiest when it comes to transaction laundering activities.

Top 10 MCC codes used by Transaction launderers:

Book Stores Food Stores Convenience Stores Markets Household Appliance Stores Men’s and Boy’s Clothing Accessories Stores Variety Stores Cosmetic Stores Gift, Card, Novelty, and Souvenir Shops

Ironically, many MSPs are spending considerable resources on monitoring the so-called “high-risk” merchants, whereas illicit activity is occurring right under their noses through “low-risk” merchant accounts.

3. Mobile Apps

The rise of Mcommerce and proliferation of mobile payment solutions has brought with it the rise of transaction laundering on mobile. Not only do mobile payments present Merchant Service Providers with an additional layer of complexity when it comes to monitoring transactions, but content crawling and monitoring on mobile ecommerce apps is challenging and requires access to cutting-edge technology that many MSPs lack.

Transaction launderers often link ecommerce website payment environment to unknown mobile apps, that can easily be used to distribute illegal content. Transaction launderers can bypass the exhaustive controls of the major mobile app stores by hiding links to a payment environment of a registered ecommerce website—not to mention the unregulated world outside of major app stores, in which actual payment environments can be embedded.

As a result, Transaction Laundering on mobile gives international criminals easy access to global payment ecosystems. This contributes to a situation whereby MSPs end up unknowingly facilitating criminal activities, and suffer losses due to inaccurate risk assessments, fines and regulatory penalties.

4. Transaction laundering and Affiliate Networks

The affiliate marketing model opens a whole new dimension for transaction laundering. When affiliates are not vetted or onboarded correctly, merchants themselves can become victims of transaction laundering, as well as payment processors.

The system is simple: the transaction launderer sets up an affiliate account with the merchant for the sole purpose of laundering transactions that have originated in illegal activities. For example:

Affiliate programs pay handsome commissions, up to 80% in some high-risk industries, such as adult content and gambling. A transaction launderer might set up an affiliate account with a toy store, and receive a commission (for the sake of this example let’s set it at 50%) from the toy store for all sales from the customers that he refers to the toy store.

However, the transaction launderer also owns a drug sales portal, on a site completely disconnected from the toy affiliate site. He or she will sell drugs on his or her illegal portal, and will use his affiliate account to funnel the transaction.

In essence, transaction launderer will use the $100 originating from the drug portal to buy toys and receives $50 back from the toy store as a commission. The unsuspecting toy store receives the “order” and delivers the goods to an address specified by the transaction launderer. The transaction launderers now owns $50 in clean money that they have received as the commission for their sales of + $100 worth of toys that they can resell elsewhere.

This highly-sophisticated scheme is especially difficult to detect, and can be very lucrative for the transaction launderer. Tracing affiliate payments, especially between multiple and seemingly-unconnected ecommerce websites and merchant accounts, to illegal activity is extremely difficult.

5. MOTO payments linked to online payment pages

Mail Order/Telephone Order (MOTO) is another method used by transaction launderers for processing payments from unreported ecommerce websites.

While officially reserved for mail order and telephone order, fraudulent merchants can easily abuse this method by setting up a legitimate looking ecommerce site, hidden and unreported from the MSP, and funnel transactions through a registered merchant account that is cleared for accepting MOTO payments.

This scheme is used by legitimate brick-and-mortar merchants who set up unreported ecommerce sites, and process sales from these websites through a merchant account they established for their physical business. This effectively allows brick-and-mortar merchants to process unauthorized ecommerce transactions without MSPs consent. The MSP has no way of knowing that these transactions originate in ecommerce and is not aware of the nature of goods and services being sold.

The Bottom Line

To avoid the risk and liability associated with facilitating transaction laundering, payment processors need to consider adopting advanced cyber intelligence technology that uncovers hidden ecommerce networks, merchants and their associated activity. Criminals are always looking for new ways to take advantage of payment system for their own gain. The agility and adaptability of criminal networks requires an ongoing monitoring of the entire merchant ecosystem, not only of the website the MSP knows about. That is why, to avoid the liability associated with facilitating illegal activities, Merchant Service Providers need to employ a dedicated transaction laundering detection and prevention solution.

For more information on how transaction laundering affects the payments industry in general and Merchant Service Providers in particular, sign up to our blog!