Push-Payment Fraud Against Corporates: Banks Need to Invest More in Anti-Money Laundering
A payment of almost $5 million from Saudi Arabia suddenly arrives at the NatWest branch on Brixton High Street, transferred to an almost-dormant bank account that has never previously received more than a four-figure sum.
Almost immediately, the person controlling the bank account begins to disperse these funds in a flurry of payments to the Czech Republic, Hungary, Croatia and Hong Kong.
Suspicious as these transactions were, NatWest did not freeze the account when the Saudi money arrived. It allowed the outward payments to take place, despite the fact they triggered fraud alerts. NatWest temporarily froze the account, then unfroze it, and by the time the bank’s fraud team properly investigated and took decisive action, it was too late. The account had effectively been emptied, and the funds were long gone.
The $5 million was stolen from my client, an Italian engineering multinational called Maire Tecnimont. In a corporate version of push-payment fraud, somebody impersonated a senior manager at the company’s Saudi subsidiary and, by that deception, caused the payment to be sent out to NatWest in Brixton. From there, the money was funnelled to Eastern Europe and Asia and remains missing, effectively untraceable.
All of that took place in 2018, and Maire Tecnimont is currently suing NatWest in the English High Court over the incident. The bank argues it is not responsible, not least since, traditionally, the legal position has been that banks are not held to have a “duty of care” to third-party fraud victims who are not their account holders.
A court will decide where liability lies, and it is not my intention to prejudge the outcome here. What I would strongly suggest, though, is that the bank’s procedures in this episode were not sufficient to prevent a large-scale fraud, nor to prevent the successful laundering of large sums via the UK banking system.
It is beyond doubt that push-payment fraud on businesses represents a very considerable economic, and crime-fighting, problem. Confidence tricks on individual account-holders tend to get more attention in the press. But similar scams perpetrated on businesses – commonly referred to as “CEO Frauds”, since they involve a scammer impersonating a high-ranking official of the victim organisation – cost billions of dollars a year, according to statistics from the Federal Bureau of Investigation.
The FBI has identified Britain as a major through-station for fraudulent transfers. And unlike individual bank customers, businesses who fall victim to push-payment scams in the UK have scant entitlement to compensation.
Having acted on multiple matters involving CEO fraud, I believe the banking industry has to take this problem more seriously. On behalf of clients, I have made a submission to that effect to the House of Commons Treasury Select Committee, which is currently investigating Economic Crime.
Technology is part of the problem. Often, banks’ anti-money laundering (AML) monitoring depends on decades-old tech and does not include speedy fraud detection. Banks keep their AML and fraud detection procedures bifurcated, meaning they cannot cross-reference the account history against live transactions in real time. It can take banks a month to review some suspicious transactions, by which time laundered funds have long since been dissipated.
But as any FinTech entrepreneur will tell you, the technology exists to ensure near-real-time monitoring of accounts. It is no longer acceptable for banks to refuse to implement this technology whilst allowing their account holders to launder money and facilitate criminal activities.
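As an added illustration (not part of the original article and not any bank's actual system), the sketch below shows what cross-referencing account history against live transactions can look like: a credit far above anything the account has received, or a credit to a dormant account, puts the account under watch, and outbound payments are held until reviewed. The thresholds, field names and sample transactions are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Illustrative thresholds: assumptions, not any bank's actual policy.
SPIKE_FACTOR = 10                     # credit >= 10x the largest credit on record
DORMANT_AFTER = timedelta(days=90)    # no activity for this long counts as dormant
WATCH_WINDOW = timedelta(days=7)      # outbound payments are held for this long

@dataclass
class Account:
    max_credit: float                 # largest inbound payment in the account history
    last_activity: datetime
    watch_until: Optional[datetime] = None
    reasons: list = field(default_factory=list)

def screen(acct, txn):
    """Score one live transaction against the account's history.
    Returns (decision, reasons); decision is ALLOW, REVIEW or HOLD."""
    ts, reasons = txn["ts"], []
    if txn["direction"] == "in":
        if txn["amount"] >= SPIKE_FACTOR * max(acct.max_credit, 1.0):
            reasons.append("credit far above anything in account history")
        if ts - acct.last_activity >= DORMANT_AFTER:
            reasons.append("credit to a dormant account")
        if reasons:                   # anomalous credit: watch the account
            acct.watch_until, acct.reasons = ts + WATCH_WINDOW, reasons
            decision = "REVIEW"
        else:
            acct.max_credit = max(acct.max_credit, txn["amount"])
            decision = "ALLOW"
    elif acct.watch_until is not None and ts <= acct.watch_until:
        reasons = ["outbound payment after anomalous credit"] + acct.reasons
        decision = "HOLD"             # funds stay put until an analyst clears them
    else:
        decision = "ALLOW"
    acct.last_activity = ts
    return decision, reasons

def run_sample():
    """Constructed data modelled on the pattern in the article; not real records."""
    t0 = datetime(2018, 1, 1, 9, 0)   # placeholder date
    acct = Account(max_credit=4_200.0, last_activity=t0 - timedelta(days=200))
    txns = [{"ts": t0, "direction": "in", "amount": 4_900_000.0, "country": "SA"}]
    for i, dest in enumerate(["CZ", "HU", "HR", "HK"], start=1):
        txns.append({"ts": t0 + timedelta(hours=i), "direction": "out",
                     "amount": 1_200_000.0, "country": dest})
    return [(t["country"], *screen(acct, t)) for t in txns]

if __name__ == "__main__":
    for row in run_sample():
        print(row)
```

The point of the design is that the inbound anomaly and the outbound payments are judged by one component sharing one account state, so the hold applies before the first dispersal payment rather than after a separate review queue catches up.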
At the heart of the problem is that the banks are currently not incentivised to invest in AML tech. Compensating fraud victims doesn’t cost them very much. Typically, a bank will indemnify its own customers in respect of sums lost via fraud through the bank’s own negligence, in line with various banking and customer obligations. But it does not offer similar protections to non-customers whose stolen money has been laundered through its systems – even when the criminal perpetrators are account-holders with the bank. It has little financial incentive, therefore, to monitor against fraudsters amongst its customers. And when the losses imposed on outsiders by those fraudster-customers run into the millions, the bank is even less willing to acknowledge liability.
The UK industry’s Voluntary Code is not fit for purpose. It offers protection to small-scale victims of push-payment fraud (individuals, “micro-enterprises” and small charities), but does not cover businesses with ten or more persons as employees, or balance sheets of more than €2 million.
As fraud becomes more sophisticated and pervasive, that position looks unsustainable. Some £3.2 trillion in company turnover in the UK is found in businesses of more than ten employees. All of these organisations are currently at risk of being defrauded without hope of compensation from the payments industry’s “no-blame fund”. Nor does the Voluntary Code cover international payments.
The result is that banks find themselves increasingly in reputational difficulties. In March – in an issue entirely unrelated to my clients – it was announced that NatWest would face prosecution from the Financial Conduct Authority, for allegedly failing to monitor and scrutinise transactions that turned out to be part of a large money-laundering scheme.
Fraudsters are evolving their methods and moving at pace with technology, whilst banks are falling behind, seemingly content just to trudge along. If the persistence of fraudsters continues to outstrip banks’ determination to combat them, it could fundamentally damage confidence in the UK’s all-important banking system.
This is not to say that banks – as opposed to, say, telecoms companies, whose systems might enable fraudsters to access a victim’s bank details – should have to shoulder all the financial responsibility for compensating the victims of push-payment fraud.
But in circumstances where a bank has been negligent in its implementation of AML controls and fraud prevention technology that is readily available, and the victim has suffered loss, the bank should be required to provide appropriate compensation – whether or not the victim is a customer of the bank, and whether or not the victim is a corporate entity. That, I suspect, would finally focus management attention and technology investment on fighting the fraudsters.
It may be a lot to ask, but it’s not unreasonable, or unfeasible. The GDPR has obliged large companies in many sectors to consider data protection in ways that few would have expected even ten years ago. Social media firms are under pressure to tackle misinformation and prejudicial language. These changes require money and computing power. But they are the changes that a big-data economy and society are demanding. Banks would be unwise to ignore those demands.