How to Mitigate AML/CTF Risks in Mobile Payments

Every day we read about a financial institution being detected by the regulator’s radar. In addition, quite often we hear about a reporting entity being subject to local or international investigations for being misused in a financial crime, or are notified by a friend or a monthly newsletter about an institution being fined for lack of money laundering preventative measures.

What about the mobile payments providers? Are they at the same level of compliance as financial institutions? Do they have rigorous know your customers (KYC) policies and enhanced due diligence procedures?

For many years, this sector has been left behind during the global war against money laundering and terrorist financing. Although we agree with the priority given to other bigger sectors, such as banks and other financial institutions, we have to admit that money launderers are always a step ahead in seeking new and less regulated entities to launder their ill-gotten gains.

In 2006, the Financial Action Task Force (FATF) issued a report on new payment methods (NPMs) of money laundering, including mobile payment vulnerabilities to money laundering and terrorist financing, as a benchmark for both regulators and reporting entities in terms of best practice. In a second initiative in 2010, FATF updated the same report to cover a comprehensive risk-based approach and related risk factors, but the major additions were money laundering typologies and case studies associated with these types of payments, including three cases related to mobile payment schemes over the past four years.

The study identified the three main money laundering methods involving NPMs:

  1. Third party funding (including strawmen and nominees).
  2. Exploitation of the non-face-to-face nature of NPM accounts.
  3. Complicit NPM providers or their employees.

Mobile Payment Systems

Mobile payment systems may vary from one country to another, based on the legislations, financial system, culture, and even the size of the telecom company. According to the 2008 World Bank Working Paper 146, ‘Integrity in Mobile Phone Financial Services’, mobile payment services can be classified in four categories:

  1. Mobile financial information services: This is a service where the subscriber can request information about their general financial information from their personal account. Law or no anti-money laundering (AML)/countering terrorist financing (CTF) risks associated with this type of services.
  2. Mobile bank and securities accounts services: With this service, the mobile account will be bounded with a bank or security account with a facility to make transactions through the mobile phone. Thus, the service offered will be similar to an internet banking service, but using the mobile phone instead of the internet. This service poses AML/CTF risks, but it is strictly overseen due to regulations and surveillance deployed by banks and securities companies. In addition, the outsourcing business especially with agents, keeps the door opened for additional risks for non-face-to-face account opening procedures. Additional risks may occur when the bank pools the funds into one account held in the name of mobile payment provider.
  3. Mobile payment services: This service allows non-bank account holders to make payments for their purchase, utilities bills, or services they have been offered using their mobile phones. For this service, the mobile payment providers play the role of a financial institution. Using the mobile phone as a prepaid card or an electronic purse form a risk for ML/TF.
  4. Mobile money services: With this service, the subscriber has the right to store money in the mobile phone and may make a payment or transfer through his/her phone. This poses an extreme risk due to lack of regulations and oversight.

Recommended Best Practices

AML/CTF risks associated with mobile payment/money services can threaten a country’s systems and weaken the mobile payment provider’s reputation. Below are some recommended best practices that will help to mitigate AML/CTF risk.

Regulatory framework and legislations

Unfortunately, many countries in the world, including most Middle East countries, have no regulatory framework to fight money laundering or terrorist financing through mobile money/payment services.

Another concern has arisen where countries do not classify a mobile payment provider as a reporting entity. Based on the methodology of assessing compliance with the FATF 40 and 9 Special Recommendations, FATF defined a financial institution as “any person or entity who conducts as a business one or more of the activities…” including:

  • Acceptance of deposits and other payable funds from public.
  • The transfer of money or value.
  • Issuing and managing means of payment.

The definition also applies to a mobile payment provider that acts as a non-traditional financial institution. Accordingly, it should be considered as a reporting entity and subject to all AML laws, acts or decrees – something that most governmental officials are not aware of.

As an example, in some Middle Eastern countries, mobile payment providers are not permitted or encouraged to send suspicious activity reports (SAR) to local competent authorities; they route it to a local bank with a business relationship so the bank can conduct extra due diligence, then report it to the government in case of a suspicion, even if the reported person does not have a bank account with that bank.

Compliance programme

Similar to any other reporting entity, mobile payment providers should be more confident in building a healthy compliance programme that underscores its compliance with local regulations and even the international standards. This requires the following:

  • Designation of a compliance officer: Compliance is a new term in a mobile payment provider’s organisational culture. Designating a compliance officer within the company is a first step. A qualified and certified compliance specialist will be the cornerstone in implementing the required compliance programme and so that regulations are followed and implemented properly.
  • Clear policies and procedures: What would mobile operators do when regulators knock on the door and ask for documents or evidence? Predefined internal policies and procedures should cover all daily operations among all related departments in mobile payment providers. Such policies should include account opening and closing policies, KYC and customer due diligence procedures, in addition to recordkeeping requirements. This may include clear preventative measures, such as transaction rejections and limits in certain conditions.
  • Training for employees, agents and other involved parties: A major challenge for a compliance officer is to provide proper training to all employees and related parties. Training materials should be designed according to the audience targeted, for example basics of money laundering red flags in mobile payment services should be provided to frontline staff, while compliance officers and AML investigators are more interested in advanced and complex international money laundering typologies and regulations.
  • Independent audit testing: This is a very effective tool to measure the success or failure of the compliance programme. Making sure that previously detected deficiencies were corrected will be a critical task for external auditors.

The above components create the basic compliance structure that may expand to other elements to govern the relationships with regulators and financial institutions where the operator maintains an account to run the service(s) on behalf of subscribers.

A Risk-based Approach and Automated Transaction Monitoring

Due to the new threat of money laundering in the mobile payment industry and the increased number of mobile payment subscribers, it is recommended that a mobile payment provider implement an automated transaction monitoring solution that will detect unusual customer activity based on internationally common or specified red flags.

Mobile payment providers typically have excellent information technologies already in place. This will pave the path for an easy deployment of a transaction monitoring and reporting system. An effective system would be able to analyse transactions according to predefined scenarios, which will enable the operators to block or close accounts when abnormal transaction patterns are detected.

Mobile payment providers should emphasise that any transaction monitoring system should include the following:

  • Customers names screening and checking against local and international lists.
  • Behavioural analysis for accounts and subscribers on both levels to detect unusual transactions based on precise scenario management.
  • Detection management and related analysis tools that present any hidden relationships between subscribers and accounts.
  • False positive and fine-tuning management.
  • Self-steering workflows that best fits the organisation hierarchy module.
  • Extensive case management.
  • A risk-based approach, where all applicable risk factors will be calculated for a proper risk weighting.
  • Regulatory and managerial reporting such as suspicious transaction reporting (STR)/SAR and other reports designed for internal use with auditable results.


Similar to any other industry, mobile payments present specific risks and regulators are unfamiliar with AML/CTF risks arising from these new services and products. It would be a great starting point for mobile payment providers to assess the risks associated with each kind of services/products offered to the subscriber in comparison with the major four risk factors – anonymity, rapidity, elusiveness, and poor oversight.

An appreciated effort in this field is the Groupe Speciale Mobile Association (GSMA) discussion paper, ‘Mobile Money: Methodology for Assessing Money Laundering and Terrorist Financing’. The FATF’s ‘Mutual Evaluation Report’ is considering the assessment of mobile payment regulations. This makes it imperative for countries to move forward with their legislations in harmonisation with international standards and be responsible for supervising the implementation of these regulations.

Building up a proper regulatory regime compliant with the international standards remains a significant challenge for regulators and mobile payment providers due to lack of knowledge of compliance, AML, risk management and mitigation factors. This is particularly the case for those oriented towards mobile network operations only, and are really very new to this area of expertise.

Case Study: Selling Stolen Phone Credits Through Mobile P2P Payments

In April 2010, an individual was sentenced in the Cayman Islands for using stolen credit card information to illegally obtain phone credits, which he then sold through the mobile person-to-person (P2P) payment services. Although the amount of money was small, the individual was charged for money laundering activity under the Proceeds of Crime Law of Cayman Islands.

Source: Cayman Islands Attorney General’s Office.



Related reading