
Monday, April 8, 2024

Ross Meurant: NZ APP Fraud Scam Enables International Money Laundering

Have New Zealand Banks unwittingly become “Enablers” of international money laundering?

Devoid of any form of criminal intent, have banking service providers become silent participants in fraud scams?

Moving from mere banking repositories to Behemoths facilitating a broad range of banking, financial and insurance services, APP fraud has become symptomatic of the frailties directly attributable to electronic transfers.

With Banks deflecting compensation requests and continuing to operate with relative impunity, APP frauds demonstrate how far out of touch the banking service has become with its Loyal Core Client base, which relies on bank ethics and protection.

Perhaps banks should simply stick to their knitting.

What is APP Fraud 

APP fraud scams are “Authorised Push Payment” transfers of money.  These scams require three participating elements: (i) a victim; (ii) a criminal enterprise; and (iii) Banks acting as intermediaries.

In general, scams include but are not necessarily limited to: (i) impersonation; (ii) invoice fraud; (iii) investment scams; (iv) romance scams; (v) CEO fraud, i.e. a type of spear phishing email attack; and (vi) technical support scams.

Often posing as legitimate companies, genuine persons, or representing “worthy schemes”, pervasive criminal elements regularly approach vulnerable people using a variety of contrived ruses, or devices to gain requisite confidence.  By this process they encourage the person (victim) to transfer funds from their bank account to that of the criminal enterprise.

Peculiar to APP fraud, the victim voluntarily approves or authorises the transfer of funds, from their bank account to another bank account, often through online banking, a device or by telephone.

Recovery of defrauded funds is increasingly rejected by Banks, placing responsibility and blame with their Loyal Core Client base. As a defence, Banks contend contributory negligence by the victims who, they claim, by and large relied on their own judgment and, motivated by avarice, willingly participated. Hence the convenient fault lies with the victim.

Bank Responsibility

Each New Zealand Bank has a duty and obligation to operate in absolute adherence with standard operating procedures, business practices, Codes of Conduct and various Codes of Ethics.

Additionally, the Bank must comply with the “know your customer” (KYC) and “anti-money laundering” (AML) practices.  AML duties include Statutory obligations to report suspicious or unusual activity to the New Zealand Police Financial Intelligence Unit.

Scam Process.

APP fraud involves two banks. 

1     The “victim’s Bank” lawfully transfers funds upon instruction of its Loyal Core Client, to an “intermediary’s” NZ bank account.  A proper and a lawful transaction. 

2     The victim’s transferring Bank has a right to believe on reasonable grounds that the intermediary’s Bank account has been KYC checked by that Bank, and that the account is bona fide.  No matter, if the beneficial owners are offshore.

3     The intermediary Bank has an obligation under its customer KYC, Codes of Practice/Ethics and AML policies to have satisfied itself as to the bona fides of the party (and/or company) opening the account and that all parties including beneficial owners involved are legitimate.  The intermediary account may be operated by an offshore entity.  Accordingly, more thorough research must be conducted – and not necessarily from a desktop.

4     When we make a payment via our computer or mobile app, which is “unusual”, we will receive an alerting TXT to our mobile phone or to our email, from our bank: (a) alerting us to the transfer with instructions to call the bank if it’s not us making the transfer, and/or (b) providing a validation code number, if it is a transfer of our making.

5   The overarching problem lies not with the original transfer as the customer/victim is comfortable making the investment.  The problem arises however, with the intermediary Bank.  That is, when the money is transferred to a scammers' account.   Does a liability exist with the intermediary bank? 

Salient point being, that the bank algorithms can and do detect “unusual” activity.

Question?  If $100,000 is transferred from the account of a Loyal Core Client (1) who does not regularly transfer $100K, such a transaction presumably precipitates a TXT code for validation, which in turn suggests that banks' algorithms are constantly searching.

APP fraud also involves Credit Card companies.

On one occasion I was contacted by a credit card provider, enquiring whether I had purchased at McDonald's, as this purchase was not a usual transaction for me.  This alerted me to the fact that I had lost my card and that it was being used unlawfully.

The salient point being, that the Credit Card company algorithms detected an unusual transaction.

APP fraud also involves telecommunications providers.  Scammers contact victims either via email or a telephone call.

On a number of occasions, I (and I’m sure many readers too) have answered an incoming mobile phone call from a number showing a New Zealand telco provider's prefix, to be confronted with a foreign accent offering “opportunities”.  These calls immediately alerted me that he/she was a scammer.  On each occasion, after politely declining the offer, I called back the number shown in my phone, which failed to connect.

Something is missing.

APP scammers use NZ Telco facilities.  Where is the co-ordination among Telecoms providers and banks?  What level of due diligence are Telcos obligated to apply when issuing a phone number/contact capability?

Banks harbouring clients who receive transfers of large amounts from another NZ bank, being amounts of money which are immediately transferred offshore?  Does this practice obligate Banks to revisit KYC and/or reconsider AML protocols?

Remember, as soon as funds are transferred by the victim, they have been obtained by a fraud and are subject to money laundering.

Criminal activity within the hallowed halls of banking institutions, should be the responsibility of internal bank investigators (invariably ex cops).

Does Client information protection outweigh interface with bank police and/or Telco company police?

Surely, long serving loyal bank clients deserve protection and care by the ostensible masters of financial transactions?

Dismissing mistakes by KYC’d clients, as self-negligence, is in my view, a step too far. 

Liability?

If bank algorithms are as effective as the above examples suggest, I contend that Banks do have liability where they fail to “place on hold” (2 days) transactions of unusually large amounts, to allow bank police to earn their salaries by examining the integrity of the “unusual” transfer.

Last Resort

Acting in accordance with New Zealand law and not being “influenced” by foreign government “interests”, the NZ Police Financial Intelligence Unit may be the last step in the process of investigating international criminal fraud and money laundering, but based on my recent informing FIU (2) of specific “activities”, in compliance with NZ law, as a former Police Inspector in charge of Criminal Intelligence Units, I hold the opinion that they need to lift their game.

Remedy?

New Zealand’s Government takes up the cudgel in Parliament where it formulates a Bill for approval in the House, which clarifies the current ambiguity, by imposing a code of conduct on all banks, credit card companies and telco providers, rendering such providers liable for losses suffered by its KYC’d approved core clients and potentially liable for criminal money laundering charges.

Ross Meurant BA MPP Company Director. Former Police Inspector O/C Criminal Intelligence Unit & V.I.P. Security planning. Former Member of Parliament.  Former Honorary Consul.

(1)   https://www.nzherald.co.nz/nz/watchdog-refuses-compensation-for-100k-scam-victim-says-banks-cant-be-compelled-to-check-for-fraud/5XLD35BOVBHIXIYQYXV77EW5FY/

(2)  https://www.police.govt.nz/advice/businesses-and-organisations/fiu

2 comments:

Tinman said...

I go into a shop to buy an ice-cream.

I give the person behind the counter $5 and watch them scoop the ice-cream into a cone and then they give it to me.

I don't like the ice-cream, it fails to satisfy.

Mr Meurant would then have the Reserve Bank of New Zealand, as the issuer of the $5 note, reimburse me that $5.

Only the specific details of the transaction are changed.

Anonymous said...

Hi Tinman, your comments are theoretically correct, albeit simplistic. There is absolutely no question that the best protection for your money is you. However, does the intermediary bank (as Meurant explains clearly) not have an obligation to check the bona fides in an account opening application? If bank research conducted on the account pays only lip service to the banking process - why bother at all? On the other hand, had the intermediary bank completed KYC research to a level that I as a bank consumer and regular online user, they would act/serve as a gate keeper and through that work shed New Zealanders from the wiles of these miscreants. That is even before AML raises itself. Stop it at source I say. PC Plod